HAProxy的高级配置选项-haproxy的四层负载及访问控制案例
作者:尹正杰
版权声明:原创作品,谢绝转载!否则将追究法律责任。
一.安装MariaDB并授权
1>.安装MariaDB数据库
[root@node107.yizhengjie.org.cn ~]# yum -y install mariadb-server Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.aliyun.com * extras: mirrors.aliyun.com * updates: mirrors.huaweicloud.com Resolving Dependencies --> Running transaction check ---> Package mariadb-server.x86_64 1:5.5.64-1.el7 will be installed --> Processing Dependency: mariadb-libs(x86-64) = 1:5.5.64-1.el7 for package: 1:mariadb-server-5.5.64-1.el7.x86_64 --> Processing Dependency: mariadb(x86-64) = 1:5.5.64-1.el7 for package: 1:mariadb-server-5.5.64-1.el7.x86_64 --> Processing Dependency: perl-DBI for package: 1:mariadb-server-5.5.64-1.el7.x86_64 --> Processing Dependency: perl-DBD-MySQL for package: 1:mariadb-server-5.5.64-1.el7.x86_64 --> Processing Dependency: perl(DBI) for package: 1:mariadb-server-5.5.64-1.el7.x86_64 --> Running transaction check ---> Package mariadb.x86_64 1:5.5.64-1.el7 will be installed ---> Package mariadb-libs.x86_64 1:5.5.60-1.el7_5 will be updated ---> Package mariadb-libs.x86_64 1:5.5.64-1.el7 will be an update ---> Package perl-DBD-MySQL.x86_64 0:4.023-6.el7 will be installed ---> Package perl-DBI.x86_64 0:1.627-4.el7 will be installed --> Processing Dependency: perl(RPC::PlServer) >= 0.2001 for package: perl-DBI-1.627-4.el7.x86_64 --> Processing Dependency: perl(RPC::PlClient) >= 0.2000 for package: perl-DBI-1.627-4.el7.x86_64 --> Running transaction check ---> Package perl-PlRPC.noarch 0:0.2020-14.el7 will be installed --> Processing Dependency: perl(Net::Daemon) >= 0.13 for package: perl-PlRPC-0.2020-14.el7.noarch --> Processing Dependency: perl(Net::Daemon::Test) for package: perl-PlRPC-0.2020-14.el7.noarch --> Processing Dependency: perl(Net::Daemon::Log) for package: perl-PlRPC-0.2020-14.el7.noarch --> Running transaction check ---> Package perl-Net-Daemon.noarch 0:0.48-5.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ======================================================================================================================== Package Arch Version Repository Size ======================================================================================================================== Installing: mariadb-server x86_64 1:5.5.64-1.el7 base 11 M Installing for dependencies: mariadb x86_64 1:5.5.64-1.el7 base 8.7 M perl-DBD-MySQL x86_64 4.023-6.el7 base 140 k perl-DBI x86_64 1.627-4.el7 base 802 k perl-Net-Daemon noarch 0.48-5.el7 base 51 k perl-PlRPC noarch 0.2020-14.el7 base 36 k Updating for dependencies: mariadb-libs x86_64 1:5.5.64-1.el7 base 759 k Transaction Summary ======================================================================================================================== Install 1 Package (+5 Dependent packages) Upgrade ( 1 Dependent package) Total download size: 22 M Downloading packages: Delta RPMs disabled because /usr/bin/applydeltarpm not installed. (1/7): mariadb-libs-5.5.64-1.el7.x86_64.rpm | 759 kB 00:00:00 (2/7): mariadb-5.5.64-1.el7.x86_64.rpm | 8.7 MB 00:00:04 (3/7): perl-DBD-MySQL-4.023-6.el7.x86_64.rpm | 140 kB 00:00:00 (4/7): perl-DBI-1.627-4.el7.x86_64.rpm | 802 kB 00:00:00 (5/7): perl-Net-Daemon-0.48-5.el7.noarch.rpm | 51 kB 00:00:00 (6/7): perl-PlRPC-0.2020-14.el7.noarch.rpm | 36 kB 00:00:00 (7/7): mariadb-server-5.5.64-1.el7.x86_64.rpm | 11 MB 00:00:04 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Total 4.5 MB/s | 22 MB 00:00:04 Running transaction check Running