HAProxy ACLs, the HAProxy stats socket, an ACL-based static/dynamic split example, and configuring HAProxy for HTTPS

1. Related HAProxy posts

HAProxy balance scheduling algorithms explained (including hash-type)

HAProxy server parameters, stats parameters and cookie parameters explained (including the related parameters rspadd / rspdel / option / mode / maxconn)

A simple HAProxy example and basic HAProxy_Log configuration

The HAProxy logging system explained

HAProxy compression, health checks and other related parameters explained (compression, http-check, timeout, use_backend, block, http-request, tcp-request)

2. HAProxy ACLs

2.1 What ACLs are

The use of Access Control Lists (ACL) provides a flexible solution to perform content switching and generally to take decisions based on content extracted from the request, the response or any environmental status.

2.2 ACL syntax

## acl <aclname> <criterion> [flags] [operator] [<value>] ...

	## aclname         # the ACL's name, case-sensitive where it is referenced. Any name may be used, and several acl lines may share one aclname, which ORs them together
	## flags           # optional flags. The one normally needed is "-i", which makes the match case-insensitive
	## operator        # optional comparison operator: "eq", "ge", "gt", "le" or "lt", i.e. equal, greater-or-equal, greater, less-or-equal, less
	## <criterion>     # the check criterion, i.e. the matching method. See the common layer 4 and layer 7 criteria below
	## <value>         # the value to match; its type depends on the criterion

2.2.1 aclname

## <aclname>
	## ACL names must be formed from upper and lower case letters, digits, '-' (dash),
	## '_' (underscore), '.' (dot) and ':' (colon). ACL names are case-sensitive.

2.2.2 value types

## - boolean
## - integer or integer range
## - IP address / network
## - string (exact, substring, suffix, prefix, subdir, domain)
## - regular expression
## - hex block

2.2.3 flags

## -i : ignore case during matching of all subsequent patterns.
## -m : use a specific pattern matching method
## -n : forbid the DNS resolutions
## -u : force the unique id of the ACL
## -- : force end of flags. Useful when a string looks like one of the flags.	

2.2.4 operator

## Integer matching: eq, ge, gt, le, lt

## String matching:
	## - exact match     (-m str) : the extracted string must exactly match the patterns ;
	## - substring match (-m sub) : the patterns are looked up inside the extracted string, and the ACL matches if any of them is found inside ;
	## - prefix match    (-m beg) : the patterns are compared with the beginning of the extracted string, and the ACL matches if any of them matches.
	## - suffix match    (-m end) : the patterns are compared with the end of the extracted string, and the ACL matches if any of them matches.
	## - subdir match    (-m dir) : the patterns are looked up inside the extracted string, delimited with slashes ("/"), and the ACL matches if any of them matches.
	## - domain match    (-m dom) : the patterns are looked up inside the extracted string, delimited with dots ("."), and the ACL matches if any of them matches.	

2.2.5 Logical relations between ACLs used in a condition

## - AND (implicit)
## - OR  (explicit with the "or" keyword or the "||" operator)
## - Negation with the exclamation mark ("!")
				
## Example ##
	## if invalid_src invalid_port          # AND: both must match
	## if invalid_src || invalid_port       # OR: either may match
	## if ! invalid_src invalid_port        # NOT invalid_src AND invalid_port

2.2.6 criterion

## dst : ip
## dst_port : integer
## src : ip
## src_port : integer

## Example ##
	## acl invalid_src  src  172.16.200.2
## path : string
	## This extracts the request's URL path, which starts at the first slash and ends before the question mark (without the host part).
	## /path;<params>
						
	## path     : exact string match
	## path_beg : prefix match
	## path_dir : subdir match
	## path_dom : domain match
	## path_end : suffix match
	## path_len : length match
	## path_reg : regex match
	## path_sub : substring match

## Example ##
	## path_beg /images/
	## path_end .jpg .jpeg .png .gif
	## path_reg ^/images.*\.jpeg$
	## path_sub image                   # substring of the path
	## path_dir jpegs                   # subdirectory (a complete segment between two slashes)
	## path_dom ilinux                  # domain

	## The path /images/jpegs/20180312/logo.jpg matches items 1, 2 and 4 above ##
## url : string
	## This extracts the request's URL as presented in the request. A typical use is with prefetch-capable caches, and with portals which need to aggregate multiple information from databases and keep them in caches.
					
	## url     : exact string match
	## url_beg : prefix match
	## url_dir : subdir match
	## url_dom : domain match
	## url_end : suffix match
	## url_len : length match
	## url_reg : regex match
	## url_sub : substring match
## req.hdr([<name>[,<occ>]]) : string
	## This extracts the last occurrence of header <name> in an HTTP request.
					
	## hdr([<name>[,<occ>]])     : exact string match
	## hdr_beg([<name>[,<occ>]]) : prefix match
	## hdr_dir([<name>[,<occ>]]) : subdir match
	## hdr_dom([<name>[,<occ>]]) : domain match
	## hdr_end([<name>[,<occ>]]) : suffix match
	## hdr_len([<name>[,<occ>]]) : length match
	## hdr_reg([<name>[,<occ>]]) : regex match
	## hdr_sub([<name>[,<occ>]]) : substring match	
## Example ##
	## acl bad_curl hdr_sub(User-Agent) -i curl
	## block if bad_curl
## status : integer
	## Returns an integer containing the HTTP status code in the HTTP response.

2.3 Pre-defined ACLs

## ACL name        Equivalent to                  Usage
## FALSE           always_false                   never match
## HTTP            req_proto_http                 match if protocol is valid HTTP
## HTTP_1.0        req_ver 1.0                    match HTTP version 1.0
## HTTP_1.1        req_ver 1.1                    match HTTP version 1.1
## HTTP_CONTENT    hdr_val(content-length) gt 0   match an existing content-length
## HTTP_URL_ABS    url_reg ^[^/:]*://             match absolute URL with scheme
## HTTP_URL_SLASH  url_beg /                      match URL beginning with "/"
## HTTP_URL_STAR   url *                          match URL equal to "*"
## LOCALHOST       src 127.0.0.1/8                match connection from local host
## METH_CONNECT    method CONNECT                 match HTTP CONNECT method
## METH_GET        method GET HEAD                match HTTP GET or HEAD method
## METH_HEAD       method HEAD                    match HTTP HEAD method
## METH_OPTIONS    method OPTIONS                 match HTTP OPTIONS method
## METH_POST       method POST                    match HTTP POST method
## METH_TRACE      method TRACE                   match HTTP TRACE method
## RDP_COOKIE      req_rdp_cookie_cnt gt 0        match presence of an RDP cookie
## REQ_CONTENT     req_len gt 0                   match data in the request buffer
## TRUE            always_true                    always match
## WAIT_END        wait_end                       wait for end of content analysis

3. The HAProxy stats socket

## echo "help"| socat stdio /usr/local/haproxy/stats 

4. ACL-based static/dynamic split example

frontend  web *:80
	acl url_static       path_beg       -i  /static /images /javascript /stylesheets
	acl url_static       path_end       -i  .jpg .gif .png .css .js .html .txt .htm

	use_backend staticsrvs          if url_static
	default_backend             appsrvs

backend staticsrvs
	balance     roundrobin
	server      stcsrv1 172.16.100.6:80 check

backend appsrvs
	balance     roundrobin
	server  app1 172.16.100.7:80 check
	server  app2 172.16.100.7:8080 check    # server names must be unique within a backend

listen stats
	bind :9091
	stats enable
	stats auth admin:admin
	stats admin if TRUE	
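To make the matching rules of 2.2.4, the condition logic of 2.2.5, the path and header examples of 2.2.6 and the url_static split of section 4 concrete, here is an added Python model of how HAProxy evaluates ACLs. It is an illustration written for this page, not HAProxy's own code; the request dict shape (`path`, `src`, `headers`) and the sample requests are constructed for the example, and only the criteria used on this page are supported. Note that, by the subdir definition in 2.2.4, `path_dir jpegs` also matches `/images/jpegs/20180312/logo.jpg`, since `jpegs` is a complete slash-delimited segment, so the model reports patterns 1, 2, 4 and 5 for that path.

```python
"""Added illustration (not HAProxy's own code): a small model of HAProxy ACL
evaluation covering the string matching methods of 2.2.4, the condition rules
of 2.2.5, the path / hdr / src criteria of 2.2.6 and the section 4 split."""
import ipaddress
import re


def _delimited(s, pat, delims):
    """pat must appear in s bounded on both sides by a delimiter or the string
    boundary: the subdir ('/') and domain ('.') matching methods."""
    start = 0
    while (i := s.find(pat, start)) >= 0:
        j = i + len(pat)
        if (i == 0 or s[i - 1] in delims) and (j == len(s) or s[j] in delims):
            return True
        start = i + 1
    return False


MATCHERS = {  # -m str / sub / beg / end / dir / dom as defined in 2.2.4
    "str": lambda s, p: s == p,
    "sub": lambda s, p: p in s,
    "beg": lambda s, p: s.startswith(p),
    "end": lambda s, p: s.endswith(p),
    "dir": lambda s, p: _delimited(s, p, "/"),
    "dom": lambda s, p: _delimited(s, p, "."),
}


class Acl:
    """One 'acl <aclname> <criterion> [flags] <pattern> ...' line."""

    def __init__(self, line):
        _, self.name, crit, rest = line.split(None, 3)
        tokens = rest.split()
        self.icase = False
        while tokens and tokens[0].startswith("-"):   # flags precede the patterns
            self.icase |= tokens.pop(0) == "-i"
        self.patterns = tokens
        base, _, arg = crit.partition("(")
        self.arg = arg.rstrip(")").lower()            # e.g. user-agent in hdr_sub(User-Agent)
        if base in ("src", "dst"):                    # IP criteria carry no _method suffix
            self.fetch, self.method = base, "ip"
        elif "_" in base:                             # path_beg -> fetch path, method beg
            self.fetch, _, self.method = base.rpartition("_")
        else:                                         # bare path / url / hdr(): exact match
            self.fetch, self.method = base, "str"

    def matches(self, req):
        """req is a constructed dict: path, url, src, headers (lower-case names)."""
        if self.fetch in ("hdr", "req.hdr"):
            s = req.get("headers", {}).get(self.arg, "")
        else:
            s = req[self.fetch]
        if self.method == "ip":                       # IP address / network patterns
            ip = ipaddress.ip_address(s)
            return any(ip in ipaddress.ip_network(p, strict=False) for p in self.patterns)
        if self.method == "reg":
            flags = re.IGNORECASE if self.icase else 0
            return any(re.search(p, s, flags) for p in self.patterns)
        pats = self.patterns
        if self.icase:                                # -i: case-insensitive comparison
            s, pats = s.lower(), [p.lower() for p in pats]
        return any(MATCHERS[self.method](s, p) for p in pats)


def evaluate(acl_lines, cond, req):
    """Evaluate the text after 'if': names are ANDed, 'or' / '||' opens a new OR
    group, '!' negates the next name, and acl lines sharing a name are ORed."""
    acls = [Acl(line) for line in acl_lines]
    groups, negate = [[]], False
    for tok in cond.replace("||", " or ").split():
        if tok == "or":
            groups.append([])
            continue
        if tok.startswith("!"):
            negate, tok = True, tok[1:]
        if tok:                                       # a bare '!' applies to the next name
            groups[-1].append((tok, negate))
            negate = False

    def acl_true(name):
        return any(a.matches(req) for a in acls if a.name == name)

    return any(all(acl_true(n) != neg for n, neg in g) for g in groups)


# The six path patterns of 2.2.6, in page order (p1 .. p6).
PATH_EXAMPLES = ["acl p1 path_beg /images/", "acl p2 path_end .jpg .jpeg .png .gif",
                 r"acl p3 path_reg ^/images.*\.jpeg$", "acl p4 path_sub image",
                 "acl p5 path_dir jpegs", "acl p6 path_dom ilinux"]

# The section 4 frontend: both lines define url_static, so either one suffices.
SECTION4_ACLS = [
    "acl url_static path_beg -i /static /images /javascript /stylesheets",
    "acl url_static path_end -i .jpg .gif .png .css .js .html .txt .htm",
]


def matching_examples(path):
    """Numbers of the 2.2.6 patterns that match a request path."""
    return [i + 1 for i, line in enumerate(PATH_EXAMPLES)
            if evaluate([line], line.split()[1], {"path": path})]


def choose_backend(path):
    """use_backend staticsrvs if url_static, otherwise default_backend appsrvs."""
    return "staticsrvs" if evaluate(SECTION4_ACLS, "url_static", {"path": path}) else "appsrvs"
```

`evaluate` takes the raw `acl` lines and the text after `if`, so the three condition forms of 2.2.5 and the `bad_curl` header check of 2.2.6 can be tried against any constructed request; `choose_backend("/API/Logo.PNG")` shows the effect of `-i` on the section 4 rules.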

5. Configuring HAProxy for HTTPS

1 Enabling SSL sessions
	## bind *:443 ssl crt /PATH/TO/SOME_PEM_FILE

	The file given after crt must be in PEM format and contain both the certificate and every private key that matches it
	## cat demo.crt demo.key > demo.pem

2 Redirecting requests on port 80 to port 443
	## bind *:80
	## redirect scheme https if !{ ssl_fc }

	Alternative: send every non-SSL request, whatever its URL, to the home page of the HTTPS host
	## redirect location https://172.16.0.67/ if !{ ssl_fc }

3 Passing the protocol and port of the client's request to the backend
	## http-request set-header X-Forwarded-Port %[dst_port]
	## http-request add-header X-Forwarded-Proto https if { ssl_fc }
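As an added illustration of section 5 (written for this page, not HAProxy's own code), the Python below models what the two listeners do with a request: the port 80 listener answers `redirect scheme https` with a 302 to the same Host and URI, and the TLS listener adds the X-Forwarded-Port and X-Forwarded-Proto headers. HAProxy's `set-header` removes every existing header of that name before adding the new value, while `add-header` appends and leaves any client-supplied value in place; the model exposes both so the difference is visible. The request dict shape and the two sample requests are constructed for the example.

```python
"""Added illustration (not HAProxy's own code): what the section 5 frontend does
with a request. Plain-text requests get 'redirect scheme https if !{ ssl_fc }'
(HAProxy's redirect defaults to status 302); TLS requests get the
X-Forwarded-Port / X-Forwarded-Proto headers via set-header or add-header."""


def set_header(headers, name, value):
    """http-request set-header: drop existing occurrences, then add one value."""
    headers[name.lower()] = [value]


def add_header(headers, name, value):
    """http-request add-header: append without touching existing values."""
    headers.setdefault(name.lower(), []).append(value)


def redirect_scheme(req, scheme="https", code=302):
    """redirect scheme <scheme>: same Host header and request URI, new scheme."""
    return code, f"{scheme}://{req['host']}{req['uri']}"


def redirect_location(location, code=302):
    """redirect location <url>: a fixed target, whatever the original URL was."""
    return code, location


def handle(req, proto_action="set"):
    """Model of the section 5 frontend for one request.

    req is a constructed dict, not an HAProxy structure:
    {'ssl_fc': bool, 'host': str, 'uri': str, 'dst_port': int,
     'headers': {lower-case name: [values]}}.
    Returns ('redirect', code, location) for the port 80 listener or
    ('forward', headers) for the TLS listener; the input is not modified."""
    headers = {k.lower(): list(v) for k, v in req["headers"].items()}
    if not req["ssl_fc"]:                    # redirect scheme https if !{ ssl_fc }
        return ("redirect",) + redirect_scheme(req)
    set_header(headers, "X-Forwarded-Port", str(req["dst_port"]))   # %[dst_port]
    if proto_action == "add":                # the page's add-header variant
        add_header(headers, "X-Forwarded-Proto", "https")
    else:                                    # set-header: only the proxy's value survives
        set_header(headers, "X-Forwarded-Proto", "https")
    return "forward", headers


# Constructed sample requests: one on the plain listener, one on the TLS
# listener where the client itself already sent an X-Forwarded-Proto header.
PLAIN_REQ = {"ssl_fc": False, "host": "www.example.com", "uri": "/login?next=/",
             "dst_port": 80, "headers": {}}
TLS_REQ = {"ssl_fc": True, "host": "www.example.com", "uri": "/login?next=/",
           "dst_port": 443, "headers": {"x-forwarded-proto": ["http"]}}

if __name__ == "__main__":
    print(handle(PLAIN_REQ))
    print(handle(TLS_REQ)[1]["x-forwarded-proto"])
    print(handle(TLS_REQ, "add")[1]["x-forwarded-proto"])
```

Running the script prints the 302 location for the plain request, `['https']` for the TLS request with `set-header`, and `['http', 'https']` with `add-header`. Since the backend should only trust the scheme the proxy observed, `set-header` (or deleting the client's header before adding the proxy's) is the safer choice for X-Forwarded-Proto.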
Reposted from blog.csdn.net/weixin_44983653/article/details/102993781