一、参考资料

CentOS7安装HAProxy2.4.3
CentOS7—HAProxy安装与配置 HAProxy 2.4.3 编译安装
HAProxy 官网
HAProxy git

二、安装步骤

  1. 进入目录cd /usr/local/src;
  2. 下载haproxy包 wget https://www.haproxy.org/download/2.4/src/haproxy-2.4.12.tar.gz
  3. 下载lua包 wget http://www.lua.org/ftp/lua-5.4.4.tar.gz
  4. 解压 tar -zxvf haproxy-2.4.12.tar.gz; tar -zxvf lua-5.4.4.tar.gz;
  5. 安装编译相关包
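     # Build dependencies for HAProxy and Lua (compiler, OpenSSL, PCRE, systemd and zlib headers).
     yum install make gcc gcc-c++ openssl openssl-devel readline-devel pcre-devel systemd-devel zlib-devel -y
     # Usually not needed; run it if the HAProxy "make" fails. pcre-static provides the static
     # libpcre that the USE_STATIC_PCRE=1 build option links against.
     yum -y install pcre-static make perl
     # The line below lists Debian/Ubuntu package names, which do not exist in CentOS
     # repositories; it is kept for reference only and is deliberately not executed.
     # yum install build-essential libssl-dev zlib1g-dev libpcre3 libpcre3-dev -y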
    
  6. 编译lua扩展包
    
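     # Build Lua in place; HAProxy's LUA_INC/LUA_LIB below point at this src/ directory.
     cd /usr/local/src/lua-5.4.4
     make linux test
     # A version banner confirms the build. The directory is "lua-5.4.4" (hyphen), matching
     # the tarball extracted above; "lua.5.4.4" does not exist.
     /usr/local/src/lua-5.4.4/src/lua -v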
    
  7. 编译安装haproxy,目标目录 /usr/local/services/haproxy
    
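    # Build HAProxy. The make target is "linux-glibc" ("linux-glic" is not a valid TARGET).
    # Each continuation line needs a trailing backslash; without them the shell would run
    # every USE_* line as a separate command and only the first line would reach make.
    # USE_SYSTEMD=1 was listed twice; once is enough.
    # PCRE_LIB/PCRE_INC point at /usr/local/services/pcre, which no step in this guide
    # creates. With the yum-installed pcre-devel (and pcre-static for USE_STATIC_PCRE=1)
    # those two variables can be dropped.
    make TARGET=linux-glibc ARCH=x86_64 \
      USE_PCRE=1 USE_OPENSSL=1 USE_LIBCRYPT=1 \
      USE_CRYPT_H=1 USE_ZLIB=1 USE_SYSTEMD=1 \
      USE_CPU_AFFINITY=1 USE_THREAD=1 USE_DL=1 \
      USE_PTHREAD_PSHARED=1 USE_STATIC_PCRE=1 \
      USE_PROMEX=1 USE_OBSOLETE_LINKER=1 \
      USE_THREAD_DUMP=1 USE_LUA=1 \
      LUA_INC=/usr/local/src/lua-5.4.4/src \
      LUA_LIB=/usr/local/src/lua-5.4.4/src \
      PCRE_LIB=/usr/local/services/pcre/lib \
      PCRE_INC=/usr/local/services/pcre/include \
      PREFIX=/usr/local/services/haproxy -j "$(nproc)"

    # Install under the same PREFIX used for the build.
    make install PREFIX=/usr/local/services/haproxy

    # Symlink the binary to the path the systemd unit below uses (/usr/sbin/haproxy).
    ln -s /usr/local/services/haproxy/sbin/haproxy /usr/sbin/haproxy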
    
  8. 创建用户及相关目录
    
     创建HAProxy运行账户和组
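     # Service account without a login shell; its home is the chroot directory used in haproxy.cfg.
     groupadd haproxy
     useradd -g haproxy haproxy -c "haproxy" -d /var/lib/haproxy -s /sbin/nologin
     # Alternative (use one or the other): a system account with a fixed UID/GID.
     # groupadd -r -g 149 haproxy
     # useradd -r -u 149 -g haproxy -s /sbin/nologin haproxy

     mkdir -p /etc/haproxy
     mkdir -p /etc/haproxy/cert        # TLS certificates and private keys
     mkdir -p /etc/haproxy/errorfiles  # custom HTTP error pages
     touch /etc/haproxy/haproxy.cfg    # main configuration file

     mkdir -p /var/lib/haproxy         # chroot directory and stats socket
     mkdir -p /var/log/haproxy         # written by rsyslog

     # Only the runtime directories belong to the service account. /etc/haproxy stays
     # root-owned: the configuration and the TLS material are loaded by the root master
     # process before privileges are dropped, and the unprivileged worker must not be
     # able to rewrite its own config or keys. The key directory is readable by root only.
     chown -R root:root /etc/haproxy
     chmod 700 /etc/haproxy/cert
     chown -R haproxy:haproxy /var/lib/haproxy
     chown -R haproxy:haproxy /var/log/haproxy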
    
  9. 创建systemctl服务管理文件
    
    # Unit files for locally built services go here; the unit content follows below.
    cd -- /usr/lib/systemd/system/
    vim haproxy.service
    写入以下内容
    
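##/usr/lib/systemd/system/
# Installed as /usr/lib/systemd/system/haproxy.service; run "systemctl daemon-reload" after editing.
[Unit]
Description=HAProxy Load Balancer
After=network-online.target
Wants=network-online.target

[Service]
# CONFIG / PIDFILE / OPTIONS can be overridden by the optional EnvironmentFiles below.
# OPTIONS opens the master CLI socket (-S). Anyone who can connect to that socket
# controls the master process, so restrict its permissions (bind options such as
# ",mode,600" can be appended to the -S address; confirm the syntax in management.txt).
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "OPTIONS=-S /var/run/haproxy.sock"
EnvironmentFile=-/etc/default/haproxy
EnvironmentFile=-/etc/sysconfig/haproxy
# Validate the configuration first so a broken config fails the unit instead of the running instance.
ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS
# -Ws: master-worker mode with sd_notify support, which is what Type=notify relies on.
ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $OPTIONS
# Reload: re-check the config, then ask the master to start new workers (SIGUSR2).
ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID
# No ExecStop on purpose. systemd does not run commands through a shell, so
# "`cat /run/haproxy.pid`" would never be expanded and kill would receive the
# literal text. The default SIGTERM to $MAINPID plus KillMode=mixed stops the
# master and its workers.
SuccessExitStatus=143
KillMode=mixed
Restart=always
Type=notify

[Install]
WantedBy=multi-user.target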
```shell
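# Make systemd pick up the new unit file (the original line had prose glued in front
# of the command, which a shell would try to execute).
systemctl daemon-reload
systemctl start haproxy   # start the service
systemctl stop haproxy    # stop the service
systemctl enable haproxy  # start at boot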
```
  1. 配置rsyslog日志（流量日志与管理日志）:
    
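    # Check that rsyslog is running. "ps afx | grep rsyslog" also matches the grep
    # process itself, so ask systemd for the unit state instead.
    systemctl is-active rsyslog
    cd /etc/rsyslog.d/   # rsyslog drop-in configuration directory
    vim haproxy.conf     # create the HAProxy logging rules (contents below)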
    写入以下内容
    
# Collect log with UDP
# HAProxy runs chrooted in /var/lib/haproxy and cannot reach /dev/log, so it
# sends syslog over UDP ("log 127.0.0.1:514 local2" in haproxy.cfg). Binding
# the listener to 127.0.0.1 keeps UDP/514 off the network.
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514

# Creating separate log files based on the severity
# local2.* receives every HAProxy message; local2.notice additionally copies
# notice-and-above (start/stop, server state changes) into the admin log.
# NOTE(review): without a "& stop" here (or a local2.none in /etc/rsyslog.conf)
# these messages presumably also continue into /var/log/messages -- confirm.
local2.* /var/log/haproxy/haproxy-traffic.log
local2.notice /var/log/haproxy/haproxy-admin.log
```shell
systemctl restart rsyslog #重启rsyslog服务
```
  1. 编辑haproxy配置文件
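# This HAProxy Config
# Layout: global -> defaults -> error pages -> backends, frontends and listeners.
# HAProxy ignores indentation: a section runs until the next section keyword.

global
    # Chrooted processes cannot open /dev/log, so logs go over UDP to the local
    # rsyslog listener defined in /etc/rsyslog.d/haproxy.conf.
    log 127.0.0.1:514 local2
    chroot  /var/lib/haproxy
    pidfile /run/haproxy.pid
    # nbproc is deprecated and was removed in HAProxy 2.5; nbthread is the
    # supported way to scale. Keep "nbproc 1" or drop the line.
    nbproc 1
    nbthread 24
    hard-stop-after 3600s
    maxconn 32768
    # Privileges are dropped to this account after the configuration, including
    # the TLS material under /etc/haproxy/cert, has been loaded as root.
    user haproxy
    group haproxy
    daemon

    # turn on stats unix socket
    # The socket path is inside the chroot. No "mode"/"level" given: permissions
    # follow the process umask and the access level defaults to operator. Restrict
    # it (e.g. "mode 600 level admin") before using the runtime API.
    stats socket /var/lib/haproxy/stats
    # Only the DH parameter size is tuned; TLS versions and cipher suites fall back
    # to the OpenSSL defaults (see ssl-default-bind-options / ssl-default-bind-ciphers).
    tune.ssl.default-dh-param 2048

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option                  http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

# Still part of "defaults" (the indentation is cosmetic). Every file listed here
# must exist or HAProxy refuses to start. This guide later provides 400, 500 and
# 503 only, so 403.http, 502.http and 504.http have to be created as well.
errorfile 403 /etc/haproxy/errorfiles/403.http
errorfile 500 /etc/haproxy/errorfiles/500.http
errorfile 502 /etc/haproxy/errorfiles/502.http
errorfile 503 /etc/haproxy/errorfiles/503.http
errorfile 504 /etc/haproxy/errorfiles/504.http

# not matched
# Catch-all for requests whose Host header selects no backend.
backend not_matched
    mode http
    http-request deny deny_status 503


# "password" expects a crypt(3) hash (see the mkpasswd / python crypt examples at
# the end of this guide), not the clear-text password; replace the placeholder.
userlist admin_users
    user admin password xxxxxxxxxxx


# This sets up the admin page for HA Proxy at port 1080.
# It listens on every interface over plain HTTP, so the basic-auth credentials
# travel in clear text. Restrict the bind address or firewall the port, or add
# "ssl crt ..." to the bind line if it must be reachable remotely.
listen stats
    bind 0.0.0.0:1080
    balance
    mode http
    maxconn 1024
    stats enable
    stats refresh 30s
    stats uri /
    acl auth_admin http_auth(admin_users)
    stats http-request auth realm Prove\ me\ baby unless auth_admin
    stats show-legends

# HTTP on port 443
frontend https_in
    bind 0.0.0.0:443 ssl crt /etc/haproxy/cert/oa.net.pem
    maxconn 5000
    timeout client 10s
    timeout http-request 10s
    timeout http-keep-alive 10s
    option forwardfor except 10.0.0.0/8

    acl testoa hdr(host) -i test.oa.net
    use_backend testoa_server if testoa
    
    # Default
    default_backend not_matched

# HTTP on port 80
frontend http_in
    bind 0.0.0.0:80
    maxconn 5000
    timeout client 10s
    timeout http-request 10s
    timeout http-keep-alive 10s
    option forwardfor except 10.0.0.0/8

    acl testoa hdr(host) -i test.oa.net
    use_backend testoa_server if testoa

    # Default (same catch-all as https_in so unmatched hosts get an explicit 503)
    default_backend not_matched

# testoa
backend testoa_server
    mode http
    timeout check 10s
    timeout connect 10s
    timeout server 300s
    timeout http-request 10s
    timeout http-keep-alive 10s
    timeout tunnel 300s
    timeout queue 10s
    balance roundrobin
    #cookie SERVERNAME insert indirect nocache
    http-reuse safe
    option httpchk OPTIONS /?haproxy HTTP/1.1\r\nHost:\ test.oa.net
    # Server names must be unique within a backend (the original listed "s1" twice).
    server s1 192.168.126.21:80 check inter 5000 rise 3 fall 10 maxconn 1024 maxqueue 128 #disabled
    server s2 192.168.126.22:80 check inter 5000 rise 3 fall 10 maxconn 1024 maxqueue 128 #disabled


# MySQL 
# TCP passthrough on every interface; nothing here restricts client sources, so
# reachability of 3305 is governed by the host firewall.
listen mysql_mynas
    bind 0.0.0.0:3305
    mode    tcp
    option  tcplog
    maxconn 4096
    timeout client 300s
    timeout client-fin 300s
    timeout connect 3s
    timeout server 300s
    timeout tunnel 1800s
    timeout queue 60s
    retries 3
    #option mysql-check user root
    server mynas 192.168.126.22:3306 check rise 5 fall 10 maxconn 1024 maxqueue 512

# Redis
# Same note as above: TCP passthrough on every interface, round-robin over six instances.
listen  redis_mynas
    bind    0.0.0.0:7000
    mode    tcp
    option  tcplog
    maxconn 100000
    balance roundrobin
    server redis1 192.168.126.22:6380 check
    server redis2 192.168.126.22:6381 check
    server redis3 192.168.126.22:6382 check
    server redis4 192.168.126.22:6383 check
    server redis5 192.168.126.22:6384 check
    server redis6 192.168.126.22:6385 check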
  1. errorfiles文件列表 a. 400.http
HTTP/1.0 400 Bad request^M
Cache-Control: no-cache^M
Connection: close^M
Content-Type: text/html^M
^M
<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.
</body></html>

b. 500.http

HTTP/1.0 500 Internal Server Error^M
Cache-Control: no-cache^M
Connection: close^M
Content-Type: text/html^M
^M
<html><body><h1>500 Internal Server Error</h1>
An internal server error occurred.
</body></html>

c. 503.http

HTTP/1.0 503 Service Unavailable^M
Cache-Control: no-cache^M
Connection: close^M
Content-Type: text/html^M
^M
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
  1. 相关操作

    
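    /usr/sbin/haproxy -c -f /etc/haproxy/haproxy.cfg   # validate the configuration file
    # Graceful reload through the unit's ExecReload (config check, then SIGUSR2 to the
    # master); this is not a restart.
    systemctl reload haproxy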
    http://192.168.126.10:1080 #查看Haproxy页面管理控制台: 
    http://192.168.126.10:1080/metrics #查看haproxy统计度量信息
    
  2. 用户加密相关操作 参考haproxy
    haproxy userlist

    
    Use the following commands to generate a SHA-256 (crypt) password hash. Giving the password on the command line leaves it in the shell history; when it is omitted, mkpasswd prompts for it instead.
    mkpasswd -m sha-256 mypassword123  
    
    ## ubuntu系统
    Use the following commands to generate a SHA-256 (crypt) password hash.
    $ sudo apt install whois
    $ mkpasswd -m sha-256 mypassword123
    
    $5$s6Subz0X7FSX2zON$r94OtF6gOfWlGmySwvn3pDFIAHbIpe6mWneueqtBOm/ 
    
    echo [mypassword] | mkpasswd --stdin --method=sha-256
    
    ## 执行如下命令获取的密码哈希可以作为密文
    python -c 'import crypt; print(crypt.crypt("mypassword123"))'
    
    ## 或者参考这个工具
    https://github.com/myENA/mkpasswd
    go get -u github.com/myENA/mkpasswd
    mkpasswd -hash sha256 -password mypassword123