Use of haproxy

Source: Internet
Author: User
Tags: epoll, haproxy

I. haproxy experiment environment topology:


II. haproxy configuration:

global settings: the global configuration section

It mainly defines the behavior of the haproxy process itself;

proxies: the proxy configuration sections

backend: a group of backend servers

frontend: defines the client-facing listening address and port, and the associated backend server group;

listen: a combined form that defines a frontend and its related backend together;

defaults: defines the default settings;

III. Configuration parameters in global

* Process management and security-related parameters

- chroot <jail dir>: changes haproxy's working directory to the specified directory and performs chroot() there before dropping privileges. This raises the security level of haproxy, but make sure the specified directory is empty and not writable by any user;

- daemon: makes haproxy run in the background as a daemon. It is equivalent to the "-D" command-line option, and can be disabled with the "-db" command-line option;

- gid <number>: runs haproxy with the specified GID. Use a GID dedicated to haproxy to avoid risks caused by permission issues;

- group <group name>: same as gid, but takes a group name;

- log <address> <facility> [max level [min level]]: defines a global syslog server. Up to two syslog servers can be defined;

- log-send-hostname [<string>]: adds the host name to the syslog header, either the name given by "string" or, by default, the current host name;

- nbproc <number>: specifies the number of haproxy processes to start. It can only be used in daemon mode. By default only one process is started. Because of debugging difficulties and other reasons, multi-process mode is generally used only when a single process can open only a few file descriptors;

- pidfile:

- uid: runs the haproxy process as the specified UID;

- ulimit-n: specifies the maximum number of file descriptors each process can open. By default this value is calculated automatically, so setting this option is not recommended;

- user: same as uid, but takes a user name;

- stats:

- node: defines the name of the current node. It is used when multiple haproxy processes share the same IP address in an HA scenario;

- description: a description of the current instance;


* Performance tuning parameters

- maxconn <number>: sets the maximum number of concurrent connections each haproxy process accepts; it is equivalent to the "-n" command-line option. The automatically calculated "ulimit-n" value is derived from this parameter;

- maxpipes <number>: haproxy uses pipes for kernel-based TCP splicing. This option sets the maximum number of pipes each process may use. Each pipe opens two file descriptors, so this value is taken into account when "ulimit-n" is calculated. The default is maxconn/4, which is usually too large;

- noepoll: disables the epoll mechanism on Linux;

- nokqueue: disables the kqueue mechanism on BSD systems;

- nopoll: disables the poll mechanism;

- nosepoll: disables the speculative epoll mechanism on Linux;

- nosplice: disables kernel TCP splicing between sockets on Linux, which leads to more recv/send system calls. However, the TCP splicing feature is buggy in Linux kernels 2.6.25 through 2.6.28;

- spread-checks <0..50, in percent>: adds a random increase or decrease to the health-check interval;

- tune.bufsize <number>: sets the buffer size. With the same amount of memory, a smaller value lets haproxy accept more concurrent connections, while a larger value lets some applications use larger cookies. The default is 16384 and can be changed at compile time. However, keeping the default is strongly recommended;

- tune.chksize <number>: sets the size of the check buffer, in bytes. A larger value helps string or pattern searches on large pages, but uses more system resources. Changing it is not recommended;

- tune.maxaccept <number>: sets the number of connections the haproxy process may accept in one go each time it is scheduled by the kernel. A larger value can increase throughput. The default is 100 in single-process mode and 8 in multi-process mode; setting it to -1 disables the limit. Changing it is not recommended;

- tune.maxpollevents <number>: sets the maximum number of events handled per system call. The default depends on the OS. A value below 200 saves bandwidth at the cost of slightly higher network latency; a value above 200 reduces latency at the cost of slightly higher bandwidth usage;

- tune.maxrewrite <number>: sets the buffer space reserved for header rewriting or appending. A size of around 1024 is recommended. When more space is required, haproxy increases the value automatically;

- tune.rcvbuf.client <number>:

- tune.rcvbuf.server <number>: sets the kernel socket receive buffer size on the client or server side, in bytes. Keeping the default is strongly recommended;

- tune.sndbuf.client:

- tune.sndbuf.server:


* Debug-related parameters

- debug

- quiet

IV. Proxy configuration details:

Proxy-related configuration can appear in the following configuration sections.

- defaults <name>

- frontend <name>

- backend <name>

- listen <name>

The "defaults" section provides default parameters for all other configuration sections. These defaults can be reset by the next "defaults" section.

The "frontend" section defines a set of listening sockets that accept client requests and establish connections with clients.

The "backend" section defines a set of backend servers. The proxy forwards the corresponding client requests to these servers.

The "listen" section defines a complete proxy by associating a frontend with a backend, which is usually only useful for TCP traffic.

Proxy names may contain only uppercase letters, lowercase letters, digits, hyphens (-), underscores (_), periods (.), and colons (:). In addition, ACL names are case sensitive.

V. Simple implementation of haproxy:

    # vim /etc/haproxy.cfg

    defaults
        mode                    http
        log                     global
        option                  httplog
        option                  dontlognull
        option http-server-close
        option forwardfor       except 127.0.0.0/8
        option                  redispatch
        retries                 3
        timeout http-request    10s
        timeout queue           1m
        timeout connect         10s
        timeout client          1m
        timeout server          1m
        timeout http-keep-alive 10s
        timeout check           10s
        maxconn                 3000

    frontend main *:80
        default_backend webservers

    backend webservers
        balance roundrobin              # scheduling algorithm
        server S1 192.168.1.11:80       # host
        server S2 192.168.1.22:80

After running "service haproxy restart", access 172.16.249.220/index.html in a browser; the requests are scheduled to web1 and web2 in turn.


Note: in real deployments the content on the two web servers should be the same. Here the two pages are intentionally different, to make it visible that haproxy schedules the two servers in turn.


VI. Scheduling algorithms:

roundrobin: WRR, dynamic

static-rr: WRR, static

leastconn: WLC, dynamic; used for long-lived (persistent) connections

source: recommended for TCP-based scheduling where cookie insertion is not supported. Whether it is dynamic or static is determined by the hash-type parameter. Its equivalents in other software are:

IPVS: sh

nginx: ip_hash

uri: schedules on the left part of the URI in the request message (the part before the query string) or on the whole URI. It is often used when the backend servers are cache servers;

Whether it is dynamic or static is determined by the hash-type parameter

url_param: used in scenarios where the backend servers need to authenticate users;

Whether it is dynamic or static is determined by the hash-type parameter

hdr(<name>): whether it is dynamic or static is determined by the hash-type parameter

Schedules on the value of the specified HTTP header in the client request message

hdr(host): generally used to send requests for the same virtual host to the same backend server;


use_domain_only: uses only the domain name when calculating the hash value. For example:

web.guzenghui.com and www.guzenghui.com belong to the same virtual host because they are in the same domain. In this case use_domain_only makes the hash calculation use only the domain name.

The source scheduling algorithm is used to bind sessions, but the binding is based on the source address. Because IP addresses are scarce, most clients sit behind NAT, so with source-address binding everyone behind the same address is sent to the same server, which is obviously unreasonable. In such scenarios another method, such as cookie-based binding, should be used.

VII. Cookie-based binding:

    # vim /etc/haproxy.cfg

    backend webservers
        balance roundrobin
        cookie webserver insert nocache         # define the cookie name as webserver
        server S1 192.168.1.11:80 cookie S1     # cookie value used for this server
        server S2 192.168.1.22:80 cookie S2

    # service haproxy reload

Once the cookie is defined, the client stays bound to the server it reached first, no matter how often the page is refreshed. The cookie information can be seen in the browser.


haproxy working modes: the protocol layer at which scheduling takes place

http: used only for scheduling HTTP servers

It analyzes application-layer data in depth, so layer-7 filtering, processing, and conversion are supported.

tcp: scheduling for non-HTTP servers, including HTTPS

This is the default mode. It does not inspect the application-layer protocol, so scheduling algorithms that need to inspect it, such as the hdr family, cannot be used.

It establishes a full-duplex connection between the client and the backend server.

VIII. server or default-server parameters:

backup: marks the server as a backup server. It is used only when the other servers in the load-balancing group are unavailable;

check: enables health checks for this server. Further parameters allow more precise settings, such as:

inter <delay>: sets the health-check interval in milliseconds. The default is 2000. fastinter and downinter can also be used to adjust the delay based on the server state;

rise <count>: the number of successful health checks an offline server needs before it is considered normal again;

fall <count>: the number of checks the server must fail before it switches from normal to unavailable;

cookie <value>: sets the cookie value for this server. The value is checked on incoming requests, and the server first selected for this value is selected again for subsequent requests; its purpose is to implement session persistence;

maxconn <maxconn>: specifies the maximum number of concurrent connections this server accepts. Connections beyond this value are placed in the request queue until other connections are released;

maxqueue <maxqueue>: sets the maximum length of the request queue;

observe <mode>: judges whether the server is healthy by observing its traffic. It is disabled by default. The supported modes are "layer4" and "layer7"; "layer7" can only be used in HTTP proxy scenarios;

redir <prefix>: enables redirection: GET and HEAD requests sent to this server are answered with a 302 status code. Note that the prefix must not end with a /, and relative addresses must not be used, to avoid loops. For example:

    server srv1 172.16.100.6:80 redir http://imageserver.magedu.com check

weight <weight>: the server weight. The default value is 1. The maximum value is. 0 means the server does not take part in load balancing;

Backup server implementation:

Modify the haproxy configuration file as follows:

    backend webservers
        balance roundrobin
        # cookie webserver insert nocache
        server S1 192.168.1.11:80 check port 80
        server S2 192.168.1.22:80 check port 80
        # haproxy is already listening on port 80, so the local web service
        # must listen on another port; start it and have it serve a page
        # with the content "this is weihu Zhong"
        server B1 127.0.0.1:8080 backup

Now stop the web service on web1 and web2, and the backup server takes over.


Note that the backup server is used only when both servers are down.

IX. Setting up the status page

Modify the haproxy configuration file:

    backend webservers
        balance roundrobin
        # cookie webserver insert nocache
        server S1 192.168.1.11:80 check port 80
        server S2 192.168.1.22:80 check port 80
        server B1 127.0.0.1:8080 backup
        stats enable                    # add this line

Now we can access the status page as follows:

Below are some parameters used with stats enable:

    stats enable
    stats hide-version                  # hide the haproxy version
    stats scope .
    stats uri /haproxyadmin?stats
    stats realm Haproxy\ Statistics
    stats auth statsadmin:password
    stats auth statsmaster:password

To use the management functions this page provides, the stats admin parameter must be added, and it must be followed by a conditional expression. The syntax is as follows:

    stats admin {if | unless} <cond>

This enables the management-level functions of the statistics report page when the specified condition is met. It lets you enable or disable servers through the web interface. However, for security reasons, the statistics report page should be kept read-only as far as possible. In addition, if haproxy runs in multi-process mode, enabling the management level may cause abnormal behavior.

Currently, a POST request is limited to the buffer size minus the reserved space, so the server list cannot be too long; otherwise the request will not work properly. We therefore recommend adjusting only a few servers at a time. Two examples follow. The first enables the management-level functions only when the report page is opened from the local machine; the second allows only authenticated users to use the management-level functions.

    backend stats_localhost
        stats enable
        stats admin if LOCALHOST

    backend stats_auth
        stats enable
        stats auth  haproxyadmin:password
        stats admin if TRUE
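A small configuration checker for the process-management parameters in section III and the stats settings described in this section, given as an added example; it is not code from the original article or from the haproxy project. The finding texts, the "haproxy" user name and the sample configuration are constructed for illustration, and the comment handling is simplified (an escaped '#' is not supported).

```python
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")

def parse_sections(text):
    """Split haproxy config text into [(header, [directive word lists])]."""
    sections = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # simplification: no escaped '#'
        if words and words[0] in SECTIONS:
            sections.append((" ".join(words[:2]), []))
        elif words and sections:
            sections[-1][1].append(words)
    return sections

def audit(text):
    """Return findings for the process and stats settings discussed above."""
    findings = []
    for header, directives in parse_sections(text):
        names = {d[0] for d in directives}
        if header == "global":
            if "chroot" not in names:
                findings.append("global: no chroot")
            if not names & {"user", "uid"}:
                findings.append("global: no dedicated user/uid")
            continue
        stats = [d[1:] for d in directives if d[0] == "stats" and len(d) > 1]
        kinds = {s[0] for s in stats}
        if not kinds:
            continue
        if "auth" not in kinds:
            findings.append(f"{header}: stats page without 'stats auth'")
        if "hide-version" not in kinds:
            findings.append(f"{header}: stats page shows the haproxy version")
        # 'stats admin if TRUE' is only acceptable behind 'stats auth'
        if ["admin", "if", "TRUE"] in stats and "auth" not in kinds:
            findings.append(f"{header}: admin functions open to everyone")
    return findings

# Constructed sample: the article's backends plus a global section without chroot.
SAMPLE = """
global
    user haproxy
backend webservers
    stats enable
backend stats_auth
    stats enable
    stats hide-version
    stats auth haproxyadmin:password
    stats admin if TRUE
"""
print("\n".join(audit(SAMPLE)))
```

The stats_auth backend passes because the admin functions sit behind "stats auth"; the bare "stats enable" in webservers is reported twice, once for the missing authentication and once for the exposed version.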


This completes the basic usage of haproxy.

This article is from the "Linux O&M" blog; please be sure to keep this source: http://germanygu.blog.51cto.com/3574209/1555366
