如何在haproxy上实现tcp负载平衡

如何在haproxy上实现tcp负载平衡,tcp,load-balancing,haproxy,Tcp,Load Balancing,Haproxy,我在haproxy后面的3台服务器上的8080端口上运行tcp服务 我想通过haproxy来平衡这些服务器之间的tcp流量 server1 192.168.10.1 8080 server2 192.168.10.2 8080 server3 192.168.10.3 8080 假设haproxy服务器ip为192.168.10.10 1. 我可以使用什么haproxy配置来实现这一点? 配置激活后,访问loadbalanced tcp流量的端点是什么 2. 另一件事是,是否可以将该端点代理为

我在haproxy后面的3台服务器的8080端口上运行着一个tcp服务,我想通过haproxy来平衡这些服务器之间的tcp流量。

server1 192.168.10.1 8080
server2 192.168.10.2 8080
server3 192.168.10.3 8080
假设haproxy服务器ip为
192.168.10.10

1. 我可以使用什么haproxy配置来实现这一点?配置生效后,访问负载平衡后的tcp流量的端点是什么?

2. 另一件事是,是否可以将该端点代理为类似于不带端口的url?就像基于http的路由那样……那么我可以放置该tcp端点,并通过主机名将http端点路由到负载平衡后的tcp服务吗?


假设我想访问
http://tcp-app.example.com
然后应该路由到loadbalanced tcp服务

对于问题1,您可以将此作为起点:

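# Minimal TCP load balancer: accept on :8080 and spread connections over
# the three servers.  No "balance" keyword is given, so HAProxy's default
# round-robin applies.  Clients reach the service at <haproxy-ip>:8080.
listen tcp-in
  bind :8080

  mode tcp
  log stdout format raw daemon
  option tcplog

  # "timeout client" is the client-side inactivity timeout.  5s is fine
  # for short request/response exchanges but will cut idle long-lived
  # sessions; raise it (it is often set equal to "timeout server") if
  # the service keeps connections open.
  timeout client   5s
  timeout connect 30s
  timeout server  30s

  # "check" enables the default TCP connect health check, so a server that
  # is down stops receiving new connections instead of failing each one.
  server server1 192.168.10.1:8080 check
  server server2 192.168.10.2:8080 check
  server server3 192.168.10.3:8080 check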
您可以通过
192.168.10.10:8080
访问负载平衡器
要更好地了解haproxy,我认为这篇博文是一个不错的起点。

对于问题2,由于TCP本身没有“主机名”的概念,您需要切换到基于SNI的路由。
我在这篇博文中描述了SNI路由在HAProxy中的工作原理

下面是一个在TCP和HTTP协议之间进行SNI路由的haproxy配置示例。它稍微复杂一些,因为您需要先检查TCP路由,再进行HTTP路由。

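#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log stdout format raw daemon debug

    maxconn     5000

    tune.ssl.default-dh-param 3072

    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern
    # Default TLS parameters for every "bind ... ssl" line and for TLS to
    # backend servers, using the Mozilla "intermediate" cipher list.
    # TLS 1.0/1.1 are deprecated (RFC 8996), so the floor is TLSv1.2;
    # "no-tls-tickets" disables stateless session tickets.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets

    # https://www.haproxy.com/blog/dynamic-configuration-haproxy-runtime-api/
    # Runtime API.  "level admin" lets whoever can connect disable servers,
    # change weights and otherwise reconfigure the proxy, and the sockets
    # carry no authentication of their own, so access must be limited by
    # the OS:
    #  - the TCP socket is bound to loopback only; any local process can
    #    still reach it, so drop it if the UNIX socket is sufficient.
    #  - the UNIX socket used to be "mode 666" (world-writable).  600
    #    restricts it to the owning user; use "mode 660" together with
    #    a "group" of a dedicated admin group if other users need access.
    stats socket ipv4@127.0.0.1:9999 level admin
    stats socket /var/run/haproxy.sock mode 600 level admin
    stats timeout 2m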

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    # Proxies default to TCP mode; the HTTP frontends/backends below
    # override this with their own "mode http".
    mode                    tcp
    # Use the "log" target defined in the global section.
    log                     global
    option                  dontlognull
    #option                  logasap
    # TCP keepalives towards the backend servers.
    option                  srvtcpka
    option                  log-separate-errors
    # Number of connection attempts to a server after a failure.
    retries                 3
    # The http-* timeouts only take effect in proxies running in HTTP mode.
    timeout http-request    10s
    timeout queue           2m
    timeout connect         10s
    timeout client          5m
    timeout server          5m
    timeout http-keep-alive 10s
    timeout check           10s
    # Per-proxy connection limit (the global maxconn caps the whole process).
    maxconn                 750

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------

##
## Frontend for HTTP
##
# Plain-text listener whose only job is to send clients to HTTPS.
frontend http-in
    # Port 80 on IPv4 and IPv6 via a single dual-stack socket.
    bind :::80 v4v6
    mode http
    option httplog

    # Wait up to 5s for the first bytes and only proceed once they look
    # like an HTTP request.
    tcp-request inspect-delay 5s
    tcp-request content accept if HTTP

    # redirect http to https .
    # This bind line has no "ssl", so ssl_fc is never true here and every
    # request is redirected.
    http-request redirect scheme https unless { ssl_fc }

##
## Frontend for HTTPS
##
# TCP-mode (from "defaults") SNI router.  The bind line has no "ssl", so
# TLS is NOT terminated here: the encrypted stream is routed by the SNI in
# the ClientHello and terminated later by whichever backend receives it.
frontend public_ssl

    bind :::443 v4v6 

    option tcplog

    # Buffer up to 5s of client data, record the SNI for the logs and only
    # accept the connection once a TLS ClientHello (hello type 1) is seen.
    tcp-request inspect-delay 5s
    tcp-request content capture req.ssl_sni len 25
    tcp-request content accept if { req.ssl_hello_type 1 }
    
    # https://www.haproxy.com/blog/introduction-to-haproxy-maps/
    # Lowercased SNI -> backend name via the map file.  An SNI that is not
    # in the map yields no backend, so the rule is ignored and the
    # default_backend below is used.  NOTE(review): because TLS is not
    # terminated here, every backend named in tcp-domain2backend-map.txt
    # must be able to accept the still-encrypted stream (see be_sni and
    # be_sni_xmpp); "mode http" backends listed there would not work.
    use_backend %[req.ssl_sni,lower,map(tcp-domain2backend-map.txt)]

    # Everything else goes to be_sni, which forwards to the terminating
    # https-in listener.
    default_backend be_sni

##########################################################################
# TLS SNI
#
# When using SNI we can terminate encryption with dedicated certificates.
##########################################################################
# Hands the still-encrypted stream to the https-in frontend on loopback
# (127.0.0.1:10444).  The PROXY v2 header tells https-in the original
# client address, which is why that bind line uses "accept-proxy".
backend be_sni
  server fe_sni 127.0.0.1:10444 weight 10 send-proxy-v2-ssl-cn

# Passthrough for the TCP service: the encrypted stream is forwarded, with
# a PROXY v2 header carrying the client address, to the "tcp-in" listener
# on loopback port 8080, which terminates TLS and load balances.
backend be_sni_xmpp
  server li_tcp-in 127.0.0.1:8080 weight 10 send-proxy-v2-ssl-cn

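# handle https incoming
# TLS-terminating HTTP frontend.  It is only reachable from be_sni over
# loopback; "accept-proxy" makes it trust the PROXY v2 header be_sni sends,
# so logs and forwarding headers carry the real client address instead of
# 127.0.0.1.
frontend https-in

    # terminate ssl 
    bind 127.0.0.1:10444 accept-proxy ssl strict-sni alpn h2,http/1.1 crt haproxy-certs

    mode http
    option forwardfor
    option httplog
    option http-ignore-probes

    # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
    http-request del-header Proxy

    # "option forwardfor" appends to an existing X-Forwarded-For, so a
    # client could prepend a fake address that backends then trust.  This
    # is the public edge, so drop any client-supplied value first; the
    # header then contains only the address HAProxy adds.
    http-request del-header X-Forwarded-For

    # Normalise the Host header and tell backends how the client arrived.
    # set-header overwrites whatever the client sent for these names.
    http-request set-header Host %[req.hdr(host),lower]
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(host),lower]
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
    # add-header appends, so a client-supplied Forwarded header is kept in
    # front of ours; backends should read the last element.
    http-request add-header Forwarded for=\"[%[src]]\";host=%[req.hdr(host),lower];proto=%[req.hdr(X-Forwarded-Proto)];proto-version=%[req.hdr(X-Forwarded-Proto-Version)]

    # Add hsts https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/
    # http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"

    # https://www.haproxy.com/blog/introduction-to-haproxy-maps/
    # Lowercased Host -> backend name.  There is no default_backend, so an
    # unknown host gets HAProxy's 503 response.
    use_backend %[req.hdr(host),lower,map(http-domain2backend-map.txt)]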

#---------------------------------------------------------------------
#  backends
#---------------------------------------------------------------------
## backend for cloud.DOMAIN
# Plain HTTP to a local service; TLS has already been terminated by
# https-in, and this hop stays on loopback.
backend nextcloud-backend
    mode http
    # HTTP health check.  BACKEND_VHOST is a placeholder and must be
    # replaced with the virtual host the service answers to.
    option httpchk GET / HTTP/1.1\r\nHost:\ BACKEND_VHOST
    server short-cloud 127.0.0.1:81 check 


## backend for dashboard.DOMAIN
# Plain HTTP to a local service on loopback; "check" without "option
# httpchk" means a plain TCP connect health check.
backend dashboard-backend
    mode http
    server short-cloud 127.0.0.1:82 check

## backend for upload.DOMAIN
# Plain HTTP to a local service on loopback (no "ssl" on the server line,
# so port 8443 is spoken to in clear text); TCP connect health check.
backend httpupload-backend
    log global
    mode http
    server short-cloud 127.0.0.1:8443 check

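# TLS-terminating load balancer for the TCP service.  Traffic reaches it
# only from be_sni_xmpp over loopback, which prefixes a PROXY v2 header.
listen tcp-in
  # "accept-proxy" makes this listener trust whatever client address the
  # PROXY header claims, and the protocol carries no authentication, so
  # the socket must not be reachable by untrusted clients.  Binding to
  # 127.0.0.1 (instead of all interfaces) limits it to be_sni_xmpp; a
  # direct client could not have used it anyway, since it would have to
  # send a PROXY header.
  # "ssl strict-sni crt haproxy-certs" terminates TLS here; the servers
  # below receive the decrypted stream in clear text over the LAN.
  bind 127.0.0.1:8080 accept-proxy ssl strict-sni crt haproxy-certs

  mode tcp
  log stdout format raw daemon
  option tcplog

  # Client-side inactivity timeout.  5s is short for a long-lived session
  # (the backend name be_sni_xmpp suggests one); raise it if clients are
  # being disconnected while idle.
  timeout client   5s
  timeout connect 30s
  timeout server  30s

  # "check" enables the default TCP connect health check, so a server that
  # is down stops receiving new connections instead of failing each one.
  server server1 192.168.10.1:8080 check
  server server2 192.168.10.2:8080 check
  server server3 192.168.10.3:8080 check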
文件tcp-domain2backend-map.txt

# SNI -> backend for the TCP-mode public_ssl frontend (keys are compared
# lowercased, see the "lower" converter on the use_backend line).
tcp-service.mydomain.im be_sni_xmpp
# http backends
# NOTE(review): public_ssl does not terminate TLS, so these three entries
# would hand the still-encrypted stream to "mode http" backends.  HTTPS
# hosts are expected to fall through to default_backend be_sni and be
# routed by http-domain2backend-map.txt after termination; these lines
# look like a copy of that file and probably do not belong here.
nextcloud.MyDomain.com nextcloud-backend
dashboard.MyDomain.com dashboard-backend 
jabupload.MyDomain.com httpupload-backend
文件http-domain2backend-map.txt

# Host header -> backend for the HTTP-mode https-in frontend (keys are
# compared lowercased).
# NOTE(review): https-in has already terminated TLS, so this entry would
# send decrypted HTTP to be_sni_xmpp, whose target listener expects a TLS
# stream; it appears to be a copy from tcp-domain2backend-map.txt.
tcp-service.mydomain.im be_sni_xmpp
# http backends
nextcloud.MyDomain.com nextcloud-backend
dashboard.MyDomain.com dashboard-backend 
jabupload.MyDomain.com httpupload-backend

在#1答案中,你有这一行 `listen tcp-in`。你介意解释一下 `listen` 和 `tcp-in` 的意思吗?它们只是可以随意更改的名称,还是有特定含义?另外,假设服务器上的8081端口还有另一个tcp服务,我是否应该使用相同的块,只把端口改成8081?

`listen` 和 `tcp-in` 等所有这些指令的含义在这篇博文中都有解释。是的,对于另一个端口,您可以复制整个 `listen` 块。