transaction test Transaction test succeeded Running transaction Updating : 1:mariadb-libs-5.5.64-1.el7.x86_64 1/8 Installing : 1:mariadb-5.5.64-1.el7.x86_64 2/8 Installing : perl-Net-Daemon-0.48-5.el7.noarch 3/8 Installing : perl-PlRPC-0.2020-14.el7.noarch 4/8 Installing : perl-DBI-1.627-4.el7.x86_64 5/8 Installing : perl-DBD-MySQL-4.023-6.el7.x86_64 6/8 Installing : 1:mariadb-server-5.5.64-1.el7.x86_64 7/8 Cleanup : 1:mariadb-libs-5.5.60-1.el7_5.x86_64 8/8 Verifying : 1:mariadb-libs-5.5.64-1.el7.x86_64 1/8 Verifying : perl-Net-Daemon-0.48-5.el7.noarch 2/8 Verifying : 1:mariadb-5.5.64-1.el7.x86_64 3/8 Verifying : perl-DBD-MySQL-4.023-6.el7.x86_64 4/8 Verifying : 1:mariadb-server-5.5.64-1.el7.x86_64 5/8 Verifying : perl-DBI-1.627-4.el7.x86_64 6/8 Verifying : perl-PlRPC-0.2020-14.el7.noarch 7/8 Verifying : 1:mariadb-libs-5.5.60-1.el7_5.x86_64 8/8 Installed: mariadb-server.x86_64 1:5.5.64-1.el7 Dependency Installed: mariadb.x86_64 1:5.5.64-1.el7 perl-DBD-MySQL.x86_64 0:4.023-6.el7 perl-DBI.x86_64 0:1.627-4.el7 perl-Net-Daemon.noarch 0:0.48-5.el7 perl-PlRPC.noarch 0:0.2020-14.el7 Dependency Updated: mariadb-libs.x86_64 1:5.5.64-1.el7 Complete! [root@node107.yizhengjie.org.cn ~]#
2>.启动数据库
[root@node107.yizhengjie.org.cn ~]# ss -ntl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:80 *:* LISTEN 0 128 *:22 *:* LISTEN 0 128 :::22 :::* [root@node107.yizhengjie.org.cn ~]# [root@node107.yizhengjie.org.cn ~]# systemctl start mariadb [root@node107.yizhengjie.org.cn ~]# [root@node107.yizhengjie.org.cn ~]# [root@node107.yizhengjie.org.cn ~]# ss -ntl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 50 *:3306 *:* LISTEN 0 128 *:80 *:* LISTEN 0 128 *:22 *:* LISTEN 0 128 :::22 :::* [root@node107.yizhengjie.org.cn ~]#
3>.对数据库进行安全初始化操作
[root@node107.yizhengjie.org.cn ~]# mysql_secure_installation NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and you haven't set the root password yet, the password will be blank, so you should just press enter here. Enter current password for root (enter for none): OK, successfully used password, moving on... Setting the root password ensures that nobody can log into the MariaDB root user without the proper authorisation. Set root password? [Y/n] y New password: Re-enter new password: Password updated successfully! Reloading privilege tables.. ... Success! By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? [Y/n] y ... Success! Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? [Y/n] y ... Success! By default, MariaDB comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? [Y/n] y - Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? [Y/n] y ... Success! Cleaning up... All done! If you've completed all of the above steps, your MariaDB installation should now be secure. Thanks for using MariaDB! [root@node107.yizhengjie.org.cn ~]#
4>.授权Nginx服务器可以连接MySQL数据库
[root@node107.yizhengjie.org.cn ~]# mysql -u root -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or g. Your MariaDB connection id is 11 Server version: 5.5.64-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or 'h' for help. Type 'c' to clear the current input statement. MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'jason'@'172.30.1.102' IDENTIFIED BY 'yinzhengjie' WITH GRANT OPTION; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> MariaDB [(none)]> SELECT user,host,password FROM mysql.user; +-------+--------------+-------------------------------------------+ | user | host | password | +-------+--------------+-------------------------------------------+ | root | localhost | *BD0B1F48FDC55BD27555FC2F22FF29A68A25A1D7 | | root | 127.0.0.1 | *BD0B1F48FDC55BD27555FC2F22FF29A68A25A1D7 | | root | ::1 | *BD0B1F48FDC55BD27555FC2F22FF29A68A25A1D7 | | jason | 172.30.1.102 | *BD0B1F48FDC55BD27555FC2F22FF29A68A25A1D7 | +-------+--------------+-------------------------------------------+ 4 rows in set (0.00 sec) MariaDB [(none)]> MariaDB [(none)]> SHOW GRANTS FOR jason@'172.30.1.102'; +--------------------------------------------------------------------------------------------------------------------------------------------+ | Grants for jason@172.30.1.102 | +--------------------------------------------------------------------------------------------------------------------------------------------+ | GRANT ALL PRIVILEGES ON *.* TO 'jason'@'172.30.1.102' IDENTIFIED BY PASSWORD '*BD0B1F48FDC55BD27555FC2F22FF29A68A25A1D7' WITH GRANT OPTION | +--------------------------------------------------------------------------------------------------------------------------------------------+ 1 row in set (0.00 sec) MariaDB [(none)]> MariaDB [(none)]> QUIT Bye [root@node107.yizhengjie.org.cn ~]# [root@node107.yizhengjie.org.cn ~]#
5>.haproxy节点测试连接数据库
[root@node102.yinzhengjie.org.cn ~]# yum -y install mysql Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile epel/x86_64/metalink | 8.3 kB 00:00:00 * base: mirrors.aliyun.com * epel: mirrors.tuna.tsinghua.edu.cn * extras: mirror.bit.edu.cn * updates: mirrors.aliyun.com base | 3.6 kB 00:00:00 epel | 5.3 kB 00:00:00 extras | 2.9 kB 00:00:00 updates | 2.9 kB 00:00:00 (1/2): epel/x86_64/updateinfo | 1.0 MB 00:00:07 (2/2): epel/x86_64/primary_db | 6.9 MB 00:00:16 Resolving Dependencies --> Running transaction check ---> Package mariadb.x86_64 1:5.5.64-1.el7 will be installed --> Processing Dependency: mariadb-libs(x86-64) = 1:5.5.64-1.el7 for package: 1:mariadb-5.5.64-1.el7.x86_64 --> Running transaction check ---> Package mariadb-libs.x86_64 1:5.5.60-1.el7_5 will be updated ---> Package mariadb-libs.x86_64 1:5.5.64-1.el7 will be an update --> Finished Dependency Resolution Dependencies Resolved ================================================================================================================================================= Package Arch Version Repository Size ================================================================================================================================================= Installing: mariadb x86_64 1:5.5.64-1.el7 base 8.7 M Updating for dependencies: mariadb-libs x86_64 1:5.5.64-1.el7 base 759 k Transaction Summary ================================================================================================================================================= Install 1 Package Upgrade ( 1 Dependent package) Total download size: 9.5 M Downloading packages: Delta RPMs disabled because /usr/bin/applydeltarpm not installed. (1/2): mariadb-libs-5.5.64-1.el7.x86_64.rpm | 759 kB 00:00:06 (2/2): mariadb-5.5.64-1.el7.x86_64.rpm | 8.7 MB 00:00:16 ------------------------------------------------------------------------------------------------------------------------------------------------- Total 594 kB/s | 9.5 MB 00:00:16 Running transaction check Running transaction test Transaction test succeeded Running transaction Updating : 1:mariadb-libs-5.5.64-1.el7.x86_64 1/3 Installing : 1:mariadb-5.5.64-1.el7.x86_64 2/3 Cleanup : 1:mariadb-libs-5.5.60-1.el7_5.x86_64 3/3 