Topology
I set up the proxy on my client PC.
Proxy (Client-PC)
Hostname : 0846101.nasa
IP Address : 10.113.25.119/24
Agent
Hostname : agent.0846101.nasa
IP Address : 10.113.25.129/24
Goals
Reverse proxy
- Make a reverse proxy under http://0846101.nasa/reverse/
  - Round-robin between
    - 10.113.ID.129:8001
    - 10.113.ID.129:8002
- Make a reverse proxy under http://0846101.nasa/ip/
  - 10.113.ID.129:8003
  - Pass non-standard HTTP headers to the backend:
    - “X-Forwarded-For”
    - “X-Real-IP”: the real client IP.
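The two headers only mean something when the backend can tell who inserted them. As an added example (not part of the original report, and not HAProxy code), the following Python shows how a backend behind this proxy should resolve the real client address: the headers are believed only when the TCP peer is the trusted proxy from the topology (10.113.25.119, an assumption of this example), X-Real-IP is preferred because `set-header` overwrites whatever the client sent, and only the last X-Forwarded-For element is taken because `option forwardfor` appends the connecting address. Header values are validated as IP addresses before use.

```python
import ipaddress

# Constructed assumption for this example: the only host allowed to vouch for a
# client address is the HAProxy instance from the lab topology (10.113.25.119).
TRUSTED_PROXIES = [ipaddress.ip_network("10.113.25.119/32")]


def is_trusted_proxy(peer_ip: str) -> bool:
    """True if the TCP peer that connected to the backend is one of our proxies."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def _valid_ip_or(candidate: str, fallback: str) -> str:
    """Accept a header value only if it parses as an IP address; otherwise fall back."""
    try:
        return str(ipaddress.ip_address(candidate.strip()))
    except ValueError:
        return fallback


def real_client_ip(peer_ip: str, headers: dict) -> str:
    """Decide which address the backend should log, rate-limit or authorise.

    peer_ip is the address of the TCP connection the backend actually received.
    X-Real-IP and X-Forwarded-For are ordinary request headers: any client can
    send them, so they are only believed when the connection came from a trusted proxy.
    """
    if not is_trusted_proxy(peer_ip):
        # Direct connection (e.g. a path around the proxy): the peer *is* the client.
        return peer_ip
    hdrs = {k.lower(): v for k, v in headers.items()}
    # `http-request set-header X-Real-IP %[src]` replaces any value the client sent,
    # so behind the page's configuration this header carries exactly one address.
    if "x-real-ip" in hdrs:
        return _valid_ip_or(hdrs["x-real-ip"], peer_ip)
    # `option forwardfor` adds the connecting address as the last X-Forwarded-For
    # element; earlier elements were supplied by the client and may be forged.
    # (Assumes the HTTP layer joined repeated header lines with commas.)
    if "x-forwarded-for" in hdrs:
        last_hop = hdrs["x-forwarded-for"].split(",")[-1]
        return _valid_ip_or(last_hop, peer_ip)
    return peer_ip
```

When the request arrives from anything other than the proxy, the function ignores both headers entirely, which is the behaviour that stops a client from spoofing its address simply by adding an X-Real-IP header.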
Install HAProxy
dnf install haproxy
systemctl start haproxy
systemctl enable haproxy
Configure logging
Configure rsyslog so that it stores all HAProxy log messages: edit the rsyslog config file “/etc/rsyslog.conf” and uncomment lines 19 and 20,
vim /etc/rsyslog.conf
……
module(load="imudp")
input(type="imudp" port="514")
……
Create a haproxy.conf file for rsyslog and paste in the following lines,
which write separate log files according to the message level:
vim /etc/rsyslog.d/haproxy.conf
local2.* /var/log/haproxy.log
local2.=info /var/log/haproxy-access.log
local2.notice /var/log/haproxy-info.log
Restart and enable the rsyslog service so that it is available across reboots
systemctl restart rsyslog
systemctl enable rsyslog
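The access log written above is where the effect of the proxy's rules becomes visible. As an added example that is not part of the original report, the following Python parses lines in HAProxy's default `option httplog` format (as rsyslog writes them to /var/log/haproxy-access.log) and summarises, per source address, how many requests were served and how many were refused by a 403 deny rule; it also counts hits per backend server, which is the same thing the round-robin curl test checks by eye. The sample log lines are constructed for the example, not captured from the lab.

```python
import re
from collections import Counter, defaultdict

# HAProxy's default httplog line as stored by rsyslog. Fields after the process id:
# client:port [accept date] frontend backend/server timers status bytes
# captured-request-cookie captured-response-cookie termination-state
# actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue "request line"
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<src>[0-9.]+):(?P<sport>\d+) \[(?P<ts>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>\S+)/(?P<server>\S+) '
    r'(?P<timers>[-0-9/]+) (?P<status>\d{3}) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) '
    r'\S+ \S+ "(?P<request>[^"]*)"'
)

# Constructed sample lines (not real output from the lab). The last two show what a
# request refused by `http-request deny deny_status 403` looks like: no server was
# chosen (<NOSRV>) and the termination state starts with "PR" (proxy rule).
SAMPLE_LOG = """\
Mar  3 10:15:02 0846101 haproxy[1234]: 203.0.113.10:51234 [03/Mar/2024:10:15:02.101] clientpc rv/loadbalancer1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET /reverse/ HTTP/1.1"
Mar  3 10:15:02 0846101 haproxy[1234]: 203.0.113.10:51235 [03/Mar/2024:10:15:02.402] clientpc rv/loadbalancer2 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET /reverse/ HTTP/1.1"
Mar  3 10:15:03 0846101 haproxy[1234]: 203.0.113.10:51236 [03/Mar/2024:10:15:03.007] clientpc rv/loadbalancer1 0/0/1/2/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET /reverse/ HTTP/1.1"
Mar  3 10:15:03 0846101 haproxy[1234]: 203.0.113.10:51237 [03/Mar/2024:10:15:03.311] clientpc ip/showreal 0/0/1/1/2 200 96 - - ---- 1/1/0/0/0 0/0 "GET /ip HTTP/1.1"
Mar  3 10:15:09 0846101 haproxy[1234]: 198.51.100.23:40001 [03/Mar/2024:10:15:09.550] clientpc clientpc/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 5/5/0/0/0 0/0 "GET /reverse/ HTTP/1.1"
Mar  3 10:15:09 0846101 haproxy[1234]: 198.51.100.23:40002 [03/Mar/2024:10:15:09.612] clientpc clientpc/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 5/5/0/0/0 0/0 "GET /reverse/ HTTP/1.1"
"""


def parse_line(line):
    """Return the parsed fields of one httplog line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarize(lines):
    """Per-source request/deny counts plus a hit count per backend server."""
    per_src = defaultdict(lambda: {"total": 0, "denied": 0})
    per_server = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_src[rec["src"]]
        stats["total"] += 1
        if rec["status"] == 403 and rec["term"].startswith("PR"):
            stats["denied"] += 1          # refused by the frontend's deny rule
        else:
            per_server[f'{rec["backend"]}/{rec["server"]}'] += 1
    return dict(per_src), per_server


def denied_sources(per_src, min_denied=1):
    """Sources that hit the deny rule at least min_denied times, sorted."""
    return sorted(src for src, s in per_src.items() if s["denied"] >= min_denied)
```

Run over a real file with `summarize(open("/var/log/haproxy-access.log"))`; the per-server counter is what should come out nearly even for the two round-robin servers.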
CentOS has several security mechanisms enabled by default; they have to be turned off manually.
Set the following SELinux boolean,
setsebool -P haproxy_connect_any 1
or
vim /etc/selinux/config
SELINUX=disabled    # changed from SELINUX=enforcing
Firewall
Open port 80 on the proxy
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
iptables on the router
vim /etc/sysconfig/iptables
-A INPUT -p tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp --dport 80 -j ACCEPT
Configuration
vim /etc/haproxy/haproxy.cfg
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    # http request timeout 5s
    timeout http-request 5s
    timeout queue 1m
    timeout connect 5s
    timeout client 5s
    #
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

backend ten_connection
    # per-source current connections and connection rate over 10s
    stick-table type ip size 100k expire 10s store conn_cur,conn_rate(10s)

backend http_conn
    # per-source HTTP request rate over 5s (limit: 20 requests)
    stick-table type ip size 100k expire 5s store http_req_rate(5s)

backend jail_list
    stick-table type ip size 100k expire 10s store gpc0

frontend clientpc
    bind *:80
    # boolean: the source is banned when its gpc0 counter is above 0
    acl banned sc2_get_gpc0 gt 0
    tcp-request connection track-sc2 src table jail_list
    # gpc0 of sc2 will increase if banned
    tcp-request connection sc-inc-gpc0(2) if banned
    # track
    tcp-request connection track-sc0 src table ten_connection
    # current connections greater than 10
    tcp-request connection reject if { sc0_conn_cur gt 10 }
    # connection rate greater than 30
    tcp-request connection reject if { sc0_conn_rate gt 30 }
    http-request track-sc1 src table http_conn
    http-request track-sc2 src table jail_list
    # gpc0 of sc2 will increase if banned
    http-request sc-inc-gpc0(2) if banned
    # gpc0 of sc2 will increase if request rate gt 20
    http-request sc-inc-gpc0(2) if { sc1_http_req_rate gt 20 }
    #
    tcp-request connection reject if banned
    # Return 403 for any new request from this user.
    http-request deny deny_status 403 if banned
    # option http-server-close
    # pass the real source address to the backend
    option forwardfor
    http-request set-header X-Real-IP %[src]
    # route by URL path
    acl url_rv path_beg -i /reverse
    acl url_ip path_beg -i /ip
    use_backend rv if url_rv
    use_backend ip if url_ip
    default_backend rv

backend rv
    mode http
    balance roundrobin
    #option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
    server loadbalancer1 10.113.25.129:8001 check
    server loadbalancer2 10.113.25.129:8002 check

backend ip
    server showreal 10.113.25.129:8003 check
systemctl restart haproxy
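To show what the frontend's stick-table rules actually do to a client, here is an added Python model (not part of the page's configuration, and not HAProxy code) that replays constructed traffic through the same thresholds: 10 concurrent connections, 30 connections per 10 s, 20 HTTP requests per 5 s, and a 10 s jail_list whose gpc0 counter is bumped, and therefore refreshed, every time a banned source comes back. Times are in milliseconds, the sliding-window counter is a simplification of HAProxy's rotating rate estimate, and the client addresses are constructed.

```python
from collections import defaultdict, deque

# Thresholds taken from the page's frontend rules (times in milliseconds).
MAX_CONN_CUR = 10             # reject if { sc0_conn_cur gt 10 }
MAX_CONN_RATE = 30            # reject if { sc0_conn_rate gt 30 }
MAX_HTTP_REQ_RATE = 20        # sc-inc-gpc0(2) if { sc1_http_req_rate gt 20 }
CONN_RATE_WINDOW_MS = 10_000  # ten_connection: conn_rate(10s)
HTTP_RATE_WINDOW_MS = 5_000   # http_conn: http_req_rate(5s)
JAIL_EXPIRE_MS = 10_000       # jail_list: expire 10s


class SlidingCounter:
    """Events in a trailing window. HAProxy's *_rate counters use a two-period
    rotating estimate instead; this exact sliding window is a simplification."""

    def __init__(self, window_ms):
        self.window_ms = window_ms
        self.events = deque()

    def add(self, now_ms):
        self.events.append(now_ms)

    def rate(self, now_ms):
        while self.events and self.events[0] <= now_ms - self.window_ms:
            self.events.popleft()
        return len(self.events)


class Frontend:
    """Model of the 'clientpc' frontend's stick-table rules, keyed by source IP."""

    def __init__(self):
        self.conn_cur = defaultdict(int)
        self.conn_rate = defaultdict(lambda: SlidingCounter(CONN_RATE_WINDOW_MS))
        self.http_rate = defaultdict(lambda: SlidingCounter(HTTP_RATE_WINDOW_MS))
        self.jail = {}   # src -> [gpc0, last_update_ms]  (the jail_list table)

    def _banned(self, src, now_ms):
        """acl banned sc2_get_gpc0 gt 0, honouring the table's 10 s expiry."""
        entry = self.jail.get(src)
        if entry is None:
            return False
        if now_ms - entry[1] >= JAIL_EXPIRE_MS:
            del self.jail[src]          # entry aged out: the ban has lifted
            return False
        return entry[0] > 0

    def _inc_gpc0(self, src, now_ms):
        """sc-inc-gpc0(2): bump the counter and refresh the entry's expiry."""
        entry = self.jail.setdefault(src, [0, now_ms])
        entry[0] += 1
        entry[1] = now_ms

    def connect(self, src, now_ms):
        """tcp-request connection rules, in the page's order. Returns 'accept' or 'reject'."""
        if self._banned(src, now_ms):
            self._inc_gpc0(src, now_ms)     # retrying while banned keeps the ban alive
        self.conn_cur[src] += 1             # track-sc0 src table ten_connection
        self.conn_rate[src].add(now_ms)
        if (self.conn_cur[src] > MAX_CONN_CUR
                or self.conn_rate[src].rate(now_ms) > MAX_CONN_RATE
                or self._banned(src, now_ms)):
            self.conn_cur[src] -= 1         # a rejected connection is closed immediately
            return "reject"
        return "accept"

    def request(self, src, now_ms):
        """http-request rules for one request on an accepted connection. Returns the status."""
        self.http_rate[src].add(now_ms)     # track-sc1 src table http_conn
        if self._banned(src, now_ms):
            self._inc_gpc0(src, now_ms)
        if self.http_rate[src].rate(now_ms) > MAX_HTTP_REQ_RATE:
            self._inc_gpc0(src, now_ms)     # too fast: put the source in jail
        if self._banned(src, now_ms):
            return 403                      # http-request deny deny_status 403
        return 200

    def disconnect(self, src):
        self.conn_cur[src] -= 1


def burst_scenario():
    """Constructed traffic: one keep-alive connection sends 25 requests in 2.4 s,
    then the client reconnects 8 s and 18 s after its last request."""
    fe = Frontend()
    src = "198.51.100.23"                   # constructed client address (RFC 5737 range)
    assert fe.connect(src, 0) == "accept"
    statuses = [fe.request(src, 100 * i) for i in range(25)]
    fe.disconnect(src)
    reconnect = fe.connect(src, 2400 + 8000)            # still inside the refreshed 10 s jail
    later = fe.connect(src, 2400 + 8000 + 10000)        # 10 s of silence: entry expired
    return statuses, reconnect, later


def concurrency_scenario():
    """Eleven simultaneous connections from one source: the eleventh exceeds conn_cur 10."""
    fe = Frontend()
    return [fe.connect("198.51.100.24", 0) for _ in range(11)]
```

The burst scenario shows the point of the two `sc-inc-gpc0(2) if banned` rules: the 21st request within 5 s puts the source in jail and is answered 403, and a client that keeps retrying while jailed keeps refreshing the entry, so the 10 s expiry only starts once it goes quiet.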
Test
Before configuring HAProxy:
Agent port 8001 is Load Balancer 1
Agent port 8002 is Load Balancer 2
Agent port 8003
After configuring HAProxy:
curl 10.113.25.119/reverse
The load balancer does round-robin
curl 10.113.25.119/ip
Shows the original client IP
Add Record
ns1: /var/named/named.0846101.nasa*
0846101.nasa. IN A 10.113.25.119