Zhihu column | Multidimensional Architecture | WeChat ID netkiller-ebook | QQ group: 128659835, please mention "reader" |
cd /etc/haproxy/
cp haproxy.cfg haproxy.cfg.old

# cat /etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     40000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 40000

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend  main *:80
#    acl url_static       path_beg       -i /static /images /javascript /stylesheets
#    acl url_static       path_end       -i .jpg .gif .png .css .js

#    use_backend static          if url_static
    default_backend             app

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
#backend static
#    balance     roundrobin
#    server      static 172.16.0.6:80 check

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app
    balance     roundrobin
    server  app1 10.0.0.68:80 check
    server  app2 10.0.0.69:80 check
#    server  app3 127.0.0.1:5003 check
#    server  app4 127.0.0.1:5004 check

[root@r610 haproxy]# /etc/init.d/haproxy start
Starting haproxy:                                          [  OK  ]
global
    log 127.0.0.1   local0
    log 127.0.0.1   local1 notice
    #log loghost    local0 info
    maxconn 4096
    #debug
    #quiet
    user haproxy
    group haproxy

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    retries 3
    redispatch
    maxconn 2000
    contimeout      5000
    clitimeout      50000
    srvtimeout      50000

listen web 192.168.0.1:80
    mode http
    balance roundrobin
    cookie JSESSIONID prefix
    option httpclose
    option forwardfor
    option httpchk HEAD /index.html HTTP/1.0
    server web1 192.168.0.2:80 cookie A check
    server web2 192.168.0.3:80 cookie B check
listen tomcat *:8080
    maxconn 4096
    mode http
    balance leastconn
    option httpclose     # disable keep-alive
    option forwardfor
    option httpchk GET /index.jsp
    server tomcat_A 172.19.35.33:8080 check port 8080 inter 2000 rise 2 fall 3
    server tomcat_B 172.19.35.44:8080 check port 8080 inter 2000 rise 2 fall 3
global
    log 127.0.0.1   local0
    log 127.0.0.1   local1 notice
    #log loghost    local0 info
    maxconn 4096
    #chroot /usr/share/haproxy
    user haproxy
    group haproxy
    daemon
    #debug
    #quiet

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    retries 3
    option redispatch
    maxconn 2000
    contimeout      5000
    clitimeout      50000
    srvtimeout      50000

listen proxy 0.0.0.0:3128
    server proxy_node_1 203.185.193.198:3128
    server proxy_node_2 219.190.126.147:3128
Example 128.1. haproxy + mysql configuration example
# cat /etc/haproxy/haproxy.cfg | grep -v '#'
global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode                    tcp
    log                     global
    option                  tcplog
    option                  dontlognull
    option                  redispatch
    retries                 3
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout check           10s
    maxconn                 3000

listen slave *:3306
    mode tcp
    balance leastconn
    option tcpka
    server mysql_22 202.123.6.166:3306 check
    server mysql_26 202.123.6.177:3306 check

listen stats :8000
    mode http
    transparent
    stats uri /haproxy-stats
    stats realm Haproxy\ statistic
    stats auth www:lJ2mXTjgtGIvRUN2qEE
    stats hide-version

listen admin_status
    mode http
    bind 0.0.0.0:8899
    option httplog
    stats enable
    stats refresh 10s
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /admin-status
    stats auth admin:Ol9t1pk1zoJk3HctZivbR
    stats admin if TRUE
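The two `stats` sections above are the part of this configuration most worth reviewing before it goes live: `stats admin if TRUE` lets anyone who passes the basic-auth prompt disable or drain servers, and both sections listen on every interface. The following is an added example, not code from the page or from the HAProxy project: a small section-aware scanner that pulls every stats endpoint out of a haproxy.cfg and reports where it is bound and which protections are set. `SAMPLE_CFG` is constructed from the directives on the page (the passwords are placeholders, and `stats hide-version` was dropped from the second section so that finding is exercised).

```python
"""Audit the statistics endpoints of an HAProxy configuration.

Added example (not code from the page or from the HAProxy project). It splits
haproxy.cfg text into sections and reports, for each proxy that serves the
stats page, where it is bound and whether 'stats auth', 'stats hide-version'
and 'stats admin' are set. SAMPLE_CFG is constructed from the directives on
the page; the passwords are placeholders.
"""
from dataclasses import dataclass, field

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")

SAMPLE_CFG = """\
listen slave *:3306
    mode tcp
    balance leastconn
    server mysql_22 202.123.6.166:3306 check

listen stats :8000
    mode http
    stats uri /haproxy-stats
    stats realm Haproxy\\ statistic
    stats auth www:PLACEHOLDER_PASSWORD
    stats hide-version

listen admin_status
    mode http
    bind 0.0.0.0:8899
    stats enable
    stats refresh 10s
    stats realm Haproxy\\ Statistics
    stats uri /admin-status
    stats auth admin:PLACEHOLDER_PASSWORD
    stats admin if TRUE
"""


@dataclass
class Section:
    kind: str          # global / defaults / frontend / backend / listen
    name: str          # e.g. 'admin_status' or 'stats :8000'
    lines: list = field(default_factory=list)


def parse_sections(cfg_text):
    """Split config text into Section objects; '#' starts a comment, as in HAProxy."""
    sections = []
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] in SECTION_KEYWORDS:
            sections.append(Section(words[0], " ".join(words[1:])))
        elif sections:
            sections[-1].lines.append(line)
    return sections


def stats_issues(report):
    """Turn one report into a list of human-readable findings."""
    out = []
    if not report["auth"]:
        out.append("no stats auth")
    if not report["hide_version"]:
        out.append("version disclosed")
    if report["admin"] is not None:
        out.append(f"admin actions enabled ({report['admin']})")
    # '*', '0.0.0.0' or an empty host (':8000') all mean every interface
    if any(b.split(":")[0] in ("", "*", "0.0.0.0") for b in report["binds"]):
        out.append("bound on all interfaces")
    return out


def stats_report(sec):
    """Describe one section's stats exposure, or None if it serves no stats page.
    'stats enable' or 'stats uri' alone is enough to activate the page."""
    stats = [l for l in sec.lines if l.startswith("stats ")]
    if not any(l.startswith(("stats enable", "stats uri")) for l in stats):
        return None
    binds = [l.split()[1] for l in sec.lines if l.startswith("bind ")]
    name_parts = sec.name.split()
    if len(name_parts) > 1:            # 'listen name addr:port' form
        binds.append(name_parts[1])
    admin = next((l[len("stats admin"):].strip() for l in stats
                  if l.startswith("stats admin")), None)
    report = {
        "section": f"{sec.kind} {name_parts[0]}",
        "binds": binds,
        "auth": any(l.startswith("stats auth ") for l in stats),
        "hide_version": "stats hide-version" in stats,
        "admin": admin,
    }
    report["issues"] = stats_issues(report)
    return report


def audit_config(cfg_text):
    """Return the report for every section that exposes the stats page."""
    return [r for r in map(stats_report, parse_sections(cfg_text)) if r]


if __name__ == "__main__":
    for r in audit_config(SAMPLE_CFG):
        print(r["section"], r["binds"], "; ".join(r["issues"]) or "ok")
```

Run against the page's configuration this flags `listen admin_status` for admin actions on an all-interface bind. The usual fix is to bind the stats listener to a management address and make `stats admin` conditional on a source ACL (for example `acl from_mgmt src 10.0.0.0/8` followed by `stats admin if from_mgmt`) rather than `if TRUE`, so that the basic-auth password alone is not enough to take servers out of rotation.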
Example 128.2. Haproxy MySQL (Master + Master)
listen MYSQL_Slave *:3308
    mode tcp
    maxconn 4096
    balance leastconn
    server mysql_A 172.18.50.21:3306 check port 3306 inter 2s rise 2 fall 3
    server mysql_B 100.101.5.21:3306 check port 3306 inter 2s rise 2 fall 3

listen MYSQL_Master *:3306
    mode tcp
    maxconn 2048
    balance roundrobin
    server mysql1 172.18.50.16:3306 check port 3306 inter 3s rise 2 fall 3
    server mysql2 102.101.5.26:3306 check port 3306 inter 3s rise 2 fall 3 backup
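The `check port 3306 inter 3s rise 2 fall 3` and `backup` keywords decide when HAProxy stops sending connections to a MySQL node and when the standby takes over, and that timing is what an operator needs to reason about during a failover. The following is an added example, not HAProxy's own code: a simplified model of the rise/fall state machine (a server starts UP, goes DOWN after `fall` consecutive failed checks, returns to UP after `rise` consecutive successes, one check every `inter`) together with the backup-selection rule. It ignores HAProxy's separate start-up, `fastinter`/`downinter` and check-timeout handling; the check-result sequences in the test are constructed.

```python
"""Model of HAProxy's 'check inter/rise/fall' state machine and the 'backup'
keyword. Added example, not HAProxy's own code; simplified as described in the
lead-in. All check results and server lists are constructed."""
from dataclasses import dataclass


@dataclass
class ServerCheck:
    name: str
    rise: int = 2        # consecutive successes needed to return to UP
    fall: int = 3        # consecutive failures needed to go DOWN
    inter_s: float = 2.0  # seconds between checks ('inter')
    up: bool = True      # servers start UP in this simplified model
    streak: int = 0      # consecutive results that contradict the current state

    def observe(self, ok):
        """Record one check result and return the resulting state ('UP'/'DOWN')."""
        if ok == self.up:
            self.streak = 0            # result agrees with current state
        else:
            self.streak += 1
            needed = self.fall if self.up else self.rise
            if self.streak >= needed:
                self.up = not self.up
                self.streak = 0
        return "UP" if self.up else "DOWN"

    def detect_window_s(self):
        """Approximate time a hard failure can go unnoticed: 'fall' checks spaced
        'inter' apart (a real check also waits up to 'timeout check' each time)."""
        return self.fall * self.inter_s


def replay(results, rise=2, fall=3, inter_s=2.0):
    """Return [(check_number, new_state), ...] for a sequence of check results."""
    srv = ServerCheck("srv", rise, fall, inter_s)
    transitions, prev = [], "UP"
    for n, ok in enumerate(results, 1):
        state = srv.observe(ok)
        if state != prev:
            transitions.append((n, state))
            prev = state
    return transitions


def eligible_servers(servers):
    """servers: [(name, is_up, is_backup)]. Names that receive new connections.
    Backup servers are used only when no non-backup server is UP, and then only
    the first operational one (HAProxy's default without 'allbackups')."""
    active = [n for n, up, bk in servers if up and not bk]
    if active:
        return active
    return [n for n, up, bk in servers if up and bk][:1]


if __name__ == "__main__":
    # mysql1 fails three checks in a row, recovers, and traffic moves back
    print(replay([True, False, False, True, False, False, False, True, True]))
    print(eligible_servers([("mysql1", False, False), ("mysql2", True, True)]))
```

With the page's `inter 3s fall 3`, a dead master is removed roughly nine seconds after its last successful check; during that window new connections still go to it, and `rise 2` means it is reinstated after two good checks, so a flapping node can oscillate. Lengthening `fall` trades slower detection for fewer false removals.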
Steps for generating a self-signed certificate; if you have a purchased certificate, skip this part.
$ sudo mkdir /etc/ssl/example.com
$ sudo openssl genrsa -out /etc/ssl/example.com/example.com.key 1024
$ sudo openssl req -new -key /etc/ssl/example.com/example.com.key -out /etc/ssl/example.com/example.com.csr
> Country Name (2 letter code) [AU]:CN
> State or Province Name (full name) [Some-State]:Guangdong
> Locality Name (eg, city) []:Shenzhen
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:example
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:*.example.com
> Email Address []:
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
$ sudo openssl x509 -req -days 365 -in /etc/ssl/example.com/example.com.csr -signkey /etc/ssl/example.com/example.com.key -out /etc/ssl/example.com/example.com.crt
$ sudo cat /etc/ssl/example.com/example.com.crt /etc/ssl/example.com/example.com.key | sudo tee /etc/ssl/example.com/example.com.pem
/etc/haproxy/haproxy.cfg
frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/ssl/example.com/example.com.pem
    mode http
    default_backend nodes

backend nodes
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD / HTTP/1.1\r\nHost:www.example.com
    server web01 172.16.0.1:80 check
    server web02 172.16.0.2:80 check
    server web03 172.16.0.3:80 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
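Because TLS terminates at HAProxy, the web servers only ever see the proxy's address and plain HTTP; `option forwardfor` and the two `http-request` lines are how the original client address, scheme and port reach them. The application on `web01..03` then has to read those headers, and it must do so only when the TCP peer really is the proxy, otherwise any direct client can forge them. The following is an added example of that backend-side logic, not code from the page or from HAProxy. The proxy network in `TRUSTED_PROXIES` is an assumption (the page does not give the HAProxy host's address), and the request samples in the test are constructed.

```python
"""Derive the real client address and scheme behind HAProxy.

Added example (not from the page or the HAProxy project). It is the
application-side counterpart of 'option forwardfor' plus the X-Forwarded-Proto
and X-Forwarded-Port headers: forwarded headers are believed only when the
connection comes from a trusted proxy. TRUSTED_PROXIES is an assumed value.
"""
import ipaddress

# Assumption: the HAProxy host(s) in front of the web servers live in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted_proxy(peer_ip):
    """True if the TCP peer that connected to us is one of our own proxies."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_info(peer_ip, headers):
    """Return (client_ip, scheme, port) for one request.

    peer_ip: address of the socket peer as seen by the application server.
    headers: request headers as a dict; lookup is case-insensitive here.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not is_trusted_proxy(peer_ip):
        # Direct connection or an unknown hop: forwarded headers are untrusted,
        # so the peer itself is the client and the scheme is whatever we serve.
        return peer_ip, "http", None

    # 'option forwardfor' appends the connecting address as the LAST element;
    # anything before it was supplied by whoever sat in front of HAProxy and
    # may be forged, so take the rightmost entry only.
    hops = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    client = hops[-1] if hops else peer_ip
    try:
        ipaddress.ip_address(client)      # reject junk such as 'garbage' or SQL
    except ValueError:
        client = peer_ip

    scheme = "https" if h.get("x-forwarded-proto", "").lower() == "https" else "http"
    port_value = h.get("x-forwarded-port", "")
    port = int(port_value) if port_value.isdigit() else None
    return client, scheme, port


if __name__ == "__main__":
    sample = {"X-Forwarded-For": "203.0.113.5",
              "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}
    print(client_info("10.0.0.10", sample))     # via the proxy: headers honoured
    print(client_info("198.51.100.7", sample))  # direct: headers ignored
```

One caveat that follows directly from the page's configuration: `http-request add-header X-Forwarded-Proto https if { ssl_fc }` appends a header without removing one the client already sent, so a client connecting on port 80 with its own `X-Forwarded-Proto: https` would reach the backend with that value and no proxy-added one. Using `http-request set-header` (which replaces) or deleting the client-supplied header with `http-request del-header X-Forwarded-Proto` in the frontend makes the value the application reads authoritative, which is what the function above assumes.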
Configuring a forced redirect from HTTP to HTTPS
frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/ssl/example.com/example.com.pem
    redirect scheme https if !{ ssl_fc }
    mode http
    default_backend nodes
frontend localhost
    bind *:80
    bind *:443
    option tcplog
    mode tcp
    default_backend nodes

backend nodes
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server web01 172.16.0.3:443 check
    server web02 172.16.0.4:443 check