I use haproxy as a load balancer for 3 application servers. Before client traffic reaches this load balancer it first hits a WAF, which has multiple randomly distributed IPs. So when a connection is renewed, the original session may jump to another server because the session cookie changes, which I do not want to happen.
The WAF vendor suggested that I set the load balancer's session identifier to use X-Real-IP when setting the session cookie, or remove the IP component from the identifier used to create the session cookie, and I do not know how to do that. Can anyone advise on this?
Here is my haproxy setup.
```haproxy
frontend http_frontend
    bind *:80
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js
    use_backend static if url_static
    default_backend bk_http

frontend https_frontend
    bind *:443
    mode tcp
    default_backend bk_https

backend static
    balance roundrobin
    server static 127.0.0.1:4331 check

backend bk_http
    mode http
    balance roundrobin
    stick on src table bk_https
    cookie SRVNAME insert
    server web1 ip1:80 check cookie SA check
    server web2 ip2:80 check cookie SB check

backend bk_https
    mode tcp
    balance leastconn
    stick-table type ip size 2000k expire 30m
    stick on src
    default-server inter 1s
    cookie SRVNAME insert
    server web1 ip1:443 check cookie web1
    server web2 ip2:443 check cookie web2
```
Answer 0: (score: 1)
I think cookies are only available in http mode; in TCP mode you need to do SSL affinity.
Try this:
```haproxy
# backend header, mode and server names added so the fragment loads as-is;
# XXX and YYY remain placeholder server addresses.
backend bk_https
    mode tcp
    balance leastconn
    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 20M expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello
    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.
    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello
    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello
    option ssl-hello-chk
    server web1 XXX:443 check
    server web2 YYY:443 check
```
To check it, enable the stats socket (in the global section) and connect 2 browsers to the site through haproxy:
```haproxy
global
    stats socket /var/lib/haproxy/stats
```
```
bash#> echo "show table" | socat unix-connect:/var/lib/haproxy/stats stdio
# table: BACKEND_NAME, type: binary, size:20971520, used:2
bash#> echo "show table BACKEND_NAME" | socat unix-connect:/var/lib/haproxy/stats stdio
# table: BACKEND_NAME, type: binary, size:20971520, used:2
0x7f9ca0f24314: key=8A3DF855010388A4DD94F71E0FEAF7A54A7032EA56D477D20F59B4F28CEF183B use=0 exp=1264499 server_id=1
0x7f9ca0f245c4: key=C7EA05BA85730EAF725035EFB3C4F7537FCCCFD0469FB45A4A2DE85308ECF1C7 use=0 exp=1696667 server_id=2
```
Warning: if nbproc is enabled, affinity is limited to a single process.
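The answer relies on the TLS record layout placing the session ID length byte at offset 43 of the raw payload. The Python script below is an added example, not part of the original answer and not haproxy code: it constructs minimal ClientHello/ServerHello records, emulates the three fetches the config uses (req_ssl_hello_type, rep_ssl_hello_type, payload_lv(43,1)) and models the request-side `stick on` / response-side `stick store-response` pair with a tiny table, so you can see which hex key `show table` would list and what happens when a client sends an empty session ID. The names build_hello, ssl_hello_type, payload_lv, session_id_key and StickTable are hypothetical helpers; the rule that an empty block yields no key describes this emulation, not haproxy's internal matching code.

```python
import struct

# TLS record and handshake constants (RFC 5246 layout, which the offsets rely on).
TLS_HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 1
SERVER_HELLO = 2

# Constructed, fixed 32-byte "random" so the example is deterministic.
FIXED_RANDOM = bytes(range(32))


def build_hello(hello_type, session_id, random32=FIXED_RANDOM):
    """Build a constructed TLS record carrying a ClientHello or ServerHello.

    record header (5) + handshake header (4) + version (2) + random (32) = 43
    bytes precede the session ID length byte, which is why the config uses
    payload_lv(43,1). The bytes after the session ID are a placeholder
    cipher-suite/compression tail and carry no meaning here."""
    if len(session_id) > 32:
        raise ValueError("TLS session IDs are at most 32 bytes")
    body = b"\x03\x03" + random32 + bytes([len(session_id)]) + session_id
    body += b"\x00\x02\xc0\x2f\x01\x00"  # placeholder tail (constructed)
    handshake = bytes([hello_type]) + len(body).to_bytes(3, "big") + body
    record = bytes([TLS_HANDSHAKE_RECORD]) + b"\x03\x01" + struct.pack(">H", len(handshake))
    return record + handshake


def ssl_hello_type(payload):
    """Emulate req_ssl_hello_type / rep_ssl_hello_type: the handshake message
    type byte, or None when the buffer is not a TLS handshake record."""
    if len(payload) < 6 or payload[0] != TLS_HANDSHAKE_RECORD:
        return None
    return payload[5]


def payload_lv(payload, offset, length_bytes):
    """Emulate payload_lv(<offset>,<length>): read a big-endian length field of
    <length_bytes> bytes at <offset> and return the block right after it.
    Returns None when the buffer is too short or the block is empty, i.e.
    when there is nothing usable to stick on (emulation rule, see lead-in)."""
    if len(payload) < offset + length_bytes:
        return None
    length = int.from_bytes(payload[offset:offset + length_bytes], "big")
    start = offset + length_bytes
    if length == 0 or len(payload) < start + length:
        return None
    return payload[start:start + length]


def session_id_key(payload):
    """The stick key the config would derive from this record, formatted as the
    upper-case hex that 'show table' prints, or None if there is none."""
    if ssl_hello_type(payload) not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    sid = payload_lv(payload, 43, 1)
    return sid.hex().upper() if sid else None


class StickTable:
    """Minimal model of 'stick on payload_lv(43,1) if clienthello' plus
    'stick store-response payload_lv(43,1) if serverhello'."""

    def __init__(self):
        self.entries = {}  # key (hex) -> server_id

    def lookup(self, client_hello):
        """Request side: the server already bound to this session ID, if any."""
        key = session_id_key(client_hello)
        return self.entries.get(key) if key else None

    def learn(self, server_hello, server_id):
        """Response side: bind the ServerHello's session ID to the chosen server."""
        key = session_id_key(server_hello)
        if key:
            self.entries[key] = server_id
        return key


if __name__ == "__main__":
    table = StickTable()
    sid = b"\xab" * 32  # constructed session ID
    ch, sh = build_hello(CLIENT_HELLO, sid), build_hello(SERVER_HELLO, sid)
    print("first request bound to:", table.lookup(ch))   # None, nothing learned yet
    print("learned key:", table.learn(sh, 2))
    print("resumed request bound to:", table.lookup(ch))  # 2
    print("empty session id key:", session_id_key(build_hello(CLIENT_HELLO, b"")))
```

The empty-session-ID case is the one to watch in practice: a client that resumes with session tickets, or otherwise sends an empty session ID in its hello, gives this scheme no key, so that connection is simply load balanced and the stick table stays empty for it. Checking `show table` after a few browser connections, as the answer describes, is the quickest way to confirm entries are actually being learned.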