HAProxy Configuration Manual v1.3.15 (Chinese edition)


----------------------
HAProxy
Configuration Manual
----------------------
version 1.3.15
Author: Willy Tarreau
Translator: finalbsd
2008/04/19
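This document covers all configuration commands of the HAProxy version specified
above. It does not provide any hint, example or advice. For such information,
please refer to the Reference Manual and the Architecture Manual.

Configuring HAProxy involves 3 major sources of parameters:
  - the arguments from the command line, which always take precedence
  - the "global" section, which sets process-wide parameters
  - the proxies sections, which usually take the form of "defaults", "listen",
    "frontend" and "backend".

The configuration file syntax consists of a keyword described in this manual,
optionally followed by one or more parameters separated by spaces. If a string
contains spaces, they must be escaped with a backslash ('\'). A backslash itself
must be escaped with another backslash.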
Some parameters take a time value, for example timeouts. Time values are
generally expressed in milliseconds (ms), but other units can be used by
appending a suffix. This matters because it is not repeated for every keyword.
Supported units are:
  - us : microseconds. 1 microsecond = 1/1000000 second
  - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
  - s  : seconds. 1s = 1000ms
  - m  : minutes. 1m = 60s = 60000ms
  - h  : hours.   1h = 60m = 3600s = 3600000ms
  - d  : days.    1d = 24h = 1440m = 86400s = 86400000ms
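1. Global parameters
--------------------
Parameters in the "global" section are process-wide and often OS-specific. They
are generally set once and, if the configuration is correct, do not need to be
changed again. (Translator's note: in other words, if a parameter is correctly
set more than once, the first one wins and the later ones are ignored.) Some of
these parameters have command-line equivalents.

The following keywords are supported in the "global" section: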
 * Process management and security
   - chroot
   - daemon
   - gid
   - group
   - log
   - nbproc
   - pidfile
   - uid
   - ulimit-n
   - user
   - stats

 * Performance tuning
   - maxconn
   - noepoll
   - nokqueue
   - nopoll
   - nosepoll
   - spread-checks
   - tune.maxaccept
   - tune.maxpollevents

 * Debugging
   - debug
   - quiet
1.1) Process management and security
------------------------------------
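chroot <jail dir>
  Changes the current directory to <jail dir> and performs a chroot() there
  before dropping privileges. This increases the security level of HAProxy. It
  can only be used when HAProxy is started with superuser privileges. Note that
  <jail dir> must be empty and must not be writable by any other user.

daemon
  Makes the HAProxy process fork into the background. This is the recommended
  mode of operation. It is equivalent to the command-line argument "-D". The
  command-line argument "-db" disables this option.

gid <number>
  The group ID the process runs as. It is recommended that the gid used by
  HAProxy be a dedicated one, or one shared only with similar processes.
  HAProxy must be started by a user belonging to this group, or as root.
  See also "group" and "uid".

group <group name>
  Similar to "gid", but uses the gid of the matching group name in /etc/group.
  See also "gid" and "uid".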
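log <address> <facility> [max level]
  Adds a global syslog server. Up to two global servers can be defined. These
  servers receive HAProxy's startup and exit logs and, for proxies configured
  with "log global", all logs.

  <address> can be one of:
    - an IPv4 address followed by a colon and a UDP port. If no port is
      specified, 514 (the standard syslog port) is used by default.
    - a path to a UNIX domain socket file. Pay attention to chroot (the file
      must be accessible inside the chroot) and uid/gid (the file must be
      writable).

  <facility> must be one of the 24 standard syslog facilities:

      kern   user   mail   daemon auth   syslog lpr    news
      uucp   cron   auth2  ftp    ntp    audit  alert  cron2
      local0 local1 local2 local3 local4 local5 local6 local7

  An optional level can be specified to filter outgoing messages. By default,
  all messages are sent. If a level is specified, only messages with a severity
  equal to or higher than this level are sent. The 8 levels are:

      emerg  alert  crit   err    warning notice info  debug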
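nbproc <number>
  Creates <number> processes when going into daemon mode. This parameter
  requires the "daemon" mode. By default only one process is created, which is
  also the recommended mode of operation. On systems where the number of file
  descriptors per process is limited to a small value, it may be necessary to
  start several daemon processes. However, using multiple processes makes
  debugging very hard and is strongly discouraged.
  See also "daemon".

pidfile <pidfile>
  Writes the pids of all processes to file <pidfile>. It is equivalent to the
  command-line argument "-p". The user starting the process must have
  permission to access this file.
  See also "daemon".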
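stats socket <path> [{uid | user} <uid>] [{gid | group} <gid>] [mode <mode>]
  Creates a UNIX socket in stream mode at <path>. Any previously existing
  socket is backed up and then replaced. Connecting to this socket and typing
  "show stat" returns CSV-formatted output that includes process information.
  Typing "show info" returns more detailed related information.

stats timeout <timeout, in milliseconds>
  The default timeout on the stats socket is 10s. It can be changed with this
  parameter; the value may use the suffixes us, ms, s, m, h, d.

stats maxconn <connections>
  By default, the stats socket is limited to 10 concurrent connections. This
  value can be changed with this parameter.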
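uid <number>
  Sets the process' user ID to <number>. It is recommended that the uid used by
  HAProxy be a dedicated one, or one shared only with similar processes.
  HAProxy must be started as root in order to switch to another user.
  See also "gid" and "user".

ulimit-n <number>
  Sets the maximum number of file descriptors per process. By default this
  value is computed automatically, so setting this parameter is not
  recommended.

user <user name>
  Similar to "uid", but uses the uid of the matching user name in /etc/passwd.
  See also "uid" and "group".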
1.2) Performance tuning
-----------------------
maxconn <number>
  Sets the maximum per-process number of concurrent connections to <number>. It
  is equivalent to the command-line argument "-n". Proxies will stop accepting
  connections when this limit is reached. The "ulimit-n" parameter is
  automatically adjusted according to this value. See also "ulimit-n".
noepoll
  Disables the use of the "epoll" event polling system on Linux. It is
  equivalent to the command-line argument "-de". The next polling system
  used will generally be "poll". See also "nosepoll", and "nopoll".

nokqueue
  Disables the use of the "kqueue" event polling system on BSD. It is
  equivalent to the command-line argument "-dk". The next polling system
  used will generally be "poll". See also "nopoll".

nopoll
  Disables the use of the "poll" event polling system. It is equivalent to the
  command-line argument "-dp". The next polling system used will be "select".
  It should never be needed to disable "poll" since it's available on all
  platforms supported by HAProxy. See also "nosepoll", and "nopoll" and
  "nokqueue".

nosepoll
  Disables the use of the "speculative epoll" event polling system on Linux. It
  is equivalent to the command-line argument "-ds". The next polling system
  used will generally be "epoll". See also "nosepoll", and "nopoll".
spread-checks <0..50, in percent>
  Sometimes it is desirable to avoid sending health checks to servers at exact
  intervals, for instance when many logical servers are located on the same
  physical server. With the help of this parameter, it becomes possible to add
  some randomness in the check interval between 0 and +/- 50%. A value between
  2 and 5 seems to show good results. The default value remains at 0.
tune.maxaccept <number>
  Sets the maximum number of consecutive accepts that a process may perform on
  a single wake up. High values give higher priority to high connection rates,
  while lower values give higher priority to already established connections.
  This value is unlimited by default in single process mode. However, in
  multi-process mode (nbproc > 1), it defaults to 8 so that when one process
  wakes up, it does not take all incoming connections for itself and leaves a
  part of them to other processes. Setting this value to zero or less disables
  the limitation. It should normally not be needed to tweak this value.

tune.maxpollevents <number>
  Sets the maximum amount of events that can be processed at once in a call to
  the polling system. The default value is adapted to the operating system. It
  has been noticed that reducing it below 200 tends to slightly decrease
  latency at the expense of network bandwidth, and increasing it above 200
  tends to trade latency for slightly increased bandwidth.
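1.3) Debugging
---------------
debug
  Enables debug mode, which dumps all exchanges to stdout and stays in the
  foreground (Translator's note: it does not go into daemon mode). It is
  equivalent to the command-line argument "-d". This parameter must never be
  used in a production environment, because it will hang during system startup.

quiet
  Do not display any message during startup. It is equivalent to the
  command-line argument "-v".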
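The recommendations of sections 1.1 to 1.3 (chroot, a dedicated uid/gid, "daemon" with "nbproc", at most two global log servers, no "debug" in production) can be checked mechanically. The following Python script is an added example, not part of the original manual or of HAProxy; the finding codes, both sample configurations, the /var/empty path and the numeric IDs are constructed for illustration.

```python
SECTIONS = {"global", "defaults", "listen", "frontend", "backend"}
# Constructed configurations (not taken from the manual).
WEAK = """global
    log 127.0.0.1 local0 notice
    log 127.0.0.1:1514 local1
    log /dev/log local2
    nbproc 4
    uid 0
    debug
defaults
    maxconn 2000
"""
HARDENED = """global
    chroot /var/empty
    uid 1001
    gid 1001
    daemon
    log 127.0.0.1 local0 notice
"""

def global_keywords(text):
    """Return {keyword: [args, ...]} for lines inside the "global" section."""
    found, in_global = {}, False
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()      # drop comments
        if words and words[0] in SECTIONS:         # section keyword switches context
            in_global = words[0] == "global"
        elif words and in_global:
            found.setdefault(words[0], []).append(words[1:])
    return found

def audit_global(text):
    """Return sorted finding codes for settings the manual warns about."""
    kw = global_keywords(text)
    ids = [a[0] for k in ("uid", "user") for a in kw.get(k, []) if a]
    nbproc = int(kw["nbproc"][0][0]) if "nbproc" in kw else 1
    checks = {
        "no-chroot": "chroot" not in kw,
        "runs-as-root": not ids or ids[0] in ("0", "root"),  # no uid/user, or root
        "no-group": "gid" not in kw and "group" not in kw,
        "debug-enabled": "debug" in kw,
        "nbproc-without-daemon": "nbproc" in kw and "daemon" not in kw,
        "multi-process": nbproc > 1,                          # discouraged
        "too-many-log-servers": len(kw.get("log", [])) > 2,   # at most two allowed
    }
    return sorted(code for code, hit in checks.items() if hit)

print("weak:    ", audit_global(WEAK))
print("hardened:", audit_global(HARDENED))
```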
2) Proxies
----------
Proxy configuration can be located in a set of sections :
  - defaults <name>
  - frontend <name>
  - backend  <name>
  - listen   <name>

A "defaults" section sets default parameters for all other sections following
its declaration. Those default parameters are reset by the next "defaults"
section. See below for the list of parameters which can be set in a "defaults"
section. The name is optional but its use is encouraged for better readability.

A "frontend" section describes a set of listening sockets accepting client
connections.

A "backend" section describes a set of servers to which the proxy will connect
to forward incoming connections.

A "listen" section defines a complete proxy with its frontend and backend
parts combined in one section. It is generally useful for TCP-only traffic.
All proxy names must be formed from upper and lower case letters, digits,
'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
case-sensitive, which means that "www" and "WWW" are two different proxies.

Historically, all proxy names could overlap, it just caused troubles in the
logs. Since the introduction of content switching, it is mandatory that two
proxies with overlapping capabilities (frontend/backend) have different names.
However, it is still permitted that a frontend and a backend share the same
name, as this configuration seems to be commonly encountered.
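The naming rules above (allowed characters, case sensitivity, and no shared name between proxies with overlapping capabilities) can be checked before a configuration is loaded. This Python checker is an added example, not code from the manual or from HAProxy; the sample configuration and the finding labels are constructed, and a "listen" section is treated as holding both the frontend and the backend capability, as the text describes.

```python
import re

# Letters, digits, '-', '_', '.' and ':' are the only characters allowed.
NAME_RE = re.compile(r"[A-Za-z0-9_.:-]+")
# Capabilities claimed by each section type; "listen" combines both parts.
CAPS = {"frontend": {"fe"}, "backend": {"be"}, "listen": {"fe", "be"}}

# Constructed sample configuration (section headers only).
SAMPLE = """frontend www
backend www
backend WWW
listen www 0.0.0.0:80
frontend web/1
backend app.v1:blue
backend app.v1:blue
"""

def check_proxy_names(text):
    """Return [(line number, name, finding)] for names that break the rules."""
    claimed = {}    # name -> capabilities already taken under that exact name
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if len(words) < 2 or words[0] not in CAPS:
            continue                      # not a named proxy section header
        kind, name = words[0], words[1]
        if not NAME_RE.fullmatch(name):
            problems.append((lineno, name, "invalid-character"))
            continue
        # Names are compared as written: "www" and "WWW" are different proxies.
        if claimed.setdefault(name, set()) & CAPS[kind]:
            problems.append((lineno, name, "overlapping-capability"))
        claimed[name] |= CAPS[kind]
    return problems

for finding in check_proxy_names(SAMPLE):
    print(finding)
```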
Right now, two major proxy modes are supported : "tcp", also known as layer 4,
and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
protocol, and can interact with it by allowing, blocking, switching, adding,
modifying, or removing arbitrary contents in requests or responses, based on
arbitrary criteria.
2.1) Quick reminder about HTTP
------------------------------
When a proxy is running in HTTP mode, both the request and the response are
fully analyzed and indexed, thus it becomes possible to build matching criteria
on almost anything found in the contents.

However, it is important to understand how HTTP requests and responses are
formed, and how HAProxy decomposes them. It will then become easier to write
correct rules and to debug existing configurations.

2.1.1) The HTTP transaction model
---------------------------------
The HTTP protocol is transaction-driven. This means that each request will lead
to one and only one response. Traditionally, a TCP connection is established
from the client to the server, a request is sent by the client on the
connection, the server responds and the connection is closed. A new request
will involve a new connection :

  [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...

In this mode, called the "HTTP close" mode, there are as many connection
establishments as there are HTTP transactions. Since the connection is closed
by the server after the response, the client does not need to know the content
length.

Due to the transactional nature of the protocol, it was possible to improve it
to avoid closing a connection between two subsequent transactions. In this mode
however, it is mandatory that the server indicates the content length for
