haproxy

haproxy概述

haproxy是一款高性能的負載均衡軟體，因為其專注于負載均衡這一些事情，因此與nginx比起來在負載均衡這件事情上做更好，更專業，

haproxy的特點

支持tcp / http 兩種協議層的負載均衡，使得其負載均衡功能非常豐富，
支持8種左右的負載均衡演算法，尤其是在http模式時，有許多非常實在的負載均衡演算法，適用各種需求，
性能非常優秀，基于單行程處理模式（和Nginx類似）讓其性能卓越，
擁有一個功能出色的監控頁面，實時了解系統的當前狀況，
功能強大的ACL支持，給用戶極大的方便，

haproxy演算法：
1.roundrobin
基于權重進行輪詢,在服務器的處理時間保持均勻分布時,這是最平衡,最公平的演算法.此演算法是動態的,這表示其權重可以在運行時進行調整.
2.static-rr
基于權重進行輪詢,與roundrobin類似,但是為靜態方法,在運行時調整其服務器權重不會生效.不過,其在后端服務器連接數上沒有限制
3.leastconn
新的連接請求被派發至具有最少連接數目的后端服務器

haproxy安裝

環境說明：

主機名	ip	職責
haproxy	192.168.200.165	Haprosy
RS1	192.168.200.159	web界面
RS2	192.168.200.161	web界面

haproxy軟體包下載官網: haproxy.org

[root@haproxy ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel

#創建haproxy用戶
[root@haproxy ~]# useradd -r -M -s /sbin/nologin haproxy

[root@haproxy src]# tar xf haproxy-2.4.0.tar.gz 
[root@haproxy src]# ls
debug  haproxy-2.4.0  haproxy-2.4.0.tar.gz  kernels
[root@haproxy src]# cd haproxy-2.4.0
[root@haproxy haproxy-2.4.0]# make clean
[root@haproxy haproxy-2.4.0]# make -j $(nproc) TARGET=linux-glibc USE_OPENSSL=1 USE_PCRE=1 USE_SYSTEMD=1
[root@haproxy haproxy-2.4.0]# make install prefix=/usr/local/haproxy

// 另外兩個主機上安裝httpd
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# systemctl enable --now httpd
[root@RS1 ~]# echo "work1" > /var/www/html/index.html
[root@RS1 ~]# ss -anlt
State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   
LISTEN   0        128              0.0.0.0:22            0.0.0.0:*      
LISTEN   0        128                    *:80                  *:*      
LISTEN   0        128                 [::]:22               [::]:* 

[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# systemctl enable --now httpd
[root@RS1 ~]# echo "work2" > /var/www/html/index.html
[root@RS2 ~]# ss -anlt
State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   
LISTEN   0        128              0.0.0.0:22            0.0.0.0:*      
LISTEN   0        128                    *:80                  *:*      
LISTEN   0        128                 [::]:22               [::]:*

配置內核引數

[root@haproxy ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >>  /etc/sysctl.conf
[root@haproxy ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@haproxy ~]# sysctl  -p 
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1

提供組態檔

[root@haproxy ~]# mkdir /etc/haproxy
[root@haproxy ~]# cat /etc/haproxy/haproxy.cfg 
#--------------全域配置----------------
global
    log 127.0.0.1 local0  info
    #log loghost local0 info
    maxconn 20480
#chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    #maxconn 4000
    user haproxy
    group haproxy
    daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option dontlognull
    option httpclose
    option httplog
    #option forwardfor
    option redispatch
    balance roundrobin
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
    maxconn 60000
    retries 3
#--------------統計頁面配置------------------
listen admin_stats
    bind 0.0.0.0:8189
    stats enable
    mode http
    log global
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin
    #stats hide-version
    stats admin if TRUE
    stats refresh 30s
#---------------web設定-----------------------
listen webcluster
    bind 0.0.0.0:80
    mode http
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    cookie SESSION_COOKIE insert indirect nocache
    server web01 192.168.200.159:80 check inter 2000 fall 5
    server web02 192.168.200.161:80 check inter 2000 fall 5

haproxy.service檔案撰寫

[root@haproxy ~]# cat /usr/lib/systemd/system/haproxy.service 
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target

[Service]
ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg   -c -q
ExecStart=/usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg  -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 

[Install]
WantedBy=multi-user.target

[root@haproxy ~]# systemctl enable --now haproxy
Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service.
[root@localhost ~]# ss -anlt
State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   
LISTEN   0        128              0.0.0.0:8189          0.0.0.0:*      
LISTEN   0        128              0.0.0.0:80            0.0.0.0:*      
LISTEN   0        128              0.0.0.0:22            0.0.0.0:*      
LISTEN   0        128                 [::]:22               [::]:*     

