HAProxy

caution
  • Cannot forward arbitrary UDP - Nginx can
    • 2.3+ supports syslog over UDP
    • 2.5+ supports QUIC and HTTP/3
    • DNS may be supported in the future

```bash
haproxy -c -f haproxy.cfg # check that the configuration is valid

# master-worker mode - reload
# under the hood this also starts a new process with -sf
kill -USR2 $(cat /var/run/haproxy.pid)

# start a new haproxy process that takes over from the old one - reload
haproxy -D -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
```
docker

```bash
docker run --rm -it \
  -v /path/to/etc/haproxy:/usr/local/etc/haproxy:ro \
  --sysctl net.ipv4.ip_unprivileged_port_start=0 \ # let the unprivileged haproxy user bind ports below 1024
  --name haproxy haproxy:2.5

# reload - the image's entrypoint runs in master-worker mode and reloads on HUP
docker kill -s HUP haproxy
```

metrics

Runtime API

```haproxy
global
  # level admin permits state changes (disable servers, edit maps/ACLs),
  # and mode 666 lets every local user do that: tighten mode/user/group
  # or bind only to loopback where the socket is not meant to be shared
  stats socket ipv4@127.0.0.1:9999 level admin
  stats socket /run/haproxy-runtime-api.sock mode 666 level admin
  stats timeout 2m
```

```bash
echo "help" | socat stdio tcp4-connect:127.0.0.1:9999
echo "show acl" | socat stdio /run/haproxy-runtime-api.sock
# interactive session (socat built with readline support)
socat readline /run/haproxy-runtime-api.sock
help
```

Proxy Protocol

  • proxy-protocol.txt
    • v1 - plain text: PROXY TCP4 255.255.255.255 255.255.255.255 65535 65535\r\n\r\n
    • v2 - binary, supports more protocols
  • Supported by: haproxy, nginx, varnish, stud, stunnel
  • Anything that applies policy based on the client source IP generally supports it
frontend

```haproxy
frontend http
  mode http
  bind 0.0.0.0:80 name v4
  bind :::80 name v6
  # same effect as accept-proxy on the bind line, but as a TCP rule it can be
  # limited with an ACL (e.g. `if { src 192.168.1.0/24 }`) to the upstream
  # that really sends the header, so other peers cannot supply a fake source IP
  tcp-request connection expect-proxy layer4

frontend https
  mode http
  bind 127.0.0.1:443 name v4 crt /etc/haproxy/certs/frontend ssl alpn h2,http/1.1 accept-proxy
  bind :::443 name v6 crt /etc/haproxy/certs/frontend ssl v4v6 alpn h2,http/1.1 accept-proxy

frontend ssl
  mode tcp
  bind 0.0.0.0:443 name v4
  bind :::443 name v6 v4v6
  tcp-request connection expect-proxy layer4
```

backend

```haproxy
backend be
  # send-proxy prepends a PROXY v1 header on every connection to this server
  server svr 192.168.1.2:443 check send-proxy
```

```bash
# test the proxy protocol with curl (sends a v1 header before the request)
curl --haproxy-protocol 192.168.1.2
```

nginx

```nginx
http {
  server {
    listen 80 proxy_protocol;
    listen 443 ssl proxy_protocol;

    # uncomment to have $remote_addr replaced by the address from the PROXY
    # header, but only for connections coming from these trusted upstreams
    #set_real_ip_from 192.168.1.0/24;
    #real_ip_header proxy_protocol;
  }
}

stream {
  server {
    listen 12345 proxy_protocol;
  }
}
```
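To make the v1/v2 formats and the `expect-proxy` / `set_real_ip_from` behaviour above concrete, here is an added example (not HAProxy's, nginx's or the page author's code) that builds both header versions, parses a received buffer back into addresses plus payload, and applies the trust check that both proxies perform: the header is honoured only when the TCP peer is in a configured upstream range. All addresses and the request bytes are constructed sample values; `peel_header`, `parse_header`, `build_v1` and `build_v2` are names chosen here, not API of either project.

```python
"""PROXY protocol v1/v2 encoder, parser and trust check (added example, not
HAProxy's own code). Layout follows proxy-protocol.txt: v1 is one ASCII line
ending in a single CRLF (at most 107 bytes); v2 is a 12-byte signature, a
version/command byte, a family/protocol byte, a big-endian length, addresses."""
import ipaddress
import struct

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
V1_MAX_LEN = 107  # whole v1 line including its CRLF


def _pair(src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination must share an address family")
    return s, d


def build_v1(src, dst, sport, dport):
    """Text header, the same thing `curl --haproxy-protocol` sends."""
    s, d = _pair(src, dst)
    return f"PROXY {'TCP4' if s.version == 4 else 'TCP6'} {s} {d} {sport} {dport}\r\n".encode("ascii")


def build_v2(src, dst, sport, dport):
    """Binary header: version 2, command PROXY, transport STREAM (TCP)."""
    s, d = _pair(src, dst)
    fam_proto = 0x11 if s.version == 4 else 0x21  # high nibble AF_INET=1/AF_INET6=2, low nibble STREAM=1
    addrs = s.packed + d.packed + struct.pack("!HH", sport, dport)
    return V2_SIGNATURE + struct.pack("!BBH", 0x21, fam_proto, len(addrs)) + addrs


def parse_header(data):
    """Split a received buffer into (header_info, payload). ValueError means no
    valid header was present, the case `expect-proxy`/`accept-proxy` turn into
    a rejected connection."""
    if data.startswith(V2_SIGNATURE):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("bad v2 version nibble")
        body, rest = data[16:16 + length], data[16 + length:]
        if len(body) != length:
            raise ValueError("truncated v2 address block")
        if ver_cmd & 0x0F == 0:  # LOCAL: proxy's own health check, keep the real socket addresses
            return {"version": 2, "command": "LOCAL"}, rest
        if ver_cmd & 0x0F != 1:
            raise ValueError("unknown v2 command")
        family, proto = fam_proto >> 4, fam_proto & 0x0F
        if proto != 1:
            raise ValueError("only STREAM (TCP) is handled here")
        if family == 1 and length >= 12:
            src, dst = ipaddress.IPv4Address(body[0:4]), ipaddress.IPv4Address(body[4:8])
            sport, dport = struct.unpack("!HH", body[8:12])
        elif family == 2 and length >= 36:
            src, dst = ipaddress.IPv6Address(body[0:16]), ipaddress.IPv6Address(body[16:32])
            sport, dport = struct.unpack("!HH", body[32:36])
        else:
            raise ValueError("unsupported address family or short address block")
        return {"version": 2, "command": "PROXY", "src": str(src), "dst": str(dst),
                "sport": sport, "dport": dport}, rest
    if data.startswith(b"PROXY "):
        end = data.find(b"\r\n", 0, V1_MAX_LEN)  # the CRLF must lie within the first 107 bytes
        if end < 0:
            raise ValueError("v1 header not terminated within 107 bytes")
        fields, rest = data[:end].decode("ascii").split(" "), data[end + 2:]
        if fields[1] == "UNKNOWN":  # sender could not identify the client; rest of line is ignored
            return {"version": 1, "command": "UNKNOWN"}, rest
        if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
            raise ValueError("malformed v1 header")
        src, dst = _pair(fields[2], fields[3])
        if src.version != (4 if fields[1] == "TCP4" else 6):
            raise ValueError("address family does not match the TCP4/TCP6 tag")
        sport, dport = int(fields[4]), int(fields[5])
        if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
            raise ValueError("port out of range")
        return {"version": 1, "command": "PROXY", "src": str(src), "dst": str(dst),
                "sport": sport, "dport": dport}, rest
    raise ValueError("no PROXY protocol header")


def peel_header(peer_ip, data, trusted_nets):
    """Honour a PROXY header only when the TCP peer is a trusted upstream (the
    role nginx's set_real_ip_from plays); from anyone else the header would let
    the peer pick the source address that ACLs and logs see."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_nets):
        return {"src": str(peer), "trusted_header": False}, data
    info, rest = parse_header(data)
    info["trusted_header"] = True
    return info, rest
```

The parser stops at the first CRLF of a v1 line, which is where the specification ends the header, and hands everything after it on as payload; for v2 it consumes exactly the length the header declares, so the same code works whether or not application data arrived in the same read. A buffer with no header raises, mirroring what `expect-proxy layer4` does to a connection that arrives without one.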

Connect() failed for backend : no free ports

```bash
# outgoing connections to backends draw from the ephemeral port range
cat /proc/sys/net/ipv4/ip_local_port_range

# widen the range so more concurrent backend connections fit
echo "2000 60999" | sudo tee /proc/sys/net/ipv4/ip_local_port_range
```

  • Try adding resolve-prefer ipv4