haproxy deployment

 

Chapter One: haproxy Introduction

1.1 Introduction

  1. HAProxy is free, fast and reliable software that provides high availability, load balancing and proxying for TCP (layer 4) and HTTP (layer 7) applications, with support for virtual hosts. It is particularly suited to heavily loaded web sites that need session persistence or layer 7 processing. Running on today's hardware, HAProxy can support thousands of concurrent connections, and its mode of operation makes it simple to integrate into an existing architecture while keeping the web servers from being exposed directly to the network.
  2. HAProxy implements an event-driven, single-process model that supports a very large number of concurrent connections. Multi-process or multi-threaded models are limited by memory, by the system scheduler and by locks everywhere, and few of them can handle thousands of concurrent connections. The event-driven model does not have these problems because it performs all of this work in user space with better management of resources and time. Its drawback is that such programs generally scale poorly on multi-core systems, which is why they must be optimized so that each CPU time slice (cycle) does more work.
  3. HAProxy supports connection rejection: because the cost of keeping a connection open is very low, it is sometimes necessary to limit worms (attack bots), that is, to limit the connections they can open and so limit the harm they do. This feature has saved many sites caught in small DDoS attacks, an advantage no other load balancer offers.
  4. HAProxy supports transparent proxying (a typical feature of hardware firewalls): it can connect to the backend server using the client's IP address or any other address. Before this was built in, it required the cttproxy patch on Linux 2.4/2.6 kernels. This feature makes it possible to process part of the traffic for a particular server address without modifying the server.

1.2 Performance

  1. The single-process, event-driven model reduces context-switching overhead and memory footprint.
  2. An I/O event checker that allows immediate detection of any event on any connection, even with a very large number of concurrent connections.
  3. Single buffering wherever possible: reading and writing without copying any data, which saves a great deal of CPU cycles and memory bandwidth.
  4. Using the splice() system call on Linux 2.6 (>= 2.6.27.19), HAProxy can do zero-copy forwarding, and on Linux 3.5 and above zero-copy starting (zero-starting) in the OS as well.
  5. A fixed-size memory allocator with memory pools provides real-time memory allocation, which significantly reduces the time needed to create a session.
  6. Tree storage: heavy use of the elastic binary trees developed years ago, giving O(log(N)) cost for timer management, the run queue, and the polling and least-connections queues.
  7. Optimized HTTP header analysis: the header parser avoids re-reading any memory area while analysing HTTP headers.
  8. Careful reduction of expensive system calls, with most of the work done in user space, such as reading the time, aggregating buffers, and enabling or disabling file descriptors.

Chapter Two: Installation and Deployment

2.1 Compile and install

# Enable IP forwarding
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p
yum -y install gcc systemd-devel   # install dependencies
tar xf haproxy-1.8.7.tar.gz        # extract
cd haproxy-1.8.7/
make TARGET=linux2628 PREFIX=/usr/local/haproxy
make install PREFIX=/usr/local/haproxy
cp /usr/local/haproxy/sbin/haproxy /usr/sbin/
cp ./examples/haproxy.init /etc/init.d/haproxy
chmod 755 /etc/init.d/haproxy
useradd -r haproxy
mkdir /etc/haproxy

2.2 Writing the configuration file

vim /etc/haproxy/haproxy.cfg

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log 127.0.0.1 local3 info       # log server and log level
    chroot /usr/local/haproxy       # change the working directory (chroot jail)
    user haproxy                    # user and group the process runs as
    group haproxy
    daemon                          # run as a daemon
    maxconn 4000                    # maximum connections

defaults                            # default configuration
    log global
    mode http                       # layer 7 http; layer 4 would be tcp. For haproxy to support virtual hosts, mode must be http
    option httplog                  # http log format
    timeout connect 5000            # connection timeout (in milliseconds)
    timeout client 50000            # client timeout (in milliseconds)
    timeout server 50000            # server timeout (in milliseconds)

listen stats
    mode http
    bind 10.0.0.19:1080
    stats enable
    stats hide-version
    stats uri /stats
    stats admin if TRUE             # management actions allowed without authentication; restrict with stats auth (see 3.6)

frontend web_front                  # frontend; the name web_front can be customized
    bind 10.0.0.19:80               # ip and port on which http requests are accepted
    mode http
    log global
    option httplog                  # enable http log
    default_backend http_back

backend http_back                   # backend; the name http_back can be customized
    option httpchk GET /index.html  # health check page
    option forwardfor header X-Forwarded-For   # pass the real client IP to the servers
    balance roundrobin              # roundrobin scheduling
    # ip and port of the servers to forward to
    server elk2 10.0.0.22:80 check inter 2000 rise 3 fall 3 weight 30
    server elk1 10.0.0.21:80 check inter 2000 rise 3 fall 3 weight 30
    server elk3 10.0.0.24:80 check inter 2000 rise 3 fall 3 weight 30

2.3 Logging Configuration

Open the rsyslog configuration:
vi /etc/rsyslog.conf
Uncomment the following two lines (remove the leading #):
$ModLoad imudp
$UDPServerRun 514
and add the following line:
local3.*    /var/log/haproxy.log
Restart rsyslog:
systemctl restart rsyslog

Note that imudp accepts UDP syslog on port 514 from any host unless told otherwise; since haproxy logs to 127.0.0.1, bind it to the loopback address (rsyslog's $UDPServerAddress 127.0.0.1, placed before $UDPServerRun) or firewall the port so remote hosts cannot inject log lines.

2.4 Starting haproxy

service haproxy start

Chapter Three: Configuration File Details

  • Global section: defines process-wide settings: security-related configuration, performance tuning, debugging and other service-related parameters.
  • Proxy section: defines how scheduling is actually performed. It comprises:
    • listen: defines a complete proxy (frontend and backend together) in one block
    • frontend: defines how to communicate with clients
    • backend: defines how to communicate with the backend hosts
    • defaults: defines default values for certain parameters of listen, frontend and backend

3.1 Process and security parameters

chroot /usr/local/haproxy     # chroot jail: haproxy uses this directory as its root. A security setting that limits the damage if the haproxy process is hijacked
user haproxy                  # user and group the haproxy process runs as
group haproxy
daemon                        # run haproxy as a background daemon rather than in the foreground (debug mode)
log 127.0.0.1 local3 info     # local3 is the syslog facility, matching the /etc/rsyslog.conf configuration; log level info
pidfile /var/run/haproxy.pid  # file to which the PIDs of all daemons are written
maxconn 4000                  # maximum number of connections

3.2 Log directive details

Syntax:
 log <address> [len <length>] [format <format>] <facility> [max level [min level]]

Adds a global syslog server. Several global servers can be defined. They receive the startup and exit logs, and all logs from proxies that use "log global".
address
  An IPv4 address, optionally followed by a colon and a UDP port. If no port is specified, the default 514 (the standard syslog port) is used.
  An IPv6 address, followed by a colon and an optional UDP port. If no port is specified, the default 514 (the standard syslog port) is used.
  A filesystem path to a UNIX domain socket, keeping in mind the chroot (ensure the path is accessible inside the chroot) and the uid/gid (ensure the path is writable).
length  Optional maximum line length.
  Log lines longer than this value are truncated before being sent. The reason is that syslog servers behave differently with long lines: all servers support the default of 1024, but some truncate longer lines while others log them in full. If the server supports long lines, it may make sense to raise this value to avoid lines being cut. Conversely, if a server drops long lines, it is better to cut them before sending. Accepted values are 80 to 65535 inclusive. The default of 1024 is suitable for all standard usage. Some specific header captures or JSON log formats may require a larger value. If your request URIs are truncated, you may also need "tune.http.logurilen".
format  The syslog message format used when generating log messages.
  • rfc3164  RFC 3164 syslog message format. This is the default.
  • rfc5424  RFC 5424 syslog message format.
facility  Must be one of the 24 standard syslog facilities:
  kern   user   mail   daemon auth   syslog lpr    news
  uucp   cron   auth2  ftp    ntp    audit  alert  cron2
  local0 local1 local2 local3 local4 local5 local6 local7
level  An optional level can be specified to filter outgoing messages. By default, all messages are sent. If a maximum level is specified, only messages with a severity at least as important as this level are sent. An optional minimum level can also be specified; if set, logs emitted with a more severe level than this one are capped to this level. This is used to avoid sending "emerg" messages to all terminals on some default syslog configurations.
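As an added example (not part of the original post), the following Python reads lines in the "option httplog" format that the configuration above sends to /var/log/haproxy.log and summarizes them per backend server and per client; the log lines are constructed, and the frontend, backend and server names follow the page's config.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format produced by "option httplog", as rsyslog
# writes them to /var/log/haproxy.log for facility local3. Addresses come from
# documentation ranges; the names follow the page's web_front/http_back config.
SAMPLE_LOG = """\
Aug  6 10:00:01 lb1 haproxy[2211]: 203.0.113.7:51234 [06/Aug/2019:10:00:01.123] web_front http_back/elk1 0/0/1/12/13 200 5120 - - ---- 3/3/1/1/0 0/0 "GET /index.html HTTP/1.1"
Aug  6 10:00:02 lb1 haproxy[2211]: 203.0.113.7:51235 [06/Aug/2019:10:00:02.004] web_front http_back/elk2 0/0/1/8/9 200 2048 - - ---- 3/3/1/1/0 0/0 "GET /static/app.js HTTP/1.1"
Aug  6 10:00:03 lb1 haproxy[2211]: 198.51.100.9:40001 [06/Aug/2019:10:00:03.511] web_front http_back/elk3 0/0/-1/-1/3001 503 212 - - SC-- 3/3/0/0/3 0/0 "GET /index.html HTTP/1.1"
Aug  6 10:00:04 lb1 haproxy[2211]: 198.51.100.9:40002 [06/Aug/2019:10:00:04.020] web_front http_back/elk3 0/0/-1/-1/3002 503 212 - - SC-- 3/3/0/0/3 0/0 "GET /admin HTTP/1.1"
Aug  6 10:00:05 lb1 haproxy[2211]: 192.0.2.5:60000 [06/Aug/2019:10:00:05.700] web_front http_back/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 2/2/0/0/0 0/0 "<BADREQ>"
"""

# Field order of the httplog format: client_ip:port [accept_date] frontend
# backend/server Tq/Tw/Tc/Tr/Tt status bytes req_cookie resp_cookie
# termination_state actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue "request"
HTTPLOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>[^:\s]+):\d+ \[[^\]]+\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<timers>[-\d/]+) (?P<status>-?\d+) '
    r'(?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) (?P<conns>[\d/]+) (?P<queues>[\d/]+) '
    r'"(?P<request>[^"]*)"'
)


def parse_httplog(text):
    """Parse httplog lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = HTTPLOG_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entry["retries"] = int(entry["conns"].split("/")[4])  # 5th field is retries
            entries.append(entry)
    return entries


def summarize(entries):
    """Defender-side summary: status codes per backend server, backend-side
    failures (termination state starting with 'S' or 's': server error/timeout),
    and 4xx/5xx counts per client IP, useful for spotting a client that is probing."""
    by_server = defaultdict(Counter)
    backend_failures = Counter()
    errors_by_client = Counter()
    for e in entries:
        by_server[e["server"]][e["status"]] += 1
        if e["term"][0] in "Ss":
            backend_failures[e["server"]] += 1
        if e["status"] >= 400:
            errors_by_client[e["client"]] += 1
    return {"by_server": dict(by_server),
            "backend_failures": dict(backend_failures),
            "errors_by_client": dict(errors_by_client)}


if __name__ == "__main__":
    report = summarize(parse_httplog(SAMPLE_LOG))
    for key, value in report.items():
        print(key, value)
```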

3.3 Proxy configuration section

Proxy Configuration section:

defaults <name>      # default settings applied to frontend, backend and listen sections
frontend <name>      # frontend, corresponds to a server {} block in nginx
backend <name>       # backend, corresponds to an upstream {} block in nginx
listen <name>        # frontend and backend combined in one section, for single-tier environments

    mode http        # mode {tcp|http|health}: tcp is layer 4, http is layer 7, health only returns OK
    log global       # use the global logging configuration
    option httplog   # log HTTP requests; by default haproxy does not log HTTP request details
    option dontlognull   # do not log null connections. A null connection is one opened without sending data, e.g. an upstream load balancer or monitoring system periodically connecting (or fetching a fixed page) to check that the service is alive, or a port scanner probing whether the port is open. The official documentation notes that if there is no other upstream load balancer this option is not recommended, because malicious scans or other actions from the Internet would not be recorded
    option http-server-close   # actively close the server-side connection after each request completes
    option forwardfor except 127.0.0.0/8   # if the application on the backend server needs to record the IP address of the client that made the request, configure this option: HAProxy inserts an "X-Forwarded-For" header carrying the client IP into the request sent to the backend, so the backend sees the real client IP. Requests originating from 127.0.0.0/8 are excepted
    maxconn 3000     # maximum number of connections per process
    option redispatch   # when cookies are used, haproxy inserts the backend server's serverID into the cookie to keep the session persistent; if that backend server goes down while the client's cookie is not refreshed, this option redirects the client's request to another backend server so service continues
    retries 3        # number of connection retries to a backend server; once failures exceed this value the backend server is marked unavailable
    timeout http-request 10s     # http request timeout
    timeout queue 1m             # time a request may wait in the queue
    timeout connect 10s          # connection timeout
    timeout client 1m            # client timeout
    timeout server 1m            # server timeout
    timeout http-keep-alive 10s  # http keep-alive timeout
    timeout check 10s            # health check timeout

frontend main *:80   # listen on port 80
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .png .gif .css .js
    use_backend static if url_static
    default_backend my_webserver   # requests not matching the acl are forwarded to this backend

backend static   # static/dynamic separation: requests whose path matches the static patterns (.jpg .gif .png .css .js) are served by this backend
    balance roundrobin   # load balancing algorithm (roundrobin; "balance source" keeps a session on one server; static-rr, leastconn, first, uri and others are also supported)
    server static 127.0.0.1:80 check   # static files served on this machine (could also be another machine or a squid cache server)

backend my_webserver   # backend named my_webserver. The name is customizable, but must match the default_backend value configured in the frontend
    balance roundrobin   # load balancing algorithm
    # define the backend servers
    server web01 172.31.2.33:80 check inter 2000 fall 3 weight 30
    server web02 172.31.2.34:80 check inter 2000 fall 3 weight 30
    server web03 172.31.2.35:80 check inter 2000 fall 3 weight 30

3.4 Scheduling algorithms (balance)

balance: scheduling algorithm for the servers in a backend
 balance <algorithm> [<arguments>]
 balance url_param <param> [check_post]

HAProxy's scheduling algorithms are divided into dynamic and static algorithms, but the distinction differs from nginx's. nginx distinguishes static from dynamic by whether scheduling takes the backend servers' load into account, whereas HAProxy distinguishes them by whether the algorithm supports changing weights at run time with immediate effect.

roundrobin: weighted round robin, a dynamic algorithm; supports adjusting weights at run time and slow start; each backend supports at most 4095 servers
 server option: weight <weight>
static-rr: weighted round robin, a static algorithm; does not support run-time weight adjustment or slow start; unlimited number of backend hosts
leastconn: weighted least connections, a dynamic algorithm; new connections are given preferentially to the backend server with the fewest connections, and servers with the same number of connections are polled in turn. Suited to long sessions such as MySQL or LDAP, not suitable for HTTP
first: servers are scheduled top to bottom in the order of the server list; when the number of connections on the first server reaches its limit, new requests are assigned to the next server
source: hash of the source address; new connections are distributed by weight, and subsequent requests from the same source go to the same server

3.5 Server settings

server <name> <address>[:[port]] [param*]
 Defines a backend host and its options: server <name> <address>[:port] [settings ...]; default-server [settings ...]
 <name>: the server's internal name in haproxy, which appears in logs and warning messages
 <address>: the server's address; host names are supported
 [:[port]]: port mapping; if omitted, the port the frontend is bound to is used
 [param*]: parameters
 check: perform health checks on this server; on its own only a layer 4 check is performed
  Note: httpchk, smtpchk, mysql-check, pgsql-check and ssl-hello-chk define application-layer checks
 addr: IP address used for the checks
 port: port used for the checks
 inter <delay>: interval between two consecutive checks, default 2000ms
 rise <count>: number of consecutive "success" results before the server is marked available; default 2
 fall <count>: number of consecutive "failed" results before the server is marked unavailable; default 3
 cookie <value>: the cookie value assigned to this server, for cookie-based sticky sessions
 disabled: mark the server as unavailable
 redir <prefix>
 weight <weight>: weight, default 1, maximum 256; 0 means the server takes no part in load balancing (is not scheduled)
 backlog <backlog>: length of the backup queue once the server's connection limit is reached
 backup: make this server a standby server
 default-server [param*]: default settings for the servers in the backend
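As an added example (not from the original post), this Python models the rise/fall behaviour described above for a single server and computes how long a failed server keeps receiving traffic with the page's "check inter 2000 rise 3 fall 3" settings; the check results fed in are constructed.

```python
class ServerHealth:
    """Up/down state of one backend server following the rise/fall semantics
    described above: DOWN after `fall` consecutive failed checks, UP again after
    `rise` consecutive successful checks. Defaults match HAProxy's (rise 2, fall 3,
    inter 2000 ms); the page's servers use "check inter 2000 rise 3 fall 3"."""

    def __init__(self, name, rise=2, fall=3, inter_ms=2000, up=True):
        self.name = name
        self.rise, self.fall, self.inter_ms = rise, fall, inter_ms
        self.up = up
        self.streak = 0          # consecutive results contradicting the current state
        self.transitions = []    # (check_number, "UP" | "DOWN")
        self.checks = 0

    def record(self, ok):
        """Feed one health-check result; return the state after it (True = UP)."""
        self.checks += 1
        if ok == self.up:
            self.streak = 0      # result agrees with the current state: streak resets
            return self.up
        self.streak += 1
        if self.streak >= (self.fall if self.up else self.rise):
            self.up = not self.up
            self.streak = 0
            self.transitions.append((self.checks, "UP" if self.up else "DOWN"))
        return self.up

    def worst_case_detection_ms(self):
        """Longest time a dead server keeps receiving traffic before it is marked
        DOWN: `fall` checks spaced `inter` apart (the check timeout adds to this)."""
        return self.fall * self.inter_ms


def simulate(results, **options):
    """Run a sequence of check results (True = success) through one server."""
    srv = ServerHealth("elk1", **options)   # name taken from the page's config
    states = [srv.record(r) for r in results]
    return states, srv.transitions


if __name__ == "__main__":
    # Two failures, one success, then three failures: the server stays UP until the
    # third consecutive failure, then needs three consecutive successes to return.
    states, transitions = simulate(
        [False, False, True, False, False, False, True, True, True], rise=3, fall=3)
    print(states)        # [True, True, True, True, True, False, False, False, True]
    print(transitions)   # [(6, 'DOWN'), (9, 'UP')]
    print(ServerHealth("elk1", rise=3, fall=3).worst_case_detection_ms())  # 6000
```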

3.6 Statistics page parameters

stats enable                       # enable the statistics page; when enabled without further parameters the defaults are:
 stats uri: /haproxy?stats         # default uri
 stats realm: HAProxy Statistics   # default authentication realm
 stats auth: none                  # no authentication; unauthenticated access is granted the permissions of the stats account
stats uri <prefix>                 # custom uri for the stats page
stats auth <user>:<passwd>         # account and password for authentication; may be given several times
stats realm <realm>                # realm shown during authentication
stats hide-version                 # hide the version
stats refresh <delay>              # automatic refresh interval
stats admin {if|unless} <cond>     # enable the management functions of the stats page

3.7 Connection timeouts

timeout client <timeout>           # maximum idle time on the client side; the default unit is milliseconds
timeout server <timeout>           # maximum idle time on the backend server side
timeout http-keep-alive <timeout>  # maximum time to wait for a new request on a keep-alive connection
timeout http-request <timeout>     # maximum time to wait for a complete HTTP request
timeout connect <timeout>          # maximum time to wait for a connection to a backend server to succeed
timeout client-fin <timeout>       # idle time allowed on a half-closed client connection
timeout server-fin <timeout>       # idle time allowed on a half-closed backend server connection

Chapter Four: ACL Details

HAProxy's ACLs make forwarding decisions based on request headers, response content or other environmental status information, which greatly increases configuration flexibility. Rules are generally set in two steps: first define the ACL, i.e. a test condition, and then perform a specific action when the condition is met, such as blocking access or forwarding to a specific backend.

4.1 ACL syntax

 acl <aclname> <criterion> [flags] [operator] [<value>] ...

4.2 Syntax details

1. aclname

 The ACL name, case-sensitive, containing only upper- and lowercase letters, digits, - (hyphen), _ (underscore), . (dot) and : (colon). In HAProxy several ACLs may share the same name; this allows several test conditions to be defined under one common ACL.

2. criterion

 The test criterion specifies what information is tested. The test mode can be adjusted with the [flags] option, and some criteria also require an [operator] to be given first.
 Criteria:
  dst       destination IP
  dst_port  destination port
  src       source IP
  src_port  source port


3. [flags]: flags
-i: ignore case when matching all subsequent patterns.
-f: load patterns from a file.
-m: use a specific pattern matching method.
-n: forbid DNS resolution.
-M: load the file pointed to by -f like a map file.
-u: force the ACL to have a unique id.
--: force end of flags.


4. Value types

 - boolean: true or false
 - integer or integer range
 - IP address / network: IP address or network address
 - string (exact, substring, suffix, prefix, subdir, domain): the header value matches the specified pattern
   exact: exact match
   substring: substring match
   suffix: suffix match
   prefix: prefix match
   subdir: sub-path match
   domain: domain substring match
 - regular expression: regular expression match
 - hex block: block of hexadecimal digits

 Several test conditions can be specified for the same acl, and these conditions are combined with logical operators. There are three relations between test conditions: "and" (the default operation), "or" (using the "||" operator) and "not" (using the "!" operator).

5. [operator]

Integer matching: eq, ge, gt, le, lt
String matching:
 -m <method>: specifies the pattern matching method
 The -m flag selects the matching method. Note that some methods are applied by default without being specified, e.g. int and ip.
 "found": only checks whether the specified data is present in the stream, without any comparison
 "bool": returns the check result as a boolean. No pattern is matched: a boolean or integer sample of 0 is false, any other value is true
 "int": matches integer data; handles both integer and boolean samples, where 0 represents false and 1 represents true
 "ip": matches IPv4 and IPv6 address data. This method is only compatible with IP address samples and need not be specified explicitly
 "bin": matches binary data
 "len": matches the length of the sample as an integer
 "str": exact match, compares the text string exactly
 "sub": substring match, checks whether the text contains the substring
 "reg": regular expression match, matches the text against a list of regular expressions
 "beg": prefix match, checks whether the text begins with the specified string
 "end": suffix match, checks whether the text ends with the specified string
 "dir": subdirectory match, checks whether one of the "/"-delimited portions of the text equals the specified string
 "dom": domain match, checks whether one of the "."-delimited portions of the text equals the specified string
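As an added example (not part of the original post), the following Python implements the matching methods listed above and the OR-combination of acl lines sharing one name, applied to the page's url_static acl; the sample paths and addresses are constructed, and writing the "int" operator and value as one string (e.g. "ge 500") is a simplification of HAProxy's syntax.

```python
import ipaddress
import operator
import re

INT_OPS = {"eq": operator.eq, "ge": operator.ge, "gt": operator.gt,
           "le": operator.le, "lt": operator.lt}


def _match_int(sample, pattern):
    """Integer matching: "<op> N" with the operators listed above, "lo:hi" ranges, or "N"."""
    value = int(sample)
    parts = pattern.split()
    if len(parts) == 2 and parts[0] in INT_OPS:
        return INT_OPS[parts[0]](value, int(parts[1]))
    if ":" in pattern:
        lo, hi = pattern.split(":", 1)
        return (not lo or int(lo) <= value) and (not hi or value <= int(hi))
    return value == int(pattern)


def acl_match(method, sample, patterns, ignore_case=False):
    """True if `sample` matches any of `patterns` under the -m method named.
    `ignore_case` is the -i flag. A sample matches an acl line if it matches
    any one of that line's patterns."""
    if method == "int":
        return any(_match_int(sample, p) for p in patterns)
    if method == "len":
        return any(_match_int(len(sample), p) for p in patterns)
    if method == "ip":
        addr = ipaddress.ip_address(sample)
        return any(addr in ipaddress.ip_network(p, strict=False) for p in patterns)
    if method == "reg":
        flags = re.IGNORECASE if ignore_case else 0
        return any(re.search(p, sample, flags) for p in patterns)
    text = sample.lower() if ignore_case else sample
    pats = [p.lower() for p in patterns] if ignore_case else patterns
    tests = {
        "str": lambda p: text == p,
        "sub": lambda p: p in text,
        "beg": lambda p: text.startswith(p),
        "end": lambda p: text.endswith(p),
        "dir": lambda p: p in text.split("/"),   # a "/"-delimited portion equals p
        "dom": lambda p: p in text.split("."),   # a "."-delimited portion equals p
    }
    if method not in tests:
        raise ValueError("unsupported match method: %s" % method)
    return any(tests[method](p) for p in pats)


def evaluate_named_acl(tests, sample):
    """Several acl lines sharing one name are OR-ed together, as stated above.
    `tests` is a list of (method, patterns, ignore_case) tuples, one per acl line."""
    return any(acl_match(m, sample, p, ic) for m, p, ic in tests)


# The page's url_static acl: "path_beg -i ..." and "path_end -i ..." under one name.
URL_STATIC = [
    ("beg", ["/static", "/images", "/javascript", "/stylesheets"], True),
    ("end", [".jpg", ".png", ".gif", ".css", ".js"], True),
]

if __name__ == "__main__":
    for path in ["/Static/logo.svg", "/app/main.JS", "/index.html"]:
        print(path, "-> static" if evaluate_named_acl(URL_STATIC, path) else "-> my_webserver")
```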

Chapter Five: Configuring HAProxy for HTTPS

Session configuration with SSL support:
 bind *:443 ssl crt /PATH/TO/SOME_PEM_FILE
 ssl: the session uses SSL
 crt: path to the certificate file, a PEM containing both the certificate and the private key
Redirect requests on port 80 to 443:
 bind *:80
 redirect scheme https if !{ ssl_fc }
 scheme: the protocol
 ssl_fc: true when the frontend connection is SSL, so the redirect applies to non-SSL requests; it is built in and needs no definition, it can be called directly
Pass the protocol and port requested by the user to the backend:
 http-request set-header X-Forwarded-Port %[dst_port]
 http-request add-header X-Forwarded-Proto https if { ssl_fc }

  

 
 


Origin www.cnblogs.com/lijiansheng/p/11250512.html