1 基础知识

1.1 软件的介绍

– HAProxy是一款开源免费、快速、可靠的解决方案
– HAProxy是基于TCP和HTTP协议提供高可用、负载均衡和代理服务

1.2 软件的功能

– 负载均衡
– 高可用
– 代理服务

2 最佳实践

2.1 环境信息

OS = CentOS 7.3 x86_64
IP Address = 10.168.0.70
host name = haproxy.cmdschool.org

2.2 安装前的准备

2.2.1 下载软件包

cd ~
https://www.haproxy.org/download/2.1/src/haproxy-2.1.4.tar.gz

2.2.2 解压软件包

cd ~
tar -xf haproxy-2.1.4.tar.gz

2.2.3 准备编译环境

yum -y install gcc make

2.2.4 关闭SELinux

sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0

2.2.5 开放所需的端口

firewall-cmd --permanent --add-port 8080/tcp 
firewall-cmd --reload
firewall-cmd --list-all

2.3 编译安装

2.3.1 定义编译安装选项

cd ~/haproxy-2.1.4
vim Makefile

根据实际情况定义如下编译选项，

#### Installation options.
PREFIX = /usr
SBINDIR = $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
DOCDIR = $(PREFIX)/doc/haproxy
USE_SYSTEMD = 1
TARGET = linux3100
CPU = generic
ARCH = x86_64

其中“USE_SYSTEMD = 1”参数用于启用systemd的启动方式，另外“TARGET”与“ARCH”的定义可参考如下命令的输出，

uname -a

可见如下提示，

Linux localhost.localdomain 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

2.3.2 编译软件包

cd ~/haproxy-2.1.4
make

如果遇到以下提示，

src/haproxy.c:77:31: fatal error: systemd/sd-daemon.h: No such file or directory
 #include 
                               ^
compilation terminated.
make: *** [src/haproxy.o] Error 1

请使用如下指令解决依赖关系后再从新编译，

yum install -y systemd-devel

2.3.3 安装软件包

cd ~/haproxy-2.1.4
make install

可见如下输出，

‘haproxy’ -> ‘/usr/sbin/haproxy’
‘doc/haproxy.1’ -> ‘/usr/share/man/man1/haproxy.1’
install: creating directory ‘/usr/doc’
install: creating directory ‘/usr/doc/haproxy’
‘doc/configuration.txt’ -> ‘/usr/doc/haproxy/configuration.txt’
‘doc/management.txt’ -> ‘/usr/doc/haproxy/management.txt’
‘doc/seamless_reload.txt’ -> ‘/usr/doc/haproxy/seamless_reload.txt’
‘doc/architecture.txt’ -> ‘/usr/doc/haproxy/architecture.txt’
‘doc/peers-v2.0.txt’ -> ‘/usr/doc/haproxy/peers-v2.0.txt’
‘doc/regression-testing.txt’ -> ‘/usr/doc/haproxy/regression-testing.txt’
‘doc/cookie-options.txt’ -> ‘/usr/doc/haproxy/cookie-options.txt’
‘doc/lua.txt’ -> ‘/usr/doc/haproxy/lua.txt’
‘doc/WURFL-device-detection.txt’ -> ‘/usr/doc/haproxy/WURFL-device-detection.txt’
‘doc/proxy-protocol.txt’ -> ‘/usr/doc/haproxy/proxy-protocol.txt’
‘doc/linux-syn-cookies.txt’ -> ‘/usr/doc/haproxy/linux-syn-cookies.txt’
‘doc/SOCKS4.protocol.txt’ -> ‘/usr/doc/haproxy/SOCKS4.protocol.txt’
‘doc/network-namespaces.txt’ -> ‘/usr/doc/haproxy/network-namespaces.txt’
‘doc/DeviceAtlas-device-detection.txt’ -> ‘/usr/doc/haproxy/DeviceAtlas-device-detection.txt’
‘doc/51Degrees-device-detection.txt’ -> ‘/usr/doc/haproxy/51Degrees-device-detection.txt’
‘doc/netscaler-client-ip-insertion-protocol.txt’ -> ‘/usr/doc/haproxy/netscaler-client-ip-insertion-protocol.txt’
‘doc/peers.txt’ -> ‘/usr/doc/haproxy/peers.txt’
‘doc/close-options.txt’ -> ‘/usr/doc/haproxy/close-options.txt’
‘doc/SPOE.txt’ -> ‘/usr/doc/haproxy/SPOE.txt’
‘doc/intro.txt’ -> ‘/usr/doc/haproxy/intro.txt’

