当前大多数的互联网系统都使用了服务器集群技术,集群是将相同服务部署在多台服务器上构成一个集群整体对外提供服务,这些集群可以是 Web 应用服务器集群,也可以是数据库服务器集群,还可以是分布式缓存服务器集群等等。
在实际应用中,在 Web 服务器集群之前总会有一台负载均衡服务器,负载均衡设备的任务就是作为 Web 服务器流量的入口,挑选最合适的一台 Web 服务器,将客户端的请求转发给它处理,实现客户端到真实服务端的透明转发。
最近几年很火的「云计算」以及分布式架构,本质上也是将后端服务器作为计算资源、存储资源,由某台管理服务器封装成一个服务对外提供,客户端不需要关心真正提供服务的是哪台机器,在它看来,就好像它面对的是一台拥有近乎无限能力的服务器,而本质上,真正提供服务的,是后端的集群。 继续阅读
This snippet shows you how to use haproxy to restrict certain URLs to certain IP addresses. For example, to make sure your admin interface can only be accessed from your company IP address.
This snippet was tested on haproxy 1.5.
This snippet is tested on a Digital Ocean VPS. If you like this snippet and want to support me, plus get free credit @ DO, use this link to order a Digital Ocean VPS: https://www.digitalocean.com/?refcode=7435ae6b8212
This example restricts access to the /admin/ and /helpdesk URL’s. It only allows access from the IP addresses 20.30.40.50 and 20.30.40.40. Any other IP addresses will get the standard haproxy 403 forbidden error. 继续阅读
HAProxy提供高可用性、负载均衡以及基于TCP和HTTP应用的代理,支持虚拟主机,它是免费、快速并且可靠的一种解决方案。根据官方数据,其最高极限支持10G的并发。
HAProxy特别适用于那些负载特大的web站点,这些站点通常又需要会话保持或七层处理。HAProxy运行在当前的硬件上,完全可以支持数以万计的并发连接。并且它的运行模式使得它可以很简单安全的整合进您当前的架构中,同时可以保护你的web服务器不被暴露到网络上。
其支持从4层至7层的网络交换,即覆盖所有的TCP协议。就是说,Haproxy 甚至还支持 Mysql 的均衡负载(read)。
如果说在功能上,能以proxy反向代理方式实现WEB均衡负载,这样的产品有很多。包括 Nginx,ApacheProxy,lighttpd,Cheroke 等。
但要明确一点的,Haproxy 并不是 Http 服务器。以上提到所有带反向代理均衡负载的产品,都清一色是 WEB 服务器。简单说,就是他们能自个儿提供静态(html,jpg,gif..)或动态(php,cgi..)文件的传输以及处理。而Haproxy 仅仅,而且专门是一款的用于均衡负载的应用代理。其自身并不能提供http服务。
但其配置简单,拥有非常不错的服务器健康检查功能还有专门的系统状态监控页面,当其代理的后端服务器出现故障, HAProxy会自动将该服务器摘除,故障恢复后再自动将该服务器加入。自1.3版本开始还引入了frontend、backend,frontend根据任意HTTP请求头内容做规则匹配,然后把请求定向到相关的backend。 继续阅读
We’ve seen recently more and more DOS and DDOS attacks. Some of them were very big, requiring thousands of computers…
But in most cases, this kind of attacks are made by a few computers aiming to make a service or website unavailable, either by sending it too many requests or by taking all its available resources, preventing regular users to use the service.
Some attacks targets known vulnerabilities of widely used applications.
In the present article, we’ll explain how to take advantage of an application delivery controller to protect your website and application against DOS, DDOS and vulnerability scans.
Why using a LB for such protection since a firewall and a Web Application Firewall (aka WAF) could already do the job?
Well, the Firewall is not aware of the application layer but would be useful to pretect against SYN flood attacks. That’s why we saw recently application layer firewalls: Web Application Firewalls, also known as WAF.
Well, since the load balancer is in front of the platform, it can be a good partner for the WAF, filtering out 99% of the attacks, which are managed by script kiddies. The WAF can then happily clean up the remaining attacks.
Well, maybe you don’t need a WAF and you want to take advantage of your Aloha and save some money ;).
Note that you need an application layer load-balancer, like Aloha or OpenSource HAProxy to be efficient. 继续阅读
In this article we will explore how to setup a simple Tomcat cluster and load balancing using HAProxy. Our environment will consists of two Tomcat (latest version) instances running under Ubuntu Lucid (10.04 LTS). We will use sample applications from the built-in Tomcat package to demonstrate various scenarios. Later in the tutorial, we will study in-depth how to configure HAProxy and how to setup logging.
