HAProxy configuration and parameter notes

jrhppt02:/root# cat /etc/haproxy/haproxy.cfg

# this config needs haproxy-1.1.28 or haproxy-1.2.1

global ## Process-level parameters, usually tied to the operating system (OS). They are normally set once; if the configuration is correct there is no need to change them again
log 127.0.0.1 local3 #### where log output is sent
maxconn 65535 #### maximum number of connections
chroot /usr/local/haproxy ## chroot: make this directory the root directory of the process
uid 401
gid 401
daemon ### run in the background

defaults ### applies to the listen blocks that follow, up to the next defaults block; the next defaults block replaces it for the listen blocks after that
log global ## Enable per-instance logging of events and traffic.
mode http ## default mode { tcp|http|health }: tcp is layer 4, http is layer 7, health only returns OK
option httplog ## Enable logging of HTTP request, session state and timers
option dontlognull ### Enable or disable logging of null connections
retries 3 ### number of retries after a connection to a server fails
option redispatch ### Enable or disable session redistribution in case of connection failure
option abortonclose ### Enable or disable early dropping of aborted requests pending in queues
option httpclose #### actively close the HTTP channel after each request completes; HA-Proxy does not support keep-alive mode
### Enable or disable passive HTTP connection closing
option forwardfor #### obtain the client IP (added to the request sent to the server as X-Forwarded-For)
maxconn 65535 ## maxconn: maximum number of connections available per process
timeout connect 5000
timeout client 50000
timeout server 50000

timeout check   5s
stats   refresh 30s
stats   uri     /stats  
stats   realm   baison-test-Haproxy     
stats   auth    admin:zjadmin818
stats   hide-version            

frontend http ### frontend configuration
# listening port
bind *:80
## enable the SSL certificate
bind *:443 ssl crt /etc/haproxy/cert.pem

## redirect all HTTP traffic to HTTPS when SSL is handled by haproxy
redirect scheme https if !{ ssl_fc }

    acl host_zjcap.cn  hdr_beg(host)  -i zjcap.cn  ### define an ACL named host_zjcap.cn that matches, case-insensitively, requests whose Host header begins with zjcap.cn

    ### note: hdr_beg(host) only matches the beginning of the value
    acl host_zjzb.cn  hdr_beg(host)  -i zhongjunziben.com
    acl www_zjzb.cn  hdr_beg(host)  -i www.zhongjunziben.com
    acl host_zjzc.cn  hdr_beg(host)  -i zhongjunzichan.com
    acl www_zjzc.cn  hdr_beg(host)  -i www.zhongjunzichan.com
    redirect prefix   http://www.zjcap.cn if host_zjcap.cn
    redirect prefix   http://www.zjcap.cn if host_zjzb.cn
    redirect prefix   http://www.zjcap.cn if www_zjzb.cn
    redirect prefix   http://www.zjcap.cn if host_zjzc.cn
    redirect prefix   http://www.zjcap.cn if www_zjzc.cn

    ## web_req is the ACL name
    ## path_beg matches the beginning of the path

    acl             web_req                 path_beg                -i                      /web

    use_backend     appserver_8081          if                      web_req

    acl             business_req            path_beg                -i                      /business
    use_backend     appserver_8081          if                      business_req

    acl             validcode_req           path_beg                -i                      /validcode
    use_backend     appserver_8081          if                      validcode_req

    acl             api_req                 path_beg                -i                      /api
    use_backend     appserver_8082          if                      api_req

    acl             mgr_req                 path_beg                -i                      /backoffice
    use_backend     mgrserver_8001          if                      mgr_req

    acl             pay_req                 path_beg                -i                      /pay
    use_backend     appserver_8083          if                      pay_req

    acl             llmock_req              path_beg                -i                      /llmock
    use_backend     appserver_8083          if                      llmock_req
    acl             tongji_req                 path_beg                -i                      /tongji
    use_backend     appserver_8084          if                      tongji_req

    acl             url_static              path_end                .html .gif .png .jpg .css .js
    use_backend     webserver_8001          if                      url_static

    default_backend webserver_8001

backend webserver_8001
mode http
balance roundrobin
server webhost01_8001 10.252.105.157:8001 check inter 2000 fall 3
server webhost02_8001 10.168.29.17:8001 check inter 2000 fall 3

backend mgrserver_8001
mode http
server mgrhost_8001 10.168.34.94:8001 check inter 2000 fall 3

backend appserver_8081
mode http
balance roundrobin
server apphost01_8081 10.168.32.82:8081 check inter 2000 fall 3
server apphost02_8081 10.168.33.193:8081 check inter 2000 fall 3

backend appserver_8082
mode http
balance roundrobin
server apphost11_8082 10.171.243.55:8082 check inter 2000 fall 3
server apphost12_8082 10.252.148.164:8082 check inter 2000 fall 3

backend appserver_8083
mode http
balance roundrobin
server apphost21_8083 10.171.240.139:8083 check inter 2000 fall 3
server apphost22_8083 10.252.163.244:8083 check inter 2000 fall 3
backend appserver_8084
mode http
balance roundrobin
server apphost31_8084 10.168.79.12:8084 check inter 2000 fall 3
listen stats 0.0.0.0:8899
mode http
option httpclose
balance roundrobin
stats uri /admin-status
stats realm Haproxy Statistics
stats auth admin:admin-check
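
An added example (not part of the original post): a small Python check over HAProxy configuration text that flags four things visible in the configuration above: `stats auth` credentials stored in clear text, `stats uri` set in `defaults` (inherited by the proxies that follow), a stats page on a wildcard address, `hdr_beg(host)` ACLs that only match a prefix, and the deprecated `option httpclose`. The rule names and the sample text are constructed for the example.

```python
import re

# Rule names are labels invented for this example, not HAProxy terminology.
LINE_RULES = [
    (r"^stats\s+auth\s+\S+:\S+", "stats-cleartext-credential"),
    (r"^acl\s+\S+\s+hdr_beg\(host\)", "host-acl-prefix-match"),
    (r"^option\s+httpclose\b", "deprecated-httpclose"),
]
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
WILDCARD = re.compile(r"\s(\*|0\.0\.0\.0):\d+")

def audit(cfg):
    """Return (line number, rule) findings for HAProxy configuration text."""
    findings, section, wildcard = [], None, False
    for no, raw in enumerate(cfg.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        word = line.split()[0]
        if word in SECTIONS:                     # new section: reset state
            section, wildcard = word, bool(WILDCARD.search(line))
            continue
        if word == "bind" and WILDCARD.search(line):
            wildcard = True
        for pattern, rule in LINE_RULES:
            if re.search(pattern, line):
                findings.append((no, rule))
        if re.match(r"stats\s+uri\b", line):
            if section == "defaults":            # inherited by later proxies
                findings.append((no, "stats-inherited-from-defaults"))
            elif wildcard:                       # reachable on every address
                findings.append((no, "stats-on-all-interfaces"))
    return findings

# Constructed sample reusing directives from the configuration above;
# the password is a placeholder.
SAMPLE_CFG = """\
defaults
    option httpclose
    stats uri /stats
    stats auth admin:PLACEHOLDER
frontend http
    bind *:80
    acl host_zjcap.cn hdr_beg(host) -i zjcap.cn
listen stats 0.0.0.0:8899
    stats uri /admin-status
    stats auth admin:PLACEHOLDER
"""

if __name__ == "__main__":
    for no, rule in audit(SAMPLE_CFG):
        print(no, rule)
```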

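HAProxy and keep-alive:

1. Background
Keep-alive is what is usually called a persistent (long-lived) connection. Its benefit is that it reduces the overhead of TCP connections, which is most noticeable for requests with short response bodies. It also gives interactive applications built on HTTP good session support.
HAProxy is an open-source load balancer whose latest version, 1.3.22 (stable), cannot support keep-alive. (Client-side keep-alive is also supported starting with 1.4.dev5.)

2. How keep-alive works
Both HTTP/1.0 and HTTP/1.1 support keep-alive. HTTP/1.0 needs a "Connection: keep-alive" header added to the request for it to work, while HTTP/1.1 supports it by default.
The HTTP/1.0 keep-alive exchange is as follows:
a) The client sends a request whose HTTP version is 1.0 and which carries the header "Connection: keep-alive".
b) The web server sees HTTP/1.0 and "Connection: keep-alive" in the request and treats it as a persistent-connection request. It adds "Connection: keep-alive" to the response headers and does not close the established TCP connection.
c) The client sees "Connection: keep-alive" in the web server's response, treats the connection as persistent and does not close the TCP connection. It sends the next request on the same TCP connection (go back to a)).
The HTTP/1.1 keep-alive exchange is as follows:
a) The client sends a request whose HTTP version is 1.1.
b) The web server sees HTTP/1.1 in the request and treats it as a persistent-connection request. It adds "Connection: keep-alive" to the response headers and does not close the established TCP connection.
c) The client sees "Connection: keep-alive" in the web server's response, treats the connection as persistent and does not close the TCP connection. It sends the next request on the same TCP connection (go back to a)).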
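
3. Patch implementation approach
The patch that adds client keep-alive support to HAProxy mainly solves three problems:
a) Handling the "Connection: keep-alive" header
As described under how keep-alive works, client keep-alive handles this header by adding a "Connection: keep-alive" header to the responses that pass through a frontend with client keep-alive enabled.
b) When to start handling the next request sent by the client
From how keep-alive works, the next request is sent only after the client has received the response to the previous request. Handling of the next request can therefore be triggered only after the response to the previous request has been completely written to the client. Whether the response has been completely written can be determined by computing the length of the response body (Content-Length or chunk information).
c) How to trigger a NOT_FIRST request
HAProxy manages connections through the session data structure. A NOT_FIRST request is triggered by resetting this session structure.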
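
The keep-alive rules from section 2 and the end-of-response detection from 3 b), as an added Python example that is not the patch's code and not from the original post: it splits a byte stream of responses on one connection by Content-Length or chunk framing and reports after each response whether the connection stays open. It assumes responses that carry a body and chunked bodies without trailer fields; the function names and the sample stream are constructed.

```python
def parse_head(buf, start):
    """Parse the status line and headers of the response starting at `start`."""
    end = buf.index(b"\r\n\r\n", start)
    lines = buf[start:end].decode("latin-1").split("\r\n")
    version = lines[0].split()[0]                 # "HTTP/1.0" or "HTTP/1.1"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    return version, headers, end + 4              # offset where the body starts

def persistent(version, headers):
    """HTTP/1.0 needs an explicit keep-alive; HTTP/1.1 persists unless 'close'."""
    tokens = {t.strip() for t in headers.get("connection", "").split(",")}
    if version == "HTTP/1.0":
        return "keep-alive" in tokens
    return "close" not in tokens

def body_end(buf, pos, headers):
    """Offset just past the body, or None when only a TCP close delimits it."""
    if "chunked" in headers.get("transfer-encoding", ""):
        while True:                               # assumption: no trailer fields
            eol = buf.index(b"\r\n", pos)
            size = int(buf[pos:eol].split(b";")[0], 16)
            pos = eol + 2 + size + 2              # size line, data, CRLF
            if size == 0:
                return pos
    if "content-length" in headers:
        return pos + int(headers["content-length"])
    return None

def split_responses(buf):
    """Return [(raw body bytes, connection stays open)] for one connection."""
    out, pos = [], 0
    while pos < len(buf):
        version, headers, body = parse_head(buf, pos)
        end = body_end(buf, body, headers)
        keep = end is not None and persistent(version, headers)
        out.append((buf[body:end], keep))
        if not keep:
            break
        pos = end
    return out

# Constructed server-to-client byte stream carrying three responses.
STREAM = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
          b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n3\r\nabc\r\n0\r\n\r\n"
          b"HTTP/1.0 200 OK\r\nContent-Length: 3\r\n\r\nbye")
```

A response with neither header is delimited only by the server closing the connection, so it is reported as not persistent.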
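
4. Configuring the patch
Add the following to the frontend of each proxy:
option cli_keepalive

5. Patch code
The attachment is the client keep-alive patch based on that version.
The patch only supports keep-alive on the client side.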

By default HAProxy operates in keep-alive mode with regards to persistent
connections: for each connection it processes each request and response, and
leaves the connection idle on both sides between the end of a response and the
start of a new request.

option httpclose
no option httpclose
  Enable or disable passive HTTP connection closing
  May be used in sections :   defaults | frontend | listen | backend
                                 yes   |    yes   |   yes  |   yes
Arguments : none

By default HAProxy operates in keep-alive mode with regards to persistent
connections: for each connection it processes each request and response, and
leaves the connection idle on both sides between the end of a response and
the start of a new request. This mode may be changed by several options such
as “option http-server-close”, “option forceclose”, “option httpclose” or
“option http-tunnel”.

If “option httpclose” is set, HAProxy will work in HTTP tunnel mode and check
if a “Connection: close” header is already set in each direction, and will
add one if missing. Each end should react to this by actively closing the TCP
connection after each transfer, thus resulting in a switch to the HTTP close
mode. Any “Connection” header different from “close” will also be removed.
Note that this option is deprecated since what it does is very cheap but not
reliable. Using “option http-server-close” or “option forceclose” is strongly
recommended instead.

It seldom happens that some servers incorrectly ignore this header and do not
close the connection even though they reply “Connection: close”. For this
reason, they are not compatible with older HTTP 1.0 browsers. If this happens
it is possible to use the “option forceclose” which actively closes the
request connection once the server responds. Option “forceclose” also
releases the server connection earlier because it does not have to wait for
the client to acknowledge it.

This option may be set both in a frontend and in a backend. It is enabled if
at least one of the frontend or backend holding a connection has it enabled.

It disables and replaces any previous “option http-server-close”,
“option forceclose”, “option http-keep-alive” or “option http-tunnel”. Please
check section 4 (“Proxies”) to see how this option combines with others when
frontend and backend options differ.

If this option has been enabled in a “defaults” section, it can be disabled
in a specific instance by prepending the “no” keyword before it.

See also : “option forceclose”, “option http-server-close” and
“1.1. The HTTP transaction model”.

-------------------------------------------------------------------------------
option http-server-close
no option http-server-close
  Enable or disable HTTP connection closing on the server side
  May be used in sections :   defaults | frontend | listen | backend
                                 yes   |    yes   |   yes  |   yes
Arguments : none

By default HAProxy operates in keep-alive mode with regards to persistent
connections: for each connection it processes each request and response, and
leaves the connection idle on both sides between the end of a response and
the start of a new request. This mode may be changed by several options such
as “option http-server-close”, “option forceclose”, “option httpclose” or
“option http-tunnel”.

Setting “option http-server-close” enables HTTP
connection-close mode on the server side while keeping the ability to support
HTTP keep-alive and pipelining on the client side. This provides the lowest
latency on the client side (slow network) and the fastest session reuse on
the server side to save server resources, similarly to “option forceclose”.
It also permits non-keepalive capable servers to be served in keep-alive mode
to the clients if they conform to the requirements of RFC2616. Please note
that some servers do not always conform to those requirements when they see
“Connection: close” in the request. The effect will be that keep-alive will
never be used. A workaround consists in enabling “option
http-pretend-keepalive”.

At the moment, logs will not indicate whether requests came from the same
session or not. The accept date reported in the logs corresponds to the end
of the previous request, and the request time corresponds to the time spent
waiting for a new request. The keep-alive request time is still bound to the
timeout defined by “timeout http-keep-alive” or “timeout http-request” if
not set.

This option may be set both in a frontend and in a backend. It is enabled if
at least one of the frontend or backend holding a connection has it enabled.
It disables and replaces any previous “option httpclose”, “option forceclose”,
“option http-tunnel” or “option http-keep-alive”. Please check section 4
(“Proxies”) to see how this option combines with others when frontend and
backend options differ.

If this option has been enabled in a “defaults” section, it can be disabled
in a specific instance by prepending the “no” keyword before it.

See also : “option forceclose”, “option http-pretend-keepalive”,
“option httpclose”, “option http-keep-alive”, and
“1.1. The HTTP transaction model”.

Original article: https://www.cnblogs.com/hzcya1995/p/13351487.html