HAProxy的高级配置选项-ACL篇之匹配访问路径案例-阿里云开发者社区

HAProxy的高级配置选项-ACL篇之匹配访问路径案例

2024-09-02 99

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

简介： 这篇文章介绍了HAProxy的高级配置选项，特别是如何使用ACL（访问控制列表）匹配访问路径以实现不同请求路径的流量分发到不同后端服务器的案例，通过实战配置展示了如何基于URL路径将请求定向到处理静态或动态内容的服务器。

作者：尹正杰
版权声明：原创作品，谢绝转载！否则将追究法律责任。

一.试验环境概述

1>.操作平台介绍

[root@node101.yinzhengjie.org.cn ~]# uname -r
3.10.0-957.el7.x86_64
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# uname -m
x86_64
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# free -h
              total        used        free      shared  buff/cache   available
Mem:           7.6G        126M        7.4G        8.6M        129M        7.3G
Swap:          7.9G          0B        7.9G
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

172.30.1.101 node101.yinzhengjie.org.cn node101.yinzhengjie.com
172.30.1.102 node102.yinzhengjie.org.cn
172.30.1.103 node103.yinzhengjie.org.cn
172.30.1.104 node104.yinzhengjie.org.cn
172.30.1.105 node105.yinzhengjie.org.cn
172.30.1.106 node106.yinzhengjie.org.cn
172.30.1.107 node107.yinzhengjie.org.cn
172.30.1.108 node108.yinzhengjie.org.cn
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]#

2>.试验架构说明

　　node102.yinzhengjie.org.cn:
　　　　haproxy服务器

　　node103.yinzhengjie.org.cn:
　　　　Apache httpd模拟静态数据，如存放的图片，html,css,javascript等。  
　　node104.yinzhengjie.org.cn:
　　　　"Nginx + php环境"模拟动态数据,php程序等。

二.部署Nginx服务器处理动态页面

1>.安装epel源

[root@node104.yinzhengjie.org.cn ~]# yum -y install epel-release

2>.安装nginx和php

[root@node104.yinzhengjie.org.cn ~]# yum -y install nginx php-fpm

3>.修改nginx的配置文件，添加一个匹配php文件的localtion

[root@node104.yinzhengjie.org.cn ~]# vim /etc/nginx/nginx.conf
[root@node104.yinzhengjie.org.cn ~]# 
[root@node104.yinzhengjie.org.cn ~]# egrep -v "^ *#|^$" /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
        include /etc/nginx/default.d/*.conf;
        location / {
        }
        location ~ \.php$ {
            root           html;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
        error_page 404 /404.html;
            location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}
[root@node104.yinzhengjie.org.cn ~]# 
[root@node104.yinzhengjie.org.cn ~]# nginx -t　　　　　　　　　　　　　　#检查nginx的配置文件是否正确
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node104.yinzhengjie.org.cn ~]#

4>.启动nginx和php服务

[root@node104.yinzhengjie.org.cn ~]# ss -ntl
State       Recv-Q Send-Q     Local Address:Port                    Peer Address:Port              
LISTEN      0      128                    *:22                                 *:*                  
LISTEN      0      128                   :::22                                :::*                  
[root@node104.yinzhengjie.org.cn ~]# 
[root@node104.yinzhengjie.org.cn ~]# systemctl start nginx php-fpm
[root@node104.yinzhengjie.org.cn ~]# 
[root@node104.yinzhengjie.org.cn ~]# ss -ntl
State       Recv-Q Send-Q     Local Address:Port                    Peer Address:Port              
LISTEN      0      128            127.0.0.1:9000                               *:*                  
LISTEN      0      128                    *:80                                 *:*                  
LISTEN      0      128                    *:22                                 *:*                  
LISTEN      0      128                   :::80                                :::*                  
LISTEN      0      128                   :::22                                :::*                  
[root@node104.yinzhengjie.org.cn ~]# 
[root@node104.yinzhengjie.org.cn ~]#

5>.创建php的测试页面,并通过浏览器访问"http://node104.yinzhengjie.org.cn/index.php"

[root@node104.yinzhengjie.org.cn ~]# vim /usr/share/nginx/html/index.php
[root@node104.yinzhengjie.org.cn ~]# 
[root@node104.yinzhengjie.org.cn ~]# cat /usr/share/nginx/html/index.php
<?php
    phpinfo();
?>
[root@node104.yinzhengjie.org.cn ~]# 
[root@node104.yinzhengjie.org.cn ~]#

三.部署Apache httpd服务器处理静态页面

1>.安装apache httpd服务器

[root@node103.yinzhengjie.org.cn ~]# yum -y install httpd

2>.创建测试数据

[root@node103.yinzhengjie.org.cn ~]# rz　　　　　　　　　　　　　　　　　　　　#随便上传一张测试图片即可

[root@node103.yinzhengjie.org.cn ~]# 
[root@node103.yinzhengjie.org.cn ~]# ll
total 120
-rw-r--r-- 1 root root 122026 Dec 16 19:58 02.迪丽热巴.jfif
[root@node103.yinzhengjie.org.cn ~]# 
[root@node103.yinzhengjie.org.cn ~]# file 02.迪丽热巴.jfif 
02.迪丽热巴.jfif: JPEG image data, JFIF standard 1.01
[root@node103.yinzhengjie.org.cn ~]# 
[root@node103.yinzhengjie.org.cn ~]# mkdir -pv  /var/www/html/images
mkdir: created directory ‘/var/www/html/images’
[root@node103.yinzhengjie.org.cn ~]# 
[root@node103.yinzhengjie.org.cn ~]# mv 02.迪丽热巴.jfif /var/www/html/images/01.jpeg
[root@node103.yinzhengjie.org.cn ~]# 
[root@node103.yinzhengjie.org.cn ~]# ll -R /var/www/html/
/var/www/html/:
total 0
drwxr-xr-x 2 root root 21 Jan  5 20:15 images

