- 1. haproxy简介
- 1.1 核心功能
- 1.2 haproxy的关键特性
- 2. haproxy部署安装
- 3. haproxy配置负载均衡(https)
HAProxy是法国开发者 威利塔罗(Willy Tarreau) 在2000年使用C语言开发的一个开源软件,是一款具备高并发(一万以上)、高性能的TCP和HTTP负载均衡器,支持基于cookie的持久性,自动故障切换,支持正则表达式及web状态统计,目前最新TLS版本为9.0
HAProxy是一个使用C语言编写的自由及开放源代码软件,其提供高可用性、负载均衡,以及基于TCP和HTTP的应用程序代理。
HAProxy是一个免费的负载均衡软件,可以运行于大部分主流的Linux *** 作系统上。
HAProxy提供了L4(TCP)和L7(HTTP)两种负载均衡能力,具备丰富的功能。HAProxy的社区非常活跃,版本更新快速。最关键的是,HAProxy具备媲美商用负载均衡器的性能和稳定性。
因为HAProxy的上述优点,它当前不仅仅是免费负载均衡软件的首选,更几乎成为了唯一选择。
1.1 核心功能- 负载均衡:L4和L7两种模式,支持RR/静态RR/LC/IP Hash/URI Hash/URL_PARAM Hash/HTTP_HEADER Hash等丰富的负载均衡算法
- 健康检查:支持TCP和HTTP两种健康检查模式
- 会话保持:对于未实现会话共享的应用集群,可通过Insert cookie/Rewrite cookie/Prefix cookie,以及上述的多种Hash方式实现会话保持
- SSL:HAProxy可以解析HTTPS协议,并能够将请求解密为HTTP后向后端传输
- HTTP请求重写与重定向
- 监控与统计:HAProxy提供了基于Web的统计信息页面,展现健康状态和流量数据。基于此功能,使用者可以开发监控程序来监控HAProxy的状态
- 高性能
通常情况下,HAProxy自身只占用15%的处理时间,剩余的85%都是在系统内核层完成的 - 高稳定性
一旦成功启动,除非 *** 作系统或硬件故障,否则就不会崩溃
haproxy软件包下载官网:https://www.haproxy.org//
//安装依赖包 [root@localhost ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel //创建haproxy用户 [root@localhost ~]# useradd -r -M -s /sbin/nologin haproxy //解压下载好的安装包 [root@localhost src]# ls debug haproxy-2.4.0.tar.gz kernels [root@localhost src]# tar xf haproxy-2.4.0.tar.gz -C /usr/src/ [root@localhost src]# ls debug haproxy-2.4.0 haproxy-2.4.0.tar.gz kernels [root@localhost src]# //编译安装 [root@localhost src]# cd haproxy-2.4.0/ [root@localhost haproxy-2.4.0]# [root@localhost haproxy-2.4.0]# make clean [root@localhost haproxy-2.4.0]# make -j $(nproc) TARGET=linux-glibc > USE_OPENSSL=1 USE_PCRE=1 USE_SYSTEMD=1 [root@localhost haproxy-2.4.0]# make install prefix=/usr/local/haproxy
//配置内核参数 [root@localhost ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf [root@localhost ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf [root@localhost ~]# sysctl -p net.ipv4.ip_nonlocal_bind = 1 net.ipv4.ip_forward = 1 [root@localhost ~]#
//提供配置文件
[root@localhost ~]# cd /etc/haproxy/
[root@localhost haproxy]# vim haproxy.cfg
[root@localhost haproxy]# cat haproxy.cfg
#--------------全局配置----------------
global
log 127.0.0.1 local0 info
#log loghost local0 info
maxconn 20480
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option dontlognull
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin
timeout connect 10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3
#--------------统计页面配置------------------
listen admin_stats
bind 0.0.0.0:8189
stats enable
mode http
log global
stats uri /haproxy_stats
stats realm Haproxy Statistics
stats auth admin:admin
#stats hide-version
stats admin if TRUE
stats refresh 30s
#---------------web设置-----------------------
listen webcluster
bind 0.0.0.0:80
mode http
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
server web01 192.168.8.130:80 check inter 2000 fall 5
server web02 192.168.8.137:80 check inter 2000 fall 5
[root@localhost haproxy]#
//haproxy.service文件编写 [root@localhost ~]# cat /usr/lib/systemd/system/haproxy.service [Unit] Description=HAProxy Load Balancer After=syslog.target network.target [Service] ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q ExecStart=/usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid ExecReload=/bin/kill -USR2 $MAINPID [Install] WantedBy=multi-user.target [root@localhost ~]#
[root@localhost ~]# systemctl enable --now haproxy.service Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service. [root@localhost ~]# [root@localhost ~]# ss -antl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* LISTEN 0 128 0.0.0.0:8189 0.0.0.0:* LISTEN 0 128 0.0.0.0:111 0.0.0.0:* LISTEN 0 128 0.0.0.0:80 0.0.0.0:* LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 5 127.0.0.1:631 0.0.0.0:* LISTEN 0 128 [::1]:6010 [::]:* LISTEN 0 128 [::]:111 [::]:* LISTEN 0 128 [::]:22 [::]:* LISTEN 0 5 [::1]:631 [::]:* [root@localhost ~]#
//启用日志 [root@localhost ~]# vim /etc/rsyslog.conf 65 local0.* /var/log/haproxy.log //添加这一行 [root@localhost ~]# systemctl restart rsyslog.service
