1. HAProxy简介与版本说明
HAProxy是一款开源、高性能的负载均衡器和代理服务器软件,支持TCP和HTTP应用的负载均衡。更多学习教程www.fgedu.net.cn。HAProxy以其卓越的性能、稳定性和丰富的功能而闻名,被众多大型互联网公司广泛使用。
HAProxy工作在四层(TCP)和七层(HTTP),提供丰富的负载均衡算法、健康检查机制、会话保持功能。学习交流加群风哥微信: itpux-com。它能够处理数万并发连接,是构建高可用、高性能服务架构的关键组件。
HAProxy核心特性:
– 七层负载均衡:支持HTTP/HTTPS协议的负载均衡
– 多种调度算法:轮询、加权轮询、最少连接、源地址哈希等
– 健康检查:主动和被动健康检查机制
– 会话保持:支持Cookie和IP哈希会话保持
– SSL/TLS终止:支持HTTPS卸载和端到端加密
– 连接限流:支持连接数和请求速率限制
– 访问控制:基于ACL的访问控制
– 统计监控:内置统计页面和监控接口
– 日志记录:详细的访问日志和错误日志
– 配置热加载:支持无中断配置重载
HAProxy与其他负载均衡器对比:
工作层级 四层/七层 七层 四层
性能 极高 高 极高
配置复杂度 中等 中等 中等
健康检查 内置 需配置 需Keepalived
SSL终止 支持 支持 不支持
会话保持 支持 支持 支持
统计监控 内置 需模块 需工具
动态配置 有限 有限 无
2. HAProxy版本选择与下载地址
HAProxy采用语义化版本号,当前主要维护3.x系列。
HAProxy版本状态:
3.3.6 2026-03-19 最新稳定版
3.2.x 2025-XX-XX 稳定版
3.0.19 2026-03-19 长期支持版
2.8.x 2025-XX-XX 旧版支持
HAProxy 3.3主要更新:
– 性能优化和效率提升
– SSL/TLS功能增强
– 可观测性改进
– 流量控制灵活性增强
– 新的负载均衡算法
– 健康检查功能增强
官方下载地址:
下载页面:https://www.haproxy.org/download/
源码仓库:https://github.com/haproxy/haproxy
文档中心:https://docs.haproxy.org/
Docker镜像:https://hub.docker.com/_/haproxy
3. HAProxy下载方式详解
方式一:源码编译安装(推荐生产环境)
$ cd /fgeudb/software
$ wget https://www.haproxy.org/download/3.3/src/haproxy-3.3.6.tar.gz
输出示例如下:
–2026-04-04 10:00:00– https://www.haproxy.org/download/3.3/src/haproxy-3.3.6.tar.gz
Resolving www.haproxy.org… 51.15.8.218
Connecting to www.haproxy.org|51.15.8.218|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 4567890 (4.4M) [application/octet-stream]
Saving to: ‘haproxy-3.3.6.tar.gz’
haproxy-3.3.6.tar.gz 100%[======================================================================>] 4.35M 5.2MB/s in 0.8s
2026-04-04 10:00:01 (5.2 MB/s) – ‘haproxy-3.3.6.tar.gz’ saved [4567890/4567890]
解压源码包:
$ tar -zxvf haproxy-3.3.6.tar.gz -C /fgeudb/
安装编译依赖:
# yum install -y gcc make openssl-devel pcre-devel zlib-devel systemd-devel
或Ubuntu/Debian:
# apt install -y build-essential libssl-dev libpcre3-dev zlib1g-dev libsystemd-dev
编译安装:
$ cd /fgeudb/haproxy-3.3.6
$ make TARGET=linux-glibc USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1 USE_SYSTEMD=1
# make install PREFIX=/fgeudb/haproxy
输出示例如下:
CC src/ev_poll.o
CC src/ev_kqueue.o
CC src/haproxy.o
…
‘haproxy’ -> ‘/fgeudb/haproxy/sbin/haproxy’
验证安装:
$ /fgeudb/haproxy/sbin/haproxy -v
输出示例如下:
HAProxy 3.3.6 – https://www.haproxy.org/
Status: long-term supported branch
Known bugs: https://www.haproxy.org/bugs/bugs-3.3.6.html
Running on: Linux 5.15.0-91-generic #101-Ubuntu SMP x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = cc
CFLAGS = -O2 -g -Wall -Wextra -Wdeclaration-after-statement
OPTIONS = USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1 USE_SYSTEMD=1
方式二:包管理器安装
# yum install -y haproxy
输出示例如下:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
–> Running transaction check
—> Package haproxy.x86_64 0:3.3.6-1.el7 will be installed
–> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
haproxy x86_64 3.3.6-1.el7 base 1.2 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 1.2 M
Installed size: 3.5 M
Downloading packages:
haproxy-3.3.6-1.el7.x86_64.rpm | 1.2 MB 00:00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : haproxy-3.3.6-1.el7.x86_64 1/1
Verifying : haproxy-3.3.6-1.el7.x86_64 1/1
Installed:
haproxy.x86_64 0:3.3.6-1.el7
Complete!
Ubuntu/Debian安装:
# apt update
# apt install -y haproxy
输出示例如下:
Reading package lists… Done
Building dependency tree… Done
The following NEW packages will be installed:
haproxy
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,234 kB of archives.
After this operation, 3,456 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy/main amd64 haproxy amd64 3.3.6-1 [1,234 kB]
Fetched 1,234 kB in 2s (617 kB/s)
Selecting previously unselected package haproxy…
(Reading database … 123456 files and directories currently installed.)
Preparing to unpack …/haproxy_3.3.6-1_amd64.deb …
Unpacking haproxy (3.3.6-1) …
Setting up haproxy (3.3.6-1) …
验证安装:
$ haproxy -v
输出示例如下:
HAProxy 3.3.6 – https://www.haproxy.org/
方式三:Docker容器部署
$ docker pull haproxy:3.3.6
输出示例如下:
3.3.6: Pulling from library/haproxy
Digest: sha256:abc123def456…
Status: Downloaded newer image for haproxy:3.3.6
启动HAProxy容器:
$ docker run –name haproxy-lb \
-p 80:80 \
-p 443:443 \
-p 8404:8404 \
-v /fgeudb/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro \
-v /fgeudb/haproxy/ssl:/etc/ssl/haproxy:ro \
-d haproxy:3.3.6
输出示例如下:
abc123def456789…
查看容器状态:
$ docker ps | grep haproxy
输出示例如下:
abc123def456 haproxy:3.3.6 “docker-entrypoint.s…” 10 seconds ago Up 9 seconds 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:8404->8404/tcp haproxy-lb
4. HAProxy安装部署实战
步骤1:创建目录结构
# mkdir -p /fgeudb/haproxy/{conf,logs,ssl,run}
# mkdir -p /fgeudb/haproxy/conf/{conf.d,errors}
创建haproxy用户:
# groupadd haproxy
# useradd -g haproxy -s /sbin/nologin -M haproxy
设置权限:
# chown -R haproxy:haproxy /fgeudb/haproxy
# chmod -R 755 /fgeudb/haproxy
步骤2:配置systemd服务
# vi /etc/systemd/system/haproxy.service
[Unit]
Description=HAProxy Load Balancer
Documentation=https://www.haproxy.org/
After=network.target
[Service]
Type=notify
User=haproxy
Group=haproxy
ExecStart=/fgeudb/haproxy/sbin/haproxy -f /fgeudb/haproxy/conf/haproxy.cfg -p /fgeudb/haproxy/run/haproxy.pid -Ws
ExecReload=/bin/kill -USR2 $MAINPID
ExecStop=/bin/kill -SIGTERM $MAINPID
Restart=on-failure
RestartSec=5
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
重载服务配置:
# systemctl daemon-reload
启动服务:
# systemctl start haproxy
设置开机自启:
# systemctl enable haproxy
查看服务状态:
# systemctl status haproxy
输出示例如下:
● haproxy.service – HAProxy Load Balancer
Loaded: loaded (/etc/systemd/system/haproxy.service; enabled)
Active: active (running) since Fri 2026-04-04 10:05:00 CST; 10s ago
Main PID: 12345 (haproxy)
CGroup: /system.slice/haproxy.service
└─12345 /fgeudb/haproxy/sbin/haproxy -f /fgeudb/haproxy/conf/haproxy.cfg -p /fgeudb/haproxy/run/haproxy.pid -Ws
5. HAProxy配置文件详解
步骤1:创建主配置文件
# vi /fgeudb/haproxy/conf/haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /fgeudb/haproxy
stats socket /fgeudb/haproxy/run/haproxy.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 65535
