HAProxy reverse proxy
2022-06-22 21:03:00 【知本知至】
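Introduction
HAProxy is a high-concurrency, high-performance TCP and HTTP load balancer that supports cookie-based persistence and automatic failover.
Build and install from source
One-step installation using a script
Check the version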
[[email protected] ~]#haproxy -v
HAProxy version 2.4.10-bedf277 2021/12/23 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2026.
Known bugs: http://www.haproxy.org/bugs/bugs-2.4.10.html
Running on: Linux 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64
Check the haproxy service status
[[email protected] ~]#systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2022-06-19 11:33:02 CST; 3min 59s ago
Process: 2909 ExecStartPre=/usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q (code=exited, status=0/SUCCESS)
Main PID: 2913 (haproxy)
Tasks: 17
Memory: 31.7M
CGroup: /system.slice/haproxy.service
├─2913 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/lib/haproxy/haproxy.pid
└─2915 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/lib/haproxy/haproxy.pid
Jun 19 11:33:02 centos7 systemd[1]: Starting HAProxy Load Balancer...
Jun 19 11:33:02 centos7 systemd[1]: Started HAProxy Load Balancer.
Jun 19 11:33:02 centos7 haproxy[2913]: [NOTICE] (2913) : New worker #1 (2915) forked
View the haproxy status page
Local and remote logging
haproxy configuration
[[email protected] ~]#grep log /etc/haproxy/haproxy.cfg
log 127.0.0.1 local2 info
log 10.0.0.7 local2 info
rsyslog configuration
[[email protected] ~]#grep -E '^module.*|^inpu.* |^local2.*' /etc/rsyslog.conf
module(load="imudp")
input(type="imudp" port="514")
local2.* /var/log/haproxy.log
Verification: open the haproxy status page in a browser and watch the log
[[email protected] ~]#tail -f /var/log/haproxy.log
Jun 19 11:56:17 localhost haproxy[2838]: Connect from 10.0.0.1:50679 to 10.0.0.7:9999 (stats/HTTP)
Jun 19 11:56:37 localhost haproxy[2838]: Connect from 10.0.0.1:50679 to 10.0.0.7:9999 (stats/HTTP)
Jun 19 11:56:43 localhost haproxy[2838]: Connect from 10.0.0.1:50679 to 10.0.0.7:9999 (stats/HTTP)
Jun 19 11:56:45 localhost haproxy[2838]: Connect from 10.0.0.1:50679 to 10.0.0.7:9999 (stats/HTTP)
HAProxy scheduling algorithms
Static algorithms
static-rr
[[email protected] conf.d]#cat /etc/haproxy/conf.d/static_rr.cfg
listen WEB_PORT_80
bind 10.0.0.7:80
mode http
log global
balance static-rr
server web1 10.0.0.17:80 weight 1 check inter 3000 fall 2 rise 5
server web2 10.0.0.27:80 weight 2 check inter 3000 fall 2 rise 5
Test
[[email protected] ~]#curl 10.0.0.7:80
10.0.0.17
[[email protected] ~]#curl 10.0.0.7:80
10.0.0.27
[[email protected] ~]#curl 10.0.0.7:80
10.0.0.27
first
When the first server's connection count reaches 2, new requests are assigned to the next server
[[email protected] conf.d]#cat first.cfg
listen WEB_PORT_80
bind 10.0.0.7:80
mode http
log global
balance first
server web1 10.0.0.17:80 maxconn 2 weight 1 check inter 3000 fall 2 rise 5
server web2 10.0.0.27:80 weight 1 check inter 3000 fall 2 rise 5
Test
[[email protected] ~]#while :; do curl http://10.0.0.7/index.html;sleep 0.1;done
10.0.0.27
10.0.0.17
10.0.0.17
10.0.0.27
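Dynamic algorithms
Scheduling is based on the load state of the backend servers, and adjustments can be made at runtime without restarting haproxy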
roundrobin
Weight-based round robin
[[email protected] ~]#cat /etc/haproxy/conf.d/round.cfg
listen WEB_PORT_80
bind 10.0.0.7:80
mode http
log global
balance roundrobin
server web1 10.0.0.17:80 weight 1 check inter 3000 fall 2 rise 5
server web2 10.0.0.27:80 weight 2 check inter 3000 fall 2 rise 5
Test
[[email protected] ~]#for i in {1..6};do curl http://10.0.0.7/index.html;sleep 0.1;done
10.0.0.17
10.0.0.27
10.0.0.17
10.0.0.17
10.0.0.17
10.0.0.27
Adjust the weight
[[email protected] ~]#echo "get weight WEB_PORT_80/web1"|socat stdio /var/lib/haproxy/haproxy.sock
1 (initial 1)
[[email protected] ~]#echo "set weight WEB_PORT_80/web1 3 "|socat stdio /var/lib/haproxy/haproxy.sock
[[email protected] ~]#echo "get weight WEB_PORT_80/web1"|socat stdio /var/lib/haproxy/haproxy.sock
3 (initial 1)
Test
[[email protected] ~]#for i in {1..10};do curl http://10.0.0.7/index.html;sleep 0.1;done
10.0.0.17
10.0.0.17
10.0.0.27
10.0.0.17
10.0.0.17
10.0.0.17
10.0.0.27
10.0.0.17
10.0.0.17
10.0.0.27
leastconn
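Weighted least-connection dynamic scheduling; supports runtime weight adjustment and slow start. Suitable scenario: long-lived connections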
[[email protected] conf.d]#cat leastcon.cfg
listen WEB_PORT_80
bind 10.0.0.7:80
mode http
log global
balance leastconn
server web1 10.0.0.17:80 weight 1 check inter 3000 fall 2 rise 5
server web2 10.0.0.27:80 weight 1 check inter 3000 fall 2 rise 5
random
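Random load balancing
Other algorithms
These can work as static algorithms, or be switched to dynamic algorithms through parameters
source hash: hashing of the source address
map-based modulo method
consistent hash
uri modulo hash: hash the URI part of the user's request, then take the hash result modulo the total weight
uri consistent hash
url_param: hash the value that belongs to the given key in the URL's params.
hdr: hash the specified header of the HTTP request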
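The difference between the modulo (map-based) method and consistent hashing listed above, as an added example that is not from the original post: it counts how many URIs change server when a third server joins the farm. The hash function (truncated SHA-256), the 100 ring points per weight unit and the server web3 are assumptions for illustration; this is a simplified model, not HAProxy's internal implementation.

```python
import bisect
import hashlib

def h(key: str) -> int:
    """Stand-in hash (SHA-256 truncated to 32 bits); not HAProxy's own hash function."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big")

def map_based(uri: str, servers: dict) -> str:
    """Modulo method: hash the URI, take it modulo the total weight, index the slot table."""
    slots = [name for name, weight in servers.items() for _ in range(weight)]
    return slots[h(uri) % len(slots)]

def build_ring(servers: dict, points_per_weight: int = 100) -> list:
    """Consistent hashing: each server owns weight * points_per_weight points on a ring."""
    return sorted((h(f"{name}#{i}"), name)
                  for name, weight in servers.items()
                  for i in range(weight * points_per_weight))

def consistent(uri: str, ring: list) -> str:
    """Pick the first ring point at or after the URI's hash, wrapping around at the end."""
    idx = bisect.bisect_left(ring, (h(uri), ""))
    return ring[idx % len(ring)][1]

def remapped_fraction(uris, before: dict, after: dict) -> tuple:
    """Fraction of URIs whose server changes when the farm goes from `before` to `after`."""
    ring_b, ring_a = build_ring(before), build_ring(after)
    moved_map = sum(map_based(u, before) != map_based(u, after) for u in uris)
    moved_ring = sum(consistent(u, ring_b) != consistent(u, ring_a) for u in uris)
    return moved_map / len(uris), moved_ring / len(uris)

# Constructed input: 5000 sample URIs; web1/web2 carry the page's weights, web3 is hypothetical.
URIS = [f"/static/img/{i}.png" for i in range(5000)]
BEFORE = {"web1": 1, "web2": 2}
AFTER = {"web1": 1, "web2": 2, "web3": 1}

if __name__ == "__main__":
    m, c = remapped_fraction(URIS, BEFORE, AFTER)
    print(f"map-based: {m:.0%} of URIs moved; consistent: {c:.0%} moved")
```

With the modulo method a change in total weight reshuffles most keys across all servers, while on the ring the only keys that move are the ones taken over by the new server, which matters for cache hit rate and session stickiness during scale-out or a server failure.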
rdp-cookie
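haproxy works with the Windows RDP protocol and keeps sessions persistent through a cookie
On the proxied host, allow remote access; its IP address is 10.0.0.60/24; set a login password for the user, because Windows remote desktop refuses logins with an empty password
HAProxy configuration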
[[email protected] conf.d]#cat /etc/haproxy/conf.d/rdp.cfg
listen RDP
bind 10.0.0.7:3389
balance rdp-cookie
mode tcp
server rdp1 10.0.0.60:3389 check fall 3 rise 5 inter 2000 weight 1
Enable IP forwarding
[[email protected] conf.d]#sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[[email protected] conf.d]#sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Configure the firewall rule
[[email protected] conf.d]#iptables -t nat -A PREROUTING -d 192.168.0.7 -p tcp --dport 3389 -j DNAT --to-destination 10.0.0.60:3389
[[email protected] conf.d]#iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.0.7 tcp dpt:3389 to:10.0.0.60:3389
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 22 packets, 1320 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 22 packets, 1320 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (0 references)
pkts bytes target prot opt in out source destination
Test
After a successful login, check the ports on the remote computer
ACL
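An access control list (ACL) is an access control technique based on packet filtering.
It matches and filters the packets passing through the server against the configured conditions.
Domain name matching
haproxy configuration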
[[email protected] conf.d]#cat acl.cfg
frontend WEB_PORT_80
bind 10.0.0.7:80
mode http
log global
balance leastconn
option httplog
######### acl setting
acl pc_domain hdr_dom(host) -i www.kktb.org
acl mobile_domain hdr_dom(host) -i mobile.kktb.org
######## acl hosts
use_backend pc_hosts if pc_domain
use_backend mobile_hosts if mobile_domain
default_backend pc_hosts
######## backend hosts
backend mobile_hosts
mode http
server web1 10.0.0.17:80 check inter 3000 fall 2 rise 5
backend pc_hosts
mode http
server web2 10.0.0.27:80 check inter 3000 fall 2 rise 5
Test
[[email protected] ~]#curl www.kktb.org
10.0.0.27
[[email protected] ~]#curl mobile.kktb.org
10.0.0.17
[[email protected] ~]#curl kktb.org
10.0.0.27
Match the browser type
[[email protected] ~]#cat /etc/haproxy/conf.d/browser.cfg
frontend WEB_PORT_80
bind 10.0.0.7:80
mode http
log global
balance roundrobin
option httplog
######### acl setting
acl acl_user_agent hdr_sub(User-Agent) -i curl wget
acl acl_user_agent_ab hdr_sub(User-Agent) -i ApacheBench
######## acl hosts
redirect prefix http://www.baidu.com if acl_user_agent
http-request deny if acl_user_agent_ab
default_backend pc_hosts
######## backend hosts
backend mobile_hosts
mode http
server web1 10.0.0.17:80 check inter 3000 fall 2 rise 5
backend pc_hosts
mode http
server web2 10.0.0.27:80 check inter 3000 fall 2 rise 5
Test
[[email protected] ~]#curl -I 10.0.0.7
HTTP/1.1 302 Found
content-length: 0
location: http://www.baidu.com/
cache-control: no-cache
Access using the ab tool
[[email protected] ~]#ab -n1 -c 1 http://10.0.0.7/
This is ApacheBench, Version 2.3 <$Revision: 1807734 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 10.0.0.7 (be patient).....done
Server Software:
Server Hostname: 10.0.0.7
Server Port: 80
Document Path: /
Document Length: 93 bytes
Concurrency Level: 1
Time taken for tests: 0.002 seconds
Complete requests: 1
Failed requests: 0
Non-2xx responses: 1
Total transferred: 208 bytes
HTML transferred: 93 bytes
Requests per second: 631.71 [#/sec] (mean)
Time per request: 1.583 [ms] (mean)
Time per request: 1.583 [ms] (mean, across all concurrent requests)
Transfer rate: 128.32 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 1 1 0.0 1 1
Processing: 1 1 0.0 1 1
Waiting: 1 1 0.0 1 1
Total: 2 2 0.0 2 2
Check the log
Jun 20 13:20:53 localhost haproxy[2316]: 10.0.0.80:40790 [20/Jun/2022:13:20:53.892] WEB_PORT_80 WEB_PORT_80/<NOSRV> 0/-1/-1/-1/0 403 192 - - PR-- 1/1/0/0/0 0/0 "GET / HTTP/1.0"
Jun 20 13:20:53 centos7 haproxy[2316]: 10.0.0.80:40790 [20/Jun/2022:13:20:53.892] WEB_PORT_80 WEB_PORT_80/<NOSRV> 0/-1/-1/-1/0 403 192 - - PR-- 1/1/0/0/0 0/0 "GET / HTTP/1.0"
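Detection logic for the log lines above, as an added example that is not part of the original post: it parses `option httplog` lines and counts requests that HAProxy itself denied (termination state `PR--`, server `<NOSRV>`, status 403), such as the ApacheBench request blocked by `http-request deny`. The regular expression and function names are written for this example; the first three sample lines are copied from the page and the fourth is constructed.

```python
import re
from collections import Counter

# Fields of an "option httplog" line, in the order they follow the syslog prefix.
HTTPLOG = re.compile(
    r'haproxy\[\d+\]: (?P<client_ip>[\d.]+):(?P<client_port>\d+) '
    r'\[(?P<accept_date>[^\]]+)\] (?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>\S+) (?P<status>-?\d+) (?P<bytes>\+?\d+) \S+ \S+ '
    r'(?P<term_state>\S{4}) (?P<conns>\S+) (?P<queues>\S+) "(?P<request>[^"]*)"'
)

def parse_httplog(line):
    """Return the httplog fields as a dict, or None for any other line format."""
    m = HTTPLOG.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_proxy_deny(rec):
    """HAProxy itself refused the request: state PR.., no server selected, 403 sent."""
    return (rec["term_state"].startswith("PR")
            and rec["server"] == "<NOSRV>" and rec["status"] == 403)

def denied_by_client(lines):
    """Count proxy-denied requests per client IP, counting each request once.

    The page sends logs to both 127.0.0.1 and 10.0.0.7, so the same request can be
    written twice; (client IP, client port, accept date) identifies one request."""
    seen, counts = set(), Counter()
    for line in lines:
        rec = parse_httplog(line)
        if rec is None or not is_proxy_deny(rec):
            continue
        key = (rec["client_ip"], rec["client_port"], rec["accept_date"])
        if key not in seen:
            seen.add(key)
            counts[rec["client_ip"]] += 1
    return counts

SAMPLE = [  # lines 1-3 are copied from the page; line 4 is constructed
    'Jun 20 13:20:53 localhost haproxy[2316]: 10.0.0.80:40790 [20/Jun/2022:13:20:53.892] WEB_PORT_80 WEB_PORT_80/<NOSRV> 0/-1/-1/-1/0 403 192 - - PR-- 1/1/0/0/0 0/0 "GET / HTTP/1.0"',
    'Jun 20 13:20:53 centos7 haproxy[2316]: 10.0.0.80:40790 [20/Jun/2022:13:20:53.892] WEB_PORT_80 WEB_PORT_80/<NOSRV> 0/-1/-1/-1/0 403 192 - - PR-- 1/1/0/0/0 0/0 "GET / HTTP/1.0"',
    'Jun 19 11:56:17 localhost haproxy[2838]: Connect from 10.0.0.1:50679 to 10.0.0.7:9999 (stats/HTTP)',
    'Jun 20 13:21:02 localhost haproxy[2316]: 10.0.0.1:50912 [20/Jun/2022:13:21:02.114] WEB_PORT_80 pc_hosts/web2 0/0/1/1/2 200 230 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"',
]

if __name__ == "__main__":
    print(dict(denied_by_client(SAMPLE)))
```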
Match the request path to separate static and dynamic content
[[email protected] conf.d]#cat dynamic_static_url.cfg
frontend WEB_PORT_80
bind 10.0.0.7:80
mode http
log global
balance roundrobin
option httplog
######### acl setting
acl acl_static path_beg -i /static /images /javascript
acl acl_static path_end -i .jpg .jpeg .png .gif .css .js .html .htm
acl acl_app path_beg -i /api
######## acl hosts
use_backend static_hosts if acl_static
use_backend app_hosts if acl_app
default_backend app_hosts
######## backend hosts
backend static_hosts
mode http
server web1 10.0.0.17:80 check inter 3000 fall 2 rise 5
backend app_hosts
mode http
server web2 10.0.0.27:80 check inter 3000 fall 2 rise 5
Backend
[[email protected] html]#mkdir {static,images,javascript}
[[email protected] html]#echo "`hostname -I`" >> static/index.html
Test
[[email protected] ~]#curl 10.0.0.7/static/index.html
10.0.0.17