Last active
August 20, 2018 14:41
-
-
Save chanjarster/bb180190994d86bf0c8917fa134e57ea to your computer and use it in GitHub Desktop.
Haproxy配置样例
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Haproxy的常见配置 | |
| # 参考文档: | |
| # http://cbonte.github.io/haproxy-dconv/1.9/configuration.html | |
| # http://blog.sina.com.cn/s/blog_704836f40102w243.html | |
| # http://thread.gmane.org/gmane.comp.web.haproxy/12557 | |
| # https://serverfault.com/questions/678882/is-there-a-way-to-rate-limit-connections-with-haproxy-using- | |
| # https://blog.codecentric.de/en/2014/12/haproxy-http-header-rate-limiting/ | |
| # http://cbonte.github.io/haproxy-dconv/1.9/management.html | |
| # https://www.haproxy.com/blog/websockets-load-balancing-with-haproxy/ | |
| global | |
| daemon | |
| maxconn 20000 | |
| stats socket /var/run/haproxy/haproxy.sock mode 0600 level admin | |
| log 127.0.0.1 local3 | |
| defaults | |
| mode http | |
| # 启动Haproxy web统计页面 | |
| stats uri /haproxy-admin | |
| stats realm Haproxy\ Statistics | |
| stats auth 用户名:密码 | |
| # 添加X-Forwarded-For头,使后端获得真实IP | |
| option forwardfor except 127.0.0.1 | |
| # 开启http keep-alive | |
| option http-keep-alive | |
| # http keep-alive保持5秒 | |
| timeout http-keep-alive 5s | |
| # 开启日志 | |
| log 127.0.0.1 local3 | |
| frontend http-in | |
| # 绑定80端口 | |
| bind *:80 | |
| # 最大连接数 | |
| maxconn 20000 | |
| # 客户端响应超时 | |
| timeout client 5s | |
| # http请求送达超时 | |
| timeout http-request 5s | |
| # http keep-alive保持连接最长时间 | |
| timeout http-keep-alive 5s | |
| # half-open connection未响应超时,针对web socket | |
| timeout client-fin 30s | |
| # 使用后端服务器组 | |
| default_backend servers | |
| # START 过速请求的防御 | |
| # 创建stick-table,记录 cookie(SESSIONID) -> 最近30秒内http请求次数 | |
| # stick-table type string len 50 size 1m expire 10m store http_req_rate(30s) | |
| # 将cookie(SESSION)作为key,存到stick-table中 | |
| # http-request track-sc0 req.cook(SESSION) | |
| # 定义ACL,请求次数是否超过100 | |
| # acl abuse sc0_http_req_rate gt 100 | |
| # 如果ACL为true,则拒绝http请求,响应429 | |
| # http-request deny deny_status 429 if abuse | |
| # END | |
| # START IP 黑名单 | |
| # 定义ACL,看client ip是否在ip-blacklist.txt内,文件内容如下: | |
| # xxx.xxx.xxx.xxx | |
| # xxx.xxx.xxx.xxx/8 | |
| # acl block_ip src -f path/to/ip-blacklist.txt | |
| # 如果ACL为true,则拒绝http请求 | |
| # http-request deny if block_ip | |
| # END | |
| # START User-Agent黑名单 | |
| # 定义ACL,看user-agent头是否字符串substring在ua-blacklist.txt内,文件内容如下: | |
| # okhttp | |
| # chrome | |
| # acl block_ua hdr_sub(user-agent) -i -f path/to/ua-blacklist.txt | |
| # 如果ACL为true,则拒绝http请求 | |
| # http-request deny if block_ua | |
| # END | |
| backend servers | |
| # 连接到服务器超时 | |
| timeout connect 30s | |
| # 服务器无活动超时 | |
| timeout server 60s | |
| # tunnel超时,针对web socket | |
| timeout tunnel 1h | |
| # START 负载策略:轮询,session持久策略:cookie,这个策略最均匀 | |
| balance roundrobin | |
| cookie SERVERNAME insert indirect nocache | |
| # END | |
| # START 负载策略:轮询,session持久策略:ip | |
| # balance roundrobin | |
| # stick-table type ip size 10m expire 3h | |
| # stick on src | |
| # END | |
| # START 负载策略:IP hash | |
| # balance source | |
| # END | |
| # xxx代表服务地址(可带端口号) | |
| # server1,2,3,4只是名字,可以改成需要的名字 | |
| # check port yyyy 代表通过检测后端服务器的yyyy端口来判断服务器是否可用,如果不可用,会自动切换 | |
| server server1 xxx check port yyyy maxconn 1000 maxqueue 10 slowstart 60s | |
| server server2 xxx check port yyyy maxconn 1000 maxqueue 10 slowstart 60s | |
| server server3 xxx check port yyyy maxconn 1000 maxqueue 10 slowstart 60s | |
| server server4 xxx check port yyyy maxconn 1000 maxqueue 10 slowstart 60s |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment