[HAProxy] HAProxy Tutorial – Load-Balancer on Ubuntu 16.04

Basic installation and configuration

Installation

sudo apt-get install haproxy

Checking the configuration and restarting

haproxy -v  # print the version
haproxy -f /etc/haproxy/haproxy.cfg -c  # check the configuration file for errors
service haproxy restart

Configuration - example of /etc/haproxy/haproxy.cfg after setup:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend loadbalance
        bind *:80
        bind *:443 ssl crt /etc/ssl/private/server.pem
        option forwardfor
        default_backend webservers

backend webservers
        balance roundrobin
        #balance source
        server ssl-server 139.16.54.23:443 check ssl verify none
        #server normal-webserver 192.168.1.13:80 check
        option httpchk

Key points of the configuration above:

  1. The load balancer serves both HTTP and HTTPS

  2. The backend nodes demonstrate both HTTP and HTTPS connections


HAProxy SSL setup

Unlike a web server, HAProxy can be configured with a single combined PEM file: the server certificate, the server key and the intermediate certificate can all be bundled into one file. The configuration looks like this:

frontend load-balancer
        bind *:80
        bind *:443 ssl crt /etc/ssl/private/all-in-one.pem
        option forwardfor
        default_backend webservers

Building the combined PEM

sudo cat /etc/ssl/xip.io/xip.io.crt /etc/ssl/xip.io/xip.io.key | sudo tee /etc/ssl/private/server.pem

To include an intermediate certificate (Intermediate SSL certificate), bundle it into the same PEM file.
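The concatenation above is the whole recipe, but two details decide whether the result is safe and works: the file holds a private key, so it must not end up world-readable (a bare "sudo tee" creates it under the default umask), and HAProxy presents the chain in file order, so the leaf certificate must come first with intermediates after it (the key may sit anywhere, last by convention). The following shell functions, added here as an example and not part of the original tutorial, build the bundle that way and, on a host with openssl, confirm the key really belongs to the certificate. All paths are hypothetical arguments; no real key material is embedded.

```shell
# Added example, not part of the original tutorial: assemble the all-in-one PEM
# that HAProxy's "crt" directive reads (leaf certificate, then any intermediates,
# then the private key) without leaving the key world-readable.
# Paths are hypothetical arguments; no real key material is embedded here.

# build_pem OUT LEAF_CERT PRIVATE_KEY [INTERMEDIATE_CERT...]
build_pem() {
    out="$1"; cert="$2"; key="$3"; shift 3

    # Refuse inputs that are clearly the wrong kind of file before writing anything.
    grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "build_pem: no certificate in $cert" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key"       || { echo "build_pem: no private key in $key" >&2; return 1; }
    for inter in "$@"; do
        grep -q 'BEGIN CERTIFICATE' "$inter" || { echo "build_pem: no certificate in $inter" >&2; return 1; }
    done

    # Create the output owner-only (0600) before any key bytes land in it.
    ( umask 077; : > "$out" ) && chmod 600 "$out" || return 1

    # Order matters for the chain HAProxy presents: leaf first, intermediates after.
    cat "$cert" >> "$out"
    for inter in "$@"; do
        cat "$inter" >> "$out"
    done
    cat "$key" >> "$out"
}

# verify_pem_pair LEAF_CERT PRIVATE_KEY -> 0 if the key matches the certificate.
# Needs openssl and real material, so it is kept separate from build_pem.
verify_pem_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout)        || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage on a host (paths as in the tutorial):
#   verify_pem_pair /etc/ssl/xip.io/xip.io.crt /etc/ssl/xip.io/xip.io.key &&
#   build_pem /etc/ssl/private/server.pem /etc/ssl/xip.io/xip.io.crt /etc/ssl/xip.io/xip.io.key
```

Run build_pem as root (or with sudo) so the bundle can be written into /etc/ssl/private; after reloading HAProxy, "haproxy -f /etc/haproxy/haproxy.cfg -c" will also complain if the bundle is missing a key or a certificate.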


TCP Mode - Layer 4 Load Balancing

This mode is best combined with NAT mode to address the client IP problem. Example configuration:

frontend layer4-load-balancer
        bind *:80
        bind *:443
        option tcplog
        mode tcp
        default_backend layer4nodes

backend layer4nodes
        mode tcp
        server new-cloud-server 220.130.123.201:443

HAProxy Statistics (dashboard)

Example for version 1.5 and above:

# HAProxy Statistics
listen  stats
        bind :9000
        mode http
        stats enable  # Enable stats page
        stats hide-version  # Hide HAProxy version
        stats realm Haproxy\ Statistics  # Title text for popup window
        stats uri /haproxy_stats  # Stats URI
        stats auth Username:Password  # Authentication credentials

After configuring as above, open:

http://{haproxy_host}:9000/haproxy_stats
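Two of the snippets above carry settings worth re-checking before a config goes live: the backend server line with "ssl verify none" (HAProxy accepts any certificate from the backend, so a redirected connection is not detected) and the stats block, which is reachable on every interface via "bind :9000" and still carries the placeholder "Username:Password". The audit below, added here as an example and not part of the original tutorial, reads an haproxy.cfg and reports those conditions plus a missing "no-sslv3"; the section labels and messages are this script's own.

```shell
# Added example, not part of the original tutorial: a read-only audit of an
# haproxy.cfg for the weak settings that appear in the tutorial's snippets:
# "ssl verify none" on a backend server, a stats page with no auth or with the
# placeholder credentials, a stats listener bound on every interface, and a
# missing "no-sslv3". It changes nothing; it only prints findings.

# audit_haproxy_cfg FILE -> one finding per line (sorted); returns 1 if any were found
audit_haproxy_cfg() {
    findings=$(awk '
        # Drop comments and leading blanks; skip lines with nothing left.
        { line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line) }
        line == "" { next }
        # Remember which section a directive belongs to.
        $1 == "global" || $1 == "defaults" || $1 == "frontend" || $1 == "backend" || $1 == "listen" {
            section = ($2 == "" ? $1 : $1 " " $2); next
        }
        # A TLS backend whose certificate is never checked can be redirected to any host.
        $1 == "server" && line ~ /[ \t]ssl([ \t]|$)/ && line ~ /verify[ \t]+none/ {
            print section ": server \"" $2 "\" uses ssl verify none (backend certificate not checked)"
        }
        $1 == "stats" && $2 == "enable" { stats_on[section] = 1 }
        $1 == "stats" && $2 == "auth" {
            stats_auth[section] = 1
            if ($3 == "Username:Password")
                print section ": stats auth still uses the placeholder credentials"
        }
        # "bind :9000" or "bind *:9000" listens on every interface.
        $1 == "bind" && $2 ~ /^[*]?:[0-9]+$/ { bind_all[section] = 1 }
        $1 == "ssl-default-bind-options" && line ~ /no-sslv3/ { no_sslv3 = 1 }
        END {
            for (s in stats_on) {
                if (!(s in stats_auth))
                    print s ": stats page enabled without stats auth"
                if (s in bind_all)
                    print s ": stats listener bound on all interfaces; use a management address or an ACL"
            }
            if (!no_sslv3)
                print "global: ssl-default-bind-options no-sslv3 missing (SSLv3 still negotiable)"
        }
    ' "$1" | sort)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage on a host:  audit_haproxy_cfg /etc/haproxy/haproxy.cfg
```

The non-zero return makes it usable as a pre-reload gate next to "haproxy -c". For the stats listener, binding to a management address (for example "bind 127.0.0.1:9000" or an internal IP) and choosing real credentials is the fix; "ssl verify none" should be replaced by "verify required" with a "ca-file" pointing at the CA that issued the backend certificate.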

Real client IP on the backend web servers

Nginx: ngx_http_realip_module

Apache: mod_remoteip


HTTP to HTTPS

HAProxy - Redirecting HTTP Requests

Add to the frontend configuration:

acl http      ssl_fc,not
http-request redirect scheme https if http

Log

(To be confirmed) The quickest way is to configure log collection in /etc/rsyslog.d/haproxy.conf. The facility in the last line must match the facility named in the log lines of the global section (the example config above logs to local0 and local1, so either local2 here or HAProxy's log lines need to be adjusted):

$ModLoad imudp
$UDPServerAddress 127.0.0.1   # bind address must be set before the listener is started
$UDPServerRun 514
local2.*    /var/log/haproxy/haproxy.log

Production deployments normally use rsyslog for this.
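Once the lines are landing in /var/log/haproxy/haproxy.log, the httplog format enabled in the defaults section above puts the client address in the 6th whitespace-separated field, the backend/server in the 9th and the HTTP status in the 11th. The two awk helpers below, added here as an example and not part of the original tutorial, use that layout to answer the two questions an operator asks first: which backend is returning 5xx (server failures, visible as "SC--"/"SH--" termination states) and which client is generating the most 4xx (a typical probe signature). The sample log lines are constructed, not captured from a real host.

```shell
# Added example, not part of the original tutorial: triage helpers for the
# httplog lines that rsyslog writes to /var/log/haproxy/haproxy.log.
# Field positions follow HAProxy's default HTTP log format:
#   $5 = haproxy[pid]:  $6 = client:port  $9 = backend/server  $11 = HTTP status
# Aborted requests log status -1, which the digit patterns below ignore.

# write_sample_log FILE - constructed httplog lines used for the demonstration
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 10 12:00:01 lb haproxy[1234]: 203.0.113.10:51234 [10/Mar/2016:12:00:01.123] loadbalance webservers/ssl-server 0/0/1/12/13 200 1234 - - ---- 1/1/0/0/0 0/0 "GET /index.html HTTP/1.1"
Mar 10 12:00:02 lb haproxy[1234]: 203.0.113.10:51235 [10/Mar/2016:12:00:02.223] loadbalance webservers/ssl-server 0/0/-1/-1/5 503 212 - - SC-- 1/1/0/0/3 0/0 "GET /api HTTP/1.1"
Mar 10 12:00:03 lb haproxy[1234]: 203.0.113.77:40001 [10/Mar/2016:12:00:03.001] loadbalance webservers/ssl-server 0/0/1/3/4 404 300 - - ---- 1/1/0/0/0 0/0 "GET /.env HTTP/1.1"
Mar 10 12:00:03 lb haproxy[1234]: 203.0.113.77:40002 [10/Mar/2016:12:00:03.205] loadbalance webservers/ssl-server 0/0/1/3/4 404 300 - - ---- 1/1/0/0/0 0/0 "GET /wp-login.php HTTP/1.1"
Mar 10 12:00:04 lb haproxy[1234]: 203.0.113.77:40003 [10/Mar/2016:12:00:04.410] loadbalance webservers/ssl-server 0/0/1/3/4 404 300 - - ---- 1/1/0/0/0 0/0 "GET /phpmyadmin/ HTTP/1.1"
Mar 10 12:00:05 lb haproxy[1234]: 203.0.113.10:51236 [10/Mar/2016:12:00:05.000] loadbalance webservers/ssl-server 0/0/-1/-1/5 503 212 - - SC-- 1/1/0/0/3 0/0 "GET /api HTTP/1.1"
Mar 10 12:00:06 lb haproxy[1234]: 203.0.113.10:51237 [10/Mar/2016:12:00:06.000] loadbalance webservers/normal-webserver 0/0/1/-1/40 502 212 - - SH-- 1/1/0/0/0 0/0 "POST /login HTTP/1.1"
Mar 10 12:00:07 lb haproxy[1234]: 203.0.113.10:51238 [10/Mar/2016:12:00:07.000] loadbalance webservers/ssl-server 0/0/1/12/13 403 120 - - ---- 1/1/0/0/0 0/0 "GET /admin HTTP/1.1"
EOF
}

# haproxy_5xx_by_backend LOG -> "backend/server count", most failures first
haproxy_5xx_by_backend() {
    awk '$5 ~ /^haproxy\[/ && $11 ~ /^5[0-9][0-9]$/ { n[$9]++ }
         END { for (b in n) print b, n[b] }' "$1" | sort -k2,2nr -k1,1
}

# haproxy_4xx_by_client LOG -> "client_ip count", noisiest first (port stripped from $6;
# works for IPv6 too because the port always follows the last colon)
haproxy_4xx_by_client() {
    awk '$5 ~ /^haproxy\[/ && $11 ~ /^4[0-9][0-9]$/ { ip = $6; sub(/:[0-9]+$/, "", ip); n[ip]++ }
         END { for (c in n) print c, n[c] }' "$1" | sort -k2,2nr -k1,1
}

# Usage on a host:
#   haproxy_5xx_by_backend /var/log/haproxy/haproxy.log
#   haproxy_4xx_by_client  /var/log/haproxy/haproxy.log
```

With the forwardfor option from the frontend above, the address in field 6 is the real client as seen by HAProxy; on the backends the same value arrives in X-Forwarded-For, which is what the realip modules in the previous section consume.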
