Compared with using LVS for load balancing, Haproxy provides more powerful functions.
Because Haproxy supports ACL rules, it can define Layer 3 to Layer 7 rules that match particular requests. Based on the request headers, the content of the message, or other status information, it can forward requests according to different strategies as needed.
2. Main functions
The following two main functions can be completed according to ACL rules:
Check whether client requests comply with the ACL rules, and directly terminate requests that do not comply.
Forward requests that comply with the ACL rules to the server pool specified by backend for load balancing. Requests that do not comply can be terminated directly, or they can be handled by another server pool.
3. Syntax
The ACL rules in Haproxy are set in the frontend part. The syntax is:
acl name method -i [path or file to match]
The parts are as follows:
acl: the keyword that defines an ACL rule. It is followed by a custom ACL name. The name is case sensitive, and the same name can be used more than once, so that multiple test conditions form one common ACL.
method: the method used to implement the ACL.
The common methods of ACL defined by Haproxy are as follows:
| Common method | Explanation |
|---|---|
| hdr_beg(host) | Check whether the beginning of the request header (host) matches the specified pattern |
| hdr_end(host) | Check whether the end of the request header (host) matches the specified pattern |
| hdr_reg(host) | Regular expression match |
| url_sub | Check whether the request URL contains the specified string |
| url_dir | Check whether the specified string exists in the request URL as part of the address path |
| path_beg | Check whether the beginning of the requested URL path matches |
| path_end | Check whether the end of the requested URL path matches |
| dst | Destination address |
| dst_port | Destination port |
| src | Source address |
| src_port | Source port |
-i: ignore case. It is followed by the path, file or regular expression to match.
The Haproxy options used with ACL rules are use_backend and default_backend. use_backend must be followed by a backend instance name, and specifies which backend server pool receives the user requests that meet the ACL rule. default_backend specifies which backend server pool is used by default for requests that do not meet the ACL conditions.
II. Haproxy achieves intelligent load balancing
Haproxy can work at Layer 7, so its intelligent load balancing can be achieved by setting ACL rules.
This example uses one Haproxy server and three Web servers to simulate a Web cluster on which the ACL rules are set up.
1. Experimental environment
| Host name | Role | Operating system | IP address | Main software |
|---|---|---|---|---|
| CentOS 7-1 | Haproxy server | CentOS 7 | 192.168.126.11 | haproxy-1.59.tar.gz |
| CentOS 7-2 | Nginx server 1 | CentOS 7 | 192.168.126.12 | nginx-1.12.2.tar |
| CentOS 7-3 | Nginx server 2 | CentOS 7 | 192.168.126.13 | nginx-1.12.2.tar |
| CentOS 7-4 | Apache server | CentOS 7 | 192.168.126.14 | httpd-2.4.6-67.el7.centos.x86_64 and php-5.4.16-42.el7.x86_64 |
| Win10 | Client | Windows 10 | 192.168.126.10 | Edge browser |
2. Configure Apache server
The installation and configuration of Haproxy and Nginx will not be repeated. The following only shows the code for installing the Apache server environment, and a test page is set up for subsequent testing.
If necessary, you can go to my previous blog. This experiment continues from the previous configuration and only adds another Apache server.
With the Apache server configured, go to the Win10 client to test.
Because there is no DNS, add a resolution record to the hosts file on the Windows host, and then visit http://www.xcf.com/test.php to test.
3. Address-based access control
To reject access to the Web cluster from the host with the source address 192.168.126.10 (the client), add an ACL rule that defines the source host, then use the block option with if and the ACL name after it.
The complete configuration file follows:
---Haproxy server---
vim /etc/haproxy/haproxy.cfg
# this config needs haproxy-1.1.28 or haproxy-1.2.1
global
    log /dev/log local0 info
    log /dev/log local1 notice
    #log loghost local0 info
    maxconn 4096
    #chroot /usr/share/haproxy
    uid 99
    gid 99
    daemon
    debug
    #quiet
defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000
frontend main
    bind *:80
    # Match requests whose source address is the client, then reject them
    acl forbid src 192.168.126.10
    block if forbid
    default_backend webcluster
#listen webcluster 0.0.0.0:80
#    option httpchk GET /test.html
#    balance roundrobin
#    server inst1 192.168.126.12:80 check inter 2000 fall 3
#    server inst2 192.168.126.13:80 check inter 2000 fall 3
listen stats
    bind 0.0.0.0:8080
    stats refresh 30s
    stats uri /stats
    stats realm Haproxy Manager
    # Lab credentials; change them before the stats page is reachable by others
    stats auth admin:admin
    stats hide-version
    stats admin if TRUE
backend webcluster
    option httpchk GET /test.html
    cookie SESSION_COOKIE insert indirect nocache
    server inst1 192.168.126.12:80 check inter 2000 fall 3
    server inst2 192.168.126.13:80 check inter 2000 fall 3
systemctl restart haproxy.service
# Restart the service for the change to take effect
Now use the client to access the Web cluster at http://192.168.126.11/test.html to test.
Then access the Web cluster from the Apache server to test.
4. File-based access control and redirection
Modify the frontend part of the Haproxy configuration file to redefine the ACL rules
vim /etc/haproxy/haproxy.cfg
frontend main
    bind *:80
    acl forbid src 192.168.126.10
    block if forbid
    default_backend webcluster
# Copy the template and add the following part
frontend main
    bind *:80
    acl denyfile path_end .html
    http-request deny if denyfile
    errorloc 403 http://www.xcf.com
    default_backend webcluster
systemctl restart haproxy.service
With the above configuration, a request for a page that ends with .html is rejected, and when error code 403 is detected, the client is redirected directly to http://www.xcf.com
Open the client browser again and access the Web cluster page to test
Because of the earlier settings, access here is in effect denied "twice", and the result is a 403. Refresh once more and you can see the redirect succeed
5. Intelligent load balancing with dynamic and static separation
Modify the frontend and backend parts of the Haproxy configuration file, redefine the ACL rules, and add the backend real server
vim /etc/haproxy/haproxy.cfg
frontend main
    bind *:80
    acl usr_static path_beg -i /static /images /img /css
    acl usr_static path_end -i .html .jpg .png .jpeg .gif .swf .css .xml .txt .pdf
    use_backend webcluster if usr_static
    default_backend app
backend webcluster
    option httpchk GET /test.html
    balance roundrobin
    server inst1 192.168.126.12:80 check inter 2000 fall 3
    server inst2 192.168.126.13:80 check inter 2000 fall 3
backend app
    option httpchk GET /test.php
    server inst3 192.168.126.14:80 check inter 2000 fall 3
systemctl restart haproxy.service
The ACL is named usr_static. Requests for static files that match it, such as those with the suffixes .html, .jpeg, .xml and so on, are sent directly to the webcluster backend.
Requests that do not match the definition are sent to the default backend, app, where you can also set up multiple real servers to form a server cluster.
Visit the test.html and test.php pages from the Win10 client to test.
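The routing decision described above, combined with the address-based ACL from step 3, modelled in Python as an added example (not code from the original post, and not Haproxy's own implementation). It assumes a simplified evaluator with the hypothetical helpers parse, hit, acl_true and route, covering only the src, path_beg and path_end methods used on this page; the FRONTEND text is constructed from the page's rules.

```python
import ipaddress

# Constructed input: the step 5 frontend plus the step 3 source ACL as a deny rule.
FRONTEND = """
acl forbid src 192.168.126.10
acl usr_static path_beg -i /static /images /img /css
acl usr_static path_end -i .html .jpg .png .jpeg .gif .swf .css .xml .txt .pdf
http-request deny if forbid
use_backend webcluster if usr_static
default_backend app
"""

def parse(cfg):  # -> acl tests by name, denied acl names, use_backend rules, default
    acls, denies, uses, default = {}, [], [], None
    for tok in (line.split() for line in cfg.strip().splitlines()):
        if tok[0] == "acl":
            icase = "-i" in tok[3:]
            pats = [p.lower() if icase else p for p in tok[3:] if p != "-i"]
            acls.setdefault(tok[1], []).append((tok[2], icase, pats))
        elif tok[:2] == ["http-request", "deny"]:
            denies.append(tok[3])            # http-request deny if <acl>
        elif tok[0] == "use_backend":
            uses.append((tok[3], tok[1]))    # use_backend <backend> if <acl>
        elif tok[0] == "default_backend":
            default = tok[1]
    return acls, denies, uses, default

def hit(method, subject, src, pat):
    # Only the three methods used on this page are modelled.
    if method == "src":
        return ipaddress.ip_address(src) in ipaddress.ip_network(pat)
    if method == "path_beg":
        return subject.startswith(pat)
    return method == "path_end" and subject.endswith(pat)

def acl_true(tests, src, path):
    # Lines sharing one acl name are ORed, as are the patterns on each line.
    return any(hit(m, path.lower() if icase else path, src, p)
               for m, icase, pats in tests for p in pats)

def route(src, url, cfg=FRONTEND):  # -> "403" or the name of the chosen backend
    acls, denies, uses, default = parse(cfg)
    path = url.split("?", 1)[0]              # path excludes the query string
    if any(acl_true(acls.get(n, []), src, path) for n in denies):
        return "403"                         # deny rules run before backend selection
    for name, backend in uses:               # first matching use_backend wins
        if acl_true(acls.get(name, []), src, path):
            return backend
    return default
```

route("192.168.126.20", "/css-admin/run.php") returns webcluster because path_beg is a plain string prefix match, so write the pattern with a trailing slash (/css/) where a directory is meant.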