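Author: Yin Zhengjie
Copyright notice: this is an original work and may not be reproduced. Violations will be pursued legally.
I. Install Apache Httpd and prepare test data
1>. Lab architecture
node102.yinzhengjie.org.cn:
HAProxy server
node105.yinzhengjie.org.cn:
Test server, simulating a client
node106.yinzhengjie.org.cn:
Apache httpd server
node107.yinzhengjie.org.cn:
Apache httpd server
node108.yinzhengjie.org.cn:
Apache httpd server
2>. Install the Apache httpd service
This step is relatively simple, so I skip it here; see my earlier notes: https://www.cnblogs.com/yinzhengjie/p/12114195.html
II. Hands-on case: access control based on source address
1>. Write the haproxy configuration file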
[root@node102.yinzhengjie.org.cn ~]# cat /etc/haproxy/haproxy.cfg
global
    maxconn 100000
    chroot /yinzhengjie/softwares/haproxy
    stats socket /yinzhengjie/softwares/haproxy/haproxy.sock mode 600 level admin
    user haproxy
    group haproxy
    daemon
    nbproc 2
    cpu-map 1 0
    cpu-map 2 1
    nbthread 2
    pidfile /yinzhengjie/softwares/haproxy/haproxy.pid
    log 127.0.0.1 local5 info

defaults
    option http-keep-alive
    option forwardfor
    option redispatch
    option abortonclose
    maxconn 100000
    mode http
    timeout connect 300000ms
    timeout client 300000ms
    timeout server 300000ms
    errorloc 503 http://node107.yinzhengjie.org.cn/monitor/503.html

listen status_page
    bind 172.30.1.102:8888
    stats enable
    stats uri /haproxy-status
    stats auth admin:yinzhengjie
    stats realm "Welcome to the haproxy load balancer status page of YinZhengjie"
    stats hide-version
    stats admin if TRUE
    stats refresh 5s

frontend WEB_PORT_80
    bind 172.30.1.102:80
    mode http
    acl hacker_deny src 172.30.1.254
    http-request deny if hacker_deny
    http-request allow
    default_backend backup_web

backend web_server
    server web01 172.30.1.104:80 check inter 3000 fall 3 rise 5 backup
    server web02 172.30.1.106:80 check inter 3000 fall 3 rise 5
    server web03 172.30.1.107:80 check inter 3000 fall 3 rise 5

backend backup_web
    server web01 172.30.1.108:80 check inter 3000 fall 3 rise 5
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl restart haproxy
[root@node102.yinzhengjie.org.cn ~]#
2>. Check haproxy's listening ports and process information
[root@node102.yinzhengjie.org.cn ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 172.30.1.102:80 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 172.30.1.102:8888 *:*
LISTEN 0 128 :::22 :::*
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# ps -ef | grep haproxy | grep -v grep
root 20704 1 0 20:25 ? 00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid
haproxy 20708 20704 0 20:25 ? 00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid
haproxy 20709 20704 0 20:25 ? 00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid
[root@node102.yinzhengjie.org.cn ~]#
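[root@node102.yinzhengjie.org.cn ~]#
3>. View the haproxy status page (http://node102.yinzhengjie.org.cn:8888/haproxy-status)
III. Verify the haproxy configuration
1>. A client with the IP address "172.30.1.254" accesses the haproxy address "http://node102.yinzhengjie.org.cn", as shown in the figure below
2>. The node "node105.yinzhengjie.org.cn" accesses the haproxy address "http://node102.yinzhengjie.org.cn", as shown in the figure below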
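The block in frontend WEB_PORT_80 works because http-request rules are evaluated top to bottom and the first matching allow or deny ends evaluation. The Python sketch below is an added example, not part of the original post and not HAProxy code; it models only `acl ... src` and `http-request allow|deny [if|unless]`, and the address 172.30.1.105 for node105 is an assumption.

```python
import ipaddress

# Frontend rules copied from the haproxy.cfg shown above.
FRONTEND = """
acl hacker_deny src 172.30.1.254
http-request deny if hacker_deny
http-request allow
default_backend backup_web
"""

def parse(cfg):
    """Return (acls, rules, default_backend) from frontend lines."""
    acls, rules, backend = {}, [], None
    for line in cfg.splitlines():
        tok = line.split("#")[0].split()
        if not tok:
            continue
        if tok[0] == "acl" and tok[2] == "src":
            # Repeated acl names and multiple values are OR-ed together.
            nets = [ipaddress.ip_network(v, strict=False) for v in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif tok[:1] == ["http-request"] and tok[1] in ("allow", "deny"):
            cond = tok[2:]          # [] or ["if"|"unless", acl, ...]
            rules.append((tok[1], cond[:1], cond[1:]))
        elif tok[0] == "default_backend":
            backend = tok[1]
    return acls, rules, backend

def decide(cfg, client_ip):
    """Simplified model: the first matching allow/deny rule wins."""
    acls, rules, backend = parse(cfg)
    ip = ipaddress.ip_address(client_ip)

    def term(name):                 # "!" negates; listed terms are AND-ed
        neg, name = name.startswith("!"), name.lstrip("!")
        hit = any(ip in net for net in acls[name])
        return hit != neg

    for action, kw, terms in rules:
        matched = all(term(t) for t in terms)
        if kw == ["unless"]:
            matched = not matched
        if matched:
            return "403 deny" if action == "deny" else f"allow -> {backend}"
    return f"allow -> {backend}"    # no rule matched: request passes

if __name__ == "__main__":
    for ip in ("172.30.1.254", "172.30.1.105"):  # .105 is assumed for node105
        print(ip, decide(FRONTEND, ip))
```

With the configuration as shown, allowed requests are routed to backup_web (172.30.1.108), because default_backend names that backend rather than web_server.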