操作背景:
前方有一臺haproxy代理機器(115.100.120.57/192.168.1.7),後方兩臺realserver機器(192.168.1.150、192.168.1.151,沒有公網ip,部署了很多站點)
將域名解析到haproxy機器的公網ip,在haproxy配置檔案裡,根據域名轉發至後端realserver上。
haproxy代理配置:根據域名進行轉發(即後端機器不管部署多少個域名,都可以直接在haproxy配置檔案裡通過域名對域名方式直接指定)
nginx代理配置:根據埠進行轉發(即後端機器部署多個域名時,在前面nginx配置裡通過upstream負載到不同的埠上)
----------------------------------------------------------------------------------------------------------
下面是haproxy代理伺服器上的操作
(1)關閉SElinux、配置防火牆 (後端realserver機器的iptables防火牆可以限制只允許代理伺服器訪問)
[root@localhost ~]# vim /etc/config/selinux
SELINUX=disabled
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
[root@localhost ~]# vim /etc/sysconfig/iptables
.......
-A INPUT -s 115.100.120.0/24 -d 224.0.0.18 -j ACCEPT #允許組播地址通訊(這裡,我將機器的公網和私網地址都放了)
-A INPUT -s 192.168.1.0/24 -d 224.0.0.18 -j ACCEPT
-A INPUT -s 115.100.120.0/24 -p vrrp -j ACCEPT #允許 VRRP(虛擬路由器冗餘協)通訊
-A INPUT -s 192.168.1.0/24 -p vrrp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
[root@localhost ~]# /etc/init.d/iptables restart
(2)安裝haproxy
1)安裝編譯工具
[root@localhost ~]# yum install gcc gcc-c++ make openssl-devel kernel-devel
2)安裝 haproxy
下載 haproxy,放到/usr/local/src目錄下
haproxy-1.5.14.tar.gz下載:https://pan.baidu.com/s/1jI8qiyy
提取密碼:u77d
[root@localhost ~]# cd /usr/local/src
[root@localhost src]# ls haproxy-1.5.14.tar.gz
[root@localhost ~]# tar zxvf haproxy-1.5.14.tar.gz
[root@localhost ~]# cd haproxy-1.5.14
接著進行haproxy的編譯安裝,haproxy編譯沒有configure,直接make->make install
[root@localhost haproxy-1.5.14]# make TARGET=linux26 CPU=x86_64 PREFIX=/usr/local/haprpxy USE_OPENSSL=1 ADDLIB=-lz
[root@localhost haproxy-1.5.14]# ldd haproxy | grep ssl
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f06ae977000)
[root@localhost haproxy-1.5.14]# make install PREFIX=/usr/local/haproxy
編譯引數說明:
TARGET=linux26 : 使用 uname -r 檢視核心,如:2.6.18-371.el5,此時該引數就為linux26
CPU=x86_64 : 使用 uname -r 檢視系統資訊,如 x86_64 x86_64 x86_64 GNU/Linux,此時該引數就為 x86_64
PREFIX : 後面跟的是haprpxy的安裝路徑
USE_OPENSSL=1 ADDLIB=-lz : 支援ssl
3)設定 haproxy
[root@localhost src]# mkdir -p /usr/local/haproxy/conf
[root@localhost src]# mkdir -p /etc/haproxy
[root@localhost src]# cp /usr/local/src/haproxy-1.5.14/examples/haproxy.cfg /usr/local/haproxy/conf/haproxy.cfg
[root@localhost src]# ln -s /usr/local/haproxy/conf/haproxy.cfg /etc/haproxy/haproxy.cfg
[root@localhost src]# cp -r /usr/local/src/haproxy-1.5.14/examples/errorfiles /usr/local/haproxy/errorfiles
[root@localhost src]# ln -s /usr/local/haproxy/errorfiles /etc/haproxy/errorfiles
[root@localhost src]# mkdir -p /usr/local/haproxy/log
[root@localhost src]# touch /usr/local/haproxy/log/haproxy.log
[root@localhost src]# ln -s /usr/local/haproxy/log/haproxy.log /var/log/haproxy.log
[root@localhost src]# cp /usr/local/src/haproxy-1.5.14/examples/haproxy.init /etc/rc.d/init.d/haproxy
[root@localhost src]# chmod +x /etc/rc.d/init.d/haproxy
[root@localhost src]# chkconfig haproxy on
[root@localhost src]# ln -s /usr/local/haproxy/sbin/haproxy /usr/sbin
4)配置 haproxy.cfg 引數