2.3.4 确认安装

haproxy -v

可见如下显示，

HA-Proxy version 2.1.4 2020/04/02 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2021.
Known bugs: http://www.haproxy.org/bugs/bugs-2.1.4.html

2.3.5 获取使用帮助

haproxy -h

可见如下显示，

HA-Proxy version 2.1.4 2020/04/02 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2021.
Known bugs: http://www.haproxy.org/bugs/bugs-2.1.4.html
Usage : haproxy [-f ]* [ -vdVD ] [ -n  ] [ -N  ]
        [ -p  ] [ -m  ] [ -C  ] [-- *]
        -v displays version ; -vv shows known build options.
        -d enters debug mode ; -db only disables background mode.
        -dM[] poisons memory with  (defaults to 0x50)
        -V enters verbose mode (disables quiet mode)
        -D goes daemon ; -C changes to  before loading files.
        -W master-worker mode.
        -q quiet mode : don't display messages
        -c check mode : only check config files and exit
        -n sets the maximum total # of connections (uses ulimit -n)
        -m limits the usable amount of memory (in MB)
        -N sets the default, per-proxy maximum # of connections (0)
        -L set local peer name (default to hostname)
        -p writes pids of all children to this file
        -dp disables poll() usage even when available
        -dR disables SO_REUSEPORT usage
        -dr ignores server address resolution failures
        -dV disables SSL verify on servers side
        -sf/-st [pid ]* finishes/terminates old pids.
        -x  get listening sockets from a unix socket
        -S [,...] new master CLI

2.4 部署编译程序

2.4.1 部署服务控制脚本

cp ~/haproxy-2.1.4/contrib/systemd/haproxy.service.in /usr/lib/systemd/system/haproxy.service
vim /usr/lib/systemd/system/haproxy.service

配置修改如下，

[Unit]
Description=HAProxy Load Balancer
After=network.target

[Service]
EnvironmentFile=-/etc/default/haproxy
#EnvironmentFile=-/etc/sysconfig/haproxy
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS
ExecStart=/usr/sbin/haproxy -W -f $CONFIG -p $PIDFILE $EXTRAOPTS
ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS
#ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always
SuccessExitStatus=143
Type=forking

# The following lines leverage SystemD's sandboxing options to provide
# defense in depth protection at the expense of restricting some flexibility
# in your setup (e.g. placement of your configuration files) or possibly
# reduced performance. See systemd.service(5) and systemd.exec(5) for further
# information.

# NoNewPrivileges=true
# ProtectHome=true
# If you want to use 'ProtectSystem=strict' you should whitelist the PIDFILE,
# any state files and any other files written using 'ReadWritePaths' or
# 'RuntimeDirectory'.
# ProtectSystem=true
# ProtectKernelTunables=true
# ProtectKernelModules=true
# ProtectControlGroups=true
# If your SystemD version supports them, you can add: @reboot, @swap, @sync
# SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io

[Install]
WantedBy=multi-user.target

重点是修改变量“ExecStart”、“@SBINDIR@”和“Type”，修改完成后我们需要运行以下命令使配置生效，

systemctl daemon-reload

根据“EnvironmentFile”定义的参数，我们需要增加额外选项配置文件

vim /etc/default/haproxy

加入如下内容，

# Add extra options to the haproxy daemon here. This can be useful for
# specifying multiple configuration files with multiple -f options.
# See haproxy(1) for a complete list of options.
EXTRAOPTS="-S /run/haproxy-master.sock"

根据变量“CONFIG”的定义，我们需要部署启动脚本所需的配置文件

mkdir -p /etc/haproxy
cp ~/haproxy-2.1.4/examples/option-http_proxy.cfg /etc/haproxy/haproxy.cfg
cat /etc/haproxy/haproxy.cfg

配置显示如下，

#
# demo config for Proxy mode
#

global
        maxconn         20000
        ulimit-n        16384
        log             127.0.0.1 local0
        uid             200
        gid             200
        chroot          /var/empty
        nbproc          4
        daemon

frontend test-proxy
        bind            192.168.200.10:8080
        mode            http
        log             global
        option          httplog
        option          dontlognull
        option          nolinger
        option          http_proxy
        maxconn         8000
        timeout client  30s

        # layer3: Valid users
        acl allow_host src 192.168.200.150/32
        http-request deny if !allow_host

        # layer7: prevent private network relaying
        acl forbidden_dst url_ip 192.168.0.0/24
        acl forbidden_dst url_ip 172.16.0.0/12
        acl forbidden_dst url_ip 10.0.0.0/8
        http-request deny if forbidden_dst

        default_backend test-proxy-srv


backend test-proxy-srv
        mode            http
        timeout connect 5s
        timeout server  5s
        retries         2
        option          nolinger
        option          http_proxy

