haproxy七层代理

一.负载均衡

负载均衡：Load Balance，简称LB，是一种服务或基于硬件设备等实现的高可用反向代理技术，负载均衡将特定的业务(web服务、网络流量等)分担给指定的一个或多个后端特定的服务器或设备，从而提高了公司业务的并发处理能力、保证了业务的高可用性、方便了业务后期的水平动态扩展

四层负载均衡

四层（mode tcp） ：只认 IP + 端口，不看内容，转发快，通用所有 TCP 服务，工作在传输层

七层负载均衡

七层（mode http） ：能看懂 HTTP 请求内容（URL、域名、Cookie、Header），功能强，只支持 HTTP/HTTPS，工作在应用层

二.haproxy简介

HAProxy是法国开发者威利塔罗(Willy Tarreau) 在2000年使用C语言开发的一个开源软件

是一款具备高并发(万级以上)、高性能的TCP和HTTP负载均衡器

支持基于cookie的持久性，自动故障切换，支持正则表达式及web状态统计

企业版网站：https://www.haproxy.com

社区版网站：http://www.haproxy.org

github：https://github.com/haprox

HAPORXY实验环境设定

1.haproxy主机

bash 复制代码

[root@haproxy ~]# vmset.sh eth0 172.25.254.100 haproxy
连接已成功激活（D-Bus 活动路径：/org/freedesktop/NetworkManager/ActiveConnection/7）
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:0c:6f:ee brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 172.25.254.100/24 brd 172.25.254.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe0c:6fee/64 scope link tentative noprefixroute
       valid_lft forever preferred_lft forever
haproxy
[root@haproxy ~]# vmset.sh eth1 192.168.0.100 haproxy norouter
连接已成功激活（D-Bus 活动路径：/org/freedesktop/NetworkManager/ActiveConnection/8）
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:0c:6f:f8 brd ff:ff:ff:ff:ff:ff
    altname enp19s0
    altname ens224
    inet 192.168.0.100/24 brd 192.168.0.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::4ca7:8cde:1244:8df/64 scope link tentative noprefixroute
       valid_lft forever preferred_lft forever
haproxy


#配置内核路由功能
[root@haproxy ~]# echo net.ipv4.ip_forward=1 > /etc/sysctl.conf
[root@haproxy ~]# sysctl -p
net.ipv4.ip_forward = 1

2.webserver1 2

bash 复制代码

[root@webserver1 ~]# vmset.sh eth0 192.168.0.10 webserver1 noroute
连接已成功激活（D-Bus 活动路径：/org/freedesktop/NetworkManager/ActiveConnection/4）
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:8c:96:72 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 192.168.0.10/24 brd 192.168.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe8c:9672/64 scope link tentative noprefixroute
       valid_lft forever preferred_lft forever
webserver1

[root@webserver1 ~]# dnf install httpd -y
root@webserver1 ~]# echo webserver1 - 192.168.0.10 > /var/www/html/index.html
[root@webserver1 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.


[root@webserver2 ~]# vmset.sh eth0 192.168.0.20 webserver2 noroute
连接已成功激活（D-Bus 活动路径：/org/freedesktop/NetworkManager/ActiveConnection/4）
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:8c:96:72 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 192.168.0.20/24 brd 192.168.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe8c:9672/64 scope link tentative noprefixroute
       valid_lft forever preferred_lft forever
webserver2
[root@webserver2 ~]# dnf install httpd -y 
[root@webserver2 ~]#  echo webserver2 - 192.168.0.20 > /var/www/html/index.html
[root@webserver2 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.

3.验证环境

bash 复制代码

#在haproxy中访问
[root@haproxy ~]# curl  192.168.0.10
webserver1 - 192.168.0.10
[root@haproxy ~]# curl  192.168.0.20
webserver2 - 192.168.0.20

Haproxy的安装及配置参数

1.安装

bash 复制代码

#在调度器（双网卡主机中）
[root@haproxy ~]# dnf install haproxy.x86_64 -y
[root@haproxy ~]# systemctl enable --now haproxy
Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service.

2.harpoxy的参数详解实验

1.实现最基本的负载

1）frontend 和 backend

2）listen

bash 复制代码

#设定vim中tab键的空格个数
[root@haproxy ~]# vim ~/.vimrc
set ts=4 ai

#前后端分开设定
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg

frontend webcluster
    bind            *:80
    mode            http
    use_backend     webserver-80

backend webserver-80
    server web1 192.168.0.10:80 check inter 3s fall 3 rise 5
    server web2 192.168.0.20:80 check inter 3s fall 3 rise 5

[root@haproxy ~]# systemctl restart haproxy.service

#测试：
[root@haproxy ~]# curl  172.25.254.100
webserver2 - 192.168.0.20
[root@haproxy ~]# curl  172.25.254.100
webserver1 - 192.168.0.10


#用listen方式书写负载均衡
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    mode        http
    server haha 192.168.0.10:80 check inter 3s fall 3 rise 5
    server hehe 192.168.0.20:80 check inter 3s fall 3 rise 5
    
[root@haproxy ~]# systemctl restart haproxy.service


#测试
[root@haproxy ~]# curl  172.25.254.100
webserver2 - 192.168.0.20
[root@haproxy ~]# curl  172.25.254.100
webserver1 - 192.168.0.10

2.log 指定日志发送位置

实验指定日志发送到192.168.0.10

bash 复制代码

#在192.168.0.10 开启接受日志的端口
[root@webserver1 ~]# vim /etc/rsyslog.conf
 32 module(load="imudp") # needs to be done just once
 33 input(type="imudp" port="514")
 
