使用相同路径访问的Haproxy多个后端

时间:2015-05-28 13:54:53

标签: haproxy

我的服务器上运行了4个java应用程序,2个主要和& 2个子应用程序,我需要通过Haproxy访问。

app1 ---->在app1.domain.org上访问tcp:8442   subapp1 ---->侦听tcp:9001并使用路径app1.domain.org/abc

进行访问

app2 ---->在app2.domain.org上访问tcp:8444   subapp2 ---->侦听tcp:9000并使用路径app2.domain.org/abc

进行访问

所以子应用程序都使用相同的路径访问

我无法让Haproxy将请求路由到正确的子应用。使用包含的配置访问主应用程序工作正常,但根据use_backend语句的顺序,所有子应用程序请求被路由到相同的后端(首先列出)。如果我重新排序ACL,则没有观察到任何差异。似乎ACL没有正确匹配入站请求。

感谢任何帮助!

我的配置:

global
    log localhost   local1  
    log-send-hostname server-hostname   
    maxconn 1024                
    user root                   
    group root                  
    daemon                      
    pidfile /var/run/haproxy.pid
    ssl-default-bind-options no-sslv3 no-tls-tickets  

defaults
    log global                  
    mode http                   
    option  dontlognull         
    option forwardfor           
    no option http-server-close  
    no option accept-invalid-http-request   
    timeout client 600s                     
    timeout client-fin 10s                  
    timeout server 600s                     
    stats enable
    stats auth user:password
    stats uri /haproxyStats

listen admin
    mode http
    bind *:8080
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth user:password

frontend http-in
    bind *:80                           
    acl invalid_src  src          0.0.0.0/7 224.0.0.0/3
    acl invalid_src  src_port     0:1023            
    http-request deny if invalid_src                    
    option tcplog                       
    log-format %ci\ %f\ %b\ %ST\ %{+Q}r\ %Tr   
    redirect scheme https code 301 if !{ ssl_fc }   

frontend https-in
    bind *:443 ssl crt /etc/haproxy/ssl.cert        
    mode http

    acl test_sapp path_beg -i /abc 
    acl test_sapp hdr(host) -m dom -i *app2.domain.com*

    acl prod_sapp path_beg -i /abc 
    acl prod_sapp hdr(host) -m dom -i *app1.domain.com*

    acl test_app1 hdr_end(host) -i app2.domain.com
    acl prod_app1 hdr_end(host) -i app1.domain.com

    acl invalid_src  src          0.0.0.0/7 224.0.0.0/3
    acl invalid_src  src_port     0:1023            
    http-request deny if invalid_src
    option tcplog   
    log-format %r
    reqadd X-Forwarded-Proto:\ https                

    use_backend sapp-test if test_sapp
    use_backend sapp-prod if prod_sapp

    use_backend app-prod if prod_app1
    use_backend app-test if test_app1

    timeout client 600s                 
    timeout client-fin 10s              

backend app-prod
    balance leastconn
    option httpclose
    option forwardfor
    server prod-web-node 127.0.0.1:8442 cookie A check 
    timeout server 600s                 

backend app-test
    option httpclose
    option forwardfor
    server test-web-node 127.0.0.1:8444 cookie A check
    timeout server 600s                 

backend sapp-prod
    balance leastconn
    option httpclose
    option forwardfor
    server prod-mdr-node 127.0.0.1:9001 cookie A check
    timeout server 600s                 

backend sapp-test
    balance leastconn
    option httpclose
    option forwardfor
    server test-mdr-node 127.0.0.1:9000 cookie A check
    timeout server 600s 

1 个答案:

答案 0 :(得分:3)

这是未经测试但我认为这个https-in前端应该有效:

frontend https-in
    bind *:443 ssl crt /etc/haproxy/ssl.cert        
    mode http

    acl prod_domain hdr(host) -i app1.domain.com
    acl test_domain hdr(host) -i app2.domain.com

    acl sub_app path_beg -i /abc 

    acl invalid_src  src          0.0.0.0/7 224.0.0.0/3
    acl invalid_src  src_port     0:1023            
    http-request deny if invalid_src
    option tcplog   
    log-format %r
    reqadd X-Forwarded-Proto:\ https                

    use_backend sapp-test if sub_app test_domain
    use_backend sapp-prod if sub_app prod_domain

    use_backend app-prod if prod_domain
    use_backend app-test if test_domain

    timeout client 600s                 
    timeout client-fin 10s

密钥位于use_backend sapp-testuse_backend sapp-prod行,只有在sub_app acl test_domain /的情况下才会选择后端prod_domain acl是真的。否则它会回退到app-prodapp-test后端。

希望有所帮助:)