HAProxy 入门教程
HAProxy是一个免费的负载均衡软件,可以运行于大部分主流的Linux操作系统上。HAProxy提供了L4(TCP)和L7(HTTP)两种负载均衡能力,具备完善的扩展能力, 性能和稳定性都非常好。
HAProxy常用功能:
- 负载均衡:L4和L7两种模式,支持RR/静态RR/LC/IP Hash/URI Hash/URL_PARAM Hash/HTTP_HEADER Hash等丰富的负载均衡算法
- 健康检查:支持TCP和HTTP两种健康检查模式
- 会话保持:对于未实现会话共享的应用集群,可通过Insert Cookie/Rewrite Cookie/Prefix Cookie,以及上述的多种Hash方式实现会话保持
- SSL:HAProxy可以解析HTTPS协议,并能够将请求解密为HTTP后向后端传输
- HTTP请求重写与重定向
- 监控与统计:HAProxy提供了基于Web的统计信息页面,展现健康状态和流量数据。
安装HAProxy:
- Centos
yum -y install haproxy
- Debian/Ubuntu
apt-get -y install haproxy
- Gentoo
emerge -a net-proxy/haproxy
接下来我们准备环境:
Web Server Details:
Server 1: web1.example.com 192.168.1.101
Server 2: web2.example.com 192.168.1.102
Server 3: web3.example.com 192.168.1.103
HAProxy Server:
HAProxy: haproxy 192.168.1.12
HAProxy的配置文件为 /etc/haproxy/haproxy.cfg
, 默认的内容如下:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256::RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
添加 HAProxy Listener, 入口流量的请求都将请求到192.168.1.12:80:
frontend Local_Server
bind 192.168.1.12:80
mode http
default_backend My_Web_Servers
添加后端 Web Server, HAProxy收到的请求将转发到三个后端 Web Server
:
backend nodes
mode http
balance roundrobin
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1rnHost:localhost
server web1.example.com 192.168.1.101:80
server web2.example.com 192.168.1.102:80
server web3.example.com 192.168.1.103:80
开启HAProxy的统计信息, 便于我们随时查看HAProxy的运行情况:
listen stats *:1936
stats enable
stats hide-version
stats refresh 30s
stats show-node
stats auth username:password
stats uri /stats
最后完整的 /etc/haproxy/haproxy.cfg
如下:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256::RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend Local_Server
bind 192.168.1.12:80
mode http
default_backend My_Web_Servers
backend My_Web_Servers
mode http
balance roundrobin
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1rnHost:localhost
server web1.example.com 192.168.1.101:80
server web2.example.com 192.168.1.102:80
server web3.example.com 192.168.1.103:80
listen stats *:1936
stats enable
stats hide-version
stats refresh 30s
stats show-node
stats auth username:password
stats uri /stats
你可以通过下述命令验证配置文件的正确性:
haproxy -c -f /etc/haproxy/haproxy.cfg
让上述所有配置生效,需要重新启动 HAProxy:
systemctl restart haproxy
接下来就可以打开浏览器, 验证服务是否正常工作.因为我们的负载均衡策略是 roundrobin, 通过刷新浏览器即可看到依次访问到后端不同节点.