        # layer7: Only GET method is valid
        acl valid_method        method GET
        http-request deny if !valid_method

        # layer7: protect bad reply
        http-response deny if { res.hdr(content-type) audio/mp3 }

根据配置文件“GID”和“UID”的定义，我们需要使用如下命令创建运行用户

groupadd  -g 200 haproxy
useradd -u 200 -g 200 -d /var/spool/haproxy -s /sbin/nologin haproxy

2.4.2 尝试启动服务

systemctl start haproxy.service

如果遇到如下提示，

Job for haproxy.service failed because the control process exited with error code. See "systemctl status haproxy.service" and "journalctl -xe" for details.

我们建议通过以下命令查看日志查找问题的根源，

tail -n 50 /var/log/messages

可见如下提示，

Apr 15 22:33:14 localhost haproxy: [ALERT] 105/223314 (14715) : Starting frontend test-proxy: cannot bind socket [192.168.200.10:8080]
Apr 15 22:33:14 localhost systemd: haproxy.service: control process exited, code=exited status=1
Apr 15 22:33:14 localhost systemd: Failed to start HAProxy Load Balancer.
Apr 15 22:33:14 localhost systemd: Unit haproxy.service entered failed state.
Apr 15 22:33:14 localhost systemd: haproxy.service failed.

根据提示使用如下命令修改配置，

vim /etc/haproxy/haproxy.cfg

我们修改如下配置，

[...]
frontend test-proxy
        bind            0.0.0.0:8080
        [...]

然后我们再次使用以下命令尝试启动，

systemctl start haproxy.service

服务启动成功，我们抱着严谨的精神再次查看日志文件，可见如下提示，

Apr 15 22:39:12 localhost haproxy: [ALERT] 105/223912 (14754) : [/usr/sbin/haproxy.main()] FD limit (16384) too low for maxconn=20000/maxsock=40028. Please raise 'ulimit-n' to 40028 or more to avoid any trouble.This will fail in >= v2.3

我们再次根据提示修改配置文件，

[...]
global
        [...]
        ulimit-n        40039
        [...]

修改完成后，我们需要重启服务使配置生效，

systemctl restart haproxy.service

最后我们使用如下命令查看配置，

cat /etc/haproxy/haproxy.cfg

整体配置如下，

#
# demo config for Proxy mode
#

global
        maxconn         20000
        ulimit-n        40039
        log             127.0.0.1 local0
        uid             200
        gid             200
        chroot          /var/empty
        nbproc          4
        daemon

frontend test-proxy
        bind            0.0.0.0:8080
        mode            http
        log             global
        option          httplog
        option          dontlognull
        option          nolinger
        option          http_proxy
        maxconn         8000
        timeout client  30s

        # layer3: Valid users
        acl allow_host src 192.168.200.150/32
        http-request deny if !allow_host

        # layer7: prevent private network relaying
        acl forbidden_dst url_ip 192.168.0.0/24
        acl forbidden_dst url_ip 172.16.0.0/12
        acl forbidden_dst url_ip 10.0.0.0/8
        http-request deny if forbidden_dst

        default_backend test-proxy-srv


backend test-proxy-srv
        mode            http
        timeout connect 5s
        timeout server  5s
        retries         2
        option          nolinger
        option          http_proxy

        # layer7: Only GET method is valid
        acl valid_method        method GET
        http-request deny if !valid_method

        # layer7: protect bad reply
        http-response deny if { res.hdr(content-type) audio/mp3 }

2.4.3 设置服务开机自动启动

systemctl enable haproxy.service

另外，常用服务控制命令如下，

systemctl start haproxy.service
systemctl stop haproxy.service
systemctl reload haproxy.service
systemctl restart haproxy.service
systemctl status haproxy.service

参阅文档
=======================

官方文档
—————-
https://www.haproxy.org/download/2.1/doc/management.txt
https://www.haproxy.org/#docs

软件下载
——————
https://www.haproxy.org/download/
https://www.haproxy.org/#down

官方首页
—————–
https://www.haproxy.org/

官方github
—————-
http://git.haproxy.org/

安装参阅文档
—————
https://linuxscriptshub.com/install-haproxy-centos-7/

如何编译出systemd控制脚本
———————–
https://discourse.haproxy.org/t/failing-to-start-with-systemd-and-unexplained-issues/849/6

limit的配置方法
——————–
https://docs.oracle.com/cd/E19476-01/821-0505/file-descriptor-requirements.html