// 啟動日志
[root@haproxy ~]# vim /etc/rsyslog.conf
local0.*                        /var/log/haproxy.log
[root@haproxy ~]# systemctl restart rsyslog

在這里插入圖片描述

haproxy配置負載均衡（https）

證書生成

[root@RS1 ~]# yum -y install openssl
[root@RS1 ~]# mkdir ~/keys
[root@RS1 ~]# cd keys
[root@RS1 keys]# openssl genrsa -out passport.com.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................+++++
....................+++++
e is 65537 (0x010001)
[root@RS1 keys]# openssl req -new -key passport.com.key -out passport.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:passport
Common Name (eg, your name or your server's hostname) []:web01.com
Email Address []:passport@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1
string is too short, it needs to be at least 4 bytes long
A challenge password []:1@2.com
An optional company name []:
[root@RS1 keys]# openssl x509 -req -days 3650 -in passport.com.csr -signkey passport.com.key -out passport.com.crt
Signature ok
subject=C = CN, ST = HuBei, L = WuHan, O = test, OU = passport, CN = web01.com, emailAddress = passport@qq.com
Getting Private key
[root@RS1 keys]# ls
passport.com.crt  passport.com.csr  passport.com.key
[root@RS1 keys]# scp passport.com.crt passport.com.key 192.168.200.161:/root/
The authenticity of host '192.168.200.161 (192.168.200.161)' can't be established.
ECDSA key fingerprint is SHA256:0Ynm9bqYhmtwF8Jdpj7HYZ4c9A9/EGj6sxSYC91sKFk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.200.161' (ECDSA) to the list of known hosts.
root@192.168.200.161's password: 
passport.com.crt                      100% 1294     1.2MB/s   00:00    
passport.com.key                      100% 1679   584.2KB/s   00:00

RS上配置https

[root@RS2 ~]# yum -y install mod_ssl
[root@RS2 ~]# mkdir  /etc/httpd/ssl
[root@RS2 ~]# mv passport.com.* /etc/httpd/ssl/
[root@RS2 ~]# cd /etc/httpd/ssl/
[root@RS2 ssl]# ls
passport.com.crt  passport.com.key
[root@RS2 ssl]# cd ..
[root@RS2 httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run  ssl  state
[root@RS2 httpd]# cd conf.d/
[root@RS2 conf.d]# ls
autoindex.conf  README  ssl.conf  userdir.conf  welcome.conf
[root@RS2 conf.d]# vim ssl.conf  
#找到此兩行，取消注釋
DocumentRoot "/var/www/html"
ServerName www.example.com:443

#修改此兩行路徑
SSLCertificateFile /etc/httpd/ssl/passport.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/passport.com.key
[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# ss -anlt
State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   
LISTEN   0        128              0.0.0.0:22            0.0.0.0:*      
LISTEN   0        128                    *:80                  *:*      
LISTEN   0        128                 [::]:22               [::]:*      
LISTEN   0        128                    *:443                 *:*

修改組態檔

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg 
#--------------全域配置----------------
global
    log 127.0.0.1 local0  info
    #log loghost local0 info
    maxconn 20480
#chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    #maxconn 4000

    user haproxy
    group haproxy
    daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode tcp             //模式改為tcp
    log global
    option dontlognull
    option httpclose
    option httplog
    #option forwardfor
    option redispatch
    balance roundrobin
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
    maxconn 60000
    retries 3    
#--------------統計頁面配置------------------
listen admin_stats
    bind 0.0.0.0:8189
    stats enable
    mode http
    log global
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin
    #stats hide-version
    stats admin if TRUE
    stats refresh 30s
#---------------web設定-----------------------
listen webcluster
    bind 0.0.0.0:443       //埠改為443
    mode tcp               //模式改為tcp
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    cookie SESSION_COOKIE insert indirect nocache
    server web01 192.168.200.159:443 check inter 2000 fall 5      //埠改為443
    server web02 192.168.200.161:443 check inter 2000 fall 5     //埠改為443

[root@haproxy haproxy]# systemctl restart haproxy.service

在這里插入圖片描述

轉載請註明出處，本文鏈接：https://www.uj5u.com/ruanti/323879.html

標籤：其他

上一篇：帶有Intersect表和對應Linq查詢的物體框架

下一篇：是否可以恢復您使用Github網站洗掉的已洗掉分支？