
Advanced applications of HAProxy (1)

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

HAProxy advanced application


Overview:

This chapter continues the previous chapter's coverage of the parameters of the haproxy proxy configuration section, as follows:

ACL (access control list)

Layer 4 detection mechanism: dst, dst_port, src, src_port

Layer 7 detection mechanism: path, req.hdr, res.hdr

Parameters related to HTTP-layer access control: block, http-request

Parameters related to TCP-layer access control


10. Modify the headers of the request or response message:

★ option forwardfor [except <network>] [header <name>] [if-none]

⊙ function:

HAProxy adds an "X-Forwarded-For" header to the request message before sending it to the backend host; its value is the client address.

⊙ scope: can be used in all sections (defaults, frontend, listen, backend)

⊙ parameters:

[except <network>]: do not add the header for requests coming from the given source network, such as local access

[header <name>]: use a custom header name instead of X-Forwarded-For

[if-none]: add the header only when the request does not already carry one. This keeps whatever header the client sent itself, so it is only appropriate when every upstream source is trusted.

Examples:

# Public HTTP address also used by stunnel on the same machine
frontend www
    mode http
    option forwardfor except 127.0.0.1  # stunnel already adds the header

# Those servers want the IP Address in X-Client
backend www
    mode http
    option forwardfor header X-Client

★ Add or delete headers of request and response messages

⊙ reqadd <string> [{if | unless} <cond>]

Add a header to the request message

⊙ rspadd <string> [{if | unless} <cond>]

Add a header to the response message

⊙ reqdel <search> [{if | unless} <cond>]

reqidel <search> [{if | unless} <cond>] (same, but ignores case)

Delete the request headers matching the regular expression <search>

⊙ rspdel <search> [{if | unless} <cond>]

rspidel <search> [{if | unless} <cond>] (same, but ignores case)

Delete the response headers matching the regular expression <search>

Note:

The directives for adding or removing request and response headers can be used in the frontend, listen, and backend sections

Demonstration 1: HAProxy adds an "X-Forwarded-For" header to the request message before sending it to the backend host

1. First, edit the haproxy configuration file so that X-Forwarded-For is added to all request messages except those from the local machine. The header records the client address and is passed on to the backend server, as follows:

2. Edit the configuration file /etc/httpd/conf/httpd.conf of the httpd service on the backend server RS1 and modify the log format so that it records the X-Forwarded-For value, as follows:

3. Start the RS1 backend host, access it through the proxy in a browser, and view the log on RS1: the address recorded is the user's remote address, not the haproxy proxy address.

[root@centos7] # tail -5 /var/log/httpd/access_log
192.168.1.105 - - [21/Nov/2016:23:48:54 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
192.168.1.105 - - [21/Nov/2016:23:49:39 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
192.168.1.105 - - [21/Nov/2016:23:50:29 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
192.168.1.105 - - [21/Nov/2016:23:50:30 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
192.168.1.105 - - [21/Nov/2016:23:50:30 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"

-

Demo 2:

1. Add a header to the response message sent to the client, indicating that the response was forwarded through haproxy, as follows:

Reload the haproxy service and request the page to view the header information, as follows:

[root@centos7] # curl -I http://192.168.1.111
HTTP/1.1 200 OK
Date: Mon, 21 Nov 2016 16:31:02 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Fri, 18 Nov 2016 16:09:35 GMT
ETag: "1a-54195883a68b2"
Accept-Ranges: bytes
Content-Length: 26
Content-Type: text/html; charset=UTF-8
X-Via: HAProxy/1.5

2. Delete the Server header from the response message by editing the configuration file as follows:

Reload the haproxy service, request the page again and view the header information: the Server header has been removed, as follows:

[root@centos7] # curl -I http://192.168.1.111
HTTP/1.1 200 OK
Date: Mon, 21 Nov 2016 16:33:59 GMT
Last-Modified: Fri, 18 Nov 2016 16:09:35 GMT
ETag: "1a-54195883a68b2"
Accept-Ranges: bytes
Content-Length: 26
Content-Type: text/html; charset=UTF-8
X-Via: HAProxy/1.5
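The configuration behind the two demonstrations above, written out as an added example (it is not the article's own configuration, which was shown only as screenshots): it combines option forwardfor, rspadd and rspidel in one frontend and adds the step a practitioner would want, discarding a client-supplied X-Forwarded-For before the proxy appends the real address. Assumptions: the proxy binds 192.168.1.111:80 (the address in the curl output), backend RS1 at 192.168.1.112 is a placeholder, and the timeout values are illustrative.

```haproxy
# Added example, not the article's own configuration. Assumed addresses:
# the proxy binds 192.168.1.111:80 (the address in the curl output above);
# backend RS1 at 192.168.1.112 is a placeholder.
global
    log 127.0.0.1 local2
    daemon

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind 192.168.1.111:80
    # Defensive step: discard any X-Forwarded-For the client sent itself.
    # option forwardfor adds a new X-Forwarded-For line after any existing
    # one rather than replacing it, so without this line RS1 would log the
    # client's own (unverified) value ahead of the address HAProxy saw.
    reqidel ^X-Forwarded-For:.*
    # Demo 1: append the real client address, except for local tests
    option forwardfor except 127.0.0.1
    # Demo 2, step 1: tag every response as having passed through the proxy
    rspadd X-Via:\ HAProxy/1.5
    # Demo 2, step 2: strip the Apache/PHP version banner from responses
    rspidel ^Server:.*
    default_backend www

backend www
    server rs1 192.168.1.112:80 check
```

For RS1 to record the forwarded address, the httpd LogFormat would replace %h with %{X-Forwarded-For}i, for example `LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined` (an assumed line, since the article's own edit is not shown). Reload with `systemctl reload haproxy` after each change.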

11. Timeout:

★ timeout client:

Function: sets the maximum inactive duration of the client connection. The default unit is millisecond.

★ timeout server

Function: sets the maximum inactive duration of the server connection. The default unit is millisecond.

★ timeout connect

Function: the timeout when establishing a connection to the server

★ timeout http-keep-alive

Function: maximum time to wait for a new request on an idle client keep-alive connection. The default unit is ms.

★ timeout client-fin

Function: inactivity timeout on the client side after the client has half-closed the connection (sent FIN)

★ timeout server-fin

Function: inactivity timeout on the server side after the server has half-closed the connection

12. ACL (access control list)

★ syntax format:

acl <aclname> <criterion> [flags] [operator] [<value>] ...

⊙ <aclname>:

ACL names must be formed from upper and lower case letters, digits, '-' (dash), '_' (underscore), '.' (dot) and ':' (colon). ACL names are case-sensitive.

⊙ <value> type:

- boolean

- integer or integer range

- IP address / network

- string (exact, substring, suffix, prefix, subdir, domain)

- regular expression

- hex block

⊙ [flags]

-i: ignore character case when matching the pattern (the most commonly used flag)

-f: load patterns from a file

-m: use a specific pattern matching method

-n: forbid DNS resolutions

-M: load the file pointed to by -f like a map file

-u: force the unique id of the ACL

--: force end of flags; useful when a string looks like one of the flags

⊙ [operator]

◆ numeric matching:

eq: true if the tested value equals at least one value

ge: true if the tested value is greater than or equal to at least one value

gt: true if the tested value is greater than at least one value

le: true if the tested value is less than or equal to at least one value

lt: true if the tested value is less than at least one value

◆ string matching:

- exact match (-m str): the whole string must match

- substring match (-m sub): the pattern appears anywhere in the string

- prefix match (-m beg): the string starts with the pattern

- suffix match (-m end): the string ends with the pattern

- subdir match (-m dir): the pattern matches a complete path component between '/' delimiters

- domain match (-m dom): the pattern matches a complete domain label between '.' delimiters

⊙ logical combination of conditions

- AND (implicit between ACL names)

- OR (explicit with the "or" keyword or the "||" operator)

- Negation with the exclamation mark (!)

★ <criterion>:

⊙ layer 4 detection mechanism:

dst: ip (destination address)

dst_port: integer (destination port)

src: ip (source address)

src_port: integer (source port)

⊙ block {if | unless} <condition>

Function: block a layer 7 request when the condition is matched (HAProxy answers with a 403 response)

Example:

acl invalid_src  src          0.0.0.0/7 224.0.0.0/3
acl invalid_src  src_port     0:1023
acl local_dst    hdr(host) -i localhost
block if invalid_src || local_dst

Demo:

1. Block requests whose source ip is 10.1.250.25 (the browser address); edit the configuration file as follows:

Reload the haproxy service; in the browser, access is now denied.

Using the curl command on the local machine, the site can still be accessed normally, which shows that only requests from the ip 10.1.250.25 are denied.

[root@centos7 haproxy] # curl http://10.1.252.153
Backend Server 1
[root@centos7 haproxy] # curl http://10.1.252.153
Backend Server 1
[root@centos7 haproxy] # curl http://10.1.252.153
Backend Server 2

-

2. Only the browser (10.1.250.25) may access port 8080; edit the configuration file as follows:

Reload the haproxy service; in the browser, port 8080 can be accessed normally.

Using the curl command on the local machine to access port 8080, access is denied, as follows:

[root@centos7 haproxy] # curl http://10.1.252.153:8080
403 Forbidden
Request forbidden by administrative rules.
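An added example (not the article's configuration, which was shown only as screenshots) that puts section 12 together: the ACL syntax, the block directive and both demos above in one file, with the manual's invalid-source ACLs folded in. Assumptions: the proxy is 10.1.252.153 and the browser is 10.1.250.25 as in the demos; backend addresses 10.1.252.154 and 10.1.252.155 are placeholders. The commented http-request deny line is the form to use on HAProxy 2.1 and later, where block and the req*/rsp* directives were removed.

```haproxy
# Added example, not the article's own configuration. Assumed addresses:
# proxy 10.1.252.153 and browser 10.1.250.25 are taken from the demos;
# backend servers 10.1.252.154 and 10.1.252.155 are placeholders.
defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Demo 1: requests from the browser address are refused with 403,
# every other client (e.g. curl on the proxy host) reaches the backends
frontend web
    bind 10.1.252.153:80
    acl browser_src src 10.1.250.25
    # From the HAProxy manual's example: unroutable sources and
    # privileged source ports are never legitimate web clients
    acl invalid_src src      0.0.0.0/7 224.0.0.0/3
    acl invalid_src src_port 0:1023
    block if browser_src || invalid_src
    # Equivalent rule on HAProxy 2.1 and later, where "block" no longer exists:
    # http-request deny if browser_src || invalid_src
    default_backend webservers

# Demo 2: port 8080 is only reachable from the browser address,
# and only when the Host header names the proxy's own address
listen restricted
    bind 10.1.252.153:8080
    acl trusted_src src 10.1.250.25
    acl own_host    hdr(host) -i -m beg 10.1.252.153
    # Implicit AND between the two ACL names: both must match to pass
    block unless trusted_src own_host
    server rs1 10.1.252.154:80 check

backend webservers
    balance roundrobin
    server rs1 10.1.252.154:80 check
    server rs2 10.1.252.155:80 check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; a denied request is answered by HAProxy itself with the 403 page shown above and never reaches a backend.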
