haproxy 命令配置实例

一：Global parameters
* Process management and security
- chroot 改变当前工作目录
- daemon 运行方式为后台工作
- user - group 工作用户和组
-log <address> <facility>日志输出设备
- nbproc 创建工作的进程数目
-pidfile pid文件位置
- ulimit-n 设置每个进程的可用的最大文件描述符
- stats 创建监控所用的套接字目录
- node 创建另外一个节点名字共用一个IP地址，用来识别哪个节点在处理流量
- description 描述实例的名称
maxconn <number> 每个进程可用的最大连接数
maxpipes <number> 每个进程可用的最大管道数
nokqueue nopoll nosepoll nosplice 禁用这些功能
spread-checks <0..50, in percent> health check 的时间间隔
tune.bufsize <number>
tune.maxaccept <number>
tune.maxpollevents <number>
tune.maxrewrite <number>
tune.rcvbuf.client <number>
tune.rcvbuf.server <number>
tune.sndbuf.client <number>
tune.sndbuf.server <number>
以上凭字面理解吧
debug 调试模式，输出启动信息到标准输出
quiet 安装模式，启动时无输出

二：defaults 块
作用于其后紧跟的listen块，直至下一个defaults 块，下一个default 将替换上一个块作用于以后的listen
frontend 块，接受请求的端口组
backend块，后端处理的server 组
listen块，frontend和backend 块的结合

三：常用配置命令

balance <algorithm> [ <arguments> ]
balance url_param <param> [check_post [<max_wait>]] 负载均衡模块设置

Examples :
balance roundrobin
balance url_param userid
balance url_param session_id check_post 64
balance hdr(User-Agent)
balance hdr(host)
balance hdr(Host) use_domain_only

block { if | unless } <condition> 在7层阻止访问
Example:
acl invalid_src src 0.0.0.0/7 224.0.0.0/3 acl定义和squid 很像
acl invalid_src src_port 0:1023
acl local_dst hdr(host) -i localhost
block if invalid_src || local_dst

capture cookie <name> len <length> 在请求和回应包中捕捉记录指定长度的cookie,name 为cookie的开头几个字母

Example:
capture cookie ASPSESSION len 32

capture request header <name> len <length>
capture response header <name> len <length> 同上

clitimeout <timeout> (deprecated)
contimeout <timeout> (deprecated) 客户端超时时间，不赞成设置

cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ] [ postonly ] [ domain <domain> ]* 允许持续的基于cookie 的后端连接

default_backend <backend> 默认应用的后端

Example :
use_backend dynamic if url_dyn
use_backend static if url_css url_img extension_img
default_backend dynamic 当没有匹配时就用dynamic

errorfile <code> <file> 定义出现错误的代码的返回页
Example :
errorfile 400 /etc/haproxy/errorfiles/400badreq.http
errorfile 403 /etc/haproxy/errorfiles/403forbid.http
errorfile 503 /etc/haproxy/errorfiles/503sorry.http

errorloc <code> <url> errorloc302 <code> <url> 出错重定向到指定url
force-persist { if | unless } <condition> 在特定条件下，强制继续连接down 掉的服务器后端
fullconn <conns> 定义后端组的最大连接数
grace <time> haproxy停止后，再持续多长时间用于处理连接
http-check disable-on-404 如果后端检测返回404，将不再把后端计入负载均衡
http-check send-state 允许haproxy 发送 X-Haproxy-Server-State
http-request { allow | deny | http-auth [realm <realm>] } [ { if | unless } <condition> ] 七层访问控制
Example:
acl nagios src 192.168.129.3
acl local_net src 192.168.0.0/16
acl auth_ok http_auth(L1)

http-request allow if nagios
http-request allow if local_net auth_ok
http-request auth realm Gimme if local_net auth_ok
http-request deny

