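I. Introduction to HAProxy
HAProxy is a dedicated reverse proxy for TCP- and HTTP-based applications. It supports active/standby (hot standby) pairs and virtual hosts, is simple to configure, and has very good server health checking: when a backend node it proxies fails, HAProxy automatically removes that server from rotation, and adds it back automatically once the fault is cleared. It is an open-source, free, fast and reliable solution.
II. Advantages of HAProxy
1. Software dedicated to reverse proxying and load balancing
2. Many load-balancing algorithms, about 8
3. Better performance than nginx
4. Supports dynamic management by communicating with HAProxy's socket
5. A fairly rich dashboard page
6. Powerful layer-7 features
III. HAProxy use cases
1. "tcp" mode, i.e. layer-4 proxying (mostly used for mail servers, servers speaking internal protocols, and so on)
2. HAProxy can load-balance MySQL, mail or other non-web services; we commonly use it to load-balance MySQL reads
3. It is particularly well suited to very heavily loaded web sites, which usually also need session persistence or layer-7 processing
IV. Deploying HAProxy
1. Environment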
#haproxy01
[root@haproxy01 ~]# cat /etc/redhat-release
CentOS release 6.9 (Final)
[root@haproxy01 ~]# uname -r
2.6.32-696.el6.x86_64
[root@haproxy01 ~]# getenforce
Disabled
[root@haproxy01 ~]# /etc/init.d/iptables status
iptables: Firewall is not running.
[root@haproxy01 ~]# hostname -I
172.19.5.3 172.16.1.3

#haproxy02
[root@haproxy02 ~]# cat /etc/redhat-release
CentOS release 6.9 (Final)
[root@haproxy02 ~]# uname -r
2.6.32-696.el6.x86_64
[root@haproxy02 ~]# getenforce
Disabled
[root@haproxy02 ~]# /etc/init.d/iptables status
iptables: Firewall is not running.
[root@haproxy02 ~]# hostname -I
172.19.5.4 172.16.1.4
2. Compile and install HAProxy
mkdir /server/tools -p
cd /server/tools/
# upload haproxy-1.7.9.tar.gz
tar xf haproxy-1.7.9.tar.gz
cd haproxy-1.7.9
make TARGET=linux26 PREFIX=/usr/local/haproxy-1.7.9
make install
cp /usr/local/sbin/haproxy /usr/sbin/
cp /server/tools/haproxy-1.7.9/examples/haproxy.init /etc/init.d/haproxy
chmod +x /etc/init.d/haproxy
useradd -r haproxy
mkdir /etc/haproxy
mkdir /var/lib/haproxy
3. Configure HAProxy logging (/etc/rsyslog.conf)
$ModLoad imudp
$UDPServerRun 514
local3.* /var/log/haproxy.log
4. Create the configuration file
### Global settings ###
global
    log 127.0.0.1 local3 info    # log output
    chroot /var/lib/haproxy      # chroot directory
    user haproxy                 # user haproxy runs as
    group haproxy                # group haproxy runs as
    daemon                       # run in the background
    stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin    # HAProxy dynamic management
    stats timeout 2m
    maxconn 4096                 # default maximum number of connections

### Default settings ###
defaults
    log global                   # use the globally defined log
    mode http                    # default mode: tcp is layer 4, http is layer 7
    option httplog               # log format
    option dontlognull           # do not log health checks
    timeout connect 5000ms       # connect timeout
    timeout client 50000ms       # client timeout
    timeout server 50000ms       # server timeout

### Frontend ###
frontend web_front
    mode http                    # layer 7
    bind *:80                    # using bind is recommended
    stats uri /haproxy-status    # URI of the HAProxy monitoring page
    default_backend web_back
    #acl is_static_reg url_reg /*.(css|jpg|png|js|jpeg|gif)$
    #use_backend web01_back_backend if is_static_reg

### Backend ###
backend web_back
    balance roundrobin           # default load-balancing method: round robin
    #balance source              # load-balancing method, similar to Nginx ip_hash
    #balance leastconn           # load-balancing method: least connections
    #option httpchk GET /index.html    # backend health check
    server haproxy01 172.19.5.3:8080 check inter 2000 rise 30 fall 15    # backend server definition
    server haproxy02 172.19.5.4:8080 check inter 2000 rise 30 fall 15    # backend server definition
5. Load balancing with HAProxy
# An HTTP service was installed on both haproxy01 and haproxy02, with its default listening port changed to 8080
# Test load balancing
[root@haproxy01 ~]# curl 172.19.5.3
http01
[root@haproxy01 ~]# curl 172.19.5.3
http02
[root@haproxy01 ~]# curl 172.19.5.3
http01
[root@haproxy01 ~]# curl 172.19.5.3
http02
[root@haproxy01 ~]# curl 172.19.5.3
http01
[root@haproxy01 ~]# curl 172.19.5.3

[root@haproxy02 ~]# curl 172.19.5.4
http01
[root@haproxy02 ~]# curl 172.19.5.4
http02
[root@haproxy02 ~]# curl 172.19.5.4
http01
[root@haproxy02 ~]# curl 172.19.5.4
http02
[root@haproxy02 ~]# curl 172.19.5.4
http01
[root@haproxy02 ~]# curl 172.19.5.4
http02
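An added example (not part of the original post or of HAProxy itself): a shell function that reads a configuration like the one in step 4 and reports the two management interfaces it exposes, the "level admin" stats socket and any section that serves "stats uri" without a "stats auth" line. The names sample_cfg and audit_haproxy_cfg are made up for this example, and the sample is a constructed excerpt of the configuration above.

```sh
# Constructed sample: the management-related lines of the step 4 configuration.
sample_cfg() { cat <<'EOF'
global
    stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin  # dynamic management
defaults
    mode http
frontend web_front
    bind *:80
    stats uri /haproxy-status   # monitoring page
    default_backend web_back
backend web_back
    server haproxy01 172.19.5.3:8080 check
EOF
}

# audit_haproxy_cfg: read a haproxy.cfg on stdin, print one finding per line.
# Heuristic only: it does not follow settings inherited from "defaults".
audit_haproxy_cfg() {
    awk '
    function report() {
        if (has_uri && !has_auth)
            print "STATS_NO_AUTH " sect " uri=" uri " bind=" binds
    }
    { sub(/[ \t]*#.*/, ""); if (NF == 0) next }     # strip comments, skip blanks
    $1 ~ /^(global|defaults|frontend|backend|listen)$/ {
        report()                                    # close the previous section
        sect = (NF > 1 ? $1 " " $2 : $1)
        has_uri = has_auth = 0; uri = binds = ""
        next
    }
    $1 == "bind"                  { binds = (binds == "" ? "" : binds ",") $2 }
    $1 == "stats" && $2 == "uri"  { has_uri = 1; uri = $3 }
    $1 == "stats" && $2 == "auth" { has_auth = 1 }
    $1 == "stats" && $2 == "socket" {
        mode = "unset"; level = "operator"          # operator is the default level
        for (i = 4; i < NF; i++) {
            if ($i == "mode")  mode  = $(i + 1)
            if ($i == "level") level = $(i + 1)
        }
        if (level == "admin") print "ADMIN_SOCKET " $3 " mode=" mode
    }
    END { report() }
    '
}
```

Run it against a real file with input redirection; on the sample it reports the admin socket with mode=600 and the unauthenticated /haproxy-status page bound to *:80.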
V. Dynamic management of HAProxy
1. Install the socat command
yum install -y socat
2. Usage
[root@haproxy01 ~]# echo "help"|socat stdio /var/lib/haproxy/haproxy.sock
Unknown command. Please enter one of the following commands only :
help : this message
prompt : toggle interactive mode with prompt
quit : disconnect
set maxconn global : change the per-process maxconn setting
set rate-limit : change a rate limiting value
set timeout : change a timeout setting
show env [var] : dump environment variables known to the process
show stat resolvers [id]: dumps counters from all resolvers section and associated name servers
add acl : add acl entry
clear acl <id> : clear the content of this acl
del acl : delete acl entry
get acl : report the patterns matching a sample for an ACL
show acl [id] : report available acls or dump an acl's contents
add map : add map entry
clear map <id> : clear the content of this map
del map : delete map entry
get map : report the keys and values matching a sample for a map
set map : modify map entry
show map [id] : report available maps or dump a map's contents
show pools : report information about the memory pools usage
show sess [id] : report the list of current sessions or dump this session
shutdown session : kill a specific session
shutdown sessions server : kill sessions on a server
clear counters : clear max statistics counters (add 'all' for all counters)
show info : report information about the running process
show stat : report counters for each proxy and server
show errors : report last request and response errors for each proxy
clear table : remove an entry from a table
set table [id] : update or create a table entry's data
show table [id]: report table usage stats or dump this table's contents
disable frontend : temporarily disable specific frontend
enable frontend : re-enable specific frontend
set maxconn frontend : change a frontend's maxconn setting
show servers state [id]: dump volatile server information (for backend <id>)
show backend : list backends in the current running config
shutdown frontend : stop a specific frontend
disable agent : disable agent checks (use 'set server' instead)
disable health : disable health checks (use 'set server' instead)
disable server : disable a server for maintenance (use 'set server' instead)
enable agent : enable agent checks (use 'set server' instead)
enable health : enable health checks (use 'set server' instead)
enable server : enable a disabled server (use 'set server' instead)
set maxconn server : change a server's maxconn setting
set server : change a server's state, weight or address
get weight : report a server's current weight
set weight : change a server's weight (deprecated)
3. Monitoring data
[root@haproxy01 ~]# echo "show info"|socat stdio /var/lib/haproxy/haproxy.sock
Name: HAProxy
Version: 1.7.9
Release_date: 2017/08/18
Nbproc: 1
Process_num: 1
Pid: 3897
Uptime: 0d 2h57m54s
Uptime_sec: 10674
Memmax_MB: 0
PoolAlloc_MB: 0
PoolUsed_MB: 0
PoolFailed: 0
Ulimit-n: 4031
Maxsock: 4031
Maxconn: 2000
Hard_maxconn: 2000
CurrConns: 0
CumConns: 3563
CumReq: 3575
Maxpipes: 0
PipesUsed: 0
PipesFree: 0
ConnRate: 1
ConnRateLimit: 0
MaxConnRate: 2
SessRate: 1
SessRateLimit: 0
MaxSessRate: 2
CompressBpsIn: 0
CompressBpsOut: 0
CompressBpsRateLim: 0
Tasks: 5
Run_queue: 1
Idle_pct: 100
node: haproxy01
4. Managing backend nodes
① Backend nodes in their normal state
② Disable backend node haproxy01
echo "disable server web_back/haproxy01"|socat stdio /var/lib/haproxy/haproxy.sock
③ Re-enable backend node haproxy01; it returns to normal
[root@haproxy01 ~]# echo "enable server web_back/haproxy01"|socat stdio /var/lib/haproxy/haproxy.sock
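An added example (not from the original post): a wrapper for the disable/enable commands above that confirms the resulting state by reading the status column of "show stat", where a disabled server reports MAINT. The function names, the HAPROXY_SOCK variable and the sample CSV rows are constructed for this example; because the socket is created with "mode 600 level admin", the commands have to run as root.

```sh
HAPROXY_SOCK=${HAPROXY_SOCK:-/var/lib/haproxy/haproxy.sock}

# Send one command to the stats socket, as in section V.
hap() { echo "$1" | socat stdio "$HAPROXY_SOCK"; }

# Constructed, shortened "show stat" output (real output has more columns).
sample_stat() { cat <<'EOF'
# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,
web_front,FRONTEND,,,0,2,4096,3563,0,0,0,0,0,,,,,OPEN,,
web_back,haproxy01,0,0,0,1,,1781,0,0,,0,,0,0,0,0,MAINT,1,
web_back,haproxy02,0,0,0,1,,1782,0,0,,0,,0,0,0,0,UP,1,
web_back,BACKEND,0,0,0,2,410,3563,0,0,0,0,,0,0,0,0,UP,1,
EOF
}

# server_status BACKEND SERVER: read "show stat" CSV on stdin, print the status.
# Columns are located by header name; exit status 1 if the server is not listed.
server_status() {
    awk -F, -v px="$1" -v sv="$2" '
    /^# / { sub(/^# /, ""); for (i = 1; i <= NF; i++) col[$i] = i; next }
    ("status" in col) && $(col["pxname"]) == px && $(col["svname"]) == sv {
        print $(col["status"]); found = 1
    }
    END { exit !found }
    '
}

# set_server_state disable|enable BACKEND SERVER: issue the command, then verify.
set_server_state() {
    case $1 in
        disable|enable) ;;
        *) echo "usage: set_server_state disable|enable BACKEND SERVER" >&2; return 2 ;;
    esac
    hap "$1 server $2/$3" >/dev/null
    st=$(hap "show stat" | server_status "$2" "$3") || { echo "$2/$3 not found" >&2; return 2; }
    case "$1:$st" in
        disable:MAINT*) ;;                          # in maintenance, as requested
        disable:*|enable:MAINT*) echo "$2/$3 is $st after $1" >&2; return 1 ;;
    esac
    echo "$2/$3 $st"
}
```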
VI. High availability with HAProxy and Keepalived
1. Install keepalived
yum install keepalived -y
2. keepalived configuration file
# keepalived configuration on HAProxy01 #
global_defs {
    router_id HAProxy-HA01
}

vrrp_instance HAProxy_1 {
    state MASTER
    interface eth0
    virtual_router_id 55
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.19.5.16/24
        172.19.5.17/24
    }
}

# keepalived configuration on HAProxy02 #
global_defs {
    router_id HAProxy-HA02
}

vrrp_instance HAProxy_1 {
    state BACKUP
    interface eth0
    virtual_router_id 55
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.19.5.16/24
        172.19.5.17/24
    }
}
3. Use tcpdump to check the advertisements sent by the master
[root@haproxy01 ~]# tcpdump -n 'host 224.0.0.18'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:22:52.240031 IP 172.19.5.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 150, authtype simple, intvl 1s, length 24
16:22:53.241106 IP 172.19.5.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 150, authtype simple, intvl 1s, length 24
16:22:54.242203 IP 172.19.5.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 150, authtype simple, intvl 1s, length 24
16:22:55.243301 IP 172.19.5.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 150, authtype simple, intvl 1s, length 24
16:22:56.244382 IP 172.19.5.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 150, authtype simple, intvl 1s, length 24
16:22:57.245453 IP 172.19.5.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 150, authtype simple, intvl 1s, length 24
16:22:58.245809 IP 172.19.5.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 150, authtype simple, intvl 1s, length 24
16:22:59.246893 IP 172.19.5.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 150, authtype simple, intvl 1s, length 24
16:23:00.247984 IP 172.19.5.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 150, authtype simple, intvl 1s, length 24
16:23:01.249098 IP 172.19.5.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 150, authtype simple, intvl 1s, length 24
4. Test keepalived high availability and failover
① Test access through the VIPs
[root@m01 ~]# curl 172.19.5.16
http01
[root@m01 ~]# curl 172.19.5.16
http02
[root@m01 ~]# curl 172.19.5.17
http01
[root@m01 ~]# curl 172.19.5.17
http02
② Check the VIPs on haproxy01
[root@haproxy01 ~]# ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:63:31:57:80:01 brd ff:ff:ff:ff:ff:ff
    inet 172.19.5.3/24 brd 172.19.5.255 scope global eth0
    inet 172.19.5.16/24 scope global secondary eth0
    inet 172.19.5.17/24 scope global secondary eth0
    inet6 fe80::63:31ff:fe57:8001/64 scope link
       valid_lft forever preferred_lft forever
③ Stop the keepalived service on haproxy01
[root@haproxy01 ~]# /etc/init.d/keepalived stop
Stopping keepalived: [ OK ]
④ Check the VIPs on haproxy02
[root@haproxy02 ~]# ip a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether f6:4f:56:db:f5:d8 brd ff:ff:ff:ff:ff:ff
    inet 172.19.5.4/24 brd 172.19.5.255 scope global eth0
    inet 172.19.5.16/24 scope global secondary eth0
    inet 172.19.5.17/24 scope global secondary eth0
    inet6 fe80::f44f:56ff:fedb:f5d8/64 scope link
       valid_lft forever preferred_lft forever
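An added example (not from the original post): a check over "tcpdump -n" output like that in step 3 which reports the node currently advertising for a virtual router, the moment the master changed during the failover test, and any advertisement from an address outside the expected pair. "authtype simple" in the capture means the auth_pass value is carried unencrypted in every advertisement, which is why the source check is worth keeping. The function names and the last two capture lines are constructed.

```sh
# First two lines are from the capture in step 3; the last two are constructed
# to represent haproxy02 taking over after keepalived is stopped on haproxy01.
sample_capture() { cat <<'EOF'
16:22:52.240031 IP 172.19.5.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 150, authtype simple, intvl 1s, length 24
16:22:53.241106 IP 172.19.5.3 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 150, authtype simple, intvl 1s, length 24
16:30:01.100000 IP 172.19.5.4 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 100, authtype simple, intvl 1s, length 24
16:30:02.100000 IP 172.19.5.4 > 224.0.0.18: VRRPv2, Advertisement, vrid 55, prio 100, authtype simple, intvl 1s, length 24
EOF
}

# vrrp_check VRID ALLOWED_IP...: read "tcpdump -n" lines on stdin and print
#   UNEXPECTED_SOURCE <ip> prio=<n>    once per sender not in the allowed list
#   MASTER_CHANGE <time> <old> -> <new>   whenever the advertising node changes
#   MASTER <ip> prio=<n> authtype=<t>     for the last advertisement seen
vrrp_check() {
    vrid=$1; shift
    awk -v vrid="$vrid" -v allowed="$*" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $4 == ">" && $5 == "224.0.0.18:" && $6 ~ /^VRRP/ {
        gsub(/,/, "")                       # "vrid 55," -> "vrid 55"
        id = prio = auth = ""
        for (i = 7; i < NF; i++) {
            if ($i == "vrid")     id   = $(i + 1)
            if ($i == "prio")     prio = $(i + 1)
            if ($i == "authtype") auth = $(i + 1)
        }
        if (id != vrid) next                # another virtual router on the segment
        if (!($3 in ok) && !seen[$3]++)
            print "UNEXPECTED_SOURCE " $3 " prio=" prio
        if (master != "" && $3 != master)
            print "MASTER_CHANGE " $1 " " master " -> " $3
        master = $3; mprio = prio; mauth = auth
    }
    END { if (master != "") print "MASTER " master " prio=" mprio " authtype=" mauth }
    '
}
```

On a live node, pipe the capture into it, for example: tcpdump -n -c 20 'host 224.0.0.18' | vrrp_check 55 172.19.5.3 172.19.5.4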