HAProxy configuration for sticky sessions on HTTP and HTTPS

(2010-11-17 11:04:47)
Tags: haproxy, keepalived, stunnel, loadbalancer, it

Category: website architecture
  1. Install HAProxy from http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.9.tar.gz
  2. Build and install with: make TARGET=linux26 ARCH=x86_64 && make install
  3. Edit haproxy.cfg in your install directory: vi /etc/haproxy/haproxy.cfg
   global
        maxconn     32000   # total max connections; must fit under ulimit -n
        daemon
        # appsession tables are kept per process, so nbproc must stay at 1
        # for JSESSIONID stickiness to apply to every request
        nbproc      1       # number of worker processes (a dual dual-core Opteron has 4 cores, for example)
        #ulimit-n 65535
        pidfile /var/run/haproxy.pid    # not /tmp, which is world-writable
        stats maxconn 5
        log 127.0.0.1 local3            # see "How to enable logging" below
        # consider also: user haproxy / group haproxy / chroot /var/lib/haproxy
        # so the worker drops root once port 80 is bound
    defaults
        mode        http
        clitimeout  60000
        srvtimeout  30000
        contimeout  4000
        #option      httpclose # disable keep-alive
        log global
        option httplog

 listen  http_proxy 192.168.1.120:80
        maxconn 31000
        balance roundrobin          # load balancing algorithm
        option httpchk HEAD /help/help.jsp HTTP/1.0
        option forwardfor           # adds X-Forwarded-For with the client address
        #option httpclose
        #option http-server-close   # keeps client keep-alive; better than option httpclose
        stats enable
        stats realm icebreakersoftware\ Haproxy
        stats uri /admin?stats
        stats auth wade:wade        # change this; the stats page sits on the public listener
        stats refresh 30s
        stats hide-version
        cookie SERVERID insert nocache indirect
        #appsession JSESSIONID len 52 timeout 3h mode query-string
        #appsession JSESSIONID len 52 timeout 3h mode path-parameters
        # images need no persistence; skipping them keeps the appsession table small
        acl image_ico path_sub .ico
        acl image_gif path_sub .gif
        acl image_png path_sub .png
        acl image_jpg path_sub .jpg
        #ignore-persist if image_ico || image_gif || image_png || image_jpg
        appsession JSESSIONID len 52 timeout 1h request-learn mode path-parameters

        ## Define the servers to balance
        server server1 192.168.100.64:8280 weight 1 maxconn 512 check inter 2000 rise 2 fall 3 cookie A
        server server2 192.168.100.65:8280 weight 1 maxconn 512 check inter 2000 rise 2 fall 3 cookie B
        server server3 192.168.100.66:8280 weight 1 maxconn 512 check inter 2000 rise 2 fall 3 cookie C
        server server4 192.168.100.39:8280 weight 1 maxconn 512 check inter 2000 rise 2 fall 3 cookie D
        #server server4 192.168.1.108:8280 weight 1 maxconn 512 check inter 2000 rise 2 fall 3
        #server web67 192.168.1.67:8080  maxconn 512 check inter 2000 cookie server67
        #server web68 192.168.1.68:8080  maxconn 512 check inter 2000 cookie server68
        #server web67 192.168.1.67:8080  maxconn 512 check inter 2000
        #server web68 192.168.1.68:8080  maxconn 512 check inter 2000

        option persist              # keep sending a client to its server even when the check marks it down
        option redispatch           # but pick another server when the connection to it actually fails
        option abortonclose


How to enable logging

   1. Edit /etc/syslog.conf and add:
local3.* /var/log/haproxy.log
   2. Check that /etc/services contains
          syslog 514/udp
      (add it manually if it is missing)
   3. In /etc/sysconfig/syslog change
SYSLOGD_PARAMS=""
to:
SYSLOGD_PARAMS="-r"
   4. Restart syslog and check that it now listens on UDP 514:
   # /etc/init.d/syslog restart
   # netstat -tlunp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:514 0.0.0.0:* 24314/syslogd

Note that -r opens port 514 on every interface (the 0.0.0.0:514 above), and sysklogd cannot restrict it to loopback. HAProxy only logs to 127.0.0.1, so block 514/udp from other hosts with iptables; otherwise anyone on the network can inject forged lines into /var/log/haproxy.log.
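Once the log is flowing it can be used to verify that stickiness actually holds. The script below is an added example, not code from the original post: it parses HAProxy 1.4 httplog lines, maps the SERVERID cookie a client presented to the server that should have handled it, and reports requests that landed elsewhere (redispatch after a server went down, a tampered cookie value, or a genuinely broken table, which with this configuration usually means nbproc was raised above 1). It assumes the http_proxy section also carries `capture cookie SERVERID len 10` so the two cookie fields of each line are filled in; the log lines are constructed for the example.

```python
"""Audit sticky-session behaviour from haproxy.log (HAProxy 1.4 httplog format).

Added example, not from the original post. Assumes the http_proxy listener
has `capture cookie SERVERID len 10` so the request/response cookie fields
of each log line hold the SERVERID value. SAMPLE_LOG is constructed data.
"""
import re
from collections import Counter

# cookie value -> server, as declared by "cookie A" .. "cookie D" on the server lines
COOKIE_TO_SERVER = {"A": "server1", "B": "server2", "C": "server3", "D": "server4"}

# One httplog line after the syslog prefix:
#   client:port [date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes
#   req_cookie resp_cookie term_state actconn/feconn/beconn/srv_conn/retries
#   srv_queue/backend_queue [{req hdrs}] [{resp hdrs}] "request"
HTTPLOG_RE = re.compile(
    r'(?P<client>\d+(?:\.\d+){3}):\d+ \[[^\]]+\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'[-\d]+(?:/[-\d]+){4} (?P<status>\d{3}) \d+ '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) (?P<term>\S{4}) '
    r'\d+(?:/\d+){4} \d+/\d+ '
    r'(?:\{[^}]*\} ){0,2}"(?P<request>[^"]*)"'
)

# Constructed sample: first visit, sticky repeat, a server-down event, a
# redispatch (3rd termination flag D) and a tampered cookie (3rd flag I).
SAMPLE_LOG = [
    'Nov 17 11:04:47 lb1 haproxy[2041]: 192.168.1.10:50211 [17/Nov/2010:11:04:47.123] '
    'http_proxy http_proxy/server1 2/0/1/45/48 200 1532 - SERVERID=A ---- 3/3/2/1/0 0/0 '
    '"GET /help/help.jsp HTTP/1.1"',
    'Nov 17 11:04:48 lb1 haproxy[2041]: 192.168.1.10:50212 [17/Nov/2010:11:04:48.456] '
    'http_proxy http_proxy/server1 1/0/1/30/32 200 812 SERVERID=A - ---- 3/3/2/1/0 0/0 '
    '"GET /account.jsp HTTP/1.1"',
    'Nov 17 11:05:00 lb1 haproxy[2041]: Server http_proxy/server1 is DOWN, reason: Layer7 '
    'timeout, check duration: 2001ms. 3 active and 0 backup servers left.',
    'Nov 17 11:05:02 lb1 haproxy[2041]: 192.168.1.10:50213 [17/Nov/2010:11:05:02.001] '
    'http_proxy http_proxy/server2 1/0/2/28/31 200 812 SERVERID=A SERVERID=B --DI 3/3/2/1/0 0/0 '
    '"GET /account.jsp HTTP/1.1"',
    'Nov 17 11:05:10 lb1 haproxy[2041]: 192.168.1.33:41002 [17/Nov/2010:11:05:10.700] '
    'http_proxy http_proxy/server3 1/0/1/20/22 200 812 SERVERID=Z SERVERID=C --II 3/3/2/1/0 0/0 '
    '"GET /account.jsp HTTP/1.1"',
]


def parse_httplog(line):
    """Return the fields of one request line, or None for non-request lines."""
    m = HTTPLOG_RE.search(line)
    return m.groupdict() if m else None


def cookie_value(field, name="SERVERID"):
    """'SERVERID=A' -> 'A'; '-' (no cookie captured) -> None."""
    if field.startswith(name + "="):
        return field[len(name) + 1:]
    return None


def audit(lines):
    """Count requests per server and list stickiness anomalies.

    Returns {"hits": Counter, "inserted": int, "anomalies": [(client, reason, request)]}.
    """
    hits = Counter()
    inserted = 0
    anomalies = []
    for line in lines:
        rec = parse_httplog(line)
        if rec is None:              # health-check events and the like
            continue
        hits[rec["server"]] += 1
        sent = cookie_value(rec["req_cookie"])
        got = cookie_value(rec["resp_cookie"])
        flag = rec["term"][2]        # persistence cookie state as seen by the proxy
        if sent is None:
            if got is not None:      # first visit: proxy handed out a SERVERID
                inserted += 1
            continue
        expected = COOKIE_TO_SERVER.get(sent)
        if expected is None or flag == "I":
            anomalies.append((rec["client"], f"invalid SERVERID {sent!r}", rec["request"]))
        elif rec["server"] != expected:
            if flag == "D":
                reason = f"redispatched from down {expected} to {rec['server']}"
            else:
                reason = f"stickiness broken: cookie {sent} but served by {rec['server']}"
            anomalies.append((rec["client"], reason, rec["request"]))
    return {"hits": hits, "inserted": inserted, "anomalies": anomalies}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("requests per server:", dict(report["hits"]))
    print("cookies inserted:", report["inserted"])
    for client, reason, request in report["anomalies"]:
        print(f"{client}: {reason} ({request})")
```

Run it against /var/log/haproxy.log (`audit(open("/var/log/haproxy.log"))`) after a load test; redispatch lines are expected during a backend outage, but "invalid SERVERID" from one client address is worth a look since the cookie values A..D are trivially guessable, and "stickiness broken" lines point at a configuration problem rather than client behaviour.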



STUNNEL (decrypt HTTPS before HAProxy)

If your distribution packages stunnel, just use the package. On Red Hat 5.5 I did not build it; I installed version 4.15 with yum (yum install stunnel, the x86_64 package). Be aware that the packaged binary does not carry the HAProxy X-Forwarded-For patch, so the xforwardedfor option in the configuration below only works with a patched build. You can also download and compile it as follows.

Download a stunnel release for which an HAProxy stunnel patch exists. Check http://haproxy.1wt.eu/download/patches/?C=N;O=A for the highest-numbered stunnel patch, then visit http://www.stunnel.org/download/source.html and grab the URL of the matching version.

In my case this was version 4.15. I do this as root because I find it easier when compiling:
sudo su
mkdir /usr/local/util
cd /usr/local/util
wget http://www.stunnel.org/download/stunnel/src/stunnel-4.15.tar.gz

And let’s unpack that:
gunzip stunnel-4.15.tar.gz
tar -xvf stunnel-4.15.tar
rm stunnel-4.15.tar

Grab the patch that we spotted earlier:
wget http://haproxy.1wt.eu/download/patches/stunnel-4.15-xforwarded-for.diff

Apply the patch:
cd stunnel-4.15
patch -p1 < ../stunnel-4.15-xforwarded-for.diff

Get the prerequisites; without the OpenSSL headers ./configure fails with an error along the lines of "Couldn't find your SSL library installation dir":
yum install openssl-devel            # Red Hat / CentOS
apt-get install libcurl3-openssl-dev # Debian / Ubuntu; libssl-dev is the package actually needed and is pulled in by this one

Make stunnel:
./configure
make && make install

Configure stunnel, I’m assuming you already have your SSL certs and have put them somewhere sensible like /etc/ssl/certs:
mkdir /etc/stunnel
vim /etc/stunnel/stunnel.conf

And into that file put this basic config:

######################################################################
cert = /etc/ssl/certs/www.server.com.crt
; the private key should not live in the world-readable certs directory:
; move it to /etc/ssl/private with mode 0600 and point key= there
key = /etc/ssl/certs/www.server.com.key
; uncomment both to drop root after binding port 443 (make the output
; log and pid paths writable by that user first)
;setuid = nobody
;setgid = nogroup
pid = /etc/stunnel/stunnel.pid
debug = 3
output = /etc/stunnel/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[https]
accept = 192.168.1.120:443
; hand the decrypted stream to HAProxy's https_proxy listener (defined below),
; not to a backend server, otherwise the traffic bypasses the load balancer
connect = 192.168.1.120:8443
TIMEOUTclose = 0
; only understood by a build with the HAProxy xforwardedfor patch applied
xforwardedfor = yes
######################################################################

Note: stunnel is very fussy about comments in the config file… make sure they’re the only thing on a line and never put comments at the end of a line!

Create the init.d script to start and stop the daemon:
vim /etc/init.d/stunnel

Insert the script contents:

######################################################################
#!/bin/bash
#
# stunnel      This shell script takes care of starting and stopping
#              stunnel
#
# chkconfig: 345 80 30
# description:  Secure tunnel

# processname: stunnel
# config: /etc/stunnel/stunnel.conf
# pidfile: /etc/stunnel/stunnel.pid

# Source function library (Red Hat's; it provides killproc and status).
. /etc/init.d/functions

# Source stunnel configuration.
if [ -f /etc/sysconfig/stunnel ] ; then
  . /etc/sysconfig/stunnel
fi

RETVAL=0
prog="stunnel"
STUNNEL=/usr/local/bin/stunnel
CONF=/etc/stunnel/stunnel.conf
# the rc scripts only call "stop" at shutdown when this lock file exists
LOCK=/var/lock/subsys/stunnel

start() {
  # Start daemons.
  echo -n $"Starting $prog: "
  if [ -x "$STUNNEL" ] ; then
    "$STUNNEL" "$CONF"
    RETVAL=$?
  else
    echo -n "$STUNNEL not found"
    RETVAL=1
  fi
  echo
  [ $RETVAL -eq 0 ] && touch "$LOCK"
  return $RETVAL
}

stop() {
  # Stop daemons.
  echo -n $"Shutting down $prog: "
  killproc "$prog"
  RETVAL=$?
  echo
  [ $RETVAL -eq 0 ] && rm -f "$LOCK"
  return $RETVAL
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    RETVAL=$?
    ;;
  condrestart)
    if [ -f "$LOCK" ]; then
      stop
      start
      RETVAL=$?
    fi
    ;;
  status)
    status "$prog"
    RETVAL=$?
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|condrestart|status}"
    exit 1
esac

exit $RETVAL
######################################################################

Save it and make it executable:
chmod 755 /etc/init.d/stunnel

Now you can stop and start the service using:
service stunnel stop
service stunnel start

To have it start automatically at boot, register it with chkconfig (the header in the script assigns it to runlevels 3, 4 and 5):
chkconfig --add stunnel
chkconfig stunnel on

Last thing to do: have HAProxy listen for the decrypted traffic coming from stunnel:
sudo vim /etc/haproxy/haproxy.cfg

Add a second listen section at the end. It is the same as the http_proxy configuration above, bound to port 8443 instead of 80, plus reqadd lines that add request headers so the application can tell whether a request originally arrived over http or https (in PHP, for instance, by inspecting the request headers):

listen  https_proxy 192.168.1.120:8443   # plaintext from stunnel, not SSL itself
        (same options and server lines as http_proxy above)
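Here is the complete https_proxy section as an added example; it is not text from the original post. It repeats the http_proxy settings and adds the request header. The header name X-Forwarded-Proto and the `except` address (the address stunnel connects from) are assumptions, since the post only says that the reqadd lines add headers to distinguish http from https.

```haproxy
# Added example, not from the original post. Assumes stunnel on 192.168.1.120
# connects to this listener and has already inserted X-Forwarded-For
# (xforwardedfor=yes with the patched build).
listen  https_proxy 192.168.1.120:8443
        # Only stunnel should be able to reach this port: it carries plaintext
        # and everything arriving here is tagged as HTTPS, so a direct connection
        # could forge both X-Forwarded-Proto and X-Forwarded-For. Bind 127.0.0.1
        # when stunnel runs on this host (and connect stunnel to 127.0.0.1:8443),
        # otherwise firewall 8443 to the stunnel address.
        maxconn 31000
        balance roundrobin
        option httpchk HEAD /help/help.jsp HTTP/1.0
        # stunnel already added X-Forwarded-For; skip connections coming from it
        option forwardfor except 192.168.1.120
        # header name is an assumption: lets the application tell http from https
        reqadd X-Forwarded-Proto:\ https
        cookie SERVERID insert nocache indirect
        appsession JSESSIONID len 52 timeout 1h request-learn mode path-parameters
        server server1 192.168.100.64:8280 weight 1 maxconn 512 check inter 2000 rise 2 fall 3 cookie A
        server server2 192.168.100.65:8280 weight 1 maxconn 512 check inter 2000 rise 2 fall 3 cookie B
        server server3 192.168.100.66:8280 weight 1 maxconn 512 check inter 2000 rise 2 fall 3 cookie C
        server server4 192.168.100.39:8280 weight 1 maxconn 512 check inter 2000 rise 2 fall 3 cookie D
        option persist
        option redispatch
        option abortonclose
```

Each listen section keeps its own appsession table in 1.4, so a JSESSIONID learned over https is learned again when the same client comes in over http; the SERVERID cookie, on the other hand, maps A..D to the same servers in both sections, so a client stays on one backend across the two ports. The stats directives are deliberately left out so the stats page is reachable only through the http listener.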

Restart HAProxy and you’re done:
service haproxy restart


Keepalived for HAProxy failover

If you want HAProxy itself to fail over when it has a problem, Keepalived is a good solution. Keepalived manages a virtual IP (VIP) with VRRP and moves it to the other server when the active one fails. For this to work HAProxy must be bound to the VIP on both nodes: the listeners above bind 192.168.1.120, so either make that address the VIP or change them to 192.168.100.44 (or 0.0.0.0), and set net.ipv4.ip_nonlocal_bind=1 on the backup node so HAProxy can bind an address it does not hold yet.

Step 1: download and build keepalived

wget http://www.keepalived.org/software/keepalived-1.1.20.tar.gz
tar xzvf keepalived-1.1.20.tar.gz
cd keepalived-1.1.20
./configure
make && make install && make clean

Step 2: link the sysconfig and init scripts into place

# cd /etc/sysconfig
# ln -s /usr/local/etc/sysconfig/keepalived .
# cd /etc/rc3.d/
# ln -s /usr/local/etc/rc.d/init.d/keepalived S100keepalived
# cd /etc/init.d/
# ln -s /usr/local/etc/rc.d/init.d/keepalived .

Step 3: configuration. Open /etc/keepalived.conf with vi on both servers where you installed Keepalived and put in the following. The same file works on both nodes: with equal priority, the node whose chk_haproxy check succeeds scores 102 against 100 and holds the VIP (a tie goes to the higher IP address). If you prefer a fixed master, give the second node state BACKUP and the first node priority 101; the gap between the two must stay below the script weight of 2, or a node with a dead HAProxy never gives up the VIP.


! Configuration File for Keepalived

global_defs {
   notification_email {
     sysadmin@icebreakersoftware.com
   }
   notification_email_from haproxy@icebreakersoftware.com
   smtp_server 192.168.100.70
   smtp_connect_timeout 30
   router_id LVS_DEVEL
}

vrrp_script chk_haproxy {           # Requires keepalived-1.1.13
        script "killall -0 haproxy"     # cheaper than pidof; only proves a process exists, not that it serves
        interval 2                      # check every 2 seconds
        weight 2                        # add 2 points of prio if OK
}

vrrp_instance VI_1 {
        interface eth0
        state MASTER                    # may be MASTER on both nodes; the track script decides
        virtual_router_id 40            # identical on both nodes
        priority 100                    # keep the gap between nodes below the script weight
        advert_int 2
        authentication {
            auth_type PASS              # sent in clear on the LAN; keep the VRRP segment trusted
            auth_pass wade              # change this; at most 8 characters are used
        }
        virtual_ipaddress {
                192.168.100.44
        }
        track_script {
            chk_haproxy
        }
}


Step 4: start and stop keepalived

start: keepalived -f /etc/keepalived.conf -d
stop:  /etc/init.d/keepalived stop

Step 5: check the virtual IP
ip addr sh eth0

192.168.100.44 should be listed as a secondary address on the master only. To test the failover, stop HAProxy on the master (chk_haproxy then withdraws its 2 points) and run the same command on the backup: the VIP should appear there within a few advert_int intervals.