Verifying : 1:mariadb-libs-5.5.64-1.el7.x86_64 1/3 Verifying : 1:mariadb-5.5.64-1.el7.x86_64 2/3 Verifying : 1:mariadb-libs-5.5.60-1.el7_5.x86_64 3/3 Installed: mariadb.x86_64 1:5.5.64-1.el7 Dependency Updated: mariadb-libs.x86_64 1:5.5.64-1.el7 Complete! [root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# mysql -h node107.yinzhengjie.org.cn -u jason -pyinzhengjie #测试连接,可以成功登录~ Welcome to the MariaDB monitor. Commands end with ; or g. Your MariaDB connection id is 12 Server version: 5.5.64-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or 'h' for help. Type 'c' to clear the current input statement. MariaDB [(none)]> SHOW DATABASES; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | +--------------------+ 3 rows in set (0.00 sec) MariaDB [(none)]> QUIT Bye [root@node102.yinzhengjie.org.cn ~]# [root@node102.yinzhengjie.org.cn ~]#
二.安装Redis并授权
1>.安装epel源
[root@node106.yinzhengjie.org.cn ~]# yum -y install epel-release Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirror.bit.edu.cn * extras: mirror.bit.edu.cn * updates: mirror.bit.edu.cn base | 3.6 kB 00:00:00 extras | 2.9 kB 00:00:00 updates | 2.9 kB 00:00:00 Resolving Dependencies --> Running transaction check ---> Package epel-release.noarch 0:7-11 will be installed --> Finished Dependency Resolution Dependencies Resolved ======================================================================================================================================= Package Arch Version Repository Size ======================================================================================================================================= Installing: epel-release noarch 7-11 extras 15 k Transaction Summary ======================================================================================================================================= Install 1 Package Total download size: 15 k Installed size: 24 k Downloading packages: epel-release-7-11.noarch.rpm | 15 kB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : epel-release-7-11.noarch 1/1 Verifying : epel-release-7-11.noarch 1/1 Installed: epel-release.noarch 0:7-11 Complete! [root@node106.yinzhengjie.org.cn ~]#
2>.利用epel源安装Redis服务
[root@node106.yinzhengjie.org.cn ~]# yum info redis Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile epel/x86_64/metalink | 8.3 kB 00:00:00 * base: mirror.bit.edu.cn * epel: mirrors.tuna.tsinghua.edu.cn * extras: mirror.bit.edu.cn * updates: mirror.bit.edu.cn epel | 5.3 kB 00:00:00 (1/3): epel/x86_64/group_gz | 90 kB 00:00:00 (2/3): epel/x86_64/updateinfo | 1.0 MB 00:00:02 (3/3): epel/x86_64/primary_db | 6.9 MB 00:00:06 Available Packages Name : redis Arch : x86_64 Version : 3.2.12 Release : 2.el7 Size : 544 k Repo : epel/x86_64 Summary : A persistent key-value database URL : http://redis.io License : BSD Description : Redis is an advanced key-value store. It is often referred to as a data : structure server since keys can contain strings, hashes, lists, sets and : sorted sets. : : You can run atomic operations on these types, like appending to a string; : incrementing the value in a hash; pushing to a list; computing set : intersection, union and difference; or getting the member with highest : ranking in a sorted set. : : In order to achieve its outstanding performance, Redis works with an : in-memory dataset. Depending on your use case, you can persist it either : by dumping the dataset to disk every once in a while, or by appending : each command to a log. : : Redis also supports trivial-to-setup master-slave replication, with very : fast non-blocking first synchronization, auto-reconnection on net split : and so forth. : : Other features include Transactions, Pub/Sub, Lua scripting, Keys with a : limited time-to-live, and configuration settings to make Redis behave like : a cache. : : You can use Redis from most programming languages also. [root@node106.yinzhengjie.org.cn ~]#
