HAProxy access control and static/dynamic separation

ACL syntax:

    acl <acl_name> <criterion> [flags] [operator] <value>

acl_name: a user-defined ACL name. Case-sensitive; may contain only letters, digits, "-", "_", ":" and ".".
criterion: the check to perform.
flags: flags, for example:
    -i: case-insensitive matching
operator: comparison operator for numeric values, e.g. eq (=), ge (>=), gt (>), le (<=), lt (<).
value: the value to compare against; either a number or a string.
    For int values:
        for example 1024:65535 (a range)
    For string values:
        the -i flag is supported
        regular expressions are supported
        IP addresses and networks are supported

Criteria:
    dst <ip_address>: destination address
    dst_port <integer>: destination port
    src <ip_address>: source address
    src_port <integer>: source port
Layer-4 access control with ACLs (TCP)

Example:

    tcp-request content accept [{if | unless} <condition>]
    tcp-request content reject [{if | unless} <condition>]

These rules can only be defined in frontend and listen sections.

Example:

    acl goodguys src 10.0.0.0/24
    tcp-request content accept if goodguys
    tcp-request content reject

Explanation: only clients from the 10.0.0.0/24 network are allowed; everyone else is rejected.
Instance:

    listen statistics
        bind *:8010
        stats enable
        stats uri /haadmin?stats
        stats auth admin:admin
        stats admin if TRUE
        acl whitelist src 172.16.0.0/16
        acl blacklist src 172.16.100.10/24
        tcp-request content reject if blacklist
        tcp-request content accept if whitelist
        tcp-request content reject

Explanation: clients from the 172.16.0.0/16 network may reach the local stats page http://127.0.0.1/haadmin?stats, but 172.16.100.10/24 is rejected. The rules are evaluated top to bottom and the first match wins, so the blacklist reject must come before the whitelist accept.
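The following is an added example, not code from the original post or from HAProxy: it replays the ordered tcp-request content rules of the statistics listener above against constructed source addresses, so you can see that the first matching rule wins and what happens when the two conditional rules are swapped. The rule table, the source addresses and the "wrong order" variant are all constructed here.

```python
"""Added example (not code from the original post): replays the ordered
tcp-request content rules of the statistics listener against constructed
source addresses, to show that the first matching rule wins."""
import ipaddress

# The two ACLs from the listener. strict=False is needed because
# 172.16.100.10/24 has host bits set; under CIDR masking the rule covers
# the whole 172.16.100.0/24 network, not just the single address.
ACLS = {
    "whitelist": [ipaddress.ip_network("172.16.0.0/16")],
    "blacklist": [ipaddress.ip_network("172.16.100.10/24", strict=False)],
}

# Rules in the order they appear in the listener; None = unconditional.
RULES = [
    ("reject", "blacklist"),
    ("accept", "whitelist"),
    ("reject", None),
]

# Constructed variant with the blacklist reject placed after the whitelist
# accept: the blacklist can then never fire, because the accept already
# matched every 172.16.0.0/16 address, including the blacklisted ones.
RULES_WRONG_ORDER = [
    ("accept", "whitelist"),
    ("reject", "blacklist"),
    ("reject", None),
]


def acl_matches(name, src):
    """True if the source address falls inside any network of the ACL."""
    return any(src in net for net in ACLS[name])


def decide(src_ip, rules=RULES):
    """Walk the rules top to bottom and return the first action that applies.
    With no matching rule HAProxy lets the connection continue (accept)."""
    src = ipaddress.ip_address(src_ip)
    for action, acl in rules:
        if acl is None or acl_matches(acl, src):
            return action
    return "accept"


def blacklist_network():
    """The network the blacklist ACL actually covers after masking."""
    return str(ACLS["blacklist"][0])


if __name__ == "__main__":
    for ip in ("172.16.5.5", "172.16.100.10", "172.16.100.77", "10.1.1.1"):
        print(ip, "as written:", decide(ip),
              "swapped:", decide(ip, RULES_WRONG_ORDER))
```

Running the script prints the decision for each address under both orderings; with the swapped ordering 172.16.100.10 is accepted, which is the mistake the original ordering avoids.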
Layer-7 access control with ACLs (HTTP)

Example:

    acl nagios src 192.168.129.3
    acl local_net src 192.168.0.0/16
    acl auth_ok http_auth(L1)
    http-request allow if nagios
    http-request allow if local_net auth_ok
    http-request auth realm Gimme if local_net auth_ok
    http-request deny

Example:

    acl auth_ok http_auth_group(L1) G1
    http-request auth unless auth_ok
Criteria:

    hdr(<header>) <string>

Checks the request headers; the named header must equal the string that follows.
For example:

    hdr(Content) -i close

Explanation: checks the Content header, which must be close (case-insensitive).

hdr_beg(<header>) <string>
Tests whether the named request header begins with the pattern given by <string>. For example, the following tests whether the request is for one of the hosts serving static content: img, video, download or ftp.

    acl host_static hdr_beg(host) -i img. video. download. ftp.

hdr_end(<header>) <string>
Tests whether the named request header ends with the pattern given by <string>.

hdr_reg(<header>) <regex>
Matches the header value against a regular expression.
For example:

    acl vhost hdr_reg(Host) -i .*\.magedu.com

Explanation: matches every Host virtual host within the magedu.com domain and defines the ACL vhost.

http_first_req
Checks whether this is the first request on the HTTP connection.

method <string>
Checks the method used in the HTTP request.
path
Checks the path part of the HTTP request URL. The format of the HTTP request URL is given under url below.
For example:

    acl index path -i /index.html

Explanation: checks whether the requested path is /index.html (case-insensitive) and defines the ACL index.

path_beg <string>
Tests whether the request URL begins with the pattern given by <string>. The following example tests whether the URL begins with /static, /images, /javascript or /stylesheets.

    acl url_static path_beg -i /static /images /javascript /stylesheets

path_end <string>
Tests whether the request URL ends with the pattern given by <string>. For example, the following tests whether the URL ends in .jpg, .gif, .png, .css or .js.

    acl url_static path_end -i .jpg .gif .png .css .js

path_reg <regex>
Matches the path against a regular expression.

url <string>
Matches the URL exactly; the URL has the form

    /path;params?query#fragment

url_beg <string>
Checks whether the URL begins with the given string.

url_end <string>
Checks whether the URL ends with the given string.
Combining several ACL conditions

Condition operators: and, or, ! (not).

Example:

    acl url_static path_beg /static /image /img /css
    acl url_static path_end .gif .png .jpg .css .js
    acl host_www hdr_beg(host) -i www
    acl host_static hdr_beg(host) -i img. video. download. ftp.
    use_backend static if host_static or url_static
    use_backend www if host_www

Explanation: the first two ACLs share a name, so matching either of them is enough: a path that begins with /static, /image, /img or /css, or that ends in .gif, .png, .jpg, .css or .js, is classified as static (a static page).
Line 3: checks the Host header; hosts beginning with www are defined as host_www.
Line 4: checks the Host header; hosts beginning with img, video, download or ftp are defined as host_static.
Line 5: if the condition is met, use the static backend (not configured in this example).
Line 6: if the virtual host begins with www, use the www backend (not configured in this example).
Sample HAProxy configuration for ACL-based static/dynamic separation:

    global
        log 127.0.0.1 local2
        chroot /var/lib/haproxy
        pidfile /var/run/haproxy.pid
        maxconn 4000
        user haproxy
        group haproxy
        daemon
        # turn on stats unix socket
        stats socket /var/lib/haproxy/stats

    defaults
        mode http
        log global
        option httplog
        option dontlognull
        option http-server-close
        option forwardfor except 127.0.0.0/8
        option redispatch
        retries 3
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout client 1m
        timeout server 1m
        timeout http-keep-alive 10s
        timeout check 10s
        maxconn 30000

    listen stats
        mode http
        bind 0.0.0.0:1080
        stats enable
        stats hide-version
        stats uri /haproxyadmin?stats
        stats realm Haproxy\ Statistics
        stats auth admin:admin
        stats admin if TRUE

    frontend http-in
        bind *:80
        mode http
        log global
        option httpclose      # use short-lived connections (close after each response)
        option logasap        # write the log line as soon as the request is received;
                              # by default it is written when the request completes
        option dontlognull    # do not log empty connections (a connection that
                              # sends no request produces no log line)
        capture request header Host len 20       # record the request's virtual host, up to 20 characters
        capture request header Referer len 60    # record the request's Referer (the page it came from), up to 60 characters
        acl url_static path_beg -i /static /images /javascript /stylesheets
        acl url_static path_end -i .jpg .jpeg .gif .png .css .js
        use_backend static_servers if url_static
        default_backend dynamic_servers

    backend static_servers
        balance roundrobin
        server imgsrv1 172.16.200.7:80 check maxconn 6000
        server imgsrv2 172.16.200.8:80 check maxconn 6000

    backend dynamic_servers
        cookie srv insert nocache
        balance roundrobin
        server websrv1 172.16.200.7:80 check maxconn 1000 cookie websrv1
        server websrv2 172.16.200.8:80 check maxconn 1000 cookie websrv2
        server websrv3 172.16.200.9:80 check maxconn 1000 cookie websrv3
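The following is an added example, not code from the original post or from HAProxy itself: a small model of how HAProxy evaluates the ACLs used on this page (path, path_beg, path_end, hdr_beg and friends, the -i flag, same-named ACLs OR'd together, juxtaposed ACLs AND'd, plus the or and ! operators). It runs the six-line use_backend example from the "Combining several ACL conditions" section and the url_static rules of the http-in frontend above against constructed requests. The request dictionary layout, the default backend name "default" and the sample hosts and paths are this example's own assumptions.

```python
"""Added example, not code from the original post or from HAProxy: a model
of HAProxy ACL matching and condition logic, run against the six-line
use_backend example and the url_static rules of the static/dynamic frontend."""
import re
from collections import defaultdict


def make_matcher(criterion, flags, values):
    """Build a predicate for one acl line. Supported criteria: path, path_beg,
    path_end, path_reg, hdr(name), hdr_beg(name), hdr_end(name), hdr_reg(name).
    Requests are dicts: {"path": str, "headers": {lowercase-name: value}}."""
    ci = "-i" in flags                         # -i: case-insensitive match
    fold = str.lower if ci else (lambda s: s)
    if "(" in criterion:                       # e.g. hdr_beg(host)
        kind, hdr = criterion[:-1].split("(")
        hdr = hdr.lower()
    else:
        kind, hdr = criterion, None
    regs = [re.compile(v, re.I if ci else 0) for v in values] if kind.endswith("_reg") else []
    vals = [fold(v) for v in values]

    def match(req):
        subject = req["headers"].get(hdr, "") if hdr else req["path"]
        if kind.endswith("_reg"):
            return any(r.search(subject) for r in regs)
        s = fold(subject)
        if kind in ("path", "hdr"):            # exact match against any listed value
            return s in vals
        if kind.endswith("_beg"):
            return any(s.startswith(v) for v in vals)
        if kind.endswith("_end"):
            return any(s.endswith(v) for v in vals)
        raise ValueError("unsupported criterion: " + criterion)
    return match


class AclSet:
    """The ACLs of one frontend; several 'acl' lines may share a name."""

    def __init__(self, lines=()):
        self.acls = defaultdict(list)
        for line in lines:
            self.add(line)

    def add(self, line):
        parts = line.split()                   # acl <name> <criterion> [-i] <value>...
        name, criterion, rest = parts[1], parts[2], parts[3:]
        flags = [t for t in rest if t.startswith("-")]
        values = [t for t in rest if not t.startswith("-")]
        self.acls[name].append(make_matcher(criterion, flags, values))

    def acl(self, name, req):
        return any(m(req) for m in self.acls[name])   # same name => OR

    def condition(self, cond, req):
        """'a b or !c' means (a AND b) OR (NOT c); 'and' may also be written out."""
        for group in cond.split(" or "):
            terms = [t for t in group.split() if t != "and"]
            if all(self.acl(t.lstrip("!"), req) != t.startswith("!") for t in terms):
                return True
        return False


def route(acls, use_backend, default_backend, req):
    """The first use_backend rule whose condition holds wins, else the default."""
    for backend, cond in use_backend:
        if acls.condition(cond, req):
            return backend
    return default_backend


# The six-line example from the post; the default backend name is constructed.
EXAMPLE = AclSet([
    "acl url_static path_beg /static /image /img /css",
    "acl url_static path_end .gif .png .jpg .css .js",
    "acl host_www hdr_beg(host) -i www",
    "acl host_static hdr_beg(host) -i img. video. download. ftp.",
])
EXAMPLE_RULES = [("static", "host_static or url_static"), ("www", "host_www")]

# The url_static ACLs of the http-in frontend (these carry the -i flag).
FRONTEND = AclSet([
    "acl url_static path_beg -i /static /images /javascript /stylesheets",
    "acl url_static path_end -i .jpg .jpeg .gif .png .css .js",
])
FRONTEND_RULES = [("static_servers", "url_static")]


def pick(host, path, acls=EXAMPLE, rules=EXAMPLE_RULES, default="default"):
    """Route one constructed request (Host header + path) to a backend name."""
    req = {"headers": {"host": host}, "path": path}
    return route(acls, rules, default, req)


if __name__ == "__main__":
    for host, path in [("www.example.test", "/logo.png"), ("www.example.test", "/logo.PNG"),
                       ("IMG.example.test", "/app"), ("api.example.test", "/app")]:
        print(host, path, "->", pick(host, path),
              "| http-in ->", pick(host, path, FRONTEND, FRONTEND_RULES, "dynamic_servers"))
```

Two things the model makes visible that the configuration alone does not: in the six-line example /logo.PNG on a www host goes to the www backend because the path_end ACL there has no -i flag, whereas the http-in frontend, whose url_static ACLs carry -i, sends the same request to static_servers; and a www host requesting /logo.png goes to static, not www, because the first use_backend rule that matches wins.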
Configuration example: load balancing a MySQL service

    #---------------------------------------------------------------------
    # Global settings
    #---------------------------------------------------------------------
    global
        # to have these messages end up in /var/log/haproxy.log you will
        # need to:
        #
        # 1) configure syslog to accept network log events. This is done
        #    by adding the '-r' option to the SYSLOGD_OPTIONS in
        #    /etc/sysconfig/syslog
        #
        # 2) configure local2 events to go to the /var/log/haproxy.log
        #    file. A line like the following can be added to
        #    /etc/sysconfig/syslog
        #
        #    local2.*    /var/log/haproxy.log
        #
        log 127.0.0.1 local2
        chroot /var/lib/haproxy
        pidfile /var/run/haproxy.pid
        maxconn 4000
        user haproxy
        group haproxy
        daemon

    defaults
        mode tcp
        log global
        option httplog
        option dontlognull
        retries 3
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout client 1m
        timeout server 1m
        timeout http-keep-alive 10s
        timeout check 10s
        maxconn 600

    listen stats
        mode http
        bind 0.0.0.0:1080
        stats enable
        stats hide-version
        stats uri /haproxyadmin?stats
        stats realm Haproxy\ Statistics
        stats auth admin:admin
        stats admin if TRUE

    frontend mysql
        bind *:3306
        mode tcp
        log global
        default_backend mysqlservers

    backend mysqlservers
        balance leastconn
        server dbsrv1 192.168.10.11:3306 check port 3306 inter 2 rise 1 fall 2 maxconn 300
        server dbsrv2 192.168.10.12:3306 check port 3306 inter 2 rise 1 fall 2 maxconn 300
HAProxy configuration for load balancing RabbitMQ

    #---------------------------------------------------------------------
    # Global settings
    #---------------------------------------------------------------------
    global
        # to have these messages end up in /var/log/haproxy.log you will
        # need to:
        #
        # 1) configure syslog to accept network log events. This is done
        #    by adding the '-r' option to the SYSLOGD_OPTIONS in
        #    /etc/sysconfig/syslog
        #
        # 2) configure local2 events to go to the /var/log/haproxy.log
        #    file. A line like the following can be added to
        #    /etc/sysconfig/syslog
        #
        #    local2.*    /var/log/haproxy.log
        #
        log 127.0.0.1 local2 info
        chroot /var/lib/haproxy
        pidfile /var/run/haproxy.pid
        maxconn 4000
        user haproxy
        group haproxy
        daemon
        stats socket /var/lib/haproxy/stats

    defaults
        log global
        option tcplog
        option dontlognull
        option http-server-close
        option redispatch
        retries 3
        timeout connect 5s
        timeout client 1m
        timeout server 1m
        timeout check 5s
        maxconn 6000

    listen stats
        bind *:1080
        mode http
        stats refresh 30s
        stats auth admin:admin
        stats enable
        stats admin if TRUE
        stats uri /hadmin?stats
        stats realm Haproxy\ Manager
        option httplog
        log global

    frontend mq_web_console
        bind 0.0.0.0:15672
        mode http
        maxconn 3000
        log global
        no option dontlognull
        option httplog
        default_backend mq_web_console

    backend mq_web_console
        mode http
        balance roundrobin
        server node1 172.16.42.131:15672 check maxconn 2000
        server node2 172.16.42.135:15672 check maxconn 2000

    frontend mq_cluster
        bind 0.0.0.0:5672
        mode tcp
        maxconn 3000
        log global
        option tcplog
        default_backend mq_cluster

    backend mq_cluster
        option tcplog
        mode tcp
        balance roundrobin
        server node1 172.16.42.131:5672 check inter 5s rise 2 fall 3
        server node2 172.16.42.135:5672 check inter 5s rise 2 fall 3
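The following is an added example, not code from the original post or from HAProxy: a model of how the health-check parameters inter, rise and fall on a server line move that server between UP and DOWN, run with the values of the MySQL backend (inter 2 rise 1 fall 2) and the RabbitMQ backend (inter 5s rise 2 fall 3) above. The check result sequences are constructed; the state machine is the documented rule that a server is marked DOWN after fall consecutive failed checks and UP again after rise consecutive successful ones. Note that HAProxy time values without a unit are milliseconds, so inter 2 is 2 ms while inter 5s is 5000 ms.

```python
"""Added example, not code from the original post or from HAProxy: models how
the check parameters inter/rise/fall drive a server's UP/DOWN state, using
the values of the MySQL and RabbitMQ backends on this page."""

# HAProxy time units; a value without a unit is in milliseconds.
UNITS_MS = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}


def parse_interval_ms(value):
    """'2' -> 2 (ms), '5s' -> 5000, '500ms' -> 500."""
    for unit, factor in sorted(UNITS_MS.items(), key=lambda kv: -len(kv[0])):
        if value.endswith(unit):
            return int(value[: -len(unit)]) * factor
    return int(value)


def run_checks(results, rise, fall, start_up=True):
    """results: iterable of booleans, True = the health check passed.
    The server goes DOWN after `fall` consecutive failures and comes back UP
    after `rise` consecutive successes; a result of the other kind resets the
    streak. Returns the server state after each check."""
    up, streak, last, states = start_up, 0, None, []
    for ok in results:
        streak = streak + 1 if ok == last else 1   # consecutive same-kind results
        last = ok
        if up and not ok and streak >= fall:
            up = False
        elif not up and ok and streak >= rise:
            up = True
        states.append("UP" if up else "DOWN")
    return states


def detection_delay_ms(inter, fall):
    """Roughly how long a dead server keeps receiving traffic: `fall` checks
    spaced `inter` apart (the per-check timeout is ignored here)."""
    return parse_interval_ms(inter) * fall


if __name__ == "__main__":
    # Constructed check sequences: F = failed check, T = passed check.
    mysql = [False, True, False, False, True]
    rabbit = [False, False, True, False, False, False, True, True]
    print("MySQL  rise 1 fall 2:", run_checks(mysql, rise=1, fall=2))
    print("RabbitMQ rise 2 fall 3:", run_checks(rabbit, rise=2, fall=3))
    print("MySQL detection delay (ms):", detection_delay_ms("2", 2))
    print("RabbitMQ detection delay (ms):", detection_delay_ms("5s", 3))
```

The two sequences show the trade-off the parameters encode: with rise 1 a single good check brings a MySQL server back into rotation immediately, while rise 2 fall 3 on the RabbitMQ nodes tolerates two isolated failures but takes three check intervals (15 s at inter 5s) to stop sending traffic to a dead node.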