Keepalived high availability

1. Microservices: each module runs on its own and can be called by other programs through a standard interface. A Docker container runs one simple program; a container orchestration system then takes the containers running on the various machines and schedules them across the cluster. The orchestrator monitors the state of the program inside each container and restarts it automatically when it stops, which simplifies operations: maintenance shifts to the orchestration system itself.
2. The three core operations tasks: releases (swapping code), changes (adding or removing machines, changing configuration files, etc.) and incident handling.
3. Configuration file management: manual management --> a version control system --> a configuration center; each step raises efficiency.
4. Data storage: unstructured, semi-structured and structured data.
    Unstructured data: can only be placed in a file system or in object storage.
    File system: an inode table, inodes and blocks; metadata and content data are kept separately.
    Drawbacks of a file system:
        Metadata is managed centrally; if it is lost, everything is lost.
        Efficiency drops badly once the amount of data becomes very large.
    Object storage: metadata and content data are stored together; every file is an object.
    Drawbacks: it is not a file system structure and has no central metadata, so it cannot be mounted; it can only be accessed from an application client through the API.
    Images are usually kept in a distributed object storage system.
    Semi-structured data: stored in key-value (NoSQL) systems, where key and value are stored together, whereas MySQL stores them separately. Example: forum posts. NoSQL systems are designed around the CAP theorem (consistency, availability, partition tolerance: a distributed system cannot fully guarantee all three at once), and most of them are distributed systems.
    Structured data: stored in a relational database, e.g. transactions, with strict transaction semantics.
5. SRE: site reliability engineer, a role from Google; steers the direction of operations, builds usable tooling and avoids human intervention wherever possible.
6. The four layers up to and including the transport layer are implemented in kernel space; the application layer is implemented in user space. httpd, for instance, is a user-space daemon that asks the kernel to register a socket listening on port 80 and then waits for requests. When a request arrives at the kernel it is decapsulated layer by layer until it reaches the socket on port 80; if it matches, the process responds. In this model, listening on a port is something a user-space process asks the kernel to do on its behalf; the kernel's own packet-forwarding paths (such as LVS) do not listen on a port.
7. HAProxy runs in user space, so it cannot forward packets the way LVS does: even in TCP mode it is a "pseudo layer 4" proxy that must register a listening socket, accept the client's connection and open its own connection to the backend.
8. HTTPS is expensive and slow. Behind a layer-4 balancer such as LVS the TLS session runs end to end between the client and the backend server, so caches in the path cannot see the content, and every backend server needs its own certificate and private key.
9. TLS offloading (session offloading): encrypt only between the client and the load balancer and send plaintext from the balancer to the backends. This requires the balancer to do layer-7 scheduling. Caveat: the backend network then carries plaintext, so it must be a trusted segment, or the balancer must re-encrypt towards the backends.
Lab: HAProxy scheduling (health checking is on by default once "check" is set on each server)
(1) Machine A, the scheduler, IP 172.18.62.61
    yum install haproxy
    vim /etc/haproxy/haproxy.cfg
        global
            log 127.0.0.1 local5      # "log" belongs in global (or as "log global" in defaults), not inside a backend

        frontend websrvs
            bind *:80
            default_backend mywebsrvs

        backend mywebsrvs
            balance roundrobin
            server srv1 172.18.62.60:80 check
            server srv2 172.18.62.63:80 check
    vim /etc/rsyslog.conf           # set up logging
        $ModLoad imudp                # uncomment
        $UDPServerRun 514
        local5.* /var/log/haproxy.log
    systemctl restart haproxy
    systemctl restart rsyslog
    tail -f /var/log/haproxy.log

(2) Machine B, IP 172.18.62.60
    echo RS1 > /var/www/html/index.html
    systemctl start httpd
(3) Machine C, IP 172.18.62.63
    echo RS2 > /var/www/html/index.html
    systemctl start httpd
(4) Machine D, the client, IP 172.18.62.50
    for i in {1..1000};do sleep 0.5;curl 172.18.62.61;done
Stop httpd on one RS and the requests move to the other RS almost at once. Note that with the default check settings (inter 2000 ms, fall 3) it takes several seconds before the server is formally marked DOWN; in the meantime a failed connection is only re-dispatched to another server if "option redispatch" is enabled (the stock haproxy.cfg shipped with the CentOS package enables it).
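The complete configuration file for the lab above, as an added example written for this page (it is not the course's own file, nor one shipped by the HAProxy project). The addresses are the lab's (172.18.62.61 scheduler, .60 and .63 real servers); the "haproxy" user and group, the chroot path and the stats socket path are assumptions that match the CentOS package layout:

```haproxy
# /etc/haproxy/haproxy.cfg for the lab: added example, assumed paths/user
global
    log         127.0.0.1 local5           # to local rsyslog: local5.* -> /var/log/haproxy.log
    chroot      /var/lib/haproxy           # assumed path
    user        haproxy                    # drop privileges after binding :80
    group       haproxy
    daemon
    maxconn     4000
    # local admin socket, root-only; use "echo 'show stat' | socat stdio unix:/var/lib/haproxy/stats"
    stats socket /var/lib/haproxy/stats mode 600 level admin

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option                  forwardfor except 127.0.0.0/8
    option                  redispatch     # retry a failed connection on another server
    retries                 3
    timeout connect         5s
    timeout client          50s
    timeout server          50s
    timeout http-request    10s            # clients that trickle headers are cut off

frontend websrvs
    bind *:80
    default_backend mywebsrvs

backend mywebsrvs
    balance roundrobin
    # default check is a TCP connect every 2 s; DOWN after 3 failures, UP again after 2 successes
    server srv1 172.18.62.60:80 check inter 2000 fall 3 rise 2
    server srv2 172.18.62.63:80 check inter 2000 fall 3 rise 2
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` before restarting so a typo does not take the balancer down. On the rsyslog side, add `$UDPServerAddress 127.0.0.1` before `$UDPServerRun 514`: the lab as written opens UDP/514 on every interface, which lets any host on the network inject forged lines into /var/log/haproxy.log.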
10. Docker: the process a container runs must stay in the foreground (a process that daemonizes exits, and the container stops with it).
HAProxy:

LB Cluster:
    layer 4:
        lvs, nginx (stream), haproxy (mode tcp)
    layer 7:
        http: nginx (http, ngx_http_upstream_module), haproxy (mode http), httpd, ats, perlbal, pound...

HAProxy:
    http://www.haproxy.org
    http://www.haproxy.com

    Documentation:
        http://cbonte.github.io/haproxy-dconv/

    From the project description: HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can:
        - route HTTP requests depending on statically assigned cookies
        - spread load among several servers while assuring server persistence through the use of HTTP cookies
        - switch to backup servers in the event a main server fails
        - accept connections to special ports dedicated to service monitoring
        - stop accepting connections without breaking existing ones
        - add, modify, and delete HTTP headers in both directions
        - block requests matching particular patterns
        - report detailed status to authenticated users from a URI intercepted by the application

    Versions: 1.4, 1.5, 1.6, 1.7

    Program environment:
        main program: /usr/sbin/haproxy
        main configuration file: /etc/haproxy/haproxy.cfg
        unit file: /usr/lib/systemd/system/haproxy.service

    Configuration sections:
        global: global section
            process and security parameters
            performance tuning parameters
            debug parameters
            user lists
            peers
        proxies: proxy sections
            defaults: default settings for frontend, listen and backend
            frontend: the front end, comparable to an nginx server {} block
            backend: the back end, comparable to an nginx upstream {} block
            listen: frontend and backend combined in one section
        Minimal configuration example:
            frontend web
                bind *:80
                default_backend     websrvs

            backend websrvs
                balance roundrobin
                server srv1 172.16.100.6:80 check
                server srv2 172.16.100.7:80 check

        global parameters:
            process and security management: chroot, daemon, user, group, uid, gid
                Run haproxy as an unprivileged user inside a chroot; it binds privileged ports and reads certificate files as root, then drops privileges.

                log: defines the global syslog server(s); at most two log lines may be defined;
                    log <address> [len <length>] <facility> [max level [min level]]

                nbproc <number>: number of haproxy processes to start;
                ulimit-n <number>: maximum number of open files per haproxy process; every socket needs a file descriptor, i.e. an open file that tracks the connection state; haproxy derives a suitable value from maxconn automatically, so this rarely needs setting;
                ulimit: the general mechanism for limiting core resource usage;
            performance tuning:
                maxconn <number>: Sets the maximum per-process number of concurrent connections to <number>.
                    total concurrent connections = nbproc * maxconn
                maxconnrate <number>: Sets the maximum per-process number of connections per second to <number>. Protects against a sudden burst of connection requests that would exhaust file descriptors and memory and overload the server.
                maxsessrate <number>: the maximum per-process number of sessions per second;
                maxsslconn <number>: Sets the maximum per-process number of concurrent SSL connections to <number>.
                spread-checks <0..50, in percent>: spread the health checks by advancing or delaying each one by a random amount of up to the given percentage of its interval, so the checks do not all fire at the same moment

        Proxy sections:
            - defaults <name>
            - frontend <name>
            - backend  <name>
            - listen   <name>

            A "frontend" section describes a set of listening sockets accepting client connections. (carries the client-side connections)
            A "backend" section describes a set of servers to which the proxy will connect to forward incoming connections. (carries the server-side connections)
            A "listen" section defines a complete proxy with its frontend and backend parts combined in one section. It is generally useful for TCP-only traffic. <name> is the identifier of the section.

            All proxy names must be formed from upper and lower case letters, digits, '-' (dash), '_' (underscore), '.' (dot) and ':' (colon). Names are case-sensitive.

            Parameters:

            bind: Define one or several listening addresses and/or ports in a frontend.
                bind [<address>]:<port_range> [, ...] [param*]

                listen http_proxy
                    bind :80,:443
                    bind 10.0.0.1:10080,10.0.0.1:10443
                    bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy

                Two kinds of sockets: IP sockets (address:port) and Unix domain sockets. A Unix domain socket is IPC and is only reachable from the same machine. "accept-proxy" makes haproxy trust a PROXY protocol header from whoever connects, so it belongs only on sockets that nothing but a trusted upstream proxy can reach.
                bind is only valid in frontend and listen sections; see the documentation:
                http://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4.1
            balance: the scheduling algorithm among the servers of a backend
                balance <algorithm> [ <arguments> ]
                balance url_param <param> [check_post]
                Per the documentation it may be set in defaults, backend and listen sections.
                Algorithms:
                    roundrobin: Each server is used in turns, according to their weights.
                        server option: weight #
                        A dynamic algorithm: weights can be adjusted at runtime without disturbing the overall distribution, and it supports slow start, i.e. a newly added server is fed connections gradually until it reaches its configured weight, without restarting the service; at most 4095 servers per backend.
                    static-rr:
                        A static algorithm: no runtime weight changes and no slow start; no upper limit on the number of servers.
                    leastconn:
                        The server with the fewest connections gets the next one; recommended for long sessions such as MySQL or LDAP. Dynamic.
                    first:
                        Servers are used in the order in which they appear in the list; a new request goes to the next server only when the preceding server's connection count has reached its maxconn.
                    source: hash of the source address, so the same client address always reaches the same server as long as the server set does not change. For the hash-based algorithms (source, uri, url_param, hdr, rdp-cookie) whether the algorithm is static or dynamic depends on hash-type:
                        map-based (hash modulo total weight): static;
                        consistent hashing: dynamic;
                        Cookie-based persistence is better but needs layer-7 scheduling; none of these helps when the chosen backend server dies, so a stateful application needs one of:
                            session stickiness, e.g. via cookies;
                            a session replication cluster, where sessions are copied between the backend servers;
                            a session server, a central store responsible for keeping sessions.
                    uri:
                        Hashes the left part of the URI, divides by the total server weight and dispatches to the selected server; useful in front of caches so the same URL always hits the same cache.
                        <scheme>://<user>:<password>@<host>:<port>/<path>;<params>?<query>#<frag>
                        left part: /<path>;<params>
                        whole URI: /<path>;<params>?<query>#<frag>

                    url_param: hashes the value of the named parameter in the <query> part of the requested URI (or in the POST body with check_post), divides by the total server weight and dispatches to the selected server; typically used to track a user so that requests from the same user always go to the same backend server.

                    hdr(<name>): for every HTTP request the header named <name> is extracted and hashed, divided by the total server weight and dispatched to the selected server; requests without a valid value are round-robined.
                        hdr(Cookie) is commonly used and gives fine-grained control; each browser's cookies are different, even two profiles of the same browser have different cookies.
                    rdp-cookie
                    rdp-cookie(<name>): hashes the RDP cookie (mstshash) for Remote Desktop persistence

                hash-type: how the hash value is mapped to a server
                    hash-type <method> <function> <modifier>
                        map-based: hash modulo total weight; the hash structure is a static array, so adding or removing a server remaps most keys;
                        consistent: consistent hashing; the hash structure is a tree, so a server change remaps only the keys that belonged to that server;

                    <function> is the hash function to be used:
                        sdbm
                        djb2
                        wt6

                default_backend <backend>
                    sets the default backend; used in a frontend;
                default-server [param*]
                    sets default options for every server in the backend;
                server <name> <address>[:[port]] [param*]
                    defines a backend server and its options;
                    server <name> <address>[:port] [settings ...]
                    default-server [settings ...]
                    <name>: the server's internal name in haproxy; appears in logs and warnings;
                    <address>: server address; hostnames are allowed;
                    [:[port]]: port mapping; when omitted, the port the client connected to is used;
                    [param*]: parameters
                        maxconn <maxconn>: maximum concurrent connections for this server;
                        backlog <backlog>: length of the queue used once this server's connection count reaches its limit; size it from load testing;
                        backup: mark this server as a backup server;
                        check: perform health checks on this server;
                        addr: IP address to use for the check; lets you check a different address of the same machine;
                        port: port to check;
                        inter <delay>: interval between two consecutive checks, default 2000 ms;
                        rise <count>: number of consecutive successful checks before the server is marked up; default 2;
                        fall <count>: number of consecutive failed checks before the server is marked down; default 3;
                        There are three kinds of health check: network-layer, transport-layer and application-layer. A network-layer check is just a ping and is not very accurate; a transport-layer check connects to the port, which proves the service is still listening; an application-layer check is the most accurate, since it actually fetches a page or resource.
                        Note: httpchk, "smtpchk", "mysql-check", "pgsql-check" and "ssl-hello-chk" define application-layer check methods;

                        cookie <value>: the cookie value for this server, used for cookie-based session stickiness;
                        disabled: mark the server as unavailable;
                        on-error <mode>: what to do when an error is seen on a backend server;
                            - fastinter: force fastinter (re-check quickly)
                            - fail-check: simulate a failed check, also forces fastinter (default)
                            - sudden-death: simulate a pre-fatal failed health check, one more failed check will mark a server down, forces fastinter
                            - mark-down: mark the server immediately down and force fastinter
                        redir <prefix>: redirect all GET and HEAD requests destined for this server to the given URL prefix;
                        weight <weight>: weight, default 1;

                    State transitions with the default rise/fall values:
                        OK --> PROBLEM                              a single failure does not change the state
                        OK --> PROBLEM --> PROBLEM --> PROBLEM      three consecutive failures (fall=3) mark the server DOWN
                        PROBLEM --> OK --> OK                       two consecutive successes (rise=2) mark it UP again
    
                Parameters for enabling the statistics interface:
                    stats enable
                        enables the stats page with the default parameters:
                            - stats uri : /haproxy?stats
                            - stats realm : "HAProxy Statistics"
                            - stats auth : no authentication
                            - stats scope : no restriction

                    stats auth <user>:<passwd>
                        credentials for authentication; may be given several times;

                    stats realm <realm>
                        realm shown during authentication;

                    stats uri <prefix>
                        custom stats page URI

                    stats refresh <delay>
                        auto-refresh interval;

                    stats admin { if | unless } <cond>
                        enables the administrative functions of the stats page (enabling, disabling and draining servers) when the condition matches

                    Example:
                        listen stats
                            bind :9099
                            stats enable
                            stats realm HAProxy\ Stats\ Page
                            stats auth admin:admin
                            stats admin if TRUE
                    Caveat: with "stats admin if TRUE" anyone who authenticates can take servers out of service, and this listener is on every interface, with a trivial password, over plain HTTP (basic auth sends the password in the clear). Bind it to a management address, use a strong password and restrict "stats admin" with an ACL.
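The stats section from the example above next to a hardened one, as an added example written for this page (not the course's configuration). 10.0.0.10 and 10.0.0.0/24 are an assumed management interface and network; the path, realm and credentials are illustrative:

```haproxy
# Added example. Weak form (kept as comments): every interface, version
# banner shown, and anyone who guesses admin:admin can disable or drain servers.
#listen stats
#    bind :9099
#    stats enable
#    stats auth admin:admin
#    stats admin if TRUE

# Hardened form
listen stats
    bind 10.0.0.10:9099                      # management address only, never the public VIP (assumed)
    mode http
    stats enable
    stats uri /haproxy-stats                 # not the default /haproxy?stats
    stats realm HAProxy\ Stats\ Page
    stats hide-version                       # do not advertise the exact version to a scanner
    stats auth ops:Use-a-long-random-secret  # stored in clear text: chmod 600 haproxy.cfg
    stats refresh 30s
    stats show-legends
    acl mgmt_net src 10.0.0.0/24             # assumed management network
    stats admin if mgmt_net                  # enable/disable buttons only from the management net
    timeout client 30s
```

Basic auth still travels in clear text, so if the management network is not physically isolated put the listener behind TLS (`bind 10.0.0.10:9099 ssl crt ...`) as in the HTTPS section later on this page, or reach it through the local `stats socket` instead.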
    
                maxconn <conns>: maximum concurrent connections for the frontend; default 2000;
                    Fix the maximum number of concurrent connections on a frontend.

                mode { tcp|http|health }
                    defines haproxy's working mode;
                        tcp: layer-4 proxying; can proxy MySQL, PostgreSQL, SSH, SSL and other protocols;
                        http: used only when the proxied protocol is HTTP;
                        health: health-check responder mode; replies "OK" to an incoming connection and then closes it;

                    Example:
                        listen ssh
                            bind :22022
                            balance leastconn
                            mode tcp
                            server sshsrv1 172.16.100.6:22 check
                            server sshsrv2 172.16.100.7:22 check
    
                cookie <name> [ rewrite | insert | prefix ] [ indirect ] [ nocache ] [ postonly ] [ preserve ] [ httponly ] [ secure ] [ domain <domain> ]* [ maxidle <idle> ] [ maxlife <life> ]
                    <name>: is the name of the cookie which will be monitored, modified or inserted in order to bring persistence.
                        rewrite: rewrite the value of a cookie the application already sets;
                        insert: insert a new cookie set by haproxy;
                        prefix: prepend the server id to an existing application cookie;
                        indirect: haproxy strips the cookie before forwarding the request, so the backend never sees it; nocache: marks the response carrying Set-Cookie as non-cacheable; httponly / secure: add the corresponding cookie attributes, so page scripts cannot read the cookie and browsers send it only over TLS.

                    Cookie-based session stickiness:
                        backend websrvs
                            cookie WEBSRV insert nocache indirect
                            server srv1 172.16.100.6:80 weight 2 check rise 1 fall 2 maxconn 3000 cookie srv1
                            server srv2 172.16.100.7:80 weight 1 check rise 1 fall 2 maxconn 3000 cookie srv2
                            Note: the cookie binds the session, but curl does not store or send cookies by default, so test with a browser or with curl -c/-b and a cookie jar.
    
                option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
                    Enable insertion of the X-Forwarded-For header to requests sent to servers

                    Adds an "X-Forwarded-For" header, whose value is the client's address, to the requests haproxy sends to the backend hosts; used to pass the real client IP to the backend. The value is appended to any X-Forwarded-For the client already sent, so the backend must read the last (haproxy-added) value rather than the first, or a client can spoof its own address.
                        [ except <network> ]: do not add the header when the request comes from this network;
                        [ header <name> ]: use a custom header name instead of "X-Forwarded-For";
                        [ if-none ]: add the header only when the request does not already carry one (not for a public frontend: a client could then supply its own);
                    Example:

    vim haproxy.cfg    # frontend / defaults side
    defaults
        option forwardfor except 127.0.0.0/8
    vim /etc/httpd/conf/httpd.conf    # real-server side
        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    systemctl reload httpd
    tail /var/log/httpd/access_log    # the log now shows the real client IP
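The cookie persistence and X-Forwarded-For settings from the two sections above, combined into one frontend/backend pair with the flags a security reviewer would ask for. This is an added example written for this page, not the course's configuration; the 172.16.100.x servers are the page's, while 203.0.113.0/24 (a documentation range) stands in for an assumed trusted upstream proxy such as a CDN:

```haproxy
# Added example: spoof-resistant X-Forwarded-For plus hardened persistence cookie
frontend web
    bind *:80
    # A client can send its own X-Forwarded-For and "option forwardfor" only appends
    # to it. Strip the client-supplied header unless it arrives from a proxy we trust,
    # so the backend sees exactly one address per hop.
    acl from_trusted_proxy src 203.0.113.0/24            # assumed upstream proxy range
    http-request del-header X-Forwarded-For unless from_trusted_proxy
    option forwardfor except 127.0.0.0/8                 # now appends the real source
    default_backend websrvs

backend websrvs
    balance roundrobin
    # "indirect": the backend never sees SRVID; "nocache": the Set-Cookie response is
    # not cached; "httponly": no script access; "secure": only sent over TLS, so this
    # line is meaningful once the site is served on a "bind ... ssl" listener.
    cookie SRVID insert indirect nocache httponly secure
    # Cookie values are opaque labels (s1/s2), not the backend addresses.
    server srv1 172.16.100.6:80 weight 2 check rise 1 fall 2 maxconn 3000 cookie s1
    server srv2 172.16.100.7:80 weight 1 check rise 1 fall 2 maxconn 3000 cookie s2
```

To watch the stickiness from a shell, give curl a cookie jar: `curl -c jar -b jar http://<frontend>/` returns the same RS on every call, while plain `curl http://<frontend>/` keeps alternating because it sends no cookie. Adding the `secure` flag before the site actually serves TLS makes browsers drop the cookie, so persistence would silently stop working on plain HTTP.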

                errorfile <code> <file>
                    Return a file contents instead of errors generated by HAProxy

                    <code>: is the HTTP status code. Currently, HAProxy is capable of generating codes 200, 400, 403, 408, 500, 502, 503, and 504.
                    There is no 404 because a 404 is produced by the real server, not by haproxy, and errorfile only replaces haproxy's own error responses.
                    <file>: designates a file containing the full HTTP response (status line, headers, blank line and body, not just an HTML fragment).

                    Examples:
                        errorfile 400 /etc/haproxy/errorfiles/400badreq.http
                        errorfile 408 /dev/null  # workaround Chrome pre-connect bug
                        errorfile 403 /etc/haproxy/errorfiles/403forbid.http
                        errorfile 503 /etc/haproxy/errorfiles/503sorry.http

                errorloc <code> <url>
                errorloc302 <code> <url>
                    redirect the client to <url> instead of returning the error page (errorloc is the same as errorloc302; errorloc303 uses a 303):

                    errorloc 403 http://www.magedu.com/error_pages/403.html

                reqadd  <string> [{if | unless} <cond>]
                    Add a header at the end of the HTTP request

                rspadd <string> [{if | unless} <cond>]
                    Add a header at the end of the HTTP response

                    rspadd X-Via:\ HAProxy
                    adds a header to the response as haproxy forwards it; haproxy cannot add it any earlier, because the response is generated by the real server;
                reqdel <search> [{if | unless} <cond>]
                reqidel <search> [{if | unless} <cond>] (ignore case)
                    Delete all headers matching a regular expression in an HTTP request
                    (the "i" variants match case-insensitively)
                rspdel <search> [{if | unless} <cond>]
                rspidel <search> [{if | unless} <cond>] (ignore case)
                    Delete all headers matching a regular expression in an HTTP response

                    rspidel ^Server:.*    # hide the backend's Server header; anchor the regex, since a bare "Server.*" also matches any header whose value contains "Server"
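Response header hygiene built from the reqadd/rspadd/rspidel directives just described, as an added example for this page (not from the course or the HAProxy project). It uses the 1.x `rsp*` forms the page covers, and the `http-response` form for the extra headers, which needs HAProxy 1.5 or later; header values are illustrative:

```haproxy
# Added example: strip fingerprinting headers, add browser hardening headers
frontend web
    bind *:80
    default_backend websrvs

    # 1.x regex form, anchored so only the header *name* is matched
    rspidel ^Server:.*
    rspidel ^X-Powered-By:.*
    rspadd  X-Via:\ HAProxy

    # Same goal, rule form (1.5+): no regex to get wrong, and conditions work
    http-response del-header X-AspNet-Version
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header Referrer-Policy no-referrer-when-downgrade

    # Request side: drop hop-by-hop debug headers a client should not be able to set
    reqidel ^X-Debug:.*

backend websrvs
    balance roundrobin
    server srv1 172.16.100.6:80 check
    server srv2 172.16.100.7:80 check
```

`set-header` replaces any value the backend already sent, which is what you want for policy headers; `rspadd`/`add-header` would leave a second copy in place, and browsers treat duplicated security headers inconsistently. Check the result with `curl -sI http://<frontend>/` and confirm the Server line is gone and each policy header appears exactly once.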
    
            Logging:
                log:
                    log global
                    log <address> [len <length>] <facility> [<level> [<minlevel>]]
                    no log

                    Note:
                        logs go to the local syslog server by default; on the rsyslog side:
                            (1) local2.*      /var/log/local2.log
                            (2) $ModLoad imudp
                                $UDPServerRun 514

                log-format <string>:
                    Exercise: use the documentation to produce combined-format log records

                capture cookie <name> len <length>
                    Capture and log a cookie in the request and in the response.

                capture request header <name> len <length>
                    Capture and log the last occurrence of the specified request header.

                    capture request header X-Forwarded-For len 15

                capture response header <name> len <length>
                    Capture and log the last occurrence of the specified response header.

                    capture response header Content-length len 9
                    capture response header Location len 15
    
            Enabling compression for given MIME types:
                compression algo <algorithm> ...: enables HTTP compression; the algorithms are gzip and deflate;
                compression type <mime type> ...: the MIME types to compress; text types are the usual candidates. Do not compress responses that mix a secret (session token, CSRF token) with attacker-controlled input: the BREACH attack recovers the secret from the compressed length.

            HTTP health checks of the backend servers:
                option httpchk             # layer-7 check
                option httpchk <uri>
                option httpchk <method> <uri>
                option httpchk <method> <uri> <version>
                    defines an HTTP-based layer-7 health check; without it, "check" only tests that a TCP connection succeeds;

                http-check expect [!] <match> <pattern>
                    Make HTTP health checks consider response contents or specific status codes.
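Layer-7 checks for the web backend and a protocol-level check for a MySQL backend, as an added example for this page (not the course's configuration). The /healthz path, the Host value, the 172.16.100.8/.9 database addresses and the `hc` MySQL account are assumptions:

```haproxy
# Added example: application-layer health checks
backend websrvs
    balance roundrobin
    # HTTP/1.1 requires a Host header; "\r\n" separates header lines inside the string
    option httpchk GET /healthz HTTP/1.1\r\nHost:\ www.example.com
    # Only a 200 counts as healthy: a 302 to a login page or a 500 marks the server down
    http-check expect status 200
    # Check every 3 s; once DOWN, re-check every 1 s so recovery is noticed quickly
    default-server inter 3s downinter 1s fall 3 rise 2
    server srv1 172.16.100.6:80 check
    server srv2 172.16.100.7:80 check

listen mysql
    bind 127.0.0.1:3306          # only applications on this host; keep tcp mode
    mode tcp
    balance leastconn
    # Real MySQL handshake instead of a bare TCP connect. The "hc" user needs no
    # password and no privileges: CREATE USER 'hc'@'<haproxy-ip>';
    option mysql-check user hc
    server db1 172.16.100.8:3306 check inter 5s
    server db2 172.16.100.9:3306 check inter 5s backup
```

Keep the health-check user unprivileged and restricted to the balancer's address: the check logs in on every interval, and an account with grants would turn the balancer into an attack path into the database. After changing `option httpchk`, watch the stats page or `echo 'show stat' | socat stdio unix:/var/lib/haproxy/stats` for each server's check status before trusting the change.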
    
            Timeouts:
                timeout client <timeout>
                    Set the maximum inactivity time on the client side. The default unit is milliseconds;

                timeout server <timeout>
                    Set the maximum inactivity time on the server side.

                timeout http-keep-alive <timeout>
                    how long an idle keep-alive connection is retained;

                timeout http-request <timeout>
                    Set the maximum allowed time to wait for a complete HTTP request (protects against clients that send headers slowly to hold connections open)

                timeout connect <timeout>
                    Set the maximum time to wait for a connection attempt to a server to succeed.

                timeout client-fin <timeout>
                    Set the inactivity timeout on the client side for half-closed connections.

                timeout server-fin <timeout>
                    Set the inactivity timeout on the server side for half-closed connections.
    
                use_backend <backend> [{if | unless} <condition>]
                    Switch to a specific backend if/unless an ACL-based condition is matched.
                    use the given backend when the condition matches;

                block { if | unless } <condition>
                    Block a layer 7 request if/unless a condition is matched (answers with a 403)

                    acl invalid_src src 172.16.200.2
                    block if invalid_src
                    errorfile 403 /etc/fstab    # classroom demo only: the file must be a complete HTTP response, and serving a system file to blocked clients discloses host information

                http-request { allow | deny } [ { if | unless } <condition> ]
                    Access control for Layer 7 requests (the newer form of block)

                tcp-request connection {accept|reject}  [{if | unless} <condition>]
                    Perform an action on an incoming connection depending on a layer 4 condition

                    Example:
                        listen ssh
                            bind :22022
                            balance leastconn
                            acl invalid_src src 172.16.200.2
                            tcp-request connection reject if invalid_src
                            mode tcp
                            server sshsrv1 172.16.100.6:22 check
                            server sshsrv2 172.16.100.7:22 check backup

    acl:
    The use of Access Control Lists (ACL) provides a flexible solution to perform content switching and generally to take decisions based on content extracted from the request, the response or any environmental status.

    acl <aclname> <criterion> [flags] [operator] [<value>] ...
        <aclname>: ACL names must be formed from upper and lower case letters, digits, '-' (dash), '_' (underscore), '.' (dot) and ':' (colon). ACL names are case-sensitive.

        Types of <value>:
            - boolean
            - integer or integer range
            - IP address / network
            - string (exact, substring, suffix, prefix, subdir, domain)
            - regular expression
            - hex block

        <flags>
            -i : ignore case during matching of all subsequent patterns.
            -m : use a specific pattern matching method
            -n : forbid the DNS resolutions
            -u : force the unique id of the ACL
            -- : force end of flags. Useful when a string looks like one of the flags.

         [operator]
            integer matching: eq, ge, gt, le, lt

            string matching:
                - exact match     (-m str) : the extracted string must exactly match the patterns ;
                - substring match (-m sub) : the patterns are looked up inside the extracted string, and the ACL matches if any of them is found inside ;
                - prefix match    (-m beg) : the patterns are compared with the beginning of the extracted string, and the ACL matches if any of them matches.
                - suffix match    (-m end) : the patterns are compared with the end of the extracted string, and the ACL matches if any of them matches.
                - subdir match    (-m dir) : the patterns are looked up inside the extracted string, delimited with slashes ("/"), and the ACL matches if any of them matches.
                - domain match    (-m dom) : the patterns are looked up inside the extracted string, delimited with dots ("."), and the ACL matches if any of them matches.

        Logic when ACLs are combined in a condition:
            - AND (implicit)
            - OR  (explicit with the "or" keyword or the "||" operator)
            - Negation with the exclamation mark ("!")

                if invalid_src invalid_port
                if invalid_src || invalid_port
                if ! invalid_src invalid_port    # the negation applies only to the ACL immediately after it
        <criterion>:
            dst : ip
            dst_port : integer
            src : ip
            src_port : integer

                acl invalid_src  src  172.16.200.2

            path : string
                This extracts the request's URL path, which starts at the first slash and ends before the question mark (without the host part).
                    /path;<params>

                path     : exact string match
                path_beg : prefix match
                path_dir : subdir match
                path_dom : domain match
                path_end : suffix match
                path_len : length match
                path_reg : regex match
                path_sub : substring match
            Examples:
                    path_beg /images/
                    path_end .jpg .jpeg .png .gif
                    path_reg ^/images.*\.jpeg$
                    path_sub image
                    path_dir jpegs      # exact match of one slash-delimited path component
                    path_dom ilinux     # exact match of one dot-delimited component
                        /images/jpegs/20180312/logo.jpg
                The path is matched as the client sent it, without URL decoding or normalisation, so ACLs used for access control should deny by default and allow on a pattern, not the other way round.

            url : string
                This extracts the request's URL as presented in the request. A typical use is with prefetch-capable caches, and with portals which need to aggregate multiple information from databases and keep them in caches.

                url     : exact string match
                url_beg : prefix match
                url_dir : subdir match
                url_dom : domain match
                url_end : suffix match
                url_len : length match
                url_reg : regex match
                url_sub : substring match

            req.hdr([<name>[,<occ>]]) : string
                This extracts the last occurrence of header <name> in an HTTP request.

                hdr([<name>[,<occ>]])     : exact string match
                hdr_beg([<name>[,<occ>]]) : prefix match
                hdr_dir([<name>[,<occ>]]) : subdir match
                hdr_dom([<name>[,<occ>]]) : domain match
                hdr_end([<name>[,<occ>]]) : suffix match
                hdr_len([<name>[,<occ>]]) : length match
                hdr_reg([<name>[,<occ>]]) : regex match
                hdr_sub([<name>[,<occ>]]) : substring match

                Example:
                    acl bad_curl hdr_sub(User-Agent) -i curl
                    block if bad_curl
                    (the User-Agent is chosen by the client, so this is a convenience filter, not a security control)

            status : integer
                Returns an integer containing the HTTP status code in the HTTP response.
        Pre-defined ACLs (built in):
            ACL name         Equivalent to                 Usage
            FALSE            always_false                  never match
            HTTP             req_proto_http                match if protocol is valid HTTP
            HTTP_1.0         req_ver 1.0                   match HTTP version 1.0
            HTTP_1.1         req_ver 1.1                   match HTTP version 1.1
            HTTP_CONTENT     hdr_val(content-length) gt 0  match an existing content-length
            HTTP_URL_ABS     url_reg ^[^/:]*://            match absolute URL with scheme
            HTTP_URL_SLASH   url_beg /                     match URL beginning with "/"
            HTTP_URL_STAR    url *                         match URL equal to "*"
            LOCALHOST        src 127.0.0.1/8               match connection from local host
            METH_CONNECT     method CONNECT                match HTTP CONNECT method
            METH_GET         method GET HEAD               match HTTP GET or HEAD method
            METH_HEAD        method HEAD                   match HTTP HEAD method
            METH_OPTIONS     method OPTIONS                match HTTP OPTIONS method
            METH_POST        method POST                   match HTTP POST method
            METH_TRACE       method TRACE                  match HTTP TRACE method
            RDP_COOKIE       req_rdp_cookie_cnt gt 0       match presence of an RDP cookie
            REQ_CONTENT      req_len gt 0                  match data in the request buffer
            TRUE             always_true                   always match
            WAIT_END         wait_end                      wait for end of content analysis

    HAProxy recap: global, proxies (frontend, backend, listen, defaults)
    balance:
        roundrobin, static-rr: backend web servers serving static content
        leastconn: used for MySQL scheduling
        first
        source
        hdr(<name>)
        uri (with hash-type): used for cache scheduling
        url_param

    Nginx scheduling algorithms: ip_hash, hash, least_conn
    LVS scheduling algorithms:
        rr/wrr/sh/dh, lc/wlc/sed/nq/lblc/lblcr

    ACL-based separation of static and dynamic content:
        frontend  web *:80
            acl url_static       path_beg       -i  /static /images /javascript /stylesheets
            acl url_static       path_end       -i  .jpg .gif .png .css .js .html .txt .htm

            use_backend staticsrvs          if url_static
            default_backend             appsrvs

        backend staticsrvs
            balance     roundrobin
            server      stcsrv1 172.16.100.6:80 check

        backend appsrvs
            balance     roundrobin
            server  app1 172.16.100.7:80 check
            server  app2 172.16.100.7:8080 check    # server names must be unique within a backend

        listen stats
            bind :9091
            stats enable
            stats auth admin:admin
            stats admin if TRUE
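A frontend that puts the ACL machinery above to work as access control, covering the `tcp-request connection`, `http-request deny`, `block` and `use_backend` forms discussed on this page. Added example, not the course's configuration; the 198.51.100.0/24 and 192.0.2.0/24 ranges are documentation networks standing in for an assumed blocklist and an assumed admin network, and the paths, error file and backend addresses are illustrative:

```haproxy
# Added example: layered access control in one frontend
frontend web
    bind *:80
    mode http

    # Layer 4: reject before any HTTP parsing happens (cheapest place to drop abuse)
    acl bad_src    src 198.51.100.0/24          # assumed blocklist
    acl from_admin src 192.0.2.0/24             # assumed admin network
    tcp-request connection reject if bad_src

    # Layer 7: allow-list of methods; TRACE, CONNECT and unknown verbs are denied
    acl ok_method method GET HEAD POST PUT DELETE OPTIONS
    http-request deny unless ok_method

    # Admin paths only from the admin network; dotfiles (/.git/, /.env) never
    acl admin_path path_beg -i /admin /haproxy-stats
    acl dotfile    path_sub /.
    http-request deny if admin_path !from_admin
    http-request deny if dotfile

    # Known scanners by User-Agent (client-chosen, so a nuisance filter only)
    acl scanner hdr_sub(User-Agent) -i sqlmap nikto
    http-request deny if scanner
    # 1.4-era equivalent of the line above:
    # block if scanner

    # A real HTTP response for denied requests, not an arbitrary file (assumed path)
    errorfile 403 /etc/haproxy/errorfiles/403forbid.http

    # Routing, with an anonymous ACL
    use_backend staticsrvs if { path_beg -i /static /images }
    default_backend appsrvs

backend staticsrvs
    balance roundrobin
    server stcsrv1 172.16.100.6:80 check

backend appsrvs
    balance roundrobin
    server app1 172.16.100.7:80 check
    server app2 172.16.100.7:8080 check
```

Order matters: `tcp-request connection` rules run at accept time, `http-request` rules run in the order written once the request headers are parsed, and `use_backend` is evaluated after them. Verify each rule with requests that should be denied (`curl -X TRACE`, `curl http://<frontend>/.git/config`, `curl -A sqlmap`) and one that should pass, and read the 403s back from the haproxy log rather than only from curl.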

    Configuring HAProxy for HTTPS:
    1 Enable TLS on the listener:
    bind *:443 ssl crt /PATH/TO/SOME_PEM_FILE

        The file after crt must be PEM and contain the certificate (with any intermediates) together with the matching private key;

            cat  demo.crt demo.key > demo.pem
            The PEM file now holds the private key: keep it root-owned with mode 600; haproxy reads it as root before dropping privileges.

    2 Redirect requests on port 80 to 443:
        bind *:80
        redirect scheme https if !{ ssl_fc }

        Alternative: send any non-TLS access, whatever the URL, to the home page of the https host:
        redirect location https://172.16.0.67/ if !{ ssl_fc }

    3 Passing the client's protocol and port to the backend:
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        (set-header overwrites a value the client supplied, add-header appends; prefer set-header for any header the backend uses to decide whether the request arrived over TLS)
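The three steps above assembled into one TLS-terminating frontend, with the settings a reviewer would expect around them. Added example for this page, not the course's file or the HAProxy project's; it needs HAProxy 1.5 or later built with OpenSSL, and the certificate path, cipher list and HSTS lifetime are assumptions:

```haproxy
# Added example: TLS termination, http->https redirect, HSTS, backend headers
global
    # Protocol and cipher floor for every "bind ... ssl" line (assumed policy)
    ssl-default-bind-options no-sslv3 no-tlsv10
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    tune.ssl.default-dh-param 2048

frontend web
    bind *:80
    # site.pem = certificate + intermediates + private key; root:root, mode 600
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    mode http

    # Plain-http requests get a permanent redirect to the same URL over https
    redirect scheme https code 301 if !{ ssl_fc }

    # Tell the backend what the client really used; set-header wins over any
    # client-supplied X-Forwarded-Proto, so the app cannot be tricked into
    # treating a plain request as secure
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port  %[dst_port]

    # Only on TLS responses: browsers refuse plain http to this host for ~6 months
    http-response set-header Strict-Transport-Security max-age=15768000 if { ssl_fc }

    default_backend websrvs

backend websrvs
    balance roundrobin
    server srv1 172.16.100.6:80 check
    server srv2 172.16.100.7:80 check
    # If the backend network is not trusted, re-encrypt and verify instead:
    # server srv1 172.16.100.6:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

Traffic from the balancer to the backends is plaintext in this setup, which is the offloading trade-off described in point 9 at the top of the page; the commented `server ... ssl verify required` line is the fix when that segment cannot be trusted. Test with `curl -sI http://<frontend>/` (expect a 301 with a `Location: https://` header) and `openssl s_client -connect <frontend>:443 -ssl3` (expect a handshake failure).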

    Features commonly used in configurations:
    http --> https

    mode http
    compression, conditional forwarding, scheduling algorithms, stats page, custom error pages, access control, logging
    maximum concurrent connections;
        global, defaults, frontend, listen, server
    cookie-based session stickiness
    backend health checks
    manipulation of request and response headers