Haproxy

Transparent HAproxy on Ubuntu (Amazon EC2)

  • January 1, 2019

I am trying to set up a transparent HAproxy load balancer on Amazon EC2 using Ubuntu 18.04. I have HAproxy working in non-transparent mode, so now I am trying to add the changes needed for transparent mode, but I get the error 503 Service Unavailable No server is available to handle this request.

Another issue is that the backend server is in a different EC2 account. I mention it because I have seen some tutorials telling me to change things in the VPC configuration, subnets and route tables. In my case the backend server and HAproxy are not in the same account, so they are definitely not in the same subnet/VPC.

I have disabled "Actions > Networking > Change Source/Dest. Check" for the load balancer instance in the Amazon EC2 dashboard.

TPROXY:

# grep TPROXY /boot/config-4.15.0-10*
/boot/config-4.15.0-1021-aws:CONFIG_NETFILTER_XT_TARGET_TPROXY=m
/boot/config-4.15.0-1031-aws:CONFIG_NETFILTER_XT_TARGET_TPROXY=m

I need to load xt_TPROXY into the kernel manually:

# sudo modprobe -v xt_TPROXY
insmod /lib/modules/4.15.0-1021-aws/kernel/net/netfilter/xt_TPROXY.ko

# lsmod | grep -i tproxy
xt_TPROXY              20480  0
nf_defrag_ipv6         36864  3 nf_conntrack_ipv6,xt_socket,xt_TPROXY
nf_defrag_ipv4         16384  3 xt_socket,nf_conntrack_ipv4,xt_TPROXY
x_tables               40960  10 iptable_mangle,ip_tables,iptable_filter,xt_mark,xt_socket,xt_TPROXY,xt_recent,ip6table_filter,xt_conntrack,ip6_tables

haproxy.cfg:

global
daemon
log /dev/log local4
maxconn 40000
ulimit-n 81000

defaults
log global
contimeout 4000
clitimeout 42000
srvtimeout 43000

listen http1
bind *:80 transparent
mode http
option http-server-close
option forwardfor
source 0.0.0.0 usesrc clientip
balance roundrobin
server http1_1 123.123.123.123:80 cookie http1_1 check inter 2000 rise 2 fall 3

Networking:

# cat /proc/sys/net/ipv4/conf/lo/rp_filter
0
# sysctl net.ipv4.ip_nonlocal_bind
net.ipv4.ip_nonlocal_bind = 1
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

iptables mangle:

# iptables-save -t mangle
# Generated by iptables-save v1.6.1 on Tue Jan  1 15:35:54 2019
*mangle
:PREROUTING ACCEPT [216:12398]
:INPUT ACCEPT [30415:1434643]
:FORWARD ACCEPT [12:608]
:OUTPUT ACCEPT [57979:5590669]
:POSTROUTING ACCEPT [57991:5591277]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-xmark 0x6f/0xffffffff
-A DIVERT -j ACCEPT
COMMIT

HAproxy version (compiled with USE_LINUX_TPROXY):

# /usr/bin/haproxy -vv
HA-Proxy version 1.5-dev7 2011/09/10
Copyright 2000-2011 Willy Tarreau <w@1wt.eu>

Build options :
 TARGET  = linux26
 CPU     = generic
 CC      = gcc
 CFLAGS  = -O2 -g -fno-strict-aliasing
 OPTIONS = USE_LINUX_TPROXY=1 USE_STATIC_PCRE=1

Default settings :
 maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes

Available polling systems :
    sepoll : pref=400,  test result OK
     epoll : pref=300,  test result OK
      poll : pref=200,  test result OK
    select : pref=150,  test result OK
Total: 4 (4 usable), will use sepoll.

These are the results of running HAproxy with the -d option. It is logging the incoming request, but there is no HTTP/1.1 200 OK reply from the backend server, as there is in the non-transparent case:

# /usr/bin/haproxy -d -f /etc/haproxy.cfg
Available polling systems :
    sepoll : pref=400,  test result OK
     epoll : pref=300,  test result OK
      poll : pref=200,  test result OK
    select : pref=150,  test result OK
Total: 4 (4 usable), will use sepoll.
Using sepoll() as the polling mechanism.
00000001:http1.accept(0004)=0006 from [111.222.333.111:54270]
00000002:http1.accept(0004)=0007 from [111.222.333.111:54269]
00000002:http1.clireq[0007:ffff]: GET /mytest.php HTTP/1.1
00000002:http1.clihdr[0007:ffff]: Host: example.com
00000002:http1.clihdr[0007:ffff]: Connection: keep-alive
00000002:http1.clihdr[0007:ffff]: Cache-Control: max-age=0
00000002:http1.clihdr[0007:ffff]: Upgrade-Insecure-Requests: 1
00000002:http1.clihdr[0007:ffff]: User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
00000002:http1.clihdr[0007:ffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
00000002:http1.clihdr[0007:ffff]: Accept-Encoding: gzip, deflate
00000002:http1.clihdr[0007:ffff]: Accept-Language: en-US,en;q=0.9,he;q=0.8,es;q=0.7
00000001:http1.clicls[0006:ffff]
00000001:http1.closed[0006:ffff]

ip rule list

0:      from all lookup local
32765:  from all fwmark 0x6f lookup 100
32766:  from all lookup main
32767:  from all lookup default

Any idea whether what I am trying to do is possible? Am I missing something? If you need me to add more information, let me know.

• (now fixed) iptables -L -t mangle: don't do this unless you are looking for matched packet counters. It is absolutely not human-friendly output compared to iptables-save -t mangle.

• For transparent proxying there is the TPROXY target. Not sure whether you are using it ("thanks" to iptables -L), but just in case: it looks like you missed it.

• (now fixed) ~~I cannot find "bind transparent" in the excerpt you gave.~~ See the official haproxy manual on transparent mode:

frontend ft_application
bind 1.1.1.1:80 transparent

• You are using an alternative routing table, but have you installed any routes in it?
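An added example, not code from the post or from the comments above: a POSIX shell audit that takes saved output of lsmod, iptables-save -t mangle, ip rule list and ip route show table 100 and reports which TPROXY prerequisite is missing. It uses the question's fwmark 0x6f and table 100; the function names are my own, and the local catch-all route in table 100 (ip route add local 0.0.0.0/0 dev lo table 100) is the standard TPROXY ingredient the last comment asks about.

```sh
#!/bin/sh
# Added example, not code from the original post or its comments.
# Offline audit of the policy-routing pieces a TPROXY/HAProxy setup needs.
# Each check takes captured command output as a string, so it runs against
# saved diagnostics without root. FWMARK/TABLE match the question (0x6f, 100).
FWMARK=0x6f
TABLE=100

# $1 = output of "lsmod". Succeeds if xt_TPROXY is loaded.
has_tproxy_module() {
    printf '%s\n' "$1" | grep -q '^xt_TPROXY '
}

# $1 = output of "iptables-save -t mangle". Succeeds if PREROUTING has a
# socket match jumping to a chain, and some rule sets MARK to FWMARK
# (the DIVERT pattern shown in the question).
has_divert_mark() {
    printf '%s\n' "$1" | grep -Eq -- "^-A PREROUTING .*-m socket .*-j [A-Za-z_]+" &&
    printf '%s\n' "$1" | grep -Eq -- "-j MARK --set-x?mark ${FWMARK}"
}

# $1 = output of "ip rule list". Succeeds if packets carrying FWMARK are
# sent to routing table TABLE.
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq "fwmark ${FWMARK}(/[0-9a-fx]+)? lookup ${TABLE}( |$)"
}

# $1 = output of "ip route show table $TABLE". Succeeds if the table holds
# the local catch-all route ("ip route add local 0.0.0.0/0 dev lo table 100")
# that hands marked packets to the local stack instead of forwarding them.
has_local_route() {
    printf '%s\n' "$1" | grep -Eq "^local (default|0\.0\.0\.0/0) dev lo"
}

# Runs every check, prints each missing piece, returns the number missing.
# Usage: tproxy_audit "$(ip rule list)" "$(ip route show table $TABLE)" \
#                     "$(iptables-save -t mangle)" "$(lsmod)"
tproxy_audit() {
    missing=0
    has_tproxy_module "$4" || { echo "missing: xt_TPROXY module";                       missing=$((missing+1)); }
    has_divert_mark   "$3" || { echo "missing: mangle socket -> MARK $FWMARK rule";      missing=$((missing+1)); }
    has_fwmark_rule   "$1" || { echo "missing: ip rule fwmark $FWMARK lookup $TABLE";    missing=$((missing+1)); }
    has_local_route   "$2" || { echo "missing: local 0.0.0.0/0 dev lo in table $TABLE"; missing=$((missing+1)); }
    return $missing
}
```

Run against the outputs captured in the question, the only item it reports is the table-100 route, which is exactly what the last comment asks about.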

Source: https://serverfault.com/questions/947226