Dear all,
We use haproxy for our web service. But we found the ACL not so nice to use. The HTTP ACL can't capture all the traffic to the backend web server; instead all our client requests go through the transparent backend to the Internet. Here is the configuration below. Our system is FreeBSD 9.1 stable.

HA-Proxy version 1.5-dev19 2013/06/17
Copyright 2000-2013 Willy Tarreau <[email protected]>

Build options :
  TARGET  = freebsd
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -pipe -fno-strict-aliasing -DFREEBSD_PORTS
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 0.9.8y 5 Feb 2013
Running on OpenSSL version : OpenSSL 0.9.8y 5 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.33 2013-05-28
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY

Available polling systems :
      kqueue : pref=300,  test result OK
        poll : pref=200,  test result OK
      select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.
###############
global
    log 192.168.149.22:10602 local4 info
    pidfile /var/run/ha-l1-n1.pid
    maxconn 200000
    maxpipes 50000
    daemon
    stats socket /tmp/ha-l1-n1.sock
    nbproc 2
    spread-checks 5
    tune.rcvbuf.client 16384
    tune.rcvbuf.server 16384
    tune.sndbuf.client 32768
    tune.sndbuf.server 16384
    node frontendL1
    # debug

defaults
    #TCP SECTION
    maxconn 200000
    backlog 32768
    timeout connect 5s
    timeout client 60s
    timeout server 60s
    timeout queue 60s
    timeout check 10s
    timeout http-request 15s
    timeout http-keep-alive 1s
    timeout tunnel 3600s
    option tcpka
    option tcp-smart-accept
    # option nolinger
    ### Linux specific
    # option splice-auto
    # option splice-request
    # option splice-response
    #HTTP SECTION
    hash-type consistent
    option accept-invalid-http-request
    option accept-invalid-http-response
    option redispatch
    option http-server-close
    option http-pretend-keepalive
    retries 2
    # option http-no-delay
    option httplog
    no option checkcache
    #SYSTEM SECTION
    option dontlog-normal
    option dontlognull
    option log-separate-errors
    # cookie SERVERID

##########################
listen admin_stat
    bind 192.168.140.48:1080
    mode http
    log global
    stats enable
    stats refresh 30s
    stats uri /admin?stats
    stats realm Haproxy\ Statistics
    stats auth admin:haproxy2012
    stats hide-version

######### frontend ##############
frontend tcp-in
    #bind 192.168.137.44:2222 transparent
    bind 192.168.137.44:2222
    mode tcp
    log global
    option tcplog
    #distinguish HTTP and non-HTTP
    # tcp-request inspect-delay 30s
    # tcp-request content accept if HTTP
    # tcp-request content accept if !HTTP
    # tcp-request content accept if WAIT_END
    #ACL DEFINE
    acl squid_incompatiable-Host hdr_reg(Host) -f /usr/local/etc/acl-define.d/squid_incompatiable-Host.txt
    acl direct-dstip dst -f /usr/local/etc/acl-define.d/direct_out-dst.txt
    #ACL DEFINE of websocket
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws
    #ACTION (the NginxClusterNormal and NginxClusterWebsockets backends are not included in this post)
    use_backend Direct if METH_CONNECT
    use_backend NginxClusterNormal if squid_incompatiable-Host
    use_backend NginxClusterWebsockets if is_websocket
    use_backend SquidCluster if HTTP
    use_backend Direct if !HTTP
    default_backend SquidCluster

backend SquidCluster
    mode http
    option abortonclose
    option forwardfor header X-Client
    balance uri whole
    log global
    acl mgmt-src src -f /usr/local/etc/acl-define.d/mgmt-src.txt
    # strip the proxy/cache headers from responses unless the client is a management host
    rspidel ^via:.* unless mgmt-src
    rspidel ^x-cache:* unless mgmt-src
    rspidel ^x-cache-lookup:* unless mgmt-src
    source 0.0.0.0
    option httpchk GET http://192.168.172.30/check.txt
    server sq-L1-n1a 192.168.134.24:3129 weight 20 check inter 5s maxconn 10000
    server sq-L1-n1b 192.168.134.25:3129 weight 20 check inter 5s maxconn 10000
    server sq-L1-n1c 192.168.134.26:3129 weight 20 check inter 5s maxconn 10000
    server sq-L1-n1d 192.168.134.27:3129 weight 20 check inter 5s maxconn 10000
    server sq-L1-n1e 192.168.134.28:3129 weight 20 check inter 5s maxconn 10000

backend Direct
    mode tcp
    log global
    option tcplog
    no option httpclose
    no option http-server-close
    no option accept-invalid-http-response
    no option http-pretend-keepalive
    # transparent proxying: connect out with the client's own source address
    source 0.0.0.0 usesrc clientip
    option transparent
    option abortonclose
    option tcp-smart-connect

Interface traffic:

Interface        Traffic        Peak           Total
lagg0    in      9.005 MB/s     9.748 MB/s     1.855 GB
         out     9.378 MB/s     9.817 MB/s     1.879 GB
vlan708  in      8.528 MB/s     9.236 MB/s     1.269 GB
         out     507.189 KB/s   539.656 KB/s   78.061 MB
         (All the traffic goes to the Internet through the Direct backend)
vlan705  in      3.701 KB/s     9.934 KB/s     10.645 MB
         out     2.394 KB/s     6.652 KB/s     7.050 MB
vlan67   in      0.579 KB/s     0.737 KB/s     1.873 MB
         out     0.788 KB/s     1.793 KB/s     1.627 MB
vlan64   in      477.880 KB/s   532.444 KB/s   103.494 MB
         (The incoming traffic comes through vlan64)
         out     8.888 MB/s     9.288 MB/s     1.762 GB
vlan62   in      3.875 KB/s     10.380 KB/s    483.774 MB
         out     1.908 KB/s     5.141 KB/s     33.764 MB
lo0      in      0.000 KB/s     0.046 KB/s     6.867 KB
         out     0.000 KB/s     0.046 KB/s     6.867 KB
igb1     in      4.772 MB/s     4.772 MB/s     849.381 MB
         out     4.054 MB/s     5.263 MB/s     956.056 MB
igb0     in      4.232 MB/s     5.724 MB/s     1.026 GB
         out     5.333 MB/s     5.333 MB/s     967.559 MB

Regards
Jinge
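Editor's added example (not part of Jinge's post and not HAProxy's own sample config): in a "mode tcp" frontend, layer-7 ACLs such as HTTP, METH_CONNECT, hdr(Host) and hdr(Upgrade) can only inspect bytes that are already in the request buffer. Without a "tcp-request inspect-delay", the use_backend rules are evaluated as soon as the connection is accepted, normally before the client has sent anything, so HTTP evaluates to false and the "use_backend Direct if !HTTP" catch-all matches every connection. The frontend below re-enables the inspect-delay lines that are commented out in the posted config. The 5s delay is an assumption; the bind address, backend names and ACL file paths are taken from the post.

```haproxy
frontend tcp-in
    bind 192.168.137.44:2222
    mode tcp
    log global
    option tcplog

    # Hold each new connection for up to 5s (assumed value) so that the
    # layer-7 ACLs below have request data to look at.
    tcp-request inspect-delay 5s
    # Release the connection as soon as a valid HTTP request line is seen ...
    tcp-request content accept if HTTP
    # ... or once the delay has expired, which is the non-HTTP case
    # (including clients that wait for the server to speak first).
    tcp-request content accept if WAIT_END

    acl squid_incompatiable-Host hdr_reg(Host) -f /usr/local/etc/acl-define.d/squid_incompatiable-Host.txt
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws

    # Rule order matters: the layer-7 decisions come first, the !HTTP
    # catch-all last. All of them now run after the inspect delay.
    use_backend Direct if METH_CONNECT
    use_backend NginxClusterNormal if squid_incompatiable-Host
    use_backend NginxClusterWebsockets if is_websocket
    use_backend SquidCluster if HTTP
    use_backend Direct if !HTTP
    default_backend SquidCluster
```

Validate with "haproxy -c -f <config>" and watch the per-backend session counters (SquidCluster vs Direct) through the stats socket from the posted global section, e.g. echo "show stat" | socat stdio /tmp/ha-l1-n1.sock. Two caveats: any protocol where the server sends the first bytes will sit for the whole inspect delay before reaching Direct, so keep the delay short; and the posted config carries the stats password in clear, so it should be changed now that it has been mailed to a public list.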

