1 Basics
1.1 About the software
– HAProxy is a free, open-source, fast and reliable solution
– HAProxy provides high availability, load balancing and proxying for TCP- and HTTP-based applications
1.2 Features
– Load balancing
– High availability
– Proxy services
2 Best practice
2.1 Environment
OS = CentOS 7.3 x86_64
IP Address = 10.168.0.70
host name = haproxy.cmdschool.org
2.2 Preparation
2.2.1 Download the source package
cd ~
wget https://www.haproxy.org/download/2.1/src/haproxy-2.1.4.tar.gz
Before unpacking, compare the tarball's checksum with the value published on the download page: a build from an unverified tarball inherits whatever a compromised mirror or a tampered download put in it.
2.2.2 Unpack the source package
cd ~
tar -xf haproxy-2.1.4.tar.gz
2.2.3 Prepare the build environment
yum -y install gcc make
This is the minimum for the build shown below, which has no TLS support; a build with USE_OPENSSL=1 additionally needs openssl-devel.
2.2.4 Disable SELinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
Disabling SELinux is a shortcut rather than a requirement: the CentOS 7 targeted policy already contains a haproxy_t domain, so a binary installed as /usr/sbin/haproxy can normally run with SELinux enforcing once its file context has been restored. A safer habit is to leave SELinux on, use setenforce 0 only while testing, and resolve any denials recorded in /var/log/audit/audit.log before switching back to enforcing mode.
2.2.5 Open the required port
firewall-cmd --permanent --add-port 8080/tcp
firewall-cmd --reload
firewall-cmd --list-all
Port 8080 will serve a forward proxy, so it is worth restricting the rule to the client network (a firewalld rich rule with a source address) instead of opening the port to every source.
2.3 Build and install
2.3.1 Define the build options
cd ~/haproxy-2.1.4
vim Makefile
Set the following options to match your environment:
#### Installation options.
PREFIX = /usr
SBINDIR = $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
DOCDIR = $(PREFIX)/doc/haproxy
TARGET = linux3100
CPU = generic
ARCH = x86_64
Two remarks on these values. First, HAProxy expects build options on the make command line (make TARGET=... PREFIX=...) rather than edits to the Makefile, which are lost as soon as the source tree is updated. Second, "linux3100" is not a target name known to the 2.x Makefile: an unknown TARGET produces a bare build without epoll or TLS support (the help output in 2.3.5 lists no -de option, which a build with epoll support would show). On CentOS 7 the correct value is TARGET=linux-glibc; what a binary was actually built with can be checked with haproxy -vv.
The values for TARGET and ARCH can be derived from the output of the following command:
uname -a
It shows:
Linux localhost.localdomain 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
2.3.2 Build the package
cd ~/haproxy-2.1.4
make
2.3.3 Install the package
cd ~/haproxy-2.1.4
make install
The output is as follows:
‘haproxy’ -> ‘/usr/sbin/haproxy’
‘doc/haproxy.1’ -> ‘/usr/share/man/man1/haproxy.1’
install: creating directory ‘/usr/doc’
install: creating directory ‘/usr/doc/haproxy’
‘doc/configuration.txt’ -> ‘/usr/doc/haproxy/configuration.txt’
‘doc/management.txt’ -> ‘/usr/doc/haproxy/management.txt’
‘doc/seamless_reload.txt’ -> ‘/usr/doc/haproxy/seamless_reload.txt’
‘doc/architecture.txt’ -> ‘/usr/doc/haproxy/architecture.txt’
‘doc/peers-v2.0.txt’ -> ‘/usr/doc/haproxy/peers-v2.0.txt’
‘doc/regression-testing.txt’ -> ‘/usr/doc/haproxy/regression-testing.txt’
‘doc/cookie-options.txt’ -> ‘/usr/doc/haproxy/cookie-options.txt’
‘doc/lua.txt’ -> ‘/usr/doc/haproxy/lua.txt’
‘doc/WURFL-device-detection.txt’ -> ‘/usr/doc/haproxy/WURFL-device-detection.txt’
‘doc/proxy-protocol.txt’ -> ‘/usr/doc/haproxy/proxy-protocol.txt’
‘doc/linux-syn-cookies.txt’ -> ‘/usr/doc/haproxy/linux-syn-cookies.txt’
‘doc/SOCKS4.protocol.txt’ -> ‘/usr/doc/haproxy/SOCKS4.protocol.txt’
‘doc/network-namespaces.txt’ -> ‘/usr/doc/haproxy/network-namespaces.txt’
‘doc/DeviceAtlas-device-detection.txt’ -> ‘/usr/doc/haproxy/DeviceAtlas-device-detection.txt’
‘doc/51Degrees-device-detection.txt’ -> ‘/usr/doc/haproxy/51Degrees-device-detection.txt’
‘doc/netscaler-client-ip-insertion-protocol.txt’ -> ‘/usr/doc/haproxy/netscaler-client-ip-insertion-protocol.txt’
‘doc/peers.txt’ -> ‘/usr/doc/haproxy/peers.txt’
‘doc/close-options.txt’ -> ‘/usr/doc/haproxy/close-options.txt’
‘doc/SPOE.txt’ -> ‘/usr/doc/haproxy/SPOE.txt’
‘doc/intro.txt’ -> ‘/usr/doc/haproxy/intro.txt’
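The steps of 2.2.1 through 2.3.3 as one script, added here as an example; it is not code from the page or from the HAProxy project. It does two things the manual procedure skips: it checks the tarball against the .sha256 file that haproxy.org publishes beside each release (an assumption about the mirror layout, which is why the download lives in its own function), and it passes the build options on the make command line with TARGET=linux-glibc and TLS, regex and compression support enabled instead of editing the Makefile. USE_OPENSSL, USE_PCRE and USE_ZLIB need openssl-devel, pcre-devel and zlib-devel installed first. Run without arguments, the script only exercises the checksum function on a constructed stand-in file, so it can be tried offline; sh build-haproxy.sh build 2.1.4 performs the real download, verification, build and install.

```sh
#!/bin/sh
# Added example (not from the original page or the HAProxy project): download,
# verify and build HAProxy from source, passing build options to make instead
# of editing the Makefile. Assumptions: haproxy.org publishes <tarball>.sha256
# next to each tarball, and openssl-devel/pcre-devel/zlib-devel are installed.
set -eu

# verify_tarball <tarball> <sumfile>: compare the SHA-256 of <tarball> with the
# entry for its file name in <sumfile> (sha256sum format: "<hex>  <name>").
# Returns 0 on match, 1 on mismatch, 2 when the sum file has no entry.
verify_tarball() {
    tarball=$1
    sumfile=$2
    expected=$(awk -v f="$(basename "$tarball")" '$2 == f { print $1 }' "$sumfile")
    [ -n "$expected" ] || { echo "no entry for $tarball in $sumfile" >&2; return 2; }
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] && return 0
    echo "checksum mismatch for $tarball: got $actual, expected $expected" >&2
    return 1
}

# fetch_and_verify <version> <dir>: download the tarball and its checksum file
# into <dir> and verify them. The URL layout mirrors the one used on this page
# (https://www.haproxy.org/download/2.1/src/...).
fetch_and_verify() {
    version=$1
    dest=$2
    base="https://www.haproxy.org/download/${version%.*}/src"
    tarball="haproxy-$version.tar.gz"
    wget -q -P "$dest" "$base/$tarball" "$base/$tarball.sha256"
    verify_tarball "$dest/$tarball" "$dest/$tarball.sha256"
}

# build_haproxy <srcdir>: build and install with options passed to make.
# linux-glibc is the 2.x target for CentOS 7 (the page's "linux3100" is not a
# 2.x target name and yields a bare build without epoll or TLS support).
build_haproxy() {
    srcdir=$1
    opts="TARGET=linux-glibc USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1 \
          PREFIX=/usr SBINDIR=/usr/sbin MANDIR=/usr/share/man DOCDIR=/usr/share/doc/haproxy"
    # $opts is split into words on purpose.
    make -C "$srcdir" $opts
    make -C "$srcdir" $opts install
    # -vv lists the build options; confirm the TLS library was linked in.
    /usr/sbin/haproxy -vv | grep -E 'HA-Proxy version|OpenSSL'
}

if [ "${1:-}" = "build" ]; then
    version=${2:-2.1.4}
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    fetch_and_verify "$version" "$work"
    tar -xf "$work/haproxy-$version.tar.gz" -C "$work"
    build_haproxy "$work/haproxy-$version"
    exit 0
fi

# Offline demonstration: a constructed file stands in for the tarball (it is
# not a real HAProxy release), with a sum file generated the way the mirror does.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'constructed stand-in for haproxy-2.1.4.tar.gz\n' > "$demo/haproxy-2.1.4.tar.gz"
( cd "$demo" && sha256sum haproxy-2.1.4.tar.gz > haproxy-2.1.4.tar.gz.sha256 )

# Intact download: recorded and computed digests agree.
demo_intact() {
    verify_tarball "$demo/haproxy-2.1.4.tar.gz" "$demo/haproxy-2.1.4.tar.gz.sha256"
}

# Tampered download: one byte appended, same file name, same sum file.
demo_tampered() {
    mkdir -p "$demo/tampered"
    cp "$demo/haproxy-2.1.4.tar.gz.sha256" "$demo/tampered/"
    { cat "$demo/haproxy-2.1.4.tar.gz"; printf 'x'; } > "$demo/tampered/haproxy-2.1.4.tar.gz"
    verify_tarball "$demo/tampered/haproxy-2.1.4.tar.gz" "$demo/tampered/haproxy-2.1.4.tar.gz.sha256"
}

if demo_intact; then echo "intact tarball: checksum verified"; fi
if demo_tampered 2>/dev/null; then echo "BUG: tampered tarball accepted"; else echo "tampered tarball: rejected"; fi
```

If the .sha256 file on the mirror uses a different layout, verify_tarball reports "no entry" and stops the build instead of guessing; compare the digest by hand against the download page in that case.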
2.3.4 Confirm the installation
haproxy -v
The output is as follows:
HA-Proxy version 2.1.4 2020/04/02 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2021.
Known bugs: http://www.haproxy.org/bugs/bugs-2.1.4.html
Note the status line: 2.1 is a short-lived branch whose fixes end in early 2021, so for anything that stays in production pick a branch that is still maintained. haproxy -vv additionally prints the build options (TARGET, OpenSSL, PCRE and the pollers), which is the quickest way to confirm what the binary actually supports.
2.3.5 Get usage help
haproxy -h
The output is as follows:
HA-Proxy version 2.1.4 2020/04/02 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2021.
Known bugs: http://www.haproxy.org/bugs/bugs-2.1.4.html
Usage : haproxy [-f <cfgfile|cfgdir>]* [ -vdVD ] [ -n <maxconn> ] [ -N <maxpconn> ]
        [ -p <pidfile> ] [ -m <max megs> ] [ -C <dir> ] [-- <cfgfile>*]
        -v displays version ; -vv shows known build options.
        -d enters debug mode ; -db only disables background mode.
        -dM[<byte>] poisons memory with <byte> (defaults to 0x50)
        -V enters verbose mode (disables quiet mode)
        -D goes daemon ; -C changes to <dir> before loading files.
        -W master-worker mode.
        -q quiet mode : don't display messages
        -c check mode : only check config files and exit
        -n sets the maximum total # of connections (uses ulimit -n)
        -m limits the usable amount of memory (in MB)
        -N sets the default, per-proxy maximum # of connections (0)
        -L set local peer name (default to hostname)
        -p writes pids of all children to this file
        -dp disables poll() usage even when available
        -dR disables SO_REUSEPORT usage
        -dr ignores server address resolution failures
        -dV disables SSL verify on servers side
        -sf/-st [pid ]* finishes/terminates old pids.
        -x <unix_socket> get listening sockets from a unix socket
        -S <bind>[,<bind options>...] new master CLI
2.4 Deploy the built program
2.4.1 Deploy the service control script
cp ~/haproxy-2.1.4/examples/haproxy.init /etc/init.d/haproxy
chmod +x /etc/init.d/haproxy
vim /etc/init.d/haproxy
Change the following line (the commented-out line is the original, the line below it the fix):
# [ ${NETWORKING} = "no" ] && exit 0
[ "${NETWORKING}" = "no" ] && exit 0
The upstream script leaves the variable unquoted. When NETWORKING is not defined in /etc/sysconfig/network, which is the usual state of that file on CentOS 7, the test expands to [ = "no" ] and the script aborts with:
-bash: [: =: unary operator expected
On CentOS 7 a SysV script under /etc/init.d is wrapped by systemd, which is why the start messages below say "via systemctl". The source tree also ships a native unit template, contrib/systemd/haproxy.service.in, which starts haproxy in master-worker mode with -Ws and therefore needs a build with USE_SYSTEMD=1.
After the edit the complete script reads as follows:
#!/bin/sh
#
# chkconfig: - 85 15
# description: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited \
#              for high availability environments.
# processname: haproxy
# config: /etc/haproxy/haproxy.cfg
# pidfile: /var/run/haproxy.pid

# Script Author: Simon Matter
# Version: 2004060600

# Source function library.
if [ -f /etc/init.d/functions ]; then
  . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
  . /etc/rc.d/init.d/functions
else
  exit 0
fi

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
# [ ${NETWORKING} = "no" ] && exit 0
[ "${NETWORKING}" = "no" ] && exit 0

# This is our service name
BASENAME=`basename $0`
if [ -L $0 ]; then
  BASENAME=`find $0 -name $BASENAME -printf %l`
  BASENAME=`basename $BASENAME`
fi

BIN=/usr/sbin/$BASENAME

CFG=/etc/$BASENAME/$BASENAME.cfg
[ -f $CFG ] || exit 1

PIDFILE=/var/run/$BASENAME.pid
LOCKFILE=/var/lock/subsys/$BASENAME

RETVAL=0

start() {
  quiet_check
  if [ $? -ne 0 ]; then
    echo "Errors found in configuration file, check it with '$BASENAME check'."
    return 1
  fi

  echo -n "Starting $BASENAME: "
  daemon $BIN -D -f $CFG -p $PIDFILE
  RETVAL=$?
  echo
  [ $RETVAL -eq 0 ] && touch $LOCKFILE
  return $RETVAL
}

stop() {
  echo -n "Shutting down $BASENAME: "
  killproc $BASENAME -USR1
  RETVAL=$?
  echo
  [ $RETVAL -eq 0 ] && rm -f $LOCKFILE
  [ $RETVAL -eq 0 ] && rm -f $PIDFILE
  return $RETVAL
}

restart() {
  quiet_check
  if [ $? -ne 0 ]; then
    echo "Errors found in configuration file, check it with '$BASENAME check'."
    return 1
  fi
  stop
  start
}

reload() {
  if ! [ -s $PIDFILE ]; then
    return 0
  fi
  quiet_check
  if [ $? -ne 0 ]; then
    echo "Errors found in configuration file, check it with '$BASENAME check'."
    return 1
  fi
  $BIN -D -f $CFG -p $PIDFILE -sf $(cat $PIDFILE)
}

check() {
  $BIN -c -q -V -f $CFG
}

quiet_check() {
  $BIN -c -q -f $CFG
}

rhstatus() {
  status $BASENAME
}

condrestart() {
  [ -e $LOCKFILE ] && restart || :
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  reload)
    reload
    ;;
  condrestart)
    condrestart
    ;;
  status)
    rhstatus
    ;;
  check)
    check
    ;;
  *)
    echo $"Usage: $BASENAME {start|stop|restart|reload|condrestart|status|check}"
    exit 1
esac

exit $?
To see the script's usage, run it without arguments:
/etc/init.d/haproxy
It prints:
Usage: haproxy {start|stop|restart|reload|condrestart|status|check}
The script's CFG variable expects the configuration at /etc/haproxy/haproxy.cfg, so prepare it with:
mkdir -p /etc/haproxy
cp ~/haproxy-2.1.4/examples/option-http_proxy.cfg /etc/haproxy/haproxy.cfg
cat /etc/haproxy/haproxy.cfg
The configuration is as follows:
#
# demo config for Proxy mode
#

global
    maxconn     20000
    ulimit-n    16384
    log         127.0.0.1 local0
    uid         200
    gid         200
    chroot      /var/empty
    nbproc      4
    daemon

frontend test-proxy
    bind        192.168.200.10:8080
    mode        http
    log         global
    option      httplog
    option      dontlognull
    option      nolinger
    option      http_proxy
    maxconn     8000
    timeout client  30s

    # layer3: Valid users
    acl allow_host src 192.168.200.150/32
    http-request deny if !allow_host

    # layer7: prevent private network relaying
    acl forbidden_dst url_ip 192.168.0.0/24
    acl forbidden_dst url_ip 172.16.0.0/12
    acl forbidden_dst url_ip 10.0.0.0/8
    http-request deny if forbidden_dst

    default_backend test-proxy-srv

backend test-proxy-srv
    mode        http
    timeout connect 5s
    timeout server  5s
    retries     2
    option      nolinger
    option      http_proxy

    # layer7: Only GET method is valid
    acl valid_method method GET
    http-request deny if !valid_method

    # layer7: protect bad reply
    http-response deny if { res.hdr(content-type) audio/mp3 }
A few points about this example before using it. "option http_proxy" turns the instance into a plain HTTP forward proxy: the request URL must carry a literal IP address, because no host name resolution is performed, and later 2.x releases deprecate the option in favour of http-request set-dst, so check the configuration manual of the version you run. The only thing that keeps such a proxy from being an open relay is the allow_host ACL, so it must match the real client network exactly. The forbidden_dst list is also narrower than it looks: 192.168.0.0/24 blocks a single /24, not the whole 192.168.0.0/16 private range. Finally, chroot /var/empty requires that directory to exist (and it should be empty and root-owned so that nothing useful is reachable after the chroot); haproxy refuses to start if it cannot chroot.
Matching the uid and gid parameters, create the runtime user:
groupadd -g 200 haproxy
useradd -u 200 -g 200 -d /var/spool/haproxy -s /sbin/nologin haproxy
2.4.2 Check the configuration
/etc/init.d/haproxy check
It prints:
Configuration file is valid
2.4.3 Try starting the service
/etc/init.d/haproxy start
You may see the following message:
Starting haproxy (via systemctl):  Job for haproxy.service failed because the control process exited with error code. See "systemctl status haproxy.service" and "journalctl -xe" for details.
[FAILED]
Look at the log to find the cause:
tail -f /var/log/messages
It shows:
Apr 15 21:36:09 localhost haproxy: Starting haproxy: [ALERT] 105/213609 (2369) : Starting frontend test-proxy: cannot bind socket [192.168.200.10:8080]
Apr 15 21:36:09 localhost haproxy: [FAILED]
The example binds 192.168.200.10, which is not an address configured on this host (its address is 10.168.0.70), so the bind fails.
Based on the message, edit the configuration:
vim /etc/haproxy/haproxy.cfg
Change the following parameter:
[...]
frontend test-proxy
    bind 0.0.0.0:8080
[...]
0.0.0.0 makes the proxy listen on every interface of the host. Since this frontend is a forward proxy, binding the host's own address (here 10.168.0.70:8080) is the tighter choice; if you do use 0.0.0.0, the allow_host ACL and the firewall are all that limit who can relay through it.
Try starting the service again:
/etc/init.d/haproxy start
The following message appears:
Starting haproxy (via systemctl): [ OK ]
Being thorough, check the log once more:
tail -f /var/log/messages
It shows:
Apr 15 21:43:03 localhost haproxy: Starting haproxy: [ALERT] 105/214303 (2401) : [/usr/sbin/haproxy.main()] FD limit (16384) too low for maxconn=20000/maxsock=40014. Please raise 'ulimit-n' to 40014 or more to avoid any trouble.This will fail in >= v2.3
Apr 15 21:43:03 localhost haproxy: [ OK ]
The service is up, but the configured file-descriptor limit (ulimit-n 16384) is below what maxconn 20000 needs: each proxied connection consumes two sockets, one towards the client and one towards the destination, and the alert warns that this mismatch becomes a startup failure from 2.3 onwards.
Based on the message, edit the configuration:
vim /etc/haproxy/haproxy.cfg
Change the following parameter:
global
    [...]
    ulimit-n 40014
    [...]
Alternatively remove the ulimit-n line altogether: when it is absent, haproxy computes the limit from maxconn itself, which avoids the same mismatch the next time maxconn changes.
Then restart the service:
/etc/init.d/haproxy restart
Finally, review the configuration:
cat /etc/haproxy/haproxy.cfg
It now reads as follows. Note that, besides the two edits described above, this listing differs from the example in two places the text does not mention: nbproc has been reduced from 4 to 1, and the allow_host ACL has changed from 192.168.200.150/32 to 192.168.200.0/32. The latter matches only the single address 192.168.200.0, so in effect no client is admitted; the ACL needs to be the actual client network (for clients on the proxy's own subnet here, 10.168.0.0/24).
#
# demo config for Proxy mode
#

global
    maxconn     20000
    ulimit-n    40014
    log         127.0.0.1 local0
    uid         200
    gid         200
    chroot      /var/empty
    nbproc      1
    daemon

frontend test-proxy
    bind        0.0.0.0:8080
    mode        http
    log         global
    option      httplog
    option      dontlognull
    option      nolinger
    option      http_proxy
    maxconn     8000
    timeout client  30s

    # layer3: Valid users
    acl allow_host src 192.168.200.0/32
    http-request deny if !allow_host

    # layer7: prevent private network relaying
    acl forbidden_dst url_ip 192.168.0.0/24
    acl forbidden_dst url_ip 172.16.0.0/12
    acl forbidden_dst url_ip 10.0.0.0/8
    http-request deny if forbidden_dst

    default_backend test-proxy-srv

backend test-proxy-srv
    mode        http
    timeout connect 5s
    timeout server  5s
    retries     2
    option      nolinger
    option      http_proxy

    # layer7: Only GET method is valid
    acl valid_method method GET
    http-request deny if !valid_method

    # layer7: protect bad reply
    http-response deny if { res.hdr(content-type) audio/mp3 }
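As an added example that is not part of the original page or of the HAProxy project, the following script audits a forward-proxy configuration for the weaknesses noted above (a bind on all interfaces combined with option http_proxy, a /32 on a .0 address, and an incomplete internal-network deny list) and compares the frontend of the listing above with a hardened variant. The hardened variant assumes, following the environment section of this page, that the proxy's own address is 10.168.0.70 and that its legitimate clients are on 10.168.0.0/24; both are assumptions to adapt. It goes beyond the page's own deny list by also covering loopback and link-local space, since a forward proxy that can reach 169.254.169.254 is a ready-made path to cloud instance metadata.

```sh
#!/bin/sh
# Added example, not from the original page or the HAProxy project: audit a
# haproxy.cfg in forward-proxy mode ("option http_proxy") for the weaknesses
# discussed above. Assumptions: the proxy listens on its own address
# 10.168.0.70 and its legitimate clients are in 10.168.0.0/24.
set -eu

# Destinations a forward proxy must never relay to: the RFC 1918 ranges the
# page's example starts from, plus loopback and link-local (169.254.169.254
# is the cloud instance-metadata endpoint).
DENY_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16"

# audit_cfg <file>: findings go to stderr, the number of findings to stdout.
audit_cfg() {
    cfg=$1
    n=0
    # 1. forward-proxy mode combined with a listener on every interface
    if grep -Eq '^[[:space:]]*option[[:space:]]+http_proxy' "$cfg" &&
       grep -Eq '^[[:space:]]*bind[[:space:]]+(0\.0\.0\.0|\*|\[::\])?:[0-9]+' "$cfg"; then
        echo "finding: option http_proxy with a bind on all interfaces (open-proxy exposure)" >&2
        n=$((n + 1))
    fi
    # 2. /32 on a network address (x.y.z.0) matches one host: a typo for /24
    if grep -Eq 'src[[:space:]]+[0-9]+(\.[0-9]+){2}\.0/32' "$cfg"; then
        echo "finding: src ACL uses /32 on a .0 address" >&2
        n=$((n + 1))
    fi
    # 3. every internal range must appear verbatim in a url_ip deny ACL
    for net in $DENY_NETS; do
        esc=$(printf '%s' "$net" | sed 's/\./\\./g')
        if ! grep -Eq 'url_ip[[:space:]]+'"$esc"'([[:space:]]|$)' "$cfg"; then
            echo "finding: $net is missing from the url_ip deny list" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# The frontend from the page's final listing (backend section omitted).
cat > "$work/weak.cfg" <<'EOF'
global
    uid 200
    gid 200
    chroot /var/empty

frontend test-proxy
    bind 0.0.0.0:8080
    mode http
    option http_proxy
    acl allow_host src 192.168.200.0/32
    http-request deny if !allow_host
    acl forbidden_dst url_ip 192.168.0.0/24
    acl forbidden_dst url_ip 172.16.0.0/12
    acl forbidden_dst url_ip 10.0.0.0/8
    http-request deny if forbidden_dst
    default_backend test-proxy-srv
EOF

# Hardened variant: listen only on the proxy's own address, admit only the
# real client network, and deny every internal range.
cat > "$work/hardened.cfg" <<'EOF'
global
    uid 200
    gid 200
    chroot /var/empty

frontend test-proxy
    bind 10.168.0.70:8080
    mode http
    option http_proxy
    acl allow_host src 10.168.0.0/24
    http-request deny if !allow_host
    acl forbidden_dst url_ip 10.0.0.0/8
    acl forbidden_dst url_ip 172.16.0.0/12
    acl forbidden_dst url_ip 192.168.0.0/16
    acl forbidden_dst url_ip 127.0.0.0/8
    acl forbidden_dst url_ip 169.254.0.0/16
    http-request deny if forbidden_dst
    default_backend test-proxy-srv
EOF

weak_findings() { audit_cfg "$work/weak.cfg" 2>/dev/null; }
hardened_findings() { audit_cfg "$work/hardened.cfg" 2>/dev/null; }

echo "weak.cfg: $(weak_findings) finding(s)"
echo "hardened.cfg: $(hardened_findings) finding(s)"
```

Both fragments leave out the backend section of the listing above; once it is appended, haproxy -c -V -f on the file checks the syntax, and audit_cfg can be pointed at the real /etc/haproxy/haproxy.cfg as a pre-reload check alongside the init script's own quiet_check. The audit is deliberately text-based and conservative: it flags the patterns this page ran into, not every way a forward proxy can be misconfigured.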
2.4.4 Start the service at boot
chkconfig haproxy on
The service control commands are:
/etc/init.d/haproxy start
/etc/init.d/haproxy stop
/etc/init.d/haproxy reload
/etc/init.d/haproxy restart
/etc/init.d/haproxy status
reload runs the configuration check first and then hands the listening sockets over to a new process with -sf, so prefer it to restart when only the configuration has changed.
References
==========
Official documentation
----------------------
https://www.haproxy.org/download/2.1/doc/management.txt
https://www.haproxy.org/#docs
Downloads
---------
https://www.haproxy.org/download/
https://www.haproxy.org/#down
Official home page
------------------
https://www.haproxy.org/
Official Git repository
-----------------------
http://git.haproxy.org/
Installation guide
------------------
https://linuxscriptshub.com/install-haproxy-centos-7/
How to build a systemd control script
-------------------------------------
https://discourse.haproxy.org/t/failing-to-start-with-systemd-and-unexplained-issues/849/6
Configuring the file-descriptor limit
-------------------------------------
https://docs.oracle.com/cd/E19476-01/821-0505/file-descriptor-requirements.html