
Prezentacja zimowisko 2014

HaProxy configuration and applications
Published on: Mar 4, 2016
Published in: Software      
Source: www.slideshare.net


Transcript - Prezentacja zimowisko 2014

1. HaProxy – capabilities and applications
Marek Oszczapiński
m.oszczapinski@polskapresse.pl
oczek@oczek.com

2. Agenda
● Introduction
● HaProxy
● Configuration and applications
● Summary

3. Load balancing
● Hardware – F5, Cisco LD, loadbalancer.org
● Network – L2 and L3
● Software

4. Software load balancers
● HaProxy
● Pound
● Varnish
● Squid
● Nginx
● Pen
● and many others...

5. HaProxy
● Free
● Very fast
● HA (high availability)
● Load balancing
● TCP and HTTP(S) proxy
● Multi-platform
● Secure

6. HaProxy configuration sections
● global
● defaults
● backend
● frontend
● listen
7. Configuration – global

    global
        # syslog listens on UDP 514; the slide shows port 520 (the RIP port), which
        # looks like a typo. "debug" is the most verbose log level.
        log 127.0.0.1:514 local1 debug
        maxconn 4096
        # uid/gid take numeric IDs; names belong to user/group
        user www
        group www
        daemon
        pidfile /var/run/haproxy.pid
        # "level admin" lets whoever can open this socket disable servers and shut
        # down frontends (see slide 28), so keep it out of a world-writable directory
        # such as /tmp (e.g. /var/run/haproxy/admin.sock) and owned by the haproxy user
        stats socket /tmp/haproxy mode 0600 level admin

8. Configuration – defaults

    defaults
        log global
        mode http
        balance roundrobin
        option httplog
        # per-frontend limit; the global maxconn (4096 above) still caps the whole process
        maxconn 8192
        # the slide uses the older contimeout/clitimeout/srvtimeout keywords, which
        # HAProxy has deprecated in favour of these
        timeout connect 30s
        timeout client 30s
        timeout server 30s

9. Configuration – backend, frontend, listen

    backend apache
        # inter/fall/rise only take effect once "check" enables health checking
        # (the slide leaves it out)
        server www 192.168.0.1:80 check inter 3000 fall 2 rise 2

    frontend web.example.tld
        bind 1.1.1.1:80
        default_backend apache

    # "listen" is the frontend and backend in one section; shown here as an
    # alternative to the pair above, not in addition to it
    listen web.example.tld
        bind 1.1.1.1:80
        server www 192.168.0.1:80 check inter 3000 fall 2 rise 2

10. Configuration – HaProxy HA (table replication between two nodes)

    peers haproxy
        # each peer name must match the hostname (or the -L name) of the instance
        # it describes, otherwise that instance does not take part in replication
        peer haproxy1 192.168.0.1:1024
        peer haproxy2 192.168.0.2:1024

    backend apache
        # the keyword is "expire" (the slide shows "expires") and the counter is conn_cur
        stick-table type ip size 20k expire 10m store conn_cur peers haproxy
        # "stick on" (the slide shows "stick or") = stick match + stick store-request
        stick on src

11. Configuration – HTTP

    frontend web.example.tld
        bind 1.1.1.1:80
        default_backend apache

    backend apache
        balance roundrobin
        option httpchk HEAD /check.txt HTTP/1.0
        # "cookie 1" on a server only does something together with a
        # "cookie <name> ..." directive in the backend (see slide 17)
        server www1 192.168.0.1:80 inter 3000 cookie 1 check
        # health check on a different port than the traffic (the slide shows
        # "check 81"; "check port 81" is the valid form)
        server www2 192.168.0.2:80 inter 3000 cookie 2 check port 81
        server www3 192.168.0.3:80 inter 3000 cookie 3 check
        # used only when every non-backup server is down; it shares cookie value 1
        # with www1, so sessions pinned to www1 fail over to it
        server www-bkp1 192.168.0.4:80 inter 3000 cookie 1 check backup
12. Configuration – HTTP ACL

Two equivalent ways of routing static files to their own backend: a named ACL, or an anonymous one written inline (path_end is case-sensitive unless -i is given, so .JPG would not match either form):

    frontend web.example.tld
        bind 1.1.1.1:80
        acl static path_end .flv .js .css .ico .jpeg .jpg .png
        use_backend static if static
        default_backend apache

    frontend web.example.tld
        bind 1.1.1.1:80
        use_backend static if { path_end .flv .js .css .ico .jpeg .jpg .png }
        default_backend apache

13. Applications – HTTP ACL

    frontend web.example.tld
        bind 1.1.1.1:80
        # two ACLs with the same name are OR-ed: static by extension, or static by host
        acl static path_end .flv .js .css .ico .jpeg .jpg .png
        # hdr_reg is an unanchored regex search. The slide's pattern
        # ^(s|m|img).web.example.tld leaves the dots unescaped and the end open, so
        # it also matches e.g. img.web.example.tld.attacker.example; escape the dots
        # and anchor the end (allowing an optional :port)
        acl static hdr_reg(host) -i ^(s|m|img)\.web\.example\.tld(:[0-9]+)?$
        # user-agent patterns, one regex per line, read from a file
        acl bot hdr_reg(user-agent) -i -f /etc/haproxy/bot.txt
        acl blokada src 192.168.100.0/24       # blokada = "block"
        acl wyjatek src 192.168.100.100        # wyjatek = "exception"
        # "block" (used on the slide) is deprecated; http-request deny is the current form
        http-request deny if blokada !wyjatek
        use_backend bot if bot
        use_backend static if static
        default_backend apache

14. Applications – HTTP ACL (continued)

Redirects and header rewriting; rules are evaluated in order, so the catch-all must come last:

    # canonical host: send the bare domain and the .com.pl domain to www.naszemiasto.pl,
    # keeping the request path ("prefix"). Note that hdr_end is a plain suffix match,
    # so "notnaszemiasto.com.pl" would match it too; list the exact hosts instead
    # if that matters
    redirect code 301 prefix http://www.naszemiasto.pl if { hdr(host) -i naszemiasto.pl } || { hdr_end(host) -i naszemiasto.com.pl }
    # one section of the site moved to another domain (dots escaped so "." does not
    # match any character)
    redirect location http://prasa24.pl if { hdr_reg(host) -i ^(www\.)?naszemiasto\.pl } { path_beg /gazety }
    # (.*) matches every host: whatever else reaches this frontend is sent away
    redirect location http://www.gratka.pl if { hdr_reg(host) (.*) }
    # strip a leading "www." from the Host header before it reaches the backend.
    # The regex and the replacement are one argument each (spaces escaped) and the
    # backreference is \1 (the slide shows a bare "1"). reqirep was removed in
    # HAProxy 2.1; the current equivalent is
    #   http-request set-header Host %[req.hdr(host),regsub(^www\.,,i)] if { hdr_beg(host) -i www. }
    reqirep ^Host:\ www\.(.*) Host:\ \1 if { hdr_beg(host) -i www. }
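The hdr_reg ACLs on slides 13 and 14 are unanchored, case-insensitive regex searches over the Host header, and hdr_end is a bare suffix comparison. The script below is an added example (not from the presentation) that reproduces both matchers in Python and runs the slide's ^(s|m|img).web.example.tld pattern next to an escaped, anchored version over constructed Host values, so the difference is visible without an HAProxy instance. The host names and the hardened pattern are this example's own.

```python
import re

# Constructed Host header values (test data, not from the presentation): the first
# three are legitimate, the next two are what a loose pattern also admits, the last
# one is rejected by both because the start of the pattern is anchored.
HOSTS = [
    "img.web.example.tld",
    "S.WEB.EXAMPLE.TLD",
    "m.web.example.tld:8080",
    "img.web.example.tld.attacker.example",  # end of the pattern is not anchored
    "imgxwebxexamplextld",                   # an unescaped "." matches any character
    "evil.img.web.example.tld",              # "^" is respected by both patterns
]

SLIDE_PATTERN = r"^(s|m|img).web.example.tld"                   # as written on slide 13
HARDENED_PATTERN = r"^(s|m|img)\.web\.example\.tld(:[0-9]+)?$"  # dots escaped, end anchored, optional port


def acl_hdr_reg(pattern: str, value: str, ignore_case: bool = True) -> bool:
    """Model of HAProxy's hdr_reg: an unanchored regex search; -i makes it case-insensitive."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, value, flags) is not None


def acl_hdr_end(suffix: str, value: str, ignore_case: bool = False) -> bool:
    """Model of hdr_end: a plain suffix comparison (case-sensitive unless -i)."""
    if ignore_case:
        return value.lower().endswith(suffix.lower())
    return value.endswith(suffix)


def matching_hosts(pattern: str, hosts=HOSTS) -> list:
    """Which of the given Host values an `hdr_reg(host) -i <pattern>` ACL accepts."""
    return [h for h in hosts if acl_hdr_reg(pattern, h)]


def is_naszemiasto_com_pl(host: str) -> bool:
    """Exact-host replacement for slide 14's `hdr_end(host) naszemiasto.com.pl`:
    the domain itself or a real subdomain of it, but not e.g. notnaszemiasto.com.pl."""
    h = host.lower().split(":", 1)[0]
    return h == "naszemiasto.com.pl" or h.endswith(".naszemiasto.com.pl")


if __name__ == "__main__":
    for label, pattern in (("slide", SLIDE_PATTERN), ("hardened", HARDENED_PATTERN)):
        print(f"{label:9s} {pattern}")
        for h in matching_hosts(pattern):
            print("   matches", h)
    print("hdr_end suffix pitfall:", acl_hdr_end("naszemiasto.com.pl", "notnaszemiasto.com.pl"))
```

Run it as is; the "slide" pattern accepts five of the six constructed hosts, the hardened one only the three legitimate ones.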
15. Configuration – HTTPS

    frontend web.example.tld
        bind 1.1.1.1:80
        # cert.pem holds the private key, the certificate and its chain
        bind 1.1.1.1:443 ssl crt /etc/haproxy/ssl/cert.pem
        # tell the backend which scheme the client used. The slide does this with
        # "reqadd", which appends a header and leaves any X-Forwarded-Proto the
        # client sent itself in place, so an application reading the first value
        # can be fooled; set-header overwrites it. ssl_fc is true when the client
        # connection is TLS, which is a more direct test than dst_port 443.
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-Forwarded-Proto http unless { ssl_fc }
        # every plain-HTTP request is bounced to HTTPS, so the "http" value above
        # never actually reaches a backend
        http-request redirect scheme https if !{ ssl_fc }
        default_backend apache

16. Applications – HTTPS ".htaccess"-style authentication

    userlist admin
        # insecure-password keeps the password in clear text in haproxy.cfg;
        # "password" takes a crypt(3) hash instead (here SHA-512 crypt, the $6$
        # form produced by e.g. mkpasswd -m sha-512)
        user admin1 insecure-password 123456
        user admin2 password $6$k6y3o.eP$JlKBx9za966xHSwRv6J.C0/D7cV91

    frontend web.example.tld
        bind 1.1.1.1:80
        bind 1.1.1.1:443 ssl crt /etc/haproxy/ssl/cert.pem
        # the slide gates the auth rule on dst_port 443 only, which means a request
        # arriving on port 80 is never challenged and goes straight to the backend;
        # redirecting plain HTTP first (as on slide 15) closes that hole
        http-request redirect scheme https if !{ ssl_fc }
        # http_auth(admin) checks the Basic credentials against userlist "admin"
        http-request auth realm Restricted_Area if !{ http_auth(admin) } { dst_port 443 }
        default_backend apache

17. Configuration – sticky sessions, cache hit ratio

Three ways of keeping a client on the same cache server (each "backend apache" below is an alternative, not three sections with the same name):

    # 1. hash the client address: no state to keep, but every client behind one
    #    NAT or proxy lands on the same server
    backend apache
        balance source
        server cache1 192.168.0.1:80 check
        server cache2 192.168.0.2:80 check

    # 2. prefix the application's own JSESSIONID cookie with the server id (c1/c2);
    #    "indirect" strips the prefix again before the request reaches the server,
    #    "nocache" marks a response that sets the cookie as not shared-cacheable
    backend apache
        balance roundrobin
        cookie JSESSIONID prefix indirect nocache
        server cache1 192.168.0.1:80 check cookie c1
        server cache2 192.168.0.2:80 check cookie c2

    # 3. stick table keyed on the source address. "stick on" both stores and
    #    matches; the slide's "stick store-request src" on its own writes the
    #    entry but never reads it back. The keyword is "expire", not "expires".
    backend apache
        stick on src
        stick-table type ip size 200k expire 30m
        server cache1 192.168.0.1:80 check inter 3000 fall 2 rise 2
        server cache2 192.168.0.2:80 check inter 3000 fall 2 rise 2
18. Configuration – IPv6

An IPv4-only server made reachable over IPv6: HAProxy terminates the IPv6 connection and opens an IPv4 one to the backend.

    listen naszemiasto.pl
        # brackets make the port separator unambiguous in an IPv6 address
        bind [2a02:1320:ffff:0:195:8:99:2]:80
        mode tcp
        server naszemiasto.pl 195.8.99.2:80 check inter 3000

19. Applications – TCP, DoS protection

Per-source limits on concurrent connections. They stop a single abusive source, not a distributed attack, and they also hit many users sharing one NAT address; conn_cur counts concurrency, so for a rate limit use conn_rate(<period>) instead.

    listen ssh
        bind 1.1.1.1:22
        mode tcp
        # per-source-IP table of current connections (keyword "expire")
        stick-table type ip size 200k expire 60s store conn_cur
        # the source has to be tracked before its counter can be tested: with the
        # slide's order (reject first, track second) sc1_conn_cur has no value when
        # the reject rule runs, so nothing is ever rejected
        tcp-request connection track-sc1 src
        tcp-request connection reject if { sc1_conn_cur gt 10 }
        server ssh1 192.168.0.1:22 check inter 3000 fall 2 rise 2

    listen web
        bind 1.1.1.1:80
        stick-table type ip size 200k expire 60s store conn_cur
        tcp-request connection track-sc1 src
        # sources holding more than 100 connections are not dropped but sent to a
        # throttled backend ("slow", not shown on the slide)
        acl abuser sc1_conn_cur gt 100
        use_backend slow if abuser
        server www1 192.168.0.1:80 check inter 3000 fall 2 rise 2

20. Configuration – TCP: SMTP, IMAP

    listen smtp
        bind 1.1.1.1:25
        mode tcp
        option tcplog
        balance roundrobin
        # drop connections from a blocked network before any data is read
        tcp-request connection reject if { src 192.168.100.0/24 }
        # in TCP mode the MTAs see the load balancer as the client, so their
        # IP-based controls (DNSBLs, relay rules, rate limits) stop working unless
        # the PROXY protocol (send-proxy) is used and the MTA understands it
        server smtp1 192.168.0.1:25 check inter 3000
        server smtp2 192.168.0.2:25 check inter 3000

    listen imap
        bind 1.1.1.1:143
        mode tcp
        balance leastconn
        # application-level check: connect and expect the IMAP greeting
        option tcp-check
        tcp-check connect port 143
        # the pattern is a single argument, so it must be quoted; matching just
        # "* OK" is more portable across IMAP servers than the full banner
        tcp-check expect string "* OK IMAP4 ready"
        server imap1 192.168.0.1:143 check inter 3000
        server imap2 192.168.0.2:143 check inter 3000
21. Applications – MySQL

    listen mysql
        bind 192.168.0.1:3306
        mode tcp
        option tcplog
        # a bare TCP "check" opens and drops a connection, which MySQL logs as an
        # aborted connect; "option mysql-check user <name>" does a real handshake
        # with a dedicated, passwordless user restricted to the balancer's address
        server mysql1 10.0.0.1:3306 check

22. Applications – MySQL

    # DB write cluster
    # Failure scenarios:
    # - replication 'up' on db01 & db02 = writes to db01
    # - replication 'down' on db02 = writes to db01
    # - replication 'down' on db01 = writes to db02
    # - replication 'down' on db01 & db02 = go nowhere, split-brain, cluster FAIL!
    # - mysql 'down' on db02 = writes to db01_backup
    # - mysql 'down' on db01 = writes to db02_backup
    # - mysql 'down' on db01 & db02 = go nowhere, cluster FAIL!

23. Applications – MySQL

    backend cluster_db_write
        mode tcp
        option tcpka
        balance roundrobin
        # health is decided by external HTTP check agents (not shown on the slide),
        # not by MySQL itself: "check port 9201" asks an agent on the DB host about
        # replication, "addr 127.0.0.1 ... port 9301/9302" asks agents on the
        # HAProxy host whether mysqld on db01/db02 answers at all
        option httpchk GET /dps
        server db01 172.16.0.60:3306 weight 1 check port 9201 inter 1s rise 2 fall 1
        # only the first healthy backup server gets traffic (unless "option
        # allbackups" is set), so the fallback order is db02, db01_backup, db02_backup
        server db02 172.16.0.61:3306 weight 1 check port 9201 inter 1s rise 2 fall 1 backup
        server db01_backup 172.16.0.60:3306 weight 1 check port 9301 inter 1s rise 2 fall 2 addr 127.0.0.1 backup
        server db02_backup 172.16.0.61:3306 weight 1 check port 9302 inter 1s rise 2 fall 2 addr 127.0.0.1 backup
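The write cluster above relies on an HTTP check agent that HAProxy polls with `option httpchk GET /dps` on port 9201, and the slide does not show it. The following is an added example of such an agent, not the presenter's code: it answers 200 when MySQL replication is running and 503 otherwise, deciding from the Slave_IO_Running, Slave_SQL_Running and Seconds_Behind_Master columns of SHOW SLAVE STATUS (real MySQL fields). The /dps path and port 9201 come from the slide; the lag threshold, the constructed status rows and the injectable fetch function are this example's own assumptions, which is what lets it run with no database at all.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Optional

# Assumed for this example: replication lagging more than this counts as "down"
MAX_LAG_SECONDS = 30
CHECK_PATH = "/dps"   # the path HAProxy polls (option httpchk GET /dps, slide 23)

# One row of SHOW SLAVE STATUS as {column: value}, or None when mysqld does not answer
SlaveStatus = Optional[dict]


def replication_healthy(status: SlaveStatus) -> bool:
    """True only when both replication threads run and the lag is bounded.
    Seconds_Behind_Master is NULL (None) whenever the SQL thread is not running."""
    if status is None:
        return False
    if status.get("Slave_IO_Running") != "Yes" or status.get("Slave_SQL_Running") != "Yes":
        return False
    lag = status.get("Seconds_Behind_Master")
    return lag is not None and int(lag) <= MAX_LAG_SECONDS


def check_status(status: SlaveStatus) -> int:
    """HTTP status HAProxy's httpchk will see: 2xx/3xx means UP, anything else DOWN."""
    return 200 if replication_healthy(status) else 503


def make_handler(fetch_status: Callable[[], SlaveStatus]):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != CHECK_PATH:
                self.send_response(404)
                self.end_headers()
                return
            try:
                status = fetch_status()
            except Exception:        # DB unreachable: report DOWN, never crash the agent
                status = None
            code = check_status(status)
            body = b"replication up\n" if code == 200 else b"replication down\n"
            self.send_response(code)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the 1-second check traffic out of stderr
            pass

    return Handler


def serve(fetch_status: Callable[[], SlaveStatus], port: int = 9201, bind: str = "0.0.0.0") -> HTTPServer:
    """Start the agent in a background thread and return it so it can be shut down.
    The endpoint is unauthenticated and reveals replication state, so bind it to the
    interface HAProxy checks from and firewall it."""
    server = HTTPServer((bind, port), make_handler(fetch_status))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# Constructed SHOW SLAVE STATUS rows so the agent can be exercised without MySQL.
# A real fetch_status would run "SHOW SLAVE STATUS" through a MySQL client and
# return cursor.fetchone() as a dict.
SAMPLE_UP = {"Slave_IO_Running": "Yes", "Slave_SQL_Running": "Yes", "Seconds_Behind_Master": 2}
SAMPLE_SQL_STOPPED = {"Slave_IO_Running": "Yes", "Slave_SQL_Running": "No", "Seconds_Behind_Master": None}
SAMPLE_LAGGING = {"Slave_IO_Running": "Yes", "Slave_SQL_Running": "Yes", "Seconds_Behind_Master": 900}


def unreachable_db() -> SlaveStatus:
    """Constructed fetch_status that fails the way a dead mysqld would."""
    raise ConnectionError("mysqld not reachable")


def probe(fetch_status: Callable[[], SlaveStatus], port: int = 0) -> int:
    """Run the agent on an ephemeral loopback port, do one GET /dps exactly as
    HAProxy's httpchk would, and return the HTTP status code."""
    server = serve(fetch_status, port=port, bind="127.0.0.1")
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("GET", CHECK_PATH)
        return conn.getresponse().status
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, row in (("up", SAMPLE_UP), ("sql stopped", SAMPLE_SQL_STOPPED), ("lagging", SAMPLE_LAGGING)):
        print(f"{name:12s} -> HTTP {probe(lambda: row)}")
    print(f"{'unreachable':12s} -> HTTP {probe(unreachable_db)}")
```

The liveness agents behind ports 9301/9302 would use the same handler with a fetch function that only needs the connection to succeed, returning a minimal healthy row instead of the replication columns.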
24. Applications – FTP

    listen ftp-lb00
        bind 2.2.2.2:21
        mode tcp
        option tcplog
        balance leastconn
        server ftp-serv00 192.168.1.1:21 check
        server ftp-serv01 192.168.1.2:21 check
        server ftp-serv02 192.168.1.3:21 check

HAProxy only carries the FTP control connection; the data connections bypass it and are handled with NAT on the load balancer host.

ACTIVE mode: the server opens the data connection towards the client, so its source address is rewritten to the VIP (these rules live in the nat table, which the slide leaves out):

    iptables -t nat -A POSTROUTING -s 192.168.1.1/32 -o eth1 -j SNAT --to-source 2.2.2.2
    iptables -t nat -A POSTROUTING -s 192.168.1.2/32 -o eth1 -j SNAT --to-source 2.2.2.2
    iptables -t nat -A POSTROUTING -s 192.168.1.3/32 -o eth1 -j SNAT --to-source 2.2.2.2

25. Applications – FTP (continued)

PASSIVE mode: the client connects to the port the server announces in its PASV reply. Each server advertises the VIP (MasqueradeAddress) and its own, non-overlapping passive port range (ProFTPD-style directives), so the load balancer can DNAT each range back to the right server. The slide shows two of the three servers; the third needs a range of its own.

    Bind 192.168.1.1
    Port 21
    MasqueradeAddress 2.2.2.2
    PassivePorts 1025 2048

    Bind 192.168.1.2
    Port 21
    MasqueradeAddress 2.2.2.2
    PassivePorts 2049 3072

    iptables -t nat -A PREROUTING -d 2.2.2.2/32 -i eth1 -p tcp -m tcp --dport 1025:2048 -j DNAT --to-destination 192.168.1.1
    iptables -t nat -A PREROUTING -d 2.2.2.2/32 -i eth1 -p tcp -m tcp --dport 2049:3072 -j DNAT --to-destination 192.168.1.2

These DNAT ranges are reachable by anyone who can reach the VIP, with or without an FTP control session, so keep them as narrow as the passive ranges and make sure the servers listen on nothing else in them.

26. Applications – RDP

    listen RDP_Test
        bind 192.168.67.30:3389
        mode tcp
        balance leastconn
        option tcpka
        # wait up to 5s for the X.224 connection request so the RDP cookie
        # (mstshash=<username>) can be read before a server is chosen
        tcp-request inspect-delay 5s
        tcp-request content accept if RDP_COOKIE
        # persistence keyed on that cookie, replicated to the other node via peers
        stick-table type string size 10240k expire 12h peers haproxy
        # the slide has no "stick on" line; without it the table is never consulted.
        # The cookie is chosen by the client, so it is good for affinity only, never
        # for any access decision.
        stick on req.rdp_cookie(mstshash)
        timeout client 12h
        timeout server 12h
        server Win2k8-1 192.168.0.11:3389 check inter 2000 rise 2 fall 3
        server Win2k8-2 192.168.0.12:3389 check inter 2000 rise 2 fall 3
27. Statistics

    listen stats
        bind 192.168.0.1:8080
        mode http
        stats enable
        stats hide-version
        # a space in the realm must be escaped
        stats realm Haproxy\ Statistics
        stats uri /
        # the slide sets no "stats auth": the page reveals backend addresses and
        # health, and with "stats admin" it can also take servers down, so add
        # "stats auth <user>:<password>" and bind it to a management address only

28. Tools

    global
        stats socket /tmp/haproxy mode 0600 level admin

    $ echo "show info;show stat" | socat /tmp/haproxy stdio
    $ echo "show sess" | socat /tmp/haproxy stdio
    $ echo "shutdown frontend www" | socat /tmp/haproxy stdio

The last command is what "level admin" means in practice: anyone who can open the socket can take a frontend offline, so the 0600 mode, the owner, and a directory that others cannot write to are the only protection.

● HTTP statistics
● Hatop
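The `show stat` command above returns CSV: a header line starting with "# ", then one row per frontend, backend and server, each terminated by a trailing comma. The script below is an added example (not from the presentation) that parses that output and reports what an operator wants from it: servers that are not UP, and backends that are down or running on backup servers only. It works offline on a constructed, column-trimmed sample (the column names are HAProxy's real ones, the rows are made up to mirror slides 11 and 23); query_stats_socket performs the same exchange as the socat commands against the socket path from the slide, and nothing below calls it automatically.

```python
import csv
import io
import socket
from typing import Dict, List, Tuple

# Constructed, column-trimmed "show stat" output (the real dump has ~80 columns;
# the names used here are the real ones). Values are made up.
SAMPLE_SHOW_STAT = """\
# pxname,svname,scur,status,weight,act,bck,chkfail,chkdown,lastchg,check_status,last_chk,
web.example.tld,FRONTEND,12,OPEN,,,,,,,,,
apache,www1,4,UP,1,1,0,0,0,86400,L7OK,200,
apache,www2,0,DOWN,1,1,0,3,1,120,L7STS,503,
apache,www-bkp1,0,UP,1,0,1,0,0,86400,L7OK,200,
apache,BACKEND,4,UP,2,1,1,,1,120,,,
static,static1,0,DOWN,1,1,0,7,1,600,L4TOUT,,
static,BACKEND,0,DOWN,0,0,0,,1,600,,,
cluster_db_write,db01,0,DOWN,1,1,0,5,2,30,L7STS,503,
cluster_db_write,db02,0,DOWN,1,0,1,5,2,30,L7STS,503,
cluster_db_write,db01_backup,0,UP,1,0,1,0,0,86400,L7OK,200,
cluster_db_write,BACKEND,0,UP,1,0,1,,2,30,,,

"""


def parse_show_stat(text: str) -> List[Dict[str, str]]:
    """Turn a 'show stat' dump into a list of {column: value} rows."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("# "):
        raise ValueError("not a 'show stat' dump: missing '# ' header line")
    fields = [f for f in lines[0][2:].split(",") if f]
    reader = csv.DictReader(io.StringIO("\n".join(lines[1:])), fieldnames=fields)
    # the trailing comma on every row yields one extra value, which DictReader
    # files under the key None; drop it
    return [{k: v for k, v in row.items() if k is not None} for row in reader]


def is_up(status: str) -> bool:
    """status is UP, DOWN, NOLB, MAINT or 'no check', optionally followed by a
    transition counter such as 'UP 1/2' (still up, one failed check so far)."""
    return status.startswith("UP")


def unhealthy_servers(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str, str, str]]:
    """(backend, server, status, check_status, last_chk) for every server not UP."""
    return [
        (r["pxname"], r["svname"], r["status"], r["check_status"], r["last_chk"])
        for r in rows
        if r["svname"] not in ("FRONTEND", "BACKEND") and not is_up(r["status"])
    ]


def backend_state(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Per backend: 'ok' (active servers available), 'backup-only' or 'down'.
    On a BACKEND row, act/bck are the numbers of usable active/backup servers."""
    state = {}
    for r in rows:
        if r["svname"] != "BACKEND":
            continue
        act, bck = int(r["act"] or 0), int(r["bck"] or 0)
        state[r["pxname"]] = "ok" if act > 0 else ("backup-only" if bck > 0 else "down")
    return state


def query_stats_socket(command: str, path: str = "/tmp/haproxy", timeout: float = 5.0) -> str:
    """Send one command to the stats socket and return the reply (what the socat
    one-liners on the slide do). Needs read/write access to the socket file."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(command.encode() + b"\n")
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode()


if __name__ == "__main__":
    rows = parse_show_stat(SAMPLE_SHOW_STAT)   # or: parse_show_stat(query_stats_socket("show stat"))
    for px, sv, st, chk, last in unhealthy_servers(rows):
        print(f"{px}/{sv}: {st} ({chk} {last})")
    for px, st in backend_state(rows).items():
        print(f"backend {px}: {st}")
```

The backup-only state is the one worth alerting on early: on slide 23 it means writes are already going to db01_backup, i.e. the replication checks have failed on both primaries.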
29. Summary
● Performant: 108k req/s, 16 kB per session
● Configurable
● Very good documentation
  - http://haproxy.1wt.eu/download/1.5/doc/configuration.txt
  - http://marc.info/?l=haproxy
● Multi-platform
● TCP and HTTP proxy
● SSL support

30. Thank you for your attention!
Questions?
