Introduction to ACLs:
Haproxy ACLs make forwarding decisions based on the headers of the request, the content of the response, or other environmental state, which greatly increases the flexibility of the configuration. Configuring a rule usually takes two steps: first define an ACL, i.e. a test condition, then execute a specific action when that condition is met, such as blocking the request or forwarding it to a specific backend.
Syntax:
acl <aclname> <criterion> [flags] [operator] <value> ...
Description:
<aclname>: the ACL name. It is case-sensitive and may only contain upper- and lowercase letters, digits, "-" (hyphen), "_" (underscore), "." (dot) and ":" (colon). In Haproxy several ACL lines may share the same name; the test conditions defined on each of those lines are then combined into one ACL.
<criterion>: the test criterion, i.e. which piece of information the test is performed on. The way the test is performed can be adjusted with the flags given in [flags], and some criteria also require an [operator] to be specified in front of <value>.
[flags]: the Haproxy ACL currently supports three flags:
-i: ignore the case of the pattern characters in <value>;
-f: load the patterns from the specified file;
--: forces the end of the flags; used when the pattern string itself looks like a flag.
<value>: the values an ACL test condition can take fall into four categories:
1. Integer: 1024:65535 means the range from 1024 to 65535. Only positive integers are supported (decimal numbers such as 1.1 are typically used only for version tests), and five operators are supported: eq, ge, gt, le and lt.
2. String: supports "-i" to ignore case and "\" to escape characters; if the pattern itself begins with "-", put the "--" flag in front of it.
3. Regular expression.
4. IP address and network address.
Note: a condition (after if/unless) can combine several ACLs, and the relationship between them is expressed with logical operators. There are three ways to combine conditions: "and" (the default), "or" (the "||" or "or" operator) and "not" (the "!" operator).
Common ACL detection criteria:
Syntax: dst <ip_address>
Syntax: dst_port <integer>
Syntax: src <ip_address>
Syntax: src_port <integer>
Description: tests the source address, source port, destination address and destination port.
Example:
acl goodguys src 192.168.0.0/16
acl goodport src_port 80
Syntax: tcp-request content <action> [{if | unless} <condition>]
Description: filters TCP (layer 4) requests.
Example:
acl goodguys src 127.0.0.1
acl badguys src 172.10.0.0/16
tcp-request content reject if badguys
tcp-request content accept if goodguys
tcp-request content reject
Syntax: http-request <action> [{if | unless} <condition>]
Description: filters on the content of HTTP (layer 7) requests.
Example:
acl nagios src 192.168.129.3
acl local_net src 192.168.0.0/16
acl auth_ok http_auth(L1)
http-request allow if nagios
http-request allow if local_net auth_ok
http-request auth realm Gimme if local_net !auth_ok
http-request deny
Syntax: hdr(<header>) <string>
Description: tests whether any header, or the named header, of the request message meets the given condition. When a header name is given it is not case-sensitive, and there must be no extra whitespace inside the parentheses "()".
Example:
acl valid_conn hdr(Connection) -i close  # true when the value of the Connection header is "close"; -i makes the match case-insensitive
Syntax: hdr_reg(<header>) <regexp>
Description: tests whether any header, or the named header, of the request message matches a regular expression. When a header name is given it is not case-sensitive, and there must be no extra whitespace inside the parentheses "()".
Example:
acl luochen hdr_reg(Host) -i .*\.luochen.com
Syntax: method <string>
Description: tests the method used in the HTTP request message.
Example:
acl mthod method GET
Syntax: path <string>
Description: tests the path part of the requested URL against the given string.
Example:
acl index path /index.html
Syntax: path_beg <string>
Syntax: path_end <string>
Description: tests whether the path of the requested URL begins (path_beg) or ends (path_end) with the pattern given in <string>.
Example:
acl url_static path_beg -i /static /images /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js
Syntax: hdr_beg(<header>) <string>
Syntax: hdr_end(<header>) <string>
Description: tests whether the beginning (hdr_beg) or the end (hdr_end) of the named request header matches the pattern given in <string>.
Example:
acl host_static hdr_beg(host) -i img. video. download. ftp.
acl host_static hdr_end(host) -i .jpg .gif .png .css .js
Haproxy configuration of static and dynamic separation (topology diagram below):
[Topology diagram (2.png) from the original post]
Configure the following in the Haproxy configuration file:
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    # turn on the stats unix socket
    stats socket /var/lib/haproxy/stats
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 40s
    timeout connect 10s
    timeout client 30s
    timeout server 30s
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 30000
listen stats
    mode http
    bind *:1080
    stats enable
    stats hide-version
    stats uri /haproxyadmin?stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin
    stats admin if TRUE
frontend http-in
    bind *:80
    mode http
    log global
    option httpclose
    option logasap
    option dontlognull
    capture request header Host len 20
    capture request header Referer len 60
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .jpeg .gif .png .css .js .html
    acl host_static hdr_beg(host) -i img. video. download. ftp.
    acl url_php path_end -i .php
    use_backend static_servers if url_static or host_static
    use_backend dynamic_servers if url_php
    # default_backend takes no condition; it is the fallback when no use_backend rule matches
    default_backend dynamic_servers
backend static_servers
    balance roundrobin
    server imgsrv1 192.168.10.112:80 check port 80 inter 2s rise 1 fall 2 maxconn 6000
backend dynamic_servers
    cookie web1 insert nocache
    balance roundrobin
    server web1 192.168.10.113:80 check port 80 inter 2s rise 1 fall 2 cookie web1
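To see how the ACL rules above resolve for a concrete request, here is a small Python model of Haproxy's matching, added for this edit and not code from Haproxy or from the original post: values on one acl line and lines sharing a name are ORed, the terms of a condition are ANDed, "or"/"||" and "!" combine them, and use_backend rules are tried in order before default_backend. The rule set mirrors the frontend above and goes beyond it by evaluating any condition in that syntax; the Request type and the sample requests are constructed stand-ins, and only the criteria used here are modelled.

```python
import ipaddress
from collections import namedtuple

Request = namedtuple("Request", "src path headers")  # constructed stand-in for the fields Haproxy samples

def _hdr(req, name):  # header names match case-insensitively, as with hdr(<name>)
    return next((v for k, v in req.headers.items() if k.lower() == name.lower()), "")

def _norm(s, ignore_case):
    return s.lower() if ignore_case else s

# criterion -> function(request, header argument, one pattern value, ignore_case) -> bool
CRITERIA = {
    "src": lambda r, a, v, i: ipaddress.ip_address(r.src) in ipaddress.ip_network(v, strict=False),
    "path_beg": lambda r, a, v, i: _norm(r.path, i).startswith(_norm(v, i)),
    "path_end": lambda r, a, v, i: _norm(r.path, i).endswith(_norm(v, i)),
    "hdr_beg": lambda r, a, v, i: _norm(_hdr(r, a), i).startswith(_norm(v, i)),
}

def parse_acls(lines):
    """Build {name: [(criterion, arg, ignore_case, values)]}; lines sharing a name are ORed."""
    acls = {}
    for line in lines:
        _, name, crit, *rest = line.split()
        crit, arg = crit[:-1].split("(") if crit.endswith(")") else (crit, None)
        values = [t for t in rest if t not in ("-i", "--")]
        acls.setdefault(name, []).append((crit, arg, "-i" in rest, values))
    return acls

def acl_matches(acls, name, req):  # true if any value on any line of the acl matches
    return any(CRITERIA[c](req, a, v, i) for c, a, i, vals in acls[name] for v in vals)

def condition_holds(acls, cond, req):
    """Space-separated terms are ANDed, 'or'/'||' separates OR groups, '!' negates a term."""
    return any(all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in grp.split())
               for grp in cond.replace("||", " or ").split(" or "))

# Constructed rule set mirroring the frontend in the post
RULES = parse_acls([
    "acl url_static path_beg -i /static /images /javascript /stylesheets",
    "acl url_static path_end -i .jpg .jpeg .gif .png .css .js .html",
    "acl host_static hdr_beg(host) -i img. video. download. ftp.",
    "acl url_php path_end -i .php",
    "acl goodguys src 192.168.0.0/16",
])
USE_BACKEND = [("static_servers", "url_static or host_static"), ("dynamic_servers", "url_php")]

def choose_backend(req):
    """First matching use_backend rule wins; otherwise the default_backend."""
    return next((b for b, c in USE_BACKEND if condition_holds(RULES, c, req)), "dynamic_servers")
```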
Sample configuration for load balancing a MySQL service (only the configuration file is shown):
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    # turn on the stats unix socket
    stats socket /var/lib/haproxy/stats
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 40s
    timeout connect 10s
    timeout client 30s
    timeout server 30s
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 30000
listen stats
    mode http
    bind *:1080
    stats enable
    stats hide-version
    stats uri /haproxyadmin?stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin
    stats admin if TRUE
frontend mysql
    bind *:3306
    mode tcp
    log global
    default_backend mysqlservers
backend mysqlservers
    # the backend must also be in tcp mode; a tcp frontend cannot use a backend that inherits mode http from defaults
    mode tcp
    balance leastconn
    server dbserver1 192.168.10.112:3306 check port 3306 inter 2s rise 1 fall 2 maxconn 300
    server dbserver2 192.168.10.113:3306 check port 3306 inter 2s rise 1 fall 2
This article is from "Luo Chen's blog"; please keep this source when reproducing it: http://luochen2015.blog.51cto.com/9772274/1701153
Haproxy realization of static and dynamic separation mechanism