[root@node106.yinzhengjie.org.cn ~]# yum -y install redis Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirror.bit.edu.cn * epel: mirrors.tuna.tsinghua.edu.cn * extras: mirror.bit.edu.cn * updates: mirror.bit.edu.cn Resolving Dependencies --> Running transaction check ---> Package redis.x86_64 0:3.2.12-2.el7 will be installed --> Processing Dependency: libjemalloc.so.1()(64bit) for package: redis-3.2.12-2.el7.x86_64 --> Running transaction check ---> Package jemalloc.x86_64 0:3.6.0-1.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ======================================================================================================================================= Package Arch Version Repository Size ======================================================================================================================================= Installing: redis x86_64 3.2.12-2.el7 epel 544 k Installing for dependencies: jemalloc x86_64 3.6.0-1.el7 epel 105 k Transaction Summary ======================================================================================================================================= Install 1 Package (+1 Dependent package) Total download size: 648 k Installed size: 1.7 M Downloading packages: warning: /var/cache/yum/x86_64/7/epel/packages/redis-3.2.12-2.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEYTA Public key for redis-3.2.12-2.el7.x86_64.rpm is not installed (1/2): redis-3.2.12-2.el7.x86_64.rpm | 544 kB 00:00:00 (2/2): jemalloc-3.6.0-1.el7.x86_64.rpm | 105 kB 00:00:06 --------------------------------------------------------------------------------------------------------------------------------------- Total 102 kB/s | 648 kB 00:00:06 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 Importing GPG key 0x352C64E5: Userid : "Fedora EPEL (7) <epel@fedoraproject.org>" Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5 Package : epel-release-7-11.noarch (@extras) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : jemalloc-3.6.0-1.el7.x86_64 1/2 Installing : redis-3.2.12-2.el7.x86_64 2/2 Verifying : redis-3.2.12-2.el7.x86_64 1/2 Verifying : jemalloc-3.6.0-1.el7.x86_64 2/2 Installed: redis.x86_64 0:3.2.12-2.el7 Dependency Installed: jemalloc.x86_64 0:3.6.0-1.el7 Complete! [root@node106.yinzhengjie.org.cn ~]#
[root@node106.yinzhengjie.org.cn ~]# rpm -ql redis /etc/logrotate.d/redis /etc/redis-sentinel.conf /etc/redis.conf /etc/systemd/system/redis-sentinel.service.d /etc/systemd/system/redis-sentinel.service.d/limit.conf /etc/systemd/system/redis.service.d /etc/systemd/system/redis.service.d/limit.conf /usr/bin/redis-benchmark /usr/bin/redis-check-aof /usr/bin/redis-check-rdb /usr/bin/redis-cli /usr/bin/redis-sentinel /usr/bin/redis-server /usr/lib/systemd/system/redis-sentinel.service /usr/lib/systemd/system/redis.service /usr/libexec/redis-shutdown /usr/share/doc/redis-3.2.12 /usr/share/doc/redis-3.2.12/00-RELEASENOTES /usr/share/doc/redis-3.2.12/BUGS /usr/share/doc/redis-3.2.12/CONTRIBUTING /usr/share/doc/redis-3.2.12/MANIFESTO /usr/share/doc/redis-3.2.12/README.md /usr/share/licenses/redis-3.2.12 /usr/share/licenses/redis-3.2.12/COPYING /usr/share/man/man1/redis-benchmark.1.gz /usr/share/man/man1/redis-check-aof.1.gz /usr/share/man/man1/redis-check-rdb.1.gz /usr/share/man/man1/redis-cli.1.gz /usr/share/man/man1/redis-sentinel.1.gz /usr/share/man/man1/redis-server.1.gz /usr/share/man/man5/redis-sentinel.conf.5.gz /usr/share/man/man5/redis.conf.5.gz /var/lib/redis /var/log/redis /var/run/redis [root@node106.yinzhengjie.org.cn ~]#
