menu Chancel's blog
rss_feed
Chancel's blog
有善始者实繁,能克终者盖寡。

Haproxy配置HTTP代理

作者:Chancel Yang, 创建:2021-06-16, 字数:1942, 已阅:48, 最后更新:2021-06-16

这篇文章更新于 1016 天前,文中部分信息可能失效,请自行甄别无效内容。

在封闭内网,有多个HTTP代理服务器做正向代理访问外网,使用Haproxy做简单的配置

INI
global
    # 最大并发2000
    maxconn 2000
    log /dev/log	local0
    log /dev/log	local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    
       # 日志配置,需要搭配rsyslog实现,日志等级local2
    log 127.0.0.1 local2

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log	global
    mode	http
    option	httplog
    option	dontlognull
        timeout connect 30s
        timeout client  30s
        timeout server  30s
    maxconn 2000

frontend http-proxy
    bind *:33128
    mode http
    # 以下3句只允许172.16.1.2访问,不允许其他来源ip访问
    acl allow_host src 172.16.1.2
    tcp-request content accept if allow_host
    tcp-request content reject
    default_backend	http-proxy-backend

backend http-proxy-backend
    mode http
    balance roundrobin
    option  redispatch
    # 超出最大请求数则排队30秒
    timeout queue 30s
    default-server check inter 1000 rise 1 fall 1 maxconn 2000
    server  http-proxy-1   172.16.1.11:3128 
    server  http-proxy-2   172.16.1.12:3128
    server  http-proxy-3   172.16.1.13:3128

# 监控面板,访问8404
listen stats
    bind *:8404
    stats enable
    stats uri /monitor
    stats refresh 5s

如果需要将访问信息输出到 /var/log/haproxy.log,则需要修改/etc/rsyslog.conf,在文件尾添加如下配置

INI
...

$ModLoad imudp
$UDPServerRun 514

local2.* /var/log/haproxy.log

[[replyMessage== null?"发表评论":"发表评论 @ " + replyMessage.m_author]]

account_circle
email
web_asset
textsms

评论列表([[messageResponse.total]])

还没有可以显示的留言...
[[messageItem.m_author]] [[messageItem.m_author]]
[[messageItem.create_time]]
[[getEnviron(messageItem.m_environ)]]
[[subMessage.m_author]] [[subMessage.m_author]] @ [[subMessage.parent_message.m_author]] [[subMessage.parent_message.m_author]]
[[subMessage.create_time]]
[[getEnviron(messageItem.m_environ)]]