pidfile /fgeudb/haproxy/run/haproxy.pid
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
timeout http-request 10s
timeout http-keep-alive 10s
timeout check 10s
retries 3
option redispatch
option http-server-close
option forwardfor except 127.0.0.0/8
frontend http_front
bind *:80
mode http
default_backend http_back
backend http_back
balance roundrobin
option httpchk GET /health
http-check expect status 200
server web1 192.168.1.52:80 check inter 3s fall 3 rise 2 weight 3
server web2 192.168.1.53:80 check inter 3s fall 3 rise 2 weight 2
server web3 192.168.1.54:80 check inter 3s fall 3 rise 2 weight 1
frontend stats
bind *:8404
mode http
stats enable
stats uri /stats
stats refresh 10s
stats admin if LOCALHOST
stats auth admin:admin123
步骤2:配置日志
# vi /etc/rsyslog.d/haproxy.conf
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
local0.* /fgeudb/haproxy/logs/haproxy.log
local1.* /fgeudb/haproxy/logs/haproxy-notice.log
重启rsyslog:
# systemctl restart rsyslog
配置日志轮转:
# vi /etc/logrotate.d/haproxy
/fgeudb/haproxy/logs/*.log {
daily
rotate 30
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
/bin/kill -HUP `cat /fgeudb/haproxy/run/haproxy.pid 2>/dev/null` 2>/dev/null || true
endscript
}
6. HAProxy负载均衡配置
步骤1:配置HTTP负载均衡
bind *:80
mode http
ACL规则:
acl is_api path_beg /api
acl is_static path_beg /static
根据路径分发:
use_backend api_back if is_api
use_backend static_back if is_static
default_backend web_back
backend web_back
balance roundrobin
option httpchk GET /health
http-check expect status 200
cookie会话保持:
cookie SERVERID insert indirect nocache
server web1 192.168.1.52:80 check cookie s1 weight 3
server web2 192.168.1.53:80 check cookie s2 weight 2
server web3 192.168.1.54:80 check cookie s3 weight 1
backend api_back
balance leastconn
option httpchk GET /api/health
server api1 192.168.1.55:8080 check
server api2 192.168.1.56:8080 check
backend static_back
balance uri
server static1 192.168.1.57:80 check
server static2 192.168.1.58:80 check
步骤2:配置TCP负载均衡
bind *:3306
mode tcp
option tcplog
default_backend mysql_back
backend mysql_back
balance leastconn
option mysql-check user haproxy_check
server mysql1 192.168.1.52:3306 check inter 3s fall 3 rise 2
server mysql2 192.168.1.53:3306 check inter 3s fall 3 rise 2 backup
frontend redis_front
bind *:6379
mode tcp
option tcplog
default_backend redis_back
backend redis_back
balance roundrobin
option tcp-check
tcp-check connect
tcp-check send PING\r\n
tcp-check expect string +PONG
server redis1 192.168.1.54:6379 check inter 3s
server redis2 192.168.1.55:6379 check inter 3s
步骤3:配置健康检查
backend http_back
option httpchk GET /health HTTP/1.1\r\nHost:\ www.fgedu.net.cn
http-check expect status 200-399
server web1 192.168.1.52:80 check inter 2s fall 3 rise 2
server web2 192.168.1.53:80 check inter 2s fall 3 rise 2
参数说明:
