HTTP/TCP load balancer HAProxy 2.0 released

The release of the HAProxy 2.0 load balancer has been published. HAProxy distributes HTTP traffic and arbitrary TCP requests across a group of servers while taking many factors into account (for example, it checks server availability, estimates load levels and includes DDoS countermeasures) and performs first-line filtering of data (for example, it can parse HTTP headers, filter out requests with malformed parameters, block SQL and XSS injection and attach content-processing agents). HAProxy can also be used to coordinate the interaction of components in systems built on a microservice architecture. The project code is written in C and is distributed under the GPLv2 license. The project is used on many large sites, including Airbnb, Alibaba, GitHub, Imgur, Instagram, Reddit, StackOverflow, Tumblr, Twitter and Vimeo.

Main features of the release:

  • The new Data Plane API has been introduced, which allows HAProxy settings to be managed on the fly via a REST Web API. Among other things, you can dynamically add and remove backends and servers, create ACLs, change request routing and change the binding of handlers to IP addresses;
  • The nbthread directive has been added, which allows configuring the number of threads HAProxy uses in order to improve performance on multi-core CPUs. By default, the number of worker threads is chosen according to the CPU cores available in the current environment, and in cloud environments the default is a single thread. To set hard limits, the build options MAX_THREADS and MAX_PROCS have been added, which cap the maximum number of threads and processes;
  • Use of the bind directive for binding handlers to network addresses has been simplified. It is no longer necessary to specify process parameters when configuring it; by default, connections are distributed among threads according to the number of active connections;
  • Configuring logging when running in isolated containers has been simplified: the log can now be sent to stdout and stderr, as well as to any existing file descriptor (for example, "log fd@1 local0");
  • HTX (native HTTP representation) support is enabled by default, which allows balancing when using advanced features such as end-to-end HTTP/2, Layer 7 Retries and gRPC. HTX does not modify headers in place; instead it reduces a modification to removing a header and appending a new one at the end of the list, which allows any extended variant of the HTTP protocol to be handled, preserves the original header semantics and gives higher performance when translating HTTP/2 to HTTP/1.1 and vice versa;
  • Official support has been added for end-to-end HTTP/2 mode (processing every stage in HTTP/2, including calls to the backend, not just the exchange between the proxy and the client);
  • Full support for bidirectional proxying of the gRPC protocol has been implemented, with the ability to parse gRPC streams, extract individual messages, reflect gRPC traffic in the log and filter messages using ACLs. gRPC makes it possible to organize microservices written in different programming languages that interact through a universal API. Network communication in gRPC runs on top of the HTTP/2 protocol and relies on Protocol Buffers for data serialization;
  • Support has been added for "Layer 7 Retries" mode, which allows HTTP requests to be resent in the event of software failures unrelated to problems establishing the network connection (for example, when there is no response or an empty response to a POST request). To disable the mode, the "disable-l7-retry" flag has been added to the "http-request" option, and the "retry-on" option has been added for fine-tuning in the defaults, listen and backend sections. The following tokens are available for resending: all-retryable-errors, none, conn-failure, empty-response, junk-response, response-timeout, 0rtt-rejected, as well as binding to returned status codes (404, etc.);
  • A new process manager has been implemented, which allows configuring the launch of external executables that act as HAProxy handlers. For example, the Data Plane API (/usr/sbin/dataplaneapi) and the various Stream Processing Offload engines are implemented as such external handlers;
  • Bindings for .NET Core, Go, Lua and Python have been added for developing SPOE (Stream Processing Offload Engine) and SPOP (Stream Processing Offload Protocol) extensions. Previously, extension development was supported only in C;
  • The external handler spoa-mirror (/usr/sbin/spoa-mirror) has been added for mirroring requests to a separate server (for example, to copy part of the production traffic in order to test a staging environment under real load);
  • The HAProxy Kubernetes Ingress Controller has been published to provide integration with the Kubernetes platform;
  • Built-in support has been added for exporting statistics to the Prometheus monitoring system;
  • The Peers Protocol, used to exchange information with other nodes running HAProxy, has been extended. Among other things, support for Heartbeat and for encrypted data transfer has been added;
  • The "sample" parameter has been added to the "log" directive, which allows only a fraction of requests to be written to the log, for example 1 in 10, in order to build a sample for analysis;
  • An automatic profiling mode has been added (the profiling.tasks directive, which can take the values auto, on and off). Automatic profiling is enabled when the average latency exceeds 1000 ms. To view profiling data, the "show profiling" command has been added to the Runtime API, or the statistics can be dumped to the log;
  • Support has been added for reaching backend servers via the SOCKS4 protocol;
  • End-to-end support has been added for the TCP Fast Open mechanism (TFO, RFC 7413), which reduces the number of connection setup steps by merging the first and second steps of the classic 3-way handshake into a single request and makes it possible to send data during the initial stage of connection establishment;
  • New actions have been added:
    • "http-request replace-uri" to replace the URL using a regular expression;
    • "tcp-request content do-resolve" and "http-request do-resolve" to resolve a host name;
    • "tcp-request content set-dst" and "tcp-request content set-dst-port" to substitute the destination IP address and port.
  • New converters have been added:
    • aes_gcm_dec to decrypt a stream using the AES128-GCM, AES192-GCM and AES256-GCM algorithms;
    • protobuf to extract fields from Protocol Buffers messages;
    • ungrpc to extract fields from gRPC messages.
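The following configuration fragment, added here as an illustration and not taken from the announcement or the HAProxy project, ties several of the 2.0 features above together: fd-based logging, nbthread, profiling.tasks, the process manager, Layer 7 retries with disable-l7-retry, log sampling, the Prometheus exporter, replace-uri, end-to-end HTTP/2, TFO and SOCKS4 backends. All addresses, ports, certificate paths and names are constructed placeholders; the Data Plane API command line is shown without its own options.

```haproxy
global
    # Master-worker mode so the new process manager can launch external programs
    master-worker
    # Log to file descriptor 1 (stdout), convenient inside a container
    log fd@1 local0
    # Worker threads for a multi-core host (capped by MAX_THREADS at build time)
    nbthread 4
    # Automatic task profiling; engages when average latency exceeds 1000 ms
    profiling.tasks auto

# External handler started by the process manager (its own options omitted here)
program dataplane
    command /usr/sbin/dataplaneapi

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # Layer 7 retries on backend failures, including empty or junk responses
    retries 3
    retry-on all-retryable-errors

frontend fe_https
    # TLS listener negotiating HTTP/2, with TCP Fast Open on the client side
    bind :443 ssl crt /etc/haproxy/certs/site.pem alpn h2,http/1.1 tfo
    # Keep only 1 request in 10 in the remote log (sampling)
    log 127.0.0.1:514 sample 1:10 local0
    # Built-in Prometheus exporter, reachable only from the monitoring network
    http-request use-service prometheus-exporter if { path /metrics } { src 10.0.0.0/8 }
    # Do not resend non-idempotent requests at layer 7
    http-request disable-l7-retry if { method POST }
    # Rewrite a legacy path; the optional group keeps scheme and host of absolute-form URIs (HTTP/2)
    http-request replace-uri ([^/:]*://[^/]*)?/old/(.*) \1/api/\2
    default_backend be_app

backend be_app
    # End-to-end HTTP/2 with verified TLS and TFO towards the backend
    server app1 10.0.0.11:8443 ssl verify required ca-file /etc/haproxy/ca.pem alpn h2 tfo check
    # Same server type reached through a SOCKS4 proxy; health checks follow the same path
    server app2 10.0.0.12:8443 ssl verify required ca-file /etc/haproxy/ca.pem alpn h2 socks4 10.0.0.5:1080 check-via-socks4 check
```

The Prometheus exporter is only available in builds compiled with it enabled, and the explicit "log" line in the frontend replaces the global log target for that frontend rather than adding to it.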

    Source: opennet.ru
