What is the function of haproxy and the principle of using keepalived?

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/01

This article explains in detail the functions of haproxy and the principle behind using keepalived. I hope you will have a solid understanding of both after reading it.

Functions that can be achieved by haproxy

Layer 4 load balancing, transparent proxy, layer 7 load balancing (session persistence, static and dynamic separation, multiple polling algorithms)

Install haproxy

CentOS 7 comes with HA-Proxy version 1.5:

    yum update -y && yum install epel* -y && yum update -y && yum install haproxy -y

Enable forwarding (haproxy is a load balancer based on NAT mode and needs the forwarding function of the system turned on)

    vim /etc/sysctl.conf
    net.ipv4.ip_forward = 1

    sysctl -p    # refresh configuration

Edit the configuration of haproxy

    vim /etc/haproxy/haproxy.cfg

The parameters are described in detail later. The following cases are implemented:

1: use tcp mode to proxy and load balance ssl
2: use http mode for simple web load balancing (using frontend and backend for load balancing, such as dynamic and static separation, is introduced later)
3: use the listen module to configure the overall monitoring page

Contents of the configuration file haproxy.cfg

    # global configuration
    global
        maxconn 20480                   # default maximum number of connections
        log 127.0.0.1 local3 notice
        chroot /var/lib/haproxy         # note: this path is not quite the same as in version 1.3
        user haproxy
        group haproxy
        daemon                          # run haproxy in the background
        nbproc 1                        # number of processes (several can be set to improve performance)
        pidfile /var/run/haproxy.pid    # pid file of haproxy; the user starting the process must be able to access it
        ulimit-n 65535                  # ulimit limit (number of file descriptors)

    defaults
        log global
        mode http                       # layer 7: http, layer 4: tcp
        maxconn 20480                   # maximum number of connections
        option httplog                  # log category: http log format
        option httpclose                # actively close the http channel after each request
        option dontlognull              # do not log health-check probes
        option forwardfor               # needed if back-end servers must see the client's real IP;
                                        # the client IP can then be read from the HTTP header
        option redispatch               # when the server matching a serverid dies, force the request to another healthy server.
                                        # With cookies, haproxy inserts the serverID of the chosen back-end server into the
                                        # cookie to keep the session persistent. If that server goes down the client's cookie
                                        # is not refreshed; with this option the request is forcibly directed to another
                                        # back-end server so that service continues.
        option abortonclose             # under high load, automatically end connections that have waited in the queue for a long time
        stats refresh 30                # statistics page refresh interval
        retries 3                       # a server is considered unavailable after 3 failed connections; can also be set later
        balance roundrobin              # default load balancing mode: round robin
        #balance source                 # default load balancing mode: similar to nginx's ip_hash
        #balance leastconn              # default load balancing mode: least connections
        timeout connect 10s             # connection timeout; note that these keywords differ from versions 1.3 and 1.4
        timeout client 1m               # client timeout
        timeout server 1m               # server timeout
        timeout http-keep-alive 10s
        timeout check 10s               # heartbeat check timeout

    listen jiankong *:80                # use the listen module to configure the overall monitoring page
        description web-jiqun
        mode http                       # http layer 7 mode
        log 127.0.0.1 local3 err        # error logging
        stats refresh 5s                # automatically refresh the monitoring page
        stats uri /admin                # URL of the monitoring page
        stats realm itnihao\ itnihao    # prompt text of the monitoring page
        stats auth admin:admin          # user and password of the monitoring page; several users can be set
        stats auth admin1:admin1        # user and password of the monitoring page (admin1)
        stats hide-version              # hide the HAProxy version on the statistics page
        stats admin if TRUE             # manually enable/disable back-end servers (haproxy 1.4.9 and later)
        # HAProxy logging content settings
        capture request header Host len 40
        capture request header Content-Length len 10
        capture request header Referer len 200
        capture response header Server len 40
        capture response header Content-Length len 10
        capture response header Cache-Control len 8

    listen web *:100                    # use http mode for a simple web load balancer
        description web
        mode http
        balance roundrobin
        server web1 192.168.10.188:80 check inter 1500 rise 3 fall 3 weight 1
        server web2 192.168.10.153:80 check inter 1500 rise 3 fall 3 weight 1

    listen ssl *:200                    # use tcp mode to proxy and load balance ssl
        description ssl-web
        mode tcp
        balance roundrobin
        server web1 192.168.10.188:22
        server web2 192.168.10.153:22
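The monitoring page in the configuration above listens on every interface, protects `/admin` with passwords equal to the user names, and lets every authenticated user enable or disable back-end servers. The audit script below is an added example, not part of the original article or of haproxy: the function names are hypothetical, both sample configs are constructed (the first mirrors the `listen jiankong` section), and the hardened values (loopback bind, port 8404, user `ops`) are assumptions.

```shell
#!/bin/sh
# Added example: flag risky stats-page settings in an haproxy config.

# audit_haproxy_stats FILE -> one finding per line: <line>:<code>:<detail>
audit_haproxy_stats() {
    awk '
    { sub(/[ \t]*#.*/, "") }                         # drop comments
    $1 ~ /^(global|defaults|listen|frontend|backend)$/ {
        section = $1 " " $2; wide = 0                # new section: reset state
        if ($3 ~ /^([*]|0[.]0[.]0[.]0)?:/) wide = NR # "listen name *:80" form
        next
    }
    $1 == "bind" && $2 ~ /^([*]|0[.]0[.]0[.]0)?:/ { wide = NR }
    $1 == "stats" && $2 == "uri" && wide {
        print NR ":WIDE_BIND:" section " serves " $3 " on all interfaces (bound at line " wide ")"
    }
    $1 == "stats" && $2 == "auth" {
        n = index($3, ":"); user = substr($3, 1, n - 1); pass = substr($3, n + 1)
        if (user == pass) print NR ":WEAK_AUTH:" section " user " user " has the user name as password"
    }
    $1 == "stats" && $2 == "admin" && toupper($4) == "TRUE" {
        print NR ":ADMIN_ALWAYS:" section " lets every authenticated user enable or disable servers"
    }
    ' "$1"
}

# Constructed sample mirroring the "listen jiankong" section of the article.
weak_stats_cfg() {
    cat <<'EOF'
listen jiankong *:80
    mode http
    stats uri /admin
    stats realm itnihao\ itnihao
    stats auth admin:admin
    stats auth admin1:admin1
    stats hide-version
    stats admin if TRUE
EOF
}

# Constructed hardened variant (all values are assumptions): loopback-only
# bind, one non-default account, admin actions limited to local clients.
hardened_stats_cfg() {
    cat <<'EOF'
listen stats
    bind 127.0.0.1:8404
    mode http
    stats uri /admin
    stats auth ops:REPLACE_WITH_LONG_RANDOM_SECRET
    stats hide-version
    stats admin if LOCALHOST
EOF
}

# Demo: audit both samples; only the first one produces findings.
for cfg in weak_stats_cfg hardened_stats_cfg; do
    tmp=$(mktemp); "$cfg" > "$tmp"
    echo "== $cfg"; audit_haproxy_stats "$tmp"; rm -f "$tmp"
done
```

Run the function against `/etc/haproxy/haproxy.cfg` before each reload; no output means none of the three conditions was found.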

Configure log for haproxy to achieve the function of logging

    vim /etc/rsyslog.conf    # add the following line to this file
    local3.*    /var/log/haproxy.log

Restart the rsyslog service

    systemctl restart rsyslog
    haproxy -f /etc/haproxy/haproxy.cfg -c    # check whether the specified configuration is correct
    haproxy -f /etc/haproxy/haproxy.cfg -D    # start with the specified configuration file

After starting haproxy, check whether the file /var/log/haproxy.log exists. If not, consider disabling SELinux.

Install keepalived

Keepalived can not only achieve high availability (control vip drift), but also achieve load balancing. We only need it to achieve vip drift here. Keepalived is installed using source code downloaded from the official website.

First install the dependency:

    yum install openssl-devel.x86_64 -y

Download address: http://www.keepalived.org/

    ./configure    # if this step goes wrong, openssl-devel.x86_64 is probably not installed
    make -j4
    make install

(Note: try not to add a prefix parameter when compiling, because keepalived reads its configuration from the default path /etc/keepalived/keepalived.conf at startup. If the path or file does not exist, the VIP cannot be bound.)

After installation, the configuration files need to be copied to /etc:

    cp /usr/local/etc/keepalived /etc -r

The principle of realizing HA with keepalived

Keepalived uses the VRRP protocol: MASTER keeps sending heartbeats to BACKUP; if BACKUP does not receive the heartbeats, it takes over the VIP.

Keepalived configuration file (master and standby): vim /etc/keepalived/keepalived.conf (Note: between the master and standby nodes, only state MASTER and priority 100 need to be changed)

Keepalived does not check the correctness of syntax when starting, so you need to pay special attention to the configuration syntax.

    # global definition section
    global_defs {
        notification_email {
            root@wsfnk.com              # email alarm addresses; more than one can be set, one per line
            112323250@qq.com
        }
        notification_email_from Alexandre.Cassen@firewall.loc   # sender address
        smtp_server 192.168.200.1       # smtp server
        smtp_connect_timeout 30         # timeout for connecting to the smtp server
        router_id LVS_DEVEL             # identifier of the server running keepalived; shown in the subject of notification mails
        vrrp_skip_check_adv_addr
        vrrp_strict
        vrrp_garp_interval 0
        vrrp_gna_interval 0
    }

    vrrp_script chk_http_port {         # define a script to check haproxy
        script "/root/check_haproxy.sh"
        interval 2
        weight 2
    }

    # vrrp instance definition section
    vrrp_instance VI_1 {
        state MASTER                    # role: MASTER on the primary, BACKUP on the standby
        interface eth0                  # interface of the HA monitoring network; the device name must match the system
        virtual_router_id 51            # virtual router id, a number; one unique id per vrrp instance
        priority 100                    # priority: the higher the number, the higher the priority; the master must be set higher than the backup
        advert_int 1                    # heartbeat interval between the keepalived master and backup nodes (in seconds)
        authentication {                # authentication type and password
            auth_type PASS              # authentication type: PASS and AH
            auth_pass 1111              # authentication password; master and backup of the same vrrp instance must use the same password to communicate
        }
        track_script {
            chk_http_port               # call the script defined above to check haproxy
        }
        virtual_ipaddress {             # virtual ip; several can be set, one per line
            192.168.200.16
            192.168.200.18
        }
    }
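Because keepalived loads this file without reporting syntax mistakes, a pre-flight check before starting it catches the common ones. The script below is an added example, not from the original article or the keepalived project: `lint_keepalived` and `broken_keepalived_conf` are hypothetical names, and the sample config is constructed with three deliberate mistakes. The checks cover only brace balance, `track_script` names without a matching `vrrp_script`, and missing per-instance keys.

```shell
#!/bin/sh
# Added example: pre-flight lint for keepalived.conf, which keepalived
# loads without reporting syntax mistakes (as noted above).

# lint_keepalived FILE -> one finding per line; no output means the file passed.
lint_keepalived() {
    awk '
    { sub(/[ \t]*[#!].*/, "") }                      # comments start with # or !
    {   # track block nesting
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (depth < 0) { print "BRACE:line " NR " closes a block that was never opened"; depth = 0 }
    }
    $1 == "vrrp_script"   { defined[$2] = 1 }
    $1 == "vrrp_instance" { inst = $2; instances[inst] = NR }
    inst != "" && $1 ~ /^(state|interface|virtual_router_id|priority)$/ { have[inst, $1] = 1 }
    in_track && $1 != "" && $1 != "}" { tracked[$1] = NR }   # names inside track_script
    $1 == "track_script"  { in_track = 1 }
    in_track && /[}]/     { in_track = 0 }
    END {
        if (depth > 0) print "BRACE:" depth " block(s) still open at end of file"
        for (s in tracked) if (!(s in defined))
            print "SCRIPT:line " tracked[s] " tracks " s ", but no vrrp_script " s " is defined"
        n = split("state interface virtual_router_id priority", need, " ")
        for (i in instances) for (k = 1; k <= n; k++) if (!((i, need[k]) in have))
            print "KEY:vrrp_instance " i " has no " need[k]
    }
    ' "$1"
}

# Constructed sample with three deliberate mistakes: the tracked script name
# does not match the vrrp_script, virtual_router_id is missing, and the
# virtual_ipaddress block is never closed.
broken_keepalived_conf() {
    cat <<'EOF'
vrrp_script chk_http_port {
    script "/root/check_haproxy.sh"
    interval 2
    weight 2
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    priority 100
    advert_int 1
    track_script {
        chk_haproxy
    }
    virtual_ipaddress {
        192.168.200.16
}
EOF
}

# Demo: lint the broken sample and print the three findings.
tmp=$(mktemp); broken_keepalived_conf > "$tmp"
lint_keepalived "$tmp"; rm -f "$tmp"
```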

Keepalived controls the startup of haproxy

With the following script, haproxy is started on the master and on the backup whenever keepalived starts there. As long as keepalived keeps running, haproxy is kept running as well. The VIP carries the traffic, so starting haproxy on both nodes has no side effect; you only need to monitor it well. You can of course improve on this.

    cd /root
    vim check_haproxy.sh

    #!/bin/bash
    # start haproxy if it is not running
    if [ $(ps -C haproxy --no-header | wc -l) -eq 0 ]; then
        /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -D
    fi
    sleep 2
    # if haproxy is still not running, stop keepalived so that the VIP moves to the other node
    if [ $(ps -C haproxy --no-header | wc -l) -eq 0 ]; then
        systemctl stop keepalived    # assumes keepalived runs as a systemd unit
    fi

    chmod +x check_haproxy.sh

Start keepalived:

    systemctl start keepalived    # assumes keepalived runs as a systemd unit

★★★ You can stop here. If you want to delve deeper into haproxy and keepalived, the following are annotated configuration examples. First the configuration of haproxy, mainly listen, acl, frontend and backend.

    # global configuration
    # these parameters are process-level, usually related to the operating system (OS)
    global

    # default global settings
    # these parameters can be configured in the frontend, backend and listen components
    defaults

    # website monitoring: listen configuration
    # this usage is mainly for monitoring the status of haproxy back-end servers
    listen site_status
        bind 0.0.0.0:1081                       # listening port
        mode http                               # http layer 7 mode
        log 127.0.0.1 local3 err                # [err warning info debug]
        monitor-uri /site_status                # health-check URL; checks whether the website managed by HAProxy is available,
                                                # returns 200 when normal and 503 when abnormal
        acl site_dead nbsrv(server_web) lt 2    # site-down policy: true when the number of valid servers in the named backend is less than 2
        acl site_dead nbsrv(server_blog) lt 2
        acl site_dead nbsrv(server_bbs) lt 2
        monitor fail if site_dead               # returns 503 when the policy is met; the online document says 500, the actual test gives 503
        monitor-net 192.168.16.2/32             # requests from 192.168.16.2 are not logged or forwarded
        monitor-net 192.168.16.3/32

    # frontend configuration
    # note: multiple acls can be defined in the frontend configuration for matching
    frontend http_80_in
        bind 0.0.0.0:80                         # listening port, i.e. the port on which haproxy provides web service, similar to the vip port of lvs
        mode http                               # http layer 7 mode
        log global                              # apply the global log configuration
        option httplog                          # enable http log
        option httpclose                        # actively close the http channel after each request; HA-Proxy does not support keep-alive mode
        option forwardfor                       # needed if back-end servers must see the client's real IP;
                                                # the client IP can then be read from the HTTP header

        # acl policy configuration
        acl itnihao_web hdr_reg(host) -i ^(www.itnihao.cn|ww1.itnihao.cn)$
                                                # true if the requested domain matches one of the two domains in the regular expression; -i ignores case
        acl itnihao_blog hdr_dom(host) -i blog.itnihao.cn
                                                # true if the requested domain is blog.itnihao.cn; -i ignores case
        #acl itnihao hdr(host) -i itnihao.cn    # true if the requested domain is itnihao.cn; -i ignores case
        #acl file_req url_sub -i killall=       # true if the request url contains killall=, otherwise false
        #acl dir_req url_dir -i allow           # true if allow is part of the address path in the request url, otherwise false
        #acl missing_cl hdr_cnt(Content-length) eq 0    # true if the Content-length in the request header equals 0
        acl url_static path_beg -i /static /images /javascript /stylesheets
        acl url_static path_end -i .jpg .gif .png .css .js
        #use_backend static if url_static
        #default_backend app

        # acl policy matching
        #block if missing_cl                    # block the request and return 403 when Content-length in the header equals 0
        #block if !file_req || dir_req          # block means rejecting the request with a 403 error; here the request is blocked
                                                # if the policy file_req is not satisfied or the policy dir_req is satisfied
        use_backend server_web if itnihao_web   # use the server_web backend when the policy itnihao_web is satisfied
        use_backend server_blog if itnihao_blog # use the server_blog backend when the policy itnihao_blog is satisfied
        #redirect prefix http://blog.itniaho.cn code 301 if itnihao
                                                # when accessing itnihao.cn, use an http 301 to redirect to http://192.168.16.3
        default_backend server_bbs              # use the default server_bbs backend when no policy is satisfied

    # backend settings
    # three groups of servers are set up below: server_web, server_blog, server_bbs

    # backend server_web
    backend server_web
        mode http                               # http layer 7 mode
        balance roundrobin                      # load balancing mode: roundrobin (even distribution)
        cookie SERVERID                         # allows the serverid to be inserted into the cookie; the serverid is defined on the server lines
        option httpchk GET /index.html          # heartbeat check file
        server web1 192.168.16.2:80 cookie web1 check inter 1500 rise 3 fall 3 weight 1
        # server definition: cookie web1 sets the serverid to web1, check inter 1500 is the heartbeat check interval,
        # rise 3 means the server is considered available after 3 successful checks,
        # fall 3 means it is considered unavailable after 3 failures, weight is the weight
        server web2 192.168.16.3:80 cookie web2 check inter 1500 rise 3 fall 3 weight 2
        # same as above with serverid web2

    # backend server_blog
    backend server_blog
        mode http                               # http layer 7 mode
        balance roundrobin                      # load balancing mode: roundrobin (even distribution)
        cookie SERVERID                         # allows the serverid to be inserted into the cookie; the serverid is defined on the server lines
        option httpchk GET /index.html          # heartbeat check file
        server blog1 192.168.16.2:80 cookie blog1 check inter 1500 rise 3 fall 3 weight 1
        # server definition: cookie blog1 sets the serverid to blog1; check inter, rise, fall and weight as above
        server blog2 192.168.16.3:80 cookie blog2 check inter 1500 rise 3 fall 3 weight 2
        # same as above with serverid blog2

    # backend server_bbs
    backend server_bbs
        mode http                               # http layer 7 mode
        balance roundrobin                      # load balancing mode: roundrobin (even distribution)
        cookie SERVERID                         # allows the serverid to be inserted into the cookie; the serverid is defined on the server lines
        option httpchk GET /index.html          # heartbeat check file
        server bbs1 192.168.16.2:80 cookie bbs1 check inter 1500 rise 3 fall 3 weight 1
        # server definition: cookie bbs1 sets the serverid to bbs1; check inter, rise, fall and weight as above
        server bbs2 192.168.16.3:80 cookie bbs2 check inter 1500 rise 3 fall 3 weight 2
        # same as above with serverid bbs2

The following is a detailed description of the parameters of keepalived

    # global definition section
    global_defs {
        notification_email {
            root@wsfnk.com              # email alarm addresses; more than one can be set, one per line
            1123323230@qq.com
        }
        notification_email_from Alexandre.Cassen@firewall.loc   # sender address
        smtp_server 192.168.200.1       # smtp server
        smtp_connect_timeout 30         # timeout for connecting to the smtp server
        router_id LVS_DEVEL             # identifier of the server running keepalived; shown in the subject of notification mails
        vrrp_skip_check_adv_addr
        vrrp_strict
        vrrp_garp_interval 0
        vrrp_gna_interval 0
    }

    vrrp_script chk_http_port {         # define a script to check haproxy
        script "/root/check_haproxy.sh"
        interval 2
        weight 2
    }

    # vrrp instance definition section
    vrrp_instance VI_1 {
        state MASTER                    # role: MASTER on the primary, BACKUP on the standby
        interface eth0                  # interface of the HA monitoring network; the device name must match the system
        virtual_router_id 51            # virtual router id, a number; one unique id per vrrp instance
        priority 100                    # priority: the higher the number, the higher the priority; the master must be set higher than the backup
        advert_int 1                    # heartbeat interval between the keepalived master and backup nodes (in seconds)
        authentication {                # authentication type and password
            auth_type PASS              # authentication type: PASS and AH
            auth_pass 1111              # authentication password; master and backup of the same vrrp instance must use the same password to communicate
        }
        track_script {
            chk_http_port               # call the script defined above to check haproxy
        }
        virtual_ipaddress {             # virtual ip; several can be set, one per line
            192.168.200.16
            192.168.200.18
        }
    }

    # virtual server definition section
    virtual_server 192.168.200.100 443 {    # virtual server: virtual ip and port, separated by a space
        delay_loop 6                    # health-check interval, in seconds
        lb_algo rr                      # load scheduling algorithm; rr is round robin
        lb_kind NAT                     # LVS load balancing mechanism: NAT, TUN or DR
        persistence_timeout 50          # session persistence time, in seconds. Very useful for dynamic web pages and a good
                                        # solution for session sharing in the cluster. With session persistence, a user's requests
                                        # keep going to the same server until the persistence time is exceeded. Note that this
                                        # time is the maximum idle timeout: if the user performs no action on a dynamic page
                                        # within 50 seconds, the session is considered timed out and later operations are
                                        # distributed to other nodes.
        protocol TCP                    # protocol to forward: TCP or UDP
        real_server 192.168.201.100 443 {   # service node 1: real ip and port of the real_server
            weight 1                    # weight: the larger the number, the higher the weight; a server with good performance can be set larger
            SSL_GET {
                url {
                    path /
                    digest ff20ad2481f97b1754ef3e12ecd3a9cc
                }
                url {
                    path /mrtg/
                    digest 9b3a0c85a887a256d6939da88aabd8cd
                }
                connect_timeout 3       # liveness test: no response within 3 seconds counts as a timeout (in seconds)
                nb_get_retry 3          # number of retries
                delay_before_retry 3    # interval between retries
            }
        }
    }

    virtual_server 10.10.10.3 1358 {
        delay_loop 3
        lb_algo rr
        lb_kind NAT
        persistence_timeout 50
        protocol TCP
        real_server 192.168.200.4 1358 {
            weight 1
            HTTP_GET {
                url {
                    path /testurl/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                url {
                    path /testurl2/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                url {
                    path /testurl3/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
            }
        }
        real_server 192.168.200.5 1358 {
            weight 1
            HTTP_GET {
                url {
                    path /testurl/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                url {
                    path /testurl2/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                url {
                    path /testurl3/test.jsp
                    digest 640205b7b0fc66c1ea91c463fac6334d
                }
                connect_timeout 3
                nb_get_retry 3
                delay_before_retry 3
            }
        }
    }

That is all on the functions of haproxy and how keepalived is used. I hope the above content is of some help to you.
