
HAProxy: Access Control Based on ACLs

Published: 2025/3/15

author:JevonWei
Copyright notice: original work


  • HAProxy configuration documentation: https://cbonte.github.io/haproxy-dconv/

ACL-based access control (layer-4 proxy)

Network topology

Environment

  • Front-end HAProxy: 172.16.253.108
  • Back-end web1: 172.16.253.105
  • Back-end web2: 172.16.252.1
  • client: 172.16.253.177

Installing HAProxy

HAProxy

[root@HAProxy ~]# yum install haproxy -y
[root@HAProxy ~]# rpm -ql haproxy
[root@HAProxy ~]# iptables -F
[root@HAProxy ~]# setenforce 0
[root@HAProxy ~]# systemctl enable haproxy
[root@HAProxy ~]# cp /etc/haproxy/haproxy.cfg{,.bak}
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg

web1

[root@web1 ~]# yum -y install httpd
[root@web1 ~]# vim /var/www/html/index.html
<h1> Backend Server 1 </h1>
[root@web1 ~]# systemctl start httpd
[root@web1 ~]# setenforce 0
[root@web1 ~]# iptables -F

web2

[root@web2 ~]# yum -y install httpd
[root@web2 ~]# vim /var/www/html/index.html
<h1> Backend Server 2 </h1>
[root@web2 ~]# service httpd start
[root@web2 ~]# setenforce 0
[root@web2 ~]# iptables -F

  • Using block to deny a host

When the user at 172.16.251.196 requests the stats page, the request is blocked and the error page http://172.16.253.108:10080/403.html is shown instead.

HAProxy

[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
    default_backend websrvs

backend websrvs
    balance roundrobin
    server srv1 172.16.253.105:80 check weight 2
    server srv2 172.16.252.1:80 check weight 1

listen stats
    bind *:9000
    acl allowstats src 172.16.251.196
    # block the IPs in allowstats from reaching the stats page
    # ("block" is deprecated in later HAProxy releases in favour of "http-request deny")
    block if allowstats
    errorloc 403 http://172.16.253.108:10080/403.html
    stats enable
    stats uri /myproxy?admin
    stats realm "HAProxy Stats Page"
    stats auth admin:admin
    stats admin if TRUE
[root@HAProxy ~]# systemctl restart haproxy

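Access test

From 172.16.251.196, test with a browser: http://172.16.253.108:10080/403.html

  • Using http-request to allow one host to reach the stats page

Allow the user at 172.16.251.196 to access the HAProxy status page on the server http://172.16.253.108.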

HAProxy

[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
    default_backend websrvs

backend websrvs
    balance roundrobin
    server srv1 172.16.253.105:80 check weight 2
    server srv2 172.16.252.1:80 check weight 1

listen stats
    bind *:9000
    acl allowstats src 172.16.251.196
    # allow the IPs in allowstats to reach the stats page:
    # http-request allow if allowstats
    # deny everything except allowstats, i.e. only allowstats may access:
    http-request deny unless allowstats
    # deny allowstats:
    # http-request deny if allowstats
    # error page
    errorloc 403 http://172.16.253.108:10080/403.html
    stats enable
    stats uri /myproxy?admin
    stats realm "HAProxy Stats Page"
    stats auth admin:admin
    stats admin if TRUE
[root@HAProxy ~]# systemctl restart haproxy

Access test

Graphical browser: from 172.16.251.196, test with a browser: http://172.16.253.108:10080/403.html

Text console:

[root@client ~]# curl --basic --user admin:admin "http://172.16.253.108:9000/myproxy?admin"
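An added check, not part of the original post: a small Python audit of the `listen stats` section above that reports whether a source-address allowlist is in place and flags the lab settings `stats auth admin:admin` and `stats admin if TRUE`. The finding names, the 12-character password threshold and the hardened variant are assumptions made for this example.

```python
# Constructed input: the page's second "listen stats" section.
PAGE_CFG = """
listen stats
    bind *:9000
    acl allowstats src 172.16.251.196
    http-request deny unless allowstats
    stats enable
    stats uri /myproxy?admin
    stats auth admin:admin
    stats admin if TRUE
"""

# Constructed hardened variant; user name and password are placeholders.
HARDENED_CFG = (PAGE_CFG
                .replace("admin:admin", "ops:REPLACE-WITH-LONG-RANDOM-SECRET")
                .replace("stats admin if TRUE", "stats admin if allowstats"))

def audit_stats_section(cfg):
    """Return a list of finding ids for one stats-enabled listen section."""
    rules = [line.split("#", 1)[0].split() for line in cfg.splitlines()]
    rules = [r for r in rules if r]
    src_acls = {r[1] for r in rules
                if r[0] == "acl" and len(r) > 3 and r[2] == "src"}
    findings = []
    if any(r[0] == "block" for r in rules):
        findings.append("deprecated-block")
    # Conditions of every deny rule, old ("block") and new ("http-request deny").
    deny_conds = ([r[1:] for r in rules if r[0] == "block"] +
                  [r[2:] for r in rules if r[:2] == ["http-request", "deny"]])
    # An allowlist exists only if everything outside a src ACL is denied.
    if not any(c[:1] == ["unless"] and c[1:2] and c[1] in src_acls
               for c in deny_conds):
        findings.append("no-src-allowlist")
    for r in rules:
        if r[:2] == ["stats", "auth"] and len(r) > 2:
            user, _, password = r[2].partition(":")
            # Assumed heuristic: password equal to user name, or shorter than 12.
            if password == user or len(password) < 12:
                findings.append("weak-stats-credentials")
        # "if TRUE" gives every authenticated user the admin actions.
        if r[:3] == ["stats", "admin", "if"] and r[3:] == ["TRUE"]:
            findings.append("unconditional-stats-admin")
    return findings

if __name__ == "__main__":
    print("page config:    ", audit_stats_section(PAGE_CFG))
    print("hardened config:", audit_stats_section(HARDENED_CFG))
```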

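ACL-based access control (layer-7 proxy)

Dynamic pages are stored on the dynamic server group and static pages on the static server group.

Topology

Environment

  • Front-end HAProxy: 172.16.253.108
  • Back-end web1: 172.16.253.105
  • Back-end web2: 172.16.253.191
  • client: 172.16.253.177

  • web1 uses virtual hosts to set up two web servers that hold the dynamic page content
  • web2 uses virtual hosts to set up two web servers that serve the static page content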

Creating the virtual hosts on web1

[root@web1 ~]# yum -y install php httpd
[root@web1 ~]# mkdir /data/web/vhost{1,2} -pv
[root@web1 ~]# vim /data/web/vhost1/index.php
<h1> Application Server 1</h1>
<?php
phpinfo();
?>
[root@web1 ~]# vim /data/web/vhost2/index.php
<h1> Application Server 2</h1>
<?php
phpinfo();
?>

Configuration file for virtual host 1

[root@web1 ~]# vim /etc/httpd/conf.d/vhost1.conf
<VirtualHost *:80>
    ServerName www1.danran.com
    DocumentRoot "/data/web/vhost1"
    <Directory "/data/web/vhost1">
        # allow following symbolic links
        Options FollowSymLinks
        # do not let other configuration files override the settings here
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

Configuration file for virtual host 2

[root@web1 ~]# vim /etc/httpd/conf.d/vhost2.conf
Listen 8080
<VirtualHost *:8080>
    ServerName www2.danran.com
    DocumentRoot "/data/web/vhost2"
    <Directory "/data/web/vhost2">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

[root@web1 ~]# systemctl restart httpd.service
[root@web1 ~]# ss -ntl

Creating the virtual hosts on web2

[root@web2 ~]# yum -y install httpd
[root@web2 ~]# mkdir -pv /data/web/vhost{1,2}
[root@web2 ~]# find /usr/share/ -iname "*.jpg" -exec cp {} /data/web/vhost1/ \;
[root@web2 ~]# find /usr/share/ -iname "*.jpg" -exec cp {} /data/web/vhost2/ \;
[root@web2 ~]# vim /data/web/vhost1/index.html
<h1> Image Server 1 </h1>
[root@web2 ~]# vim /data/web/vhost2/index.html
<h1> Image Server 2 </h1>

Configuration file for virtual host 1

[root@web2 ~]# vim /etc/httpd/conf.d/vhost1.conf
<VirtualHost *:80>
    ServerName www1.danran.com
    DocumentRoot "/data/web/vhost1"
    <Directory "/data/web/vhost1">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

Configuration file for virtual host 2

[root@web2 ~]# vim /etc/httpd/conf.d/vhost2.conf
Listen 8080
<VirtualHost *:8080>
    ServerName www2.danran.com
    DocumentRoot "/data/web/vhost2"
    <Directory "/data/web/vhost2">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

[root@web2 ~]# systemctl start httpd.service

HAProxy

[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
    # note: "cookie" is only valid in defaults, listen and backend sections;
    # in a frontend HAProxy ignores it with a warning
    cookie WEBSRV indirect nocache
    # ACL "static": paths ending in .jpg .jpeg .png .gif .txt .html
    acl static path_end .jpg .jpeg .png .gif .txt .html
    # use the static server group when the ACL matches
    use_backend staticsrvs if static
    # otherwise fall back to the default_backend server group
    default_backend dynsrvs

# dynamic server group
backend dynsrvs
    balance roundrobin
    server dynsrv1 172.16.253.105:80 check cookie dynsrv1
    server dynsrv2 172.16.253.105:8080 check cookie dynsrv2

# static server group
backend staticsrvs
    balance roundrobin
    server staticsrv1 172.16.253.191:80 check
    server staticsrv2 172.16.253.191:8080 check
[root@HAProxy ~]# systemctl restart haproxy

client

[root@client ~]# curl http://172.16.253.108/index.html
<h1> Image Server 1 </h1>
[root@client ~]# curl http://172.16.253.108/index.html
<h1> image Server 2 </h1>
[root@client ~]# curl http://172.16.253.108/index.php
<h1> Application Server 2</h1>
[root@client ~]# curl http://172.16.253.108/index.php
<h1> Application Server 2</h1>

Denying curl access to the web site

HAProxy

[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
    cookie WEBSRV indirect nocache
    # ACL "static": paths ending in .jpg .jpeg .png .gif .txt .html
    acl static path_end .jpg .jpeg .png .gif .txt .html
    # use the static server group when the ACL matches
    use_backend staticsrvs if static
    # otherwise fall back to the default_backend server group
    default_backend dynsrvs
    # ACL "bad_browsers": requests whose User-Agent header contains "curl"
    acl bad_browsers hdr_reg(User-Agent) .*curl.*
    # block requests matching bad_browsers
    block if bad_browsers

# dynamic server group
backend dynsrvs
    balance roundrobin
    server dynsrv1 172.16.253.105:80 check cookie dynsrv1
    server dynsrv2 172.16.253.105:8080 check cookie dynsrv2

# static server group
backend staticsrvs
    balance roundrobin
    server staticsrv1 172.16.253.191:80 check
    server staticsrv2 172.16.253.191:8080 check
[root@HAProxy ~]# systemctl restart haproxy

client

[root@client ~]# curl http://172.16.253.108/index.html
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

Allowing access only from hosts in the danran.com domain

HAProxy

[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
    cookie WEBSRV indirect nocache
    # ACL "static": paths ending in .jpg .jpeg .png .gif .txt .html
    acl static path_end .jpg .jpeg .png .gif .txt .html
    # use the static server group when the ACL matches
    use_backend staticsrvs if static
    # otherwise fall back to the default_backend server group
    default_backend dynsrvs
    acl valid_referers hdr_reg(Referer) \.danran\.com
    # block everyone except requests matching valid_referers
    block unless valid_referers

# dynamic server group
backend dynsrvs
    balance roundrobin
    server dynsrv1 172.16.253.105:80 check cookie dynsrv1
    server dynsrv2 172.16.253.105:8080 check cookie dynsrv2

# static server group
backend staticsrvs
    balance roundrobin
    server staticsrv1 172.16.253.191:80 check
    server staticsrv2 172.16.253.191:8080 check
[root@HAProxy ~]# systemctl restart haproxy

client

Simulating a request that comes from the www.danran.com host:

[root@client ~]# curl -e "http://www.danran.com/index.php" http://172.16.253.108/index.php
<h1> Application Server 2</h1>
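An added example, not part of the original post: a Python model of the last frontend, showing how `block unless valid_referers` and `path_end` decide a set of constructed requests. It compares the page's unanchored `\.danran\.com` pattern with a stricter anchored pattern, which is an assumption of this example, as are all function and variable names.

```python
import re

PAGE_REFERER_RE = re.compile(r"\.danran\.com")  # the page's hdr_reg pattern
# Assumed stricter pattern (not from the page): anchored to scheme and host.
STRICT_REFERER_RE = re.compile(
    r"^https?://([a-z0-9-]+\.)*danran\.com(:[0-9]+)?(/|$)", re.IGNORECASE)
STATIC_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif", ".txt", ".html")

def route(url, headers, referer_re=PAGE_REFERER_RE):
    """Return 'deny', 'staticsrvs' or 'dynsrvs' for one request."""
    # block rules run before use_backend, whatever their order in the file.
    referer = headers.get("Referer")
    # hdr_reg cannot match an absent header, so "block unless" denies it.
    if referer is None or not referer_re.search(referer):
        return "deny"
    # path_end tests the path only (no query string) and is case-sensitive
    # unless the ACL is written with -i.
    path = url.split("?", 1)[0]
    if path.endswith(STATIC_SUFFIXES):
        return "staticsrvs"
    return "dynsrvs"

# Constructed requests; example.net stands for any unrelated site.
OWN = {"Referer": "http://www.danran.com/index.php"}
LOOKALIKE = {"Referer": "http://www.danran.com.example.net/"}
SAMPLES = [
    ("/index.php", OWN),
    ("/index.html", OWN),
    ("/LOGO.JPG", OWN),
    ("/index.php?img=a.jpg", OWN),
    ("/index.php", {}),
    ("/index.php", LOOKALIKE),
]

def decisions(referer_re):
    """Decision for every sample request under the given Referer pattern."""
    return [route(url, hdrs, referer_re) for url, hdrs in SAMPLES]

if __name__ == "__main__":
    for (url, hdrs), loose, strict in zip(
            SAMPLES, decisions(PAGE_REFERER_RE), decisions(STRICT_REFERER_RE)):
        print(f"{url:22} {hdrs.get('Referer', '-'):38} {loose:10} {strict}")
```

The Referer header is supplied by the client, as the `curl -e` test above shows, so either pattern is a hotlinking filter rather than an authentication control.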

Reposted from: https://www.cnblogs.com/JevonWei/p/7468486.html
