Haproxy ACL rules and practical examples


1. ACL rules

1. Overview

  • Compared with using LVS for load balancing, Haproxy provides more powerful functions
  • Because Haproxy supports ACL rules, rules from Layer 3 to Layer 7 can be defined to match particular requests. Based on the request header, the corresponding message content or other status information, requests can be forwarded under different strategies as needed.

2. Main functions

The following two main functions can be achieved with ACL rules:

  1. Set ACL rules to check whether client requests comply with them, and directly terminate requests that do not comply
  2. Send requests that comply with the ACL rules to the backend server pool named by use_backend, so that load balancing is done according to the ACL rules. Requests that do not comply can be rejected directly, or be served by another server pool.

3. Syntax

  • The ACL rules in Haproxy are set in the frontend part; the syntax is:
acl <name> <method> -i [pattern, path or file]
  • The fields are described as follows:
    • acl: the keyword that defines an ACL rule. It is followed by a user-defined ACL name, which is case sensitive. Several acl lines may share the same name, in which case their tests are combined with OR into one ACL.
    • Method: the criterion used to evaluate the ACL.
  • The common ACL methods defined by Haproxy are as follows:
Common method   Explanation
hdr_beg(host)   Check whether the Host header of the request begins with the specified pattern
hdr_end(host)   Check whether the Host header of the request ends with the specified pattern
hdr_reg(host)   Regular-expression match on the Host header
url_sub         Check whether the request URL contains the specified string
url_dir         Check whether the specified string appears as a path component (directory) of the request URL
path_beg        Check whether the request path begins with the specified string
path_end        Check whether the request path ends with the specified string
dst             Destination address
dst_port        Destination port
src             Source address
src_port        Source port
  • -i: ignore case; it is followed by the path, file or regular expression to match. The Haproxy options used together with ACL rules are use_backend and default_backend. use_backend is followed by a backend name and sends the requests that satisfy the ACL to that backend server pool; default_backend names the pool that handles requests which do not satisfy any ACL condition.
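The syntax above in one complete frontend, as an added example that is not part of the original post: it uses hdr_beg(host), hdr_end(host), src and path matching, shows that two acl lines with the same name are combined with OR, and routes with use_backend and default_backend. The backend names, the host names api. and www.example.test, the 192.168.126.0/24 network and the http-request deny form (Haproxy 1.8 or later) are assumptions, not part of the lab described on this page.

```haproxy
# Added example, not the post's configuration. Backend names, host names
# and the /24 network are assumptions.
frontend main
        bind *:80
        mode http

        # Two acl lines with the same name are OR'ed: either test makes is_static true.
        acl is_static path_beg -i /static /images /css
        acl is_static path_end -i .html .jpg .png .css .js

        # Host-header tests: hdr_beg/hdr_end look only at the Host header, not the URL.
        acl host_api  hdr_beg(host) -i api.
        acl host_main hdr_end(host) -i www.example.test

        # Source-address test; a CIDR prefix is accepted as well as a single address.
        acl lan_client src 192.168.126.0/24

        # Requests for the API host that do not come from the LAN are refused with 403.
        # "!" negates an ACL; several ACLs on one line are AND'ed.
        http-request deny deny_status 403 if host_api !lan_client

        # Order matters: the first use_backend whose condition is true wins.
        use_backend api_pool    if host_api
        use_backend static_pool if is_static
        default_backend app_pool

backend static_pool
        balance roundrobin
        server s1 192.168.126.12:80 check
        server s2 192.168.126.13:80 check

backend api_pool
        server a1 192.168.126.14:80 check

backend app_pool
        server p1 192.168.126.14:80 check
```

hdr_end(host) does not match when the client sends the Host header with an explicit port (www.example.test:8080); hdr_dom(host) matches the domain part regardless of the port and is usually the safer choice for host-based routing.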

2. Haproxy achieves intelligent load balancing

  • Haproxy can work at Layer 7, so Haproxy's intelligent load balancing can be achieved by setting ACL rules
  • This example uses one Haproxy server and three Web servers to simulate a Web cluster on which the ACL rules are set up

1. Experimental environment

Host name   Role             Operating system   IP address       Main software
CentOS 7-1  Haproxy server   CentOS 7           192.168.126.11   haproxy-1.59.tar.gz
CentOS 7-2  Nginx server 1   CentOS 7           192.168.126.12   nginx-1.12.2.tar
CentOS 7-3  Nginx server 2   CentOS 7           192.168.126.13   nginx-1.12.2.tar
CentOS 7-4  Apache server    CentOS 7           192.168.126.14   httpd-2.4.6-67.el7.centos.x86_64 and php-5.4.16-42.el7.x86_64
Win10       Client           Windows 10         192.168.126.10   Edge browser

2. Configure Apache server

systemctl stop firewalld
systemctl disable firewalld
setenforce 0
# turn off the firewall and the security policy (SELinux)

yum -y install httpd php
# install the required packages

vim /etc/httpd/conf/httpd.conf
# line 95: remove the comment and change the parameter
ServerName www.xcf.com:80


vim /var/www/html/test.php
# add the following test page content
<?php
phpinfo();
?>


systemctl start httpd.service
systemctl enable httpd.service
# start the service and enable it at boot

echo "192.168.126.14 www.xcf.com" >> /etc/hosts
# configure the host name mapping
  • The Apache server is configured; now go to the Win10 client to test
  • Because there is no DNS, add a resolution record to the hosts file on the Windows host, then visit http://www.xcf.com/test.php to test

3. Address-based access control

  • Suppose the host with source address 192.168.126.10 (the client) must be rejected when it accesses the Web cluster. Add an ACL rule that defines the source host, then use the block option with "if" after it.
  • The complete configuration file is given below
--- Haproxy server ---

vim /etc/haproxy/haproxy.cfg

# this config needs haproxy-1.1.28 or haproxy-1.2.1

global
        log /dev/log    local0 info
        log /dev/log    local1 notice
        #log loghost    local0 info
        maxconn 4096
        #chroot /usr/share/haproxy
        uid 99
        gid 99
        daemon
        # debug dumps every exchange to stdout and keeps the process in the foreground; remove it outside a lab
        debug
        #quiet

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        # legacy keywords; newer releases spell these "option redispatch", "timeout connect", "timeout client" and "timeout server"
        redispatch
        maxconn 2000
        contimeout      5000
        clitimeout      50000
        srvtimeout      50000

frontend main
        bind *:80
        # match requests whose TCP source address is the client 192.168.126.10
        acl forbid src 192.168.126.10
        # "block" is deprecated in newer Haproxy releases; "http-request deny if forbid" is the current form
        block if forbid
        default_backend webcluster

#listen  webcluster 0.0.0.0:80
        #option httpchk GET /test.html
        #balance roundrobin
        #server inst1 192.168.126.12:80 check inter 2000 fall 3
        #server inst2 192.168.126.13:80 check inter 2000 fall 3

listen stats
        bind 0.0.0.0:8080
        stats refresh 30s
        stats uri /stats
        # the space in the realm must be escaped
        stats realm Haproxy\ Manager
        # weak default credentials; any host that can reach port 8080 can log in
        stats auth admin:admin
        stats hide-version
        # "if TRUE" lets every authenticated user enable and disable servers from the stats page
        stats admin if TRUE

backend webcluster
        option httpchk GET /test.html
        cookie SESSION_COOKIE insert indirect nocache
        server inst1 192.168.126.12:80 check inter 2000 fall 3
        server inst2 192.168.126.13:80 check inter 2000 fall 3
        

systemctl restart haproxy.service
# restart the service for the change to take effect

  • Now test from the client by accessing the Web cluster at http://192.168.126.11/test.html
  • Then access the Web cluster from the Apache server to test
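The same source-address rule written for current Haproxy releases, together with a tightened stats section, as an added example that is not the post's configuration. The file path /etc/haproxy/denied.lst, the ACL name admin_net, binding the stats page to the Haproxy server's own address and the placeholder password are assumptions; the addresses are those of the lab above.

```haproxy
# Added example, not the post's configuration. The list file, the admin_net
# ACL and the placeholder password are assumptions.
frontend main
        bind *:80
        mode http
        # src is the TCP peer address. If another proxy or load balancer sits in
        # front of Haproxy, every request carries that device's address and this
        # rule no longer distinguishes clients.
        # /etc/haproxy/denied.lst holds one IP or CIDR per line, e.g. 192.168.126.10
        acl forbid src -f /etc/haproxy/denied.lst
        http-request deny deny_status 403 if forbid
        default_backend webcluster

backend webcluster
        option httpchk GET /test.html
        server inst1 192.168.126.12:80 check inter 2000 fall 3
        server inst2 192.168.126.13:80 check inter 2000 fall 3

# The post's stats section accepts admin:admin from any address and, because of
# "stats admin if TRUE", lets that user take servers in and out of service.
# Restrict who can reach the page and who may administer it.
listen stats
        bind 192.168.126.11:8080
        mode http
        acl admin_net src 192.168.126.0/24
        http-request deny unless admin_net
        stats enable
        stats refresh 30s
        stats uri /stats
        stats realm Haproxy\ Manager
        # placeholder credentials: replace before use
        stats auth admin:CHANGE-ME-strong-password
        stats hide-version
        stats admin if admin_net
```

The list file is read when Haproxy starts, so a reload is needed after editing it; the deny_status option on http-request deny needs Haproxy 1.8 or later, on older releases omit it and a 403 is returned by default.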

4. File-based access control and redirection

  • Modify the frontend part of the Haproxy configuration file to redefine the ACL rules
vim /etc/haproxy/haproxy.cfg

frontend main
        bind *:80
        acl forbid src 192.168.126.10
        block if forbid
        default_backend webcluster
# replace the frontend above with the following (the ACL rules are redefined)
frontend main
        bind *:80
        acl denyfile path_end .html
        http-request deny if denyfile
        errorloc 403 http://www.xcf.com
        default_backend webcluster


systemctl restart haproxy.service
  • With the configuration above, a request whose path ends in .html is rejected; when the resulting 403 error code is detected, errorloc sends the client straight to http://www.xcf.com
  • Open the client browser again and access the Web cluster page to test
  • Because of the earlier settings this counts as a "double" denial, and the code is 403; refresh once more and the jump to www.xcf.com succeeds
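The .html rule above, with the match made case-insensitive and the deny-plus-errorloc behaviour expressed as an explicit redirect, as an added example that is not the post's configuration. The redirect target www.xcf.com and the backend addresses are those used on the page; the http-request redirect form is an assumption about the Haproxy release in use (1.6 or later).

```haproxy
# Added example, not the post's configuration.
frontend main
        bind *:80
        mode http
        # Without -i, path_end is case-sensitive and only a lowercase ".html" is matched.
        acl denyfile path_end -i .html
        # path never includes the query string, so /test.html?x=1 is still matched.

        # Option 1: plain denial. The client receives Haproxy's own 403 page.
        # http-request deny deny_status 403 if denyfile

        # Option 2: what "http-request deny" + "errorloc 403 <url>" does on the page,
        # written directly as a redirect (errorloc answers the 403 with a 302 to the URL).
        http-request redirect location http://www.xcf.com code 302 if denyfile

        default_backend webcluster

backend webcluster
        option httpchk GET /test.html
        server inst1 192.168.126.12:80 check inter 2000 fall 3
        server inst2 192.168.126.13:80 check inter 2000 fall 3
```

Only one of the two options should be active; with the deny line commented out, .html requests never reach the backend and the browser shows www.xcf.com, which in this lab resolves to the Apache server through the hosts file.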

5. Intelligent load balancing with dynamic/static separation

  • Modify the frontend and backend parts of the Haproxy configuration file, redefine the ACL rules, and add the backend real server
vim /etc/haproxy/haproxy.cfg

frontend main
        bind *:80
        # two acl lines with the same name are combined with OR
        acl usr_static path_beg -i /static /images /img /css
        acl usr_static path_end -i .html .jpg .png .jpeg .gif .swf .css .xml .txt .pdf
        use_backend webcluster if usr_static
        default_backend app

backend webcluster
        option httpchk GET /test.html
        balance roundrobin
        server inst1 192.168.126.12:80 check inter 2000 fall 3
        server inst2 192.168.126.13:80 check inter 2000 fall 3

backend app
        option httpchk GET /test.php
        server inst3 192.168.126.14:80 check inter 2000 fall 3
        
systemctl restart haproxy.service
  • The ACL is named usr_static. A request for a static file whose suffix matches .html, .jpeg, .xml, etc. goes directly to the webcluster backend
  • A request that does not match the definition goes to the default backend app; several real servers can also be set up there to form a server cluster
  • Visit the test.html and test.php pages from the Win10 client to test

Origin blog.csdn.net/weixin_51486343/article/details/113093712