首页 Haproxy教程haproxy-ACL案例

hapxory-ACL基础介绍

haproxy-自定义HAProxy页面

运维派隶属马哥教育旗下专业运维社区,是国内成立最早的IT运维技术社区,欢迎关注公众号:yunweipai
领取学习更多免费Linux云计算、Python、Docker、K8s教程关注公众号:马哥linux运维

ACL示例-域名匹配

[root@centos7 ~]#cat /etc/haproxy/conf.d/test.cfg
frontend  magedu_http_port
  bind 10.0.0.7:80
  mode http
  balance  roundrobin
  log global
  option httplog

###################### acl setting ###############################
  acl pc_domain  hdr_dom(host)      -i www.magedu.org
  acl mobile_domain hdr_dom(host)   -i mobile.magedu.org

###################### acl hosts #################################
  use_backend  pc_hosts         if   pc_domain
  use_backend  mobile_hosts     if   mobile_domain
  default_backend pc_hosts 

###################### backend hosts #############################
backend mobile_hosts
  mode http
  server web1 10.0.0.17 check inter 2000 fall 3 rise 5

backend pc_hosts
  mode http
  server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5

测试结果:

[root@centos6 ~]#cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 centos6.localdomain
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.7 mobile.magedu.org  www.magedu.org magedu.org 

[root@centos6 ~]#curl www.magedu.org
10.0.0.27
[root@centos6 ~]#curl mobile.magedu.org
10.0.0.17
[root@centos6 ~]#curl magedu.org
10.0.0.27

ACL示例-基于源IP或子网调度访问

将指定的源地址调度至指定的web服务器组。

root@centos7 ~]#cat /etc/haproxy/conf.d/test.cfg
frontend  magedu_http_port
  bind 10.0.0.7:80
  mode http
  balance  roundrobin
  log global
  option httplog

###################### acl setting ###############################
  acl pc_domain  hdr_dom(host)      -i www.magedu.org
  acl mobile_domain hdr_dom(host)   -i mobile.magedu.org
  acl ip_range_test src 172.18.0.0/16 10.0.0.6

###################### acl hosts #################################
  use_backend  pc_hosts         if  ip_range_test   #放在第一行优先生效
  use_backend  pc_hosts         if   pc_domain
  use_backend  mobile_hosts     if   mobile_domain
  default_backend pc_hosts 

###################### backend hosts #############################
backend mobile_hosts
  mode http
  server web1 10.0.0.17 check inter 2000 fall 3 rise 5

backend pc_hosts
  mode http
  server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5 

测试结果

[root@centos6 ~]#hostname -I
10.0.0.6 
[root@centos6 ~]#curl www.magedu.org
10.0.0.27
[root@internet ~]#curl -H "HOST: www.magedu.org" 10.0.0.7
10.0.0.27
[root@centos6 ~]#curl mobile.magedu.org
10.0.0.27
[root@centos6 ~]#curl magedu.org
10.0.0.27
[root@centos8 ~]#curl mobile.magedu.org
10.0.0.17
[root@centos8 ~]#curl www.magedu.org
10.0.0.27
[root@centos8 ~]#curl magedu.org
10.0.0.27

ACL示例-基于源地址的访问控制

拒绝指定IP或者IP范围访问

listen  web_host
  bind 10.0.0.7:80
  mode http
  balance  roundrobin
  log global
  option httplog

###################### acl setting ###############################
  acl acl_deny_src src 10.0.0.6 192.168.0.0/24

###################### acl hosts #################################
  #block  if  acl_deny_src
  http-request deny  if acl_deny_src  #2.1版本后,不再支持block
  #http-request allow
  default_backend default_web
###################### backend hosts #############################
backend magedu_host
  mode http
  server web1 10.0.0.17 check inter 2000 fall 3 rise 5

backend default_web
  mode http
  server web1 10.0.0.27:80 check inter 2000 fall 3 rise 5

测试:

[root@centos6 ~]#curl www.magedu.org
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

ACL示例-匹配浏览器类型

匹配客户端浏览器,将不同类型的浏览器调动至不同的服务器组

[root@centos7 ~]#cat /etc/haproxy/conf.d/test.cfg
frontend  magedu_http_port
  bind 10.0.0.7:80
  mode http
  balance  roundrobin
  log global
  option httplog
###################### acl setting ###############################
  acl acl_user_agent    hdr_sub(User-Agent)  -i curl wget
  acl acl_user_agent_ab hdr_sub(User-Agent)  -i ApacheBench

