HAProxy

• haproxy.com - The #1 Open Source Software Load Balancer and Application Delivery Controller
• haproxy/haproxy
• 最擅长 负载均衡
• 特性
  • L4(TCP) L7(HTTP) 负载均衡
  • URL 重写
  • 限流
  • SSL/TLS termination/offload
  • Gzip
  • 支持 HTTP 代理协议
  • 监控检查
  • 链接和 HTTP 日志
  • HTTP/2
  • 多线程
  • 无缝重载
  • gRPC
  • Lua 和 SPOE 支持
  • L4 重试
  • 简单熔断机制
• 参考
  • HAproxy Starter Guide
  • HAProxy at GitHub
  • 5 Ways to Extend HAProxy with Lua
  • Using HAProxy as an API Gateway
  • haproxytech/client-native
    • Go client for HAProxy configuration and runtime API
    • 配置模型 models

caution

• 不能转发任意 UDP - Nginx 可以
  • 2.3+ 支持 syslog UDP
  • 2.5+ 支持 QUIC, HTTP/3
  • 未来可能支持 DNS

haproxy -c -f haproxy.cfg # 检查配置是否正确
# master-worker mode - reload
# 本质也是 -sf 启新的进程
kill -USR2 $(cat /var/run/haproxy.pid)

# 重启新的 haproxy - reload
haproxy -D -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)

docker

docker run --rm -it \
  -v /path/to/etc/haproxy:/usr/local/etc/haproxy:ro \
  --sysctl net.ipv4.ip_unprivileged_port_start=0 \
  --name haproxy haproxy:2.5

# reload
docker kill -s HUP haproxy

metrics

• https://www.haproxy.com/blog/haproxy-exposes-a-prometheus-metrics-endpoint/
• https://www.haproxy.com/blog/exploring-the-haproxy-stats-page/

Runtime API

global
  stats socket [email protected]:9999 level admin
  stats socket /run/haproxy-runtime-api.sock mode 666 level admin
  stats timeout 2m

echo "help" | socat stdio tcp4-connect:127.0.0.1:9999
echo "show acl" | socat stdio /run/haproxy-runtime-api.sock
socat readline /run/haproxy-runtime-api.sock
help

Proxy Protocol

• proxy-protocol.txt
  • v1 - 明文 PROXY TCP4 255.255.255.255 255.255.255.255 65535 65535\r\n\r\n
  • v2 - 支持二进制，支持更多协议
• 支持的服务: haproxy, nginx, varnish, stud, stunnel
• 希望基于来源 IP 做策略的一般都会支持

frontend

frontend http
  mode http
  bind 0.0.0.0:80 name v4
  bind :::80 name v6
  tcp-request connection expect-proxy layer4

frontend https
  mode http
  bind 127.0.0.1:443 name v4 crt /etc/haproxy/certs/frontend ssl alpn h2,http/1.1 accept-proxy
  bind :::443 name v6 crt /etc/haproxy/certs/frontend ssl v4v6 alpn h2,http/1.1 accept-proxy

frontend ssl
  mode tcp
  bind 0.0.0.0:443 name v4
  bind :::443 name v6 v4v6
  tcp-request connection expect-proxy layer4

backend

backend be
  server svr 192.168.1.2:443 check send-proxy

# CURL 测试 proxy protocol
curl --haproxy-protocol 192.168.1.2

nginx

http {
  server {
    listen 80   proxy_protocol;
    listen 443  ssl proxy_protocol;

    #set_real_ip_from 192.168.1.0/24;
    #real_ip_header proxy_protocol;
  }
}

stream {
  server {
    listen 12345 proxy_protocol;
  }
}

• Accepting the PROXY Protocol

Connect() failed for backend : no free ports

cat /proc/sys/net/ipv4/ip_local_port_range

echo "2000 60999" | sudo tee /proc/sys/net/ipv4/ip_local_port_range

• 尝试添加 resolve-prefer ipv4