Updated: 2022-10-04 12:45:53
iptables:
http://blog.csdn.net/niejicai/article/details/50275367
haproxy:
```
yum install haproxy

listen stats                        # enable the HAProxy web stats page
    bind :9091
    stats enable
    stats uri /simpletime?admin
    stats hide-version
    stats auth admin:abc.123
    stats admin if TRUE
```

Start the service:

```
centos7 ~]# systemctl start haproxy
~]# systemctl status haproxy      # check status
~]# ss -tnlp                      # check whether ports 80 and 9091 are listening
~]# systemctl enable haproxy      # start on boot
```
Configuration file
http://blog.csdn.net/xuyouzheng/article/details/9818743
Original haproxy configuration
```
global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend main *:5000
    acl url_static       path_beg       -i /static /images /javascript /stylesheets
    acl url_static       path_end       -i .jpg .gif .png .css .js
    use_backend static          if url_static
    default_backend             app

backend static
    balance     roundrobin
    server      static 127.0.0.1:4331 check

backend app
    balance     roundrobin
    server  app1 127.0.0.1:5001 check
    server  app2 127.0.0.1:5002 check
    server  app3 127.0.0.1:5003 check
    server  app4 127.0.0.1:5004 check
```
Final haproxy configuration used
```
global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode                    tcp
    log                     global
    option                  tcplog
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend foxtrot-tango-papa-control
    bind *:21
    default_backend ftp_server_pool

frontend foxtrot-tango-papa01
    bind *:10501-10750
    default_backend foxtrot_tango_papa01

backend ftp_server_pool
    server foxtrot-tango-papa01 x.x.x.x check port 21 inter 10s rise 1 fall 2

backend foxtrot_tango_papa01
    server foxtrot-tango-papa01 x.x.x.x check port 21 inter 10s rise 1 fall 2
```
vim /etc/vsftpd/vsftpd.conf

Hostname mode: several HAProxy instances can be used at the same time (recommended)

```
pasv_enable=YES             # allow PASV mode
pasv_min_port=10000         # lowest passive port
pasv_max_port=10250         # highest passive port
pasv_addr_resolve=YES       # allow pasv_address to be resolved via DNS
pasv_address=ftp.upload.net
```

IP mode: only a single HAProxy instance is supported

```
pasv_enable=YES             # allow PASV mode
pasv_min_port=10000         # lowest passive port
pasv_max_port=10250         # highest passive port
pasv_address=1.1.1.1        # set this to the HAProxy IP address
```
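As an added example that is not part of the original post, the following Python script checks that the HAProxy FTP front ends above and the vsftpd passive settings agree: it parses the pasv_* keys, the HAProxy bind port ranges and a captured 227 PASV reply, and reports any case where a client's data connection would not pass through the load balancer. The config fragments, the load balancer address 1.1.1.1 and the PASV reply are constructed sample values (IP mode only; the hostname mode is not resolved here).

```python
import re

# Constructed sample fragments (assumptions for this example, not a live config).
VSFTPD_CONF = """
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10250
pasv_address=1.1.1.1
"""
HAPROXY_CFG = """
frontend ftp-control
    bind *:21
frontend ftp-passive
    bind *:10000-10250
"""

def parse_vsftpd_pasv(text):
    """Return (min_port, max_port, pasv_address) from a vsftpd.conf fragment."""
    kv = dict(re.findall(r"^\s*(pasv_\w+)\s*=\s*(\S+)", text, re.M))
    if kv.get("pasv_enable", "NO").upper() != "YES":
        raise ValueError("pasv_enable is not YES; passive mode is disabled")
    return int(kv["pasv_min_port"]), int(kv["pasv_max_port"]), kv["pasv_address"]

def parse_haproxy_bind_ranges(text):
    """Return the (low, high) port ranges from every 'bind' line."""
    return [(int(lo), int(hi or lo))
            for lo, hi in re.findall(r"^\s*bind\s+\S*?:(\d+)(?:-(\d+))?", text, re.M)]

def parse_pasv_reply(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a valid PASV reply")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_passive_setup(vsftpd_conf, haproxy_cfg, lb_ip, pasv_reply):
    """Return findings; an empty list means the passive data path stays on the LB."""
    findings = []
    lo, hi, pasv_addr = parse_vsftpd_pasv(vsftpd_conf)
    ranges = parse_haproxy_bind_ranges(haproxy_cfg)
    if not any(r_lo <= lo and hi <= r_hi for r_lo, r_hi in ranges):
        findings.append(f"vsftpd passive range {lo}-{hi} not covered by HAProxy binds {ranges}")
    if pasv_addr != lb_ip:
        findings.append(f"pasv_address {pasv_addr} is not the load balancer address {lb_ip}")
    ip, port = parse_pasv_reply(pasv_reply)
    if ip != lb_ip:
        findings.append(f"PASV reply advertises {ip}; the data connection would bypass the LB")
    if not lo <= port <= hi:
        findings.append(f"PASV reply port {port} is outside the passive range {lo}-{hi}")
    return findings
```

When the vsftpd range is not bound on HAProxy, login succeeds but every LIST or RETR data connection fails, which is the symptom to confirm with the tcpdump command at the end of the page.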
HAProxy logging configuration + rsyslog
http://www.ttlsa.com/linux/haproxy-log-configuration-syslog/
Blocking IPs with HAProxy ACLs

```
acl invalid_src  src        0.0.0.0/7 224.0.0.0/3
acl invalid_src  src_port   0:1023
acl local_dst    hdr(host)  -i localhost
block if invalid_src || local_dst
```

Use acl to define the rules, and (block|use_backend) to say what happens when they match; here we of course choose block!
The configuration above can appear in the following sections:

```
keyword                 defaults   frontend   listen   backend
------------------------+----------+----------+--------+---------
acl                        -          X          X        X
```

Or, in a backend section (backend webserver), use http-request rules for access control.
Troubleshooting
tcpdump -i eth0 -vnn dst host 172.16.1.122