3>.启动Redis
[root@node106.yinzhengjie.org.cn ~]# grep bind /etc/redis.conf | grep -v ^# bind 127.0.0.1 [root@node106.yinzhengjie.org.cn ~]# [root@node106.yinzhengjie.org.cn ~]# vim /etc/redis.conf [root@node106.yinzhengjie.org.cn ~]# [root@node106.yinzhengjie.org.cn ~]# grep bind /etc/redis.conf | grep -v ^# bind 172.30.1.106 [root@node106.yinzhengjie.org.cn ~]# [root@node106.yinzhengjie.org.cn ~]# ss -ntl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:80 *:* LISTEN 0 128 *:22 *:* LISTEN 0 128 :::22 :::* [root@node106.yinzhengjie.org.cn ~]# [root@node106.yinzhengjie.org.cn ~]# systemctl start redis [root@node106.yinzhengjie.org.cn ~]# [root@node106.yinzhengjie.org.cn ~]# ss -ntl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 172.30.1.106:6379 *:* LISTEN 0 128 *:80 *:* LISTEN 0 128 *:22 *:* LISTEN 0 128 :::22 :::* [root@node106.yinzhengjie.org.cn ~]# [root@node106.yinzhengjie.org.cn ~]#
三.基于haproxy实现四层负载案例实战
1>.编辑haproxy的配置文件
[root@node102.yinzhengjie.org.cn ~]# cat /etc/haproxy/haproxy.cfg global maxconn 100000 chroot /yinzhengjie/softwares/haproxy stats socket /yinzhengjie/softwares/haproxy/haproxy.sock mode 600 level admin user haproxy group haproxy daemon nbproc 2 cpu-map 1 0 cpu-map 2 1 nbthread 2 pidfile /yinzhengjie/softwares/haproxy/haproxy.pid log 127.0.0.1 local5 info defaults option http-keep-alive option forwardfor option redispatch option abortonclose maxconn 100000 mode http timeout connect 300000ms timeout client 300000ms timeout server 300000ms errorloc 503 http://node107.yinzhengjie.org.cn/monitor/503.html listen status_page bind 172.30.1.102:8888 stats enable stats uri /haproxy-status stats auth admin:yinzhengjie stats realm "Welcome to the haproxy load balancer status page of YinZhengjie" stats hide-version stats admin if TRUE stats refresh 5s listen redis-port bind 172.30.1.102:6379 mode tcp balance leastconn server redis01 172.30.1.106:6379 check server redis02 172.30.1.107:6379 check backup listen mysql-port bind 172.30.1.102:3306 mode tcp balance leastconn server mysql01 172.30.1.106:3306 check backup server mysql02 172.30.1.107:3306 check [root@node102.yinzhengjie.org.cn ~]# [root@node102.yinzhengjie.org.cn ~]# systemctl restart haproxy [root@node102.yinzhengjie.org.cn ~]#
2>.查看haproxy的端口和进程信息
[root@node102.yinzhengjie.org.cn ~]# ss -ntl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 172.30.1.102:3306 *:* LISTEN 0 128 172.30.1.102:6379 *:* LISTEN 0 128 *:22 *:* LISTEN 0 128 172.30.1.102:8888 *:* LISTEN 0 128 :::22 :::* [root@node102.yinzhengjie.org.cn ~]# [root@node102.yinzhengjie.org.cn ~]# ps -ef | grep haproxy | grep -v grep root 21396 1 0 22:31 ? 00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid haproxy 21397 21396 0 22:31 ? 00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid haproxy 21398 21396 0 22:31 ? 00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid [root@node102.yinzhengjie.org.cn ~]# [root@node102.yinzhengjie.org.cn ~]#
3>.查看haproxy的状态页
4>.客户端安装连接工具
