HAProxy configuration file in detail

The haproxy configuration file is divided into two parts: the first is the global configuration section (global settings), and the second is the proxy configuration section (proxies). The global section sets parameters for the haproxy process itself, mainly directives related to process management and security, performance tuning, and debugging.

The proxy configuration section can be divided into four parts. The first is "defaults <name>", which holds the common configuration: if a parameter is not explicitly set later in the configuration, the value set in defaults is used. The second is "frontend <name>", the client-facing configuration, which defines a series of listening sockets that accept client requests and establish connections with them. The third is "backend <name>", which defines the upstream server group, a series of "back-end" servers to which the proxy forwards the corresponding client requests. The fourth is "listen <name>", which defines a complete proxy by associating a "front end" with a "back end"; it is usually only useful for TCP traffic and is an alternative to frontend and backend, that is, both the front end and the back end can be defined in one listen section.

Proxy names may contain only uppercase letters, lowercase letters, digits, - (hyphen), _ (underscore), . (dot) and : (colon). In addition, ACL names are case-sensitive.

Here is a brief introduction to some of the directives in the global configuration segment:

Directives related to process management and security:

chroot <jail dir>

Changes haproxy's working directory to the specified directory and performs a chroot() there before dropping privileges. This raises the security level of haproxy, but it is important to ensure that the specified directory is empty and that no user has write access to it;

daemon

Makes haproxy run in the background as a daemon, which is equivalent to the "-D" command-line option; it can be disabled on the command line with the "-db" option;

gid <number>

Runs haproxy with the specified GID. It is recommended to use a GID dedicated to running haproxy, to avoid risks caused by permission issues;

group <group name>

Same as gid, but takes a group name;

log <address> <facility> [max level [min level]]

Defines a global syslog server; up to two can be defined;

log-send-hostname [<string>]

Adds a host name to the header of each syslog message: the name given as <string> if specified, otherwise the current host name;

nbproc <number>

Specifies the number of haproxy processes to start; it can only be used when haproxy runs in daemon mode. By default only one process is started. For many reasons, such as the difficulty of debugging, multi-process mode is used only in scenarios where a single process can open only a few file descriptors;

pidfile <pidfile>

Path of the PID file;

uid <number>

Runs the haproxy process as the specified UID;

user <user name>

Same as uid <number>, but takes a user name;

ulimit-n <number>

Sets the maximum number of file descriptors each process can open. It is calculated automatically by default, so modifying this option is not recommended;

stats socket <path>

Defines where statistics are saved;

node <name>

Defines the name of the current node; used in HA scenarios where multiple haproxy processes share the same IP address;

description <text>

Description of the current instance.

Most of these process-management and security directives do not need to be specified; it is enough to be aware of them.


Directives related to performance tuning:

maxconn <number>

Sets the maximum number of concurrent connections accepted by each haproxy process, which is equivalent to the "-n" command-line option. The "ulimit-n" value described under the process management and security directives is adjusted automatically according to maxconn;

maxpipes <number>

haproxy uses pipes to perform kernel-based TCP splicing. This directive sets the maximum number of pipes allowed per process; each pipe opens two file descriptors, so "ulimit-n" automatically takes this value into account as needed. The default is maxconn/4, which is usually too large;

noepoll

Disables the epoll mechanism on Linux systems;

nokqueue

Disables the kqueue mechanism on BSD systems;

nopoll

Disables the poll mechanism;

nosepoll

Disables the heuristic epoll mechanism on Linux;

nosplice

Disables the use of kernel TCP splicing between sockets on Linux. This leads to more recv/send system calls, but the TCP splicing function has bugs in the Linux 2.6.25-28 series kernels;

spread-checks <0..50, in percent>

When haproxy has many backend servers, running all server health checks together at exactly the same interval can cause unexpected problems. This option optimizes health checking by increasing or decreasing the interval between checks;

tune.bufsize <number>

Sets the buffer size. With the same amount of memory, a smaller value lets haproxy accept more concurrent connections, while a larger value lets some applications use large cookies. The default is 16384 and can be changed at compile time, but using the default value is strongly recommended;

tune.chksize <number>

Sets the size of the check buffer in bytes. A larger value helps when searching larger pages for strings or patterns, but also consumes more system resources;

tune.maxaccept <number>

Sets the number of connections the haproxy process can accept each time it is scheduled by the kernel. A larger value can bring higher throughput. The default is 100 in single-process mode and 8 in multi-process mode; setting it to 1 removes this limit. Modifying it is generally not recommended;

tune.maxpollevents <number>

Sets the maximum number of events handled per system call; the default depends on the OS. A value below 200 saves bandwidth but slightly increases network latency, while a value above 200 reduces latency but slightly increases the network bandwidth consumed;

tune.maxrewrite <number>

Sets the buffer space reserved for header rewriting or appending. A size of about 1024 is recommended; when more space is needed, haproxy increases the value automatically;

tune.rcvbuf.client <number>

Defines the size, in bytes, of the client-side kernel socket receive buffer; adjusting this value is not recommended;

tune.rcvbuf.server <number>

Sets the size, in bytes, of the server-side kernel socket receive buffer; using the default value is strongly recommended;

tune.sndbuf.client <number>

Defines the size, in bytes, of the client-side kernel socket send buffer; adjusting this value is not recommended;

tune.sndbuf.server <number>

Defines the size, in bytes, of the server-side kernel socket send buffer; adjusting this value is not recommended;

It is likewise enough to be aware of most of these directives; in practice, these parameters are not often adjusted.


Debug-related directives:

debug

This parameter can be enabled when debugging haproxy, but should not be enabled in a production environment;

quiet

haproxy displays no information after startup; this is the same as the "-q" option when starting haproxy on the command line.

The proxy-related configuration involves too many directives to cover here: the official documentation devotes a whole chapter to it, and each part of the proxy configuration section has its own set of directives. Please refer to http://cbonte.github.io/haproxy-dconv/configuration-1.4.html#4. Here I introduce it briefly through a sample configuration file.

[[email protected] haproxy]# cat haproxy.cfg
#---------------------------------------------------------------------
# example configuration for a possible web application.  see the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  this is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. a line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    # send haproxy's logs to the local rsyslog service
    log         127.0.0.1 local2
    # confine the haproxy process to the directory given to chroot; the
    # directory must be empty, and users other than the haproxy user must
    # not have write permission on it
    chroot      /var/lib/haproxy
    # pid file
    pidfile     /var/run/haproxy.pid
    # maximum number of concurrent connections allowed by the proxy; this
    # value is inherited if a server in a backend does not specify maxconn
    maxconn     4000
    # the user haproxy runs as
    user        haproxy
    # the group haproxy runs as
    group       haproxy
    # run haproxy in the background as a daemon
    daemon

    # turn on stats unix socket
    # define where statistics are saved
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
# default settings
defaults
    # operating mode of haproxy, one of {http|tcp|health}
    mode                    http
    # inherit the log settings of the global configuration section
    log                     global
    # enable logging of HTTP requests; see the keyword matrix section of
    # the official documentation for details
    option                  httplog
    # do not log empty connections
    option                  dontlognull
    # enable the server-side close feature of the HTTP protocol; it supports
    # long connections so that sessions can be reused, and every request is logged
    option http-server-close
    # if an application on the upstream server wants to log the IP address of
    # the client that originated the request, haproxy has to send the client's
    # IP to the upstream server by adding an "X-Forwarded-For" header to the
    # HTTP request. Accesses made by haproxy's own health checks should not be
    # recorded that way, so "except" excludes 127.0.0.0/8, i.e. haproxy itself.
    option forwardfor       except 127.0.0.0/8
    # when a session with an upstream server fails (server failure or another
    # reason), redistribute the session to another healthy server; once the
    # failed server recovers, sessions are directed to it again. The "retries"
    # keyword sets the number of connection attempts before a session is
    # judged to have failed.
    option                  redispatch
    # when haproxy is under high load, automatically end requests that have
    # been waiting in the queue for a long time
    option                  abortonclose
    # maximum number of attempts to connect to the upstream server; beyond
    # this value the backend server is considered unavailable
    retries                 3
    # timeout for the client to send its HTTP request
    timeout http-request    10s
    # when the upstream servers are under high load, haproxy places requests
    # in a queue; timeout queue defines how long a request may stay queued
    timeout queue           1m
    # timeout for haproxy connecting to a backend server; can be set smaller
    # if they are on the same LAN
    timeout connect         5s
    # timeout for inactive client connections to haproxy, i.e. the data
    # transfer is complete and no more data is sent
    timeout client          1m
    # timeout for inactive connections between haproxy and upstream servers
    timeout server          1m
    # maximum time to wait for a new HTTP request on a connection, so that
    # resources are released as early as possible
    timeout http-keep-alive 10s
    # maximum timeout for health checks
    timeout check           10s
    # maximum number of concurrent connections
    maxconn                 3000

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
#frontend  main *:5000
#    acl url_static       path_beg       -i /static /images /javascript /stylesheets
#    acl url_static       path_end       -i .jpg .gif .png .css .js
#
#    use_backend static          if url_static
#    default_backend             app

####### monitoring statistics page settings ############
listen stats
    # listening port
    bind 0.0.0.0:1088
    # log settings; the levels are [emerg alert crit err warning notice info debug]
    log 127.0.0.1 local3 err
    # enable statistics reporting with default parameters
    stats enable
    # hide the haproxy version information on the statistics page
    stats hide-version
    # refresh interval of the statistics page
    stats refresh 10s
    # prompt text shown in the password dialog of the statistics page
    stats realm haproxy\ stats
    # user name and password for the statistics page
    stats auth admin:admin
    # login URI of the statistics page
    stats uri /admin?admin
    # enable the management functions for backend servers on the statistics page
    stats admin if TRUE

#### frontend configuration ######
frontend server1_80_in
    # bind port 80 on any address
    bind *:80
    # run haproxy in HTTP mode
    mode http
    # define two ACLs that match static files
    acl is_static path_beg -i /static /image /javascript
    acl is_static path_end -i .html .png .jpg .gif .jpeg .css .js
    # requests matching the is_static ACL are forwarded to the
    # static_servers backend server group
    use_backend static_servers if is_static
    # default forwarding rule
    default_backend app_servers

#### backend configuration ######
backend static_servers
    # the static server group uses the roundrobin algorithm
    balance roundrobin
    # define the upstream server and its properties: a health check runs every
    # 1500 milliseconds; after 3 consecutive failed checks the server is
    # considered failed, and after 2 consecutive successful checks it is
    # considered available again
    server nod2_static_192.168.0.202 192.168.0.202:80 minconn 10 maxconn 2000 check inter 1500 fastinter 1000 downinter 1000 rise 2 fall 3 weight 1

backend app_servers
    # the scheduling algorithm for the dynamic servers is source; with the
    # hash-type parameter given, source becomes a dynamic algorithm
    balance source
    hash-type consistent
    server nod1_appserver_192.168.0.201 192.168.0.201:80 minconn 10 maxconn 200 check inter 1500 rise 3 fall 3 weight 1

This configuration file implements a simple static and dynamic separation effect, and the meanings of each configuration line are commented in the configuration file.
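As an added example (not part of the original article and not a HAProxy tool), the following Python script audits a haproxy.cfg for the security-relevant directives described above: chroot and a dedicated user/group in the global section, debug left enabled, and a statistics page that listens on all addresses, uses a password equal to the user name, or enables "stats admin" unconditionally. The function names and the embedded sample configuration are constructed for illustration.

```python
import re
# Constructed sample: a trimmed copy of the configuration shown above.
SAMPLE_CFG = """\
global
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
listen stats
    bind 0.0.0.0:1088
    stats enable
    stats auth admin:admin
    stats admin if TRUE
"""
SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")

def parse_sections(text):
    """Map each section header (e.g. 'listen stats') to its directive lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: ignores escaped '#'
        if not line:
            continue
        if line.split()[0] in SECTION_KEYWORDS:
            current = " ".join(line.split()[:2])
            sections[current] = []
        elif current is not None:
            sections[current].append(" ".join(line.split()))  # normalise spacing
    return sections

def audit(text):
    """Return findings for the security-relevant directives discussed here."""
    findings, sections = [], parse_sections(text)
    first = {d.split()[0] for d in sections.get("global", [])}
    if "chroot" not in first:
        findings.append("global: no chroot jail")
    if not first & {"user", "uid"} or not first & {"group", "gid"}:
        findings.append("global: no dedicated user/group")
    if "debug" in first:
        findings.append("global: debug enabled")
    for name, body in sections.items():
        has_stats = any(d.startswith("stats ") for d in body)
        for d in body:
            m = re.fullmatch(r"stats auth ([^:\s]+):(\S+)", d)
            if m and m.group(1) == m.group(2):
                findings.append(f"{name}: stats password equals user name")
            if d == "stats admin if TRUE":
                findings.append(f"{name}: stats admin enabled unconditionally")
            if has_stats and re.match(r"bind (\*|0\.0\.0\.0):", d):
                findings.append(f"{name}: stats page bound to all addresses")
    return findings
```

Calling audit(SAMPLE_CFG) reports the three statistics-page findings and nothing for the global section, since chroot, user and group are all set there.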

Resources:

Marco Class notes

http://cbonte.github.io/haproxy-dconv/configuration-1.4.html


This article is from the "focus on operations, and Linux Dances" blog, please be sure to keep this source http://zhaochj.blog.51cto.com/368705/1659610
