From Wiki inetshell

Documentation

http://cbonte.github.io/haproxy-dconv/1.8/configuration.html

Timeouts

https://alohalb.wordpress.com/2012/11/07/websockets-load-balancing-with-haproxy/

https://www.haproxy.com/blog/the-four-essential-sections-of-an-haproxy-configuration/

https://rancher.com/docs/rancher/v1.6/en/faqs/troubleshooting/

https://www.haproxy.com/blog/haproxy-layer-7-retries-and-chaos-engineering/

  • timeout client: client inactivity
  • timeout connect: time allowed for the TCP connection to be established
  • timeout server: time allowed for the server to process the request

Performance

CPU

https://www.haproxy.com/blog/multithreading-in-haproxy/

http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#cpu-map

https://medium.freecodecamp.org/how-we-fine-tuned-haproxy-to-achieve-2-000-000-concurrent-ssl-connections-d017e61a4d27

https://blog.onefellow.com/post/82478335338/haproxy-mapping-process-to-cpu-core-for-maximum

  • multiprocess
global
  nbproc 8
  cpu-map auto:1-8  0-7
  maxconn 8192
  maxpipes 2048

Configure timeouts

defaults
timeout connect 300s
timeout client 300s
timeout server 300s

Restrict by password

https://wiki.inetshell.mx/index.php/Python:_Generar_password_con_crypt/sha256/sha512

  • Create password:
# The crypt module was removed in Python 3.13; run this with Python 3.12 or earlier.
# crypt.mksalt() generates the random salt for a SHA-512 ($6$) hash.
python3 -c "import crypt; print(crypt.crypt('MySecretPassword', crypt.mksalt(crypt.METHOD_SHA512)))"
  • HAProxy config:
userlist basic-auth-list
  group web-access
  user admin  password $6$oxPvHRVT$8lLFpj/U828hVUcrqh6v7CQnHHtWezf4Ac6KIJJt/MLiVONs3Feb97gEYA4NMAhS7IoyeVYwr4yLtrNRk5OUn/ groups web-access

backend web-access
acl draw-auth http_auth(basic-auth-list)
http-request auth realm draw unless draw-auth

Restrict by IP, HTTP backend

https://www.haproxy.com/blog/introduction-to-haproxy-acls/

backend server
acl allow_access src 192.168.1.0/24
http-request deny if { path -i -m beg / } ! allow_access

Restrict by IP, TCP frontend

frontend 10000
acl network_allowed src 192.168.0.0/16 10.0.0.0/8
tcp-request connection reject if !network_allowed

Use a backend with SSL/TLS without verification in Rancher

https://github.com/rancher/rancher/issues/4977

global
ssl-server-verify none

backend target1
server $IP ssl

backend target2
server $IP ssl

Use a backend with SSL/TLS without verification

https://raymii.org/s/snippets/haproxy_ssl_backends.html

backend example-backend
  balance roundrobin
  option httpchk GET /health_check
  server srv01 10.20.30.40:443 weight 1 maxconn 100 check ssl verify none
  server srv02 10.20.30.41:443 weight 1 maxconn 100 check ssl verify none
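
Added example, not part of the original wiki page: with ssl-server-verify none or verify none, HAProxy encrypts the connection to the backend but accepts any certificate the server presents. This check lists the server lines in a configuration that are left in that state, covering both snippets above. The function name, the sample configuration and the ca-file path are assumptions made for illustration.

```python
# Added example (not from the original page): flag HAProxy server lines that
# use TLS to the backend without verifying the server certificate.
SECTIONS = {"global", "defaults", "frontend", "backend", "listen", "userlist"}

# Constructed sample built from the two snippets above, plus one verified
# server. The ca-file path is a placeholder.
SAMPLE = """\
global
  ssl-server-verify none

backend target1
  server $IP ssl

backend example-backend
  server srv01 10.20.30.40:443 weight 1 maxconn 100 check ssl verify none
  server srv02 10.20.30.41:443 check ssl verify required ca-file /etc/haproxy/backend-ca.pem
"""

def unverified_tls_servers(config_text):
    """Return (section name, server, reason) for each TLS server left unverified."""
    # Naive tokenizer: strips '#' comments, does not handle a quoted '#'.
    rows = [ln.split("#", 1)[0].split() for ln in config_text.splitlines()]
    rows = [r for r in rows if r]

    # Pass 1: global default applied to servers with no "verify" keyword.
    default, section = "required", None
    for r in rows:
        if r[0] in SECTIONS:
            section = r[0]
        elif section == "global" and r[0] == "ssl-server-verify" and len(r) > 1:
            default = r[1]

    # Pass 2: inspect server lines in backend/listen sections.
    # default-server lines are not evaluated (simplification).
    findings, section, name = [], None, ""
    for r in rows:
        if r[0] in SECTIONS:
            section, name = r[0], (r[1] if len(r) > 1 else "")
            continue
        opts = r[2:]  # everything after the server name (or Rancher's $IP)
        if section not in ("backend", "listen") or r[0] != "server" or "ssl" not in opts:
            continue
        if "verify" in opts[:-1]:
            mode, reason = opts[opts.index("verify") + 1], "verify none on server line"
        else:
            mode, reason = default, "global ssl-server-verify none"
        if mode == "none":
            findings.append((name, r[1], reason))
    return findings

if __name__ == "__main__":
    for finding in unverified_tls_servers(SAMPLE):
        print(finding)
```

A server line that carries verify required with a ca-file, like srv02 in the sample, is not reported even when the global default is none.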

Log

https://rancher.com/docs/rancher/v1.6/en/faqs/troubleshooting/

https://discourse.haproxy.org/t/haproxy-1-9-2-info-logs-in-stdout/3429/5

global
log stdout format raw local0
defaults
log global
mode http
option httplog
frontend frontend-http-in
bind *:82
option httplog
acl url_ping path_beg /ping.html
use_backend app-backend if url_ping
backend app-backend
server applocal 127.0.0.1:81 check inter 1m
backend my-local
server applocal 127.0.0.1:83 check inter 1m

Logging in Rancher

https://rancher.com/docs/rancher/v1.6/en/faqs/troubleshooting/

log 127.0.0.1:8514 local0 debug