1. haproxy簡介
HAProxy是法國開發者 威利塔羅(Willy Tarreau) 在2000年使用C語言開發的一個開源軟體,是一款具備高并發(一萬以上)、高性能的TCP和HTTP負載均衡器,支持基于cookie的持久性,自動故障切換,支持正則運算式及web狀態統計,目前最新TLS版本為9.0
HAProxy是一個使用C語言撰寫的自由及開放源代碼軟體,其提供高可用性、負載均衡,以及基于TCP和HTTP的應用程式代理,
HAProxy是一個免費的負載均衡軟體,可以運行于大部分主流的Linux作業系統上,
HAProxy提供了L4(TCP)和L7(HTTP)兩種負載均衡能力,具備豐富的功能,HAProxy的社區非常活躍,版本更新快速,最關鍵的是,HAProxy具備媲美商用負載均衡器的性能和穩定性,
因為HAProxy的上述優點,它當前不僅僅是免費負載均衡軟體的首選,更幾乎成為了唯一選擇,
1.1 核心功能
- 負載均衡:L4和L7兩種模式,支持RR/靜態RR/LC/IP Hash/URI Hash/URL_PARAM Hash/HTTP_HEADER Hash等豐富的負載均衡演算法
- 健康檢查:支持TCP和HTTP兩種健康檢查模式
- 會話保持:對于未實作會話共享的應用集群,可通過Insert Cookie/Rewrite Cookie/Prefix Cookie,以及上述的多種Hash方式實作會話保持
- SSL:HAProxy可以決議HTTPS協議,并能夠將請求解密為HTTP后向后端傳輸
- HTTP請求重寫與重定向
- 監控與統計:HAProxy提供了基于Web的統計資訊頁面,展現健康狀態和流量資料,基于此功能,使用者可以開發監控程式來監控HAProxy的狀態
1.2 haproxy的關鍵特性
- 高性能
通常情況下,HAProxy自身只占用15%的處理時間,剩余的85%都是在系統內核層完成的 - 高穩定性
一旦成功啟動,除非作業系統或硬體故障,否則就不會崩潰
2. haproxy部署安裝
haproxy軟體包下載官網:https://www.haproxy.org//
//安裝依賴包
[root@localhost ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
//創建haproxy用戶
[root@localhost ~]# useradd -r -M -s /sbin/nologin haproxy
//解壓下載好的安裝包
[root@localhost src]# ls
debug haproxy-2.4.0.tar.gz kernels
[root@localhost src]# tar xf haproxy-2.4.0.tar.gz -C /usr/src/
[root@localhost src]# ls
debug haproxy-2.4.0 haproxy-2.4.0.tar.gz kernels
[root@localhost src]#
//編譯安裝
[root@localhost src]# cd haproxy-2.4.0/
[root@localhost haproxy-2.4.0]#
[root@localhost haproxy-2.4.0]# make clean
[root@localhost haproxy-2.4.0]# make -j $(nproc) TARGET=linux-glibc \
> USE_OPENSSL=1 USE_PCRE=1 USE_SYSTEMD=1
[root@localhost haproxy-2.4.0]# make install prefix=/usr/local/haproxy
//配置內核引數
[root@localhost ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@localhost ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@localhost ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
[root@localhost ~]#
//提供組態檔
[root@localhost ~]# cd /etc/haproxy/
[root@localhost haproxy]# vim haproxy.cfg
[root@localhost haproxy]# cat haproxy.cfg
#--------------全域配置----------------
global
log 127.0.0.1 local0 info
#log loghost local0 info
maxconn 20480
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option dontlognull
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin
timeout connect 10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3
#--------------統計頁面配置------------------
listen admin_stats
bind 0.0.0.0:8189
stats enable
mode http
log global
stats uri /haproxy_stats
stats realm Haproxy\ Statistics
stats auth admin:admin
#stats hide-version
stats admin if TRUE
stats refresh 30s
#---------------web設定-----------------------
listen webcluster
bind 0.0.0.0:80
mode http
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
server web01 192.168.35.137:80 check inter 2000 fall 5
server web02 192.168.35.138:80 check inter 2000 fall 5
[root@localhost haproxy]#
//haproxy.service檔案撰寫
[root@localhost ~]# cat /usr/lib/systemd/system/haproxy.service
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target
[Service]
ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=/usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
[root@localhost ~]#
[root@localhost ~]# systemctl enable --now haproxy.service
Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service.
