HAProxy Profile and Configuration File Details (I)

Keywords: Session SSL Unix network

Introduction to HAProxy
HAProxy provides high availability, load balancing and application proxying for TCP and HTTP, and is well suited to handling layer 7 requests for high-load sites. A proxy of this kind also shields the internal real servers from attacks.
HAProxy features and advantages:
1. Native SSL support, on both the client side and the server side.
2. Supports IPv6 and UNIX sockets.
3. Supports HTTP Keep-Alive.
4. Supports HTTP/1.1 compression, saving bandwidth.
5. Supports improved health check mechanisms (SSL, scripted TCP, check agent...).
6. Supports layer 7 load balancing.
7. Very good reliability and stability.
8. 40,000-50,000 concurrent connections, a maximum of 20,000 requests processed per unit of time, and a maximum data throughput of 10 Gbps.
9. Supports eight load balancing algorithms and session persistence.
10. Supports virtual hosts.
11. Supports connection rejection and transparent proxying.
12. Provides a server status monitoring page.
13. Supports ACLs.

HAProxy keeps a client's session on the same server (session persistence). There are three approaches: client IP, cookie and session.
1. HAProxy computes and stores a hash of the client IP, so that requests arriving from the same IP are always forwarded to the same real server.
2. HAProxy relies on the cookie that the real server sends to the client to maintain the session.
3. HAProxy stores the real server's session together with the server's identity to achieve session persistence.
(Unlike LVS, HAProxy only requires that the back-end servers be reachable over the network; no complicated ARP configuration is needed.)
HAProxy's eight load balancing algorithms:
1. roundrobin: Weight-based round robin.
2. static-rr: Weight-based round robin. A static algorithm: weight changes made at runtime do not take effect.
3. source: Based on the source IP of the request. The source IP is hashed, the result is divided by the total weight of the back-end servers, and the request is forwarded to the matching server, so that requests from the same client IP are always forwarded to the same back-end server.
4. leastconn: Least connections. (Suitable for database load balancing, not for short-session environments.)
5. uri: Hash part of the URI or the whole URI, divide the result by the total weight of the servers, and forward to the matching back end.
6. url_param: Forward according to a parameter in the URL, which ensures that requests from the same user go to the same machine as long as the number of back-end servers does not change.
7. hdr(<name>): Forward according to the named HTTP header; if the header is absent, plain round robin is used.
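
The source algorithm's "hash, then divide by the total weight" step, and the caveat that persistence only holds while the server list is unchanged, shown as an added Python example (not part of the original post and not HAProxy's own code). The address-as-integer hash, the block layout of the slot map and the extra server web3 are assumptions made for the demonstration.

```python
import ipaddress

# Backends and weights as in the post's htmpool; web3 is a hypothetical addition.
BEFORE = [("web1", 6), ("web2", 6)]
AFTER = BEFORE + [("web3", 6)]

def build_map(servers):
    """One slot per unit of weight, so heavier servers own more slots."""
    return [name for name, weight in servers for _ in range(weight)]

def pick_server(client_ip, servers):
    """Hash the source IP and reduce it modulo the total weight."""
    slots = build_map(servers)
    h = int(ipaddress.ip_address(client_ip))  # assumption: address-as-integer hash
    return slots[h % len(slots)]

def remapped(clients, before, after):
    """Clients whose backend changes when the server list changes."""
    return [ip for ip in clients
            if pick_server(ip, before) != pick_server(ip, after)]

# Constructed client population: every address in one /24.
CLIENTS = [str(ip) for ip in ipaddress.ip_network("192.168.1.0/24")]

if __name__ == "__main__":
    print(pick_server("192.168.1.10", BEFORE), pick_server("192.168.1.10", AFTER))
    print(len(remapped(CLIENTS, BEFORE, AFTER)), "of", len(CLIENTS), "clients moved")
```

Under these assumptions, adding a third server of equal weight moves about two thirds of the clients to a different backend, so any session state held only on the old backend is lost for them.
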
HAProxy Main Mode of Work
1. tcp mode: A full-duplex connection is established between the client and the server, and no layer 7 processing of the messages is performed. This is the default mode, commonly used for SSL, SSH and SMTP applications.
2. http mode (commonly used): Client requests are analyzed in depth before being forwarded to the back-end server, and all requests that do not comply with the RFC format are rejected.
HAProxy Architecture Diagram

HAProxy Installation and Configuration File Parameters
HAProxy Installation
    yum install haproxy -y
HAProxy environment
  Configuration file: /etc/haproxy/haproxy.cfg
  global: global configuration section
      Process and security related parameters
      Performance tuning related parameters
      Debug related parameters
  proxies: proxy configuration sections
      defaults: default configuration (default parameters for the three sections frontend, backend and listen)
      frontend: defines a set of listening sockets that receive client requests
      backend: defines a set of back-end servers to which requests are forwarded
      listen: a front end and a back end directly associated with each other
Configuration file details
    global
        # chroot the process into this working directory ("dir" is a placeholder path)
        chroot dir
        # Global log configuration: use the local3 facility of the rsyslog service at 127.0.0.1, level info
        log 127.0.0.1 local3 info
        # Maximum number of concurrent connections per process
        maxconn 4096
        # Number of background processes
        nbproc 1
        # User and group the process runs as
        user nobody
        group nobody
        # Run in the background as a daemon
        daemon
        # Location of the HAProxy pid file
        pidfile /var/run/haproxy-private.pid
        # Buffer size in bytes (commented out)
        #tune.bufsize 16384

    defaults
        # Mode (tcp, http or health)
        mode http
        # Number of connection retries to a back-end server; beyond this it is marked unavailable
        retries 3
        timeout connect 10s    # Maximum time to wait for a connection to a server (the unit is ms when none is given)
        timeout client 20s     # Maximum time to wait for the client to send data
        timeout server 30s     # Maximum time to wait for the server to reply to the client
        timeout check 5s       # Timeout for health checks of back-end servers

    frontend www    # Define a front-end virtual node named www
        # bind [<address>]:<port_range> [interface <interface>] defines the listening socket
        bind *:80
        mode http
        option httplog       # Enable logging of HTTP requests
        option forwardfor    # Lets back-end servers obtain the client IP (adds the X-Forwarded-For header)
        option httpclose     # After the client and server complete a request, HAProxy actively closes the TCP connection (optimization option)
        log global           # Use the global log configuration
        default_backend htmpool    # Back-end service pool to use (htmpool is defined in a backend section)

    backend htmpool    # Define a real server group called htmpool
        mode http
        option redispatch      # Used with cookie persistence: if the back-end server named by the client's cookie has failed, the request is forced to a healthy server instead
        option abortonclose    # Under high load, automatically abort connections that have been waiting in the queue for a long time
        balance roundrobin     # Load balancing algorithm
        cookie SERVERID        # Use a cookie named SERVERID for persistence; the server lines below define each server's cookie value
        # option httpchk <method> <url> <version>
        #   method: OPTIONS, GET or HEAD (HEAD only checks whether the returned status code is 200, which is faster and simpler)
        option httpchk GET /index.php    # Enable HTTP service health checking
        # server <name> <address>[:port] [param*]
        #   [param*] sets parameters for the back-end server:
        #   cookie server1  Cookie value assigned to this back-end server for persistence. The value is checked on each
        #                   request; the server selected on the first request is then used for all later ones.
        #   weight num      Weight
        #   check           Enable health checks for this back-end server
        #   inter num       Interval between health checks
        #   rise num        Number of successful checks needed to go from the failed state to the normal state
        #   fall num        Number of failed checks needed to go from the normal state to the failed state
        #   backup          Marks the server as a backup, used only when all other real servers are unavailable
        server web1 192.168.1.186:80 cookie server1 weight 6 check inter 2000 rise 2 fall 3
        server web2 192.168.1.188:80 cookie server2 weight 6 check inter 2000 rise 2 fall 3

    listen admin_stats    # Define the HAProxy monitoring page
        bind 0.0.0.0:9188
        mode http
        log 127.0.0.1 local3 err
        stats refresh 30s                      # Automatic refresh interval of the statistics page
        stats uri /haproxy-status              # URL path of the monitoring page; view it at http://IP:9188/haproxy-status
        stats realm welcome\ login\ Haproxy    # Prompt shown in the statistics page password box (spaces must be escaped)
        stats auth admin:123456                # User and password for the statistics page (sample value; replace the password before use)
        stats hide-version                     # Hide HAProxy version information
        stats admin if TRUE                    # With TRUE, back-end real servers can be enabled and disabled manually from the monitoring page
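
The admin_stats listener above binds to every interface, uses a six-character password and grants admin actions unconditionally. As an added example (not from the original post), this Python check parses a haproxy.cfg and reports those three settings; the 12-character threshold, the function names and the tightened sample configuration are assumptions.

```python
import re

# Constructed samples: the stats listener as shown in the post, and a tightened variant.
PAGE_CFG = """
listen admin_stats
    bind 0.0.0.0:9188
    stats uri /haproxy-status
    stats auth admin:123456
    stats admin if TRUE
"""
HARDENED_CFG = """
listen admin_stats
    bind 127.0.0.1:9188
    stats uri /haproxy-status
    stats auth admin:REPLACE-WITH-LONG-RANDOM-SECRET
    stats admin if LOCALHOST
"""
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
MIN_PASSWORD_LEN = 12  # assumed policy threshold, not an HAProxy setting

def parse_sections(text):
    """Split a config into [(header, [token lists])]; '#' starts a comment."""
    sections = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens and tokens[0] in SECTIONS:
            sections.append((" ".join(tokens[:2]), []))
        elif tokens and sections:
            sections[-1][1].append(tokens)
    return sections

def audit_stats(text):
    """Return findings for every section that serves the stats page."""
    findings = []
    for header, lines in parse_sections(text):
        if not any(l[0] == "stats" for l in lines):
            continue
        passwords = [l[2].partition(":")[2] for l in lines
                     if l[:2] == ["stats", "auth"] and len(l) > 2]
        if not passwords:
            findings.append(f"{header}: stats page has no authentication")
        elif min(map(len, passwords)) < MIN_PASSWORD_LEN:
            findings.append(f"{header}: stats auth password is too short")
        for l in lines:
            if l[0] == "bind" and len(l) > 1 and re.match(r"(\*|0\.0\.0\.0|::)?:\d+", l[1]):
                findings.append(f"{header}: stats page listens on all interfaces")
            if l[:3] == ["stats", "admin", "if"] and l[3:4] == ["TRUE"]:
                findings.append(f"{header}: stats admin is unconditional")
    return findings
```

Calling audit_stats(PAGE_CFG) returns three findings and audit_stats(HARDENED_CFG) returns none; LOCALHOST is HAProxy's predefined ACL for connections from 127.0.0.1/8.
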
ACL permissions
    # Layer 3/4 matching on dst and src, the destination IP and source IP (written in the frontend)
    # Deny access to users in the 192.168.0.0/24 segment
    acl bad src 192.168.0.0/24
    block if bad    # newer HAProxy releases deprecate block in favour of: http-request deny if bad
    # Layer 7 matching: req.hdr([<name>[,<occ>]])
    # When a user accesses www.server2.com (regular-expression match on the Host header), the proxy forwards to server2; -i makes the match case-insensitive
    # The dots are escaped so that they match a literal "." only
    acl www hdr_reg(host) -i ^(www\.server2\.com)$
    use_backend server2 if www
    # Other acl settings
    acl url_static path_end .git .png .css .js    # Matches the end of the request URL
    acl host_www hdr_beg(host) -i www
    acl host_static hdr_beg(host) -i img. video. download. ftp.    # Matches the beginning of the domain name
Log configuration
  Create the rsyslog configuration file:
      vim /etc/rsyslog.d/haproxy.conf
  File contents:
      $ModLoad imudp
      $UDPServerRun 514
      local3.* /var/log/haproxy
  Restart rsyslog:
      systemctl restart rsyslog
   
Reference Blog: http://51eat.blog.51cto.com/11892702/1891934 

Posted by wgordonw1 on Wed, 17 Apr 2019 09:36:34 -0700