HTTP/TCP balancer HAProxy 2.0 released

The release of the load balancer HAProxy 2.0 has been published. It distributes HTTP traffic and arbitrary TCP requests across a group of servers, taking many factors into account (for example, it checks server availability, estimates load level, and has DDoS countermeasures), and performs preliminary data filtering (for example, it can parse HTTP headers, filter out requests with malformed parameters, block SQL and XSS injection, and attach content-processing agents). HAProxy can also be used to coordinate the interaction of components in systems built on a microservice architecture. The project code is written in C and is licensed under GPLv2. The project is used on many large sites, including Airbnb, Alibaba, GitHub, Imgur, Instagram, Reddit, StackOverflow, Tumblr, Twitter and Vimeo.

Key features of the release:

  • A new Data Plane API has been introduced, which allows managing HAProxy settings on the fly through a REST Web API. Among other things, you can dynamically add and remove backends and servers, create ACLs, change request routing, and change the binding of handlers to IP addresses;
  • Added the nbthread directive, which allows configuring the number of threads HAProxy uses in order to optimize performance on multi-core CPUs. By default, the number of worker threads is chosen according to the CPU cores available in the current environment, and in cloud environments the default is one thread. To set hard limits, the build options MAX_THREADS and MAX_PROCS have been added, which cap the number of threads and processes;
  • The use of the bind directive for binding handlers to network addresses has been simplified. It is no longer necessary to specify process parameters in the configuration: connections are automatically distributed among threads according to the number of active connections;
  • Logging when running in isolated containers has been simplified: the log can now be sent to stdout and stderr, as well as to any existing file descriptor (for example, "log fd@1 local0");
  • HTX (Native HTTP Representation) support is enabled by default, which makes balancing possible when using advanced features such as end-to-end HTTP/2, Layer 7 Retries and gRPC. HTX does not replace headers in place but reduces a modification to removing a header and appending a new one to the end of the list. This allows any extended variant of the HTTP protocol to be handled, preserves the original semantics of the headers, and gives higher performance when translating HTTP/2 to HTTP/1.1 and vice versa;
  • Added official support for end-to-end HTTP/2 mode (all stages are processed in HTTP/2, including calls to the backend, not just the exchange between the proxy and the client);
  • Full support for bidirectional proxying of the gRPC protocol has been implemented, with the ability to parse gRPC streams, isolate individual messages, reflect gRPC traffic in the log, and filter messages using ACLs. gRPC makes it possible to organize microservices written in different programming languages that communicate with each other through a universal API. Network communication in gRPC is implemented on top of the HTTP/2 protocol and relies on Protocol Buffers for data serialization;
  • Added support for the "Layer 7 Retries" mode, which allows HTTP requests to be re-sent in case of software failures unrelated to problems establishing the network connection (for example, when there is no response or an empty response to a POST request). To disable the mode, the "disable-l7-retry" flag has been added to the "http-request" option, and the "retry-on" option has been added to the defaults, listen and backend sections for fine tuning. The following conditions are available for retrying: all-retryable-errors, none, conn-failure, empty-response, junk-response, response-timeout, 0rtt-rejected, as well as matching on returned status codes (404, etc.);
  • A new process manager has been implemented, which allows configuring the launch of external executables alongside the HAProxy handlers. For example, the Data Plane API (/usr/sbin/dataplaneapi), as well as various Stream Processing Offload engines, are implemented as such external handlers;
  • Added bindings for .NET Core, Go, Lua and Python for developing SPOE (Stream Processing Offload Engine) and SPOP (Stream Processing Offload Protocol) extensions. Previously, extension development was supported only in C;
  • Added an external spoa-mirror handler (/usr/sbin/spoa-mirror) for mirroring requests to a separate server (for example, to copy part of the production traffic in order to test a staging environment under real load);
  • Introduced the HAProxy Kubernetes Ingress Controller for integration with the Kubernetes platform;
  • Added built-in support for sending statistics to the Prometheus monitoring system;
  • The Peers protocol, used to exchange information with other nodes running HAProxy, has been extended. Among other things, support for Heartbeat and encrypted data transfer has been added;
  • Added the "sample" parameter to the "log" directive, which allows only a portion of the requests to be written to the log, for example 1 out of 10, to build an analytical sample;
  • Added an automatic profiling mode (the profiling.tasks directive, which can take the values auto, on and off). Automatic profiling is enabled when the average latency exceeds 1000 ms. To view the profiling data, the "show profiling" command has been added to the Runtime API, or the statistics can be dumped to the log;
  • Added support for reaching backend servers through the SOCKS4 protocol;
  • Added end-to-end support for the TCP Fast Open connection mode (TFO, RFC 7413), which reduces the number of connection setup steps by combining the first and second steps of the classic 3-way handshake into a single request and makes it possible to send data at the initial stage of connection establishment;
  • New actions have been added:
    • "http-request replace-uri" to replace the URL using a regular expression;
    • "tcp-request content do-resolve" and "http-request do-resolve" for resolving a host name;
    • "tcp-request content set-dst" and "tcp-request content set-dst-port" to replace the destination IP address and port.
  • New converters have been added:
    • aes_gcm_dec for decrypting streams using the AES128-GCM, AES192-GCM and AES256-GCM algorithms;
    • protobuf for extracting fields from Protocol Buffers messages;
    • ungrpc for extracting fields from gRPC messages.
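The following configuration is an added example written for this page; it is not taken from the article or from the HAProxy project. It pulls several of the features listed above (nbthread, logging to a file descriptor with sampling, profiling.tasks, the program section running the Data Plane API, retry-on with disable-l7-retry, replace-uri, the Prometheus exporter service, SOCKS4 server access, TFO on bind, and set-dst/set-dst-port) into one 2.0-style haproxy.cfg. All addresses, file paths, certificate locations, the userlist name and the dataplaneapi command-line flags are assumptions or placeholders; in particular the exporter requires HAProxy to be built with the Prometheus contrib module, and the dataplaneapi flags shown are illustrative rather than taken from the page.

```haproxy
# Constructed HAProxy 2.0 configuration illustrating the release features above.
# Addresses, paths and credentials are placeholders, not values from the article.

global
    master-worker                      # needed so that "program" sections are supervised
    nbthread 4                         # worker threads; default derives from visible CPU cores
    log fd@1 local0                    # send the log to stdout (fd 1), useful in containers
    profiling.tasks auto               # auto | on | off; auto enables profiling under high latency
    stats socket /var/run/haproxy.sock mode 600 level admin   # keep the runtime API local and root-only

# External process managed by HAProxy: the Data Plane API (REST management).
# The dataplaneapi flags below are an assumption about that tool, not from the page.
program api
    command /usr/sbin/dataplaneapi --host 127.0.0.1 --port 5555 --config-file /etc/haproxy/haproxy.cfg --userlist haproxy-dataplaneapi

userlist haproxy-dataplaneapi
    user admin password <CRYPTED-PASSWORD-PLACEHOLDER>   # hashed credential, never a plaintext one

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    retries 3
    # Layer 7 retries: replay the request on these conditions, including a 503 from the server.
    retry-on conn-failure empty-response junk-response response-timeout 0rtt-rejected 503
    option redispatch

frontend fe_web
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1 tfo   # TFO on the listener
    log fd@1 sample 1:10 local0        # keep one request in ten in this frontend's log
    # Never replay non-idempotent requests, even when retry-on would otherwise allow it.
    http-request disable-l7-retry if METH_POST
    # Rewrite legacy paths with a regular expression (2.0 semantics: the whole URI).
    http-request replace-uri ^/old/(.*) /new/\1
    # Prometheus metrics: exporter must be compiled in; restrict who may scrape it.
    http-request use-service prometheus-exporter if { path /metrics } { src 10.0.0.0/8 }
    default_backend be_app

backend be_app
    # End-to-end HTTP/2: ALPN on the server line negotiates h2 towards the backend.
    server app1 10.0.0.11:8443 ssl verify required ca-file /etc/haproxy/certs/ca.pem alpn h2 check
    server app2 10.0.0.12:8443 ssl verify required ca-file /etc/haproxy/certs/ca.pem alpn h2 check
    # Backend reachable only via a SOCKS4 proxy; health checks go through it as well.
    server app3 10.0.0.13:8080 socks4 127.0.0.1:1080 check-via-socks4 check

# TCP listener whose destination is chosen at runtime with set-dst / set-dst-port.
listen tcp_forward
    mode tcp
    bind :5432
    tcp-request content set-dst ipv4(10.0.0.20)
    tcp-request content set-dst-port int(5432)
    server dynamic 0.0.0.0:0           # address 0.0.0.0:0 means "use the destination set above"
```

Two points worth checking before deploying something like this: the retry-on list deliberately excludes all-retryable-errors and pairs it with disable-l7-retry for POST, so that a backend timeout never causes a state-changing request to be executed twice; and both management surfaces (the stats socket and the Data Plane API bound to 127.0.0.1) stay off the network, since either one grants full control over routing.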

    Source: opennet.ru