[root@localhost src]# cp /usr/local/haproxy/conf/haproxy.cfg /usr/local/haproxy/conf/haproxy.cfg-bak
[root@localhost src]# vim /usr/local/haproxy/conf/haproxy.cfg #可以直接貼上進去使用
# this config needs haproxy-1.1.28 or haproxy-1.2.1
global
log 127.0.0.1 local0 info #在本機記錄日誌
maxconn 65535 #每個程式可用的最大連線數
chroot /usr/local/haproxy #haproxy 安裝目錄
uid nobody #執行haproxy的使用者uid(使用id號也行)
gid nobody #執行haproxy的組uid(使用id號也行)
daemon #以後臺守護程式執行
defaults
log global
mode http #執行模式tcp、http、health
retries 3 #三次連線失敗,則判斷服務不可用
option redispatch #如果後端有伺服器當機,強制切換到正常伺服器
stats uri /haproxy #統計頁面 URL 路徑
stats refresh 30s #統計頁面自動重新整理時間
stats realm haproxy-status #統計頁面輸入密碼框提示資訊
stats auth admin:dxInCtFianKtL]36 #統計頁面使用者名稱和密碼
stats hide-version #隱藏統計頁面上 HAProxy 版本資訊
maxconn 65535 #每個程式可用的最大連線數
timeout connect 5000 #連線超時
timeout client 50000 #客戶端超時
timeout server 50000 #服務端超時
frontend http-in #自定義描述資訊
mode http #執行模式tcp、http、health
maxconn 65535 #每個程式可用的最大連線數
bind :80 #監聽80埠
log global
option httplog
option httpclose #每次請求完畢後主動關閉 http 通道
acl is_1 hdr_beg(host) -i testwww.huanqiu.com #規則設定,-i後面是要訪問的域名;多個域名,就寫多個規則,但is_1/2/...要與後面的use_backend 對應
acl is_2 hdr_beg(host) -i testchina.huanqiu.com
acl is_3 hdr_beg(host) -i testworld.huanqiu.com
acl is_4 hdr_beg(host) -i testgame.huanqiu.com
acl is_5 hdr_beg(host) -i testtech.huanqiu.com
acl is_6 hdr_beg(host) -i betawww.huanqiu.com
acl is_7 hdr_beg(host) -i betachina.huanqiu.com
acl is_8 hdr_beg(host) -i betaworld.huanqiu.com
acl is_9 hdr_beg(host) -i betagame.huanqiu.com
acl is_10 hdr_beg(host) -i betatech.huanqiu.com
use_backend test-server if is_1 #如果訪問is_1設定的域名,就負載均衡到下面backend設定的對應test-server上,其他的域名同理
use_backend test-server if is_2
use_backend test-server if is_3
use_backend test-server if is_4
use_backend test-server if is_5
use_backend beta-server if is_6 #如果訪問is_6設定的域名,就負載均衡到下面backend設定的對應beta-server上,其他的域名同理
use_backend beta-server if is_7
use_backend beta-server if is_8
use_backend beta-server if is_9
use_backend beta-server if is_10
backend test-server
mode http
balance roundrobin #設定負載均衡模式,source 儲存 session 值,roundrobin 輪詢模式
cookie SERVERID insert indirect nocache
option httpclose
option forwardfor
server web01 192.168.1.150:80 weight 1 cookie 3 check inter 2000 rise 2 fall 5 #由於後端同組的機器只有一臺,這裡就設定一臺;如果後端是多臺的話,就都加上,進行負載。
backend beta-server
mode http
balance roundrobin
cookie SERVERID insert indirect nocache
option httpclose
option forwardfor
server web01 192.168.1.151:80 weight 1 cookie 4 check inter 2000 rise 2 fall 5
---------------------------------------------------------
引數解釋
#inter 2000 心跳檢測時間;
rise 2 三次連線成功,表示伺服器正常;
fall 5 三次連線失敗,表示伺服器異常;
weight 1 權重設定
---------------------------------------------------------
[root@localhost ~]#service haproxy start #啟動
[root@localhost ~]#service haproxy stop #關閉
[root@localhost ~]#service haproxy restart #重啟
[root@localhost ~]#service haproxy restart #檢視狀態
5)啟動haproxy日誌
haproxy日誌配置好之後,如上haproxy日誌路徑是/var/log/haproxy.log,但是預設情況下,haproxy日誌是沒有記錄的!
