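# Back up the packaged configuration before editing it.
# `&&` keeps the copy from running in the wrong directory if the cd fails.
# `-p` preserves the original mode and ownership, so a config that later
# holds stats passwords is not copied with looser permissions.
cd /etc/haproxy/ && cp -p haproxy.cfg haproxy.cfg.old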
# cat /etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
# Process-wide settings: syslog target, chroot jail, pid file, connection
# ceiling, the unprivileged account to run as, and the runtime stats socket.
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
# Jail the process in /var/lib/haproxy and (below) run it as the haproxy
# user and group, which limits what a compromised proxy process can reach.
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 40000
user haproxy
group haproxy
daemon
# turn on stats unix socket
# NOTE(review): the socket is declared without `mode` or `level`, so its
# permissions are left at the defaults. Confirm that only administrators can
# open it, or restrict it explicitly (e.g. `mode 600`).
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
# Defaults inherited by every frontend/backend/listen section below:
# HTTP mode, HTTP-format logging, retry/redispatch policy and timeouts.
defaults
mode http
log global
option httplog
# NOTE(review): dontlognull suppresses log lines for connections that carry
# no data. The HAProxy documentation cautions that on Internet-facing
# listeners this also hides port scans and probes from the logs.
option dontlognull
option http-server-close
# Adds an X-Forwarded-For header with the client address, except for
# connections coming from 127.0.0.0/8. A header already supplied by the client
# is not removed, so backends should trust only the last value.
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
# Bounds how long a client may take to send a complete request, which limits
# how long slow or stalled requests can tie up connections.
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 40000
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
# Accepts plain HTTP on port 80 of every address and sends all requests to
# backend `app`; the static-content ACL rules are left commented out.
# NOTE(review): putting the address on the `frontend` line is the older
# syntax; newer releases expect a separate `bind *:80` line. Confirm for the
# version in use.
frontend main *:80
# acl url_static path_beg -i /static /images /javascript /stylesheets
# acl url_static path_end -i .jpg .gif .png .css .js
# use_backend static if url_static
default_backend app
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
#backend static
# balance roundrobin
# server static 172.16.0.6:80 check
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
# Round-robin pool of two application servers, each health-checked.
# NOTE(review): `check` without an `option httpchk` line only tests that the
# TCP port accepts a connection, not that the application answers. Confirm
# that this is sufficient.
backend app
balance roundrobin
server app1 10.0.0.68:80 check
server app2 10.0.0.69:80 check
# server app3 127.0.0.1:5003 check
# server app4 127.0.0.1:5004 check
# Start the service through its init script. Running
# `haproxy -c -f /etc/haproxy/haproxy.cfg` first checks the file for syntax
# errors without touching the running service.
[root@r610 haproxy]# /etc/init.d/haproxy start
Starting haproxy: [ OK ]
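# Process-wide settings: two syslog targets, a connection ceiling and the
# unprivileged account to run as. The section keyword was truncated to
# "lobal" in the listing and is restored here.
# NOTE(review): unlike the packaged example, this section sets no `chroot`,
# so the process keeps access to the whole filesystem. Consider adding one.
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
#log loghost local0 info
maxconn 4096
#debug
#quiet
user haproxy
group haproxy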
# Defaults for the listeners below, written in the older keyword style.
# NOTE(review): bare `redispatch` and `contimeout` / `clitimeout` /
# `srvtimeout` are the deprecated spellings of `option redispatch` and
# `timeout connect` / `timeout client` / `timeout server`. Later HAProxy
# releases reject them, so confirm against the version in use.
# NOTE(review): no `timeout http-request` is set, so nothing bounds how long a
# client may take to send its request headers.
defaults
log global
mode http
option httplog
option dontlognull
retries 3
redispatch
maxconn 2000
# These three values are presumably milliseconds (5 s connect, 50 s client and
# server). Verify for the version in use.
contimeout 5000
clitimeout 50000
srvtimeout 50000
# HTTP listener on 192.168.0.1:80 balancing two web servers round-robin, with
# session stickiness carried in the application's JSESSIONID cookie.
listen web 192.168.0.1:80
mode http
balance roundrobin
# `prefix` reuses the application's own cookie and tags its value with the
# server's cookie name (A or B below) instead of issuing a separate cookie.
cookie JSESSIONID prefix
option httpclose
# Adds X-Forwarded-For with the client address. A value already sent by the
# client is kept, so backends should trust only the last one.
option forwardfor
# Health check: a server is considered up while HEAD /index.html succeeds.
option httpchk HEAD /index.html HTTP/1.0
server web1 192.168.0.2:80 cookie A check
server web2 192.168.0.3:80 cookie B check
# HTTP listener on port 8080 of every address, sending each request to the
# Tomcat node with the fewest active connections.
# NOTE(review): `*:8080` exposes the listener on all interfaces. Bind a
# specific address if only internal clients should reach it.
listen tomcat *:8080
maxconn 4096
mode http
balance leastconn
option httpclose # disable keep-alive
option forwardfor
option httpchk GET /index.jsp
# Checks run against port 8080 every 2000 ms; a server is marked up after 2
# consecutive successes and down after 3 consecutive failures.
server tomcat_A 172.19.35.33:8080 check port 8080 inter 2000 rise 2 fall 3
server tomcat_B 172.19.35.44:8080 check port 8080 inter 2000 rise 2 fall 3
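# The listing was collapsed onto one line, which would turn everything after
# the first `#` into a comment. Line breaks are restored here; the directives
# themselves are unchanged.
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 4096
    # NOTE(review): chroot is commented out, so the process is not jailed.
    #chroot /usr/share/haproxy
    user haproxy
    group haproxy
    daemon
    #debug
    #quiet

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

# Forwards connections arriving on port 3128 to two upstream nodes.
# NOTE(review): the listener accepts connections on every interface and has no
# ACL. If the upstream nodes are forward proxies (port 3128 suggests so;
# confirm), restrict the bind address or the allowed source networks so the
# host does not act as an open relay.
# NOTE(review): the servers carry no `check`, so a dead node keeps receiving
# traffic.
listen proxy 0.0.0.0:3128
    server proxy_node_1 203.185.193.198:3128
    server proxy_node_2 219.190.126.147:3128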
例 128.1. haproxy + mysql 配置實例
# cat /etc/haproxy/haproxy.cfg | grep -v '#'
# Process-wide settings for the MySQL example: syslog target, chroot jail,
# pid file, connection ceiling, unprivileged account and runtime stats socket.
global
log 127.0.0.1 local2
# The chroot plus the user/group lines below limit what a compromised proxy
# process can reach on the host.
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# NOTE(review): no `mode` or `level` is given for the socket. Confirm that
# only administrators can open it.
stats socket /var/lib/haproxy/stats
# Defaults for the MySQL example: raw TCP proxying with TCP-format logs. In
# this mode HAProxy relays bytes and does not inspect the MySQL protocol.
defaults
mode tcp
log global
option tcplog
# NOTE(review): dontlognull hides connections that send no data, which also
# hides port scans of the listeners from the logs.
option dontlognull
option redispatch
retries 3
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s
maxconn 3000
# TCP listener on port 3306 of every address, sending each new connection to
# the MySQL server with the fewest active connections.
# NOTE(review): HAProxy adds no authentication or encryption in TCP mode.
# Anyone who can reach *:3306 reaches the database login, and traffic to the
# servers is only encrypted if MySQL itself negotiates TLS. Restrict the bind
# address or firewall the port.
# NOTE(review): plain `check` opens and drops a TCP connection. MySQL may
# count these as aborted connects, so confirm the proxy host cannot get
# blocked by the server's connect-error limit.
listen slave *:3306
mode tcp
balance leastconn
option tcpka
server mysql_22 202.123.6.166:3306 check
server mysql_26 202.123.6.177:3306 check
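# Read-only statistics page on port 8000 of every address, protected by HTTP
# Basic authentication.
# NOTE(review): Basic credentials cross the network in cleartext on this
# plain-HTTP listener. Bind it to a management address or serve it over TLS.
listen stats :8000
mode http
transparent
stats uri /haproxy-stats
# The escaped space must directly follow the first word for the realm to be
# one argument; the original `Haproxy \ statistic` split it into two.
stats realm Haproxy\ statistic
# NOTE(review): the password is stored in cleartext in this file and this
# value is published sample data. Replace it with your own secret and keep
# haproxy.cfg readable by root only.
stats auth www:lJ2mXTjgtGIvRUN2qEE
stats hide-version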
# Statistics page with admin actions enabled, on port 8899 of every address,
# refreshed every 10 seconds and protected by HTTP Basic authentication.
listen admin_status
mode http
# NOTE(review): 0.0.0.0 exposes the admin page on all interfaces over plain
# HTTP, so the Basic credentials travel in cleartext. Prefer a loopback or
# management address, or put TLS in front.
bind 0.0.0.0:8899
option httplog
stats enable
stats refresh 10s
stats hide-version
stats realm Haproxy\ Statistics
stats uri /admin-status
# NOTE(review): the password is stored in cleartext here and this value is
# published sample data. Replace it and keep haproxy.cfg readable by root only.
stats auth admin:Ol9t1pk1zoJk3HctZivbR
# `if TRUE` grants the admin actions (enabling and disabling servers) to every
# authenticated user from any source address. A narrower condition such as
# `stats admin if LOCALHOST` limits them to local connections.
stats admin if TRUE
例 128.2. Haproxy MySQL (Master + Master)
# TCP listener on port 3308 of every address for read traffic, sending each
# connection to the MySQL server with the fewest active connections.
# NOTE(review): the listener is reachable on all interfaces and HAProxy adds
# no authentication or encryption in TCP mode. Restrict who can reach it.
listen MYSQL_Slave *:3308
mode tcp
maxconn 4096
balance leastconn
# Checks run against port 3306 every 2 s; a server is marked up after 2
# successes and down after 3 failures.
server mysql_A 172.18.50.21:3306 check port 3306 inter 2s rise 2 fall 3
server mysql_B 100.101.5.21:3306 check port 3306 inter 2s rise 2 fall 3
# TCP listener on port 3306 of every address for write traffic.
# NOTE(review): the listener is reachable on all interfaces and HAProxy adds
# no authentication or encryption in TCP mode. Restrict who can reach it.
listen MYSQL_Master *:3306
mode tcp
maxconn 2048
balance roundrobin
# mysql2 is marked `backup`, so it only receives connections while mysql1 is
# down. With a single active server the pair behaves as active/passive, so
# both masters are not written to at once.
server mysql1 172.18.50.16:3306 check port 3306 inter 3s rise 2 fall 3
server mysql2 102.101.5.26:3306 check port 3306 inter 3s rise 2 fall 3 backup
生成自簽名證書的步驟, 如果你有購買的證書,此處略過
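# Create a directory for the key material.
$ sudo mkdir /etc/ssl/example.com
# Generate the RSA private key. 2048 bits replaces the original 1024: a
# 1024-bit RSA key is too weak for current use and many TLS clients reject it.
$ sudo openssl genrsa -out /etc/ssl/example.com/example.com.key 2048
# Create the certificate signing request; openssl prompts for the subject.
$ sudo openssl req -new -key /etc/ssl/example.com/example.com.key -out /etc/ssl/example.com/example.com.csr
> Country Name (2 letter code) [AU]:CN
> State or Province Name (full name) [Some-State]:Guangdong
> Locality Name (eg, city) []:Shenzhen
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:example
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:*.example.com
> Email Address []:
> Please enter the following 'extra' attributes to be sent with your certificate request
> A challenge password []:
> An optional company name []:
# Self-sign the request for 365 days. Clients will not trust this certificate
# unless it is installed explicitly, so it is suited to testing only.
$ sudo openssl x509 -req -days 365 -in /etc/ssl/example.com/example.com.csr -signkey /etc/ssl/example.com/example.com.key -out /etc/ssl/example.com/example.com.crt
# HAProxy reads the certificate and private key from a single PEM file.
# Redirecting tee's output keeps the private key off the terminal and out of
# the scrollback.
$ sudo cat /etc/ssl/example.com/example.com.crt /etc/ssl/example.com/example.com.key | sudo tee /etc/ssl/example.com/example.com.pem > /dev/null
# tee creates the PEM with the default umask, typically world-readable.
# Restrict every file that contains the private key to root.
$ sudo chmod 600 /etc/ssl/example.com/example.com.key /etc/ssl/example.com/example.com.pem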
/etc/haproxy/haproxy.cfg
# HTTP frontend that accepts plain HTTP on port 80 and terminates TLS on port
# 443, sending both to backend `nodes`.
frontend localhost
bind *:80
# The PEM file holds the certificate and its private key, so it must stay
# readable by root only.
# NOTE(review): no protocol or cipher limits are set on this bind line, so
# the build's defaults apply. Consider a minimum such as `ssl-min-ver TLSv1.2`
# on releases that support it.
bind *:443 ssl crt /etc/ssl/example.com/example.com.pem
mode http
default_backend nodes
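# Round-robin pool of three web servers reached over plain HTTP, with headers
# that tell the application how the client connected to the proxy.
backend nodes
mode http
balance roundrobin
# Adds X-Forwarded-For with the client address. A value already sent by the
# client is kept, so the application should trust only the last one.
option forwardfor
# Health check: HEAD / with an explicit Host header.
option httpchk HEAD / HTTP/1.1\r\nHost:www.example.com
server web01 172.16.0.1:80 check
server web02 172.16.0.2:80 check
server web03 172.16.0.3:80 check
http-request set-header X-Forwarded-Port %[dst_port]
# set-header replaces any X-Forwarded-Proto the client sent. The original
# add-header appended to it and left the header untouched on port 80, so a
# client could claim "https" to the application over plain HTTP.
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }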
HTTP強行跳轉到HTTPS的配置方法
# Same frontend with a forced upgrade: any request that did not arrive over
# TLS is answered with a redirect to the https:// form of the same URL.
frontend localhost
bind *:80
bind *:443 ssl crt /etc/ssl/example.com/example.com.pem
# The redirect uses the default status code (302) unless `code 301` is added.
# NOTE(review): the first request still travels in cleartext. Sending a
# Strict-Transport-Security response header on the TLS side lets returning
# browsers skip the plain-HTTP step.
redirect scheme https if !{ ssl_fc }
mode http
default_backend nodes
# TCP pass-through frontend: there is no `ssl` on the bind lines, so TLS is
# not terminated here and the encrypted stream is relayed to backend `nodes`.
# HAProxy never sees the HTTP request and cannot add X-Forwarded-* headers;
# certificates and keys live on the backend servers instead.
frontend localhost
# NOTE(review): port 80 traffic is relayed to the same backend, whose servers
# listen on 443. Plain HTTP sent to a TLS port will fail, so confirm whether
# this bind is intended.
bind *:80
bind *:443
option tcplog
mode tcp
default_backend nodes
# Round-robin pool of two servers that terminate TLS themselves on port 443.
backend nodes
mode tcp
balance roundrobin
# Health check sends an SSL client hello and expects a server hello back.
# NOTE(review): the probe uses an SSLv3-style hello. Confirm it still passes
# against servers that have old protocol versions disabled.
option ssl-hello-chk
server web01 172.16.0.3:443 check
server web02 172.16.0.4:443 check