Load Balancing with Haproxy

Source: Internet
Author: User

I. Concepts
HAProxy is free, open source software written in C [1] that provides high availability, load balancing, and proxying for TCP- and HTTP-based applications.
HAProxy is particularly suited to heavily loaded web sites that need session persistence or layer 7 processing. It runs on current hardware and can support tens of thousands of concurrent connections. Its mode of operation makes it easy and safe to integrate into an existing architecture, while keeping your web servers from being exposed directly to the network.
HAProxy implements an event-driven, single-process model that supports a very large number of concurrent connections. Multi-process or multi-threaded models can rarely handle thousands of concurrent connections because of memory limits, system scheduler limits, and ubiquitous locking. The event-driven model does not have these problems because it implements all of these tasks in user space, where resource and time management is better. The drawback of this model is that such programs usually scale poorly on multi-core systems. That is why they must be optimized so that each CPU cycle does more work.
II. Technical characteristics
HAProxy is much simpler to use than LVS and is also feature-rich. It currently supports two main proxy modes: "tcp", i.e. layer 4 (mostly used for mail servers, internal protocol communication servers, and so on), and layer 7 (HTTP). In layer 4 mode, HAProxy only forwards bidirectional traffic between the client and the server. In layer 7 mode, HAProxy analyzes the protocol and can control it by allowing, rejecting, switching, adding, modifying, or deleting content in requests or responses, based on specific rules.
HAProxy Performance
HAProxy relies on several common OS-level techniques to maximize performance.
1, A single-process, event-driven model significantly reduces the cost of context switching and memory consumption.
2, An O(1) event checker allows any event on any connection to be detected instantly, even with a high number of concurrent connections.
3, Single buffering, wherever possible, completes reads and writes without copying any data, which saves a lot of CPU cycles and memory bandwidth;
4, With the splice() system call on Linux 2.6 (>= 2.6.27.19), HAProxy can do zero-copy forwarding, and on Linux 3.5 and later it can also do zero-copy starting (zero-starting);
5, A memory allocator provides immediate allocation from fixed-size memory pools, which significantly reduces the time needed to create a session;
6, Tree storage: heavy use of the elastic binary tree developed by the author many years ago, which keeps timers ordered, keeps the run queue ordered, and manages the round-robin and least-connection queues, all at a low O(log(N)) cost;
7, Optimized HTTP header analysis: header parsing avoids re-reading any memory area while an HTTP header is being processed;
8, Expensive system calls are carefully reduced; most of the work is done in user space, such as reading the time, aggregating buffers, and enabling and disabling file descriptors;
All of these fine-grained optimizations result in a fairly low CPU load under moderate load. Even under very high load, figures such as 5% user space and 95% system are common, which means that the HAProxy process consumes about 20 times less CPU than the system side. This is why tuning the OS is so important for performance. Even if the user-space share rises to 10%, the effect on overall CPU usage is small, which explains why layer 7 processing has only a limited impact on performance. As a result, HAProxy's layer 7 performance on high-end systems can easily exceed that of hardware load balancers.
In production, HAProxy has also been deployed as an emergency replacement when expensive, high-end hardware load balancers failed at layer 7 processing. Hardware load balancers process requests at the packet level, which makes requests that span multiple packets hard to support, and because they buffer no data they cope poorly with long response times. Software load balancers, by contrast, use TCP buffering and can handle very long requests and long response times.
HAProxy Advantages
1, HAProxy can be used as a load balancer for MySQL, mail, or other non-web services; we often use it for MySQL (read) load balancing;
2, It has a powerful page for monitoring server status;
3, HAProxy supports virtual hosts;
4, HAProxy can saturate 10 Gbps (see "New benchmark of HAProxy at 10 Gbps using Myricom's 10GbE NICs (Myri-10G PCI-Express)"), which is impressive for software-level load balancing;

III. Configuration file
The HAProxy configuration consists of two parts, the global settings and the proxy settings, divided into five sections: global, defaults, frontend, backend, listen.
The "global" section sets global configuration parameters.
The proxy-related sections are "defaults", "listen", "frontend" and "backend".
* Process management and security-related parameters
– chroot: Changes HAProxy's working directory to the specified directory and performs a chroot() there before dropping privileges, which raises HAProxy's security level; make sure the specified directory is empty and that no user has write permission on it;
– daemon: Runs HAProxy in the background as a daemon; equivalent to the "-D" command-line option, and can be disabled on the command line with the "-db" option;
– gid: Runs HAProxy with the specified GID; a GID dedicated to running HAProxy is recommended, to avoid risks from permission problems;
– group: Same as gid, but takes a group name;
– log [max level [min level]]: Defines a global syslog server; at most two can be defined;
– log-send-hostname []: Adds the current host name to the header of syslog messages; it can be the name given as "string", or the current host name by default;
– nbproc: Specifies the number of HAProxy processes to start; can only be used when HAProxy runs in daemon mode. By default only one process is started; because of debugging difficulty and other reasons, multi-process mode is generally used only where a single process can open only a small number of file descriptors;
– pidfile: Specifies the pidfile path;
– uid: Runs the HAProxy process as the specified UID;
– ulimit-n: Sets the maximum number of file descriptors each process can open; by default it is computed automatically, so changing this option is not recommended. On Linux a single process can open 1024 files by default;
– user: Same as uid, but takes a user name;
– stats: The interface through which users access statistics;
– node: Defines the name of the current node, used in HA scenarios where several HAProxy processes share the same IP address;
– description: A description of the current instance;
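
One way to check the privilege-related keywords above in practice (an added example, not code from the original page or from the HAProxy project): the sketch below parses the global section of a configuration and reports a missing uid/user, gid/group or chroot, and a chroot directory that is not empty or still has write permission bits. The function names and the two sample configurations are constructed for illustration.

```python
import os
import stat
import tempfile

SECTIONS = ("global", "defaults", "frontend", "backend", "listen")

def parse_global(cfg_text):
    """Return {keyword: [args]} for the lines of the 'global' section."""
    settings, in_global = {}, False
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            in_global = words[0] == "global"
        elif in_global:
            settings[words[0]] = words[1:]
    return settings

def audit_global(cfg_text):
    """List findings for the privilege-related keywords described above."""
    g, findings = parse_global(cfg_text), []
    if not g.keys() & {"uid", "user"}:
        findings.append("no uid/user: process keeps the identity it was started with")
    if not g.keys() & {"gid", "group"}:
        findings.append("no gid/group: no dedicated group is set")
    if not g.get("chroot"):
        return findings + ["no chroot directory set"]
    path = g["chroot"][0]
    if not os.path.isdir(path):
        return findings + [f"chroot {path}: not a directory"]
    if os.listdir(path):
        findings.append(f"chroot {path}: directory is not empty")
    if os.stat(path).st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"chroot {path}: write permission bits are set")
    return findings

def demo():
    """Audit two constructed configs: a weak one and a hardened one."""
    with tempfile.TemporaryDirectory() as jail:
        os.chmod(jail, 0o555)                  # empty, no write bits for anyone
        weak = "global\n    daemon\n    maxconn 4000\n"
        hardened = (f"global\n    chroot {jail}\n    user haproxy\n"
                    "    group haproxy\n    daemon\n"
                    "defaults\n    mode http\n")
        return audit_global(weak), audit_global(hardened)
```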

* Parameters related to performance tuning
– maxconn: Sets the maximum number of concurrent connections each HAProxy process accepts; equivalent to the "-n" command-line option. The automatically computed "ulimit-n" value is derived from this parameter;
– maxpipes: HAProxy uses pipes for kernel-based TCP splicing; this sets the maximum number of pipes allowed per process. Each pipe opens two file descriptors, so the automatic "ulimit-n" calculation takes this value into account as needed. The default is maxconn/4, which is usually too large;
– noepoll: Disables the epoll mechanism on Linux systems;
– nokqueue: Disables the kqueue mechanism on BSD systems;
– nopoll: Disables the poll mechanism;
– nosepoll: Disables the speculative epoll mechanism on Linux;
– nosplice: Disables kernel TCP splicing on Linux sockets, which leads to more recv/send system calls; note, however, that TCP splicing has bugs in the Linux 2.6.25-28 series kernels;
– spread-checks <0..50, in percent>: When HAProxy has many back-end servers, running health checks on all of them at exactly the same interval can cause unexpected problems; this option adds or subtracts a random amount of time from the check interval;
– tune.bufsize: Sets the buffer size. With the same amount of memory, a smaller value lets HAProxy accept more concurrent connections, while a larger value lets some applications use large cookies. The default is 16384 and can be changed at compile time, but using the default is strongly recommended;
– tune.chksize: Sets the size of the check buffer, in bytes; a larger value helps with string- or pattern-based text lookups in larger pages, but also consumes more system resources;
– tune.maxaccept: Sets the number of connections an HAProxy process can accept each time the kernel schedules it; a larger value gives higher throughput. The default is 100 in single-process mode and 8 in multi-process mode; setting it to -1 disables the limit;
– tune.maxpollevents: Sets the maximum number of events handled in one system call; the default depends on the OS. A value below 200 saves bandwidth but slightly increases network latency, while a value above 200 reduces latency but slightly increases bandwidth consumption;
– tune.maxrewrite: Sets the buffer space reserved for header rewriting or appending; a size of about 1024 is recommended. When more space is needed, HAProxy increases the value automatically;
– tune.rcvbuf.client, tune.rcvbuf.server: Set the size of the kernel socket receive buffer on the client or server side, in bytes; using the default value is strongly recommended;

Proxy-related configuration sections:
The "defaults" section provides default parameters for all other configuration sections; these defaults can be reset by the next "defaults" section.
The "frontend" section defines a set of listening sockets that accept client requests and establish connections with clients.
The "backend" section defines a set of back-end servers to which the proxy forwards the corresponding client requests.
The "listen" section defines a complete proxy by combining a "frontend" and a "backend"; it is usually useful only for TCP traffic.
Proxy names may contain only uppercase letters, lowercase letters, digits, - (hyphen), _ (underscore), . (dot) and : (colon). In addition, ACL names are case-sensitive.

The balance keyword
Defines the load balancing algorithm; it can be used in "defaults", "listen", and "backend". It is used to pick a server in a load balancing scenario, and applies only when no persistence information is available or when a connection needs to be redispatched to another server.
The supported algorithms are:
roundrobin: Weighted round robin. This is the most balanced and fair algorithm when the servers' processing times are evenly distributed. The algorithm is dynamic, which means that weights can be adjusted at run time; by design, however, each back-end server can only accept up to 4,128 connections. Slow start is supported.
static-rr: Weighted round robin, similar to roundrobin, but static: adjusting server weights at run time has no effect. There is, however, no limit on the number of back-end server connections. Slow start is not supported, so under high load a server that comes back online is immediately assigned a large number of connections.
leastconn (WLC): New connection requests are dispatched to the back-end server with the fewest connections. This algorithm is recommended for scenarios with long sessions, such as LDAP and SQL, and is not well suited to application-layer protocols with short sessions such as HTTP. The algorithm is dynamic, and its weights can be adjusted at run time;
source: The source address of the request is hashed and the result is divided by the total weight of the back-end servers to select a matching server. This way, requests from the same client IP are always dispatched to the same server; but when the total server weight changes, for example when a server goes down or a new server is added, many clients may be dispatched to a different server than before. It is often used to load balance TCP-based protocols that have no cookies. It is static by default, but this can be changed using hash-type;
1, Source address hash; the first request is scheduled using WLC
source: IP layer; multiple requests coming from behind the same NAT server are all directed to the same upstream server, which is bad for load balancing. It is generally used only when cookie insertion is not supported and sessions need to be maintained.
cookie: Application layer, with a better load balancing effect;
2, hash/weight%ip: modulo by the weight
uri: The left part of the URI (the part before the question mark) or the whole URI is hashed and the result is divided by the total server weight to select a matching server. This way, requests for the same URI are always dispatched to the same server, unless the total server weight changes. This algorithm is often used for proxy caches or anti-virus proxies to increase the cache hit ratio. Note that it applies only to HTTP back ends. It is static by default, but this can be changed using hash-type;
url_param: The specified URL parameter is looked up in each HTTP GET request. If the parameter is found and is given a value after an equals sign "=", that value is hashed and divided by the total server weight to select a matching server. By tracking the user identifier in the request, this algorithm ensures that requests for the same user ID go to the same server, unless the total server weight changes. If the parameter is missing from a request or has no valid value, the request is dispatched using the round-robin algorithm. The algorithm is static by default, but this can be changed using hash-type;
hdr(): The specified HTTP header is looked up in each HTTP request; if the header is absent or has no valid value, the request is dispatched using the round-robin algorithm. With the optional "use_domain_only" setting, when a Host-like header is used, only the domain name part is hashed (for example, for www.feiyu.com only the string feiyu is hashed), which reduces the hashing work; this property can also be changed using hash-type;
rdp-cookie(name): Each TCP request is persisted and hashed according to the cookie (name).
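
The remapping effect described for the "source" algorithm can be measured directly. The following added example (not from the original page or from HAProxy's code) assigns constructed client IPs to four equal-weight servers by hash modulo total weight, removes one server, and counts how many clients change server. It goes beyond the text by comparing this with a consistent-hash ring, the approach selected by HAProxy's "hash-type consistent". SHA-256 stands in for HAProxy's own hash function, and all names are assumptions.

```python
import bisect
import hashlib

def h(key):
    """Stable 32-bit hash (SHA-256 stand-in, not HAProxy's own hash function)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big")

def modulo_pick(ip, weights):
    """Map-based choice: hash modulo total weight, then walk the weight slots."""
    slot = h(ip) % sum(weights.values())
    for name, weight in weights.items():
        if slot < weight:
            return name
        slot -= weight

def build_ring(weights, points=100):
    """Consistent-hash ring: each server owns points*weight positions."""
    return sorted((h(f"{name}#{i}"), name)
                  for name, w in weights.items() for i in range(points * w))

def ring_pick(ip, ring):
    """First ring position at or after the client's hash, wrapping around."""
    i = bisect.bisect_left(ring, (h(ip), ""))
    return ring[i % len(ring)][1]

def moved_fraction(clients, before, after):
    """Share of clients whose server differs between two assignments."""
    return sum(before[c] != after[c] for c in clients) / len(clients)

def compare(n_clients=2000):
    """Remove server s4 and measure how many clients change server."""
    clients = [f"10.0.{i // 256}.{i % 256}" for i in range(n_clients)]  # constructed
    full = {"s1": 1, "s2": 1, "s3": 1, "s4": 1}
    less = {k: v for k, v in full.items() if k != "s4"}
    mod_before = {c: modulo_pick(c, full) for c in clients}
    mod_after = {c: modulo_pick(c, less) for c in clients}
    ring_full, ring_less = build_ring(full), build_ring(less)
    ring_before = {c: ring_pick(c, ring_full) for c in clients}
    ring_after = {c: ring_pick(c, ring_less) for c in clients}
    return (moved_fraction(clients, mod_before, mod_after),
            moved_fraction(clients, ring_before, ring_after),
            ring_before, ring_after)
```

With the modulo mapping roughly three quarters of the clients land on a different server after s4 is removed; with the ring, only the clients that were on s4 move.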
