Multi-tier архитектура, service mesh, edge routing, global load balancing
Multi-tier архитектура, service mesh, edge routing, global load balancing.
┌─────────────────┐
│ Edge HAProxy │
│ (SSL term) │
│ Port 443 │
└────────┬────────┘
│
│ HTTP/80
│
┌────────▼────────┐
│ Internal HAProxy│
│ (L7 routing) │
│ Port 8080 │
└────────┬────────┘
│
┌───────────────────┼───────────────────┐
▼ ▼ ▼
┌──────────┐ ┌──────────┐ ┌──────────┐
│ Web │ │ API │ │ Admin │
│ Servers │ │ Servers │ │ Servers │
└──────────┘ └──────────┘ └──────────┘
Edge HAProxy:
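# /etc/haproxy/edge.cfg
# Edge tier: terminates TLS on the public side and relays plain HTTP to the
# internal HAProxy tier (backend internal_haproxy).
global
    maxconn 100000

defaults
    # HAProxy defaults to TCP mode; the http-response/http-request rules below
    # are only evaluated in HTTP mode, so make it explicit.
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend https_edge
    bind *:443 ssl crt /etc/haproxy/certs/wildcard.pem
    # TLS termination happens here; every hop behind this one is plaintext.
    http-response set-header Strict-Transport-Security "max-age=31536000"
    # Tell the internal tier what the client really sent: the original client
    # address (X-Forwarded-For) and that the request arrived over TLS.
    # Without these the internal tier only sees the edge proxy's own address.
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    # Forward to the internal tier
    default_backend internal_haproxy

backend internal_haproxy
    balance roundrobin
    # Plain HTTP on this hop: the edge->internal network must be trusted, or
    # re-encrypt by adding "ssl verify required ca-file <ca.pem placeholder>"
    # to these server lines.
    server int1 10.0.1.10:80 check
    server int2 10.0.1.11:80 check
Internal HAProxy: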
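# /etc/haproxy/internal.cfg
# Internal tier: receives plain HTTP from the edge tier and performs L7 routing.
global
    maxconn 50000

defaults
    # The path_beg ACLs below can never match in the default TCP mode.
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend http_internal
    bind *:80
    # L7 routing by path prefix
    acl is_api path_beg /api
    acl is_admin path_beg /admin
    use_backend api_servers if is_api
    use_backend admin_servers if is_admin
    default_backend web_servers

backend web_servers
    balance roundrobin
    server web1 10.0.2.10:8080 check
    server web2 10.0.2.11:8080 check

backend api_servers
    balance leastconn
    server api1 10.0.3.10:8080 check
    server api2 10.0.3.11:8080 check

backend admin_servers
    balance roundrobin
    # NOTE(review): "src" is the address that opened the TCP connection to
    # this tier. For traffic relayed by the edge HAProxy that is the edge proxy
    # itself; if the edge proxies sit in 10.0.0.0/8 (likely given the
    # addressing), every relayed request looks internal and this deny never
    # fires. To restrict /admin to real internal clients, have the edge send
    # the PROXY protocol (send-proxy-v2 on its server lines, accept-proxy on the
    # bind above) so src is the true client, or evaluate the edge-appended
    # X-Forwarded-For entry instead of src.
    acl is_internal src 10.0.0.0/8
    http-request deny if !is_internal
    server admin1 10.0.4.10:8080 check
Преимущества: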
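# Geo routing. HAProxy has no "-m geoip" match method; country lookup is done
# with an IP-to-label map file and the map_ip converter. The map path below is a
# constructed placeholder: generate the file from your GeoIP data, one
# "<CIDR> <label>" pair per line (e.g. "203.0.113.0/24 EU" — constructed).
frontend edge_front
    bind *:443 ssl crt /etc/haproxy/certs/wildcard.pem
    # Map the client address to a label, then match on the label. Labels are
    # whatever the map emits (ISO country codes, or region names such as EU if
    # the map is generated that way).
    acl is_us   src,map_ip(/etc/haproxy/geoip_country.map) -m str US
    acl is_eu   src,map_ip(/etc/haproxy/geoip_country.map) -m str EU
    acl is_asia src,map_ip(/etc/haproxy/geoip_country.map) -m str CN JP KR
    use_backend us_servers if is_us
    use_backend eu_servers if is_eu
    use_backend asia_servers if is_asia
    default_backend default_servers

backend us_servers
    server us1 198.51.100.10:8080 check
    server us2 198.51.100.11:8080 check

backend eu_servers
    server eu1 203.0.113.10:8080 check
    server eu2 203.0.113.11:8080 check

backend asia_servers
    server asia1 192.0.2.10:8080 check
    server asia2 192.0.2.11:8080 check

backend default_servers
    # Unmapped or unknown sources fall back to the US pool (shares us1).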
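server default1 198.51.100.10:8080 check

frontend edge_waf
    bind *:443 ssl crt /etc/haproxy/certs/wildcard.pem
    # This fragment needs "mode http" (in defaults or here) for the
    # http-request rules below to be evaluated.
    # Rate limiting: one tracked entry per source address, max 100 req / 10s
    stick-table type ip size 1m expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    acl is_rate_limited sc_http_req_rate(0) gt 100
    http-request deny deny_status 429 if is_rate_limited
    # Request-filtering rules (illustrative; a few regexes are not a WAF).
    # "query" inspects the whole query string (url_param without a name only
    # returns the first parameter) and url_dec decodes it first, so the match
    # runs on what the backend will actually receive. "reg" is the documented
    # regex match method.
    acl sql_injection query,url_dec -m reg "(?i)(union|select|drop)"
    acl xss_attack query,url_dec -m reg "(?i)(<script|javascript:)"
    http-request deny deny_status 400 if sql_injection or xss_attack
    # GeoIP blocking: no "-m geoip" exists; use a CIDR->label map with map_ip
    # (placeholder map path, generated from your GeoIP data)
    acl blocked_country src,map_ip(/etc/haproxy/geoip_country.map) -m str KP IR
    http-request deny deny_status 403 if blocked_country
    default_backend origin_servers

backend origin_servers
    balance roundrobin
    server origin1 10.0.1.10:8080 check
    server origin2 10.0.1.11:8080 check
┌─────────────────────────────────────┐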
│ Pod │
│ ┌─────────────┐ ┌───────────────┐ │
│ │ Application │ │ HAProxy Sidecar│ │
│ │ :8080 │ │ :80 │ │
│ └─────────────┘ └───────────────┘ │
└─────────────────────────────────────┘
Sidecar конфигурация:
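# /etc/haproxy/sidecar.cfg
# Per-pod sidecar: accepts traffic on :80 and proxies it to the application on
# localhost:8080, adding tracing headers on the way.
global
    maxconn 10000

defaults
    # The http-request rules below are only evaluated in HTTP mode.
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend sidecar_front
    bind *:80
    # mTLS (if required): "ssl crt" alone only serves TLS; mutual auth also
    # needs the client-verification options, e.g.
    # bind *:80 ssl crt /etc/haproxy/certs/sidecar.pem verify required ca-file <mesh-ca.pem placeholder>
    # Observability: keep a request ID an upstream hop already assigned so one
    # ID follows the request across services; mint one only when absent.
    http-request set-header X-Request-ID %[uuid()] unless { req.hdr(X-Request-ID) -m found }
    # Caller-asserted service name, copied as-is (not authenticated here).
    http-request set-header X-Forwarded-Service %[req.hdr(X-Service-Name)]
    default_backend app_server

backend app_server
    server app 127.0.0.1:8080 check
Kubernetes manifest: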
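apiVersion: v1
kind: Pod
metadata:
  name: app-with-sidecar
spec:
  containers:
    - name: app
      # "latest" is a moving target; pin a version (ideally an image digest) so
      # the deployed code is reproducible and reviewable.
      image: myapp:latest
      ports:
        # containerPort is informational only: the app on 8080 is still
        # reachable directly on the pod IP, bypassing the sidecar, unless the
        # app binds to 127.0.0.1 or a NetworkPolicy restricts it.
        - containerPort: 8080
    - name: haproxy-sidecar
      # Pin to a digest as well for a reproducible supply chain.
      image: haproxy:2.8
      volumeMounts:
        - name: haproxy-config
          # The official image reads /usr/local/etc/haproxy/haproxy.cfg, so the
          # ConfigMap key should be "haproxy.cfg" (or override the command).
          mountPath: /usr/local/etc/haproxy
      ports:
        - containerPort: 80
  volumes:
    - name: haproxy-config
      configMap:
        name: haproxy-sidecar-config
frontend api_gateway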
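bind *:443 ssl crt /etc/haproxy/certs/api.pem
    # (fragment: "mode http" must be set in defaults for the rules below)
    # Service discovery (static path prefixes)
    acl is_users_service path_beg /users
    acl is_orders_service path_beg /orders
    acl is_products_service path_beg /products
    # Rate limiting: the table was tracked but never enforced; deny above
    # 100 requests per 10s per source, consistent with the edge examples.
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    acl is_rate_limited sc_http_req_rate(0) gt 100
    http-request deny deny_status 429 if is_rate_limited
    # Authentication: "-m found" only checks that an Authorization header is
    # present; the users service must still validate the credential itself.
    # Orders and products are not gated here at all.
    acl has_auth hdr(Authorization) -m found
    http-request deny deny_status 401 if is_users_service !has_auth
    # Routing
    use_backend users_service if is_users_service
    use_backend orders_service if is_orders_service
    use_backend products_service if is_products_service
    # default_service is not defined in this fragment
    default_backend default_service

backend users_service
    balance roundrobin
    server users1 10.0.1.10:8080 check
    server users2 10.0.1.11:8080 check

backend orders_service
    balance leastconn
    server orders1 10.0.2.10:8080 check
    server orders2 10.0.2.11:8080 check

backend products_service
    balance roundrobin
    server products1 10.0.3.10:8080 check
    server products2 10.0.3.11:8080 check
┌─────────────┐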
│ DNS │
│ (Route53) │
└──────┬──────┘
│
┌─────────────────┼─────────────────┐
│ │ │
▼ ▼ ▼
┌──────────┐ ┌──────────┐ ┌──────────┐
│ US Edge │ │ EU Edge │ │ Asia Edge│
│ HAProxy │ │ HAProxy │ │ HAProxy │
└──────────┘ └──────────┘ └──────────┘
Конфигурация для каждого региона:
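# US Edge
frontend us_edge
    bind *:443 ssl crt /etc/haproxy/certs/wildcard.pem
    # Local preference: HAProxy has no "-m geoip"; use a CIDR->country map with
    # map_ip (placeholder map path — generate it from your GeoIP data).
    acl is_us_origin src,map_ip(/etc/haproxy/geoip_country.map) -m str US
    # Send US clients to the US pool only while it has a live server; otherwise
    # fall through to the EU pool (real failover, not just geo fallback).
    use_backend us_origin if is_us_origin { nbsrv(us_origin) gt 0 }
    # Fallback
    default_backend eu_origin

backend us_origin
    # The health check belongs to the backend ("option httpchk" is ignored in
    # a frontend section); it is what nbsrv() above counts.
    option httpchk GET /health
    server us1 198.51.100.10:8080 check
    server us2 198.51.100.11:8080 check

backend eu_origin
    option httpchk GET /health
    server eu1 203.0.113.10:8080 check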
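server eu2 203.0.113.11:8080 check

# Multi-region with per-client stickiness. "server", "stick on" and "backup"
# are backend keywords and are invalid inside a frontend, so this is a
# "listen" section (frontend and backend in one).
listen multi_region
    bind *:443 ssl crt /etc/haproxy/certs/wildcard.pem
    # Stickiness by region: remember which regional server a client was sent to
    stick-table type ip size 1m expire 24h store server_id
    stick on src
    # Health check of every region
    option httpchk GET /health
    # Regional servers. By default a stick entry pointing at a server that is
    # down is ignored, so a failed region moves its clients to a live one.
    server region_us 198.51.100.10:8080 check weight 100
    server region_eu 203.0.113.10:8080 check weight 100
    server region_asia 192.0.2.10:8080 check weight 100
    # Fallback when a region is unavailable: to reserve a last-resort server
    # that only receives traffic when all others are down, append "backup" to
    # that server line (a bare "backup" keyword is not valid).
# On-premise HAProxy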
frontend hybrid_front
bind *:443 ssl crt /etc/haproxy/certs/wildcard.pem
# Prefer the on-premise pool while nbsrv() reports at least one server passing
# its health check. NOTE(review): this is an availability test, not a load
# test — an "overload" fallback would need per-server maxconn plus a
# connslots()/queue-based condition.
use_backend onprem_servers if { nbsrv(onprem_servers) gt 0 }
# Otherwise route to the cloud pool (i.e. when on-premise is entirely down)
default_backend cloud_servers
backend onprem_servers
balance leastconn
server onprem1 192.168.1.10:8080 check
server onprem2 192.168.1.11:8080 check
backend cloud_servers
balance roundrobin
# Cloud servers reached over VPN/Direct Connect (plain HTTP on this hop; it
# relies on the tunnel for confidentiality)
server cloud1 10.0.0.10:8080 check
server cloud2 10.0.0.11:8080 check
# /etc/haproxy/enterprise.cfg
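global
    log /dev/log local0 info
    maxconn 100000
    nbthread 8
    tune.bufsize 16384

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout http-request 5s
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout queue 30s

# Cache storage used by backend cdn_cache. HAProxy's cache is a "cache"
# section plus cache-use/cache-store rules; "http-cache"/"http-cache-rule" are
# not HAProxy directives. total-max-size is in MB, max-object-size in bytes,
# max-age in seconds.
cache static_cache
    total-max-size 256
    max-object-size 10485760
    max-age 86400

# === Edge Frontend ===
frontend edge_front
    bind *:443 ssl crt /etc/haproxy/certs/wildcard.pem alpn h2,http/1.1
    # Security headers
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    http-response set-header X-Frame-Options "SAMEORIGIN"
    http-response set-header X-Content-Type-Options "nosniff"
    # Rate limiting
    stick-table type ip size 1m expire 30s store http_req_rate(10s),conn_cur
    http-request track-sc0 src
    acl is_rate_limited sc_http_req_rate(0) gt 100
    http-request deny deny_status 429 if is_rate_limited
    # Request filtering (illustrative patterns, not a substitute for a WAF):
    # inspect the whole decoded query string rather than only the first
    # parameter; "reg" is the documented regex match method.
    acl sql_injection query,url_dec -m reg "(?i)(union|select|drop)"
    acl xss_attack query,url_dec -m reg "(?i)(<script|javascript:)"
    http-request deny deny_status 400 if sql_injection or xss_attack
    # Routing
    acl is_api path_beg /api
    acl is_admin path_beg /admin
    # .svg/.ico added so the cache backend sees everything it is meant to cache
    acl is_static path_end .css .js .png .jpg .gif .svg .ico
    # API service routing lives here because use_backend is only valid in a
    # frontend/listen section, not inside a backend. The more specific
    # prefixes are evaluated before the generic /api rule.
    acl is_users path_beg /api/users
    acl is_orders path_beg /api/orders
    use_backend users_service if is_users
    use_backend orders_service if is_orders
    use_backend api_gateway if is_api
    use_backend admin_servers if is_admin
    use_backend cdn_cache if is_static
    default_backend web_servers

# === API Gateway ===
# Routing is done in edge_front; api_gateway is the generic /api pool
# (the former api_default servers).
backend api_gateway
    balance roundrobin
    server api1 10.0.3.10:8080 check
    server api2 10.0.3.11:8080 check

backend users_service
    balance roundrobin
    server users1 10.0.1.10:8080 check
    server users2 10.0.1.11:8080 check

backend orders_service
    balance roundrobin
    server orders1 10.0.2.10:8080 check
    server orders2 10.0.2.11:8080 check

# === Web Servers ===
backend web_servers
    balance roundrobin
    # Session-affinity cookie; httponly/secure keep it away from scripts and
    # off plaintext connections
    cookie SERVERID insert indirect nocache httponly secure
    server web1 10.0.4.10:8080 check cookie web1
    server web2 10.0.4.11:8080 check cookie web2

# === Admin Servers ===
backend admin_servers
    balance roundrobin
    # src is the real client here because edge_front terminates the connection
    # in this same process; if another proxy sits in front of it, use the PROXY
    # protocol or the trusted X-Forwarded-For entry instead.
    acl is_internal src 10.0.0.0/8 192.168.0.0/16
    http-request deny if !is_internal
    server admin1 10.0.5.10:8080 check
    server admin2 10.0.5.11:8080 check

# === CDN Cache ===
backend cdn_cache
    # Serve from / store into the cache section above; only responses the HTTP
    # caching rules allow (e.g. suitable Cache-Control) are stored.
    http-request cache-use static_cache
    http-response cache-store static_cache
    server cache1 10.0.6.10:8080 check
    server cache2 10.0.6.11:8080 check

# === Stats ===
listen stats
    # Bound on every interface; the ACL below is the only thing keeping the
    # page internal — prefer binding to an internal address.
    bind *:8404
    stats enable
    stats uri /
    stats refresh 5s
    # Placeholder credential kept in clear text in the config file: replace it,
    # restrict read access to this file, and consider the stats socket or a
    # userlist with http-request auth instead.
    stats auth admin:strong_password
    acl internal src 10.0.0.0/8
    http-request deny if !internal
# ✅ Хорошо (горизонтальное)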
# - Несколько edge HAProxy за DNS
# - Internal HAProxy кластер
# - Автоматическое масштабирование backend
# ❌ Плохо (вертикальное)
# - Один большой HAProxy сервер
# - Нет redundancy# ✅ Хорошо
# - Edge: SSL termination, WAF, rate limiting
# - Internal: network segmentation, ACL
# - Admin: IP whitelist, MFA
# ❌ Плохо
# - Нет WAF на edge
# - Admin доступен из интернета
# - Нет rate limiting# ✅ Хорошо
# - Prometheus метрики
# - Centralized logging (ELK)
# - Distributed tracing (X-Request-ID)
# - Алерты на ключевые метрики
# ❌ Плохо
# - Только локальные логи
# - Нет мониторинга
# - Нет tracing
Поздравляем! Вы прошли полный курс по HAProxy Expert.
Что вы освоили:
Следующие шаги:
Вопросы ещё не добавлены
Вопросы для этой подтемы ещё не добавлены.