[root@webserver1 ~]# systemctl restart rsyslog.service

#测试接受日志端口是否开启
[root@webserver1 ~]# netstat -antlupe | grep rsyslog
udp        0      0 0.0.0.0:514             0.0.0.0:*                           0          74140      30965/rsyslogd
udp6       0      0 :::514                  :::*                                0          74141      30965/rsyslogd

#在haproxy主机中设定日志发送信息
[root@haproxy haproxy]# vim haproxy.cfg

log         192.168.0.10 local2
[root@haproxy haproxy]# systemctl restart haproxy.service

#验证
─
[2026-01-23 15:13.54]  ~
[Administrator.DESKTOP-VJ307M3] ➤ curl 172.25.254.100
webserver1 - 192.168.0.10
                                                                                                    ✔
─────────────────────────────────────────────────────────────────────────────────────────────────────
[2026-01-23 15:19.05]  ~
[Administrator.DESKTOP-VJ307M3] ➤ curl 172.25.254.100
webserver2 - 192.168.0.20

[root@webserver1 ~]# cat /var/log/messages

Jan 23 15:19:06 192.168.0.100 haproxy[31310]: 172.25.254.1:9514 [23/Jan/2026:15:19:06.320] webcluster webcluster/haha 0/0/0/1/1 200 273 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Jan 23 15:19:10 192.168.0.100 haproxy[31310]: 172.25.254.1:9519 [23/Jan/2026:15:19:10.095] webcluster webcluster/hehe 0/0/0/0/0 200 273 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"

3.实现haproxy的多进程

bash 复制代码

#默认haproxy是单进程
[root@haproxy ~]# pstree -p | grep haproxy
           |-haproxy(31439)---haproxy(31441)-+-{haproxy}(31442)
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
nbproc      2

[root@haproxy ~]# systemctl restart haproxy.service

#验证
[root@haproxy ~]# pstree -p | grep haproxy
           |-haproxy(31549)-+-haproxy(31551)
           |                `-haproxy(31552)

bash 复制代码

#多进程cpu绑定
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
    nbproc      2
    cpu-map     1 0
    cpu-map     2 1
[root@haproxy ~]# systemctl restart haproxy.service

bash 复制代码

#为不同进程准备不同套接字
[root@haproxy ~]# systemctl stop haproxy.service
[root@haproxy ~]# rm -fr /var/lib/haproxy/stats
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
    #stats socket /var/lib/haproxy/stats
    stats socket /var/lib/haproxy/haproxy1  mode 600 level admin process 1
    stats socket /var/lib/haproxy/haporxy2  mode 660 level admin process 1

[root@haproxy ~]# systemctl restart haproxy.service

#效果
[root@haproxy ~]# ll /var/lib/haproxy/
总用量 0
srw-rw---- 1 root root 0  1月 23 15:41 haporxy2
srw------- 1 root root 0  1月 23 15:41 haproxy1

4.haproxy实现多线程

注意多线程不能和多进程同时启用

bash 复制代码

#查看当前haproxy的进程信息
[root@haproxy ~]# pstree -p | grep haproxy
           |-haproxy(31742)-+-haproxy(31744)
           |                `-haproxy(31745)
 #查看haproxy子进程的线程信息
[root@haproxy ~]# cat /proc/31744/status  | grep Threads
Threads:        1

#启用多线程
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg

	#nbproc     2
    #cpu-map    1 0
    #cpu-map    2 1
    nbthread    2
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
    #stats socket /var/lib/haproxy/haproxy1  mode 600 level admin process 1
    #stats socket /var/lib/haproxy/haporxy2  mode 660 level admin process 1
    
[root@haproxy ~]# systemctl restart haproxy.service

#效果
[root@haproxy ~]# pstree -p | grep haproxy
           |-haproxy(31858)---haproxy(31860)---{haproxy}(31861)

[root@haproxy ~]# cat /proc/31860/status  | grep Threads
Threads:        2

proxies配置（代理配置）

参数	类型	作用
defaults [<name>]	proxies	默认配置项，针对以下的frontend、backend和listen生效，可以多个name也可以没有name
frontend <name>	proxies	前端servername，类似于Nginx的一个虚拟主机 server和LVS服务集群。
backend <name>	proxies	#后端服务器组，等于nginx的upstream和LVS中的RS服务器
listen <name>	proxies	#将frontend和backend合并在一起配置，相对于frontend和backend配置更简洁，生产常用

socat热更新工具

热更新：即在服务或软件不停止的情况下更新软件或服务的工作方式，完成对软件不停工更新，典型的热更新设备，usb，在使用usb进行插拔时，电脑系统时不需要停止工作的，这中设备叫热插拔设备，更新完如重启会恢复配置文件的设置

利用工具socat 对服务器动态权重调整

1.安装socat

复制代码

[root@haproxy ~]# dnf install socat -y
[root@haproxy ~]# socat  -h

2.利用socat查看haproxy信息

bash 复制代码

[root@haproxy ~]# echo "show servers state"  | socat stdio /var/lib/haproxy/stats
1
# be_id be_name srv_id srv_name srv_addr srv_op_state srv_admin_state srv_uweight srv_iweight srv_time_since_last_change srv_check_status srv_check_result srv_check_health srv_check_state srv_agent_state bk_f_forced_id srv_f_forced_id srv_fqdn srv_port srvrecord srv_use_ssl srv_check_port srv_check_addr srv_agent_addr srv_agent_port
2 webcluster 1 haha 192.168.0.10 2 0 1 1 275 6 3 7 6 0 0 0 - 80 - 0 0 - - 0
2 webcluster 2 hehe 192.168.0.20 2 0 1 1 275 6 3 7 6 0 0 0 - 80 - 0 0 - - 0


[root@haproxy ~]# echo "get  weight webcluster/haha" | socat  stdio /var/lib/haproxy/stats
1 (initial 1)