###################### acl hosts #################################
  redirect prefix   http://10.0.0.8 if acl_user_agent               #301临时重定向至新URL
  http-request deny                 if acl_user_agent_ab            #拒绝ab
  default_backend pc_hosts 
###################### backend hosts #############################
backend mobile_hosts
  mode http
  server web1 10.0.0.17 check inter 2000 fall 3 rise 5

backend pc_hosts
  mode http
  server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5

范例:

[root@centos6 ~]#curl -I 10.0.0.7
HTTP/1.1 302 Found
content-length: 0
location: http://10.0.0.8/
cache-control: no-cache

[root@centos6 ~]#curl -L 10.0.0.7
10.0.0.8
[root@centos6 ~]#wget -O -  -q http://10.0.0.7
10.0.0.8
[root@centos6 ~]#curl -A chrome http://10.0.0.7
10.0.0.27

#模拟ab
[root@centos6 ~]#curl -A ApacheBench 10.0.0.7
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

[root@centos6 ~]#ab  -n1 -c 1 http://10.0.0.7/
This is ApacheBench, Version 2.3 <Revision: 655654>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 10.0.0.7 (be patient).....done

Server Software:        
Server Hostname:        10.0.0.7
Server Port:            80

Document Path:          /
Document Length:        93 bytes

Concurrency Level:      1
Time taken for tests:   0.001 seconds
Complete requests:      1
Failed requests:        0
Write errors:           0
Non-2xx responses:      1                   #提示出现非200的响应
Total transferred:      208 bytes
HTML transferred:       93 bytes
Requests per second:    939.85 [#/sec] (mean)
Time per request:       1.064 [ms] (mean)
Time per request:       1.064 [ms] (mean, across all concurrent requests)
Transfer rate:          190.91 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        1    1   0.0      1       1
Processing:     1    1   0.0      1       1
Waiting:        0    0   0.0      0       0
Total:          1    1   0.0      1       1

#haproxy日志提示403
[root@centos7 ~]#tail /var/log/haproxy.log
Apr  4 08:16:29 localhost haproxy[1483]: 10.0.0.6:56470 [04/Apr/2020:08:16:29.977] magedu_http_port magedu_http_port/<NOSRV> 0/-1/-1/-1/0 403 212 - - PR-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"

ACL示例-基于文件后缀名实现动静分离

[root@centos7 ~]#cat /etc/haproxy/conf.d/test.cfg
frontend  magedu_http_port
  bind 10.0.0.7:80
  mode http
  balance  roundrobin
  log global
  option httplog
###################### acl setting ###############################
  acl acl_static path_end -i .jpg .jpeg .png .gif .css .js
  acl acl_php   path_end -i .php
###################### acl hosts #################################
  use_backend  mobile_hosts if acl_static
  use_backend  app_hosts if acl_php
  default_backend pc_hosts 
###################### backend hosts #############################
backend mobile_hosts
  mode http
  server web1 10.0.0.17 check inter 2000 fall 3 rise 5

backend pc_hosts
  mode http
  server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5

backend app_hosts
  mode http
  server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5

#分别在后端两台主机准备相关文件
[root@centos17 ~]#ls /var/www/html
index.html  wang.jpg

[root@centos27 ~]#cat /var/www/html/test.php
<?php
echo "<h1>http://10.0.0.27/test.php</h1>\n";
?>

haproxy-ACL案例插图
haproxy-ACL案例插图(1)

ACL-匹配访问路径实现动静分离

[root@centos7 ~]#cat /etc/haproxy/conf.d/test.cfg
frontend  magedu_http_port
  bind 10.0.0.7:80
  mode http
  balance  roundrobin
  log global
  option httplog
###################### acl setting ###############################
  acl  acl_static  path_beg  -i  /static /images /javascript
  acl  acl_static  path_end  -i .jpg .jpeg .png .gif .css.js

###################### acl hosts #################################
  use_backend static_hosts if acl_static
  default_backend app_hosts 
###################### backend hosts #############################
backend static_hosts
  mode http
  server web1 10.0.0.17 check inter 2000 fall 3 rise 5

backend app_hosts
  mode http
  server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5