What is HAProxy?
HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing – http://haproxy.1wt.eu/
What is Tomcat?
Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies… Apache Tomcat powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations – http://tomcat.apache.org/
1. High Availability of Tomcat
|
1
2
3
4
5
6
7
8
9
10
11
12
13
|
frontend tomcat *:82
mode http
default_backend tomcat
backend tomcat
mode http
balance roundrobin
option forwardfor
option http–server–close
cookie JSESSIONID prefix
# http-server-close is very important – without this, only the first request will have its headers inspected for cookies and hence our JSESSIONID – so sticky sessions will not work.
server tomcat1 127.0.0.1:8080 cookie JSESSIONID_SERVER_1 check inter 5000
server tomcat2 127.0.0.1:8180 cookie JSESSIONID_SERVER_2 check inter 5000
|
Let’s imagine a situation where, for whatever reason, we have a number of web applications available for users, and we want users to access them using, for example,
https://example.com/appname/
Each application is served by a number of backend servers, so we want some sort of load balancing. Each backend server is not aware of the clustering, and expects requests relative to /, not /appname. Also, SSL connections and caching are needed. The following picture illustrates the situation:
Here is an example of how to implement such a setup using Apache, HAProxy and keepalived. The provided configuration samples refer to the load balancer machine(s). Here’s the logical structure of a load balancer described here:
This article will describe the process required to set up a highly-available SSL-enabled load balancer using HAProxy, stunnel and keepalived to front a pair of Apache Tomcat instances.
The configuration will start off simple, and extend and grow as more functionality is added. First, a session-aware HAProxy load balancer is configured. Next, Tomcat clustering is configured with session replication and the responsibility for maintaining session state is moved to Tomcat. Then, keepalived is added – providing a failover IP between HAProxy instances running on two nodes. The solution is then fully HA. To complete the article, SSL support will be enabled by way of adding stunnel in front of the HAProxy instances, and a few cleanup tasks performed. 继续阅读
一、简介
二、环境介绍
三、安装配置后端服务器
四、安装配置Haproxy
五、安装配置Keepalived
六、验证服务
一、简介
HAProxy简介:
HAProxy提供高可用性、负载均衡以及基于TCP和HTTP应用的代理,支持虚拟主机,它是免费、快速并且可靠的一种解决方案。HAProxy特别适用于那些负载特大的web站点,这些站点通常又需要会话保持或七层处理。HAProxy运行在时下的硬件上,完全可以支持数以万计的并发连接。并且它的运行模式使得它可以很简单安全的整合进您当前的架构中, 同时可以保护你的web服务器不被暴露到网络上
HAProxy实现了一种事件驱动、单一进程模型,此模型支持非常大的并发连接数。多进程或多线程模型受内存限制 、系统调度器限制以及无处不在的锁限制,很少能处理数千并发连接。事件驱动模型因为在有更好的资源和时间管理的用户端(User-Space) 实现所有这些任务,所以没有这些问题。此模型的弊端是,在多核系统上,这些程序通常扩展性较差。这就是为什么他们必须进行优化以 使每个CPU时间片(Cycle)做更多的工作
Keepalived简介:
KeepAlived是一个类似于layer3, 4 & 5交换机制的软件,是一个高可用解决方案,通过虚拟IP地址和心跳检测对方状态来实现高可用功能。Keepalived是由两台服务器分别指定Master与Backup两个角色,而指定Master的优先级比Backup的高;所以默认情况下虚拟IP会绑定到Master服务器上,对外提供服务。而Master、Backup服务器会在一定的时间间隔向对方发送心跳信息来检测对方的存活状态,时间间隔一般为2秒钟可以修改,如果Backup发现Master宕机,那么Backup会发送ARP包到网关,然后把虚拟IP绑定到自己的网卡上,此时Backup对外提供服务,实现了自动化的故障转移,当Master恢复的时会重新接管所有资源 继续阅读
We’re going to explore high availability and load balancing using Keepalived and HAProxy.
Keepalived is a routing software designed to provide simple and robust facilities for load balancing and high-availability to Linux systems and Linux-based infrastructures.
HAProxy is an open source load balancer/reverse proxy generally used for load balancing web services, but also has the functionality to load balance TCP traffic. 继续阅读