[root@haproxy ~]# echo "get  weight webcluster/hehe" | socat  stdio /var/lib/haproxy/stats
1 (initial 1)

3.利用socat更改haproxy信息

bash 复制代码

#直接更改报错
[root@haproxy ~]# echo "set  weight  webcluster/haha 2 " | socat stdio /var/lib/haproxy/stats
Permission denied

#对socket进行授权
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
stats socket /var/lib/haproxy/stats mode 600 level admin


[root@haproxy ~]# rm -rf /var/lib/haproxy/*

[root@haproxy ~]# systemctl restart haproxy.service
[root@haproxy ~]# ll /var/lib/haproxy/
总用量 0
srw------- 1 root root 0  1月 25 10:04 stats


#执行泉州更改
[root@haproxy ~]# echo "get  weight webcluster/hehe" | socat  stdio /var/lib/haproxy/stats
1 (initial 1)

[root@haproxy ~]# echo "set  weight  webcluster/hehe 4 " | socat stdio /var/lib/haproxy/stats

[root@haproxy ~]# echo "get  weight webcluster/hehe" | socat  stdio /var/lib/haproxy/stats
4 (initial 1)

#测试
[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..10}; do curl 172.25.254.100; done
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20

Haproxy算法实验

静态算法

1.static-rr

基于权重的轮询调度

bash 复制代码

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    balance     static-rr
    server haha 192.168.0.10:80 check inter 3s fall 3 rise 5 weight 2
    server hehe 192.168.0.20:80 check inter 3s fall 3 rise 5 weight 1


[root@haproxy ~]# systemctl restart haproxy.service

#测试
[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..10}; do curl 172.25.254.100; done
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10


#检测是否支持热更新
[root@haproxy ~]# echo "get  weight webcluster/haha" | socat  stdio /var/lib/haproxy/stats
2 (initial 2)

[root@haproxy ~]# echo "set  weight  webcluster/haha 1  " | socat stdio /var/lib/haproxy/stats       Backend is using a static LB algorithm and only accepts weights '0%' and '100%'

2.first

根据服务器在列表中的位置，自上而下进行调度
其只会当第一台服务器的连接数达到上限，新请求才会分配给下一台服务
其会忽略服务器的权重设置
不支持用socat进行动态修改权重,可以设置0和1,可以设置其它值但无效

bash 复制代码

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    balance     first
    server haha 192.168.0.10:80 maxconn 1 check inter 3s fall 3 rise 5 weight 2
    server hehe 192.168.0.20:80 check inter 3s fall 3 rise 5 weight 1


[root@haproxy ~]# systemctl restart haproxy.service


#测试：在一个shell中执行持续访问
[Administrator.DESKTOP-VJ307M3] ➤ while true; do curl 172.25.254.100; done
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
.... .....

#在其他设立了中建立持续访问并观察
Administrator.DESKTOP-VJ307M3] ➤  while true; do curl 172.25.254.100; done
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10						#此处出现10信息
webserver2 - 192.168.0.20

动态算法

1.roundrobin

基于权重的轮询动态调度算法，
支持权重的运行时调整，不同于lvs中的rr轮训模式，
HAProxy中的roundrobin支持慢启动(新加的服务器会逐渐增加转发数)，
其每个后端backend中最多支持4095个real server，
支持对real server权重动态调整，
roundrobin为默认调度算法,此算法使用广泛

bash 复制代码

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    balance     roundrobin
    server haha 192.168.0.10:80 check inter 3s fall 3 rise 5 weight 2
    server hehe 192.168.0.20:80 check inter 3s fall 3 rise 5 weight 1
    
[root@haproxy ~]# systemctl restart haproxy.service

#测试
[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..10}; do curl 172.25.254.100; done
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10


#动态权重更新

[root@haproxy ~]# echo "get  weight webcluster/haha" | socat  stdio /var/lib/haproxy/stats
2 (initial 2)

[root@haproxy ~]# echo "set  weight  webcluster/haha 1  " | socat stdio /var/lib/haproxy/stats       
[root@haproxy ~]# echo "get  weight webcluster/haha" | socat  stdio /var/lib/haproxy/stats
1 (initial 2)

#效果
[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..10}; do curl 172.25.254.100; done
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10

2.leastconn

leastconn加权的最少连接的动态
支持权重的运行时调整和慢启动，即:根据当前连接最少的后端服务器而非权重进行优先调度(新客户端连接)
比较适合长连接的场景使用，比如：MySQL等场景。

bash 复制代码

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    balance     leastconn
    server haha 192.168.0.10:80 check inter 3s fall 3 rise 5 weight 2
    server hehe 192.168.0.20:80 check inter 3s fall 3 rise 5 weight 1
    
[root@haproxy ~]# systemctl restart haproxy.service

[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..10}; do curl 172.25.254.100; done
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20

混合算法

source

源地址hash，基于用户源地址hash并将请求转发到后端服务器，后续同一个源地址请求将被转发至同一个后端web服务器。此方式当后端服务器数据量发生变化时，会导致很多用户的请求转发至新的后端服务器，默认为静态方式，但是可以通过hash-type支持的选项更改这个算法一般是在不插入Cookie的TCP模式下使用，也可给拒绝会话cookie的客户提供最好的会话粘性，适用于session会话保持但不支持cookie和缓存的场景源地址有两种转发客户端请求到后端服务器的服务器选取计算方式，分别是取模法和一致性has

bash 复制代码

#默认静态算法
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    balance     source
    server haha 192.168.0.10:80 check inter 3s fall 3 rise 5 weight 2
    server hehe 192.168.0.20:80 check inter 3s fall 3 rise 5 weight 1
    
[root@haproxy ~]# systemctl restart haproxy.service


#测试：
[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..10}; do curl 172.25.254.100; done
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20


