
Socat 对HAPROXY的sock操作;Socat实现HAPROXY优雅下线后端服务器

本文的内容较多,包括:Socat 对HAPROXY的sock操作(多个模式);实现HAPROXY优雅下线后端服务器(多个方式)。

1. 实践架构及说明

Socat 对HAPROXY的sock操作;Socat实现HAPROXY优雅下线后端服务器_权重动态修改

# 七台主机
1 2台web服务器 :
主机名:WebServer-IP17
CentOS 7.9
IP:192.168.250.17

主机名:WebServer-IP27
CentOS 7.9
IP:192.168.250.27



2 2台 MariaDB 数据库服务器 :
主机名:MariaDB-IP37
CentOS 7.9
IP:192.168.250.37

主机名:MariaDB-IP47
CentOS 7.9
IP:192.168.250.47


3 1台 haproxy-ip07 服务器 :
主机名: haproxy-ip07
CentOS 7.9
IP:192.168.250.7/24
HAProxy version 2.4.15
socat version 1.7.4.3


4 2台client主机 :
主机名:Client-IP172-8
CentOS 8.4
IP:172.16.0.8/24 NAT成192.168.250.254 访问192.168.250.X网段

主机名:Client-IP192-68
CentOS 8.4
IP:192.168.250.68/24

WEB服务器环境准备

[root@webserver-ip17 ~]#yum -y install httpd;hostname > /var/www/html/indexTmp.html;hostname -I >> /var/www/html/indexTmp.html;cat /var/www/html/indexTmp.html | xargs > /var/www/html/index.html;rm -rf /var/www/html/indexTmp.html;systemctl  enable --now httpd

[root@webserver-ip27 ~]#yum -y install httpd;hostname > /var/www/html/indexTmp.html;hostname -I >> /var/www/html/indexTmp.html;cat /var/www/html/indexTmp.html | xargs > /var/www/html/index.html;rm -rf /var/www/html/indexTmp.html;systemctl enable --now httpd

MariaDB数据库服务器准备

说明:下面的授权把所有库的全部权限授予可从任意主机登录的 test 账号,口令也很简单,仅适合隔离的实验环境;生产环境应限定来源主机、按需授权并使用强口令。

[root@mariadb-ip37 ~]# yum -y install mariadb-server
[root@mariadb-ip37 ~]# mysql -e 'grant all on *.* to test@"%.%.%.%" identified by "shone8888"'
[root@mariadb-ip37 ~]# systemctl enable --now mariadb.service

[root@mariadb-ip47 ~]# yum -y install mariadb-server
[root@mariadb-ip47 ~]# mysql -e 'grant all on *.* to test@"%.%.%.%" identified by "shone8888"'
[root@mariadb-ip47 ~]# systemctl enable --now mariadb.service


2. socat简介及 安装

2.1 socat 简介

后端服务器的权重和其它运行状态可以利用 socat 工具动态调整。Socat 是 Linux 下一个功能强大的网络工具,名字来自 Socket CAT,其功能与有瑞士军刀之称的 Netcat(nc)类似,可以看做是 Netcat 的加强版。Socat 的主要特点是在两个数据流之间建立双向通道,且支持众多协议和连接方式,如 IP、TCP、UDP、IPv6、pipe、exec、system、open、proxy、openssl、socket 等。

官网: http://www.dest-unreach.org/socat/

功能

  • 端口转发
  • 端口映射
  • 端口监听
  • tcp/udp连接
  • 文件传送
  • nat映射
  • 使用openssl加密传输

2.2 socat 安装

yum安装

[root@haproxy-ip07 ~]#yum -y install socat

编译安装最新版本(源码包是通过明文 HTTP 下载的,编译前建议核对其校验值或签名——如官网有提供)

[root@haproxy-ip07 ~]# wget http://www.dest-unreach.org/socat/download/socat-1.7.4.3.tar.gz
[root@haproxy-ip07 ~]# tar -zxvf socat-1.7.4.3.tar.gz -C /usr/local/src
[root@haproxy-ip07 src]# ll /usr/local/src/
total 16
drwxrwxr-x 13 root root 4096 Apr 2 20:44 haproxy-2.4.15
drwxr-xr-x 4 1026 1000 58 Jan 14 00:15 lua-5.4.4
drwxr-xr-x 4 1032 1032 8192 Jan 9 05:10 socat-1.7.4.3

[root@haproxy-ip07 <sub>]# cd /usr/local/src/socat-1.7.4.3
[root@haproxy-ip07 socat-1.7.4.3]# ./configure --disable-fips
[root@haproxy-ip07 socat-1.7.4.3]# make -j 8 && make install
[root@haproxy-ip07 socat-1.7.4.3]# reboot
[root@haproxy-ip07 </sub>]# socat -V
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.4.3 on Apr 5 2022 15:07:38
running on Linux version #1 SMP Mon Oct 19 16:18:59 UTC 2020, release 3.10.0-1160.el7.x86_64, machine x86_64
features:
#define WITH_STDIO 1
#define WITH_FDNUM 1
#define WITH_FILE 1
#define WITH_CREAT 1
#define WITH_GOPEN 1
#define WITH_TERMIOS 1
#define WITH_PIPE 1
#define WITH_UNIX 1
#define WITH_ABSTRACT_UNIXSOCKET 1
#define WITH_IP4 1
#define WITH_IP6 1
#define WITH_RAWIP 1
#define WITH_GENERICSOCKET 1
#define WITH_INTERFACE 1
#define WITH_TCP 1
#define WITH_UDP 1
#define WITH_SCTP 1
#define WITH_LISTEN 1
#define WITH_SOCKS4 1
#define WITH_SOCKS4A 1
#define WITH_VSOCK 1
#define WITH_PROXY 1
#define WITH_SYSTEM 1
#define WITH_EXEC 1
#undef WITH_READLINE
#define WITH_TUN 1
#define WITH_PTY 1
#define WITH_OPENSSL 1
#undef WITH_FIPS
#undef WITH_LIBWRAP
#define WITH_SYCLS 1
#define WITH_FILAN 1
#define WITH_RETRY 1
#define WITH_MSGLEVEL 0 /*debug*/
[root@haproxy-ip07 ~]#


3. socat 的认识及使用

# 默认yum 源的 socat 版本
[root@haproxy-ip07 <sub>]# yum info socat
.....................
Name : socat
Arch : x86_64
Version : 1.7.3.2
Release : 2.el7
Size : 1.1 M
Repo : installed
From repo : base
.....................

[root@haproxy-ip07 </sub>]# yum list socat
..................
socat.x86_64 1.7.3.2-2.el7 @base
[root@haproxy-ip07 <sub>]#

# yum 安装并查看安装后的文件
[root@haproxy-ip07 </sub>]# yum -y install socat
[root@haproxy-ip07 ~]# rpm -ql socat
/usr/bin/filan
/usr/bin/procan
/usr/bin/socat
/usr/share/doc/socat-1.7.3.2
/usr/share/doc/socat-1.7.3.2/BUGREPORTS
/usr/share/doc/socat-1.7.3.2/CHANGES
/usr/share/doc/socat-1.7.3.2/COPYING
/usr/share/doc/socat-1.7.3.2/COPYING.OpenSSL
/usr/share/doc/socat-1.7.3.2/DEVELOPMENT
/usr/share/doc/socat-1.7.3.2/EXAMPLES
/usr/share/doc/socat-1.7.3.2/FAQ
/usr/share/doc/socat-1.7.3.2/PORTING
/usr/share/doc/socat-1.7.3.2/README
/usr/share/doc/socat-1.7.3.2/SECURITY
/usr/share/doc/socat-1.7.3.2/daemon.sh
/usr/share/doc/socat-1.7.3.2/ftp.sh
/usr/share/doc/socat-1.7.3.2/gatherinfo.sh
/usr/share/doc/socat-1.7.3.2/mail.sh
/usr/share/doc/socat-1.7.3.2/proxy.sh
/usr/share/doc/socat-1.7.3.2/proxyecho.sh
/usr/share/doc/socat-1.7.3.2/readline-test.sh
/usr/share/doc/socat-1.7.3.2/readline.sh
/usr/share/doc/socat-1.7.3.2/socat_buildscript_for_android.sh
/usr/share/doc/socat-1.7.3.2/socks4a-echo.sh
/usr/share/doc/socat-1.7.3.2/socks4echo.sh
/usr/share/doc/socat-1.7.3.2/test.sh
/usr/share/man/man1/socat.1.gz
# 查看帮助
[root@haproxy-ip07 <sub>]# socat -h
# 管道符传送参数给socat
[root@haproxy-ip07 </sub>]# echo "help" | socat stdio /var/lib/haproxy/haproxy.sock1
The following commands are valid at this level:
abort ssl cert <certfile> : abort a transaction for a certificate file
add acl [@<ver>] <acl> <pattern> : add an acl entry
add map [@<ver>] <map> <key> <val> : add a map entry (payload supported instead of key/val)
add ssl crt-list <list> <cert> [opts]* : add to crt-list file <list> a line <cert> or a payload
clear acl [@<ver>] <acl> : clear the contents of this acl
clear counters [all] : clear max statistics counters (or all counters)
clear map [@<ver>] <map> : clear the contents of this map
clear table <table> [<filter>]* : remove an entry from a table (filter: data/key)
commit acl @<ver> <acl> : commit the ACL at this version
commit map @<ver> <map> : commit the map at this version
commit ssl cert <certfile> : commit a certificate file
del acl <acl> [<key>|#<ref>] : delete acl entries matching <key>
del map <map> [<key>|#<ref>] : delete map entries matching <key>
del ssl cert <certfile> : delete an unused certificate file
del ssl crt-list <list> <cert[:line]> : delete a line <cert> from crt-list file <list>
disable agent : disable agent checks
disable dynamic-cookie backend <bk> : disable dynamic cookies on a specific backend
disable frontend <frontend> : temporarily disable specific frontend
disable health : disable health checks
disable server (DEPRECATED) : disable a server for maintenance (use 'set server' instead)
enable agent : enable agent checks
enable dynamic-cookie backend <bk> : enable dynamic cookies on a specific backend
enable frontend <frontend> : re-enable specific frontend
enable health : enable health checks
enable server (DEPRECATED) : enable a disabled server (use 'set server' instead)
get acl <acl> <value> : report the patterns matching a sample for an ACL
get map <acl> <value> : report the keys and values matching a sample for a map
get var <name> : retrieve contents of a process-wide variable
get weight <bk>/<srv> : report a server's current weight
new ssl cert <certfile> : create a new certificate file to be used in a crt-list or a directory
operator : lower the level of the current CLI session to operator
prepare acl <acl> : prepare a new version for atomic ACL replacement
prepare map <acl> : prepare a new version for atomic map replacement
set dynamic-cookie-key backend <bk> <k> : change a backend secret key for dynamic cookies
set map <map> [<key>|#<ref>] <value> : modify a map entry
set maxconn frontend <frontend> <value> : change a frontend's maxconn setting
set maxconn global <value> : change the per-process maxconn setting
set maxconn server <bk>/<srv> : change a server's maxconn setting
set profiling <what> {auto|on|off} : enable/disable resource profiling (tasks,memory)
set rate-limit <setting> <value> : change a rate limiting value
set server <bk>/<srv> [opts] : change a server's state, weight, address or ssl
set severity-output [none|number|string]: set presence of severity level in feedback information
set ssl cert <certfile> <payload> : replace a certificate file
set ssl ocsp-response <resp|payload> : update a certificate's OCSP Response from a base64-encode DER
set ssl tls-key [id|file] <key> : set the next TLS key for the <id> or <file> listener to <key>
set table <table> key <k> [data.* <v>]* : update or create a table entry's data
set timeout [cli] <delay> : change a timeout setting
set weight <bk>/<srv> (DEPRECATED) : change a server's weight (use 'set server' instead)
show acl [@<ver>] <acl>] : report available acls or dump an acl's contents
show activity : show per-thread activity stats (for support/developers)
show backend : list backends in the current running config
show cache : show cache status
show cli level : display the level of the current CLI session
show cli sockets : dump list of cli sockets
show env [var] : dump environment variables known to the process
show errors [<px>] [request|response] : report last request and/or response errors for each proxy
show events [<sink>] [-w] [-n] : show event sink state
show fd [num] : dump list of file descriptors in use or a specific one
show info [desc|json|typed|float]* : report information about the running process
show libs : show loaded object files and libraries
show map [@ver] [map] : report available maps or dump a map's contents
show peers [dict|-] [section] : dump some information about all the peers or this peers section
show pools : report information about the memory pools usage
show profiling [<what>|<#lines>|byaddr]*: show profiling state (all,status,tasks,memory)
show resolvers [id] : dumps counters from all resolvers section and associated name servers
show schema json : report schema used for stats
show servers conn [<backend>] : dump server connections status (all or for a single backend)
show servers state [<backend>] : dump volatile server information (all or for a single backend)
show sess [id] : report the list of current sessions or dump this exact session
show ssl cert [<certfile>] : display the SSL certificates used in memory, or the details of a file
show ssl crt-list [-n] [<list>] : show the list of crt-lists or the content of a crt-list file <list>
show startup-logs : report logs emitted during HAProxy startup
show stat [desc|json|no-maint|typed|up]*: report counters for each proxy and server
show table <table> [<filter>]* : report table usage stats or dump this table's contents (filter: data/key)
show tasks : show running tasks
show threads : show some threads debugging information
show tls-keys [id|*] : show tls keys references or dump tls ticket keys when id specified
show trace [<module>] : show live tracing state
show version : show version of the current process
shutdown frontend <frontend> : stop a specific frontend
shutdown session [id] : kill a specific session
shutdown sessions server <bk>/<srv> : kill sessions on a server
trace [<module>|0] [cmd [args...]] : manage live tracing (empty to list, 0 to stop all)
user : lower the level of the current CLI session to user
help [<command>] : list matching or all commands
prompt : toggle interactive mode with prompt
quit : disconnect

[root@haproxy-ip07 ~]#

4. Socat 工具实现对HAPROXY sock 的操作

4.1 模式一:后端web服务器权重相同 ,2个sock文件,2个进程

#### 修改/etc/haproxy/haproxy.cfg 配置,实现对后端web服务器的相同权重  只指定二个sock文件,二个进程
[root@haproxy-ip07 <sub>]# cat /etc/haproxy/haproxy.cfg
# HAProxy configuration for mode 1: both backend servers at the default weight,
# two worker processes, one runtime-API socket per process.
global
maxconn 100000
chroot /apps/haproxy
#stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
# Runtime API sockets. "level admin" accepts every CLI command, including the
# state-changing ones (set weight, disable/enable server), so the file mode is
# the access control here: 600 restricts use to the socket's owner.
# NOTE(review): no user/group is given on these lines, so the owner is presumably
# the account that starts HAProxy (root in this transcript) - confirm with ls -l.
# "process N" ties each socket to one process; the two processes keep separate
# server state, so a change has to be sent to both sockets.
stats socket /var/lib/haproxy/haproxy.sock1 mode 600 level admin process 1
stats socket /var/lib/haproxy/haproxy.sock2 mode 600 level admin process 2
#uid 99
#gid 99
user haproxy
group haproxy
daemon
# NOTE(review): nbproc is deprecated upstream and no longer exists from HAProxy 2.5
# on; this listing runs 2.4.15.
nbproc 2
#cpu-map 1 0
#cpu-map 2 1
#cpu-map 3 2
#cpu-map 4 3
pidfile /var/lib/haproxy/haproxy.pid
log 127.0.0.1 local2 info

defaults
option http-keep-alive
option forwardfor
maxconn 100000
mode http
# 300000ms is five minutes for each of connect, client and server.
timeout connect 300000ms
timeout client 300000ms
timeout server 300000ms

######################## listen Single file status page ##############################
# bind 0.0.0.0 listens on every interface and the bind line carries no ssl keyword,
# so the "stats auth" user and password are sent as HTTP Basic auth in clear text;
# they are also stored in plain text in this file. No "stats admin" rule is present,
# so the page only displays state.
listen stats
mode http
bind 0.0.0.0:9999
stats enable
log global
stats uri /haproxy-status
stats auth haadmin:shone8888

######################## http + front + backend #############################
frontend WEB_PORT_80
bind 192.168.250.7:80
mode http
use_backend web_port_http_nodes
log global

# No "balance" line, so HAProxy's default algorithm applies. No "weight" keyword,
# so both servers report weight 1 (see the "get weight" output on the page).
# check inter 3000 fall 2 rise 5: health check every 3000 ms, marked down after
# 2 failed checks and up again after 5 successful ones.
backend web_port_http_nodes
mode http
option forwardfor
server web1 192.168.250.17:80 check inter 3000 fall 2 rise 5
server web2 192.168.250.27:80 check inter 3000 fall 2 rise 5
[root@haproxy-ip07 </sub>]#

# 查看sock的信息
[root@haproxy-ip07 <sub>]# echo "show info" | socat stdio /var/lib/haproxy/haproxy.sock1
Name: HAProxy
Version: 2.4.15-7782e23
Release_date: 2022/03/14
Nbthread: 1
Nbproc: 2
Process_num: 1
Pid: 3123
Uptime: 0d 16h57m24s
Uptime_sec: 61044
Memmax_MB: 0
PoolAlloc_MB: 0
PoolUsed_MB: 0
PoolFailed: 0
Ulimit-n: 200031
Maxsock: 200031
Maxconn: 100000
Hard_maxconn: 100000
CurrConns: 0
CumConns: 40655
CumReq: 27
MaxSslConns: 0
CurrSslConns: 0
CumSslConns: 0
Maxpipes: 0
PipesUsed: 0
PipesFree: 0
ConnRate: 0
ConnRateLimit: 0
MaxConnRate: 2
SessRate: 0
SessRateLimit: 0
MaxSessRate: 2
SslRate: 0
SslRateLimit: 0
MaxSslRate: 0
SslFrontendKeyRate: 0
SslFrontendMaxKeyRate: 0
SslFrontendSessionReuse_pct: 0
SslBackendKeyRate: 0
SslBackendMaxKeyRate: 0
SslCacheLookups: 0
SslCacheMisses: 0
CompressBpsIn: 0
CompressBpsOut: 0
CompressBpsRateLim: 0
ZlibMemUsage: 0
MaxZlibMemUsage: 0
Tasks: 12
Run_queue: 0
Idle_pct: 100
node: haproxy-ip07
Stopping: 0
Jobs: 7
Unstoppable Jobs: 2
Listeners: 6
ActivePeers: 0
ConnectedPeers: 0
DroppedLogs: 0
BusyPolling: 0
FailedResolutions: 0
TotalBytesOut: 149810
TotalSplicdedBytesOut: 0
BytesOutRate: 0
DebugCommandsIssued: 0
CumRecvLogs: 0
Build info: 2.4.15-7782e23
Memmax_bytes: 0
PoolAlloc_bytes: 74752
PoolUsed_bytes: 74752
Start_time_sec: 1649068332
Tainted: 0

[root@haproxy-ip07 </sub>]#
# 查看后端服务器的状态
[root@haproxy-ip07 <sub>]# echo "show servers state" | socat stdio /var/lib/haproxy/haproxy.sock1
1
# be_id be_name srv_id srv_name srv_addr srv_op_state srv_admin_state srv_uweight srv_iweight srv_time_since_last_change srv_check_status srv_check_result srv_check_health srv_check_state srv_agent_state bk_f_forced_id srv_f_forced_id srv_fqdn srv_port srvrecord srv_use_ssl srv_check_port srv_check_addr srv_agent_addr srv_agent_port
4 web_port_http_nodes 1 web1 192.168.250.17 2 0 1 1 61125 6 3 6 6 0 0 0 - 80 - 0 0 - - 0
4 web_port_http_nodes 2 web2 192.168.250.27 2 0 1 1 61125 6 3 6 6 0 0 0 - 80 - 0 0 - - 0

# 获取 后端服务器的权重
[root@haproxy-ip07 </sub>]# echo "get weight web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock1
1 (initial 1)

[root@haproxy-ip07 <sub>]# echo "get weight web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock1
1 (initial 1)

[root@haproxy-ip07 </sub>]#

4.2 模式二:后端web服务器权重不同(1:3) ,1个sock文件,1个进程

#### 修改/etc/haproxy/haproxy.cfg 配置,实现对后端web服务器的不同权重 1:3  只指定一个 sock 文件,一个进程
[root@haproxy-ip07 <sub>]# cat /etc/haproxy/haproxy.cfg
# HAProxy configuration for mode 2: weights 1:3, a single process and a single
# runtime-API socket.
global
maxconn 100000
chroot /apps/haproxy
# Single runtime API socket. "level admin" accepts every CLI command, including
# the state-changing ones; mode 600 restricts use to the socket's owner.
stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
#stats socket /var/lib/haproxy/haproxy.sock1 mode 600 level admin process 1
#stats socket /var/lib/haproxy/haproxy.sock2 mode 600 level admin process 2
#uid 99
#gid 99
user haproxy
group haproxy
daemon
# One process only, so one socket reaches all of the load balancer's state.
nbproc 1
# Pin process 1 to CPU 0.
cpu-map 1 0
#cpu-map 2 1
#cpu-map 3 2
#cpu-map 4 3
pidfile /var/lib/haproxy/haproxy.pid
log 127.0.0.1 local2 info

defaults
option http-keep-alive
option forwardfor
maxconn 100000
mode http
# 300000ms is five minutes for each of connect, client and server.
timeout connect 300000ms
timeout client 300000ms
timeout server 300000ms

######################## listen Single file status page ##############################
# Listens on every interface without ssl, so the "stats auth" credentials travel
# as HTTP Basic auth in clear text and sit in plain text in this file.
listen stats
mode http
bind 0.0.0.0:9999
stats enable
log global
stats uri /haproxy-status
stats auth haadmin:shone8888

######################## http + front + backend #############################
frontend WEB_PORT_80
bind 192.168.250.7:80
mode http
use_backend web_port_http_nodes
log global

# No "balance" line, so HAProxy's default algorithm applies; the transcript on the
# page shows it accepting runtime weight changes. web1 has no "weight" keyword and
# reports weight 1; web2 is configured with weight 3.
backend web_port_http_nodes
mode http
option forwardfor
server web1 192.168.250.17:80 check inter 3000 fall 2 rise 5
server web2 192.168.250.27:80 check inter 3000 fall 2 rise 5 weight 3
[root@haproxy-ip07 </sub>]# systemctl reload haproxy.service
[root@haproxy-ip07

# 查看权重
[root@haproxy-ip07 <sub>]# echo "get weight web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock
1 (initial 1)

[root@haproxy-ip07 </sub>]# echo "get weight web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock
3 (initial 3)

# 修改权重并查看
[root@haproxy-ip07 <sub>]# echo "set weight web_port_http_nodes/web1 2" | socat stdio /var/lib/haproxy/haproxy.sock
[root@haproxy-ip07 </sub>]# echo "get weight web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock
2 (initial 1)

[root@haproxy-ip07 <sub>]# echo "set weight web_port_http_nodes/web2 1" | socat stdio /var/lib/haproxy/haproxy.sock
[root@haproxy-ip07 </sub>]# echo "get weight web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock
1 (initial 3)

# 禁用服务器(也就是下线 WEB2),终端命令行下观察效果;前面 help 输出里 disable server 已标为 DEPRECATED,并提示改用 set server
[root@haproxy-ip07 <sub>]#
[root@haproxy-ip07 </sub>]# echo "disable server web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock
[root@CentOS84-IP172-08 ]# while :;do curl 192.168.250.7;sleep 1;done
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
...............
[root@CentOS84-IP172-08 ]#

# 启用服务器(也就是上线 WEB2),终端命令行下观察效果
[root@haproxy-ip07 <sub>]# echo "get weight web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock
1 (initial 3)
[root@haproxy-ip07 </sub>]# echo "get weight web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock
2 (initial 1)
[root@haproxy-ip07 <sub>]#

[root@haproxy-ip07 </sub>]# echo "enable server web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock
[root@haproxy-ip07 ~]#
[root@CentOS84-IP172-08 ]# while :;do curl 192.168.250.7;sleep 1;done
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip27 192.168.250.27
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip27 192.168.250.27
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip27 192.168.250.27
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip27 192.168.250.27
webserver-ip17 192.168.250.17
^C
[root@CentOS84-IP172-08 ]#
# 修改 web2 权重为 0,实现优雅下线,并观察效果(前面 help 输出里 set weight 已标为 DEPRECATED,并提示改用 set server)
[root@haproxy-ip07 <sub>]# echo "set weight web_port_http_nodes/web2 0" | socat stdio /var/lib/haproxy/haproxy.sock
[root@haproxy-ip07 </sub>]# echo "get weight web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock
2 (initial 1)
[root@haproxy-ip07 <sub>]# echo "get weight web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock
0 (initial 3)
[root@haproxy-ip07 </sub>]#
[root@CentOS84-IP172-08 ]# while :;do curl 192.168.250.7;sleep 1;done
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
.................
[root@CentOS84-IP172-08 ]#

4.3 模式三:后端web服务器权重不同(1:3) ,2个sock文件,2个进程

#### 修改/etc/haproxy/haproxy.cfg 配置,实现对后端web服务器的不同权重 1:3  只指定2个 sock 文件,2个进程
[root@haproxy-ip07 <sub>]# cat /etc/haproxy/haproxy.cfg
# HAProxy configuration for mode 3: weights 1:3, two processes, one runtime-API
# socket per process.
global
maxconn 100000
chroot /apps/haproxy
#stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
# One admin-level socket per process; mode 600 restricts use to the socket's owner.
# The processes keep separate server state, so every runtime change has to be sent
# to sock1 and to sock2.
stats socket /var/lib/haproxy/haproxy.sock1 mode 600 level admin process 1
stats socket /var/lib/haproxy/haproxy.sock2 mode 600 level admin process 2
#uid 99
#gid 99
user haproxy
group haproxy
daemon
# NOTE(review): nbproc is deprecated upstream and no longer exists from HAProxy 2.5 on.
nbproc 2
# Only process 1 is pinned (to CPU 0); the mapping for process 2 is commented out.
cpu-map 1 0
#cpu-map 2 1
#cpu-map 3 2
#cpu-map 4 3
pidfile /var/lib/haproxy/haproxy.pid
log 127.0.0.1 local2 info

defaults
option http-keep-alive
option forwardfor
maxconn 100000
mode http
# 300000ms is five minutes for each of connect, client and server.
timeout connect 300000ms
timeout client 300000ms
timeout server 300000ms

######################## listen Single file status page ##############################
# Listens on every interface without ssl, so the "stats auth" credentials travel
# as HTTP Basic auth in clear text and sit in plain text in this file.
listen stats
mode http
bind 0.0.0.0:9999
stats enable
log global
stats uri /haproxy-status
stats auth haadmin:shone8888

######################## http + front + backend #############################
frontend WEB_PORT_80
bind 192.168.250.7:80
mode http
use_backend web_port_http_nodes
log global

# web1 has no "weight" keyword and reports weight 1; web2 is configured with weight 3.
backend web_port_http_nodes
mode http
option forwardfor
server web1 192.168.250.17:80 check inter 3000 fall 2 rise 5
server web2 192.168.250.27:80 check inter 3000 fall 2 rise 5 weight 3
[root@haproxy-ip07 </sub>]# !syst
systemctl reload haproxy.service
[root@haproxy-ip07 <sub>]# systemctl reload haproxy.service
[root@haproxy-ip07 </sub>]#

# 验证权重设置
[root@haproxy-ip07 <sub>]# echo "get weight web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock1
1 (initial 1)
[root@haproxy-ip07 </sub>]# echo "get weight web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock2
1 (initial 1)

[root@haproxy-ip07 <sub>]# echo "get weight web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock1
3 (initial 3)
[root@haproxy-ip07 </sub>]# echo "get weight web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock2
3 (initial 3)
[root@haproxy-ip07 <sub>]#

[root@CentOS84-IP172-08 ]# while :;do curl 192.168.250.7;sleep 1;done
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip17 192.168.250.17
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip17 192.168.250.17
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
^C
[root@CentOS84-IP172-08 ]#



# 禁用 web1(nbproc 2 时每个进程各自维护服务器状态,所以两个 sock 都要执行一次)。禁用后 get weight web_port_http_nodes/web1 看到 web1 的权重虽然仍是 1,但实际在终端访问已经不能访问 WEB1 了
[root@haproxy-ip07 </sub>]# echo "disable server web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock1
[root@haproxy-ip07 <sub>]# echo "disable server web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock2

[root@haproxy-ip07 </sub>]# echo "get weight web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock1
1 (initial 1)
[root@haproxy-ip07 <sub>]# echo "get weight web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock2
1 (initial 1)

[root@haproxy-ip07 </sub>]# echo "get weight web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock1
3 (initial 3)
[root@haproxy-ip07 <sub>]# echo "get weight web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock2
3 (initial 3)

[root@haproxy-ip07 </sub>]#
[root@CentOS84-IP172-08 ]# while :;do curl 192.168.250.7;sleep 1;done
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
^C
[root@CentOS84-IP172-08 ]#


# 启用 web1(同样要对两个 sock 各执行一次)。get weight web_port_http_nodes/web1 看到 web1 的权重一直是 1,启用后实际在终端访问又能访问 WEB1 了
[root@haproxy-ip07 <sub>]# echo "enable server web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock1
[root@haproxy-ip07 </sub>]# echo "enable server web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock2
[root@haproxy-ip07 ~]#

[root@CentOS84-IP172-08 ]# while :;do curl 192.168.250.7;sleep 1;done
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip17 192.168.250.17
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip17 192.168.250.17
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip17 192.168.250.17
^C
[root@CentOS84-IP172-08 ]#

4.4 模式四:后端web服务器权重相同 ,2个sock文件,2个进程,绑定CPU

#### 修改/etc/haproxy/haproxy.cfg 配置,实现对后端web服务器的相同权重 1:1  只指定2个sock文件,2个进程,并绑定CPU
[root@haproxy-ip07 <sub>]# cat /etc/haproxy/haproxy.cfg
# HAProxy configuration for mode 4: equal weights, two processes each pinned to a
# CPU, one runtime-API socket per process, static round-robin balancing.
global
maxconn 100000
chroot /apps/haproxy
#stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
# One admin-level socket per process; mode 600 restricts use to the socket's owner.
# The processes keep separate server state, so every runtime change has to be sent
# to sock1 and to sock2.
stats socket /var/lib/haproxy/haproxy.sock1 mode 600 level admin process 1
stats socket /var/lib/haproxy/haproxy.sock2 mode 600 level admin process 2
#uid 99
#gid 99
user haproxy
group haproxy
daemon
# NOTE(review): nbproc is deprecated upstream and no longer exists from HAProxy 2.5 on.
nbproc 2
# Pin process 1 to CPU 0 and process 2 to CPU 1.
cpu-map 1 0
cpu-map 2 1
#cpu-map 3 2
#cpu-map 4 3
pidfile /var/lib/haproxy/haproxy.pid
log 127.0.0.1 local2 info

defaults
option http-keep-alive
option forwardfor
maxconn 100000
mode http
# 300000ms is five minutes for each of connect, client and server.
timeout connect 300000ms
timeout client 300000ms
timeout server 300000ms

######################## listen Single file status page ##############################
# Listens on every interface without ssl, so the "stats auth" credentials travel
# as HTTP Basic auth in clear text and sit in plain text in this file.
listen stats
mode http
bind 0.0.0.0:9999
stats enable
log global
stats uri /haproxy-status
stats auth haadmin:shone8888

######################## http + front + backend #############################
frontend WEB_PORT_80
bind 192.168.250.7:80
mode http
use_backend web_port_http_nodes
log global

# static-rr is a static algorithm: the runtime API rejects any weight other than
# 0% and 100% for this backend (see the error message in the transcript below),
# so a server can only be taken out of or put back into rotation.
backend web_port_http_nodes
mode http
balance static-rr
option forwardfor
server web1 192.168.250.17:80 check inter 3000 fall 2 rise 5 weight 1
server web2 192.168.250.27:80 check inter 3000 fall 2 rise 5 weight 1
[root@haproxy-ip07 </sub>]#

[root@haproxy-ip07 <sub>]# echo "get weight web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock2
1 (initial 1)
[root@haproxy-ip07 </sub>]# echo "get weight web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock1
1 (initial 1)

[root@haproxy-ip07 <sub>]# echo "get weight web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock2
1 (initial 1)
[root@haproxy-ip07 </sub>]# echo "get weight web_port_http_nodes/web1" | socat stdio /var/lib/haproxy/haproxy.sock1
1 (initial 1)

# 当 backend 使用 balance static-rr 这类静态算法时,权重只能设为 0% 或 100%(本例初始权重为 1,即只能设为 0 或 1),不支持动态修改成其他数值;也就是说静态算法下只支持下线和上线这两个基本操作。下面这段是全部的验证和实验过程
[root@haproxy-ip07 <sub>]# echo "set weight web_port_http_nodes/web2 3" | socat stdio /var/lib/haproxy/haproxy.sock2
Backend is using a static LB algorithm and only accepts weights '0%' and '100%'.
[root@haproxy-ip07 </sub>]# echo "set weight web_port_http_nodes/web2 3" | socat stdio /var/lib/haproxy/haproxy.sock1
Backend is using a static LB algorithm and only accepts weights '0%' and '100%'.

[root@haproxy-ip07 <sub>]# echo "set weight web_port_http_nodes/web2 0" | socat stdio /var/lib/haproxy/haproxy.sock1
[root@haproxy-ip07 </sub>]# echo "set weight web_port_http_nodes/web2 0" | socat stdio /var/lib/haproxy/haproxy.sock2
[root@haproxy-ip07 <sub>]#

[root@CentOS84-IP172-08 ]# while :;do curl 192.168.250.7;sleep 1;done
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
^C
[root@CentOS84-IP172-08 ]#

[root@haproxy-ip07 </sub>]# echo "set weight web_port_http_nodes/web2 1" | socat stdio /var/lib/haproxy/haproxy.sock1
[root@haproxy-ip07 <sub>]# echo "set weight web_port_http_nodes/web2 1" | socat stdio /var/lib/haproxy/haproxy.sock2
[root@haproxy-ip07 </sub>]#

[root@CentOS84-IP172-08 ]# while :;do curl 192.168.250.7;sleep 1;done
webserver-ip27 192.168.250.27
webserver-ip27 192.168.250.27
webserver-ip17 192.168.250.17
webserver-ip27 192.168.250.27
webserver-ip17 192.168.250.17
webserver-ip27 192.168.250.27
webserver-ip17 192.168.250.17
webserver-ip27 192.168.250.27
^C
[root@CentOS84-IP172-08 ]#

5. 手动修改web2权重为0,实现优雅下线

简要说明:手工修改 web2 权重之前,在状态页上看到其状态正常;手动把权重改为 0 后可以看到它优雅下线。要直观观察优雅下线的过程,可以在 WEB2 上生成一个大文件,再从客户端限速下载。

Socat 对HAPROXY的sock操作;Socat实现HAPROXY优雅下线后端服务器_权重动态修改_02


[root@haproxy-ip07 <sub>]# echo "set weight web_port_http_nodes/web2 0" | socat stdio /var/lib/haproxy/haproxy.sock1
[root@haproxy-ip07 </sub>]# echo "set weight web_port_http_nodes/web2 0" | socat stdio /var/lib/haproxy/haproxy.sock2


Socat 对HAPROXY的sock操作;Socat实现HAPROXY优雅下线后端服务器_优雅下线_03

# 观察优雅下线的过程:在 WEB2 上创建一个 100M 的大文件,再在终端上限速下载,让连接保持一段时间;在这段时间内手动将 WEB2 的权重修改为 0,可以观察到新发起的请求不会再被调度到 WEB2,而已有的下载连接也不会被强制中断,直到下载任务完成或者终端主动中断下载。这个过程全部结束后,在 HAPROXY 上就实现了 WEB2 的优雅下线。
# 在WEB2上生成一个大文件
[root@webserver-ip27 <sub>]# dd if=/dev/zero of=/var/www/html/BigFile.img bs=1M count=100
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 0.137998 s, 760 MB/s
[root@webserver-ip27 </sub>]#
# 在客户端上限速下载
[root@CentOS84-IP68 ]#wget --limit-rate=400k http://192.168.250.7/BigFile.img
#观察HAPROXY上的连接,和访问的客户端192.168.250.68 、后端的web2服务器192.168.250.27均建立了连接
[root@haproxy-ip07 <sub>]# ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 293384 192.168.250.7:80 192.168.250.68:58939
ESTAB 1510564 0 192.168.250.7:29683 192.168.250.27:80
[root@haproxy-ip07 </sub>]#

# 修改WEB2 权重为0
[root@haproxy-ip07 <sub>]# echo "set weight web_port_http_nodes/web2 0" | socat stdio /var/lib/haproxy/haproxy.sock1
[root@haproxy-ip07 </sub>]# echo "set weight web_port_http_nodes/web2 0" | socat stdio /var/lib/haproxy/haproxy.sock2

# 发起新的连接,不会被调度到 WEB2 192.168.250.27 上去
[root@CentOS84-IP172-08 ]# while :;do curl 192.168.250.7;sleep 1;done
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
webserver-ip17 192.168.250.17
^C
[root@CentOS84-IP172-08 ]#

# 已经建立的下载连接仍然存在,不会被强制中断
[root@haproxy-ip07 <sub>]# ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 210240 192.168.250.7:80 192.168.250.68:58939
ESTAB 1521220 0 192.168.250.7:29683 192.168.250.27:80
[root@haproxy-ip07 </sub>]#

# 直至下载结束后才会彻底没了针对WEB2的调度连接了
[root@haproxy-ip07 <sub>]# ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port

[root@haproxy-ip07 </sub>]#

6. 手动禁用某台后端服务器,实现优雅下线

[root@haproxy-ip07 <sub>]# echo "disable server web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock1

[root@haproxy-ip07 </sub>]# echo "disable server web_port_http_nodes/web2" | socat stdio /var/lib/haproxy/haproxy.sock2

[root@haproxy-ip07 ~]#

Socat 对HAPROXY的sock操作;Socat实现HAPROXY优雅下线后端服务器_优雅下线_04

7. 利用脚本下线后端服务器

[root@haproxy-ip07 ]# cat haproxy_host_up_down.sh     
#!/bin/bash
#
#**********************************************************************************************
#Author: WuDongWuXia
#QQ: 1050572574@qq.com
#Date: 2022-04-05
#FileName: haproxy_host_up_down.sh
#URL: www.shoneinfo.cn
#Description: The Test Script
#Copyright (C):2022 All rights reserved
#*********************************************************************************************
. /etc/init.d/functions
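# Set the runtime weight of one server in backend web_port_http_nodes to 1 (up)
# or 0 (down) on every HAProxy admin socket under /var/lib/haproxy.
# Arguments:   $1 - up|down
#              $2 - HAProxy server name as written on the "server" line (e.g. web2)
# Exit status: 0 when every socket accepted the command, 1 when at least one did
#              not (or no socket was found), 2 on a usage error.
case "${1:-}" in
  up) weight=1 ;;
  down) weight=0 ;;
  *)
    # Checked once, before the loop, instead of once per socket.
    printf 'Usage: %s up|down SERVER_NAME\n' "${0##*/}" >&2
    exit 2
    ;;
esac

server=${2:-}
# The name is pasted into a command for an admin-level socket, where ';'
# separates commands and spaces separate arguments; accept only plain name
# characters so the argument cannot carry a second command.
if [[ ! $server =~ ^[A-Za-z0-9_.:-]+$ ]]; then
  printf 'Invalid server name: %s\n' "$server" >&2
  exit 2
fi

rc=0
seen=0
for sock in /var/lib/haproxy/haproxy.sock*; do
  # An unmatched glob stays a literal pattern; skip anything that is not a socket.
  [[ -S $sock ]] || continue
  seen=1
  if reply=$(printf 'set weight web_port_http_nodes/%s %s\n' "$server" "$weight" \
    | socat stdio "$sock") && [[ -z $reply ]]; then
    action "$server is $1"
  else
    # Either socat failed (for example a leftover socket file that no process
    # listens on) or HAProxy answered with a message. A successful "set weight"
    # prints nothing in the sessions this script was written against, so any
    # text is reported as a rejection instead of "[ OK ]".
    [[ -n $reply ]] && printf '%s: %s\n' "$sock" "$reply" >&2
    action "$server is $1 ($sock)" false
    rc=1
  fi
done

if ((seen == 0)); then
  printf 'No HAProxy admin socket found under /var/lib/haproxy\n' >&2
  rc=1
fi
exit "$rc"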
[root@haproxy-ip07 ]#


[root@haproxy-ip07 ~]# bash haproxy_host_up_down.sh down web2
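2022/04/05 13:41:12 socat[1998] E connect(5, AF=1 "/var/lib/haproxy/haproxy.sock", 31): Connection refused
# 说明:通配符 haproxy.sock* 也匹配到了 /var/lib/haproxy/haproxy.sock,看起来是前面单 sock 配置遗留的文件,已没有进程监听,所以这一次连接被拒绝;另外两个 sock 正常执行。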

web2 is down [ OK ]

web2 is down [ OK ]

Socat 对HAPROXY的sock操作;Socat实现HAPROXY优雅下线后端服务器_优雅下线_05

[root@haproxy-ip07 <sub>]# bash haproxy_host_up_down.sh up web2  
2022/04/05 13:43:12 socat[2010] E connect(5, AF=1 "/var/lib/haproxy/haproxy.sock", 31): Connection refused

web2 is up [ OK ]

web2 is up [ OK ]
[root@haproxy-ip07 </sub>]#

Socat 对HAPROXY的sock操作;Socat实现HAPROXY优雅下线后端服务器_权重动态修改_06

