haproxy 安装

说明

HAProxy的核心功能

• 负载均衡：L4和L7两种模式，支持RR/静态RR/LC/IP Hash/URI Hash/URL_PARAM Hash/HTTP_HEADER Hash等丰富的负载均衡算法
• 健康检查：支持TCP和HTTP两种健康检查模式
• 会话保持：对于未实现会话共享的应用集群，可通过Insert Cookie/Rewrite Cookie/Prefix Cookie，以及上述的多种Hash方式实现会话保持
• SSL：HAProxy可以解析HTTPS协议，并能够将请求解密为HTTP后向后端传输
• HTTP请求重写与重定向
• 监控与统计：HAProxy提供了基于Web的统计信息页面，展现健康状态和流量数据。基于此功能，使用者可以开发监控程序来监控HAProxy的状态

下图是HAProxy的架构：

安装配置

根据不同的操作系统下载安装不同的版本

RHEL 6安装包下载
haproxy-1.5.10.tar.gz：点此下载

RHEL 7安装包下载
haproxy-1.5.10_rhel7.zip：点此下载

RHEL 6安装配置

假设安装在/home/eim/目录下
tar -zxvf haproxy-1.5.10.tar.gz
配置系统启动服务
vim /etc/init.d/haproxy

修改启动脚本的实际路径

    config="/home/eim/haproxy-1.5.10/haproxy.cfg"
    exec="/home/eim/haproxy-1.5.10/sbin/haproxy"

#!/bin/bash
#
# haproxy
#
# chkconfig: 35 85 15
# description: HAProxy is a free, very fast and reliable solution \
# offering high availability, load balancing, and \
# proxying for TCP and HTTP-based applications
# processname: haproxy
# config: /etc/haproxy.cfg
# pidfile: /var/run/haproxy.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

config="/home/eim/haproxy/haproxy.cfg"
exec="/home/eim/haproxy/sbin/haproxy"
prog=$(basename $exec)

[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog

lockfile=/var/lock/subsys/haproxy

check() {
    $exec -c -V -f $config
}

start() {
    $exec -c -q -f $config
    if [ $? -ne 0 ]; then
        echo "Errors in configuration file, check with $prog check."
        return 1
    fi

    echo -n $"Starting $prog: "
    # start it up here, usually something like "daemon $exec"
    daemon $exec -D -f $config -p /var/run/$prog.pid
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    # stop it here, often "killproc $prog"
    killproc $prog 
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    $exec -c -q -f $config
    if [ $? -ne 0 ]; then
        echo "Errors in configuration file, check with $prog check."
        return 1
    fi
    stop
    start
}

reload() {
    $exec -c -q -f $config
    if [ $? -ne 0 ]; then
        echo "Errors in configuration file, check with $prog check."
        return 1
    fi
    echo -n $"Reloading $prog: "
    $exec -D -f $config -p /var/run/$prog.pid -sf $(cat /var/run/$prog.pid)
    retval=$?
    echo
    return $retval
}

force_reload() {
    restart
}

fdr_status() {
    status $prog
}

case "$1" in
    start|stop|restart|reload)
        $1
        ;;
    force-reload)
        force_reload
        ;;
    checkconfig)
        check
        ;;
    status)
        fdr_status
        ;;
    condrestart|try-restart)
      [ ! -f $lockfile ] || restart
    ;;
    *)
        echo $"Usage: $0 {start|stop|status|checkconfig|restart|try-restart|reload|force-reload}"
        exit 2
esac

配置开机自启动

chmod +x /etc/init.d/haproxy
chkconfig --add haproxy
chkconfig --level 2345 haproxy on

启动、停止、重新加载

service haproxy start
service haproxy stop
# 修改haproxy配置文件后，需执行以下命令重载配置
service haproxy reload

# 命令行启动
/data/haproxy-1.5.10/sbin/haproxy -D -f /date/haproxy-1.5.10/haproxy.cfg -p /var/run/haproxy.pid
# 命令行手动重载
/data/haproxy-1.5.10/sbin/haproxy -D -f /data/haproxy-1.5.10/haproxy.cfg -p /var/run/haproxy.pid -sf 已运行haprpoxy进程pid

RHEL 7安装配置

假设安装在/data/目录下
unzip haproxy-1.5.10_rhel7.zip

配置为系统服务，并开机自动启动。如果修改了安装目录，需要同时修改启动脚本haproxy.service的路径

cp haproxy-1.5.10_rhel7/haproxy.service  /etc/systemd/system
systemctl daemon-reload
systemctl enable haproxy

启动、停止、重新加载

systemctl  start haproxy
systemctl  status haproxy
systemctl  reload haproxy
systemctl  stop haproxy