Example:
acl auth_ok http_auth_group(L1) G1

http-request auth unless auth_ok

mode { tcp|http|health } 设定启动的实例的协议类型
monitor fail { if | unless } <condition> 监控失败条件设置

option abortonclose 丢弃由于客户端等待时间过长而关闭连接但仍在haproxy等待队列中的请求
option accept-invalid-http-request 接受无效的http请求，建议关闭（开启可能有安全隐患）
option accept-invalid-http-response 接受无效的response ,建议关闭
option allbackups 应该是后备服务器，如果正常的后端无法使用，就使用这些后备的设备，balance方式还是用原来的，没有优先的选择，常用来提供错误的页面
option checkcache 分析后端response,阻止可缓存的cookie,它对response 进行严格检查，包括"Cache-control", "Pragma" and "Set-cookie" ，查看在客户端代理那边保存是否有风险，如果这个允许的话，符全以下条件的response 将被允许，其它的将被阻止。
- all those without "Set-Cookie" header ;
- all those with a return code other than 200, 203, 206, 300, 301, 410,
provided that the server has not set a "Cache-control: public" header ;
- all those that come from a POST request, provided that the server has not
set a 'Cache-Control: public' header ;
- those with a 'Pragma: no-cache' header
- those with a 'Cache-control: private' header
- those with a 'Cache-control: no-store' header
- those with a 'Cache-control: max-age=0' header
- those with a 'Cache-control: s-maxage=0' header
- those with a 'Cache-control: no-cache' header
- those with a 'Cache-control: no-cache="set-cookie"' header
- those with a 'Cache-control: no-cache="set-cookie,' header
(allowing other fields after set-cookie)

option clitcpka   是否允许客户端发送tcp keepalive 包,这个和http 的keepalive 没有关系
option contstats   允许连续的流量统计更新
option dontlog-normal   开启正常连接的日志
option dontlognull   记录空连接
option forceclose 允许关闭session 在后端把response 发送后
option forwardfor [ except <network> ] [ header <name> ]        允许在request 中加入X-Forwarded-For header 发往server
option http-pretend-keepalive    定义是否haproxy要宣布同server keepalive
option http-server-close   是否开启在server 端 connection closing
option http-use-proxy-header    用non-standard Proxy-Connection 替换 connection

option httpchk <method> <uri> <version> 允许用http协议检查server 的健康
Examples :
# Relay HTTPS traffic to Apache instance and check service availability
# using HTTP request "OPTIONS * HTTP/1.1" on port 80.
backend https_relay
mode tcp
option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
server apache1 192.168.1.1:443 check port 80

option httplog [ clf ] 定制日志格式
option http_proxy 开启http 代理模式，只有最基本的代理功能
option ignore-persist { if | unless } <condition> 在某条件下拒绝持续连接，适用于对静态文件的负载均衡
option independant-streams 启用双向超时处理，如socket 的read 和write
option log-health-checks   记录健康检查日志
option log-separate-errors   对非完全成功的连接改变日志记录等级
option logasap   大传输大文件时可以提前记录日志
option mysql-check   mysql 健康检查
option nolinger 清除肮脏连接后开成的tcp 状态及占用的资源，不过并不是强列要求你用这个选项，当然如果你有thousands of FIN_WAIT1 sessions on your system ，那肯定得用了
option originalto [ except <network> ] [ header <name> ]   允许在requests中加入X-Original-To header 发往server
option persist     强制将http请求发往已经down 掉的server
option redispatch   是否允许重新分配在session 失败后
option smtpchk   smtp 检查
option socket-stats 允许对单个socket进行统计
option srvtcpka 是否允许向server 发送keepalive
option tcpka 是否允许向server和client发送keepalive
option tcplog 允许记录tcp 连接的状态和时间
option transparent   允许客户端透明代理
rate-limit sessions <rate> 设置frontend 每秒处理的连接的上限，如果到达上限就停止建立新的connection

redirect location <to> [code <code>] <option> [{if | unless} <condition>]
redirect prefix <to> [code <code>] <option> [{if | unless} <condition>] 重定向，相当于rewrite

Example: move the login URL only to HTTPS.
acl clear      dst_port 80
acl secure     dst_port 8080
acl login_page url_beg   /login
acl logout     url_beg   /logout
acl uid_given url_reg   /login?userid=[^&]+
acl cookie_set hdr_sub(cookie) SEEN=1

redirect prefix   https://mysite.com set-cookie SEEN=1 if !cookie_set
redirect prefix   https://mysite.com           if login_page !secure
redirect prefix   http://mysite.com drop-query if login_page !uid_given
redirect location http://mysite.com/           if !login_page secure
redirect location / clear-cookie USERID=       if logout