#source动态算法
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    balance     source
    hash-type 	consistent
    server haha 192.168.0.10:80 check inter 3s fall 3 rise 5 weight 2
    server hehe 192.168.0.20:80 check inter 3s fall 3 rise 5 weight 1
    
[root@haproxy ~]# systemctl restart haproxy.service


#测试：
[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..10}; do curl 172.25.254.100; done
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20

uri

基于对用户请求的URI的左半部分或整个uri做hash，再将hash结果对总权重进行取模后

根据最终结果将请求转发到后端指定服务器

适用于后端是缓存服务器场景

默认是静态算法，也可以通过hash-type指定map-based和consistent，来定义使用取模法还是一致性hash

bash 复制代码

#主备实验环境
[root@webserver1 ~]# echo RS1 - 192.168.0.10 > /var/www/html/index1.html
[root@webserver1 ~]# echo RS1 - 192.168.0.10 > /var/www/html/index2.html
[root@webserver2 ~]# echo RS2 - 192.168.0.20 > /var/www/html/index1.html
[root@webserver2 ~]# echo RS2 - 192.168.0.20 > /var/www/html/index2.html

#设定uri算法
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    balance     uri
    hash-type 	consistent
    server haha 192.168.0.10:80 check inter 3s fall 3 rise 5 weight 2
    server hehe 192.168.0.20:80 check inter 3s fall 3 rise 5 weight 1
    
[root@haproxy ~]# systemctl restart haproxy.service


#测试：
[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..10}; do curl 172.25.254.100/index.html; done
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
                                                                                                    ✔
─────────────────────────────────────────────────────────────────────────────────────────────────────
[2026-01-25 14:51.59]  ~
[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..10}; do curl 172.25.254.100/index2.html; done
RS2 - 172.168.0.20
RS2 - 172.168.0.20
RS2 - 172.168.0.20
RS2 - 172.168.0.20
RS2 - 172.168.0.20
RS2 - 172.168.0.20
RS2 - 172.168.0.20
RS2 - 172.168.0.20
RS2 - 172.168.0.20
RS2 - 172.168.0.20

url_param

url_param对用户请求的url中的 params 部分中的一个参数key对应的value值作hash计算，并由服务器总权重相除以后派发至某挑出的服务器,后端搜索同一个数据会被调度到同一个服务器，多用与电商通常用于追踪用户，以确保来自同一个用户的请求始终发往同一个real server

如果无没key，将按roundrobin算法

bash 复制代码

#主备实验环境
[root@webserver1 ~]# echo RS1 - 192.168.0.10 > /var/www/html/index1.html
[root@webserver1 ~]# echo RS1 - 192.168.0.10 > /var/www/html/index2.html
[root@webserver2 ~]# echo RS2 - 192.168.0.20 > /var/www/html/index1.html
[root@webserver2 ~]# echo RS2 - 192.168.0.20 > /var/www/html/index2.html

#设定url_param算法
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    balance     url_param name
    hash-type 	consistent
    server haha 192.168.0.10:80 check inter 3s fall 3 rise 5 weight 2
    server hehe 192.168.0.20:80 check inter 3s fall 3 rise 5 weight 1
    
[root@haproxy ~]# systemctl restart haproxy.service


#测试：
[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..10}; do curl 172.25.254.100/index.html?name=lee; done
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20
webserver2 - 192.168.0.20

[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..10}; do curl 172.25.254.100/index.html?name=redhat; done
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10
webserver1 - 192.168.0.10

hdr

针对用户每个http头部(header)请求中的指定信息做hash，

此处由 name 指定的http首部将会被取出并做hash计算，

然后由服务器总权重取模以后派发至某挑出的服务器，如果无有效值，则会使用默认的轮询调度。

bash 复制代码

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    balance     hdr（User-Agent）
    hash-type 	consistent
    server haha 192.168.0.10:80 check inter 3s fall 3 rise 5 weight 2
    server hehe 192.168.0.20:80 check inter 3s fall 3 rise 5 weight 1
    
[root@haproxy ~]# systemctl restart haproxy.service


#测试：
[Administrator.DESKTOP-VJ307M3] ➤ curl -A "lee" 172.25.254.100
webserver2 - 192.168.0.20
                                                                                                    ✔
─────────────────────────────────────────────────────────────────────────────────────────────────────
[2026-01-25 15:00.53]  ~
[Administrator.DESKTOP-VJ307M3] ➤ curl -A "lee" 172.25.254.100
webserver2 - 192.168.0.20
                                                                                                    ✔
─────────────────────────────────────────────────────────────────────────────────────────────────────
[2026-01-25 15:00.54]  ~
[Administrator.DESKTOP-VJ307M3] ➤ curl -A "timinglee" 172.25.254.100
webserver2 - 192.168.0.20
                                                                                                    ✔
─────────────────────────────────────────────────────────────────────────────────────────────────────
[2026-01-25 15:01.00]  ~
[Administrator.DESKTOP-VJ307M3] ➤ curl -A "timing" 172.25.254.100
webserver1 - 192.168.0.10

基于cookie的会话保持

如果在haprorxy中设定算法为source，在同一台客户端主机中，无论使用什么浏览器访问的最终服务器是同一个

可以使用cookie值进行优化，让同一台客户端中同一个浏览器中访问的是同一个服务器

不同浏览器访问的是不同的服务器

bash 复制代码

#配合基于cookie的会话保持方法
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    balance     roundrobin
    hash-type   consistent
    cookie WEBCOOKIE insert nocache indirect
    server haha 192.168.0.10:80 cookie web1 check inter 3s fall 3 rise 5 weight 2
    server hehe 192.168.0.20:80 cookie web2 check inter 3s fall 3 rise 5 weight 1

[root@haproxy ~]# systemctl restart haproxy.service

HAProxy状态页

通过web界面，显示当前HAProxy的运行状态

bash 复制代码

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen stats
    mode        http
    bind 0.0.0.0:4321
    stats       enable
    log         global
#   stats       refresh
    stats uri   /status
    stats auth  lee:lee
[root@haproxy ~]# systemctl restart haproxy.service

开启自动更新

bash 复制代码

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen stats
    mode        http
    bind 0.0.0.0:4321
    stats       enable
    log         global
    stats       refresh   1
    stats uri   /status
    stats auth  lee:lee
[root@haproxy ~]# systemctl restart haproxy.service

IP透传

七层IP透传

bash 复制代码

#实验环境
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    balance     roundrobin
    server haha 192.168.0.10:80 check inter 3s fall 3 rise 5 weight 1
    server hehe 192.168.0.20:80 check inter 3s fall 3 rise 5 weight 1
    
[root@haproxy ~]# systemctl restart haproxy.service


#测试环境

[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..5}
> do
> curl 172.25.254.100
> done
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10
webserver2 - 192.168.0.20
webserver1 - 192.168.0.10


#在rs主机中默认是未开启透传功能的
[root@webserver2 ~]# cat /etc/httpd/logs/access_log
192.168.0.100 - - [26/Jan/2026:10:03:03 +0800] "GET / HTTP/1.1" 200 26 "-" "curl/7.65.0"
192.168.0.100 - - [26/Jan/2026:10:03:03 +0800] "GET / HTTP/1.1" 200 26 "-" "curl/7.65.0"


#开启ip透传的方式
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
。。。忽略。。。。。
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8				#开启haproxy透传功能
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

#在rs中设定采集透传IP   \"%{X-Forwarded-For}i\"
[root@webserver2 ~]#  vim /etc/httpd/conf/httpd.conf
201     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\" \"%{Referer}i\" \"%{User-Agent}i    \"" combined

[root@webserver2 ~]# systemctl restart httpd

#测试效果
[root@webserver2 ~]# cat /etc/httpd/logs/access_log
192.168.0.100 - - [26/Jan/2026:10:10:29 +0800] "GET / HTTP/1.1" 200 26 "172.25.254.1" "-" "curl/7.65.0"
192.168.0.100 - - [26/Jan/2026:10:10:30 +0800] "GET / HTTP/1.1" 200 26 "172.25.254.1" "-" "curl/7.65.0"
192.168.0.100 - - [26/Jan/2026:10:10:30 +0800] "GET / HTTP/1.1" 200 26 "172.25.254.1" "-" "curl/7.65.0"

四层IP透传

bash 复制代码

#环境设置
#在RS中把apache停止
[root@webserver1 ~]# systemctl disable --now httpd
[root@webserver2 ~]# systemctl disable --now httpd

#部署nginx
[root@webserver1 ~]# dnf install nginx -y
[root@webserver2 ~]# dnf install nginx -y
[root@webserver1 ~]# echo RS1 - 192.168.0.10 > /usr/share/nginx/html/index.html
[root@webserver2 ~]# echo RS2 - 192.168.0.20 > /usr/share/nginx/html/index.html
[root@webserver1 ~]# systemctl enable --now nginx
[root@webserver2 ~]# systemctl enable --now nginx

#测环境
[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..5}; do curl 172.25.254.100; done
RS1 - 192.168.0.10
RS2 - 192.168.0.20
RS1 - 192.168.0.10
RS2 - 192.168.0.20
RS1 - 192.168.0.10


#启用nginx的四层访问控制
[root@webserver1 ~]# vim /etc/nginx/nginx.conf
    server {
        listen       80 proxy_protocol;			#启用四层访问控制
        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }
        
[root@webserver2 ~]# vim /etc/nginx/nginx.conf
    server {
        listen       80 proxy_protocol;			#启用四层访问控制
        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }
        
[root@webserver1 ~]# systemctl restart nginx.service
[root@webserver2 ~]# systemctl restart nginx.service


#测试
Administrator.DESKTOP-VJ307M3] ➤ for i in {1..5}; do curl 172.25.254.100; done
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>

出现上述报错标识nginx只支持四层访问

#设定haproxy访问4层  proxy_protocol
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    mode        tcp				#四层访问
    balance     roundrobin
    server haha 192.168.0.10:80 send-proxy check inter 3s fall 3 rise 5 weight 1
    server hehe 192.168.0.20:80 send-proxy check inter 3s fall 3 rise 5 weight 1
    
[root@haproxy ~]# systemctl restart haproxy.service

#测试四层访问
[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..5}; do curl 172.25.254.100; done
RS1 - 192.168.0.10
RS2 - 192.168.0.20
RS1 - 192.168.0.10
RS2 - 192.168.0.20
RS1 - 192.168.0.10


#设置4层ip透传
[root@webserver1&2 ~]# vim /etc/nginx/nginx.conf

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '"$proxy_protocol_addr"'			#采集透传信息
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';


[root@webserver1&2 ~]# systemctl restart nginx.service

#测试
[Administrator.DESKTOP-VJ307M3] ➤ for i in {1..5}; do curl 172.25.254.100; done
RS2 - 192.168.0.20
RS1 - 192.168.0.10
RS2 - 192.168.0.20
RS1 - 192.168.0.10
RS2 - 192.168.0.20


[root@webserver1 ~]# cat /var/log/nginx/access.log
192.168.0.100 - - [26/Jan/2026:10:52:40 +0800] "GET / HTTP/1.1" "172.25.254.1"200 19 "-" "curl/7.65.0" "-"
192.168.0.100 - - [26/Jan/2026:10:53:49 +0800] "GET / HTTP/1.1"  "172.25.254.1"200 19 "-" "curl/7.65.0" "-"
192.168.0.100 - - [26/Jan/2026:10:53:50 +0800] "GET / HTTP/1.1"  "172.25.254.1"200 19 "-" "curl/7.65.0" "-"
192.168.0.100 - - [26/Jan/2026:10:53:50 +0800] "GET / HTTP/1.1"  "172.25.254.1"200 19 "-" "curl/7.65.0" "-"