– inter:检查间隔时间
– fall:连续失败次数后标记为down
– rise:连续成功次数后标记为up
– check:启用健康检查
TCP健康检查:
backend tcp_back
option tcp-check
tcp-check connect port 80
tcp-check send GET\ /health\r\n
tcp-check expect string OK
server srv1 192.168.1.52:80 check
MySQL健康检查:
backend mysql_back
option mysql-check user haproxy_check post-41
server mysql1 192.168.1.52:3306 check
7. HAProxy SSL/HTTPS配置
步骤1:配置SSL终止
$ mkdir -p /fgeudb/haproxy/ssl
$ openssl genrsa -out /fgeudb/haproxy/ssl/fgedu.key 2048
$ openssl req -new -key /fgeudb/haproxy/ssl/fgedu.key -out /fgeudb/haproxy/ssl/fgedu.csr \
-subj “/C=CN/ST=Beijing/L=Beijing/O=/CN=fgedu.net.cn”
$ openssl x509 -req -days 365 -in /fgeudb/haproxy/ssl/fgedu.csr \
-signkey /fgeudb/haproxy/ssl/fgedu.key -out /fgeudb/haproxy/ssl/fgedu.crt
合并证书和私钥:
$ cat /fgeudb/haproxy/ssl/fgedu.crt /fgeudb/haproxy/ssl/fgedu.key > /fgeudb/haproxy/ssl/fgedu.pem
$ chmod 600 /fgeudb/haproxy/ssl/fgedu.pem
配置HTTPS前端:
frontend https_front
bind *:443 ssl crt /fgeudb/haproxy/ssl/fgedu.pem alpn h2,http/1.1
mode http
HSTS头:
http-response set-header Strict-Transport-Security “max-age=31536000; includeSubDomains”
default_backend web_back
HTTP到HTTPS重定向:
frontend http_front
bind *:80
mode http
redirect scheme https code 301 if !{ ssl_fc }
步骤2:配置多域名SSL
bind *:443 ssl crt /fgeudb/haproxy/ssl/fgedu.pem crt /fgeudb/haproxy/ssl/api.pem alpn h2,http/1.1
mode http
根据证书选择后端:
acl is_fgedu ssl_fc_sni fgedu.net.cn
acl is_api ssl_fc_sni api.fgedu.net.cn
use_backend api_back if is_api
default_backend web_back
SNI路由:
frontend https_front
bind *:443 ssl crt-list /fgeudb/haproxy/ssl/crt-list.txt
crt-list.txt内容:
/fgeudb/haproxy/ssl/fgedu.pem fgedu.net.cn www.fgedu.net.cn
/fgeudb/haproxy/ssl/api.pem api.fgedu.net.cn
8. 安装验证与测试
查看HAProxy状态
$ ps -ef | grep haproxy
输出示例如下:
haproxy 12345 1 0 10:05 ? 00:00:00 /fgeudb/haproxy/sbin/haproxy -f /fgeudb/haproxy/conf/haproxy.cfg -p /fgeudb/haproxy/run/haproxy.pid -Ws
查看端口监听:
$ netstat -tlnp | grep haproxy
输出示例如下:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 12345/haproxy
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 12345/haproxy
tcp 0 0 0.0.0.0:8404 0.0.0.0:* LISTEN 12345/haproxy
查看HAProxy版本:
$ haproxy -v
输出示例如下:
HAProxy 3.3.6 – https://www.haproxy.org/
验证配置文件:
$ haproxy -c -f /fgeudb/haproxy/conf/haproxy.cfg
输出示例如下:
Configuration file is valid
访问测试
$ curl -I http://192.168.1.51
输出示例如下:
HTTP/1.1 200 OK
date: Fri, 04 Apr 2026 10:10:00 GMT
content-type: text/html
content-length: 1234
server: nginx
测试HTTPS访问:
$ curl -I -k https://192.168.1.51
输出示例如下:
HTTP/2 200
date: Fri, 04 Apr 2026 10:10:00 GMT
content-type: text/html
strict-transport-security: max-age=31536000; includeSubDomains
测试统计页面:
$ curl http://192.168.1.51:8404/stats
输出示例如下:
HAProxy Statistics Report…
性能测试
$ ab -n 10000 -c 100 http://192.168.1.51/
输出示例如下:
This is ApacheBench, Version 2.3 <$Revision: 1879490 $>
…
Complete requests: 10000
Failed requests: 0
Total transferred: 12340000 bytes
HTML transferred: 6170000 bytes
Requests per second: 45678.32 [#/sec] (mean)
Time per request: 2.189 [ms] (mean)
Time per request: 0.022 [ms] (mean, across all concurrent requests)
Transfer rate: 5508.45 [Kbytes/sec] received
使用wrk进行压力测试:
$ wrk -t4 -c100 -d30s http://192.168.1.51/
输出示例如下:
Running 30s test @ http://192.168.1.51/
4 threads and 100 connections
Thread Stats Avg Stdev Max +/- Stdev
Latency 2.19ms 0.85ms 18.34ms 78.25%
Req/Sec 11.56k 789.45 13.45k 71.50%
1378456 requests in 30.02s, 1.89GB read
Requests/sec: 45921.45
Transfer/sec: 64.56MB
9. 常见问题与解决方案
问题1:后端服务器无法访问
解决方案:
1. 检查健康检查配置:
backend http_back
option httpchk GET /health
http-check expect status 200
2. 检查后端服务状态:
$ curl http://192.168.1.52/health
3. 检查网络连通性:
$ telnet 192.168.1.52 80
4. 查看HAProxy日志:
$ tail -f /fgeudb/haproxy/logs/haproxy.log
5. 使用socket命令查看状态:
$ echo “show stat” | socat stdio /fgeudb/haproxy/run/haproxy.sock
问题2:配置文件语法错误
解决方案:
1. 验证配置文件:
$ haproxy -c -f /fgeudb/haproxy/conf/haproxy.cfg
2. 检查常见语法错误:
– 花括号不匹配
– 指令拼写错误
– 缩进不正确
– 端口被占用
3. 查看详细错误:
$ haproxy -d -f /fgeudb/haproxy/conf/haproxy.cfg
4. 使用调试模式:
$ haproxy -db -f /fgeudb/haproxy/conf/haproxy.cfg
问题3:连接数不足
解决方案:
1. 检查当前限制:
$ ulimit -n
2. 增加系统限制:
# vi /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
3. 在HAProxy配置中设置:
global
maxconn 65535
4. 在systemd服务中设置:
[Service]
LimitNOFILE=65535
5. 检查内核参数:
# sysctl -w net.core.somaxconn=65535
问题4:SSL证书错误
解决方案:
1. 检查证书文件:
$ openssl x509 -in /fgeudb/haproxy/ssl/fgedu.pem -text -noout
2. 检查证书链:
$ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /fgeudb/haproxy/ssl/fgedu.pem
3. 检查证书格式:
– 确保证书和私钥合并为一个PEM文件
– 确保私钥在证书之后
4. 测试SSL连接:
$ openssl s_client -connect 192.168.1.51:443 -servername fgedu.net.cn
HAProxy管理命令
# systemctl start haproxy
或
$ /fgeudb/haproxy/sbin/haproxy -f /fgeudb/haproxy/conf/haproxy.cfg
停止服务:
# systemctl stop haproxy
重载配置:
# systemctl reload haproxy
或
$ haproxy -f /fgeudb/haproxy/conf/haproxy.cfg -p /fgeudb/haproxy/run/haproxy.pid -sf $(cat /fgeudb/haproxy/run/haproxy.pid)
验证配置:
$ haproxy -c -f /fgeudb/haproxy/conf/haproxy.cfg
查看版本:
$ haproxy -v
查看统计信息(通过socket):
$ echo “show stat” | socat stdio /fgeudb/haproxy/run/haproxy.sock
查看服务器状态:
$ echo “show servers state” | socat stdio /fgeudb/haproxy/run/haproxy.sock
启用/禁用服务器:
$ echo “set server http_back/web1 state ready” | socat stdio /fgeudb/haproxy/run/haproxy.sock
$ echo “set server http_back/web1 state maint” | socat stdio /fgeudb/haproxy/run/haproxy.sock
查看帮助:
$ haproxy -h
1. 使用HAProxy 3.3.x最新稳定版本;2. 配置systemd服务实现自动重启;3. 启用健康检查确保服务可用性;4. 配置会话保持保证用户体验;5. 启用SSL终止减轻后端负担;6. 配置完善的日志记录;7. 使用统计页面监控运行状态;8. 配置连接限制防止过载;9. 定期更新版本修复安全漏洞;10. 配置高可用实现故障切换。
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