Example: send redirects for request for articles without a '/'.
acl missing_slash path_reg ^/article/[^/]*$
redirect code 301 prefix / drop-query append-slash if missing_slash
redisp (deprecated)
redispatch (deprecated) 开启session 重新分配在connection连接失败后，不赞成启用
reqadd <string> [{if | unless} <cond>] 在http请示的末尾加上string

Example : add "X-Proto: SSL" to requests coming via port 81
acl is-ssl dst_port 81
reqadd X-Proto:\ SSL if is-ssl

reqallow <search> [{if | unless} <cond>]
reqiallow <search> [{if | unless} <cond>] (ignore case) request 请求访问控制

Example :
# allow www.* but refuse *.local
reqiallow ^Host:\ www\.
reqideny ^Host:\ .*\.local

reqdel <search> [{if | unless} <cond>]
reqidel <search> [{if | unless} <cond>] (ignore case) 删除请求的head 中的内容

Example :
# remove X-Forwarded-For header and SERVER cookie
reqidel ^X-Forwarded-For:.*
reqidel ^Cookie:.*SERVER=

reqdeny <search> [{if | unless} <cond>]
reqideny <search> [{if | unless} <cond>] (ignore case) 拒绝访问

reqrep <search> <string> [{if | unless} <cond>]
reqirep <search> <string> [{if | unless} <cond>]   (ignore case) request 请求替换
Example :
# replace "/static/" with "/" at the beginning of any request path.
reqrep ^([^\ ]*)\ /static/(.*)     \1\ /\2
# replace "www.mydomain.com" with "www" in the host name.
reqirep ^Host:\ www.mydomain.com   Host:\ www

reqtarpit <search> [{if | unless} <cond>]
reqitarpit <search> [{if | unless} <cond>] (ignore case) 阻止ｈｔｔｐ请求中的某些信息

Examples :
# ignore user-agents reporting any flavour of "Mozilla" or "MSIE", but
# block all others.
reqipass ^User-Agent:\.*(Mozilla|MSIE)
reqitarpit ^User-Agent:

# block bad guys
acl badguys src 10.1.0.3 172.16.13.20/28
reqitarpit . if badguys

retries <value> 当对ｓｅｒｖｅｒ的ｃｏｎｎｅｃｔｉｏｎ失败后，重试的次数
rspadd <string> [{if | unless} <cond>] response 增加信息
rspdel <search> [{if | unless} <cond>]
rspidel <search> [{if | unless} <cond>] (ignore case)
rspdeny <search> [{if | unless} <cond>]
rspideny <search> [{if | unless} <cond>] (ignore case)
rsprep <search> <string> [{if | unless} <cond>]
rspirep <search> <string> [{if | unless} <cond>] (ignore case)
以上和request 的差不多

source <addr>[:<port>] [usesrc { <addr2>[:<port2>] | client | clientip } ] 定义从代理出去的连接的对象，用于限定地址可以访问server

一些timeout

srvtimeout <timeout> server 处理超时，不赞成设置
timeout check                             X          -         X         X
timeout client                            X          X         X         -
timeout clitimeout          (deprecated) X          X         X         -
timeout connect                           X          -         X         X
timeout contimeout          (deprecated) X          -         X         X
timeout http-keep-alive                   X          X         X         X
timeout http-request                      X          X         X         X
timeout queue                             X          -         X         X
timeout server                            X          -         X         X
timeout srvtimeout          (deprecated) X          -         X         X
timeout tarpit                            X          X         X         X

stats auth <user>:<passwd> 监控统计的帐号和密码
backend public_www
server srv1 192.168.0.1:80
stats enable
stats hide-version
stats scope   .
stats uri     /admin?stats
stats realm   Haproxy\ Statistics
stats auth    admin1:AdMiN123
stats auth    admin2:AdMiN321

# internal monitoring access (unlimited)
backend private_monitoring
stats enable
stats uri /admin?stats
stats refresh 5s

还有很多参数，以上能用到的也没有几个，只要满足当前需求就好，对于性能要求高的话，建议把不需要的功能都关了吧