haproxy打开日志:
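# Enable UDP syslog reception in rsyslog so HAProxy can log to 127.0.0.1.
vim /etc/rsyslog.conf

# --- lines to set inside /etc/rsyslog.conf (rsyslog syntax, not shell) ---
# Uncomment: load the UDP input module.
$ModLoad imudp
# Added: bind the listener to loopback only. HAProxy logs to 127.0.0.1, and
# without this line rsyslog accepts UDP syslog on every interface. It must come
# before $UDPServerRun. Omit it only if this host is meant to receive remote syslog.
$UDPServerAddress 127.0.0.1
# Uncomment: listen on UDP port 514.
$UDPServerRun 514
# Add this rule below the existing local7 line.
local2.*    /var/log/haproxy.log
# --- end of /etc/rsyslog.conf changes ---

systemctl restart rsyslog.service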
haproxy的global配置段:
# Send HAProxy logs to the syslog daemon on 127.0.0.1 using facility local2.
log 127.0.0.1 local2 # enable the UDP listener in rsyslog and add a local2 rule
global配置段:
# Directives for the global section, one per line.
# Log to the syslog daemon on 127.0.0.1, facility local2 (rsyslog must have its
# UDP listener enabled and a local2 rule added).
log 127.0.0.1 local2
# Hardening: chroot the process into this directory.
chroot /var/lib/haproxy
# PID file.
pidfile /var/run/haproxy.pid
# Maximum number of concurrent connections.
maxconn 4000
# User the process runs as.
user haproxy
# Group the process runs as.
group haproxy
# Run as a daemon.
daemon
# turn on stats unix socket
# NOTE(review): no `mode` or `level` is given here, so access to the socket
# presumably follows the process umask; confirm the resulting permissions.
stats socket /var/lib/haproxy/stats
简单代理配置:
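# Minimal HTTP proxy: one frontend on port 80 and one round-robin backend.
frontend main
    # The listening address is moved to an explicit `bind` line. The
    # address-on-the-frontend-line form is legacy syntax that later HAProxy
    # releases no longer accept; the 2.8.5 example on this page also uses `bind`.
    bind *:80
    default_backend webserver

backend webserver
    balance roundrobin
    # NOTE(review): web1 and web2 point at the same address, so this balances
    # across a single host; presumably web2 should be a second server. Confirm.
    server web1 192.168.199.80:80 check
    server web2 192.168.199.80:80 check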
条件后端:
# Route to backend `server1` when the ACL `url_dyn` matches. Neither the ACL nor
# the backend is defined in this snippet; both must exist in the same configuration.
use_backend server1 if url_dyn
开启监控页面:
# HAProxy statistics (monitoring) page.
listen admin_stat
    # Web management port 8888; choose your own. 0.0.0.0 listens on every
    # interface, so bind to a management address instead if the page should not
    # be reachable from all networks.
    bind 0.0.0.0:8888
    mode http
    stats refresh 30s
    # Management URL; choose your own.
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    # Management user name and password; choose your own. admin:admin is a
    # placeholder and must be replaced before deployment. This listener has no
    # TLS, so the credentials travel as HTTP Basic auth in clear text.
    stats auth admin:admin
    stats hide-version
加白名单:
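backend k8s
    mode tcp
    option tcplog
    option tcp-check
    balance roundrobin
    # Allow-list: accept only clients whose source address is listed in the file
    # (one address or CIDR per line); everything else reaches the reject rule.
    # `src` is the address of the TCP peer, so if clients arrive through NAT or
    # another proxy, that device's address is what must be listed.
    tcp-request content accept if { src -f /etc/haproxy/white_ip_list }
    tcp-request content reject
    server master01 master01-prod-zx-xg.pudaocredit.local:6443 check
    server master02 master02-prod-zx-xg.pudaocredit.local:6443 check
    server master03 master03-prod-zx-xg.pudaocredit.local:6443 check

white_ip_list: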
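# /etc/haproxy/white_ip_list: one source address per line (HAProxy reads
# pattern files line by line and skips lines that start with '#').
192.168.199.80
192.168.199.81
192.168.199.82
192.168.199.88
192.168.199.89
192.168.199.86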
HA-Proxy version 1.5.18 版本配置:
global
    # Log to the syslog daemon on 127.0.0.1 with facility local2.
    log         127.0.0.1 local2

    # Process confinement and identity: chroot, then run as an unprivileged
    # user and group in the background.
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    # NOTE(review): no `mode` or `level` is given, so access to the socket
    # presumably follows the process umask; confirm the resulting permissions.
    stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    # Default to HTTP mode; the `main` frontend and `k8s` backend below override
    # this with `mode tcp`, where the HTTP-specific options do not apply.
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option                  http-server-close
    # Add X-Forwarded-For except for requests coming from loopback.
    option                  forwardfor except 127.0.0.0/8
    option                  redispatch
    retries                 3

    # Timeouts bound how long a slow or idle peer can hold a connection slot.
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
#---------------------------------------------------------------------
listen admin_stat
    # Statistics page. 0.0.0.0 exposes it on every interface; bind to a
    # management address instead if it should not be reachable from all networks.
    bind 0.0.0.0:8888
    mode http
    stats refresh 30s
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    # admin:admin is a placeholder credential and must be replaced before
    # deployment. This listener has no TLS, so the credentials travel as HTTP
    # Basic auth in clear text.
    stats auth admin:admin
    stats hide-version
#---------------------------------------------------------------------
# TCP entry point for the Kubernetes API; same listener as `frontend main *:8443`,
# written with an explicit bind line.
frontend main
    bind *:8443
    mode tcp
    option tcplog
    default_backend k8s
#---------------------------------------------------------------------
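backend k8s
    mode tcp
    option tcplog
    option tcp-check
    balance roundrobin
    # NOTE(review): unlike the allow-list example earlier on this page, this
    # backend has no tcp-request rules, so every client that can reach the
    # frontend is forwarded to the API servers.
    # The {{ ... }} values are template placeholders to be filled with the
    # master host names.
    server master01 {{ master01_hostname }}:6443 check
    server master02 {{ master02_hostname }}:6443 check
    server master03 {{ master03_hostname }}:6443 check

HAProxy version 2.8.5 版本配置: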
global
    # Adapted to the newer log path; uses facility local0.
    log /dev/log local0
    # Adds notice-level logging on local1.
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon

    # Stats socket (path and permissions adapted for the newer version).
    # `level admin` gives full runtime control to whoever can open the socket;
    # `mode 660` limits that to the socket's owner and group.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s

    # SSL defaults (from the newer version's template). They apply only to bind
    # lines that enable ssl; the bind lines shown on this page do not.
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # Refuse anything older than TLS 1.2 and disable TLS session tickets.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
    # The default mode remains http.
    mode http
    log global
    option httplog
    option dontlognull
    # Keep-alive connection optimisation.
    option http-server-close
    option forwardfor except 127.0.0.0/8
    # Session redispatch.
    option redispatch
    # Retry count.
    retries 3

    # The original timeout settings are kept explicitly.
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    # Default maximum connections.
    maxconn 3000

    # Error pages (from the newer version's template).
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
# 管理统计页面配置(保持 listen 块结构)
listen admin_stat
    # 0.0.0.0 exposes the statistics page on every interface; bind to a
    # management address instead if it should not be reachable from all networks.
    bind 0.0.0.0:8888
    # Mode stated explicitly.
    mode http
    stats enable
    stats refresh 30s
    stats uri /haproxy_stats
    stats realm "Haproxy Statistics"
    # admin:admin is a placeholder credential and must be replaced before
    # deployment. This bind line does not enable ssl, so the credentials travel
    # as HTTP Basic auth in clear text.
    stats auth admin:admin
    stats hide-version
# 前端 TCP 代理配置
frontend main
    # Listens on every interface, port 8443, and passes raw TCP to the k8s backend.
    bind *:8443
    mode tcp
    # TCP connection logging.
    option tcplog
    default_backend k8s
# 后端 Kubernetes 集群配置
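backend k8s
    mode tcp
    option tcplog
    # TCP health check.
    option tcp-check
    balance roundrobin
    # NOTE(review): unlike the allow-list example earlier on this page, this
    # backend has no tcp-request rules, so every client that can reach the
    # frontend is forwarded to the API servers.
    # The {{ ... }} values are template placeholders to be filled with the
    # master host names.
    server master01 {{ master01_hostname }}:6443 check
    server master02 {{ master02_hostname }}:6443 check
    server master03 {{ master03_hostname }}:6443 check

检查配置: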
# -c validates the configuration file given with -f and exits without starting
# the proxy; run it before every restart or reload.
haproxy -c -f /etc/haproxy/haproxy.cfg