[root@node105.yinzhengjie.org.cn ~]# yum -y install epel-release Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirror.bit.edu.cn * extras: mirrors.huaweicloud.com * updates: mirror.bit.edu.cn Resolving Dependencies --> Running transaction check ---> Package epel-release.noarch 0:7-11 will be installed --> Finished Dependency Resolution Dependencies Resolved ============================================================================================================================================================================ Package Arch Version Repository Size ============================================================================================================================================================================ Installing: epel-release noarch 7-11 extras 15 k Transaction Summary ============================================================================================================================================================================ Install 1 Package Total download size: 15 k Installed size: 24 k Downloading packages: epel-release-7-11.noarch.rpm | 15 kB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : epel-release-7-11.noarch 1/1 Verifying : epel-release-7-11.noarch 1/1 Installed: epel-release.noarch 0:7-11 Complete! [root@node105.yinzhengjie.org.cn ~]#
[root@node105.yinzhengjie.org.cn ~]# yum -y install mariadb-5.5.64-1.el7.x86_64 redis-3.2.12-2.el7.x86_64 Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirror.bit.edu.cn * extras: mirrors.huaweicloud.com * updates: mirror.bit.edu.cn No package redis-3.2.12-2.el7.x86_64 available. Resolving Dependencies --> Running transaction check ---> Package mariadb.x86_64 1:5.5.64-1.el7 will be installed --> Processing Dependency: mariadb-libs(x86-64) = 1:5.5.64-1.el7 for package: 1:mariadb-5.5.64-1.el7.x86_64 --> Running transaction check ---> Package mariadb-libs.x86_64 1:5.5.60-1.el7_5 will be updated ---> Package mariadb-libs.x86_64 1:5.5.64-1.el7 will be an update --> Finished Dependency Resolution Dependencies Resolved ======================================================================================================================== Package Arch Version Repository Size ======================================================================================================================== Installing: mariadb x86_64 1:5.5.64-1.el7 base 8.7 M Updating for dependencies: mariadb-libs x86_64 1:5.5.64-1.el7 base 759 k Transaction Summary ======================================================================================================================== Install 1 Package Upgrade ( 1 Dependent package) Total download size: 9.5 M Downloading packages: Delta RPMs disabled because /usr/bin/applydeltarpm not installed. (1/2): mariadb-libs-5.5.64-1.el7.x86_64.rpm | 759 kB 00:00:00 (2/2): mariadb-5.5.64-1.el7.x86_64.rpm | 8.7 MB 00:00:01 ------------------------------------------------------------------------------------------------------------------------ Total 8.7 MB/s | 9.5 MB 00:00:01 Running transaction check Running transaction test Transaction test succeeded Running transaction Updating : 1:mariadb-libs-5.5.64-1.el7.x86_64 1/3 Installing : 1:mariadb-5.5.64-1.el7.x86_64 2/3 Cleanup : 1:mariadb-libs-5.5.60-1.el7_5.x86_64 3/3 Verifying : 1:mariadb-libs-5.5.64-1.el7.x86_64 1/3 Verifying : 1:mariadb-5.5.64-1.el7.x86_64 2/3 Verifying : 1:mariadb-libs-5.5.60-1.el7_5.x86_64 3/3 Installed: mariadb.x86_64 1:5.5.64-1.el7 Dependency Updated: mariadb-libs.x86_64 1:5.5.64-1.el7 Complete! [root@node105.yinzhengjie.org.cn ~]#
