Key features of the release:
- A new Data Plane API has been introduced, which lets you manage HAProxy settings on the fly through a REST Web API. Among other things, you can dynamically add and remove backends and servers, create ACLs, change request routing, and change the binding of handlers to IPs;
- Added the nbthread directive, which lets you configure the number of threads used in HAProxy to optimize performance on multi-core CPUs. By default, the number of worker threads is chosen according to the CPU cores available in the current environment, and in cloud environments the default is a single thread. To set hard limits, the build options MAX_THREADS and MAX_PROCS have been added, which cap the upper limit on the number of threads and processes;
- Use of the bind directive for binding handlers to network addresses has been simplified. When configuring, it is no longer necessary to specify process parameters: by default, connections are distributed among threads according to the number of active connections;
- Setting up logs when running in isolated containers has been simplified: the log can now be sent to stdout and stderr, as well as to any existing file descriptor (for example, "log fd@1 local0");
- Support for HTX (Native HTTP Representation) is enabled by default, allowing balancing when using advanced features such as end-to-end HTTP/2, Layer 7 Retries and gRPC. HTX does not modify headers in place, but reduces the modification operation to removing a header and adding a new one at the end of the list, which lets you handle any extended variants of the HTTP protocol, preserves the original semantics of the headers and achieves higher performance when translating HTTP/2 to HTTP/1.1 and vice versa;
- Added official support for End-to-End HTTP/2 mode (processing all stages over HTTP/2, including calls to the backend, not just the connection between the proxy and the client);
- Full support for bidirectional proxying of the gRPC protocol has been implemented, with the ability to parse gRPC streams, isolate individual messages, show gRPC traffic in the log and filter messages using ACLs. gRPC lets you organize the work of microservices written in different programming languages that interact through a universal API. Network communication in gRPC runs on top of the HTTP/2 protocol and relies on Protocol Buffers for data serialization;
- Added support for "Layer 7 Retries" mode, which lets you resend HTTP requests in the event of software failures unrelated to problems establishing the network connection (for example, when there is no response or an empty response to a POST request). To disable the mode, the "disable-l7-retry" flag has been added to the "http-request" option, and the "retry-on" option has been added for fine-tuning in the defaults, listen and backend sections. The following conditions are available for triggering a resend: all-retryable-errors, none, conn-failure, empty-response, junk-response, response-timeout, 0rtt-rejected, as well as binding to returned status codes (404, etc.);
- A new process manager has been implemented, which lets you configure the launching of external executables with handlers for HAProxy. For example, the Data Plane API (/usr/sbin/dataplaneapi), as well as various Stream Processing Offload engines, are implemented as such external handlers;
- Bindings for .NET Core, Go, Lua and Python have been added for developing SPOE (Stream Processing Offload Engine) and SPOP (Stream Processing Offload Protocol) extensions. Previously, extension development was supported only in C;
- Added the external spoa-mirror handler (/usr/sbin/spoa-mirror) for mirroring requests to a separate server (for example, to copy part of production traffic in order to test an experimental environment under real load);
- Introduced the HAProxy Kubernetes Ingress Controller to provide integration with the Kubernetes platform;
- Added built-in support for exporting statistics to the Prometheus monitoring system;
- The Peers Protocol, used to exchange information with other nodes running HAProxy, has been extended. This includes added support for Heartbeat and encrypted data transfer;
- The "sample" parameter has been added to the "log" directive, which lets you write only a portion of requests to the log, for example 1 out of 10, to build a sample for analysis;
- Added an automatic profiling mode (the profiling.tasks directive, which can take the values auto, on and off). Automatic profiling is enabled if the average latency exceeds 1000 ms. To view profiling data, the "show profiling" command has been added to the Runtime API, or the statistics can be dumped to the log;
- Added support for accessing backend servers using the SOCKS4 protocol;
- Added end-to-end support for the mechanism for fast opening of TCP connections (TFO - TCP Fast Open, RFC 7413), which reduces the number of connection setup steps by combining the first and second steps of the classic 3-step handshake into a single request, and makes it possible to send data at the initial stage of connection setup;
- New actions have been added:
  - "http-request replace-uri" to replace the URL using a regular expression;
  - "tcp-request content do-resolve" and "http-request do-resolve" to resolve a host name;
  - "tcp-request content set-dst" and "tcp-request content set-dst-port" to substitute the target IP address and port.
- New converter modules have been added:
  - aes_gcm_dec to decrypt streams using the AES128-GCM, AES192-GCM and AES256-GCM algorithms;
  - protobuf to extract fields from Protocol Buffers messages;
  - ungrpc to extract fields from gRPC messages.
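
The following configuration is an added illustration, not taken from the release or from the HAProxy project, of how the Layer 7 retry, container logging and log sampling items above fit together. The addresses, ports, thread count and section names are assumptions chosen for the example.

```haproxy
global
    # Container-friendly logging: write to file descriptor 1 (stdout),
    # as in the "log fd@1 local0" example from the list above.
    log fd@1 local0
    # Second target receives only 1 request out of 10 ("sample" parameter).
    # A sampled stream is for traffic analysis; it is incomplete by design,
    # so the full stream above remains the audit record.
    # 192.0.2.10 is a documentation address (assumption).
    log 192.0.2.10:514 sample 1:10 local0
    # Explicit thread count instead of the per-environment default (assumption).
    nbthread 4

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    retries 3
    # Enable Layer 7 retries only for selected failure classes rather than
    # all-retryable-errors, so each retried condition is a deliberate choice.
    retry-on conn-failure empty-response response-timeout

frontend fe_main
    bind :8080
    default_backend be_app

backend be_app
    # A POST that got an empty response may already have been processed by
    # the server; replaying it can duplicate the side effect (a second
    # order, payment or write). Switch L7 retries off for POST requests.
    http-request disable-l7-retry if METH_POST
    # Backend servers use documentation addresses (assumption).
    server app1 192.0.2.21:8080 check
    server app2 192.0.2.22:8080 check
```

The file can be syntax-checked with `haproxy -c -f <file>` before it is loaded.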
Source: opennet.ru