Haproxy ACL访问控制

访问控制列表（ACL，Access Control Lists）

是一种基于包过滤的访问控制技术

它可以根据设定的条件对经过服务器传输的数据包进行过滤(条件匹配)即对接收到的报文进行匹配和过滤，基于请求报文头部中的源地址、源端口、目标地址、目标端口、请求方法、URL、文件后缀等信息内容进行匹配并执行进一步操作，比如允许其通过或丢弃。

1.实验环境

在浏览器或者curl主机中设定本地解析

在windows中设定解析

设定基础的haproxy实验配置

bash 复制代码

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
frontend webcluster
    bind            *:80
    mode            http
    use_backend     webserver-80-web1

backend webserver-80-web1
    server web1 192.168.0.10:80 check inter 3s fall 3 rise 5

backend webserver-80-web2
    server web2 192.168.0.20:80 check inter 3s fall 3 rise 5


[root@haproxy ~]# systemctl restart haproxy.service

3.基础acl示例

bash 复制代码

#在访问的网址中，所有以.com  结尾的访问10，其他访问20
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
frontend webcluster
    bind            *:80
    mode            http
    
    acl test hdr_end(host) -i .com			#acl列表
    
    use_backend  webserver-80-web1 if test	#acl列表访问匹配
    default_backend webserver-80-web2		#acl列表访问不匹配

backend webserver-80-web1
    server web1 192.168.0.10:80 check inter 3s fall 3 rise 5

backend webserver-80-web2
    server web2 192.168.0.20:80 check inter 3s fall 3 rise 5


#测试
[2026-01-26 15:50.45]  ~
[Administrator.DESKTOP-VJ307M3] ➤ curl www.lee.com
webserver1 - 192.168.0.10
                                                                                                    ✔
─────────────────────────────────────────────────────────────────────────────────────────────────────
[2026-01-26 15:50.45]  ~
[Administrator.DESKTOP-VJ307M3] ➤ curl www.lee.org
webserver2 - 192.168.0.20



#基于访问头部
    acl head hdr_beg(host) -i bbs.
    use_backend  webserver-80-web1 if head
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
frontend webcluster
    bind            *:80
    mode            http
    
    acl test hdr_end(host) -i .com			#acl列表
    
    acl head hdr_beg(host) -i bbs.
    use_backend  webserver-80-web1 if head
    default_backend webserver-80-web2

backend webserver-80-web1
    server web1 192.168.0.10:80 check inter 3s fall 3 rise 5

backend webserver-80-web2
    server web2 192.168.0.20:80 check inter 3s fall 3 rise 5


#测试效果


#base参数acl
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
frontend webcluster
    bind            *:80
    mode            http
    
    acl pathdir base_dir -i /lee
    use_backend  webserver-80-web1 if pathdir
    default_backend webserver-80-web2		#acl列表访问不匹配

backend webserver-80-web1
    server web1 192.168.0.10:80 check inter 3s fall 3 rise 5

backend webserver-80-web2
    server web2 192.168.0.20:80 check inter 3s fall 3 rise 5

[root@webserver1+2 ~]# mkdir -p /var/www/html/lee/
[root@webserver1+2 ~]#  mkdir -p /var/www/html/lee/test/


[root@webserver1 ~]# echo lee - 192.168.0.10  > /var/www/html/lee/index.html
[root@webserver1 ~]# echo lee/test - 192.168.0.10 > /var/www/html/lee/test/index.html
[root@webserver2 ~]# echo lee - 192.168.0.20  > /var/www/html/lee/index.html
[root@webserver2 ~]# echo lee/test - 192.168.0.10 > /var/www/html/lee/test/index.html


#测试
[2026-01-26 16:01.56]  ~
[Administrator.DESKTOP-VJ307M3] ➤ curl 172.25.254.100/lee/
lee - 192.168.0.10
                                                                                                    ✔
─────────────────────────────────────────────────────────────────────────────────────────────────────
[2026-01-26 16:01.57]  ~
[Administrator.DESKTOP-VJ307M3] ➤ curl 172.25.254.100/lee/test/
lee/test - 192.168.0.10
                                                                                                    ✔
─────────────────────────────────────────────────────────────────────────────────────────────────────
[2026-01-26 16:02.01]  ~
[Administrator.DESKTOP-VJ307M3] ➤ curl 172.25.254.100/index.html
webserver2 - 192.168.0.20


#acl禁止列表黑名单
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
frontend webcluster
    bind            *:80
    mode            http
    
    acl test hdr_end(host) -i .com			#acl列表
    
    use_backend  webserver-80-web1 if test	#acl列表访问匹配
    default_backend webserver-80-web2		#acl列表访问不匹配

	acl invalid_src src 172.25.254.1
    http-request deny if invalid_src

backend webserver-80-web1
    server web1 192.168.0.10:80 check inter 3s fall 3 rise 5

backend webserver-80-web2
    server web2 192.168.0.20:80 check inter 3s fall 3 rise 5
    
#测试：
[Administrator.DESKTOP-VJ307M3] ➤ curl 172.25.254.100
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>


