HAProxy advanced configuration options - ACL chapter: policy-based access control
Author: Yin Zhengjie
Copyright: original work, reprinting declined! Violators will be held liable.
I. Installing Apache httpd and preparing the test data
1> Test architecture description
node102.yinzhengjie.org.cn:
Haproxy server
node105.yinzhengjie.org.cn:
Test server, client simulation
node106.yinzhengjie.org.cn:
Apache httpd server
node107.yinzhengjie.org.cn:
Apache httpd server
node108.yinzhengjie.org.cn:
Apache httpd server
2> Install Apache httpd service
This process is relatively simple, so I skip it here; you can refer to my previous notes: https://www.cnblogs.com/yinzhengjie/p/12114195.html
II. A real case of source-address-based access control
1> Write the haproxy configuration file
[root@node102.yinzhengjie.org.cn ~]# cat /etc/haproxy/haproxy.cfg
global
maxconn 100000
chroot /yinzhengjie/softwares/haproxy
stats socket /yinzhengjie/softwares/haproxy/haproxy.sock mode 600 level admin
user haproxy
group haproxy
daemon
nbproc 2
cpu-map 1 0
cpu-map 2 1
nbthread 2
pidfile /yinzhengjie/softwares/haproxy/haproxy.pid
log 127.0.0.1 local5 info

defaults
option http-keep-alive
option forwardfor
option redispatch
option abortonclose
maxconn 100000
mode http
timeout connect 300000ms
timeout client 300000ms
timeout server 300000ms
errorloc 503 http://node107.yinzhengjie.org.cn/monitor/503.html

listen status_page
bind 172.30.1.102:8888
stats enable
stats uri /haproxy-status
stats auth admin:yinzhengjie
stats realm "Welcome to the haproxy load balancer status page of YinZhengjie"
stats hide-version
stats admin if TRUE
stats refresh 5s

frontend WEB_PORT_80
bind 172.30.1.102:80
mode http
acl hacker_deny src 172.30.1.254
http-request deny if hacker_deny
http-request allow
default_backend backup_web

backend web_server
server web01 172.30.1.104:80 check inter 3000 fall 3 rise 5 backup
server web02 172.30.1.106:80 check inter 3000 fall 3 rise 5
server web03 172.30.1.107:80 check inter 3000 fall 3 rise 5

backend backup_web
server web01 172.30.1.108:80 check inter 3000 fall 3 rise 5
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl restart haproxy
[root@node102.yinzhengjie.org.cn ~]#
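The frontend above is a denylist: the `acl hacker_deny src 172.30.1.254` line names a source address, `http-request deny if hacker_deny` rejects that client (HAProxy answers 403 by default), and `http-request allow` lets everyone else through to `default_backend`. HAProxy evaluates `http-request` rules top to bottom and the first `deny` or `allow` that matches ends the evaluation. To check what such a rule set blocks before reloading haproxy, here is an added Python example (not part of the original post and not HAProxy's own code) that parses `acl ... src` and `http-request deny/allow` lines from a constructed excerpt of this frontend and evaluates them with those first-match semantics. It generalizes beyond the page's single-address case to CIDR patterns, multiple ACL terms (AND), `or`, `!` negation and `unless`; the allowlist variant named `trusted_net` is a constructed example, not configuration from the page.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the frontend shown in the post (denylist form).
FRONTEND_CFG = """
frontend WEB_PORT_80
    bind 172.30.1.102:80
    mode http
    acl hacker_deny src 172.30.1.254
    http-request deny if hacker_deny
    http-request allow
    default_backend backup_web
"""

# Constructed allowlist variant (not from the page): only named networks get in.
ALLOWLIST_CFG = """
frontend WEB_PORT_80
    acl trusted_net src 172.30.1.0/24 10.0.0.0/8
    http-request deny unless trusted_net
    http-request allow
"""

Rule = Tuple[str, Optional[str], List[str]]  # (action, 'if'|'unless'|None, terms)


def parse_frontend(cfg: str) -> Tuple[Dict[str, List], List[Rule]]:
    """Collect src ACLs (name -> list of ip_network) and ordered http-request rules.
    Only 'acl NAME src PATTERN...' and 'http-request deny|allow' lines are modelled."""
    acls: Dict[str, List] = {}
    rules: List[Rule] = []
    for raw in cfg.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            # Repeating an ACL name in HAProxy unions the patterns; a bare IP is a /32.
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "http-request" and len(parts) >= 2 and parts[1] in ("deny", "allow"):
            if len(parts) >= 4 and parts[2] in ("if", "unless"):
                rules.append((parts[1], parts[2], parts[3:]))
            else:
                rules.append((parts[1], None, []))  # unconditional rule
    return acls, rules


def acl_matches(acls: Dict[str, List], term: str, client) -> bool:
    """Evaluate one ACL reference, honouring a leading '!' negation."""
    negate = term.startswith("!")
    name = term[1:] if negate else term
    if name not in acls:
        raise KeyError(f"undefined ACL {name!r}")  # haproxy -c would reject this too
    hit = any(client in net for net in acls[name])
    return hit != negate


def condition_holds(acls: Dict[str, List], terms: List[str], client) -> bool:
    """HAProxy condition semantics: space-separated terms are ANDed,
    'or' / '||' separate OR groups, and an empty condition is always true."""
    groups: List[List[str]] = []
    current: List[str] = []
    for t in terms:
        if t in ("or", "||"):
            groups.append(current)
            current = []
        else:
            current.append(t)
    groups.append(current)
    return any(all(acl_matches(acls, t, client) for t in g) for g in groups)


def decide(cfg: str, client_ip: str) -> str:
    """Return 'deny' or 'allow' for a client source address: first matching rule wins."""
    acls, rules = parse_frontend(cfg)
    client = ipaddress.ip_address(client_ip)
    for action, keyword, terms in rules:
        cond = condition_holds(acls, terms, client)
        if keyword == "unless":
            cond = not cond
        if cond:
            return action
    return "allow"  # no rule matched: request proceeds to the default backend


if __name__ == "__main__":
    for cfg_name, cfg in (("denylist", FRONTEND_CFG), ("allowlist", ALLOWLIST_CFG)):
        for ip in ("172.30.1.254", "172.30.1.105", "8.8.8.8"):
            print(f"{cfg_name:9s} {ip:14s} -> {decide(cfg, ip)}")
```

With the page's denylist, only 172.30.1.254 is rejected and any other address, including one outside the lab network, is served. The allowlist form inverts the default so that unknown sources are denied, which is the safer posture when the set of legitimate clients is known.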
2> View the haproxy listening ports and process information
[root@node102.yinzhengjie.org.cn ~]# ss -ntl
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    172.30.1.102:80      *:*
LISTEN     0      128    *:22                 *:*
LISTEN     0      128    172.30.1.102:8888    *:*
LISTEN     0      128    :::22                :::*
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# ps -ef | grep haproxy | grep -v grep
root     20704     1  0 20:25 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid
haproxy  20708 20704  0 20:25 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid
haproxy  20709 20704  0 20:25 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid
[root@node102.yinzhengjie.org.cn ~]#
3> View the haproxy status page (http://node102.yinzhengjie.org.cn:8888/haproxy-status)
III. Verifying the haproxy configuration
1> The client with IP address "172.30.1.254" accesses the haproxy address "http://node102.yinzhengjie.org.cn", as shown in the figure below
2> The "node105.yinzhengjie.org.cn" node accesses the haproxy address "http://node102.yinzhengjie.org.cn", as shown in the figure below