Shulou(Shulou.com)06/03 Report--

Working with scen

If you want to implement an environment where haproxy reverse proxies four nginx nodes, nginx1 and nginx2 combine php to provide dynamic web services, and nginx3 and nginx4 provide static web services. As shown below:

Because the timeout-related settings in the default configuration file are unreasonable, it is recommended that you modify these times. In addition, some items that are recommended to be opened or closed should also be opened or closed as far as possible.

Haproxy configuration description

For more information about haproxy installation and configuration, see HaProxy installation and common commands.

Haproxy default configuration description # View the default haproxy.cfg configuration file cat / usr/local/haproxy/conf/haproxy.cfgglobal log 127.0.0.1 local2 # need to set / etc/rsyslog.conf plus local2 device logging level and log path chroot / usr/local/haproxy # here installed to / usr/local/haproxy by compilation Yum installation defaults to / var/lib/haproxy pidfile / var/run/haproxy.pid maxconn 4000 #, which is the maximum number of external connections at the front end. When proxying http, there is no problem that 1G free memory holds more than 20000 user haproxy group haproxy daemon stats socket / var/lib/haproxy/stats # enable dynamic viewing and management of haproxy status files # it is also recommended to set the spread-checks global item And the recommended percentage is defaults mode http # 7 layer http proxy between 2-5 There are also four layers of tcp agent log global option httplog # logging http requests, session information, etc. Option dontlognull # do not record empty connections in the log option http-server-close # backend recommends using http-server-close for dynamic applications When the backend is static, it is recommended to use http-keep-alive option forwardfor except 127.0.0.0 http-keep-alive option forwardfor except 8 # haproxy to add the "X-Forwarded-For" header field option redispatch # to the request sent to the backend when a backend down is dropped so that the haproxy cannot forward the request with cookie to the backend Forward it to other backend timeout http-request 10s # this is the maximum time to wait for the client to send a complete request. It should be set shorter to prevent flooding. If set to 2-3 seconds # haproxy always requires a request or response to be sent before it is processed or forwarded. The maximum time for timeout queue 1m # requests to be in queue, 1 minute is too long. Setting it to 10 seconds is a bit long. If you can't request resources in 10 seconds, the client will lose patience with timeout connect 10s # haproxy and the maximum time it takes for the server to establish a connection. Setting it to 1 second is enough. The establishment of a connection in the local area network is generally instantaneous timeout client 1m # and the timeout for the client to keep the idle connection, which can be slightly shorter in the case of high concurrency, and can be set to 10 seconds to release the timeout between the connection timeout server 1m # and the server to keep the idle connection as soon as possible. The connection in the local area network is very fast, so try to set it short, especially when concurrent. For example, set to 1-3 seconds timeout http-keep-alive 10s # and the maximum duration of persistent connection with the client. Priority is higher than timeout http-request, higher than timeout client timeout check 10s # and the time between the successful establishment of the connection and the final completion of the check by the back-end server (excluding the time to establish the connection, only the time it takes to read the check result), # can be set to be shorter. For example, 1-2 seconds maxconn 3000 # default and the maximum number of connections in the previous segment, but cannot exceed the maxconn hard limit in global

Description ⚠️:

(1) haproxy is a single-process, event-driven model software. The efficiency of single-process is already very good. It is not recommended to open multi-process / multi-instance.

(2) the maxconn instruction controls the maximum number of concurrent connections, which can be set in multiple places. Different locations represent different meanings:

