1. HAProxy with HTTPS support:
HOST: 172.20.222.2
Create two httpd containers with docker: 172.17.0.2; 172.17.0.3
Pull the image: docker pull httpd:2.4.37-alpine
docker run --name web1 -d --network bridge httpd:2.4.37-alpine
docker run --name web2 -d --network bridge httpd:2.4.37-alpine
docker exec -it web1 /bin/sh
echo web1 > /usr/local/apache2/htdocs/index.html
docker exec -it web2 /bin/sh
echo web2 > /usr/local/apache2/htdocs/index.html
Configure HAProxy:
vim /etc/haproxy/haproxy
frontend websrvs
bind :443 ssl crt /etc/haproxy/certs/haproxy.pem
default_backend websrvs
backend websrvs
balance roundrobin
server web1 172.17.0.2:80 check
server web2 172.17.0.3:80 check
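Generate the private key:
openssl genrsa -out haproxy.key 2048
Generate a self-signed certificate:
openssl req -new -x509 -key haproxy.key -out haproxy.crt -subj "/CN=demo01.duanx.vip"
Combine the private key and certificate into a pem file:
cat haproxy.crt haproxy.key > haproxy.pem
Inspect the pem file:
openssl x509 -in haproxy.pem -noout -text
Delete the private key and certificate files and restrict the pem file's permissions (essential in production!):
rm -f haproxy.crt haproxy.key;chmod 600 haproxy.pem
client: 172.20.222.3
Verify with: curl -k https://172.20.222.2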
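The key and certificate steps above as one script (an added example, not part of the original post; the function names are hypothetical). It creates the files under umask 077 so the key is never readable by other users before the chmod, and checks that the private key in haproxy.pem actually belongs to the certificate, which the openssl x509 -text step does not show.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# build_pem DIR CN: key + self-signed cert + combined haproxy.pem in DIR.
# umask 077 makes every file owner-only from the moment it is created, so
# the key is never world-readable while waiting for the chmod.
build_pem() {
    (
        umask 077
        cd "$1" || exit 1
        openssl genrsa -out haproxy.key 2048 2>/dev/null &&
        openssl req -new -x509 -key haproxy.key -out haproxy.crt \
            -subj "/CN=$2" 2>/dev/null &&
        cat haproxy.crt haproxy.key > haproxy.pem &&
        rm -f haproxy.crt haproxy.key &&
        chmod 600 haproxy.pem
    )
}

# pem_key_matches_cert PEM: succeeds only if the private key in PEM belongs
# to the certificate in PEM (the two derived public keys are identical).
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# pem_is_private PEM: succeeds only if the file mode is exactly 600.
pem_is_private() {
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# Demo in a throwaway directory (constructed input, nothing under /etc).
demo_dir=$(mktemp -d) || exit 1
if build_pem "$demo_dir" demo01.duanx.vip &&
   pem_key_matches_cert "$demo_dir/haproxy.pem" &&
   pem_is_private "$demo_dir/haproxy.pem"; then
    echo "haproxy.pem: key matches certificate, mode 600"
fi
rm -rf "$demo_dir"
```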
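2. Layer 4 load balancing of MySQL with HAProxy
Experiment: create two docker containers behind one HAProxy and reverse-proxy MySQL (layer 4 load balancing)
Topology diagram
host: 172.20.222.2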
docker run --name db1 -d -e MYSQL_ROOT_PASSWORD=duan mysql:5.7
docker run --name db2 -d -e MYSQL_ROOT_PASSWORD=duan mysql:5.7
vim /etc/haproxy/haproxy.conf
listen mydb
bind :3306
mode tcp   # must be specified; the default is http
balance leastconn
server db1 172.17.0.3:3306 check
server db2 172.17.0.4:3306 check
systemctl restart haproxy;ss -ntl
db1: 172.17.0.3
mysql -pduan
GRANT ALL ON *.* TO 'myuser'@'172.17.%.%' IDENTIFIED BY 'mypass';
MySQL's network access is matched against the DIP (the address HAProxy connects from), so 172.17.%.% is specified; the same applies below.
db2: 172.17.0.4
mysql -pduan
GRANT ALL ON *.* TO 'myuser'@'172.17.%.%' IDENTIFIED BY 'mypass';
mysql/client: 172.20.222.3
mysql -h172.20.222.2 -umyuser -pmypass;
Test:
mysql/client:
CREATE DATABASE mydb;
SHOW DATABASES;
Open another mysql/client session:
mysql -h172.20.222.2 -umyuser -pmypass;
SHOW DATABASES; the database list does not include mydb, so the round-robin effect is working!
Monitoring check:
host: 172.20.222.2
vim /etc/haproxy/haproxy
listen mydb
bind :3306
mode tcp   # must be specified; the default is http
#acl badguy src 172.20.222.
#tcp-request connection accept if badguy   # only connections from 172.20.222.3 are accepted
#tcp-request connection reject
balance leastconn
server db1 172.17.0.3:3306 check
server db2 172.17.0.4:3306 check
systemctl restart haproxy;ss -ntl
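3. ACL-based layer 7 static/dynamic separation with HAProxy [docker (httpd+php+tomcat)]:
Topology diagram
Two ways of installing the services are given below: virtual hosts and docker containers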
###########################################################################################################
1. HOST:
docker pull httpd:2.4.37-alpine
docker run --name web1 -d httpd:2.4.37-alpine
docker pull php:7.3-rc-apache
docker run --name web2 -d php:7.3-rc-apache
docker pull tomcat:7
docker run --name web3 -d tomcat:7
web1:
docker exec -it web1 /bin/sh
Add img/index.html
web2:
docker exec -it web2 /bin/sh
Add info.php
web3:
docker exec -it web3 /bin/sh
Add index.jsp (the file goes under webapps/ROOT)
Contents of the .jsp file:
<html>
<head></head>
<body>
<%
out.println("This is tomcat server!");
%>
</body>
</html>
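client:
curl http://172.20.222.2/index.html
curl http://172.20.222.2/info.php
curl http://172.20.222.2/index.jsp
Notes: 1) If editing files inside the containers above is awkward, you can install vim: 1) apt-get update 2) apt-get install vim
2) If you cannot find a container's IP from inside it, exit the container and run docker container inspect followed by the container name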
###########################################################################################################
2. Client: 172.20.222.1
HOST: 172.20.222.2
HTTP: 172.20.222.3 img/index.html
PHP: 172.20.222.4 info.php
TOMCAT: 172.20.222.5 index.jsp
Install TOMCAT and the page:
mkdir /usr/local/jeremy
cd /usr/local/jeremy
wget http://www-us.apache.org/dist/tomcat/tomcat-9/v9.0.13/bin/apache-tomcat-9.0.13.tar.gz
tar -xvf apache-tomcat-9.0.13.tar.gz
cd apache-tomcat-9.0.13
./bin/startup.sh;vim /usr/local/jeremy/apache-tomcat-9.0.13/webapps/ROOT/index.jsp
<html>
<head></head>
<body>
<%
out.println("This is tomcat server!");
%>
</body>
</html>
###########################################################################################################
HOST:
vim /etc/haproxy/haproxy.conf
frontend www
bind *:80,:8080
maxconn 5000
mode http
log global
option httplog
option httpclose
option forwardfor
default_backend default
# Static pages: match on prefix, suffix and hdr (can hdr, path and url be used together?)
acl url_static path_beg -i /static /images /img /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js .html
acl host_static hdr_beg(host) -i img. video. download. ftp. imags. videos.
# Define PHP dynamic pages
acl url_php path_end -i .php
# Define tomcat dynamic pages
acl url_jsp path_end -i .jsp .do
# ACL rules matching the three services
use_backend static_pool if url_static or host_static
use_backend php_pool if url_php
use_backend tomcat_pool if url_jsp
backend static_pool
option httpchk GET /index.html   # HTTP health check of the backend servers
server static1 172.17.0.2:80 cookie id1 check inter 2000 rise 2 fall 3
backend php_pool
option httpchk GET /info.php
server php1 172.17.0.3:80 cookie id1 check inter 2000 rise 2 fall 3
backend tomcat_pool
option httpchk GET /index.jsp
server tomcat1 172.17.0.4:8080 cookie id2 check inter 2000 rise 2 fall 3
backend default   # the name matches the default_backend setting
mode http
option httpchk GET /index.html
server default 172.20.222.2:80 cookie id1 check inter 2000 rise 2 fall 3 maxconn 5000
listen admin_status   # HAProxy status monitoring page
bind *:8888
mode http
log 127.0.0.1 local3 err
stats refresh 5s
stats uri /status
stats realm www.duanx.vip
stats auth admin:admin
stats hide-version
stats admin if TRUE
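A small lint for the admin_status settings above (an added example, not part of the original post; lint_stats, the sample configurations and the 12-character minimum are assumptions). It flags a stats page bound to all interfaces, guessable stats auth credentials and stats admin if TRUE, and passes a constructed loopback-only variant.

```shell
# Added example, not from the original post. lint_stats and both sample
# configurations are hypothetical; the 12-character minimum is an assumption.

# lint_stats [FILE]: print "LINE: finding" for risky stats settings and
# return 1 if there is at least one finding, 0 otherwise.
lint_stats() {
    awk '
    $1 ~ /^(listen|frontend|backend)$/ { wild = 0; told = 0 }
    $1 == "bind" && $2 ~ /^(\*|0\.0\.0\.0)?:/ { wild = 1 }
    $1 == "stats" {
        if (wild && !told++) { print NR ": stats page bound to all interfaces"; n++ }
        if ($2 == "auth") {
            split($3, cred, ":")
            if (cred[2] == cred[1] || length(cred[2]) < 12) {
                print NR ": weak stats credentials"; n++
            }
        }
        if ($2 == "admin" && $3 == "if" && toupper($4) == "TRUE") {
            print NR ": stats admin open to every authenticated client"; n++
        }
    }
    END { exit (n > 0) }' "$@"
}

# The admin_status settings from this page that the lint looks at.
weak_sample() {
    cat <<'EOF'
listen admin_status
bind *:8888
stats uri /status
stats auth admin:admin
stats admin if TRUE
EOF
}

# Constructed alternative: loopback bind, placeholder secret, admin actions
# limited by the predefined LOCALHOST ACL.
hardened_sample() {
    cat <<'EOF'
listen admin_status
bind 127.0.0.1:8888
stats uri /status
stats auth ops:REPLACE-WITH-LONG-RANDOM-SECRET
stats admin if LOCALHOST
EOF
}

weak_sample | lint_stats || echo "weak sample: findings listed above"
hardened_sample | lint_stats && echo "hardened sample: no findings"
```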
Please credit the source when reposting: 黑夜 » HAProxy series (3): related experiments (layer 4/7 static/dynamic separation, HTTPS, etc.)