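I have seen posts similar to my problem, but none of them seem relevant to my situation. I have had roughly the same HAProxy configuration for the past 3 months without any issues. The servers were protected by 2 firewalls and were not accessible from the internet (the firewalls were configured to allow http/s access from my HQ IP). Last week I opened it to the world and ran a lot of stress tests, and everything seemed fine. A few hours after the tests completed, my frontend server was not responding, and I could not even load the stats page.
Checking my monitoring system showed no high CPU, RAM, or bandwidth. Although the stats page would not load, I monitor the stats page from my SNMP monitoring system and could see that the maximum number of concurrent connections for the whole HAProxy server was about 700, not even close to the global maxconn of 10000 (fullconn is also 10000).
Restarting the HAProxy service solved the problem only temporarily, as it came back a few hours later.
I currently have HAProxy 1.5.3 installed, and although I have read http://www.haproxy.org/download/1.5/src/CHANGELOG, I am not sure whether this problem is solved in later versions.
Any help on this issue would be welcome.
Here is my configuration: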
global
    log 127.0.0.1 local0
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 10000
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048
    stats socket /etc/haproxy/haproxysock level admin
    stats socket /var/run/haproxy.stat mode 666
#---------------------------------------------------------------------
# Defaults
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 5s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 10000
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
    bind *:80
    bind site1.app.company.com:443 ssl crt /etc/haproxy/ssl/app/apppublic.pem no-sslv3
    bind site2.company.com:443 ssl crt /etc/haproxy/ssl/public.pem no-sslv3
    bind site3.company.net:443 ssl crt /etc/haproxy/ssl/net.pem no-sslv3
    redirect scheme https code 301 if !{ ssl_fc }
    acl rule1 hdr_dom(host) -i site1.app.company.com
    use_backend site1 if rule1
    acl rule2 hdr_dom(host) -i site2.company.com
    use_backend site2 if rule2
    acl rule3 hdr_dom(host) -i site3.company.net
    use_backend site3 if rule3
    default_backend site1
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend site1
    mode http
    fullconn 10000
    balance roundrobin
    option httpclose
    option forwardfor
    cookie SERVERID insert indirect nocache
    server Server1 1.1.1.1:443 cookie A check ssl verify none
    server Server2 2.2.2.1:443 cookie B check ssl verify none
backend wwwsest
    mode http
    fullconn 10000
    balance roundrobin
    option httpclose
    option forwardfor
    cookie SERVERID insert indirect nocache
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    server Server1 1.1.1.2:443 cookie A check ssl verify none inter 3000 fall 2 rise 2
    server Server2 2.2.2.2:443 cookie B check ssl verify none inter 3000 fall 2 rise 2
backend internalst
    mode http
    fullconn 10000
    balance roundrobin
    option httpclose
    option forwardfor
    cookie SERVERID insert indirect nocache
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    server Server1 10.0.0.1:443 cookie A check ssl verify none inter 3000 fall 2 rise 2
    server Server2 10.0.0.2:443 cookie B check ssl verify none inter 3000 fall 2 rise 2
#Statistics server:
listen stats *:1936
    bind *:1936 ssl crt /etc/haproxy/ssl/app/apppublic.pem
    stats enable
    stats uri /
    stats hide-version
    stats refresh 30s
    stats auth admin:********