haproxy acl 规则 http://dngood.blog.51cto.com/446195/886547/
1 按请求的主机头(名)负载
cat haproxy.cfg
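global
    # Listing-number prefixes ("1.", "2.", ...) from the web page are removed so the
    # section parses as real HAProxy configuration.
    log 127.0.0.1 local1                          # log to the local syslog daemon, facility local1
    maxconn 65000                                 # process-wide maximum number of connections
    # NOTE(review): the jail is the install directory (the pidfile path shows it also
    # contains logs/). HAProxy's documentation asks for a chroot directory that is
    # empty and not writable by anyone; consider a dedicated empty directory.
    chroot /usr/local/haproxy
    uid 99                                        # run as uid 99 (the haproxy user per the original note; confirm locally)
    gid 99                                        # run as gid 99 (the haproxy group per the original note; confirm locally)
    daemon                                        # run in the background as a daemon
    nbproc 1                                      # number of processes
    pidfile /usr/local/haproxy/logs/haproxy.pid   # where the haproxy pid is written
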
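defaults
    log global                  # reuse the log target declared in the global section
    mode http                   # layer 7 (http); use "tcp" for layer 4
    option httplog              # HTTP log format
    option httpclose            # close the HTTP connection after each exchange
    option redispatch           # if the server designated by SERVERID is down, redispatch to another healthy server
    # option forwardfor appends an X-Forwarded-For header carrying the client address.
    # Any X-Forwarded-For sent by the client is still present, so back ends should
    # trust only the last occurrence when they log or make decisions on it.
    option forwardfor
    option dontlognull
    maxconn 50000               # maximum connections per proxy
    # contimeout / clitimeout / srvtimeout are the deprecated spellings of the three
    # directives below; the values are unchanged (milliseconds).
    timeout connect 5000        # connect timeout to a server
    timeout client 50000        # client inactivity timeout
    timeout server 50000        # server inactivity timeout

    #errorfile 502 /usr/local/haproxy/html/maintain.html
    #errorfile 503 /usr/local/haproxy/html/maintain.html
    #errorfile 504 /usr/local/haproxy/html/maintain.html

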
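frontend test.com                       # front-end listener (the HAProxy side)
    bind *:80                           # listening address
    acl web-client path_beg -i /vsphere-client
    # NOTE(review): the dots in this regex are unescaped and the pattern is anchored
    # only at the start, so any Host that merely begins with a matching string is
    # accepted. The same holds for the hdr_beg ACLs below. That is acceptable for
    # choosing a back end, but these ACLs should not be reused for access control.
    acl bbs hdr_reg(host) -i ^(bbs.test.com|shequ.test.com|forum)
    acl monitor hdr_beg(host) -i monitor.test.com   # ACL name; matches when the Host header begins with monitor.test.com
    acl www hdr_beg(host) -i www.test.com
    # The original listing used "static" below without defining it, which makes
    # HAProxy refuse to load the configuration. The definition is the one shown in
    # the ACL examples further down this page.
    acl static path_end -i .html .css .js
    # Rules are evaluated in order; the first matching use_backend wins.
    use_backend cache.test.com if static
    use_backend monitor.test.com if bbs or monitor
    use_backend www.test.com if www
    use_backend vsphere-client if web-client

    default_backend www.test.com        # back end used when no rule matches

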
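backend monitor.test.com                # back-end server pool (web server: apache/nginx/iis ...)
    mode http
    option forwardfor                   # lets the back end read the client IP from an HTTP header
    balance leastconn                   # load-balancing method: least connections
    # NOTE(review): the original comment says the server id is inserted into the
    # cookie, but no "insert" keyword is given. As written HAProxy presumably only
    # honours a SERVERID cookie that already exists - confirm, and add "insert" if
    # HAProxy itself is expected to set it.
    cookie SERVERID
    option httpchk HEAD /check.html     # document requested by the health check
    #option httpchk HEAD /index.php HTTP/1.1\r\nHost:monitor.test.com # variant sending HTTP/1.1 and a Host header
    server server1 10.0.100.70:80 cookie server1 check inter 2000 rise 3 fall 3 weight 3
    # Server line parameters:
    #   cookie server1    the SERVERID value that designates this server
    #   check inter 2000  health-check interval (the original note says this is check's default)
    #   rise 3            3 successful checks mark the server as available
    #   fall 3            3 failed checks mark the server as unavailable
    #   weight            relative weight of the server
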
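backend www.test.com
    # Listing-number prefixes from the web page are removed so the section parses.
    mode http
    option forwardfor                   # pass the client address to the back end in X-Forwarded-For
    balance roundrobin                  # load-balancing method: round robin
    cookie SERVERID                     # persistence cookie name; "server1" below is its value for that server
    option httpchk HEAD /check.html     # health check: HEAD request for /check.html
    server server1 10.0.100.71:80 cookie server1 check inter 2000 rise 3 fall 3 weight 3
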
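backend vsphere-client
    # Listing-number prefixes from the web page are removed so the section parses.
    mode http
    option forwardfor header ORIG_CLIENT_IP     # send the client address in ORIG_CLIENT_IP instead of X-Forwarded-For
    balance roundrobin
    # "redir" makes HAProxy answer GET and HEAD requests for this server with a
    # redirect to the given prefix plus the requested URI (the curl test on this
    # page shows a 302). Clients are sent to an IP-address HTTPS URL, so the
    # certificate served there must be one that clients can verify.
    server server1 10.0.100.81:80 redir https://192.168.57.81:443 check inter 2000 rise 3 fall 3 weight 3
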
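backend cache.test.com
    # Listing-number prefixes from the web page are removed so the section parses.
    # No "mode" is given here, so the mode from the defaults section (http) applies.
    option forwardfor
    #balance uri len 15                 # alternative: hash on the URL
    balance roundrobin
    server server1 10.0.100.73:80 check inter 2000 rise 3 fall 3 weight 3
    server server2 10.0.100.75:80 check inter 2000 rise 3 fall 3 weight 3
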
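listen admin_stat                       # statistics / status page
    # NOTE(review): this listens on every interface and serves plain HTTP, so the
    # Basic-auth credentials below cross the network unencrypted. Bind to a
    # management address or restrict access by source where possible.
    bind 0.0.0.0:8080                   # listening address and port
    mode http                           # layer 7 http mode
    stats refresh 30s                   # auto-refresh interval of the statistics page
    stats uri /haproxy_stats_url        # URL of the statistics page
    stats realm Haproxy\ Statistics     # text shown in the password prompt
    # The original listing used admin:admin. A guessable password here gives
    # control over back-end servers because of "stats admin" below, so the value is
    # replaced with a placeholder that must be set before use.
    stats auth admin:REPLACE_WITH_STRONG_PASSWORD
    stats hide-version                  # hide the HAProxy version on the statistics page
    # "if TRUE" lets every authenticated user of this page enable or disable
    # back-end servers by hand. Consider a narrower condition such as
    # "stats admin if LOCALHOST".
    stats admin if TRUE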
2 其它acl 规则
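########### acl rules start ############
# These directives belong inside a frontend (or listen) section. The listing-number
# prefixes from the web page are removed so the lines parse.
# NOTE(review): the dots in the regex are unescaped and the pattern is anchored only
# at the start, so any Host beginning with a matching string is accepted. That is
# fine for routing; do not reuse such an ACL for access control.
acl bbs hdr_reg(host) -i ^(bbs.test.com|forum.test.com)     # regular-expression match on the Host header
acl bbs_path path_beg -i /bbs                               # URL directory (path prefix)
acl youxi path_beg -i /youxi
acl static path_end -i .html .css .js                       # file extension at the end of the path
acl php path_end -i .php
acl jsp path_end -i .jsp .do

# Rules are evaluated in order; the first matching use_backend wins.
use_backend bbs_pool if bbs or bbs_path                     # note the "or": either ACL is enough
use_backend youxi_pool if youxi
use_backend static_pool if static
use_backend php_pool if php
use_backend jsp_pool if jsp
default_backend www.test.com
########### acl rules end ############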
#acl 参数
acl(关键字) 定义acl(名称) 方法 -i (忽略大小写) [匹配的路径或文件]
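hdr_beg(host):Host 请求头以给定字符串开头
hdr_reg(host):Host 请求头匹配给定的正则表达式
path_beg:请求路径以给定字符串开头
path_end:请求路径以给定字符串结尾
注意:hdr_beg 以及没有用 $ 结尾的正则只做前缀匹配,例如(构造的示例)www.test.com.example.org 也会命中 www 这条 acl;这类 acl 适合用来选择后端,不要用来做访问控制。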
3 use_backend 参数
1. or 用于匹配多个acl 名称
2. default_backend 没有满足条件的时候使用默认的后端服务器
#
haproxy 重定向url (301)(注:下面使用的 server redir 参数在 curl 测试输出中实际返回的是 302 Found)
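# Frontend part: route requests whose path starts with /vsphere-client.
# (Listing-number prefixes from the web page are removed so the lines parse.)
acl web-client path_beg -i /vsphere-client

use_backend vsphere-client if web-client

backend vsphere-client
    mode http
    option forwardfor header ORIG_CLIENT_IP     # send the client address in ORIG_CLIENT_IP instead of X-Forwarded-For
    balance roundrobin
    option httpchk HEAD /check.html             # health check against 10.0.100.81:80
    # "redir" makes HAProxy answer GET and HEAD requests for this server with a
    # redirect to the prefix plus the requested URI; the curl test on this page
    # shows "302 Found" with Location: https://192.168.57.81:443/vsphere-client.
    # The target is an IP-address HTTPS URL, so the certificate served there must
    # be verifiable by clients - in the curl test verification fails.
    server server1 10.0.100.81:80 redir https://192.168.57.81:443 check inter 2000 rise 3 fall 3 weight 3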
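测试:192.168.57.82 为 haproxy,192.168.57.81 为 https server。从下面的输出可以看到,haproxy 返回 302 并把客户端重定向到 https://192.168.57.81:443/vsphere-client;随后 curl 因为无法验证 https server 的证书(certificate verify failed)而中止连接。也就是说重定向本身已经生效,但 https server 需要配置客户端可以验证的证书(由受信任的 CA 签发),而不是让客户端关闭证书校验。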
1. curl -ILv http://192.168.57.82/vsphere-client
2. * About to connect() to 192.168.57.82 port 80 (#0)
3. * Trying 192.168.57.82... connected
4. * Connected to 192.168.57.82 (192.168.57.82) port 80 (#0)
5. > HEAD /vsphere-client HTTP/1.1
6. > User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
7. > Host: 192.168.57.82
8. > Accept: */*
9. >
10.< HTTP/1.1 302 Found
11.HTTP/1.1 302 Found
12.< Cache-Control: no-cache
13.Cache-Control: no-cache
14.< Content-length: 0
15.Content-length: 0
16.< Location: https://192.168.57.81:443/vsphere-client
17.Location: https://192.168.57.81:443/vsphere-client
18.< Connection: close
19.Connection: close
20.
21.<
22.* Closing connection #0
23.* Issue another request to this URL: 'https://192.168.57.81:443/vsphere-client'
24.* About to connect() to 192.168.57.81 port 443 (#0)
25.* Trying 192.168.57.81... connected
26.* Connected to 192.168.57.81 (192.168.57.81) port 443 (#0)
27.* successfully set certificate verify locations:
28.* CAfile: none
29. CApath: /etc/ssl/certs
30.* SSLv3, TLS handshake, Client hello (1):
31.* SSLv3, TLS handshake, Server hello (2):
32.* SSLv3, TLS handshake, CERT (11):
33.* SSLv3, TLS alert, Server hello (2):
34.* SSL certificate problem, verify that the CA cert is OK. Details:
35.error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
36.* Closing connection #0