需要做如下設定:
[root@localhost ~]# vim /etc/rsyslog.conf
.............
$ModLoad imudp #去掉這行註釋
$UDPServerRun 514 #去掉這會註釋,rsyslog 預設情況下,需要在514埠監聽UDP
local0.* /var/log/haproxy.log #新增這一行,這個日誌檔案是在上面設定的
重啟rsyslog服務
[root@localhost ~]# /etc/init.d/rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
訪問網站,檢視haproxy日誌:
[root@kvm-server conf]# tail -f /var/log/haproxy.log
tail: inotify cannot be used, reverting to polling
Sep 21 15:17:22 localhost haproxy[85360]: 124.65.197.154:2546 [21/Sep/2016:15:17:22.719] http-in test-server/web01 0/0/1/130/131 200 2692 - - --VN 4/4/0/0/0 0/0 "GET / HTTP/1.1"
Sep 21 15:17:22 localhost haproxy[85360]: 124.65.197.154:2546 [21/Sep/2016:15:17:22.719] http-in test-server/web01 0/0/1/130/131 200 2692 - - --VN 4/4/0/0/0 0/0 "GET / HTTP/1.1"
Sep 21 15:17:24 localhost haproxy[85360]: 124.65.197.154:11482 [21/Sep/2016:15:17:22.719] http-in test-server/web01 1754/0/1/44/1799 404 615 - - --VN 3/3/0/0/0 0/0 "GET /upload/20160325/201603251450171458888617180-100.jpg HTTP/1.1"
Sep 21 15:17:24 localhost haproxy[85360]: 124.65.197.154:11482 [21/Sep/2016:15:17:22.719] http-in test-server/web01 1754/0/1/44/1799 404 615 - - --VN 3/3/0/0/0 0/0 "GET /upload/20160325/201603251450171458888617180-100.jpg HTTP/1.1"
Sep 21 15:17:40 localhost haproxy[85360]: 124.65.197.154:13161 [21/Sep/2016:15:17:22.719] http-in http-in/<NOSRV> -1/-1/-1/-1/17980 400 187 - - CR-- 2/2/0/0/0 0/0 "<BADREQ>"
Sep 21 15:17:40 localhost haproxy[85360]: 124.65.197.154:13161 [21/Sep/2016:15:17:22.719] http-in http-in/<NOSRV> -1/-1/-1/-1/17980 400 187 - - CR-- 2/2/0/0/0 0/0 "<BADREQ>"
6)檢視統計頁面的情況
可以根據haproxy.cfg裡面配置的url進行訪問(使用者名稱和密碼也在配置檔案裡)
比如:
http://testwww.huanqiu.com/haproxy
到此,haproxy的反向代理配置就已經結束了。
只有後端realserver的nginx裡對於域名配置ok,就可以直接訪問域名,通過haproxy代理轉發到後端realserver上了~~
*******************************************************************************************************************
上面配置的haproxy是針對http方式的代理
下面接著說下haproxy針對https方式的代理
由於前面提到haproxy在編譯安裝的時候,已經支援ssl了
現在就需要新增pem證書即可!
