HAProxy rate-limiting modes
1. Sliding window mode
frontend website
    bind :80
    stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 }
    default_backend servers
2. Fixed window mode
frontend website
    bind :80
    stick-table type ipv6 size 100k expire 24h store http_req_cnt
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_cnt(0) gt 1000 }
    default_backend servers
3. Other modes: the HTTP URL mode and the HTTP parameter mode do not fit the requirement scenario here and are not covered.
4. Of the four modes, the most commonly used and most sound rate-limiting mode is the sliding window mode.
5. In sliding window mode (for example with the configuration above, no more than 20 requests are allowed within any 10-second window), once a client exceeds the limit HAProxy returns:
<html><body><h1>429 Too Many Requests</h1> You have sent too many requests in a given amount of time. </body></html>
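To make the difference between the two modes concrete, here is an added example (not HAProxy code and not from the original post) that replays one client's request timestamps through simplified models of both counters using the page's own policy (20 requests per 10 s, deny with 429). The sliding model follows the scheme HAProxy's frequency counters use for http_req_rate: the current period's count plus the previous period's count weighted by the fraction of the current period still remaining; this is an assumption about the exact arithmetic, simplified from HAProxy's implementation. The fixed model follows http_req_cnt, a plain count that only resets once the stick-table entry has been idle for `expire`. The timestamps, class and function names are constructed for the example.

```python
"""Replay one source's request timestamps through two counting modes.

Added example, not HAProxy's own code: both counters are simplified models
(assumption). Status 200 stands for "allowed", 429 for the deny rule firing.
"""

PERIOD = 10.0   # seconds: http_req_rate(10s) on the page
LIMIT = 20      # the "gt 20" threshold on the page


class SlidingWindowCounter:
    """Models http_req_rate(<period>): a two-bucket sliding-window approximation."""

    def __init__(self, period=PERIOD):
        self.period = period
        self.tick = None   # start of the current period, set by the first hit
        self.curr = 0      # hits in the current period
        self.prev = 0      # hits in the previous period

    def _rotate(self, now):
        """Advance the period boundary when `now` has moved past it."""
        if self.tick is None:
            self.tick = now
            return
        elapsed = now - self.tick
        if elapsed >= 2 * self.period:      # idle for two whole periods: history is gone
            self.prev, self.curr, self.tick = 0, 0, now
        elif elapsed >= self.period:        # one period passed: current becomes previous
            self.prev, self.curr, self.tick = self.curr, 0, self.tick + self.period

    def track(self, now):
        """http-request track-sc0 src: count this hit."""
        self._rotate(now)
        self.curr += 1

    def rate(self, now):
        """sc_http_req_rate(0): current count plus the decaying previous period."""
        self._rotate(now)
        remain = self.period - (now - self.tick)
        return self.curr + self.prev * remain / self.period


class FixedCountCounter:
    """Models http_req_cnt with a stick-table `expire`: the entry is refreshed on
    every hit, so the count only resets after `expire` seconds of silence."""

    def __init__(self, expire=24 * 3600.0):   # expire 24h on the page
        self.expire = expire
        self.last = None
        self.count = 0

    def track(self, now):
        if self.last is not None and now - self.last >= self.expire:
            self.count = 0                      # entry was evicted: start over
        self.last = now
        self.count += 1

    def rate(self, now):
        """sc_http_req_cnt(0)."""
        return self.count


def replay(counter, timestamps, limit=LIMIT):
    """Return the status each request gets under `track-sc0` + `deny if ... gt limit`."""
    statuses = []
    for t in timestamps:
        counter.track(t)
        statuses.append(429 if counter.rate(t) > limit else 200)
    return statuses


if __name__ == "__main__":
    # Constructed scenario: 30 requests inside 3 seconds, then one request at
    # t=12 s and one at t=19 s from the same source.
    burst = [i * 0.1 for i in range(30)]
    late = [12.0, 19.0]
    print("sliding:", replay(SlidingWindowCounter(), burst + late))
    print("fixed:  ", replay(FixedCountCounter(), burst + late))
```

Under the sliding model the burst yields 20 allowed and 10 denied (the split the test section later observes), the request at 12 s is still denied because the previous period's 30 hits are weighted by the 8 s remaining, and the one at 19 s passes as that weight has decayed. Under the count model the same source stays blocked for as long as it keeps sending, because each hit refreshes the entry and the count never drops.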
HAProxy whitelist
1. Create the whitelist file
$ cat /etc/haproxy/whitelisted.ips
ip1
ip2
2. HAProxy configuration
frontend website
    bind :80
    acl is-whitelisted-ip src -f /etc/haproxy/whitelisted.ips
    http-request deny if !is-whitelisted-ip
    default_backend servers
3. If a client whose address is not in the whitelist accesses the API, HAProxy returns:
<html><body><h1>403 Forbidden</h1> Request forbidden by administrative rules. </body></html>
4. Note: the whitelisted.ips file holds one IP address or IP range per line.
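Because a malformed or overly broad line in whitelisted.ips silently changes who may reach the API, it is worth checking the file before reloading HAProxy. The following added example (not part of the original post, and not HAProxy's own parser) models the `src -f <file>` match: it parses one IP or CIDR per line, reports lines that are not valid addresses, flags entries that admit every source, and answers whether a given client address would pass the ACL. The file content, names and addresses below are constructed for the example; lines beginning with `#` are treated as comments, which is an assumption about the file format.

```python
"""Validate an HAProxy whitelist file and model the `src -f file` ACL.

Added example: a simplified model of HAProxy's address matching (assumption),
intended as a pre-reload sanity check.
"""
import ipaddress

# Constructed sample standing in for /etc/haproxy/whitelisted.ips (not the real file)
SAMPLE_WHITELIST = """\
# control nodes
10.101.8.46
10.101.8.0/24
2001:db8::/32
10.101.9.300
"""


def parse_whitelist(text):
    """Return (networks, errors): parsed networks and (line number, text) of bad lines."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # assumption: '#' lines are comments
            continue
        try:
            # strict=False accepts host bits set in a range, e.g. 10.1.2.3/24
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            errors.append((lineno, line))
    return networks, errors


def overly_broad(networks):
    """Entries with a zero-length prefix match every source and disable the list."""
    return [net for net in networks if net.prefixlen == 0]


def is_whitelisted(src, networks):
    """Model of `acl is-whitelisted-ip src -f ...`: does `src` fall in any entry?"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def report(text):
    """Human-readable summary; returns the list of lines that would be printed."""
    networks, errors = parse_whitelist(text)
    lines = [f"{len(networks)} valid entries"]
    for lineno, bad in errors:
        lines.append(f"line {lineno}: not an IP or range: {bad!r}")
    for net in overly_broad(networks):
        lines.append(f"entry {net} admits every source")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_WHITELIST):
        print(line)
    nets, _ = parse_whitelist(SAMPLE_WHITELIST)
    for client in ("10.101.8.200", "10.101.10.1", "2001:db8::1"):
        print(client, "allowed" if is_whitelisted(client, nets) else "denied (403)")
```

Run it against the real file before `haproxy -c -f /etc/haproxy/haproxy.cfg`; a line that parses as a range far larger than intended is the mistake this catches that a syntax check will not.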
Sliding window rate limiting + whitelist test
1. HAProxy version in the test environment
[root@ytj-control-10e101e8e46 ~]# haproxy -v
HA-Proxy version 1.8.12-8a200c7 2018/06/27
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>
2. Configure the whitelist
$ cat /etc/haproxy/whitelisted.ips
ip1
ip2
3. Modify the nova-api section of the HAProxy configuration (no more than 20 requests allowed per 10 seconds)
listen nova-api
    bind nova-api:81
    # rate-limiting config start
    stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 }
    # rate-limiting config end
    # whitelist config start
    acl is-whitelisted-ip src -f /etc/haproxy/whitelisted.ips
    http-request deny if !is-whitelisted-ip
    # whitelist config end
    balance roundrobin
    option tcpka
    option httpchk
    option httplog
    server node-1 ip1:80 check inter 2000 rise 2 fall 5
    server node-2 ip2:80 check inter 2000 rise 2 fall 5
    server node-3 ip3:80 check inter 2000 rise 2 fall 5
4. Simulate nova-api requests from the control node (30 nova-api requests in a short time)
#!/bin/bash
for ((i=1; i<=30; i++)); do
    echo -e " "
    curl nova-api:81
done
5. Output
....
{"versions": [{"status": "SUPPORTED", "updated": "2011-01-21T11:33:21Z", "links": [{"href": "http://nova-api:81/v2/", "rel": "self"}], "min_version": "", "version": "", "id": "v2.0"}, {"status": "CURRENT", "updated": "2013-07-23T11:33:21Z", "links": [{"href": "http://nova-api.cty.os:10010/v2.1/", "rel": "self"}], "min_version": "2.1", "version": "2.61", "id": "v2.1"}]}
{"versions": [{"status": "SUPPORTED", "updated": "2011-01-21T11:33:21Z", "links": [{"href": "http://nova-api:81/v2/", "rel": "self"}], "min_version": "", "version": "", "id": "v2.0"}, {"status": "CURRENT", "updated": "2013-07-23T11:33:21Z", "links": [{"href": "http://nova-api.cty.os:10010/v2.1/", "rel": "self"}], "min_version": "2.1", "version": "2.61", "id": "v2.1"}]}
<html><body><h1>429 Too Many Requests</h1> You have sent too many requests in a given amount of time. </body></html>
<html><body><h1>429 Too Many Requests</h1> You have sent too many requests in a given amount of time. </body></html>
<html><body><h1>429 Too Many Requests</h1> You have sent too many requests in a given amount of time. </body></html>
....
6. The output shows that once the number of requests within the time window (10 s) exceeds 20, HAProxy returns status code 429 with the message "Too Many Requests". This matches expectations.
7. Access nova-api from control node 3 (whose IP is not in the whitelist):
<html><body><h1>403 Forbidden</h1> Request forbidden by administrative rules. </body></html>
8. The output shows HAProxy returning status code 403 with the message "Request forbidden by administrative rules." This matches expectations.
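The test above judges the result by reading response bodies out of a curl loop. The following added example (not part of the original post) performs the same check from the client side but tallies status codes instead, so the 20/10 split of the rate limit and the all-403 outcome of a non-whitelisted source are each recognised automatically. Two points from the listen block carry over into the verdict logic: the 429 rule is evaluated before the whitelist rule, so whitelisted clients are rate-limited as well, and a source that is not whitelisted sees 403 on every request. The URL is the page's nova-api:81 endpoint; the `send` hook, function names and the scripted status sequence are constructed for the example, and any status other than 429 or 403 is counted as "allowed" because the page shows only the response body of allowed requests, not their status.

```python
"""Client-side verification of the rate-limit + whitelist policy.

Added example, not the original post's script. Run it from a control node
against the real endpoint, or drive `probe` with a fake `send` offline.
"""
from collections import Counter
import urllib.error
import urllib.request

URL = "http://nova-api:81/"   # endpoint from the page's test


def http_status(url):
    """One GET; 4xx/5xx are the data we are measuring, not failures."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(url, count, send=http_status):
    """Send `count` requests back to back and tally the status codes."""
    return Counter(send(url) for _ in range(count))


def verdict(tally, limit):
    """Interpret a tally against 'at most `limit` requests per window'."""
    total = sum(tally.values())
    if total and tally.get(403, 0) == total:
        return "denied: source is not in whitelisted.ips"
    denied = tally.get(429, 0)
    allowed = total - denied - tally.get(403, 0)
    expected_allowed = min(limit, total)
    if allowed == expected_allowed and denied == total - expected_allowed:
        return f"rate limit ok: {allowed} allowed, {denied} got 429"
    return f"unexpected: {dict(tally)}"


if __name__ == "__main__":
    # 30 requests in quick succession, as in the page's bash loop.
    tally = probe(URL, 30)
    print(dict(tally))
    print(verdict(tally, limit=20))
```

If the verdict reads "unexpected" with fewer than 20 allowed, other traffic from the same source address inside the 10-second window (the stick-table is keyed on `src`, so every client behind one NAT address shares the budget) is the first thing to rule out.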