Source Install HAProxy 1.8 on CentOS 7
HAProxy 1.8 source install (compile) guide
HAProxy is currently one of the best-known software load balancers. It provides L7 as well as L4 features, so it is used in many places. Plenty of blogs and sites already describe what HAProxy can do, so this guide covers only the installation procedure.
This guide uses HAProxy 1.8 and refers to the official site, HAProxy – The Reliable, High Performance TCP/HTTP Load Balancer, and to HAProxy version 1.8.27 – Starter Guide (cbonte.github.io).
Install dependency packages
[root@172-19-10-106 /]# yum install -y make gcc gcc-c++ pcre-devel openssl-devel
[root@172-19-10-106 /]# cd /data/apps/dn
[root@172-19-10-106 dn]# wget http://www.haproxy.org/download/1.8/src/haproxy-1.8.17.tar.gz
Extract the archive
[root@172-19-10-106 dn]# tar xvzf haproxy-1.8.17.tar.gz
Check the Linux kernel
[root@172-19-10-106 dn]# uname -a
Linux 172-19-10-106 3.10.0-862.3.2.el7.x86_64 #1 SMP Mon May 21 23:36:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
This step is needed in order to pass the TARGET option to make. After checking the kernel, set TARGET to the value the README file specifies for it. Below is the TARGET variable list from the HAProxy README file:
- linux22 for Linux 2.2
- linux24 for Linux 2.4 and above (default)
- linux24e for Linux 2.4 with support for a working epoll (> 0.21)
- linux26 for Linux 2.6 and above
- linux2628 for Linux 2.6.28, 3.x, and above (enables splice and tproxy)
- solaris for Solaris 8 or 10 (others untested)
- freebsd for FreeBSD 5 to 10 (others untested)
- netbsd for NetBSD
- osx for Mac OS/X
- openbsd for OpenBSD 5.7 and above
- aix51 for AIX 5.1
- aix52 for AIX 5.2
- cygwin for Cygwin
- haiku for Haiku
- generic for any other OS or version.
- custom to manually adjust every setting
Compile
[root@172-19-10-106 dn]# cd haproxy-1.8.17
[root@172-19-10-106 haproxy-1.8.17]# make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
[root@172-19-10-106 haproxy-1.8.17]# make PREFIX=/data/apps/src/haproxy-1.8.17 DESTDIR= install
Create the symlink
[root@172-19-10-106 haproxy-1.8.17]# ln -s /data/apps/src/haproxy-1.8.17 /data/apps/ln/haproxy
Create the user
[root@172-19-10-106 haproxy-1.8.17]# useradd -M -r -s /sbin/nologin haproxy
Create the init script
: vi /etc/init.d/haproxy
#!/bin/sh
#
# chkconfig: - 85 15
# description: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited \
#              for high availability environments.
# processname: haproxy
# config: /etc/haproxy/haproxy.cfg
# pidfile: /var/run/haproxy.pid

# Script Author: Simon Matter <simon.matter@invoca.ch>
# Version: 2004060600

# Source function library.
if [ -f /etc/init.d/functions ]; then
  . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
  . /etc/rc.d/init.d/functions
else
  exit 0
fi

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# This is our service name
BASENAME=`basename $0`
if [ -L $0 ]; then
  BASENAME=`find $0 -name $BASENAME -printf %l`
  BASENAME=`basename $BASENAME`
fi

BIN=/data/apps/ln/haproxy/sbin/$BASENAME

CFG=/etc/$BASENAME/$BASENAME.cfg
[ -f $CFG ] || exit 1

PIDFILE=/var/run/$BASENAME.pid
LOCKFILE=/var/lock/subsys/$BASENAME

RETVAL=0

start() {
  quiet_check
  if [ $? -ne 0 ]; then
    echo "Errors found in configuration file, check it with '$BASENAME check'."
    return 1
  fi

  echo -n "Starting $BASENAME: "
  daemon $BIN -D -f $CFG -p $PIDFILE
  RETVAL=$?
  echo
  [ $RETVAL -eq 0 ] && touch $LOCKFILE
  return $RETVAL
}

stop() {
  echo -n "Shutting down $BASENAME: "
  killproc $BASENAME -USR1
  RETVAL=$?
  echo
  [ $RETVAL -eq 0 ] && rm -f $LOCKFILE
  [ $RETVAL -eq 0 ] && rm -f $PIDFILE
  return $RETVAL
}

restart() {
  quiet_check
  if [ $? -ne 0 ]; then
    echo "Errors found in configuration file, check it with '$BASENAME check'."
    return 1
  fi
  stop
  start
}

reload() {
  if ! [ -s $PIDFILE ]; then
    return 0
  fi

  quiet_check
  if [ $? -ne 0 ]; then
    echo "Errors found in configuration file, check it with '$BASENAME check'."
    return 1
  fi
  $BIN -D -f $CFG -p $PIDFILE -sf $(cat $PIDFILE)
}

check() {
  $BIN -c -q -V -f $CFG
}

quiet_check() {
  $BIN -c -q -f $CFG
}

rhstatus() {
  status $BASENAME
}

condrestart() {
  [ -e $LOCKFILE ] && restart || :
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  reload)
    reload
    ;;
  condrestart)
    condrestart
    ;;
  status)
    rhstatus
    ;;
  check)
    check
    ;;
  *)
    echo $"Usage: $BASENAME {start|stop|restart|reload|condrestart|status|check}"
    exit 1
esac

exit $?
Change the init script permissions
[root@172-19-10-106 haproxy-1.8.17]# chmod 755 /etc/init.d/haproxy
haproxy config settings
: vi /etc/haproxy/haproxy.cfg
# This is only a sample; see the official documentation linked above for details
global
    daemon
    user haproxy
    group haproxy
    master-worker
    maxconn 10240
    log 10.19.10.249 local2 # syslog server
    stats socket /var/run/haproxy.sock mode 660 level admin
    stats timeout 60s
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:DHE-DSS-AES256-SHA:ADH-AES256-SHA:!DSS
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:DHE-DSS-AES256-SHA:ADH-AES256-SHA:!DSS
    ssl-default-server-options no-sslv3 no-tls-tickets

defaults
    mode http
    option httplog
    log global
    option dontlognull
    option forwardfor
    option http-server-close
    retries 3
    maxconn 10240
    timeout connect 180s
    timeout server 180s
    timeout client 180s
    timeout http-keep-alive 60s

# HAProxy status page URI settings
listen stats
    bind :14098
    stats enable
    stats realm HAProxy\ Statistics
    stats auth statsloginid:statsloginpassword
    stats refresh 60s
    stats uri /haproxy_status

frontend http-in
    bind :80
    mode http
    option httplog
    log global
    option dontlognull
    option forwardfor
    option http-server-close
    maxconn 10240
    redirect prefix https://umount.net code 301 if { hdr(host) -i www.umount.net }
    redirect scheme https code 301 if { hdr(host) -i umount.net } !{ ssl_fc }

frontend https-in
    bind :443 ssl crt /etc/haproxy/secure/haproxy.umount.net.pem alpn h2,http/1.1
    mode http
    option httplog
    log global
    option dontlognull
    option forwardfor
    option http-server-close
    maxconn 10240
    reqadd X-Forwarded-Proto:\ https
    redirect prefix https://umount.net code 301 if { hdr(host) -i www.umount.net }
    acl umount.net hdr(host) -i umount.net
    use_backend umount.net if umount.net
    # set default backend
    default_backend umount.net

backend umount.net
    mode http
    option forwardfor
    option httpchk GET /lib/healthcheck.php # option: used for the health check, so the file must exist at this path
    http-check expect status 200 # option: the health check is OK when the file above returns status 200
    fullconn 8192
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server web01 10.19.10.5:80 cookie web01 check inter 10s fastinter 2s rise 3 fall 3 maxconn 4096
    server web02 10.19.10.6:80 cookie web02 check inter 10s fastinter 2s rise 3 fall 3 maxconn 4096
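The cipher lists in the sample configuration above are long enough that weak entries are easy to miss. The script below is an added example, not part of the original guide: it triages the suites on the ssl-default-bind-ciphers and ssl-default-server-ciphers lines by name, flagging anonymous DH, 3DES/RC4/MD5 suites, and suites without ephemeral key exchange. The function names and the shortened sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): name-based triage of the cipher
# lists in a haproxy.cfg. Suite names are matched as text; OpenSSL is not called.
# classify_cipher NAME -> directive | anon | legacy | ok | no-fs
classify_cipher() {
    case "$1" in
        '!'*|-*|+*)             echo directive ;; # list operators such as !DSS
        ADH-*|AECDH-*)          echo anon ;;      # anonymous DH: server is not authenticated
        *DES-CBC3*|*RC4*|*-MD5) echo legacy ;;    # 3DES, RC4 or MD5-based suites
        ECDHE-*|DHE-*|EDH-*)    echo ok ;;        # ephemeral key exchange (forward secrecy)
        *)                      echo no-fs ;;     # static RSA key exchange
    esac
}

# audit_list "A:B:C" -> one "class suite" line for every suite that is not ok
audit_list() {
    old_ifs=$IFS; IFS=:; set -f
    for suite in $1; do
        class=$(classify_cipher "$suite")
        case "$class" in ok|directive) ;; *) echo "$class $suite" ;; esac
    done
    set +f; IFS=$old_ifs
}

# audit_cfg FILE -> "keyword class suite" for both ssl-default-*-ciphers lines
audit_cfg() {
    awk '$1 ~ /^ssl-default-(bind|server)-ciphers$/ { print $1, $2 }' "$1" |
    while read -r keyword list; do
        audit_list "$list" | sed "s/^/$keyword /"
    done
}

# count_findings FILE CLASS -> number of suites of that class in the file
count_findings() {
    audit_cfg "$1" | awk -v c="$2" '$2 == c { n++ } END { print n + 0 }'
}

# Constructed sample: the guide's config cut down to a few suites per list
sample_cfg() {
cat <<'EOF'
global
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:DES-CBC3-SHA:ADH-AES256-SHA:!DSS
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:DHE-DSS-AES256-SHA:ADH-AES256-SHA:!DSS
EOF
}

cfg=$(mktemp) && sample_cfg > "$cfg" && audit_cfg "$cfg"
rm -f "$cfg"
```

To check the real file, call audit_cfg /etc/haproxy/haproxy.cfg. Name matching is a triage aid; what the linked OpenSSL build actually negotiates still has to be confirmed against the running listener.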
Enable at boot and start
[root@172-19-10-106 haproxy-1.8.17]# chkconfig haproxy on
[root@172-19-10-106 haproxy-1.8.17]# service haproxy start