由於在其他伺服器上已經有了在用的證書,購買的*萬用字元的證書,所以直接拿過來用即可
證書存放路徑例如是/usr/local/haproxy/ssl
[root@localhost ~]# mkdir /usr/local/haproxy/ssl
[root@localhost ~]# cd /usr/local/haproxy/ssl
[root@localhost ssl]# ls
huanqiu.cer huanqiu.key
製作成pem證書
[root@localhost ssl]# cat huanqiu.cer huanqiu.key | tee huanqiu.pem
[root@localhost ssl]# ls
huanqiu.cer huanqiu.key huanqiu.pem
----------------------------------------------------------------------------------------------------
如果沒有提前準備好的證書,就需要手動建立,建立方法如下:
[root@localhost ssl]# openssl genrsa -des3 -out huanqiu.key 1024
Generating RSA private key, 1024 bit long modulus
................................++++++
....................................++++++
e is 65537 (0x10001)
Enter pass phrase for huanqiu.key: #提示輸入密碼,比如這裡我輸入123456
Verifying - Enter pass phrase for huanqiu.key: #確認密碼,繼續輸入123456
[root@localhost ssl]# ls #檢視,已生成CSR(Certificate Signing Request)檔案
huanqiu.key
[root@localhost ssl]# openssl req -new -key huanqiu.key -out huanqiu.csr
Enter pass phrase for huanqiu.key: #輸入123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn #國家
State or Province Name (full name) []:beijing #省份
Locality Name (eg, city) [Default City]:beijing #地區名字
Organization Name (eg, company) [Default Company Ltd]:huanqiu #公司名
Organizational Unit Name (eg, section) []:Technology #部門
Common Name (eg, your name or your server's hostname) []:huanqiu #CA主機名
Email Address []:wangshibo@huanqiu.com #郵箱
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 #證書請求金鑰,CA讀取證書的時候需要輸入密碼
An optional company name []:huanqiu #-公司名稱,CA讀取證書的時候需要輸入名稱
[root@localhost ssl]# ls
huanqiu.csr huanqiu.key
[root@localhost ssl]# cp huanqiu.key huanqiu.key.bak
[root@localhost ssl]# openssl rsa -in huanqiu.key.bak -out huanqiu.key
Enter pass phrase for huanqiu.key.bak: #輸入123456
writing RSA key
[root@linux-node1 ssl]# openssl x509 -req -days 365 -in huanqiu.csr -signkey huanqiu.key -out huanqiu.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/emailAddress=wangshibo@huanqiu.com
Getting Private key
[root@linux-node1 ssl]# ll
total 24
-rw-r--r-- 1 root root 960 Sep 12 16:01 huanqiu.crt
-rw-r--r-- 1 root root 769 Sep 12 15:59 huanqiu.csr
-rw-r--r-- 1 root root 887 Sep 12 16:01 huanqiu.key
-rw-r--r-- 1 root root 963 Sep 12 16:01 huanqiu.key.bak
----------------------------------------------------------------------------------------------------
接著在haproxy.cfg裡新增ssl代理的配置內容
比如:配置https://testwww.xqshijie.com和https://betawww.xqshijie.com的代理內容,分別轉發到192.168.1.150和192.168.1.151上(如果是多個域名的https方式代理,同理,直接在下面對應區域新增配置即可)
[root@linux-node1 conf]# pwd
/usr/local/haproxy/conf
[root@linux-node1 conf]# cat haproxy.cfg
# this config needs haproxy-1.1.28 or haproxy-1.2.1
global
log 127.0.0.1 local0 info
maxconn 65535
chroot /usr/local/haproxy
uid nobody
gid nobody
daemon
defaults
log global
mode http
retries 3
option redispatch
stats uri /haproxy
stats refresh 30s
stats realm haproxy-status
stats auth admin:dxInCtFianKtL]36
stats hide-version
maxconn 65535
timeout connect 5000
timeout client 50000
timeout server 50000
frontend http-in
mode http
maxconn 65535
bind :80
log global
option httplog
option httpclose
acl is_1 hdr_beg(host) -i testwww.huanqiu.com