# 命令行启动
/data/haproxy-1.5.10_rhel7/sbin/haproxy -D -f /data/haproxy-1.5.10_rhel7/haproxy.cfg -p /var/run/haproxy.pid
# 命令行手动重载
/data/haproxy-1.5.10_rhel7/sbin/haproxy -D -f /data/haproxy-1.5.10_rhel7/haproxy.cfg -p /var/run/haproxy.pid -sf 已运行haprpoxy进程pid

代理配置

cd /home/data/haproxy-1.5.10
vim haproxy.cfgglobal

    log 127.0.0.1    local0
    log 127.0.0.1    local1 notice
    # log loghost    local0 info
    maxconn 65535
    # 多进程
    nbproc 4
    # 修改以下路径为安装目录
    chroot /home/data/haproxy-1.5.10
    pidfile /var/run/haproxy.pid
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
    tune.ssl.default-dh-param 2048
    uid 99
    gid 99
    daemon


    ##代理tcp端口，并且有多台服务器处理该端口请求
listen imserver 0.0.0.0:5888
        mode tcp
        balance leastconn
        tcp-request inspect-delay 5s
        server imserver01 10.10.110.101:5222 check inter 10s
        server imserver02 10.10.110.102:5222 check inter 10s

    # 代理redis集群master节点
listen redis 0.0.0.0:36379
        mode tcp
        option tcp-check
        balance roundrobin
        tcp-check send PING\r\n
        tcp-check expect string +PONG
#       tcp-check send AUTH\ <your-passphrase>\r\n
#       tcp-check expect string +OK
        tcp-check send info\ replication\r\n
        tcp-check expect string role:master
        tcp-check send QUIT\r\n
        tcp-check expect string +OK
        server redis-1 10.10.15.111:6379 check inter 10s
        server redis-2 10.10.15.112:6379 check inter 10s
        server redis-3 10.10.15.113:6379 check inter 10s


    ##代理http端口
frontend http_in
    ##使用http的方式代理
        bind *:6555  
        bind *:80   ##可配置多个端口来代理
    ##使用https的方式代理，如何生成证书文件，在以下有说明
        bind *:443 ssl crt /home/data/haproxy-1.5.10/ssl/eim.pem
        ##以下表示将用户的http请求转换成https请求
        http-response replace-value Location  ^http://10\.10\.110\.53/(.*)$ https://10.10.110.53/\1
        http-response replace-value Location  ^http://weixin\.bjhuarun\.com/(.*)$ https://weixin.bjhuarun.com/\1 #redirect scheme https if !{ ssl_fc } 

##限制HTTP请求方法 
acl invalid_method method HEAD OPTIONS TRACE SEARCH COPY MOVE PROPFIND PROPPATCH MKCOL LOCK UNLOCK PUT DELETE
http-request deny if invalid_method
## 限制部分url地址访问源 公司公网网段( 121.15.129.225/27 116.31.88.83/29 ) 
acl login_beg path_beg /login /dubbo-admin /config-toolkit /manager /console 
acl login_redirect_beg path_beg /login/redirect 
acl internal_src src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 121.15.129.225/27 116.31.88.83/29 
block if !internal_src login_beg !login_redirect_beg 
## 防止中间人host header攻击 
acl white_host hdr_reg(host) -i weixin.bjhuarun.com 10.10.110.101 block if !white_host 
##以下表示请求以/fs/开头，则分发给fs-server服务器处理 
acl fs-server path_beg -i /fs/ 
use_backend fs-server if fs-server 
##以下表示请求以/api/fs/ /cloudfs /upgrade/api/fs开头，则分发给cloudfs服务器处理 
acl cloudfs-server path_beg -i /api/fs/ /cloudfs /upgrade/api/fs 
use_backend cloudfs-server if cloudfs-server 
##以下表示请求在以上路径都不符合时，使用该后台服务器处理 
default_backend cas 
backend cloudfs-server 
　　mode http 
　　option forwardfor 
　　reqrep ^([^\ :]*)\ /api/fs/(.*) \1\ /cloudfs/api/fs/\2 reqrep ^([^\ :]*)\ /upgrade/api/fs/(.*) \1\ /cloudfs/api/fs/\2 
　　server wget 10.10.110.102:8081 check inter 10s 

backend fs-server 
　　mode http 
　　option forwardfor 
　　server wget 10.10.110.102:8081 check inter 10s
 ##当有多个后台服务器处理同一个请求时，则按照如下配置 
backend cas 
mode http 
option forwardfor 
balance source 
# 七层健康检查，多个后端server的情况必须使用七层检查 
option httpchk GET / 
server cas01 10.10.110.101:8080 check inter 10s 
server cas02 10.10.110.102:8080 check inter 10s
 # 代理后端为HTTPS 应用 
backend bjhuarun-server
 mode http 
option forwardfor 
server bjhuarun www.bjhuarun.com:443 check ssl verify none inter 10s