Open-Source Load Balancing Solutions
Load Balancing Using Open Source Software

MSN: finalbsd@hotmail.com
MAIL: finalbsd@gmail.com
CU ID: FinalBSD

Software     Working layer
F5           4-7
NetScaler    4-7
LVS          4
HAProxy      4-7

Schedule

Basics
• Hardware / GUI / CLI (configuration method) / HA (config sync)
Load balance related
• virtual server / node / pool / pool member
• Monitors
• Sorry server
• Maintenance Mode
• Load balance method
Persistence
SNAT/RNAT
Server Protection
ACL / Content Switch
GSLB
Performance

We are here
• Basics
• LB related
• Persistence
• SNAT/RNAT
• Server Protection
• ACL/CS
• GSLB

Hardware/GUI/CLI/HA

             Commercial              Open Source
             F5        NetScaler     LVS       HAProxy
Hardware
GUI
CLI
HA

HAProxy Hot Reconfiguration

    # Save the previous state
    mv /etc/haproxy/config /etc/haproxy/config.old
    mv /var/run/haproxy.pid /var/run/haproxy.pid.old
    mv /etc/haproxy/config.new /etc/haproxy/config

    # Stop the old listeners
    kill -TTOU "$(cat /var/run/haproxy.pid.old)"

    if haproxy -p /var/run/haproxy.pid -f /etc/haproxy/config; then
        # Success: clean up the old connections and pid
        echo "New instance successfully loaded, stopping previous one."
        kill -USR1 "$(cat /var/run/haproxy.pid.old)"
        rm -f /var/run/haproxy.pid.old
        exit 0   # conventional success status (the slide had exit 1 here)
    else
        # Failure: restore the old configuration
        echo "New instance failed to start, resuming previous one."
        kill -TTIN "$(cat /var/run/haproxy.pid.old)"
        rm -f /var/run/haproxy.pid
        mv /var/run/haproxy.pid.old /var/run/haproxy.pid
        mv /etc/haproxy/config /etc/haproxy/config.new
        mv /etc/haproxy/config.old /etc/haproxy/config
        exit 1   # non-zero status after rollback (the slide had exit 0 here)
    fi

Concepts

virtual server 192.168.101.1:80
    pool (name=cgi_boxes)
        member (server=10.1.1.3:80)
        member (server=10.1.1.2:80)
        member (server=10.1.1.1:80)
    pool (name=asp_boxes)
        member (server=10.1.1.6:80)
        member (server=10.1.1.5:80)
        member (server=10.1.1.4:80)
VIP 192.168.101.1

virtual server 192.168.101.1:443
    pool (name=ssl_boxes)
        member (server=10.1.1.6:443)
        member (server=10.1.1.2:443)
        member (server=10.1.1.1:443)
VIP 192.168.101.2

Diagram labels:
• Load Balancing
• Intelligent Traffic Control (look at URL, client IP addr., etc.)
• Port-based Traffic Direction
• IP Addr.-based Traffic Direction
• Incoming request
• Monitor
• Availability requirement
• SNAT/NAT
• Priority-based member activation
• ACTION of service down
• Slow Ramp Time
• Pool / pool member statistics

Monitors

Monitor type    Monitors
Simple          ICMP / GW ICMP / TCP ECHO
ECV             TCP / HTTP / HTTPS
EAV             External program / FTP (download a file to the LTM system and check whether the download succeeds) / IMAP / LDAP / MSSQL / NNTP / Oracle / POP3 / RADIUS / RealServer / SIP / SMTP / SOAP / WMI
Custom monitor

HAProxy Monitor

    listen webfarm 192.168.1.1:80
        mode http
        balance roundrobin
        cookie SERVERID insert indirect
        option httpchk HEAD /index.html HTTP/1.0
        server webA 192.168.1.11:80 cookie A check
        server webB 192.168.1.12:80 cookie B check port 81 inter 2000
        server webC 192.168.1.13:80 cookie C check
        server webD 192.168.1.14:80 cookie D check

    :80
        mode http
        balance roundrobin
        cookie SERVERID insert indirect
        option httpchk HEAD /index.html HTTP/1.0
        server webA 192.168.1.11:80 cookie A check
        server webB 192.168.1.12:80 cookie B check port 81 inter 2000
        server webC 192.168.1.13:80 cookie C check
        server webD 192.168.1.14:80 cookie D check
        server bkpA 192.168.1.15:80 cookie A check backup
        server bkpB 192.168.1.16:80 cookie B check backup

://
• (Ratio (member), Ratio (Node))
• Dynamic Ratio: sets the weight dynamically based on observed server performance; the observation points include connection count, response time, etc.
• Fastest (node) & Fastest (application): fastest response time of the server/application
• LC (Member) & LC (node)
• Observed (member) & Observed (node)
• Predictive (member) & Predictive (node)
• Source
• URL HASH
• URL Param

Persistence

Figure: cookie persistence between Client and Server A.
First Hit
    1. TCP handshake; GET /URI1 HTTP/1.1, HTTP request (no cookie)
    2. pick server
    3. TCP handshake; GET /URI1 HTTP/1.1, HTTP request (no cookie)
    4. HTTP/1.1 200 OK, HTTP reply (no cookie)
    5. HTTP/1.1 200 OK, HTTP reply (with inserted cookie): Set-Cookie: SERVERID=A
Second Hit
    1. TCP handshake; GET /URI2 HTTP/1.1, HTTP request (with same cookie): Cookie: SERVERID=A
    2. cookie specifies server
    3. TCP handshake; GET /URI2 HTTP/1.1, HTTP request (with same cookie)
    4. HTTP/1.1 200 OK, HTTP reply (no cookie)
    5. HTTP/1.1 200 OK, HTTP reply (updated cookie)

• Cookie persistence
    1.1 HTTP Cookie Insert
    1.2 HTTP Cookie Rewrite
    1.3 HTTP Cookie Passive
    1.4 Cookie Hash
• Destination address affinity persistence
• Hash persistence
• MS RDP persistence
• SIP persistence (Session Initiation Protocol)
• Source address affinity persistence
• SSL persistence
• Universal persistence

• insert
• rewrite
• prefix

    listen webfarm 192.168.1.1:80
        mode http
        balance roundrobin
        cookie SERVERID insert indirect
        option httpchk HEAD /index.html HTTP/1.0
        server webA 192.168.1.11:80 cookie A check
        server webB 192.168.1.12:80 cookie B check
        server webC 192.168.1.13:80 cookie C check
        server webD 192.168.1.14:80 cookie D check

SNAT & RNAT

Figure: NetScaler 10000 between the External vlan and the Internal vlan.
    VIP: 221.238.249.177
    MAPPED IP: 10.10.1.1
    eth0: 10.10.1.2
    eth1: 192.168.1.2
    SNAT / RNAT

    backend private
        # Connect to the servers using our 192.168.1.200 source address
        source 192.168.1.200

    backend transparent_ssl1
        # Connect to the SSL farm from the client's source address
        source 192.168.1.200 usesrc clientip

    server railsA 192.168.1.11:80 source 192.168.1.201 check
    server railsB 192.168.1.12:80 minconn 4 maxconn 12 check
    server railsC 192.168.1.13:80 minconn 4 maxconn 12 check

Server Protection

Attack (SYN Flood)
Connection Limi