#禁止列表白名单
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
frontend webcluster
    bind            *:80
    mode            http
    
    acl test hdr_end(host) -i .com			#acl列表
    
    use_backend  webserver-80-web1 if test	#acl列表访问匹配
    default_backend webserver-80-web2		#acl列表访问不匹配

	acl invalid_src src 172.25.254.1
    http-request deny if ！ invalid_src

backend webserver-80-web1
    server web1 192.168.0.10:80 check inter 3s fall 3 rise 5

backend webserver-80-web2
    server web2 192.168.0.20:80 check inter 3s fall 3 rise 5
    
#测试：
[Administrator.DESKTOP-VJ307M3] ➤ curl 172.25.254.100
webserver2 - 192.168.0.20

[root@haproxy ~]# curl  172.25.254.100
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

自定义HAProxy 错误界面

1.sorryserver的设定

正常的所有服务器如果出现宕机，那么客户将被定向到指定的主机中，这个当业务主机出问题时被临时访问的主机叫做sorryserver

bash 复制代码

#在新主机中安装apache（可以用haproxy主机代替）
[root@haproxy ~]# dnf install httpd -y
[root@haproxy ~]# vim /etc/httpd/conf/httpd.conf
47 Listen 8080
[root@haproxy ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.

[root@haproxy ~]# echo "李哥在，没意外" > /var/www/html/index.html


#配置sorryserver上线、
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen webcluster
    bind        *:80
    mode        tcp
    balance     roundrobin
    server haha 192.168.0.10:80  check inter 3s fall 3 rise 5 weight 1
    server hehe 192.168.0.20:80  check inter 3s fall 3 rise 5 weight 1
    server wuwu 192.168.0.100:8080  backup					#sorryserver
    
[root@haproxy ~]# systemctl restart haproxy.service

#测试
[Administrator.DESKTOP-VJ307M3] ➤ curl 172.25.254.100
webserver1 - 192.168.0.10
                                                                                                    ✔
─────────────────────────────────────────────────────────────────────────────────────────────────────
[2026-01-26 14:22.33]  ~
[Administrator.DESKTOP-VJ307M3] ➤ curl 172.25.254.100
webserver2 - 192.168.0.20
                                                                                                    ✔
─────────────────────────────────────────────────────────────────────────────────────────────────────
[2026-01-26 14:22.35]  ~



#关闭两台正常的业务主机
[root@webserver1+2 ~]# systemctl stop httpd


[Administrator.DESKTOP-VJ307M3] ➤ curl 172.25.254.100
李哥在，没意外

2.自定义错误页面

当所有主机包括sorryserver都宕机了，那么haproxy会提供一个默认访问的错误页面，这个错误页面跟报错代码有关，这个页面可以通过定义来机型设置

bash 复制代码

#出现的错误页面
[root@webserver1+2 ~]# systemctl stop httpd
[root@haproxy ~]# systemctl stop httpd

#注意不能是四层tcp（IP可以访问但是端口不行会一直处于等待状态，没有ip报错信息503）


#所有后端web服务都宕机
[Administrator.DESKTOP-VJ307M3] ➤ curl 172.25.254.100
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>


[root@haproxy ~]# mkdir /errorpage/html/ -p
[root@haproxy ~]# vim /errorpage/html/503.http
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8

<html><body><h1>什么动物生气最安静</h1>
大猩猩！！
</body></html>
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
    errorfile 503           /errorpage/html/503.http			#error 页面
[root@haproxy ~]# systemctl restart haproxy.service


#测试
[Administrator.DESKTOP-VJ307M3] ➤ curl 172.25.254.100
<html><body><h1>什么动物生气最安静</h1>
大猩猩！！
</body></html>

3.从定向错误到指定网站

bash 复制代码

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
    errorloc 503            http://www.baidu.com			#error 页面
[root@haproxy ~]# systemctl restart haproxy.service

#在浏览器中访问

Harproxy的四层负载

1.环境设定

bash 复制代码

#部署mariadb数据库
[root@webserver1+2 ~]# dnf install mariadb-server mariadb  -y
[root@webserver1+1 ~]# vim /etc/my.cnf.d/mariadb-server.cnf
[mysqld]
server_id=10			#设定数据库所在主机的id标识，在20上设定id为20
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
log-error=/var/log/mariadb/mariadb.log
pid-file=/run/mariadb/mariadb.pid

#安装后开启服务
[root@webserver1 ~]# systemctl start mariadb

#建立远程登录用户并授权
[root@webserver2+1 ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.5.27-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>  CREATE USER 'lee'@'%' identified by 'lee';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> CREATE USER 'lee'@'%' identified by 'lee';
MariaDB [(none)]> GRANT ALL ON *.* TO 'lee'@'%';
Query OK, 0 rows affected (0.000 sec)

#测试
[root@webserver2 ~]# mysql -ulee -plee -h 192.168.0.20   #测试10时修改ip即可
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.5.27-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

2.四层负载操作

bash 复制代码

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen mariadbcluster
    bind        *:6663
    mode        tcp
    balance     roundrobin
    server haha 192.168.0.10:3306  check inter 3s fall 3 rise 5 weight 1
    server hehe 192.168.0.20:3306  check inter 3s fall 3 rise 5 weight 1
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg

#检测端口
[root@haproxy ~]# netstat -antlupe  | grep haproxy
tcp        0      0 0.0.0.0:6663            0.0.0.0:*               LISTEN      0          44430      2136/haproxy
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          44429      2136/haproxy
tcp        0      0 0.0.0.0:4321            0.0.0.0:*               LISTEN      0          44431      2136/haproxy


#测试：
[Administrator.DESKTOP-VJ307M3] ➤ mysql -ulee -plee -h172.25.254.100 -P 6663
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 7
Server version: 10.5.27-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT @@server_id;
+-------------+
| @@server_id |
+-------------+
|          20 |
+-------------+
1 row in set (0.00 sec)

