Release of the HTTP/TCP load balancer HAProxy 3.0

Five years after the 2.0 branch was formed, the release of the HAProxy 3.0 load balancer has been published. It distributes HTTP traffic and arbitrary TCP requests across a group of servers while taking many factors into account (for example, it checks server availability, evaluates the load level and includes DDoS countermeasures), and performs initial filtering of the data (for example, it can parse HTTP headers, filter out requests carrying malformed parameters, block SQL and XSS injection, and plug in content-processing agents). HAProxy can also be used to coordinate the interaction of components in systems built on a microservice architecture. The project code is written in C and is licensed under GPLv2. The project is used on many large sites, including Airbnb, Alibaba, GitHub, Imgur, Instagram, Reddit, StackOverflow, Tumblr, Twitter and Vimeo.

The HAProxy 3.0 branch is classified as a long-term support (LTS) release and will be supported until 2029. Main changes:

  • A new "crt-store" section has been added to the configuration for setting up the storage and use of TLS certificates. Unlike the previously available crt list, crt-store separates certificate storage from its use in the frontend, which makes it possible to set a separate location for each component of a certificate (files with certificates, keys and OCSP data).
  • Added the ability to restrict requests that use constructs permitted by the HTTP/2 protocol but capable of causing problems. For example, sending a series of CONTINUATION frames can lead to a DoS attack.
  • Added a new configuration directive "guid" that can be used in the "frontend", "backend" and "listen" sections. The directive binds a unique identifier to these sections, which allows statistics associated with a section to be preserved across restarts (the state of the Stats page is no longer reset). A new "dump stats-file" command has been added to save statistics to a file, and a new "stats-file" configuration directive reads them back from the file after a restart.
  • Syslog message balancing capabilities have been extended. Added the ability to assign a weight to server lines in a log backend.
  • Added support for formatting log lines in JSON and CBOR formats.
  • The data obtainable through the information-fetching functions has been extended; for example, you can request the number of open HTTP sessions for a backend and frontend, the size of the queue of requests waiting to be processed, and the permitted number of concurrent sessions.
  • Improved performance of single-threaded Lua scripts loaded with the "lua-load" directive.
  • Significantly improved performance of in-memory stores created with the stick table directive. For example, on a system with 80 threads, performance increased 6-fold.
  • In multi-domain setups where the TLS certificate is selected based on the host identifier passed via the SNI TLS extension, a "default-crt" argument has been added to specify a default certificate to use when no certificate matches the site.
  • Added "set-fc-tos" and "set-bc-tos" actions to set the DS (Differentiated Services) field, which determines traffic priority, in IP packets on the backend or frontend side.
  • Added "set-fc-mark" and "set-bc-mark" actions for marking IP packets on the backend or frontend side, for example to later bind them to a specific routing table.
  • Added support for generating identifiers in UUIDv7 format.
  • Implemented the "@virt" prefix for creating virtual ACL and Map files that are not stored on disk. The contents of virtual ACL and Map files are added and removed via the Runtime API. An "@opt" prefix is also available, in which the virtual files are used only if no real file exists on disk.
  • Changes that break backward compatibility have been made: sending several commands to the Runtime API in a single request separated by a line-feed character is no longer allowed; setting the "enabled" keyword on dynamic servers is forbidden; validation of non-standard URIs has been tightened.
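As an added illustration (not from the original article or the HAProxy project), a configuration fragment that ties together several of the features listed above: a crt-store with separate certificate and key locations, a default-crt fallback for unmatched SNI names, guid plus stats-file so that counters survive a reload, and a virtual ACL that lives only in memory. Keyword forms follow the HAProxy 3.0 configuration manual; all paths, names and addresses are placeholders.

```haproxy
global
    # Persist per-section counters across reloads: written out with the
    # Runtime API command "dump stats-file", read back from this path on start.
    stats-file /var/lib/haproxy/stats
    stats socket /run/haproxy/admin.sock mode 660 level admin

# Certificate storage is declared separately from where it is used.
# Certificates and private keys can live in different directories.
crt-store web
    crt-base /etc/haproxy/certs
    key-base /etc/haproxy/private
    load crt "example.com.crt" key "example.com.key" ocsp "example.com.ocsp" alias "example"

frontend https-in
    # Stable identifier so the statistics of this section are matched across
    # restarts instead of being reset.
    guid fe-https-in
    # Certificates come from the store; default-crt is served when no SNI name
    # matches, rather than silently picking the first certificate loaded.
    bind :443 ssl crt "@web/example" default-crt /etc/haproxy/certs/fallback.pem alpn h2,http/1.1
    # Virtual ACL: no file on disk, entries are added/removed via the Runtime API.
    acl denied src -f @virt/denylist
    http-request deny status 403 if denied
    default_backend app

backend app
    guid be-app
    server app1 10.0.0.11:8080 check
    server app2 10.0.0.12:8080 check
```

Run `haproxy -c -f <file>` against your own build before deploying, since section and keyword names can only be validated by the parser of the version you run.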

Source: opennet.ru