WHCSRL 技术网

haproxy 负载均衡

1. haproxy简介

HAProxy是法国开发者 威利塔罗(Willy Tarreau) 在2000年使用C语言开发的一个开源软件,是一款具备高并发(一万以上)、高性能的TCP和HTTP负载均衡器,支持基于cookie的持久性,自动故障切换,支持正则表达式及web状态统计,目前最新TLS版本为9.0

HAProxy是一个使用C语言编写的自由及开放源代码软件,其提供高可用性、负载均衡,以及基于TCP和HTTP的应用程序代理。

HAProxy是一个免费的负载均衡软件,可以运行于大部分主流的Linux操作系统上。

HAProxy提供了L4(TCP)和L7(HTTP)两种负载均衡能力,具备丰富的功能。HAProxy的社区非常活跃,版本更新快速。最关键的是,HAProxy具备媲美商用负载均衡器的性能和稳定性。

因为HAProxy的上述优点,它当前不仅仅是免费负载均衡软件的首选,更几乎成为了唯一选择。

1.1 核心功能

  • 负载均衡:L4和L7两种模式,支持RR/静态RR/LC/IP Hash/URI Hash/URL_PARAM Hash/HTTP_HEADER Hash等丰富的负载均衡算法
  • 健康检查:支持TCP和HTTP两种健康检查模式
  • 会话保持:对于未实现会话共享的应用集群,可通过Insert Cookie/Rewrite Cookie/Prefix Cookie,以及上述的多种Hash方式实现会话保持
  • SSL:HAProxy可以解析HTTPS协议,并能够将请求解密为HTTP后向后端传输
  • HTTP请求重写与重定向
  • 监控与统计:HAProxy提供了基于Web的统计信息页面,展现健康状态和流量数据。基于此功能,使用者可以开发监控程序来监控HAProxy的状态

1.2 haproxy的关键特性

  • 高性能
    通常情况下,HAProxy自身只占用15%%%%的处理时间,剩余的85%%%%都是在系统内核层完成的
  • 高稳定性
    一旦成功启动,除非操作系统或硬件故障,否则就不会崩溃

2. haproxy部署安装

haproxy软件包下载官网:https://www.haproxy.org//

//安装依赖包
[root@localhost ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel

//创建haproxy用户
[root@localhost ~]# useradd -r -M -s /sbin/nologin haproxy

//解压下载好的安装包
[root@localhost src]# ls
debug  haproxy-2.4.0.tar.gz  kernels
[root@localhost src]# tar xf haproxy-2.4.0.tar.gz -C /usr/src/
[root@localhost src]# ls
debug  haproxy-2.4.0  haproxy-2.4.0.tar.gz  kernels
[root@localhost src]# 

//编译安装
[root@localhost src]# cd haproxy-2.4.0/
[root@localhost haproxy-2.4.0]# 
[root@localhost haproxy-2.4.0]# make clean
[root@localhost haproxy-2.4.0]# make -j $(nproc) TARGET=linux-glibc 
> USE_OPENSSL=1 USE_PCRE=1 USE_SYSTEMD=1
[root@localhost haproxy-2.4.0]# make install prefix=/usr/local/haproxy
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
//配置内核参数
[root@localhost ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >>  /etc/sysctl.conf
[root@localhost ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@localhost ~]# sysctl  -p 
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
[root@localhost ~]# 
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
//提供配置文件
[root@localhost ~]# cd /etc/haproxy/
[root@localhost haproxy]# vim haproxy.cfg 
[root@localhost haproxy]# cat haproxy.cfg 
#--------------全局配置----------------
global
    log 127.0.0.1 local0  info
    #log loghost local0 info
    maxconn 20480
#chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    #maxconn 4000
    user haproxy
    group haproxy
    daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option dontlognull
    option httpclose
    option httplog
    #option forwardfor
    option redispatch
    balance roundrobin
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
    maxconn 60000
    retries 3
#--------------统计页面配置------------------
listen admin_stats
    bind 0.0.0.0:8189
    stats enable
    mode http
    log global
    stats uri /haproxy_stats
    stats realm Haproxy Statistics
    stats auth admin:admin
    #stats hide-version
    stats admin if TRUE
    stats refresh 30s
#---------------web设置-----------------------
listen webcluster
    bind 0.0.0.0:80
    mode http
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    server web01 192.168.35.137:80  check inter 2000 fall 5
    server web02 192.168.35.138:80  check inter 2000 fall 5
[root@localhost haproxy]# 
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
//haproxy.service文件编写
[root@localhost ~]# cat /usr/lib/systemd/system/haproxy.service 
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target

[Service]
ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg   -c -q
ExecStart=/usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg  -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target
[root@localhost ~]#
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
[root@localhost ~]# systemctl enable --now haproxy.service 
Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service.
[root@localhost ~]# 