MariaDB [(none)]> quit
Bye
                                                                                                    ✔
─────────────────────────────────────────────────────────────────────────────────────────────────────
[2026-01-26 11:39.31]  ~
[Administrator.DESKTOP-VJ307M3] ➤ mysql -ulee -plee -h172.25.254.100 -P 6663
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.5.27-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT @@server_id;
+-------------+
| @@server_id |
+-------------+
|          10 |
+-------------+
1 row in set (0.00 sec)

MariaDB [(none)]>

backup参数

backup用于定义备用服务器

bash 复制代码

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
listen mariadbcluster
    bind        *:6663
    mode        tcp
    balance     roundrobin
    server haha 192.168.0.10:3306  check inter 3s fall 3 rise 5 weight 1
    server hehe 192.168.0.20:3306  check inter 3s fall 3 rise 5 weight 1 backup


[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg

#测试
[Administrator.DESKTOP-VJ307M3] ➤ mysql -ulee -plee -h172.25.254.100 -P 6663
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.5.27-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT @@server_id;
+-------------+
| @@server_id |
+-------------+
|          10 |
+-------------+
1 row in set (0.00 sec)

MariaDB [(none)]> quit
Bye

[Administrator.DESKTOP-VJ307M3] ➤ mysql -ulee -plee -h172.25.254.100 -P 6663
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.5.27-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT @@server_id;
+-------------+
| @@server_id |
+-------------+
|          10 |
+-------------+
1 row in set (0.00 sec)

MariaDB [(none)]> quit
Bye


#关闭10的mariadb并等待1分钟
[root@webserver1 ~]# systemctl stop mariadb
[Administrator.DESKTOP-VJ307M3] ➤ mysql -ulee -plee -h172.25.254.100 -P 6663
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 1 "Operation not permitted"    #标识haproxy 没有完成故障转换，需要等待
  
  
[Administrator.DESKTOP-VJ307M3] ➤ mysql -ulee -plee -h172.25.254.100 -P 6663
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 11
Server version: 10.5.27-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT @@server_id;
+-------------+
| @@server_id |
+-------------+
|          20 |
+-------------+
1 row in set (0.00 sec)

MariaDB [(none)]>


#还原故障主机等待片刻
[root@webserver1 ~]# systemctl start mariadb

[Administrator.DESKTOP-VJ307M3] ➤ mysql -ulee -plee -h172.25.254.100 -P 6663
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.5.27-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT @@server_id;
+-------------+
| @@server_id |
+-------------+
|          10 |
+-------------+
1 row in set (0.00 sec)

MariaDB [(none)]>

在所有非备份 服务器（比如 haha 192.168.0.10:3306）都正常运行时，不会被分配任何流量，处于 "待命" 状态，故障时自动接管。

Haproxy全站加密

1.制作证书

bash 复制代码

[root@haproxy ~]# mkdir /etc/haproxy/certs/
[root@haproxy ~]# openssl req -newkey rsa:2048 -nodes -sha256  -keyout /etc/haproxy/certs/timinglee.org.key -x509 -days 365 -out /etc/haproxy/certs/timinglee.org.crt


You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shaanxi
Locality Name (eg, city) [Default City]:Xi'an
Organization Name (eg, company) [Default Company Ltd]:timinglee
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:www.timinglee.org
Email Address []:admin@timinglee.org
[root@haproxy ~]# ls /etc/haproxy/certs/
timinglee.org.crt  timinglee.org.key

[root@haproxy ~]# cat /etc/haproxy/certs/timinglee.org.{key,crt} > /etc/haproxy/certs/timinglee.pem

2.全站加密

bash 复制代码

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
frontend webcluster-http
    bind        *:80
    redirect scheme https if ! { ssl_fc }

listen webcluster-https
    bind        *:443 ssl  crt /etc/haproxy/certs/timinglee.pem
    mode        http
    balance     roundrobin
    server haha 192.168.0.10:80  check inter 3s fall 3 rise 5 weight 1
    server hehe 192.168.0.20:80  check inter 3s fall 3 rise 5 weight 1
    
    
[root@haproxy ~]# systemctl restart haproxy.service

#测试：
[Administrator.DESKTOP-VJ307M3] ➤ curl -v -k -L http://172.25.254.100
*   Trying 172.25.254.100:80...
* TCP_NODELAY set
* Connected to 172.25.254.100 (172.25.254.100) port 80 (#0)
> GET / HTTP/1.1
> Host: 172.25.254.100
> User-Agent: curl/7.65.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< content-length: 0
< location: https://172.25.254.100/					#转换信息体现
< cache-control: no-cache
<
* Connection #0 to host 172.25.254.100 left intact
* Issue another request to this URL: 'https://172.25.254.100/'
*   Trying 172.25.254.100:443...
* TCP_NODELAY set
* Connected to 172.25.254.100 (172.25.254.100) port 443 (#1)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=CN; ST=Shaanxi; L=Xi'an; O=timinglee; OU=linux; CN=www.timinglee.org; emailAddress=admin@timinglee.org
*  start date: Jan 26 08:38:57 2026 GMT
*  expire date: Jan 26 08:38:57 2027 GMT
*  issuer: C=CN; ST=Shaanxi; L=Xi'an; O=timinglee; OU=linux; CN=www.timinglee.org; emailAddress=admin@timinglee.org
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET / HTTP/1.1
> Host: 172.25.254.100
> User-Agent: curl/7.65.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< date: Mon, 26 Jan 2026 08:48:34 GMT
< server: Apache/2.4.62 (Red Hat Enterprise Linux)
< last-modified: Fri, 23 Jan 2026 03:52:02 GMT
< etag: "1a-64906147d3d6a"
< accept-ranges: bytes
< content-length: 26
< content-type: text/html; charset=UTF-8
<
webserver2 - 192.168.0.20
* Connection #1 to host 172.25.254.100 left intact