[root@localhost ~]#
[root@localhost ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8189 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::1]:6010 [::]:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
[root@localhost ~]#
//啟用日志
[root@localhost ~]# vim /etc/rsyslog.conf
65 local0.* /var/log/haproxy.log //添加這一行
[root@localhost ~]# systemctl restart rsyslog.service
//在web主機上安裝httpd服務
[root@web01 ~]# yum -y install httpd
[root@web01 ~]# echo "web01" > /var/www/html/index.html
[root@web01 ~]# systemctl restart httpd.service
[root@web02 ~]# yum -y install httpd
[root@web02 ~]# echo "web02" > /var/www/html/index.html
[root@web02 ~]# systemctl restart httpd.service
3. haproxy配置負載均衡(https)
//證書生成
[root@web01 ~]# yum -y install openssl
[root@web01 ~]# mkdir ~/keys
[root@web01 ~]# cd keys/
[root@web01 keys]# openssl genrsa -out passport.com.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................+++++
......+++++
e is 65537 (0x010001)
[root@web01 keys]# openssl req -new -key passport.com.key -out passport.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:passport
Common Name (eg, your name or your server's hostname) []:web01.com
Email Address []:passport@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1
string is too short, it needs to be at least 4 bytes long
A challenge password []:1@2.com
An optional company name []:
[root@web01 keys]# openssl x509 -req -days 3650 -in passport.com.csr -signkey passport.com.key -out passport.com.crt
Signature ok
subject=C = CN, ST = HuBei, L = WuHan, O = test, OU = passport, CN = web01.com, emailAddress = passport@qq.com
Getting Private key
[root@web01 keys]# ls
passport.com.crt passport.com.csr passport.com.key
//利用scp命令將證書發送到另外一臺主機上
[root@web01 keys]# scp passport.com.crt passport.com.key 192.168.35.137:/root/
The authenticity of host '192.168.35.137 (192.168.35.137)' can't be established.
ECDSA key fingerprint is SHA256:ECsvugl1DCHfuejtUk08a5piC1AmP1akOaWPFqszmFE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.35.137' (ECDSA) to the list of known hosts.
root@192.168.35.137's password:
passport.com.crt 100% 1294 899.0KB/s 00:00
passport.com.key
//在web兩臺主機上配置https,注意web01需要同樣的步驟
[root@web02 ~]# mkdir /etc/httpd/ssl
[root@web02 ~]# mv passport.com.* /etc/httpd/ssl/
[root@web02 ~]# cd /etc/httpd/ssl/
[root@web02 ssl]# ls
passport.com.crt passport.com.key
[root@web02 ssl]# cd ..
[root@web02 httpd]# ls
conf conf.d conf.modules.d logs modules run ssl state
[root@web02 httpd]# cd conf.d/
[root@web02 conf.d]# ls
autoindex.conf README ssl.conf userdir.conf welcome.conf
[root@web02 conf.d]# vim ssl.conf
43 DocumentRoot "/var/www/html" //取消這兩行注釋
44 ServerName www.example.com:443
85 SSLCertificateFile /etc/httpd/ssl/passport.com.crt //修改路徑
93 SSLCertificateKeyFile /etc/httpd/ssl/passport.com.key //修改路徑
//修改組態檔haproxy.cfg
[root@localhost haproxy]# cat haproxy.cfg
#--------------全域配置----------------
global
log 127.0.0.1 local0 info
#log loghost local0 info
maxconn 20480
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode tcp //修改為tcp
log global
option dontlognull
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin
timeout connect 10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3
#--------------統計頁面配置------------------
listen admin_stats
bind 0.0.0.0:8189
stats enable
mode http
log global
stats uri /haproxy_stats
stats realm Haproxy\ Statistics
stats auth admin:admin
#stats hide-version
stats admin if TRUE
stats refresh 30s
#---------------web設定-----------------------
listen webcluster
bind 0.0.0.0:443 //修改埠為443
mode tcp //修改為tcp
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
server web01 192.168.35.137:443 check inter 2000 fall 5 //修改埠為443
server web02 192.168.35.138:443 check inter 2000 fall 5 //修改埠為443
[root@localhost haproxy]#
[root@localhost haproxy]# systemctl restart haproxy.service
還可以登陸到后臺查看web主機的資訊和運行情況
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/323403.html
標籤:其他
上一篇:記一次前端vue3的單元測驗之Hello world
下一篇:java爬取壁紙