[root@localhost ~]# ss -antl
State        Recv-Q       Send-Q             Local Address:Port             Peer Address:Port       
LISTEN       0            128                    127.0.0.1:6010                  0.0.0.0:*          
LISTEN       0            128                      0.0.0.0:8189                  0.0.0.0:*          
LISTEN       0            128                      0.0.0.0:111                   0.0.0.0:*          
LISTEN       0            128                      0.0.0.0:80                    0.0.0.0:*          
LISTEN       0            128                      0.0.0.0:22                    0.0.0.0:*          
LISTEN       0            5                      127.0.0.1:631                   0.0.0.0:*          
LISTEN       0            128                        [::1]:6010                     [::]:*          
LISTEN       0            128                         [::]:111                      [::]:*          
LISTEN       0            128                         [::]:22                       [::]:*          
LISTEN       0            5                          [::1]:631                      [::]:*          
[root@localhost ~]#
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
//启用日志
[root@localhost ~]# vim /etc/rsyslog.conf 
 65 local0.*        /var/log/haproxy.log   //添加这一行
[root@localhost ~]# systemctl restart rsyslog.service 
  • 1
  • 2
  • 3
  • 4
//在web主机上安装httpd服务
[root@web01 ~]# yum -y install httpd
[root@web01 ~]# echo "web01" > /var/www/html/index.html
[root@web01 ~]# systemctl restart httpd.service 

[root@web02 ~]# yum -y install httpd
[root@web02 ~]#  echo "web02" > /var/www/html/index.html
[root@web02 ~]# systemctl restart httpd.service
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8

在这里插入图片描述

在这里插入图片描述

3. haproxy配置负载均衡(https)

//证书生成
[root@web01 ~]# yum -y install openssl
[root@web01 ~]# mkdir ~/keys
[root@web01 ~]# cd keys/
[root@web01 keys]# openssl genrsa -out passport.com.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................+++++
......+++++
e is 65537 (0x010001)
[root@web01 keys]# openssl req -new -key passport.com.key -out passport.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:passport
Common Name (eg, your name or your server's hostname) []:web01.com
Email Address []:passport@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1
string is too short, it needs to be at least 4 bytes long
A challenge password []:1@2.com
An optional company name []:
[root@web01 keys]# openssl x509 -req -days 3650 -in passport.com.csr -signkey passport.com.key -out passport.com.crt
Signature ok
subject=C = CN, ST = HuBei, L = WuHan, O = test, OU = passport, CN = web01.com, emailAddress = passport@qq.com
Getting Private key
[root@web01 keys]# ls
passport.com.crt  passport.com.csr  passport.com.key
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
//利用scp命令将证书发送到另外一台主机上
[root@web01 keys]# scp passport.com.crt passport.com.key 192.168.35.137:/root/
The authenticity of host '192.168.35.137 (192.168.35.137)' can't be established.
ECDSA key fingerprint is SHA256:ECsvugl1DCHfuejtUk08a5piC1AmP1akOaWPFqszmFE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.35.137' (ECDSA) to the list of known hosts.
root@192.168.35.137's password: 
passport.com.crt                                                  100%%%% 1294   899.0KB/s   00:00    
passport.com.key   
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
//在web两台主机上配置https,注意web01需要同样的步骤
[root@web02 ~]# mkdir  /etc/httpd/ssl
[root@web02 ~]# mv passport.com.* /etc/httpd/ssl/
[root@web02 ~]# cd /etc/httpd/ssl/
[root@web02 ssl]# ls
passport.com.crt  passport.com.key
[root@web02 ssl]# cd ..
[root@web02 httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run  ssl  state
[root@web02 httpd]# cd conf.d/
[root@web02 conf.d]# ls
autoindex.conf  README  ssl.conf  userdir.conf  welcome.conf
[root@web02 conf.d]# vim ssl.conf 
43 DocumentRoot "/var/www/html"   //取消这两行注释
44 ServerName www.example.com:443
85 SSLCertificateFile /etc/httpd/ssl/passport.com.crt   //修改路径
93 SSLCertificateKeyFile /etc/httpd/ssl/passport.com.key   //修改路径
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
//修改配置文件haproxy.cfg
[root@localhost haproxy]# cat haproxy.cfg 
#--------------全局配置----------------
global
    log 127.0.0.1 local0  info
    #log loghost local0 info
    maxconn 20480
#chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    #maxconn 4000
    user haproxy
    group haproxy
    daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode tcp   //修改为tcp
    log global
    option dontlognull
    option httpclose
    option httplog
    #option forwardfor
    option redispatch
    balance roundrobin
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
    maxconn 60000
    retries 3
#--------------统计页面配置------------------
listen admin_stats
    bind 0.0.0.0:8189
    stats enable
    mode http
    log global
    stats uri /haproxy_stats
    stats realm Haproxy Statistics
    stats auth admin:admin
    #stats hide-version
    stats admin if TRUE
    stats refresh 30s
#---------------web设置-----------------------
listen webcluster
    bind 0.0.0.0:443   //修改端口为443
    mode tcp   //修改为tcp
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    server web01 192.168.35.137:443  check inter 2000 fall 5   //修改端口为443
    server web02 192.168.35.138:443  check inter 2000 fall 5   //修改端口为443
[root@localhost haproxy]# 
[root@localhost haproxy]# systemctl restart haproxy.service
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56

请添加图片描述
请添加图片描述
还可以登陆到后台查看web主机的信息和运行情况
请添加图片描述

推荐阅读