For detailed deployment steps, see the official documentation:
https://docs.openshift.com/container-platform/3.11/install_config/router/default_haproxy_router.html
2.2 The HAProxy process in the Router pod
In each pod of the Router service, the openshift-router process starts a haproxy process:
    UID         PID   PPID  C STIME TTY  TIME     CMD
    1000000+      1      0  0 Nov21 ?    00:14:27 /usr/bin/openshift-router
    1000000+  16011      1  0 12:42 ?    00:00:00 /usr/sbin/haproxy -f /var/lib/haproxy/conf/haproxy.config -p /var/lib/haproxy/run/haproxy.pid -x /var/lib/haproxy/run/haproxy.sock -sf 16004
The configuration file used by haproxy (excerpt only):
    global
      maxconn 20000
      daemon
      ca-base /etc/ssl
      crt-base /etc/ssl
    ...
    defaults
      maxconn 20000
      # Add x-forwarded-for header.
      # server openshift_backend 127.0.0.1:8080
      errorfile 503 /var/lib/haproxy/conf/error-page-503.http
    ...
      timeout http-request 10s
      timeout http-keep-alive 300s
      # Long timeout for WebSocket connections.
      timeout tunnel 1h

    frontend public
      bind :80
      mode http
      tcp-request inspect-delay 5s
      tcp-request content accept if HTTP
      monitor-uri /_______internal_router_healthz
      # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
      http-request del-header Proxy
      # DNS labels are case insensitive (RFC 4343), we need to convert the hostname into lowercase
      # before matching, or any requests containing uppercase characters will never match.
      http-request set-header Host %[req.hdr(Host),lower]
      # check if we need to redirect/force using https.
      acl secure_redirect base,map_reg(/var/lib/haproxy/conf/os_route_http_redirect.map) -m found
      redirect scheme https if secure_redirect
      use_backend %[base,map_reg(/var/lib/haproxy/conf/os_http_be.map)]
      default_backend openshift_default

    # public ssl accepts all connections and isn't checking certificates yet certificates to use will be
    # determined by the next backend in the chain which may be an app backend (passthrough termination) or a backend
    # that terminates encryption in this router (edge)
    frontend public_ssl
      bind :443
      tcp-request inspect-delay 5s
      tcp-request content accept if { req_ssl_hello_type 1 }
      # if the connection is SNI and the route is a passthrough don't use the termination backend, just use the tcp backend
      # for the SNI case, we also need to compare it in case-insensitive mode (by converting it to lowercase) as RFC 4343 says
      acl sni req.ssl_sni -m found
      acl sni_passthrough req.ssl_sni,lower,map_reg(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found
      use_backend %[req.ssl_sni,lower,map_reg(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough
      # if the route is SNI and NOT passthrough enter the termination flow
      use_backend be_sni if sni
      # non SNI requests should enter a default termination backend rather than the custom cert SNI backend since it
      # will not be able to match a cert to an SNI host
      default_backend be_no_sni
    ...
    backend be_edge_http:demoprojectone:jenkins
      mode http
      option redispatch
      option forwardfor
      balance leastconn
      timeout server 4m
      timeout check 5000ms
      http-request set-header X-Forwarded-Host %[req.hdr(host)]
      http-request set-header X-Forwarded-Port %[dst_port]
      http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
      http-request set-header X-Forwarded-Proto https if { ssl_fc }
      http-request set-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
      http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)];proto-version=%[req.hdr(X-Forwarded-Proto-Version)]
      cookie 4376ea64d7d0abf11209cfe5f7cca1e7 insert indirect nocache httponly secure
      server pod:jenkins-1-84nrt:jenkins:10.128.2.13:8080 10.128.2.13:8080 cookie 8669a19afc9f0fed6824feb9fb1cf4ac weight 256
    ...
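For simplicity, only part of the configuration file is shown above. It consists mainly of three types of configuration:
- Global configuration, such as the maximum number of connections (maxconn) and the timeouts (timeout); and the front part, that is, the frontend configuration. By default HAProxy listens on ports 443 and 80 for external https and http requests respectively.
- backend, that is, the backend configuration of each service. It holds much of the key content, such as the backend protocol (mode), the load-balancing method (balance), the backend list (server; here these are pods, with their IP addresses and ports), certificates, and so on.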
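The rule order of `frontend public_ssl` shown above decides which backend a TLS connection reaches. The following added example (not part of the original article or of the OpenShift router code) walks through that decision in Python. The map contents, the `secure.apps.example.com` host name and the `be_tcp:demoprojectone:secure` backend name are constructed for illustration, and Python's `re` module stands in for HAProxy's regex engine.

```python
import re

# Constructed sample map contents; "<regex> <value>" per line is an assumption.
SNI_PASSTHROUGH_MAP = r"""
^secure\.apps\.example\.com$ 1
"""
TCP_BE_MAP = r"""
^secure\.apps\.example\.com$ be_tcp:demoprojectone:secure
"""

def load_map(text):
    """Parse '<regex> <value>' lines into an ordered list of (compiled, value)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, value = line.split(None, 1)
            entries.append((re.compile(pattern), value))
    return entries

PASSTHROUGH = load_map(SNI_PASSTHROUGH_MAP)
TCP_BE = load_map(TCP_BE_MAP)

def map_reg(entries, sample):
    """Value of the first entry whose regex matches the sample, else None."""
    for regex, value in entries:
        if regex.search(sample):
            return value
    return None

def select_backend(sni):
    """Follow the rule order of 'frontend public_ssl' for one ClientHello SNI."""
    if not sni:                       # acl sni (req.ssl_sni -m found) is false
        return "be_no_sni"            # default_backend
    name = sni.lower()                # req.ssl_sni,lower
    if map_reg(PASSTHROUGH, name) is not None:   # acl sni_passthrough
        # A name that resolves to no backend falls through to default_backend.
        return map_reg(TCP_BE, name) or "be_no_sni"
    return "be_sni"                   # SNI present, route is not passthrough

if __name__ == "__main__":
    for sni in ("Secure.Apps.Example.COM", "jenkins.apps.example.com", None):
        print(repr(sni), "->", select_backend(sni))
```

Without the `lower` converter the mixed-case SNI would miss the passthrough map and be sent to `be_sni`, where the router would try to terminate TLS for a route that expects end-to-end encryption.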