HAProxy Proxy Configuration: Transport Layer



HAProxy Introduction:

1, HAProxy is high-availability, load-balancing and proxy software for TCP (layer 4) and HTTP (layer 7) applications. It supports virtual hosting and is a free, fast and reliable solution. HAProxy is especially useful for heavily loaded web sites, which often require session persistence or layer-7 processing. HAProxy runs on today's hardware and can support tens of thousands of concurrent connections. Its operating mode makes it easy and safe to integrate into your current architecture, while keeping your web servers from being exposed directly to the network.

2, HAProxy implements an event-driven, single-process model that supports a very large number of concurrent connections. Multi-process or multithreaded models are rarely capable of handling thousands of concurrent connections because of memory limits, system scheduler limits and ubiquitous lock contention. The event-driven model does not have these problems because it implements all of these tasks in user space, with better resource and time management. The disadvantage of this model is that such programs often scale poorly on multicore systems. That is why they have to be optimized so that each CPU cycle does more work.

3, HAProxy supports connection rejection: because the overhead of maintaining a connection is very low, it is sometimes necessary to limit attack bots, that is, to restrict the number of connections they can open in order to limit their harm. This was developed for a site under a small DDoS attack and has since saved many sites; other load balancers do not have this advantage.

4, HAProxy supports fully transparent proxying (a typical feature of hardware firewalls): it can connect to the back-end server using the client IP address or any other address. This feature can only be used when the Linux 2.4/2.6 kernel has the cttproxy patch applied. It also makes it possible for a particular server to handle part of the traffic without modifying the server's address.


HAProxy Performance

HAProxy uses several common operating system techniques to maximize performance.

1, the single-process, event-driven model significantly reduces the overhead of context switching and memory consumption;

2, the O(1) event checker allows instant detection of any event on any connection, even with a high number of concurrent connections;

3, wherever possible, the single-buffering mechanism completes read and write operations without copying any data, which saves a lot of CPU clock cycles and memory bandwidth;

4, with the help of the splice() system call on Linux 2.6 (>= 2.6.27.19), HAProxy can implement zero-copy forwarding, and zero-copy starting (zero-starting) can be implemented on Linux 3.5 and above;

5, the memory allocator allocates memory immediately from fixed-size memory pools, which significantly reduces the time needed to create a session;

6, tree storage: heavy use of the elastic binary tree developed by the author years ago, which maintains timers, the run queue, and the round-robin and least-connection queues at a low O(log(N)) cost;

7, optimized HTTP header analysis: the optimized header analysis avoids re-reading any memory area during HTTP header parsing;

8, expensive system calls are carefully reduced: most of the work is done in user space, such as time reading, buffer aggregation, and enabling and disabling file descriptor events;

All of these fine-grained optimizations result in fairly low CPU load under medium load. Even in very high load scenarios, 5% user-space usage and 95% system-space usage is very common, which means that the HAProxy process consumes 20 times less than the system space does. Tuning the OS for performance is therefore very important. Even if user-space usage rises to 10%, the effect on overall CPU usage is small, which also explains why layer-7 processing has a limited performance impact. As a result, HAProxy's layer-7 performance on high-end systems can easily exceed that of hardware load-balancing devices.

In production environments, it is also common to see HAProxy used as an emergency solution when an expensive high-end hardware load-balancing device fails at layer-7 processing. Hardware load-balancing devices process requests at the packet level, which makes it difficult for them to support requests that span multiple packets, and they do not buffer any data and therefore have longer response times. By contrast, software load balancers use TCP buffering, which lets them handle extremely long requests and large response times.


HAProxy Features:
1, it supports two proxy modes, TCP (layer 4) and HTTP (layer 7), and supports virtual hosts;
2, it can make up for some of Nginx's shortcomings, such as session persistence and cookie-based routing;
3, it supports URL-based checks of back-end servers, which is very helpful for detecting back-end problems;
4, more load-balancing strategies have been implemented, such as dynamic weighted round robin, weighted source address hash, weighted URL hash and weighted parameter hash;
5, purely in terms of efficiency, HAProxy load-balances faster than Nginx;
6, HAProxy can load balance MySQL, performing health checks and load balancing on the back-end DB nodes;
9, supported load-balancing algorithms: round-robin, weight-round-robin (weighted round robin), source (source address), RI (request URL), rdp-cookie (based on cookie);
10, it cannot act as a web server or a cache.



This article is mainly about HAProxy at layer 4, the transport layer. The network topology at the blogger's previous company was roughly as follows:


[Image: Haproxy.png]


1, the office area cannot access production, but can access the test machines;

2, the production 68 segment can reach the external network, but the 38 segment cannot;

3, the test servers in the office area can access production.


Below, the blogger roughly simulates how HAProxy works at layer 4, the transport layer (ignoring the layer-7 application layer).

Three CentOS machines are used, system version CentOS 7 x64, as follows:

1, 192.168.88.3 (test machine in the office area)

2, two IPs: 192.168.38.4 and 192.168.88.121 (HAProxy proxy)

3, 192.168.38.5 (production machine)



Testing shows that the 88 and 38 segments cannot ping each other, but the proxy server can ping, and be pinged from, both the 38 and 88 segments.


[Image: ip.png]



First, install HAProxy on 192.168.38.4:


# yum install haproxy -y


Second, on 192.168.38.5, install and start the Apache service and create a recognizable test page:


# yum install httpd -y


[email protected] html]# pwd

/var/www/html

[email protected] html]# cat index.html

Localhost:remote Web


# systemctl start httpd


Test through the browser:


[Image: Renote.png]


Next, configure the proxy:


# vim /etc/haproxy/haproxy.cfg

listen test                          # proxy name
    bind :80                         # port the proxy listens on
    server s1 192.168.38.5:80        # IP + port of the proxied service



# systemctl restart haproxy



[Image: 38.png]

Hosts on the 88 segment only need to access the proxy server, which is equivalent to accessing the web server on the 38 segment. In other words, the office area only needs to access the proxy on the test segment to reach the production web service, which has no external network access. A proxy like this works only at the transport layer.
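
The proxy above, written out with explicit layer-4 mode, a source restriction to the office segment, and the connection rejection described in the introduction. This is an added example, not the original author's configuration; the /24 mask for the 88 segment and the connection thresholds are assumptions.

```haproxy
# Added example, not the original author's configuration.
# Assumption: the office "88 segment" is 192.168.88.0/24 (the page gives no netmask).

global
    log /dev/log local0
    maxconn 2000

defaults
    mode tcp                    # layer 4: bytes are relayed, HTTP is never parsed
    log global
    option tcplog               # log source, destination, duration and byte counts
    timeout connect 5s
    timeout client  30s
    timeout server  30s

listen test
    # Listen only on the proxy's office-side address, not on every interface
    bind 192.168.88.121:80

    # Track concurrent connections and connection rate per client address
    stick-table type ip size 100k expire 10m store conn_cur,conn_rate(10s)
    tcp-request connection track-sc0 src

    # Only the office segment may use this path into production
    tcp-request connection reject unless { src 192.168.88.0/24 }

    # Connection rejection: cut off clients that open too many connections
    # (thresholds are illustrative assumptions and need tuning per site)
    tcp-request connection reject if { sc0_conn_cur gt 20 }
    tcp-request connection reject if { sc0_conn_rate gt 50 }

    # Proxied production web server, with a TCP health check
    server s1 192.168.38.5:80 check
```

The file can be validated with `haproxy -c -f /etc/haproxy/haproxy.cfg` before restarting the service.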





















This article is from the "LINUX Super Dream" blog; please keep this source attribution: http://215687833.blog.51cto.com/6724358/1771122