acl is_2 hdr_beg(host) -i testchina.huanqiu.com
acl is_3 hdr_beg(host) -i testworld.huanqiu.com
acl is_4 hdr_beg(host) -i testgame.huanqiu.com
acl is_5 hdr_beg(host) -i testtech.huanqiu.com
acl is_6 hdr_beg(host) -i betawww.huanqiu.com
acl is_7 hdr_beg(host) -i betachina.huanqiu.com
acl is_8 hdr_beg(host) -i betaworld.huanqiu.com
acl is_9 hdr_beg(host) -i betagame.huanqiu.com
acl is_10 hdr_beg(host) -i betatech.huanqiu.com
use_backend test-server if is_1
use_backend test-server if is_2
use_backend test-server if is_3
use_backend test-server if is_4
use_backend test-server if is_5
use_backend beta-server if is_6
use_backend beta-server if is_7
use_backend beta-server if is_8
use_backend beta-server if is_9
use_backend beta-server if is_10
use_backend test-server if is_11
listen TEST_APP_SSL
bind *:443 ssl crt /usr/local/haproxy/ssl/xqshijie.pem
reqadd X-Forwarded-Proto:\ https
mode http
acl is_a hdr_beg(host) -i testwww.huanqiu.com
acl is_b hdr_beg(host) -i betawww.huanqiu.com
use_backend test-server if is_a
use_backend beta-server if is_b
backend test-server
mode http
balance roundrobin
cookie SERVERID insert indirect nocache
option httpclose
option forwardfor
server web01 192.168.1.150:80 weight 1 cookie 3 check inter 2000 rise 2 fall 5
backend beta-server
mode http
balance roundrobin
cookie SERVERID insert indirect nocache
option httpclose
option forwardfor
server web01 192.168.1.151:80 weight 1 cookie 4 check inter 2000 rise 2 fall 5
重啟haproxy服務
[root@linux-node1 conf]# service haproxy restart
這樣,訪問https://testwww.huanqiu.com和https://betawww.huanqiu.com的請求就會被haproxy代理轉發到
後端192.168.1.150和192.168.1.151伺服器上對應域名的443埠!
到此,haproxy的http和https方式的代理部署均已完成!
----------------------------------------------------------------------------------------------------------------------------------
下面說下haproxy代理非http/https方式的配置,比如代理mysql、ftp等其他埠~
當代理非80/443埠是,mode模式就是tcp了
所以要註釋掉或去掉上面配置在haproxy.cnf裡defaults局域的mode https的預設配置
[root@linux-node1 conf]# cat haproxy.cfg
# this config needs haproxy-1.1.28 or haproxy-1.2.1
global
log 127.0.0.1 local0 info
maxconn 65535
chroot /usr/local/haproxy
uid nobody
gid nobody
daemon
defaults
log global
# mode http
retries 3
option redispatch
stats uri /haproxy
stats refresh 30s
stats realm haproxy-status
stats auth admin:dxInCtFianKtL]36
stats hide-version
maxconn 65535
timeout connect 5000
timeout client 50000
timeout server 50000
frontend http-in
mode http
maxconn 65535
bind :80
log global
option httplog
option httpclose
acl is_1 hdr_beg(host) -i testwww.huanqiu.com
acl is_2 hdr_beg(host) -i testchina.huanqiu.com
acl is_3 hdr_beg(host) -i testworld.huanqiu.com
acl is_4 hdr_beg(host) -i testgame.huanqiu.com
acl is_5 hdr_beg(host) -i testtech.huanqiu.com
acl is_6 hdr_beg(host) -i betawww.huanqiu.com
acl is_7 hdr_beg(host) -i betachina.huanqiu.com
acl is_8 hdr_beg(host) -i betaworld.huanqiu.com
acl is_9 hdr_beg(host) -i betagame.huanqiu.com
acl is_10 hdr_beg(host) -i betatech.huanqiu.com
use_backend test-server if is_1
use_backend test-server if is_2
use_backend test-server if is_3
use_backend test-server if is_4
use_backend test-server if is_5
use_backend beta-server if is_6