The maxconn set in the global segment or frontend/listen/defaults segment represents the maximum number of concurrent connections with the client (that is, frontend). The value of the global segment is a hard limit, and the maxconn value of the frontend/listen/defaults segment cannot exceed the value of the global segment. When set in the server directive, it represents the maximum number of concurrent connections maintained by haproxy and a back-end server. The maximum concurrency of the front end (that is, the maxconn of the global segment) can be estimated based on memory. Haproxy maintains two caches for each connection, each about 16K, plus some additional data, a total of about 33-34K, so in theory, 1G of free memory can maintain 2W-2.5W pure HTTP concurrent connections (only in theory). If the agent is https, the maximum number of concurrency allowed is much smaller. The default value of the front-end maxconnis is 2000, which is necessary to increase it several times. In general, when proxying pure http services, if the backend can handle it in a timely manner, there will be no problem setting more than 20000 here. The above is only a rough estimate of the agent capacity. In actual settings, the frontend maxconn must be set according to the backend processing capacity and haproxy's own capabilities, otherwise the backend cannot be processed immediately if the frontend is connected. The sum of the maxconnvalues of all servers in the backend should be close to the maxconnvalue of the front end, and the waiting queue length maxqueue of the backend should also be considered when calculating the difference between the two. The maxconn of the static web server and the static server can be set larger. Configuration instructions for haproxy modified as needed: global log 127.0.0.1 local2 chroot / var/lib/haproxy pidfile / var/run/haproxy.pid maxconn 20000 user haproxy group haproxy daemon stats socket / var/lib/haproxy/stats spread-checks 2defaults mode httplog global option httplog Option dontlognull option http-server-close option forwardfor except 127.0.0.0/8 option redispatch timeout http-request 2s timeout queue 3s timeout connect 1s timeout client 10s timeout server 2s timeout http-keep-alive 10s timeout check 2s maxconn 18000 frontend http-in bind 0.0.0.0 80 # indicates that haproxy listens on all addresses The listening port defines access control for 80 mode http log global capture request header Host len 20 capture request header Referer len 60 #, indicating which server the url ends with .css .js .html .php to access # # ACL means access control list (access control list), which is used to define a set of blacklists or whitelists. Acl url_static path_beg-I / static / images / stylesheets acl url_static path_end-I .jpg .jpeg .gif .png .ico .bmp .css .js acl url_static path_end-I .html .htm .shtml .shtm .pdf .mp3 .mp4 .rm .rmvb .txt acl url_static path_end-I .zip .rar .gz .tgz .bz2 .tgz # usr_backend means using backend services If indicates that if the condition of url_static is met, it will be dispatched to this server. # use_backend static_group if url_static # will respond to the default dynamic page default_backend dynamic_groupbackend static_group balance roundrobin # haproxy reverse proxy scheduling algorithm of backend if it is not satisfied. If the backend is a static web, it is recommended to use the roundrobin algorithm. Option http-keep-alive # analyzes and processes all request and response (the default), using the http-keep-alive model when the back end is a static web or static cache server. Because of the fast response, it is expensive to establish tcp connections frequently. Http-reuse safe # enables haproxy connection reuse. Safe: this is the recommended strategy. Option httpchk GET / index.html # enables haproxy health check. This example is based on http protocol check. The tcp protocol is used by default for checking. If you want to check based on other protocols, you need to explicitly specify the object to be checked using the option instruction corresponding to the protocol. And the premise is that check must be specified in the server, which is the switch that controls whether it is checked or not. Http-check expect status 200 # uses http-check expect to specify that it is not considered healthy until the status code 200 is checked. If the http-check expect instruction is not specified, it is considered healthy to check based on the http protocol as long as the status code is 2xx or 3xx. Server staticsrv1 192.168.100.62 check rise 80 maxconn 5000 # check sets whether the health check function is enabled, and the time interval for the check, how many times the backend is considered offline after determining how many times it is unhealthy, and how many times it is successful that the backend is back online. Server staticsrv2 192.168.100.6380 check rise 1 maxconn 5000 # rise: set the number of times an offline server transitions from offline to normal in health check; # maxconn: specify the maximum number of concurrent connections accepted by this server If the number of connections to this server is higher than the value specified here, it will be placed in the request queue to wait for other connections to be released; backend dynamic_group cookie appsrv insert nocache # inserts a cookie into the response message to ensure that the scheduled server and client can maintain the session. Balance roundrobin # if the backend needs to maintain session information but does not use cookie, you can use the source address hash algorithm source to ensure that the same client is booted to the same back-end server. If you use cookie, you can use the roundrobin or leastconn algorithm. The source address hash algorithm is generally used as a last resort only when there is no way but when it has to be dispatched to the same back-end server. Option http-server-close # closes the connection to the server side after processing the first response, but the connection to the client remains. This mode is recommended for the dynamic application server group at the back end. The option httpchk GET / index.php # setting does a health check by getting index.php. Http-check expect status 200 # uses http-check expect to specify that it is not considered healthy until the status code 200 is checked. Server appsrv1 192.168.100.60 server appsrv1 80 check rise 1 maxconn 3000 cookie appsrv1 # cookie: sets the cookie value for the specified cookie. The value specified here will be checked when inbound is requested, and the server selected for this value for the first time will be selected in subsequent requests for the purpose of implementing persistent connections. Server appsrv2 192.168.100.61 maxconn 80 check rise 1 maxconn 3000 cookie appsrv2listen report_stats bind 0.0.0.0 maxconn 8081 # listening port stats refresh 30s # Statistics page automatic refresh time stats enable # enable management interface stats hide-version # hide the version information of HAProxy on the statistics page stats uri / hastats # Statistics page url stats realm "pls enter your name" # prompt text on the password box of the statistics page stats auth admin:admin # user name and password setting stats admin if TRUE # if you successfully log in, you can manage the Online server # definition error page # errorfile 403 / etc/haproxy/errorfiles/403.httperrorfile 500 / etc/haproxy/errorfiles/500.httperrorfile 502 / etc/haproxy/errorfiles/502.httperrorfile 503 / etc/haproxy/errorfiles/503.http

In the above configuration:

(1) static requests will be assigned to static_group and scheduled by roundrobin, and health check will be done by getting index.html. In addition, the functions of haproxy and back-end connection reuse are set up.

(2) the dynamic request will be assigned to dynamic_group and scheduled by roundrobin, but a cookie is inserted into the response message to ensure that the scheduled server and client can maintain the session. In addition, it is also set to do a health check by getting index.php. Configure nginx and php+php-fpm

Yum-y install nginx php php-fpm

In order to distinguish, the host source prompt for the response is added to the index.html file of nginx1/nginx2 and nginx3/nginx4, respectively, and the cookie entry is set in the php file. The contents of index.php are as follows:

Response from webapp 192.168.100.60

test. The content returned by the php page is roughly as follows:

Reference documentation

Haproxy configuration examples and issues to consider

HAProxy usage details the most detailed Chinese documents of the whole network

HAproxy (2) static and dynamic separation

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.