Project Practice 4: HAProxy load balancing and ACL control
HAProxy implements advanced load balancing
Background: as the company's business grew, its load balancing service reached layer-4 balancing, but the business became more complex. The company now wants the mobile site served as a separate service from the PC site, which calls for layer-7, rule-based load balancing. The O&M director asks for a single service that can do layer-7 as well as layer-4 load balancing, with high performance, easy configuration management, and open source.
For the general project flowchart, see http://www.cnblogs.com/along21/p/7435612.html
For details about HAProxy and the meaning of each configuration section, see http://www.cnblogs.com/along21/p/7899771.html
Prerequisites:
① Install the haproxy and keepalived services with yum on both servers:
    yum -y install haproxy
    yum -y install keepalived
② Clear the firewall policy and disable SELinux: iptables -F && setenforce 0 (setenforce 0 lasts only until reboot; set SELINUX=disabled or permissive in /etc/selinux/config to make it persistent).
Practice 1: HA architecture based on HAProxy + Keepalived load balancing
1. Environment preparation:

Machine name | IP configuration | Service role | Remarks
--- | --- | --- | ---
Haproxy-server-master | VIP: 172.17.100.100, DIP: 172.17.1.6 | Load balancer master | Configure keepalived
Haproxy-server-backup | VIP: 172.17.100.100, DIP: 172.17.11.11 | Load balancer backup | Configure keepalived
Rs01 | RIP: 172.17.1.7 | Backend server |
Rs02 | RIP: 172.17.22.22 | Backend server |
2. Configure the keepalived master and backup nodes.
(1) On Haproxy-server-master:
    vim /etc/keepalived/keepalived.conf

    ! Configuration File for keepalived

    global_defs {
        notification_email {
            root@localhost
        }
        notification_email_from root@along.com
        smtp_server 127.0.0.1
        smtp_connect_timeout 30
        router_id success
    }

    vrrp_script chk_haproxy {          # define a check script: if the haproxy process is gone, lower this node's priority
        script "killall -0 haproxy"    # exit 0 while a haproxy process exists, non-zero otherwise
        interval 2
        fall 2
        rise 2
        weight -4
    }

    vrrp_instance VI_1 {
        state MASTER
        interface eth0
        virtual_router_id 191
        priority 100
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass along
        }
        virtual_ipaddress {
            172.17.100.100
        }
        track_script {                 # run the check script
            chk_haproxy
        }
    }

    service keepalived start    # enable the keepalived service
After the service starts, ip addr show eth0 on the master lists the VIP 172.17.100.100. Check the arithmetic of the script weight: when the check fails, the master's priority drops from 100 to 96, which is below the backup's 98, so the VIP moves; a weight that does not take the master below the backup would leave the VIP on a node whose haproxy has died.
(2) On Haproxy-server-backup: only the state changes to BACKUP and the priority is lowered.
    vim /etc/keepalived/keepalived.conf

    ! Configuration File for keepalived

    global_defs {
        notification_email {
            root@localhost
        }
        notification_email_from root@along.com
        smtp_server 127.0.0.1
        smtp_connect_timeout 30
        router_id keepalived_haproxy
    }

    vrrp_instance VI_1 {
        state BACKUP
        interface eth0
        virtual_router_id 191
        priority 98
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass along
        }
        virtual_ipaddress {
            172.17.100.100
        }
    }

    service keepalived start    # enable the keepalived service
Note that the backup as shown has no vrrp_script/track_script, so a haproxy failure on the backup while it holds the VIP is not detected; adding the same chk_haproxy block on the backup is the usual fix.
3. Configure haproxy. The file has two parts, and the second part has four sections. Both haproxy nodes get the same configuration.
    vim /etc/haproxy/haproxy.cfg
(1) First part: the global section
    global
        log         127.0.0.1 local2
        chroot      /var/lib/haproxy
        pidfile     /var/run/haproxy.pid
        maxconn     40000
        user        haproxy
        group       haproxy
        daemon
        stats socket /var/lib/haproxy/stats
(2) Second part: the proxies settings
① defaults section, default parameters:
    defaults
        mode                    http
        log                     global
        option                  httplog
        option                  dontlognull
        option http-server-close
        option forwardfor       except 127.0.0.0/8
        option                  redispatch
        retries                 3
        timeout http-request    10s
        timeout queue           1m
        timeout connect         10s
        timeout client          1m
        timeout server          1m
        timeout http-keep-alive 10s
        timeout check           10s
        maxconn                 3000
② listen section, the status page:
    listen stats
        bind 0.0.0.0:1080
        stats enable
        stats hide-version
        stats uri /haproxyadmin
        stats auth along:along
        stats admin if TRUE
    This binds on every address, including the VIP, and "stats admin if TRUE" lets anyone who knows the along:along password disable or drain servers. Outside a lab, bind the stats listener to the management address only, use a strong password, or restrict it with an ACL on src.
③ frontend section, the listening port that accepts client connections:
    frontend web
        bind :80
        default_backend lnmp-server
④ backend section, the real servers (rs02's address is 172.17.22.22 from the environment table):
    backend lnmp-server
        balance roundrobin
        option httpchk GET /index.html
        server lnmpserver1 172.17.1.7:80   check inter 3000 rise 3 fall 5
        server lnmpserver2 172.17.22.22:80 check inter 3000 rise 3 fall 5
Enable the service: service haproxy start (run haproxy -c -f /etc/haproxy/haproxy.cfg first to catch syntax errors).
4. Start the prepared web service on the backend servers:
    systemctl start nginx
    systemctl start php-fpm
    systemctl start mariadb
5. Test
(1) Open http://172.17.100.100:1080/haproxyadmin in a browser to reach the status page, from which the backend servers can be controlled.
(2) Two machines, neither of which is a single point of failure, can each be taken down:
When one backend server goes down, haproxy schedules requests to the other server and service continues.
When the master haproxy node goes down, keepalived moves the VIP to the backup node and service continues.
Practice 2: Static/dynamic separation based on ACL control
Principle: an ACL (access control list) makes forwarding decisions from the request headers, the response content, or other environment state, which greatly increases configuration flexibility. Its configuration usually has two steps: first define the ACL, that is, a test condition; then perform a specific action when the condition is met, such as blocking the request or forwarding it to a particular backend.
1. Environment preparation:

Machine name | IP configuration | Service role | Remarks
--- | --- | --- | ---
Haproxy-server | 172.17.2.7 | Load balancer | Configure HAProxy ACL control
Rs01 | RIP: 192.168.30.107 | Static server | Xiaomi webpage
Rs02 | RIP: 192.168.30.7 | Dynamic server | Xiaomi webpage
2. Define the ACL and the backend servers on haproxy
    vim /etc/haproxy/haproxy.cfg    # the global and defaults sections stay as before
① listen section, the status page:
    listen stats
        bind 0.0.0.0:1080
        stats enable
        stats hide-version
        stats uri /login
        stats auth along:along
        stats admin if TRUE
② define the ACLs in the frontend section:
    frontend web
        bind :80
        acl staticfile path_end .jpg .png .bmp .htm .html .css .js
        acl appfile    path_end .php
        use_backend staticsrvs if staticfile
        use_backend appsrvs    if appfile
③ define the backend server groups:
    backend staticsrvs
        balance roundrobin
        server staticweb 192.168.30.107:80 check inter 3000 rise 3 fall 3

    backend appsrvs
        balance roundrobin
        server appweb 192.168.30.7:80 check inter 3000 rise 3 fall 3
Two things to check here: path_end is case-sensitive, so a request for /logo.JPG matches neither ACL (use path_end -i to match case-insensitively), and there is no default_backend, so any request matching neither ACL (for example "/" or "/index.php?x=1" is fine, but "/api" is not) gets a 503 from haproxy rather than reaching a server.
3. Start the backend web service:
    systemctl start nginx
    systemctl start php-fpm
    systemctl start mariadb
4. Test results
(1) With both backend servers up, the web page loads normally.
(2) With the static server stopped, the page's .php content still loads but its images, CSS and JS do not: the static requests were being sent to the static server only, which shows that the static/dynamic separation works.
Practice 3: Permission control and session persistence based on ACLs
1. Environment preparation:

Machine name | IP configuration | Service role | Remarks
--- | --- | --- | ---
Haproxy-server | 172.17.2.7 | Load balancer | Configure HAProxy ACL control
Rs01 | RIP: 192.168.30.107 | Backend server | Xiaomi webpage
Rs02 | RIP: 192.168.30.7 | Backend server | Xiaomi webpage
2. Define the ACL and the backend servers on haproxy
    vim /etc/haproxy/haproxy.cfg    # the global and defaults sections stay as before
① listen section, the status page:
    listen stats
        bind 0.0.0.0:1080
        stats enable
        stats hide-version
        stats uri /haproxyadmin
        stats auth along:along
        stats admin if TRUE
② define the ACL in the frontend section to control which clients may connect:
    frontend web
        bind :80
        acl allow_src src 172.17.0.0/16
        block unless allow_src
        default_backend staticsrvs
③ define the backend group and set a cookie for session persistence:
    backend staticsrvs
        balance roundrobin
        cookie SRV insert nocache
        server appweb1 192.168.30.107:80 check inter 3000 rise 3 fall 3 cookie srv1
        server appweb2 192.168.30.7:80   check inter 3000 rise 3 fall 3 cookie srv2
Two caveats: "block" is deprecated since HAProxy 1.6, and the equivalent current form is "http-request deny unless allow_src"; and "src" is the address of the TCP peer, so if another proxy or a load balancer sits in front of this haproxy every request appears to come from that device and the whole-CIDR check no longer identifies the real client.
3. Start the backend web service:
    systemctl start nginx
    systemctl start php-fpm
    systemctl start mariadb
4. Test results
(1) Permission control
① Access from machines in 172.17.0.0/16 works normally.
② Access from machines outside that CIDR block is rejected.
(2) Session persistence
① Create a test page on each backend server so the two can be told apart:
    vim ../test.html    # contents: "servers 1" on rs01, "servers 2" on rs02
② Test: curl's -b option sends a cookie, so requests carrying SRV=srv1 must always reach appweb1 and SRV=srv2 must always reach appweb2:
    curl -b SRV=srv1 172.17.2.7/test.html
    curl -b SRV=srv2 172.17.2.7/test.html
A first request without a cookie is balanced round-robin and the response carries "Set-Cookie: SRV=srv1" (or srv2); a browser sends that cookie back and stays on the same server.
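The two curl lines above pick the server by hand. As an added example (not from the original post), the script below checks persistence the way a client experiences it: it reads the SRV cookie out of the first response, then replays it and fails if the answering server ever changes. The frontend address 172.17.2.7 and the /test.html page come from this practice; the response headers used for the offline check are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify "cookie SRV insert"
# persistence from the client side.

# Read raw HTTP response headers on stdin and print the value of the SRV
# cookie (e.g. "srv1"), or nothing if HAProxy did not insert one.
srv_cookie_from_headers() {
    # header names are case-insensitive; the value ends at ';' or end of line
    tr -d '\r' | sed -n 's/^[Ss]et-[Cc]ookie:[[:space:]]*SRV=\([^;]*\).*/\1/p' | head -n 1
}

# check_persistence [URL] [N]: learn the cookie from the first response, then
# send N requests with it and fail if the body (which names the server) changes.
# Assumes the page's frontend at 172.17.2.7 and its per-server /test.html.
check_persistence() {
    url=${1:-http://172.17.2.7/test.html}
    n=${2:-5}
    srv=$(curl -s -D - -o /dev/null "$url" | srv_cookie_from_headers)
    [ -n "$srv" ] || { echo "no SRV cookie in first response"; return 1; }
    first=$(curl -s -b "SRV=$srv" "$url")
    i=0
    while [ "$i" -lt "$n" ]; do
        body=$(curl -s -b "SRV=$srv" "$url")
        [ "$body" = "$first" ] || { echo "request $i was answered by a different server than $srv"; return 1; }
        i=$((i + 1))
    done
    echo "$n requests with SRV=$srv were all answered by the same server"
}

# Constructed response headers, as a client sees them after the first hit
# (CRLF line endings as on the wire; "Cache-control: private" is what the
# nocache keyword adds when it inserts the cookie).
SAMPLE_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\nSet-Cookie: SRV=srv1; path=/\r\nCache-control: private\r\n\r\n')

printf '%s\n' "$SAMPLE_HEADERS" | srv_cookie_from_headers    # prints srv1
```

Note that the cookie value names the backend server, so a client can choose its server by forging SRV=srv2 exactly as the curl test does; that is by design for persistence, but it means the cookie must not be relied on for anything security-related.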
Practice 4: SSL encryption on haproxy
1. Generate a self-signed certificate
    cd /etc/pki/tls/certs
    make /etc/haproxy.pem
    ls /etc/haproxy.pem    # the Makefile writes the certificate and the private key into this one file
2. Configure haproxy
    frontend web
        bind :80
        bind :443 ssl crt /etc/haproxy.pem    # listen on 443 with SSL
        redirect scheme https if !{ ssl_fc }  # 302 redirect: anything not received over SSL is sent to the https URL
Because the file holds the private key, keep it owned by root with mode 600; haproxy reads it as root before dropping to the haproxy user.
3. Browse to https://172.17.11.11/ (the browser warns about the self-signed certificate); a plain http:// request to port 80 is answered with a 302 to the https URL.
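The "make" target above relies on the CentOS certs Makefile. As an added example (not from the original post), the script below builds the same kind of bundle with openssl directly, keeps the key private, and checks that the certificate and key in the file actually belong together before haproxy is reloaded; a mismatched pair is the usual cause of "unable to load SSL private key" at startup. The output path and subject name are assumptions; the demo writes to a temporary file rather than /etc/haproxy.pem.

```shell
#!/bin/sh
# Added example, not from the original post: create and validate the PEM
# bundle that "bind :443 ssl crt FILE" expects (certificate + private key).

# make_haproxy_pem OUT CN [DAYS]: self-signed RSA-2048 certificate and key in OUT,
# created under umask 077 so the key is never world-readable, even briefly.
make_haproxy_pem() {
    out=$1; cn=$2; days=${3:-365}
    tmpdir=$(mktemp -d) || return 1
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=$cn" \
            -keyout "$tmpdir/key.pem" -out "$tmpdir/cert.pem" 2>/dev/null &&
        cat "$tmpdir/cert.pem" "$tmpdir/key.pem" > "$out" &&
        chmod 600 "$out"
    )
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# check_haproxy_pem FILE: returns 0 when FILE holds a certificate and a private
# key whose RSA modulus matches the certificate's. Prints the certificate subject.
check_haproxy_pem() {
    pem=$1
    openssl x509 -in "$pem" -noout -subject || return 1
    cert_mod=$(openssl x509 -in "$pem" -noout -modulus) || return 1
    key_mod=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ]
}

# Demo on a temporary file. On the real host use /etc/haproxy.pem, then run
# "haproxy -c -f /etc/haproxy/haproxy.cfg" before reloading the service.
DEMO_PEM=$(mktemp)
make_haproxy_pem "$DEMO_PEM" "haproxy.example" && check_haproxy_pem "$DEMO_PEM"
```

A certificate made this way is self-signed, so browsers and curl will still warn; for a production front door replace the openssl req step with a certificate from the company's CA or a public CA and keep only the concatenation and permission handling.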