#创建相关文件
[root@centos17 ~]#mkdir /var/www/html/static
[root@centos17 ~]#echo 10.0.0.17 >  /var/www/html/static/test.html

#测试访问
[root@centos6 ~]#curl 10.0.0.7/static/test.html
10.0.0.17

ACL示例-预定义ACL使用

官方帮助文档:http://cbonte.github.io/haproxy-dconv/2.1/configuration.html#7.4

预定义ACL

ACL name Equivalent to Usage
FALSE always_false never match
HTTP req_proto_http match if protocol is valid HTTP
HTTP_1.0 req_ver 1.0 match HTTP version 1.0
HTTP_1.1 req_ver 1.1 match HTTP version 1.1
HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length
HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme
HTTP_URL_SLASH url_beg / match URL beginning with "/"
HTTP_URL_STAR url * match URL equal to "*"
LOCALHOST src 127.0.0.1/8 match connection from local host
METH_CONNECT method CONNECT match HTTP CONNECT method
METH_DELETE method DELETE match HTTP DELETE method
METH_GET method GET HEAD match HTTP GET or HEAD method
METH_HEAD method HEAD match HTTP HEAD method
METH_OPTIONS method OPTIONS match HTTP OPTIONS method
METH_POST method POST match HTTP POST method
METH_PUT method PUT match HTTP PUT method
METH_TRACE method TRACE match HTTP TRACE method
RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie
REQ_CONTENT req_len gt 0 match data in the request buffer
TRUE always_true always match
WAIT_END wait_end wait for end of content analysis

预定义ACL使用

[root@centos6 ~]#curl -I -XTRACE 10.0.0.7/static/test.html
HTTP/1.1 200 OK
date: Sat, 04 Apr 2020 02:04:01 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
transfer-encoding: chunked
content-type: message/http

[root@centos7 ~]#cat  /etc/haproxy/conf.d/test.cfg
frontend  magedu_http_port
  bind 10.0.0.7:80
  mode http
  balance  roundrobin
  log global
  option httplog
###################### acl setting ###############################
  acl  acl_static_path  path_beg  -i  /static /images /javascript
###################### acl hosts #################################
  use_backend static_path_hosts
  http-request deny if METH_TRACE  HTTP_1.1  #引用预定义的ACL,与关系
  default_backend pc_hosts 
################### backend hosts ################################
backend static_path_hosts
  mode http
  server web1 10.0.0.17 check inter 2000 fall 3 rise 5

backend mobile_hosts
  mode http
  server web1 10.0.0.17 check inter 2000 fall 3 rise 5

backend pc_hosts
  mode http
  server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5

[root@centos6 ~]#curl -I -XTRACE 10.0.0.7/static/test.html
HTTP/1.1 403 Forbidden
content-length: 93
cache-control: no-cache
content-type: text/html
connection: close

[root@centos6 ~]#curl -I -0 -XTRACE 10.0.0.7/static/test.html
HTTP/1.1 200 OK
date: Sat, 04 Apr 2020 02:10:13 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
content-type: message/http
connection: close

#查看日志,观察协议版本
[root@centos17 ~]#tail /var/log/httpd/access_log 
10.0.0.7 - - [04/Apr/2020:10:11:41 +0800] "TRACE /static/test.html HTTP/1.0" 200 230 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

[root@centos6 ~]#curl  -i 10.0.0.7/static/test.html
HTTP/1.1 200 OK
date: Sat, 04 Apr 2020 02:07:58 GMT
server: Apache/2.4.6 (CentOS) PHP/5.4.16
last-modified: Sat, 04 Apr 2020 01:27:45 GMT
etag: "a-5a26cf0ed4913"
accept-ranges: bytes
content-length: 10
content-type: text/html; charset=UTF-8
10.0.0.17

本文链接:http://www.yunweipai.com/35302.html

hapxory-ACL基础介绍

haproxy-自定义HAProxy页面

网友评论comments

发表评论

邮箱地址不会被公开。

暂无评论

Copyright © 2012-2021 YUNWEIPAI.COM - 运维派 京ICP备16064699号-6
扫二维码
扫二维码
返回顶部