- # Haproxy的常见配置
- # 参考文档:
- # http://cbonte.github.io/haproxy-dconv/1.9/configuration.html
- # http://blog.sina.com.cn/s/blog_704836f40102w243.html
- # http://thread.gmane.org/gmane.comp.web.haproxy/12557
- # https://serverfault.com/questions/678882/is-there-a-way-to-rate-limit-connections-with-haproxy-using-
- # https://blog.codecentric.de/en/2014/12/haproxy-http-header-rate-limiting/
- # http://cbonte.github.io/haproxy-dconv/1.9/management.html
- # https://www.haproxy.com/blog/websockets-load-balancing-with-haproxy/
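global
    # Run in the background. A process-wide user/group is not set here,
    # so the daemon keeps the identity it was started with (usually root
    # when launched from an init script). Uncomment once the unprivileged
    # service account exists on the host.
    daemon
    # user haproxy
    # group haproxy
    # Process-wide ceiling on concurrent connections
    maxconn 20000
    # Runtime API socket. "level admin" allows changing state at runtime
    # (disabling servers, clearing stick-tables), so keep mode 0600 and
    # make sure the socket directory is not writable by other accounts.
    stats socket /var/run/haproxy/haproxy.sock mode 0600 level admin
    # Syslog over UDP to the local host, facility local3. A syslog
    # daemon must listen on 127.0.0.1:514 or the messages are silently lost.
    log 127.0.0.1 local3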
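defaults
    mode http

    # Built-in statistics page. Everything in this section is inherited
    # by the frontend below, so the page is served on the plain-HTTP :80
    # listener and the basic-auth credentials travel in cleartext.
    # Move it to a listener on a management address, or gate it with a
    # source ACL, before exposing this configuration to the internet.
    stats uri /haproxy-admin
    stats realm Haproxy\ Statistics
    # Replace with a real account. The password is stored here in plain
    # text, so do not reuse it anywhere else.
    stats auth 用户名:密码
    # Do not advertise the HAProxy version on the statistics page
    stats hide-version

    # Append the client address to X-Forwarded-For so backends can see
    # the real client IP. HAProxy appends to (does not replace) a header
    # the client already sent, so backends must read the right-most
    # entry or trust only this proxy.
    option forwardfor except 127.0.0.1

    # Reuse client connections between requests
    option http-keep-alive

    # Maximum idle time on a kept-alive client connection
    timeout http-keep-alive 5s

    # Use the log target from the global section, with the HTTP log
    # format so method, URI and status code appear in every line.
    log global
    option httplog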
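frontend http-in

    # Listen on port 80 of every interface (plain HTTP only)
    bind *:80

    # Per-frontend connection ceiling
    maxconn 20000

    # Client inactivity timeout
    timeout client 5s
    # Time allowed for a complete HTTP request to arrive; this also
    # bounds connections that trickle headers slowly
    timeout http-request 5s
    # timeout http-keep-alive is inherited from the defaults section
    # Timeout for a half-closed client connection (websocket use case)
    timeout client-fin 30s

    # Backend used when no rule selects another one
    default_backend servers

    # START request-rate limiting (disabled; uncomment to enable)

    # stick-table keyed by the SESSION cookie, keeping each key's HTTP
    # request rate over the last 30 seconds
    # stick-table type string len 50 size 1m expire 10m store http_req_rate(30s)

    # Track requests by the SESSION cookie value
    # http-request track-sc0 req.cook(SESSION)
    # NOTE: the key above is supplied by the client, so a client that
    # omits or rotates the cookie is not counted. Keying by source
    # address is the more robust choice; to use it, replace the two
    # lines above (only one stick-table is allowed per proxy) with:
    # stick-table type ip size 1m expire 10m store http_req_rate(30s)
    # http-request track-sc0 src

    # ACL: more than 100 requests within the 30-second window
    # acl abuse sc0_http_req_rate gt 100

    # Reject with 429 Too Many Requests while the ACL matches
    # http-request deny deny_status 429 if abuse

    # END

    # START source-IP blocklist

    # ACL: client address listed in ip-blacklist.txt, one entry per line,
    # plain addresses or CIDR ranges:
    # xxx.xxx.xxx.xxx
    # xxx.xxx.xxx.xxx/8
    # The path is opened relative to HAProxy's working directory, so
    # prefer an absolute path.
    # acl block_ip src -f path/to/ip-blacklist.txt

    # Reject matching requests (403 by default)
    # http-request deny if block_ip

    # END

    # START User-Agent blocklist

    # ACL: User-Agent contains (case-insensitively) any substring listed
    # in ua-blacklist.txt, one per line, e.g.:
    # okhttp
    # chrome
    # The header is chosen by the client, so treat this as a nuisance
    # filter rather than an access control.
    # acl block_ua hdr_sub(user-agent) -i -f path/to/ua-blacklist.txt

    # Reject matching requests (403 by default)
    # http-request deny if block_ua

    # END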
-
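backend servers
    # Time allowed to establish the TCP connection to a server
    timeout connect 30s
    # Server inactivity timeout
    timeout server 60s
    # Inactivity timeout once the connection has become a tunnel (websocket)
    timeout tunnel 1h

    # START load-balancing: round-robin, persistence: cookie.
    # Spreads load most evenly. HAProxy inserts a SERVERNAME cookie whose
    # value is the "cookie" parameter of the chosen server line below;
    # without that parameter no cookie is set and clients are never
    # pinned. "httponly" keeps the cookie out of reach of page scripts;
    # add "secure" once the frontend terminates TLS.
    balance roundrobin
    cookie SERVERNAME insert indirect nocache httponly
    # END

    # START alternative: round-robin, persistence: source IP
    # balance roundrobin
    # stick-table type ip size 10m expire 3h
    # stick on src
    # END

    # START alternative: source-IP hash
    # balance source
    # END

    # xxx = server address (port optional)
    # server1..4 are only labels and can be renamed. The "cookie" value
    # must be unique per server; it is what SERVERNAME carries to the
    # client, so keep it opaque rather than the real host name.
    # "check port yyyy" probes TCP port yyyy to decide availability and
    # takes the server out of rotation when it fails. This is a plain
    # TCP connect unless "option httpchk" is added.
    server server1 xxx cookie s1 check port yyyy maxconn 1000 maxqueue 10 slowstart 60s
    server server2 xxx cookie s2 check port yyyy maxconn 1000 maxqueue 10 slowstart 60s
    server server3 xxx cookie s3 check port yyyy maxconn 1000 maxqueue 10 slowstart 60s
    server server4 xxx cookie s4 check port yyyy maxconn 1000 maxqueue 10 slowstart 60s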