I can access all of the websites without any problem, and our customers can place orders without difficulty, but at one of our locations, where many users are constantly hitting the site, they suddenly cannot connect to one of the frontend binds.
They are able to view the haproxy monitoring page and reach the sites on the other frontends.
Haproxy is under no load, and I have not enabled any configuration that would throttle traffic for any reason.
Does Amazon Linux or Haproxy have any kind of default firewall that would block a large number of connections from a single IP address?
Here is my config:
global
log 127.0.0.1 local1
#logs are saved in /var/log and rotated to not fill up.
#http://kvz.io/blog/2010/08/11/haproxy-logging/
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 50000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
#added to hopefully solve 400 bad request errors
option accept-invalid-http-request
timeout http-request 15s
timeout queue 1m
timeout connect 10s
timeout client 2m
timeout server 2m
timeout http-keep-alive 10s
timeout check 5s
retries 3
balance roundrobin
maxconn 100000
stats enable
#stats refresh 10s
stats uri /haproxy?stats
stats auth admin:Super187
monitor-uri /haproxy?monitor
frontend Websites_IN
bind 10.60.49.51:80 name http
bind 10.60.49.51:443 name https ssl crt /etc/haproxy/haproxy_ssl.pem
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
reqadd X-Forwarded-Port:\ 443 if { ssl_fc }
reqadd X-Forwarded-Proto:\ http if !{ ssl_fc }
reqadd X-Forwarded-Port:\ 80 if !{ ssl_fc }
acl host_Site1 hdr(host) -m dom -i www.site1.com
use_backend Website_Site1 if host_Site1
acl host_Site2 hdr(host) -m dom -i www.site2.com
use_backend Website_Site2 if host_Site2
backend Website_Site1
option httpchk GET /monitor/ HTTP/1.1\r\nHost:\ www.site1.com
http-check expect string OK
cookie SVRDJ insert indirect nocache
errorfile 503 /etc/haproxy/errors/503.http
server Web1ZoneD 10.60.17.72:80 cookie Web1ZoneD check inter 2000 rise 2 fall 2
server Web1ZoneE 10.60.42.156:80 cookie Web1ZoneE check inter 2000 rise 2 fall 2
server Web2ZoneD 10.60.27.94:80 cookie Web2ZoneD check inter 2000 rise 2 fall 2
server Web2ZoneE 10.60.35.129:80 cookie Web2ZoneE check inter 2000 rise 2 fall 2
backend Website_Site2
option httpchk GET /monitor/ HTTP/1.1\r\nHost:\ www.site2.com
http-check expect string OK
cookie SVRDJ2 insert indirect nocache
errorfile 503 /etc/haproxy/errors/503.http
server Web1ZoneD 10.60.17.72:80 cookie Web1ZoneD check inter 2000 rise 2 fall 2
server Web1ZoneE 10.60.42.156:80 cookie Web1ZoneE check inter 2000 rise 2 fall 2
server Web2ZoneD 10.60.27.94:80 cookie Web2ZoneD check inter 2000 rise 2 fall 2
server Web2ZoneE 10.60.35.129:80 cookie Web2ZoneE check inter 2000 rise 2 fall 2
Just to include more details...
The problem started a few days ago, after it had been working fine for two weeks. When it was first reported, I failed over to our backup server (2 separate HAproxy instances with similar configs) and it worked again for 15 hours. I tried reverting to a previously known working config, but nothing changed. I added a new ACL and backend to the frontend that is not working, and my users could then see the new domain (call it site3) but still could not see the other domains on the same frontend. Note that all sites are set up on the same group of servers using host headers. I have several other frontend sections on different IPs that work fine for the same users. I have some sites set to require basic auth; users get the auth popup but cannot get into the site.
I checked the load and found the server at under 20% CPU utilization and barely any RAM use. It is running on an m1.small ec2 instance.
I checked my iptables rules and found them empty. I can't even find the iptables logs on the server. How can I tell if the firewall is on or off?
Also, I have restarted each server multiple times and failed over, with the same result.
I have set up logging to use rsyslog with the following config:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
#Haproxy log stuff
#http://blog.hintcafe.com/post/33689067443/haproxy-logging-with-rsyslog-on-linux
$template Haproxy,"%msg%\n"
local1.=info -/var/log/haproxy/haproxy-info.log;Haproxy
local1.notice -/var/log/haproxy/haproxy-system.admin;Haproxy
# don't log anywhere else
local1.* ~
I think this should capture all HAproxy log data. I am also not sure how to enable debugging.
Wondering if I should update haproxy to the latest DEV version?
Here is the result of ps -Af, as requested in the comments.
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 02:19 ? 00:00:01 /sbin/init
root 2 0 0 02:19 ? 00:00:00 [kthreadd]
root 3 2 0 02:19 ? 00:00:00 [ksoftirqd/0]
root 4 2 0 02:19 ? 00:00:00 [kworker/0:0]
root 5 2 0 02:19 ? 00:00:00 [kworker/u:0]
root 6 2 0 02:19 ? 00:00:00 [migration/0]
root 7 2 0 02:19 ? 00:00:00 [cpuset]
root 8 2 0 02:19 ? 00:00:00 [khelper]
root 9 2 0 02:19 ? 00:00:00 [kdevtmpfs]
root 10 2 0 02:19 ? 00:00:00 [netns]
root 11 2 0 02:19 ? 00:00:00 [kworker/u:1]
root 15 2 0 02:19 ? 00:00:00 [xenwatch]
root 16 2 0 02:19 ? 00:00:01 [xenbus]
root 83 2 0 02:19 ? 00:00:00 [sync_supers]
root 85 2 0 02:19 ? 00:00:00 [bdi-default]
root 86 2 0 02:19 ? 00:00:00 [kintegrityd]
root 88 2 0 02:19 ? 00:00:00 [kblockd]
root 103 2 0 02:19 ? 00:00:00 [md]
root 201 2 0 02:19 ? 00:00:00 [khungtaskd]
root 206 2 0 02:19 ? 00:00:00 [kswapd0]
root 207 2 0 02:19 ? 00:00:00 [ksmd]
root 277 2 0 02:19 ? 00:00:00 [fsnotify_mark]
root 282 2 0 02:19 ? 00:00:00 [crypto]
root 289 2 0 02:19 ? 00:00:00 [kthrotld]
root 295 2 0 02:19 ? 00:00:00 [khvcd]
root 346 2 0 02:19 ? 00:00:02 [kworker/0:2]
root 355 2 0 02:19 ? 00:00:00 [deferwq]
root 628 2 0 02:19 ? 00:00:01 [jbd2/xvda1-8]
root 629 2 0 02:19 ? 00:00:00 [ext4-dio-unwrit]
root 668 1 0 02:19 ? 00:00:00 /sbin/udevd -d
root 777 668 0 02:19 ? 00:00:00 /sbin/udevd -d
root 787 668 0 02:19 ? 00:00:00 /sbin/udevd -d
root 1009 2 0 02:19 ? 00:00:00 [kauditd]
root 1130 2 0 02:19 ? 00:00:00 [flush-202:1]
root 1182 1 0 02:19 ? 00:00:00 /sbin/dhclient -q -lf /var/lib/dhclient/dhclient-eth
root 1225 1 0 02:19 ? 00:00:00 auditd
root 1240 1 0 02:19 ? 00:00:00 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
rpc 1264 1 0 02:19 ? 00:00:00 rpcbind
rpcuser 1281 1 0 02:19 ? 00:00:00 rpc.statd
root 1305 2 0 02:19 ? 00:00:00 [rpciod]
root 1308 1 0 02:19 ? 00:00:00 rpc.idmapd
root 1315 1 0 02:19 ? 00:00:07 ha_logd: read process
root 1318 1315 0 02:19 ? 00:00:06 ha_logd: write process
dbus 1338 1 0 02:19 ? 00:00:00 dbus-daemon --system
root 1383 1 0 02:19 ? 00:00:27 bash /etc/haproxy/hamonitor
root 1404 1 0 02:19 ? 00:00:00 /usr/sbin/sshd
ntp 1431 1 0 02:19 ? 00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
root 1446 1 0 02:19 ? 00:00:02 sendmail: accepting connections
smmsp 1453 1 0 02:19 ? 00:00:00 sendmail: Queue runner@01:00:00 for /var/spool/clien
haproxy 1465 1 0 02:19 ? 00:07:47 /usr/sbin/haproxy -D -f /etc/haproxy/haproxy.cfg -p
root 1473 1 0 02:19 ? 00:00:00 crond
root 1483 1 0 02:19 ? 00:00:00 /usr/sbin/atd
root 1503 1 0 02:19 tty1 00:00:00 /sbin/mingetty /dev/tty1
root 1507 1 0 02:19 tty2 00:00:00 /sbin/mingetty /dev/tty2
root 1509 1 0 02:19 tty3 00:00:00 /sbin/mingetty /dev/tty3
root 1511 1 0 02:19 hvc0 00:00:00 /sbin/agetty /dev/hvc0 38400 vt100-nav
root 1512 1 0 02:19 tty4 00:00:00 /sbin/mingetty /dev/tty4
root 1514 1 0 02:19 tty5 00:00:00 /sbin/mingetty /dev/tty5
root 1516 1 0 02:19 tty6 00:00:00 /sbin/mingetty /dev/tty6
root 11917 1404 0 15:57 ? 00:00:00 sshd: ec2-user [priv]
ec2-user 11921 11917 0 15:57 ? 00:00:00 sshd: ec2-user@pts/0
ec2-user 11922 11921 0 15:57 pts/0 00:00:00 -bash
root 11945 11922 0 15:57 pts/0 00:00:00 sudo -s
root 11946 11945 0 15:57 pts/0 00:00:00 /bin/bash
newrelic 13357 1 0 16:22 ? 00:00:00 /usr/sbin/nrsysmond -c /etc/newrelic/nrsysmond.cfg -
newrelic 13359 13357 0 16:22 ? 00:00:17 /usr/sbin/nrsysmond -c /etc/newrelic/nrsysmond.cfg -
root 30012 1383 0 21:40 ? 00:00:00 sleep 5
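With `option httplog` and the rsyslog template above, every request that reaches HAProxy is written to /var/log/haproxy/haproxy-info.log with the frontend, the backend/server chosen and a four-character termination state, which is the fastest way to tell whether the affected users' connections arrive at the proxy at all and where they are cut. The parser below is an added example, not code from the original question; the log lines in SAMPLE are constructed (the 203.0.113.5 and 198.51.100.9 client addresses are documentation addresses, not hosts from the page) and the 503/<NOSRV> and 504/sH-- lines stand for "no backend matched" and "server timeout" respectively.

```python
import re
from collections import Counter

# Matches the body of an HAProxy "option httplog" line. With the rsyslog
# template "%msg%\n" the file holds only the body; a syslog prefix is tolerated.
HTTPLOG_RE = re.compile(
    r'(?:.*haproxy\[\d+\]:\s*)?'
    r'(?P<client>\S+):(?P<cport>\d+) \[(?P<ts>[^\]]+)\] '
    r'(?P<frontend>[^~ ]+)~? '                     # trailing "~" marks an SSL bind
    r'(?P<backend>[^/ ]+)/(?P<server>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) '
    r'\S+ \S+ "(?P<request>[^"]*)"')

# First two termination-state characters: who ended the session, and what
# HAProxy was doing at that moment (HAProxy configuration manual, section 8.5).
TERM_CAUSE = {'-': 'normal', 'C': 'client aborted', 'S': 'server refused or none available',
              'P': 'proxy blocked/rejected', 'R': 'resource exhausted', 'I': 'internal error',
              'D': 'server marked down', 'c': 'client-side timeout', 's': 'server-side timeout'}
TERM_STATE = {'-': 'session complete', 'R': 'waiting for request', 'Q': 'queued',
              'C': 'connecting to server', 'H': 'waiting for response headers',
              'D': 'transferring data', 'L': 'sending last data', 'T': 'tarpitted'}

def parse_line(line):
    """Return the named fields of one httplog line, or None if it does not parse."""
    m = HTTPLOG_RE.match(line.strip())
    return m.groupdict() if m else None

def explain(d):
    cause = TERM_CAUSE.get(d['term'][0], 'unknown cause')
    state = TERM_STATE.get(d['term'][1], 'unknown state')
    return (f"{d['client']} -> {d['frontend']} -> {d['backend']}/{d['server']} "
            f"{d['status']}: {cause} while {state} ({d['request']})")

def summarize(lines):
    """Count requests per (client, frontend, backend/server, status, termination)
    and list those that never reached a server or ended abnormally."""
    counts, problems = Counter(), []
    for d in filter(None, map(parse_line, lines)):
        counts[(d['client'], d['frontend'], f"{d['backend']}/{d['server']}",
                d['status'], d['term'])] += 1
        if d['server'] == '<NOSRV>' or d['term'][0] != '-':
            problems.append(explain(d))
    return counts, problems

# Constructed sample lines (not real logs): a healthy hit, a request that
# matched no backend, a server timeout, and a healthy hit from another client.
SAMPLE = [
    ' 203.0.113.5:51234 [10/Jul/2013:16:22:01.123] Websites_IN Website_Site1/Web1ZoneD 0/0/1/12/13 200 1234 - - ---- 5/5/2/1/0 0/0 "GET /index.html HTTP/1.1"',
    ' 203.0.113.5:51235 [10/Jul/2013:16:22:02.456] Websites_IN~ Websites_IN/<NOSRV> 0/-1/-1/-1/0 503 212 - - SC-- 5/5/0/0/0 0/0 "GET / HTTP/1.1"',
    ' 203.0.113.5:51236 [10/Jul/2013:16:22:03.789] Websites_IN Website_Site2/Web2ZoneD 0/0/0/-1/15001 504 194 - - sH-- 4/4/1/1/0 0/0 "GET /login HTTP/1.1"',
    ' 198.51.100.9:40000 [10/Jul/2013:16:22:04.000] Websites_IN Website_Site1/Web1ZoneE 0/0/1/8/9 200 987 - - ---- 3/3/1/1/0 0/0 "GET /monitor/ HTTP/1.1"',
]
```

Run `summarize` over the real haproxy-info.log filtered to the affected office's public address: if their requests never appear, they are lost before HAProxy (security group, network path); if they appear with <NOSRV> or a non-"-" cause, the log line names the frontend and state where they fail.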