//在web主机上安装httpd服务 [root@web01 ~]# yum -y install httpd [root@web01 ~]# echo "web01" > /var/www/html/index.html [root@web01 ~]# systemctl restart httpd.service [root@web02 ~]# yum -y install httpd [root@web02 ~]# echo "web02" > /var/www/html/index.html [root@web02 ~]# systemctl restart httpd.service
//证书生成 [root@web01 ~]# yum -y install openssl [root@web01 ~]# mkdir ~/keys [root@web01 ~]# cd keys/ [root@web01 keys]# openssl genrsa -out passport.com.key 2048 Generating RSA private key, 2048 bit long modulus (2 primes) .............................+++++ ......+++++ e is 65537 (0x010001) [root@web01 keys]# openssl req -new -key passport.com.key -out passport.com.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HuBei Locality Name (eg, city) [Default City]:WuHan Organization Name (eg, company) [Default Company Ltd]:test Organizational Unit Name (eg, section) []:passport Common Name (eg, your name or your server's hostname) []:web01.com Email Address []:passport@qq.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:1 string is too short, it needs to be at least 4 bytes long A challenge password []:1@2.com An optional company name []: [root@web01 keys]# openssl x509 -req -days 3650 -in passport.com.csr -signkey passport.com.key -out passport.com.crt Signature ok subject=C = CN, ST = HuBei, L = WuHan, O = test, OU = passport, CN = web01.com, emailAddress = passport@qq.com Getting Private key [root@web01 keys]# ls passport.com.crt passport.com.csr passport.com.key
//利用scp命令将证书发送到另外一台主机上 [root@web01 keys]# scp passport.com.crt passport.com.key 192.168.8.137:/root/ The authenticity of host '192.168.8.137 (192.168.8.137)' can't be established. ECDSA key fingerprint is SHA256:ECsvugl1DCHfuejtUk08a5piC1AmP1akOaWPFqszmFE. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '192.168.8.137' (ECDSA) to the list of known hosts. root@192.168.8.137's password: passport.com.crt 100% 1294 899.0KB/s 00:00 passport.com.key 100% 1675 1.4MB/s 00:00
//在web两台主机上配置https,注意web01需要同样的步骤 [root@web02 ~]# mkdir /etc/httpd/ssl [root@web02 ~]# mv passport.com.* /etc/httpd/ssl/ [root@web02 ~]# cd /etc/httpd/ssl/ [root@web02 ssl]# ls passport.com.crt passport.com.key [root@web02 ssl]# cd .. [root@web02 httpd]# ls conf conf.d conf.modules.d logs modules run ssl state [root@web02 httpd]# cd conf.d/ [root@web02 conf.d]# ls autoindex.conf README ssl.conf userdir.conf welcome.conf [root@web02 conf.d]# vim ssl.conf 43 documentRoot "/var/www/html" //取消这两行注释 44 ServerName www.example.com:443 85 SSLCertificateFile /etc/httpd/ssl/passport.com.crt //修改路径 93 SSLCertificateKeyFile /etc/httpd/ssl/passport.com.key //修改路径
//启动服务 [root@web02 conf.d]# systemctl restart httpd [root@web02 conf.d]# ss -antl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 128 *:80 *:* LISTEN 0 128 [::]:22 [::]:* LISTEN 0 128 *:443 *:*
//web01配置过程请参考web02
[root@web01 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 32 192.168.122.1:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6011 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
LISTEN 0 128 [::1]:6010 [::]:*
LISTEN 0 128 [::1]:6011 [::]:*
LISTEN 0 128 *:443 *:*
[root@web01 ~]#
//修改配置文件haproxy.cfg
[root@localhost haproxy]# cat haproxy.cfg
#--------------全局配置----------------
global
log 127.0.0.1 local0 info
#log loghost local0 info
maxconn 20480
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode tcp //修改为tcp
log global
option dontlognull
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin
timeout connect 10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3
#--------------统计页面配置------------------
listen admin_stats
bind 0.0.0.0:8189
stats enable
mode http
log global
stats uri /haproxy_stats
stats realm Haproxy Statistics
stats auth admin:admin
#stats hide-version
stats admin if TRUE
stats refresh 30s
#---------------web设置-----------------------
listen webcluster
bind 0.0.0.0:443 //修改端口为443
mode tcp //修改为tcp
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
server web01 192.168.8.130:443 check inter 2000 fall 5 //修改端口为443
server web02 192.168.8.137:443 check inter 2000 fall 5 //修改端口为443
[root@localhost haproxy]#
[root@localhost haproxy]# systemctl restart haproxy.service
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)