haproxy acl 规则
1 按请求的主机头(名)负载
cat haproxy.cfg
- global
- log 127.0.0.1 local1
- maxconn 65000 #最大连接数
- chroot /usr/local/haproxy #安装目录
- uid 99 #用户haproxy
- gid 99 #组haproxy
- daemon #守护进程运行
- nbproc 1 #进程数量
- pidfile /usr/local/haproxy/logs/haproxy.pid #haproxy pid
- defaults
- log global
- mode http #7层 http;4层tcp
- option httplog #http 日志格式
- option httpclose #主动关闭http通道
- option redispatch #serverId对应的服务器挂掉后,强制定向到其他健康的服务器
- option forwardfor
- option dontlognull
- maxconn 50000 #最大连接数
- contimeout 5000 #连接超时(毫秒)
- clitimeout 50000 #客户端超时(毫秒)
- srvtimeout 50000 #服务器超时(毫秒)
- #errorfile 502 /usr/local/haproxy/html/maintain.html
- #errorfile 503 /usr/local/haproxy/html/maintain.html
- #errorfile 504 /usr/local/haproxy/html/maintain.html
- frontend test.com #定义前端服务器(haproxy)
- bind *:80 #监听地址
- acl web-client path_beg -i /vsphere-client
- acl bbs hdr_reg(host) -i ^(bbs.test.com|shequ.test.com|forum)
- acl monitor hdr_beg(host) -i monitor.test.com #定义ACL名称,对应的请求的主机头是monitor.test.com
- acl www hdr_beg(host) -i www.test.com
- use_backend cache.test.com if static
- use_backend monitor.test.com if bbs or monitor
- use_backend www.test.com if www
- use_backend vsphere-client if web-client
- default_backend www.test.com #指定默认的后端服务器
- backend monitor.test.com #定义后端服务器群(web server/apache/nginx/iis..)
- mode http
- option forwardfor #后端服务器(apache/nginx/iis/*),从Http Header中获得客户端IP
- balance leastconn #负载均衡的方式,最小连接
- cookie SERVERID #插入serverid到cookie中,serverid后面可以定义
- option httpchk HEAD /check.html #用来做健康检查html文档
- #option httpchk HEAD /index.php HTTP/1.1\r\nHost:monitor.test.com #HTTP && Host
- server server1 10.0.100.70:80 cookie server1 check inter 2000 rise 3 fall 3 weight 3
- #服务器定义:
- #cookie server1表示serverid为server1;
- #check inter 2000 是检测心跳频率(check 默认 );
- #rise 3 表示 3次正确认为服务器可用;
- #fall 3 表示 3次失败认为服务器不可用;
- #weight 表示权重。
- backend www.test.com
- mode http
- option forwardfor
- balance roundrobin #负载均衡的方式,轮询方式
- cookie SERVERID
- option httpchk HEAD /check.html
- server server1 10.0.100.71:80 cookie server1 check inter 2000 rise 3 fall 3 weight 3
- backend vsphere-client
- mode http
- option forwardfor header ORIG_CLIENT_IP
- balance roundrobin
- server server1 10.0.100.81:80 redir https://192.168.57.81:443 check inter 2000 rise 3 fall 3 weight 3
- backend cache.test.com
- option forwardfor
- #balance uri len 15 #url hash
- balance roundrobin
- server server1 10.0.100.73:80 check inter 2000 rise 3 fall 3 weight 3
- server server2 10.0.100.75:80 check inter 2000 rise 3 fall 3 weight 3
- listen admin_stat #status
- bind 0.0.0.0:8080 #监听端口
- mode http #http的7层模式
- stats refresh 30s #统计页面自动刷新时间
- stats uri /haproxy_stats_url #统计页面URL
- stats realm Haproxy\ Statistics #统计页面密码框上提示文本
- stats auth admin:admin #统计页面用户名和密码设置
- stats hide-version #隐藏统计页面上HAProxy的版本信息
- stats admin if TRUE #手工启用/禁用,后端服务器
2 其它acl 规则
- ###########acl 开始了############
- acl bbs hdr_reg(host) -i ^(bbs.test.com|forum.test.com) #使用正则匹配
- acl bbs_path path_beg -i /bbs #url 目录
- acl youxi path_beg -i /youxi
- acl static path_end -i .html .css .js #url 结尾文件
- acl php path_end -i .php
- acl jsp path_end -i .jsp .do
- use_backend bbs_pool if bbs or bbs_path #注意 "or"
- use_backend youxi_pool if youxi
- use_backend static_pool if static
- use_backend php_pool if php
- use_backend jsp_pool if jsp
- default_backend www.test.com
- ###########acl 结束了############
#acl 参数
acl(关键字) 定义acl(名称) 方法
-i (忽略大小写) [匹配的路径或文件]
hdr_beg(host)
hdr_reg(host)
path_beg
path_end
3 use_backend 参数
- or 用于匹配多个acl 名称
- default_backend 没有满足条件的时候使用默认的后端服务器
参考1
参考2
http://xok.la/2010/07/haproxy.html (404 了囧)
http://jk409.blog.51cto.com/406667/764782 (感谢google)
#
20120610
haproxy 重定向url (301)
- acl web-client path_beg -i /vsphere-client
- use_backend vsphere-client if web-client
- backend vsphere-client
- mode http
- option forwardfor header ORIG_CLIENT_IP
- balance roundrobin
- option httpchk HEAD /check.html
- server server1 10.0.100.81:80 redir https://192.168.57.81:443 check inter 2000 rise 3 fall 3 weight 3
测试192.168.57.82 为 haproxy ,192.168.57.81 为 https server
- curl -ILv http://192.168.57.82/vsphere-client
- * About to connect() to 192.168.57.82 port 80 (#0)
- * Trying 192.168.57.82... connected
- * Connected to 192.168.57.82 (192.168.57.82) port 80 (#0)
- > HEAD /vsphere-client HTTP/1.1
- > User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
- > Host: 192.168.57.82
- > Accept: */*
- >
- < HTTP/1.1 302 Found
- HTTP/1.1 302 Found
- < Cache-Control: no-cache
- Cache-Control: no-cache
- < Content-length: 0
- Content-length: 0
- < Location: https://192.168.57.81:443/vsphere-client
- Location: https://192.168.57.81:443/vsphere-client
- < Connection: close
- Connection: close
- <
- * Closing connection #0
- * Issue another request to this URL: 'https://192.168.57.81:443/vsphere-client'
- * About to connect() to 192.168.57.81 port 443 (#0)
- * Trying 192.168.57.81... connected
- * Connected to 192.168.57.81 (192.168.57.81) port 443 (#0)
- * successfully set certificate verify locations:
- * CAfile: none
- CApath: /etc/ssl/certs
- * SSLv3, TLS handshake, Client hello (1):
- * SSLv3, TLS handshake, Server hello (2):
- * SSLv3, TLS handshake, CERT (11):
- * SSLv3, TLS alert, Server hello (2):
- * SSL certificate problem, verify that the CA cert is OK. Details:
- error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
- * Closing connection #0
结束
更多欢迎到此讨论:
37275208
本文转自 dongnan 51CTO博客,原文链接:http://blog.51cto.com/dngood/886547
