ChinaNetCloud: Running the World's Internet Servers (Managing the World's Servers)
HAProxy
By ChinaNetCloud
Pioneers in OaaS – Operations-as-a-Service
January, 2015
www.ChinaNetCloud.com
Copyright 2015 ChinaNetCloud Training Program
ChinaNetCloud Training
Introduction
● HAProxy key part of most large systems
● World's most powerful software load balancer
● A little complex
● Interesting and fun
Load Balancer Overview
● Listens on front-end ports, usually 80/443
● Forwards to a back-end pool of servers
● Has health checks of back-end
  ● Only sends to Healthy & UP servers
● Has sticky sessions, usually using cookies
● Web servers see LB as client, with LB's IP
● Use X-Forwarded-For header to send real IP
  ● Important for web server logs
Load Balancer Overview
● Single LB, many web
● Two LB, many web
High-Avail HAProxy
● Two HAProxy
● Run KeepAlived to manage failover
● Have front-end VIP
● We have standard config, Wiki
● Usually Physical / Private
  ● On Public Cloud use ELB or Heartbeat
HA Load Balancer – Public Cloud
● Amazon, Aliyun – Have their ELB/SLB in front
● Use theirs to help with bandwidth and failover
  ● AWS – Need ELB for HA between zones
  ● Aliyun – Need SLB for single bandwidth point
● Still use two HAProxy
● HAProxy more powerful, configurable
● HAProxy can be monitored (Nginx can't)
Parts of HAProxy
● Front-End Listeners
● Back-End Pools
● ACLs
● Rewrites
● Logs
● Monitoring
Front-End
● Listening part of HAProxy
● Pretty simple
● Has IP, port to listen on
● Has networking options, like timeouts
● Includes vhost, name to listen on
● Can have several front-ends
  ● Usually for different domains, www., images., etc.
  ● Can go to same or different back-ends
Back End Pools
● Part that does the work
● Lots of options
● Also does logging, error handling
● And health checks of backend servers
● Has a backend server list
  ● Each server has options, weights, health checks
ACLs – Control & Multi-Pool
● Can split traffic by URL, host
● For vhost split, use second Front-end
● For URL split, use ACLs
● Based on Headers, URL, or Path
● If-then structure
● Also can avoid scans, DDoS
● Example:
  ● acl is_www_domain_com hdr_end(host) -i domain.com
  ● use_backend www_ex_com if is_www_domain_com
Rewrites
● Has basic rewrites
● Can be useful, especially cross-domain
● Usually better to rewrite on web server
Configuration
● Single file
● Has Global default section, for all Front/Back
● Has section for each Front & Back
● Not much to change, other than pools & URLs
  ● Sometimes change timeouts
  ● Sometimes advanced features like keepalive
  ● Sometimes Tomcat needs more changes
● server srv-example-web1_80 10.9.1.205:80 cookie srv-example-web1_80 check maxconn 2000
Session Stickiness
● Makes sure same user goes to same server
● Especially in one session
● Very important for Java
● Not very important for PHP if uses shared cache
● Can cause instability on big systems
● Done with separate (not session) cookie
● Remove cookie name in server list to disable
Logs
● Very powerful and useful
● Uses syslog, so /var/log/haproxy …
● Shows disconnect reason/state
  ● 4 letter code like CRNI, RHEP
  ● See manual for meaning
  ● Shows if Client or Backend server disconnected
    – Also often shows why or how
  ● Also shows if session/cookie was used
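Added example (not part of the original slides): a decoder for the 4-letter disconnect code, plus a per-client count of abnormal terminations, which is a quick way to spot timeouts and scans in the log. It assumes the `option httplog` line format; the character meanings follow the HAProxy manual, and the sample log lines are constructed.

```python
import re
from collections import Counter
# Termination-state characters, per the HAProxy manual ("Session state at disconnection").
EVENT = {"C": "client aborted", "S": "server aborted or refused", "P": "blocked by proxy",
         "L": "processed locally by haproxy", "R": "proxy resource exhausted",
         "I": "internal error", "D": "killed, server detected down",
         "U": "killed, active server back up", "K": "killed by admin",
         "c": "client-side timeout", "s": "server-side timeout", "-": "normal"}
PHASE = {"R": "waiting for request", "Q": "in queue", "C": "connecting to server",
         "H": "waiting for response headers", "D": "data phase",
         "L": "sending last data to client", "T": "tarpitted", "-": "completed"}
SEEN = {"N": "no cookie from client", "I": "invalid cookie", "D": "cookie for DOWN server",
        "V": "valid cookie", "E": "expired cookie", "O": "old cookie",
        "U": "cookie unused", "-": "n/a"}
ACTION = {"N": "none set", "I": "inserted by haproxy", "U": "updated",
          "P": "provided by server", "R": "rewritten", "D": "deleted", "-": "n/a"}
FIELDS = (("event", EVENT), ("phase", PHASE), ("cookie_seen", SEEN), ("cookie_action", ACTION))

# client:port [date] frontend backend/server timers status bytes cookie cookie state
LINE = re.compile(r"(?P<client>[\d.]+):\d+ \[[^\]]+\] \S+ [^/\s]+/\S+ \S+ "
                  r"(?P<status>-?\d+) \d+ \S+ \S+ (?P<state>\S{4}) ")

def decode(state):
    """Translate a 4-character code such as 'cR--' into readable fields."""
    return {name: table.get(ch, "unknown") for (name, table), ch in zip(FIELDS, state)}

def abnormal_by_client(lines):
    """Count sessions per (client IP, event) whose event character is not '-'."""
    hits = Counter()
    for line in lines:
        m = LINE.search(line)
        if m and m["state"][0] != "-":
            hits[(m["client"], decode(m["state"])["event"])] += 1
    return hits

# Constructed sample lines in 'option httplog' format (not from a real system).
SAMPLE = [
    'haproxy[1201]: 198.51.100.7:40112 [12/Jan/2015:10:01:02.113] fe_http be_web/web1 '
    '12/0/1/35/48 200 5120 - - --VN 3/3/1/1/0 0/0 "GET / HTTP/1.1"',
    'haproxy[1201]: 203.0.113.9:51544 [12/Jan/2015:10:01:05.870] fe_http fe_http/<NOSRV> '
    '-1/-1/-1/-1/5000 408 212 - - cR-- 4/4/0/0/0 0/0 "<BADREQ>"',
    'haproxy[1201]: 203.0.113.9:51560 [12/Jan/2015:10:01:06.010] fe_http fe_http/<NOSRV> '
    '-1/-1/-1/-1/5001 408 212 - - cR-- 4/4/0/0/0 0/0 "<BADREQ>"',
    'haproxy[1201]: 198.51.100.23:33900 [12/Jan/2015:10:02:11.400] fe_http be_web/web2 '
    '8/0/2/-1/30010 504 194 - - sH-- 5/5/2/2/0 0/0 "GET /report HTTP/1.1"',
]

if __name__ == "__main__":
    print(abnormal_by_client(SAMPLE).most_common())
```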
Monitoring
● Very good
● Keeps stats by pool and by servers
● Records status, errors, but not timing
● Unusual words:
  ● Sessions – Concurrent connections
  ● Session Rate – Request rate
● Two ways to use (Can also manage servers)
  ● API called via Socket
  ● GUI web interface
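Added example (not part of the original slides): reading the per-pool and per-server stats through the socket API with `show stat` and flagging servers that are not UP. It assumes a `stats socket` is enabled in the global section; the socket path is a placeholder, and the sample CSV is constructed and trimmed to a few of the real columns.

```python
import csv
import io
import socket

def show_stat(sock_path):
    """Send 'show stat' to the HAProxy stats socket and return the raw CSV text."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"show stat\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:          # HAProxy closes the connection after the reply
                break
            chunks.append(data)
    return b"".join(chunks).decode()

def parse_stat(text):
    """Turn the CSV (header starts with '# pxname,svname,...') into dict rows."""
    return list(csv.DictReader(io.StringIO(text.lstrip("# "))))

def servers_not_up(rows):
    """Return (pool, server, status) for real servers whose status is not UP."""
    skip = ("FRONTEND", "BACKEND")   # aggregate rows, not individual servers
    return [(r["pxname"], r["svname"], r["status"]) for r in rows
            if r["svname"] not in skip and not r["status"].startswith(("UP", "no check"))]

def pool_load(rows):
    """Map pool -> (current sessions 'scur', session rate 'rate') from BACKEND rows."""
    return {r["pxname"]: (int(r["scur"]), int(r["rate"]))
            for r in rows if r["svname"] == "BACKEND"}

# Constructed sample, trimmed to a few of the real 'show stat' columns.
SAMPLE = """# pxname,svname,scur,smax,stot,status,weight,chkfail,rate,
fe_http,FRONTEND,42,310,98211,OPEN,,,57,
be_nginx,nginx1,20,150,51020,UP,1,0,30,
be_nginx,nginx2,0,140,4100,DOWN,1,7,0,
be_nginx,BACKEND,20,290,55120,UP,2,,30,
be_apache,apache1,22,90,43091,UP,1,0,27,
be_apache,BACKEND,22,90,43091,UP,1,,27,
"""

if __name__ == "__main__":
    rows = parse_stat(SAMPLE)   # on a live host: parse_stat(show_stat("/path/to/stats.sock"))
    print(servers_not_up(rows), pool_load(rows))
```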
GUI Web Monitor
● Lots of good detail
SSL in HAProxy
● Just got support in June, 2014 – Version 1.5
● Starting to see in production use
● Until now, we had to:
  ● Use Nginx in front
  ● Set Nginx on port 443 as proxy
  ● Send traffic to HAProxy on port 80 or 81
    – Use 81 if need to keep SSL traffic separate
● Now we can use directly in version 1.5
● See docs on how to configure
Multi-Process
● HAProxy is single process – uses a single CPU
● Usually okay, but can limit scaling
  ● 250,000 connections, but only 2,500 requests/sec
  ● 50,000+ requests/sec, but only 2,500 concurrent connections
● Need special config and discussion to use
● It CAN run multi-process, but monitoring is wrong
  ● All monitoring by process, so gets confused
  ● Messy
Summary
● HAProxy important and powerful
● Very configurable
● Has pools
● Great logs
● Good luck!
Lab
● Create VM on AWS
● Install Nginx & Apache
  ● Configure Nginx on port 81 and Apache on 82
● Install HAProxy from RPM & Wiki
● Create frontend & backend for nginx, test
● Add ACL and Apache backend pool
  ● Split URLs between Nginx & Apache, test
● Look at monitor page, use CLI tools
● Look at logs, look up status codes
About ChinaNetCloud
www.ChinaNetCloud.com – +86-21-6422-1946 – [email protected]
ChinaNetCloud is a Shanghai-based, full-service Internet managed services provider (MSP). We architect, build, optimize, and manage large-scale systems for e-commerce, games, apps, mobile, media, and more.
We deliver Reliability, Performance, Scale, Security, and cost savings via our Operations-as-a-Service (OaaS) platform, which includes 7x24 operations, deep predictive monitoring, networking, security scanning, backups, databases, upgrades, rapid troubleshooting, configuration changes, and much more.
Our OaaS platform is state-of-the-art with a wide variety of sophisticated tools ranging from deep design to audit, migration, management, monitoring, backups, CMDB, load testing, capacity planning, performance analysis, portals, and much more.
Over six years, we've helped hundreds of internet companies improve their systems, focusing on Reliability, Performance, Scalability, Security, and Cost-Savings.
Let us help you today!
Contact ChinaNetCloud
Silicon Valley Office:
440 North Wolfe Road
Sunnyvale, 94085 USA
Shanghai Headquarters:
X2 Space 10601
1238 Xietu Lu
Shanghai, 200032 China
Beijing Office:
Lee World Business Building #305
57 Middle Xingfu Village Rd., Chaoyang
Beijing, 100027 China
T: +86-21-6422-1946