作者:E4b9a6, 创建:2021-06-16, 字数:1943, 已阅:135, 最后更新:2021-06-16
在封闭内网中,有多台 HTTP 代理服务器做正向代理访问外网,这里使用 HAProxy 对它们做一个简单的配置
global
    # Process-wide cap on concurrent connections.
    maxconn 2000
    # Logging: local syslog socket (local0, local1 at notice) plus UDP to
    # 127.0.0.1 facility local2; the local2 stream is what rsyslog can
    # write to a file.
    log /dev/log local0
    log /dev/log local1 notice
    log 127.0.0.1 local2
    # Confine the process and drop privileges after startup.
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    # Runtime API socket: group-readable/writable only (mode 660), admin level.
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    # Default SSL material locations.
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers and options for SSL-enabled listening sockets. No
    # "bind" in this file uses ssl, so these only apply if a TLS bind is
    # added later. Cipher list from ciphers(1SSL) /
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ ;
    # an alternative with extra directives:
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
defaults
    # Per-proxy connection cap, same value as the global limit.
    maxconn 2000
    log global
    mode http
    option httplog
    # Skip log lines for connections that close without sending data.
    option dontlognull
    # Inactivity limits: upstream connect, client side, server side.
    timeout connect 30s
    timeout client 30s
    timeout server 30s
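frontend http-proxy
    bind *:33128
    mode http
    # Only 172.16.1.2 may use this proxy; every other source IP is refused.
    # Rejecting at the connection level (rather than with
    # "tcp-request content") closes unauthorized clients as soon as the
    # TCP connection is accepted, before any session or request buffer
    # exists. "src" is known at that point, so no inspect-delay is needed.
    acl allow_host src 172.16.1.2
    tcp-request connection reject unless allow_host
    default_backend http-proxy-backend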
backend http-proxy-backend
    mode http
    # Rotate evenly across the upstream proxies; if the chosen server
    # cannot be reached, redispatch the request to another one.
    balance roundrobin
    option redispatch
    # Requests above a server's maxconn wait in the queue for up to 30s.
    timeout queue 30s
    # Health check every 1000ms; one passing or failing check flips a
    # server's state. Applies to all "server" lines below.
    default-server check inter 1000 rise 1 fall 1 maxconn 2000
    server http-proxy-1 172.16.1.11:3128
    server http-proxy-2 172.16.1.12:3128
    server http-proxy-3 172.16.1.13:3128
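# Monitoring dashboard, reachable on port 8404 at /monitor.
listen stats
    bind *:8404
    stats enable
    stats uri /monitor
    stats refresh 5s
    # The dashboard lists backend addresses and health, and "stats enable"
    # alone requires no login. Hide the HAProxy version string and accept
    # only the admin host the proxy frontend already allows; add further
    # monitoring hosts to the acl as needed. To require a login as well,
    # add a "stats auth <user>:<password>" line.
    stats hide-version
    acl stats_allow src 172.16.1.2
    tcp-request connection reject unless stats_allow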
如果需要将访问日志输出到 /var/log/haproxy.log,则需要修改 /etc/rsyslog.conf,在文件末尾添加如下配置
...
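$ModLoad imudp
# HAProxy sends its local2 stream to 127.0.0.1 ("log 127.0.0.1 local2" in
# the global section), so bind the UDP listener to loopback only. Without
# $UDPServerAddress, port 514 accepts syslog from any host that can reach
# this machine, and anything it sends lands in the same log file.
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
local2.* /var/log/haproxy.log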