use_backend beta-server if is_7
use_backend beta-server if is_8
use_backend beta-server if is_9
use_backend beta-server if is_10
use_backend test-server if is_11
listen TEST_APP_SSL
bind *:443 ssl crt /usr/local/haproxy/ssl/xqshijie.pem
reqadd X-Forwarded-Proto:\ https
mode http
acl is_a hdr_beg(host) -i testwww.huanqiu.com
acl is_b hdr_beg(host) -i betawww.huanqiu.com
use_backend test-server if is_a
use_backend beta-server if is_b
backend test-server
mode http
balance roundrobin
cookie SERVERID insert indirect nocache
option httpclose
option forwardfor
server web01 192.168.1.150:80 weight 1 cookie 3 check inter 2000 rise 2 fall 5
backend beta-server
mode http
balance roundrobin
cookie SERVERID insert indirect nocache
option httpclose
option forwardfor
server web01 192.168.1.151:80 weight 1 cookie 4 check inter 2000 rise 2 fall 5
listen mysql_73 0.0.0.0:33061 #代理mysql埠
mode tcp
option tcplog
balance roundrobin
option tcpka
option httpchk
option mysql-check user haproxy
server 10.68.250.73 10.68.250.73:3306 weight 1 check inter 1s rise 2 fall 2
listen mysql_164 0.0.0.0:33062
mode tcp
option tcplog
balance roundrobin
option tcpka
option httpchk
option mysql-check user haproxy
server 10.68.250.164 10.68.250.164:3306 weight 1 check inter 1s rise 2 fall 2
frontend ftp_service #代理ftp(被動模式,埠範圍:40000-40003)
mode tcp
bind *:2021
default_backend ftp_server
frontend ftp
mode tcp
bind *:40000-40003
default_backend ftp_server_data
backend ftp_server
mode tcp
server ftp 10.68.250.198 check port 2021 inter 10s rise 1 fall 2
backend ftp_server_data
mode tcp
server ftp 10.68.250.198 check port 2021 inter 10s rise 1 fall 2
listen node1-9200 0.0.0.0:19200 #本機19200埠代理192.168.1.160的9200埠
mode tcp
option tcplog
balance roundrobin
server 192.168.1.160 192.168.1.160:9200 weight 1 check inter 1s rise 2 fall 2
listen node2-9200 0.0.0.0:19201 #本機19200埠代理192.168.1.160的9200埠
mode tcp
option tcplog
balance roundrobin
server 192.168.1.160 192.168.1.161:9200 weight 1 check inter 1s rise 2 fall 2
重啟haproxy(重啟時的WARNING不影響)
[root@kvm-server conf]# /etc/init.d/haproxy restart
對以上的開放埠要在防火牆iptables裡開通
[root@linux-node1 conf]# cat /etc/sysconfig/iptables
.............
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 33061 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 33062 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2021 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 40000:40003 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 19200 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 19201 -j ACCEPT
以上就是haproxy代理mysql、ftp及其他埠的配置~~~
----------------------------------------------------------------------------------
如下設定,通過haproxy將本機8080和80埠分別反向代理到192.168.34.37的8080以及192.168.72.242的80埠。
[root@ha01 conf]# cat haproxy.cfg
#
# demo config for Proxy mode
#
global
maxconn 20000
ulimit-n 65535
log 127.0.0.1 local0
uid 99
gid 99
chroot /var/empty
nbproc 4
daemon
listen wiki
bind :8080
mode tcp
timeout connect 10000ms
timeout client 5000ms
timeout server 5000ms
server t1 192.168.34.37:8080
listen caf
bind :81
mode http
timeout connect 10000ms
timeout client 5000ms
timeout server 5000ms
server t1 192.168.72.242:81