HAProxy Advanced Features and Configuration

2025/2/28 4:38:25  Source: https://blog.csdn.net/Starry__Sky222/article/details/145835377

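Contents

1. HAProxy Advanced Features and Configuration
  Cookie-based session persistence
    Configuration options
    Configuration example
    Verifying the cookie
  HAProxy status page
    Status page configuration options
    Enabling the status page
    Logging in to the status page
    Backend server information
    Using the status page to health-check the haproxy server
  IP pass-through
    Layer 4 vs. layer 7
    Layer 4 load balancing
    Layer 7 proxying
    Layer 4 IP pass-through
    Layer 7 IP pass-through
      HAProxy configuration
      Web server log format configuration
      Verifying the client IP address
  Modifying HTTP messages
  Custom log format
    Configuration options
    Configuration example
    Verifying the log format
  HAProxy compression
    Configuration options
    Configuration example
    Verifying compression
  Web service health checking
    Three health-check methods
    HTTP-based (application layer) health checks
    Configuration example
    Verifying the HTTP check
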

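1. HAProxy Advanced Features and Configuration

This article introduces advanced HAProxy configuration and practical examples.

Cookie-based session persistence

cookie value: assigns a cookie value to the current server to implement cookie-based session stickiness. Compared with the source-address hash scheduling algorithm it identifies clients at a finer granularity, but it also increases the load on haproxy. This mode is rarely used today and has been replaced by shared session servers.

Note: tcp mode is not supported; use http mode.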

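Configuration options

cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ] [ postonly ] [ preserve ] [ httponly ] [ secure ] [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]

name:       # the cookie's key name, used to implement persistent connections
insert:     # insert a new cookie; by default no cookie is inserted
indirect:   # if the client already has the cookie, the cookie is not sent again
nocache:    # when there is a cache server (e.g. a CDN) between the client and haproxy, do not allow the intermediate cache to cache the cookie, because that would send many requests passing through the same CDN to the same back-end server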

Configuration example

listen web_port
    bind 10.0.0.7:80
    balance roundrobin
    mode http                              # tcp mode is not supported
    log global
    cookie WEBSRV insert nocache indirect
    server web1  10.0.0.17:80 check inter 3000 fall 2 rise 5 cookie web1
    server web2  10.0.0.27:80 check inter 3000 fall 2 rise 5 cookie web2

Verifying the cookie

Verification in a browser:

Verification from the command line:

[root@centos6 ~]# curl -i 10.0.0.7
HTTP/1.1 200 OK
date: Thu, 02 Apr 2020 02:26:08 GMT
server: Apache/2.4.6 (CentOS)
last-modified: Thu, 02 Apr 2020 01:44:28 GMT
etag: "a-5a244f0fd5175"
accept-ranges: bytes
content-length: 10
content-type: text/html; charset=UTF-8
set-cookie: WEBSRV=web2; path=/
cache-control: private

10.0.0.27
[root@centos6 ~]#curl -i 10.0.0.7
HTTP/1.1 200 OK
date: Thu, 02 Apr 2020 02:26:15 GMT
server: Apache/2.4.6 (CentOS)
last-modified: Thu, 02 Apr 2020 01:44:13 GMT
etag: "a-5a244f01f8adc"
accept-ranges: bytes
content-length: 10
content-type: text/html; charset=UTF-8
set-cookie: WEBSRV=web1; path=/
cache-control: private

10.0.0.17
[root@centos6 ~]# curl -b WEBSRV=web1 10.0.0.7
10.0.0.17
[root@centos6 ~]# curl -b WEBSRV=web2 10.0.0.7
10.0.0.27
[root@centos6 ~]# curl -vb WEBSRV=web1 10.0.0.7
* About to connect() to 10.0.0.7 port 80 (#0)
*   Trying 10.0.0.7... connected
* Connected to 10.0.0.7 (10.0.0.7) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 10.0.0.7
> Accept: */*
> Cookie: WEBSRV=web1
>
< HTTP/1.1 200 OK
< date: Thu, 02 Apr 2020 02:27:54 GMT
< server: Apache/2.4.6 (CentOS)
< last-modified: Thu, 02 Apr 2020 01:44:13 GMT
< etag: "a-5a244f01f8adc"
< accept-ranges: bytes
< content-length: 10
< content-type: text/html; charset=UTF-8
<
10.0.0.17
* Connection #0 to host 10.0.0.7 left intact
* Closing connection #0
[root@centos6 ~]# curl -vb WEBSRV=web2 10.0.0.7
* About to connect() to 10.0.0.7 port 80 (#0)
*   Trying 10.0.0.7... connected
* Connected to 10.0.0.7 (10.0.0.7) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 10.0.0.7
> Accept: */*
> Cookie: WEBSRV=web2
>
< HTTP/1.1 200 OK
< date: Thu, 02 Apr 2020 02:27:57 GMT
< server: Apache/2.4.6 (CentOS)
< last-modified: Thu, 02 Apr 2020 01:44:28 GMT
< etag: "a-5a244f0fd5175"
< accept-ranges: bytes
< content-length: 10
< content-type: text/html; charset=UTF-8
<
10.0.0.27
* Connection #0 to host 10.0.0.7 left intact
* Closing connection #0

HAProxy status page

The status page shows HAProxy's current running state through a web interface.

Official documentation:

http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#4-stats%20admin

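Status page configuration options

stats enable                # enable the stats page with default parameters
stats hide-version          # hide the haproxy version on the status page
stats refresh <delay>       # auto-refresh interval; no auto-refresh by default
stats uri <prefix>          # custom stats page URI; default: /haproxy?stats
stats realm <realm>         # prompt shown during authentication, e.g.: stats realm HAProxy\ Statistics
stats auth <user>:<passwd>  # user name and password for authentication; may be used several times, one line per user; default: no authentication
stats admin { if | unless } <cond> # enable the management functions of the stats page

Enabling the status page

listen stats
    bind :9999
    stats enable
    #stats hide-version
    stats uri /haproxy-status
    stats realm HAPorxy\ Stats\ Page
    stats auth haadmin:123456             # two users
    stats auth admin:123456
    #stats refresh 30s
    stats admin if TRUE                   # not recommended, for security reasons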
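
The security-relevant settings in this section (a listener reachable on every interface, short shared passwords, stats admin if TRUE, the version left visible) can be checked mechanically. The Python audit below is an added example, not part of the original article or of HAProxy; the function name and the 12-character minimum are assumptions.

```python
# SAMPLE_CFG is the stats section from this page, one directive per line.
SAMPLE_CFG = r"""listen stats
    bind :9999
    stats enable
    #stats hide-version
    stats uri /haproxy-status
    stats realm HAPorxy\ Stats\ Page
    stats auth haadmin:123456
    stats auth admin:123456
    #stats refresh 30s
    stats admin if TRUE
"""

MIN_PASSWORD_LEN = 12  # assumed local policy, not an HAProxy default
ALL_INTERFACES = ("", "*", "0.0.0.0", "::", "[::]")


def audit_stats_section(cfg_text, min_len=MIN_PASSWORD_LEN):
    """Return [(line_number, finding)] for a single listen/frontend section.

    Line number 0 marks a finding about a directive that is missing.
    """
    findings = []
    stats_on = hide_version = has_auth = False
    for lineno, raw in enumerate(cfg_text.splitlines(), start=1):
        # Naive comment stripping: enough here, ignores quoted or escaped '#'.
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "bind" and len(words) > 1:
            host = words[1].rsplit(":", 1)[0]
            if host in ALL_INTERFACES:
                findings.append((lineno, "listener bound to all interfaces"))
        if words[0] != "stats" or len(words) < 2:
            continue
        stats_on = True
        if words[1] == "hide-version":
            hide_version = True
        elif words[1] == "auth" and len(words) > 2:
            has_auth = True
            user, _, password = words[2].partition(":")
            if len(password) < min_len or password.isdigit():
                findings.append((lineno, "weak password for stats user " + user))
        elif words[1] == "admin" and words[2:] == ["if", "TRUE"]:
            findings.append((lineno, "stats admin enabled unconditionally"))
    if stats_on and not has_auth:
        findings.append((0, "stats page has no authentication"))
    if stats_on and not hide_version:
        findings.append((0, "stats hide-version missing: version is disclosed"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_stats_section(SAMPLE_CFG):
        print(lineno, finding)
```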

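Logging in to the status page

pid = 27134 (process #1, nbproc = 1, nbthread = 1) # pid is the current process ID and process the current process number; nbproc and nbthread are the total number of processes and the number of threads per process
uptime = 0d 0h00m04s # how long the process has been running
system limits: memmax = unlimited; ulimit-n = 200029 # system resource limits: memory / maximum open files
maxsock = 200029; maxconn = 100000; maxpipes = 0 # maximum socket connections / maximum connections per process / maximum pipes (maxpipes)
current conns = 2; current pipes = 0/0; conn rate = 2/sec; bit rate = 0.000 kbps # current connections / current pipes / current connection rate
Running tasks: 1/14; idle = 100 %        # running tasks / current idle percentage
active UP:                              # servers that are online
backup UP:                              # servers marked as backup
active UP, going down:                  # health check failing, server is going down
backup UP, going down:                  # backup server is going down
active DOWN, going up:                  # a down server is coming up
backup DOWN, going up:                  # a backup server is coming up
active or backup DOWN:                  # an active or backup server has switched to the down state
not checked:                            # servers marked as not checked
active or backup DOWN for maintenance (MAINT) # active or backup server taken offline manually
active or backup SOFT STOPPED for maintenance # active or backup server soft-stopped manually (weight manually set to 0)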

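Backend server information

session rate (sessions per second):
    cur: current sessions per second
    max: maximum new sessions per second
    limit: limit on new sessions per second
sessions (session information):
    cur: current sessions
    max: maximum sessions
    limit: session limit
    Total: total sessions
    LBTot: total time taken to select a server
    Last: duration of the connection with the server
Bytes (traffic statistics):
    In: total bytes received from the network
    Out: total bytes sent to the network
Denied (denial statistics):
    Req: denied requests
    Resp: denied responses
Errors (error statistics):
    Req: request errors
    conn: connection errors
    Resp: response errors
Warnings (warning statistics):
    Retr: retries
    Redis: re-sends
Server (real server information):
    Status: state of the back-end machine, UP or DOWN
    LastChk: time of the continuous checking of the back-end server
    Wght: weight
    Act: number of active connections
    Bck: number of backup servers
    Chk: heartbeat check time
    Dwn: number of times the back-end server was DOWN after connecting
    Dwntme: total downtime
    Thrtle: server state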

Using the status page to health-check the haproxy server

Example: health-checking haproxy by requesting its status page with curl

[root@centos8 ~]# curl -I http://haadmin:123456@10.0.0.100:9999/haproxy-status
HTTP/1.1 200 OK
cache-control: no-cache
content-type: text/html

[root@centos8 ~]# curl -I -u haadmin:123456 http://10.0.0.100:9999/haproxy-status
HTTP/1.1 200 OK
cache-control: no-cache
content-type: text/html

[root@centos8 ~]#echo $?
0

[root@haproxy ~]#systemctl stop haproxy
[root@centos8 ~]#curl -I http://haadmin:123456@10.0.0.100:9999/haproxy-status
curl: (7) Failed to connect to 10.0.0.100 port 9999: Connection refused
[root@centos8 ~]#echo $?
7

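IP pass-through

Web servers need to record the client's real IP address for access statistics, security protection, behavior analysis, regional ranking and similar purposes.

Layer 4 vs. layer 7

  • Layer 4: IP+PORT forwarding
  • Layer 7: protocol + content switching

Layer 4 load balancing

In a layer 4 load-balancing device, the destination address of the packet sent by the client (originally the load balancer's IP address) is replaced with the IP address of a web server chosen according to the balancer's server-selection rules. The client can then establish a TCP connection directly with that server and send data, and the layer 4 load balancer itself does not take part in establishing the connection. Unlike LVS, haproxy is a pseudo layer 4 load balancer, because haproxy has to establish separate connections with the front-end client and with the back-end server.

Layer 7 proxying

A layer 7 load balancer acts as a reverse proxy. Establishing a TCP connection takes a three-way handshake: to reach a web server, the client first completes the three-way handshake with the layer 7 load balancer and sends it the request. The load balancer then selects a specific web server according to its balancing rules and establishes a TCP connection with that server through another three-way handshake. The web server sends the requested data to the load balancer, which sends it on to the client. The layer 7 load balancer therefore acts as a proxy server and has to establish separate connections with the client and with the back-end server.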

[root@haproxy ~]# tcpdump tcp -i eth0   -nn port ! 22 -w dump-tcp.pcap -v
[root@haproxy ~]# tcpdump tcp -i eth1   -nn port ! 22 -w dump-tcp2.pcap -v

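Layer 4 IP pass-through

#haproxy configuration:
listen web_prot_http_nodes
    bind  172.16.0.100:80
    mode tcp
    balance roundrobin
    server web1 www.wangxiaochun.com:80 send-proxy check inter 3000 fall 3 rise 5

#nginx configuration: the variable $proxy_protocol_addr records the client IP that was passed through
http {
    log_format main  '$remote_addr - $remote_user [$time_local] "$request" "$proxy_protocol_addr"';
    server {
        listen       80 proxy_protocol; # once this is enabled the site can no longer be accessed directly, only through the layer 4 proxy
        server_name www.wangxiaochun.com;
......

In a packet capture, the continuation data can be seen to carry the client's source IP.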

#before proxy_protocol is enabled on nginx
[root@internet ~]# curl 172.16.0.100
<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>
</html>

[root@VM_0_10_centos ~]# tail -f /apps/nginx/logs/nginx.access.log
111.199.187.69 - - [09/Apr/2020:20:48:51 +0800] "PROXY TCP4 10.0.0.100 58.87.87.99 35948 80" sendfileon
111.199.187.69 - - [09/Apr/2020:20:48:54 +0800] "PROXY TCP4 10.0.0.100 58.87.87.99 35952 80" sendfileon
111.199.187.69 - - [09/Apr/2020:20:48:57 +0800] "PROXY TCP4 10.0.0.100 58.87.87.99 35954 80" sendfileon

#enable the log format and proxy_protocol on the nginx server
[root@VM_0_10_centos ~]# vim /apps/nginx/conf/nginx.conf
http {
.......
    # log_format must end with ';', otherwise nginx appends the following "sendfile on" tokens to the format (the "sendfileon" suffix in the log lines shown here)
    log_format main  '$remote_addr - $remote_user [$time_local] "$request" "$proxy_protocol_addr"';
    sendfile       on;
    keepalive_timeout  65;
    client_max_body_size 100m;
    server {
        listen       80 default_server proxy_protocol ;
......

#after proxy_protocol is enabled on nginx, the client's real source IP is visible
[root@VM_0_10_centos ~]# tail -f /apps/nginx/logs/nginx.access.log
111.199.187.69 - - [09/Apr/2020:20:52:52 +0800] "GET / HTTP/1.1" "172.16.0.200"sendfileon
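
The request line logged before proxy_protocol was enabled ("PROXY TCP4 10.0.0.100 58.87.87.99 35948 80") is the PROXY protocol v1 header that send-proxy prepends to the connection. The parser below is an added example, not code from the original article, nginx or HAProxy; it shows the header format and why a receiver should honour it only when the TCP peer is a known proxy. The peer address 192.0.2.10 and the HTTP payload are constructed.

```python
import ipaddress

MAX_V1_LINE = 107  # longest v1 header line, CRLF included, per the PROXY protocol spec

# Header line taken from this page's nginx log, followed by a constructed request.
SAMPLE = (b"PROXY TCP4 10.0.0.100 58.87.87.99 35948 80\r\n"
          b"GET / HTTP/1.1\r\nHost: www.wangxiaochun.com\r\n\r\n")


def parse_proxy_v1(data, peer_ip, trusted_proxies):
    """Split a PROXY protocol v1 header off the start of `data`.

    Returns (client_ip, client_port, payload). The header is honoured only
    when the TCP peer is a known proxy; any other sender could forge it.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        raise PermissionError("PROXY header from untrusted peer " + peer_ip)
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing, unterminated or oversized PROXY v1 line")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return peer_ip, None, payload   # proxy could not tell: fall back to the peer
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 line")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match " + fields[1])
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("non-numeric port")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return str(src), sport, payload


if __name__ == "__main__":
    print(parse_proxy_v1(SAMPLE, "192.0.2.10", ["192.0.2.10/32"]))
```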

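Layer 7 IP pass-through

How to pass the client's real IP through to the back-end server when haproxy works at layer 7.

HAProxy configuration

Adds an "X-Forwarded-For" header to the requests haproxy sends to the back-end hosts, with the front-end client's address as its value; it is used to send the real client IP to the back-end hosts.

option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
[ except <network> ]: do not add the header when the request comes from the specified network, e.g. the network haproxy itself is on
[ header <name> ]: use a custom header name instead of "X-Forwarded-For", e.g. X-client
[ if-none ]: add the header only if it is not already present; if it is present, the existing value is used

Example:

#haproxy configuration
defaults
    option forwardfor   # this is the default; the header name defaults to X-Forwarded-For
    #or use a custom header, X-client:
    option forwardfor except 127.0.0.0/8 header X-client

#listen configuration
listen web_host
    bind 10.0.0.7:80
    mode http
    log global
    balance random
    server web1 10.0.0.17:80 weight 1 check inter 3000 fall 2 rise 5
    server web2 10.0.0.27:80 weight 1 check inter 3000 fall 2 rise 5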

Web server log format configuration

Configure the web server to record the client IP address passed through by the load balancer.

#apache configuration:
LogFormat "%{X-Forwarded-For}i %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

#nginx log format:
$proxy_add_x_forwarded_for: includes the client IP and the IPs of all intermediate proxies
$http_x_forwarded_For: only the client IP
log_format main  '"$proxy_add_x_forwarded_for" - $remote_user [$time_local] "$request" '
                 '$status $body_bytes_sent "$http_referer" '
                 '"$http_user_agent" $http_x_forwarded_For';

[root@centos8 ~]#tail /var/log/nginx/access.log
"172.16.0.200, 10.0.0.100" 10.0.0.100 - - [09/Apr/2020:19:10:16 +0800] "GET / HTTP/1.1" 200 4057 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "172.16.0.200"

#tomcat configuration: server.xml under the conf directory
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log" suffix=".txt"
       pattern="%{X-Forwarded-For}i %h %l %u %t &quot;%r&quot; %s %b" />

Verifying the client IP address

Apache log:

[root@centos7 ~]#vim /etc/httpd/conf/httpd.conf
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
[root@centos7 ~]#systemctl restart httpd

[root@centos6 ~]#hostname -I
10.0.0.6
[root@centos6 ~]#curl   http://10.0.0.7
10.0.0.17
[root@centos7 ~]#tail -f /var/log/httpd/access_log
10.0.0.6 10.0.0.7 - - [01/Apr/2020:01:08:31 +0800] "GET / HTTP/1.1" 200 10 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
10.0.0.6 10.0.0.7 - - [01/Apr/2020:01:08:33 +0800] "GET / HTTP/1.1" 200 10 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
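
X-Forwarded-For is an ordinary request header, so a client can send its own value; option forwardfor then adds the address haproxy actually saw as the last entry. The added example below (not from the original article) resolves the client address by walking the chain from the right and skipping only trusted proxy addresses; the function name and the trusted list are assumptions, and the cases are constructed from this page's addresses (client 10.0.0.6, haproxy 10.0.0.7).

```python
import ipaddress


def client_ip_from_xff(xff_value, remote_addr, trusted_proxies):
    """Return the nearest hop that is not one of our own proxies.

    xff_value   -- the X-Forwarded-For value as logged (comma-separated)
    remote_addr -- the TCP peer the web server saw (%h in the Apache format)
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    hops = [h.strip() for h in xff_value.split(",") if h.strip()] + [remote_addr]
    client = remote_addr
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                 # unparsable entry: keep the last verified hop
        client = str(addr)
        if not any(addr in net for net in nets):
            break                 # first hop we do not operate: the real peer
    return client


# Constructed cases: (X-Forwarded-For value, TCP peer seen by the web server).
CASES = [
    ("10.0.0.6", "10.0.0.7"),                 # normal request through haproxy
    ("203.0.113.9, 10.0.0.6", "10.0.0.7"),    # client sent its own header first
    ("203.0.113.9", "10.0.0.6"),              # client connected without haproxy
    ("not-an-ip, 10.0.0.6", "10.0.0.7"),      # garbage in the client-sent part
]


def resolve_cases(trusted=("10.0.0.7/32",)):
    return [client_ip_from_xff(xff, peer, trusted) for xff, peer in CASES]


if __name__ == "__main__":
    for (xff, peer), ip in zip(CASES, resolve_cases()):
        print("%-24s via %-9s -> %s" % (xff, peer, ip))
```

With if-none, haproxy leaves a client-supplied header untouched, so the last entry is no longer written by the proxy and this rule cannot be relied on.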

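Modifying HTTP messages

In http mode, client request and response messages can be modified as needed: reqadd and reqdel add and delete fields in the request, and rspadd and rspidel add and delete fields in the response.

Note: the following directives for this feature were removed in version 2.1.

Official documentation: see the 2.0 documentation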

http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4-rspadd
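#append the specified header to the end of requests forwarded to the back-end server
reqadd <string> [{if | unless} <cond>]
Example:
reqadd X-Via:\ HAPorxy

#delete headers matching the regular expression from requests forwarded to the back-end server
reqdel <search> [{if | unless} <cond>]
reqidel <search> [{if | unless} <cond>]   # case-insensitive
Example:
reqidel user-agent

#append the specified header to the end of responses forwarded to the front-end client
rspadd <string> [{if | unless} <cond>]
Example:
rspadd X-Via:\ HAPorxy
rspadd Server:\ wanginx

#delete headers matching the regular expression from responses forwarded to the front-end client
rspdel <search> [{if | unless} <cond>]
rspidel <search> [{if | unless} <cond>]   # case-insensitive
Example:
rspidel ^server:.*           # remove the Server information from the response
rspidel X-Powered-By:.*      # remove X-Powered-By from the response; this header usually carries the PHP version

From version 2.1 on, use the http-request and http-response directives below instead.

Official documentation: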

http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4-http-request
http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#4-http-response

Configuration notes:

http-request add-header <name> <fmt> [ { if | unless } <condition> ]
Example: http-request add-header X-Haproxy-Current-Date %T
http-request del-header <name> [ { if | unless } <condition> ]

http-response add-header <name> <fmt> [ { if | unless } <condition> ]
http-response del-header <name>
#Example:
http-response del-header Server

Example:

#add a header to requests sent to the back-end server
vim haproxy.cfg
frontend main *:80
#       bind *:80
    default_backend websrvs
    reqadd testheader:\ haporxyserver   # add this line; there is only one space, and it must be escaped

#on the back-end httpd server
vim /etc/httpd/conf/httpd.conf
LogFormat "%{testheader}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

#view the log
tail -f /var/log/httpd/access_log

Example:

#add a response header
vim haproxy.cfg
frontend main *:80
#       bind *:80
    default_backend websrvs
    rspadd X-Via:\ HAPorxy-1   # add this line
    maxconn         5000

#access the site from a client in debug mode and look at the response headers; you will see
Server: Apache/2.2.15 (CentOS)    (shown by default)
X-Via: HAPorxy-1

Example:

#delete the Server header from the response
vim haproxy.cfg
frontend main *:80
#       bind *:80
    default_backend websrvs
    rspadd X-Via:\ HAPorxy-1
    rspdel Server                       # add this line, or use "rspidel server", which ignores case
    rspidel X-Powered-By:.*             # remove the PHP version
    maxconn         5000

#access the site from a client in debug mode and look at the response headers; you will see
Server: Apache/2.2.15 (CentOS)    (this line disappears)
X-Via: HAPorxy-1

Example:

#add a response header to disguise the Server header
vim haproxy.cfg
frontend main *:80
#       bind *:80
    default_backend websrvs
    rspadd X-Via:\ HAPorxy-1
    rspdel Server              # or rspidel server
    rspadd Server:\ wanginx    # add this line

[root@internet ~]#curl -i   172.16.0.100
HTTP/1.1 200 OK
date: Thu, 09 Apr 2020 08:32:10 GMT
last-modified: Thu, 09 Apr 2020 01:23:18 GMT
etag: "f-5a2d17630635b"
accept-ranges: bytes
content-length: 15
content-type: text/html; charset=UTF-8
server: wanginx

RS1 10.0.0.17

Example:

[root@centos7 ~]#vim /etc/haproxy/haproxy.cfg
listen web_port
    bind 10.0.0.7:80
    http-request add-header X-Haproxy-Current-Date %T
    http-response del-header server
    mode http
    log global
    option httpchk
    http-check expect status 200
    server web1  10.0.0.17:80 check inter 3000 fall 2 rise 5
    server web2  10.0.0.27:80 check inter 3000 fall 2 rise 5

#view the back-end server log
tail -f /var/log/httpd/access_log
10.0.0.7 - - [05/Apr/2020:20:13:48 +0800] "GET / HTTP/1.1" 200 10 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2" "05/Apr/2020:12:13:48 +0000"

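Custom log format

log global enables logging; by default only entries in the following format are recorded.

[root@haproxy ~]#tail /var/log/haproxy.log
Apr 9 19:38:46 localhost haproxy[60049]: Connect from 172.16.0.200:54628 to 172.16.0.100:80 (web_prot_http_nodes/HTTP)

option httplog records entries in HTTP format, and related directives can be used to record specific information in the haproxy log. It is generally not recommended to enable it, however, because it increases the load on HAProxy.

Configuration options

log global                                  # enable logging; off by default
option httplog                              # enable the httplog log format
capture cookie <name> len <length>          # capture the cookie in requests and responses and log it
capture request header <name> len <length>  # capture the specified request header, up to the given length, and log it
capture response header <name> len <length> # capture the specified response header, up to the given length, and log it

#Example: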
log global  
option httplog
capture request header Host len  256
capture request header User-Agent len 512  
capture request header Referer len 15
capture request header X-Forwarded-For len 15

With only log global and option httplog enabled, log entries look like this:

[root@haproxy ~]#tail /var/log/haproxy.log
Apr 9 19:42:02 localhost haproxy[60236]: 172.16.0.200:54630 [09/Apr/2020:19:42:02.623] web_prot_http_nodes web_prot_http_nodes/web1 0/0/1/1/2 200 4264 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"

Configuration example

listen web_host
    bind 10.0.0.7:80
    mode http
    balance roundrobin
    log global                                        # enable logging
    option httplog                                    # enable the httplog log format
    capture request header User-Agent len 512         # record this header in the log
    capture request header Host len  256              # record this header in the log
    cookie SERVER-COOKIE insert indirect nocache
    server web1 10.0.0.17:80 cookie web1 check inter 3000 fall 3 rise 5
    server web2 10.0.0.27:80 cookie web2 check inter 3000 fall 3 rise 5

Verifying the log format

[root@centos7 ~]#tail -n3 /var/log/haproxy.log
Apr  2 12:44:26 localhost haproxy[27637]: 10.0.0.6:50004 [02/Apr/2020:12:44:26.817] web_port web_port/web1 0/0/0/2/3 200 42484 - - --NI 1/1/0/0/0 0/0 {curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2|10.0.0.7} "GET /test.php HTTP/1.1"
Apr  2 12:44:27 localhost haproxy[27637]: 10.0.0.6:50006 [02/Apr/2020:12:44:27.294] web_port web_port/web2 0/0/0/1/1 404 370 - - --NI 1/1/0/0/0 0/0 {curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2|10.0.0.7} "GET /test.php HTTP/1.1"
Apr  2 12:44:27 localhost haproxy[27637]: 10.0.0.6:50008 [02/Apr/2020:12:44:27.840] web_port web_port/web1 0/0/0/3/4 200 42484 - - --NI 1/1/0/0/0 0/0 {curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2|10.0.0.7} "GET /test.php HTTP/1.1"
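
The httplog lines above can be parsed field by field, and the four-character termination state (--NI here) also records what happened to the persistence cookie. This added example (not from the original article) parses the format shown on this page and counts, per client, requests whose cookie matched no configured server (third flag character I); the second sample line is constructed, and the function names are assumptions.

```python
import re

HTTPLOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+):(?P<port>\d+) \[(?P<time>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/ ]+)/(?P<server>\S+) (?P<timers>\S+) '
    r'(?P<status>-?\d+) (?P<bytes>\+?\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<flags>\S{4}) (?P<conns>\S+) (?P<queues>\S+) '
    r'(?:\{(?P<req_headers>[^}]*)\} )?(?:\{(?P<resp_headers>[^}]*)\} )?'
    r'"(?P<request>[^"]*)"'
)

# Third character of the termination state: the client's persistence cookie.
CLIENT_COOKIE = {"N": "none sent", "I": "invalid", "D": "server down",
                 "V": "valid", "-": "not applicable"}

LOG_LINES = [
    # From this page (wrapped lines joined).
    'Apr  2 12:44:26 localhost haproxy[27637]: 10.0.0.6:50004 '
    '[02/Apr/2020:12:44:26.817] web_port web_port/web1 0/0/0/2/3 200 42484 - - --NI '
    '1/1/0/0/0 0/0 {curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 '
    'zlib/1.2.3 libidn/1.18 libssh2/1.4.2|10.0.0.7} "GET /test.php HTTP/1.1"',
    # Constructed: the client sent a cookie value that names no configured server.
    'Apr  2 12:45:01 localhost haproxy[27637]: 10.0.0.6:50010 '
    '[02/Apr/2020:12:45:01.102] web_port web_port/web2 0/0/0/1/1 200 370 - - --II '
    '1/1/0/0/0 0/0 {curl/7.19.7|10.0.0.7} "GET / HTTP/1.1"',
]


def parse_httplog(line):
    """Return a dict of httplog fields, or None if the line does not match."""
    m = HTTPLOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Captured headers appear in the order of the "capture request header" lines.
    hdrs = rec["req_headers"]
    rec["req_headers"] = hdrs.split("|") if hdrs is not None else []
    rec["client_cookie"] = CLIENT_COOKIE.get(rec["flags"][2], "other")
    return rec


def invalid_cookie_clients(lines):
    """Count, per client IP, requests whose persistence cookie matched no server."""
    counts = {}
    for line in lines:
        rec = parse_httplog(line)
        if rec and rec["flags"][2] == "I":
            counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts


if __name__ == "__main__":
    print(invalid_cookie_clients(LOG_LINES))
```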

HAProxy compression

Compresses responses sent to clients to save network bandwidth, at the cost of some CPU. It is recommended to enable compression on the back-end servers rather than on HAProxy.

Configuration options

compression algo <algorithm> ...         # enable compression in the HTTP protocol; common algorithms are gzip and deflate
<algorithm> supports the following types:
    identity                             # compression method used for debugging
    gzip                                 # the common method; good compatibility with browsers
    deflate                              # not supported by some browsers
    raw-deflate                          # a newer compression method
compression type <mime type> ...         # the file types to compress

#Example:
compression algo gzip deflate
compression type text/html text/css text/plain

Configuration example

listen web_host
    bind 10.0.0.7:80
    mode http
    balance roundrobin
    log global
    option httplog
    compression algo gzip deflate
    compression type text/plain text/html text/css text/xml text/javascript application/javascript
    server web1 10.0.0.17:80 cookie web1 check inter 3000 fall 3 rise 5
    server web2 10.0.0.27:80 cookie web2 check inter 3000 fall 3 rise 5

#prepare a text file on the back-end server
[root@centos7 ~]#ll /var/www/html/m.txt -h
-rwxr-xr-x 1 root root 772K Apr  2 12:56 /var/www/html/m.txt

Verifying compression

[root@centos6 ~]#curl -is --compressed   10.0.0.7/m.txt|less
HTTP/1.1 200 OK
date: Thu, 02 Apr 2020 05:00:26 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
last-modified: Thu, 02 Apr 2020 04:56:25 GMT
etag: W/"c0ef6-5a2479f7aee68"
accept-ranges: bytes
content-type: text/plain; charset=UTF-8
set-cookie: WEBSRV=web1; path=/
cache-control: private
content-encoding: deflate
transfer-encoding: chunked
vary: Accept-Encoding

Feb  2 18:49:27 centos7 journal: Runtime journal is using 6.0M (max allowed 48.6M, trying to leave 72.9M free of 480.1M available → current limit 48.6M).
Feb  2 18:49:27 centos7 kernel: Initializing cgroup subsys cpuset
Feb  2 18:49:27 centos7 kernel: Initializing cgroup subsys cpu
Feb  2 18:49:27 centos7 kernel: Initializing cgroup subsys cpuacct
......

Web service health checking

Three health-check methods

Check the layer 4 transport port; this is the default method
Check a specified URI
Check the content of the request headers for a specified URI; this method is recommended

HTTP-based (application layer) health checks

Based on the application-layer HTTP protocol, different check methods are used to monitor the state of the back-end real servers.

option httpchk          # enable layer 7 health checks; supported in both tcp and http modes; default: OPTIONS / HTTP/1.0
option httpchk <uri>
option httpchk <method> <uri>
option httpchk <method> <uri> <version>

#the response code expected from the checks above
http-check expect [!] <match> <pattern>
#Example:
http-check expect status 200
http-check expect ! rstatus ^5

<version> is the optional HTTP version string. It defaults to "HTTP/1.0" but some servers might behave incorrectly in HTTP 1.0, so turning it to HTTP/1.1 may sometimes help. Note that the Host field is mandatory in HTTP/1.1, and as a trick, it is possible to pass it after "\r\n" following the version string.

Configuration example

listen web_host
    bind 10.0.0.7:80
    mode http
    balance roundrobin
    #option httpchk GET /monitor/check.html               # defaults to HTTP/1.0
    #option httpchk GET /monitor/check.html HTTP/1.0
    #option httpchk GET /monitor/check.html HTTP/1.1     # note: HTTP/1.1 requires a Host field
    option httpchk HEAD /monitor/check.html HTTP/1.1\r\nHost:\ 10.0.0.7 # use HEAD to reduce network traffic
    cookie SERVER-COOKIE insert indirect nocache
    server web1 10.0.0.17:80 cookie web1 check inter 3000 fall 3 rise 5
    server web2 10.0.0.27:80 cookie web2 check inter 3000 fall 3 rise 5

#create the check page on all back-end servers
[root@backend ~]#mkdir /var/www/html/monitor/
[root@backend ~]#echo monitor > /var/www/html/monitor/check.html

#stop one back-end server
[root@backend1 ~]#systemctl stop httpd

Verifying the HTTP check

On the status page you can see that layer 7 checking is enabled: the LastChk field shows L7.

#view the access log on the back-end server
[root@backend ~]#tail /var/log/httpd/access_log
10.0.0.7 - - [02/Apr/2020:14:25:22 +0800] "HEAD /monitor/check.html HTTP/1.1" 200 - "-" "-"
10.0.0.7 - - [02/Apr/2020:14:25:25 +0800] "HEAD /monitor/check.html HTTP/1.1" 200 - "-" "-"
10.0.0.7 - - [02/Apr/2020:14:25:28 +0800] "HEAD /monitor/check.html HTTP/1.1" 200 - "-" "-"