5>.连接haproxy的3306端口
[root@node105.yinzhengjie.org.cn ~]# mysql -h node102.yinzhengjie.org.cn -u jason -pyinzhengjie Welcome to the MariaDB monitor. Commands end with ; or g. Your MariaDB connection id is 13 Server version: 5.5.64-MariaDB MariaDB Server Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or 'h' for help. Type 'c' to clear the current input statement. MariaDB [(none)]> MariaDB [(none)]> SHOW DATABASES; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | performance_schema | +--------------------+ 3 rows in set (0.00 sec) MariaDB [(none)]> QUIT Bye [root@node105.yinzhengjie.org.cn ~]# [root@node105.yinzhengjie.org.cn ~]#
6>.连接haproxy的6379端口
[root@node105.yinzhengjie.org.cn ~]# redis-cli -h node102.yinzhengjie.org.cn node102.yinzhengjie.org.cn:6379> node102.yinzhengjie.org.cn:6379> set name jason OK node102.yinzhengjie.org.cn:6379> get name "jason" node102.yinzhengjie.org.cn:6379> node102.yinzhengjie.org.cn:6379> quit [root@node105.yinzhengjie.org.cn ~]# [root@node105.yinzhengjie.org.cn ~]#
四.基于haproxy实现四层访问控制
1>.编辑haprox的配置文件
[root@node102.yinzhengjie.org.cn ~]# cat /etc/haproxy/haproxy.cfg global maxconn 100000 chroot /yinzhengjie/softwares/haproxy stats socket /yinzhengjie/softwares/haproxy/haproxy.sock mode 600 level admin user haproxy group haproxy daemon nbproc 2 cpu-map 1 0 cpu-map 2 1 nbthread 2 pidfile /yinzhengjie/softwares/haproxy/haproxy.pid log 127.0.0.1 local5 info defaults option http-keep-alive option forwardfor option redispatch option abortonclose maxconn 100000 mode http timeout connect 300000ms timeout client 300000ms timeout server 300000ms errorloc 503 http://node107.yinzhengjie.org.cn/monitor/503.html listen status_page bind 172.30.1.102:8888 stats enable stats uri /haproxy-status stats auth admin:yinzhengjie stats realm "Welcome to the haproxy load balancer status page of YinZhengjie" stats hide-version stats admin if TRUE stats refresh 5s listen redis-port bind 172.30.1.102:6379 mode tcp #定义拒绝的IP地址列表 acl deny_list src 172.30.1.105 192.168.1.0/24 #调用上面定义的规则 tcp-request connection reject if deny_list balance leastconn server redis01 172.30.1.106:6379 check server redis02 172.30.1.107:6379 check backup listen mysql-port bind 172.30.1.102:3306 mode tcp acl invalid_src src 172.30.1.105 tcp-request connection reject if invalid_src balance leastconn server mysql01 172.30.1.106:3306 check backup server mysql02 172.30.1.107:3306 check [root@node102.yinzhengjie.org.cn ~]# [root@node102.yinzhengjie.org.cn ~]# systemctl restart haproxy #别忘记重启服务使得配置文件生效哟~ [root@node102.yinzhengjie.org.cn ~]#
2>.查看haproxy的端口和进程信息
[root@node102.yinzhengjie.org.cn ~]# ss -ntl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 172.30.1.102:3306 *:* LISTEN 0 128 172.30.1.102:6379 *:* LISTEN 0 128 *:22 *:* LISTEN 0 128 172.30.1.102:8888 *:* LISTEN 0 128 :::22 :::* [root@node102.yinzhengjie.org.cn ~]# [root@node102.yinzhengjie.org.cn ~]# ps -ef | grep haproxy | grep -v grep root 21540 1 0 22:48 ? 00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid haproxy 21542 21540 0 22:48 ? 00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid haproxy 21543 21540 0 22:48 ? 00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid [root@node102.yinzhengjie.org.cn ~]# [root@node102.yinzhengjie.org.cn ~]#
3>.查看haproxy的状态页
4>.使用"node105.yinzhengjie.org.cn"访问haproxy代理的mysql和redis服务,都被拒绝了,如下图所示。
5>.使用"node107.yinzhengjie.org.cn"访问haproxy代理的mysql和redis服务,是可以正常访问的,如下图所示。