/var/www/html/images:
total 120
-rw-r--r-- 1 root root 122026 Dec 16 19:58 01.jpeg
[root@node103.yinzhengjie.org.cn ~]#

3>.启动httpd服务并使用浏览器访问上一步创建的图片(http://node103.yinzhengjie.org.cn/images/01.jpeg)

[root@node103.yinzhengjie.org.cn ~]# ss -ntl
State       Recv-Q Send-Q     Local Address:Port                    Peer Address:Port              
LISTEN      0      128                    *:22                                 *:*                  
LISTEN      0      128                   :::22                                :::*                  
[root@node103.yinzhengjie.org.cn ~]# 
[root@node103.yinzhengjie.org.cn ~]# systemctl start httpd
[root@node103.yinzhengjie.org.cn ~]# 
[root@node103.yinzhengjie.org.cn ~]# ss -ntl
State       Recv-Q Send-Q     Local Address:Port                    Peer Address:Port              
LISTEN      0      128                    *:80                                 *:*                  
LISTEN      0      128                    *:22                                 *:*                  
LISTEN      0      128                   :::22                                :::*                  
[root@node103.yinzhengjie.org.cn ~]# 
[root@node103.yinzhengjie.org.cn ~]#

四.配置haproxy基于访问路径匹配案例

1>.编辑haproxy的配置文件

[root@node102.yinzhengjie.org.cn ~]# cat /etc/haproxy/haproxy.cfg
global
    maxconn 100000
    chroot /yinzhengjie/softwares/haproxy
    stats socket /yinzhengjie/softwares/haproxy/haproxy.sock mode 600 level admin
    user haproxy
    group haproxy
    daemon
    nbproc 2
    cpu-map 1 0
    cpu-map 2 1
    nbthread 2
    pidfile /yinzhengjie/softwares/haproxy/haproxy.pid
    log 127.0.0.1 local5 info

defaults
    option http-keep-alive
    option  forwardfor
    option redispatch
    option abortonclose
    maxconn 100000
    mode http
    timeout connect 300000ms
    timeout client  300000ms
    timeout server  300000ms
    errorloc 503 http://node107.yinzhengjie.org.cn/monitor/503.html
listen status_page
    bind 172.30.1.102:8888
    stats enable
    stats uri /haproxy-status
    stats auth    admin:yinzhengjie
    stats realm "Welcome to the haproxy load balancer status page of YinZhengjie"
    stats hide-version
    stats admin if TRUE
    stats refresh 5s

frontend WEB_PORT_80
    bind 172.30.1.102:80
    mode http
    #定义ACL匹配所有以".php"结尾的文件的php程序
    acl php_server path_end -i .php
    #将php的请求交给nginx服务器去处理.
    use_backend nginx_php if php_server
    #定义ACL匹配所有访问路径
    acl static_path path_beg -i /static /images /javascript
    #将图片的请求交给httpd服务器去处理.
    use_backend apache_httpd if static_path
    default_backend backup_web

backend nginx_php
    server web04 172.30.1.104:80  check inter 3000 fall 3 rise 5

backend apache_httpd
    server web03 172.30.1.103:80  check inter 3000 fall 3 rise 5

backend backup_web
    server web03 172.30.1.108:80  check inter 3000 fall 3 rise 5 
[root@node102.yinzhengjie.org.cn ~]# 
[root@node102.yinzhengjie.org.cn ~]# systemctl restart haproxy　　　　　　　　　　　　　　#别忘记重启haproxy使得配置文件生效哟~
[root@node102.yinzhengjie.org.cn ~]# 
[root@node102.yinzhengjie.org.cn ~]#

2>.查看haproxy的监听端口和进程信息

[root@node102.yinzhengjie.org.cn ~]# ss -ntl
State       Recv-Q Send-Q                           Local Address:Port                                          Peer Address:Port              
LISTEN      0      128                               172.30.1.102:80                                                       *:*                  
LISTEN      0      128                                          *:22                                                       *:*                  
LISTEN      0      128                               172.30.1.102:8888                                                     *:*                  
LISTEN      0      128                                         :::22                                                      :::*                  
[root@node102.yinzhengjie.org.cn ~]# 
[root@node102.yinzhengjie.org.cn ~]# ps -ef | grep haproxy | grep -v grep
root     20587     1  0 20:09 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid
haproxy  20589 20587  0 20:09 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid
haproxy  20590 20587  0 20:09 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid
[root@node102.yinzhengjie.org.cn ~]# 
[root@node102.yinzhengjie.org.cn ~]#

3>.查看haproxy的状态页(http://node102.yinzhengjie.org.cn:8888/haproxy-status)