
Haproxy基于ACL做访问控制

作者: 芷_念 | 来源:发表于2017-09-13 16:04 被阅读0次

    Haproxy基于ACL做访问控制

    基于ACL做访问控制(四层代理)

    网络拓扑

    环境

    前端HAProxy 172.16.253.108
    后端web1    172.16.253.105
    后端web2    172.16.252.1
    client      172.16.253.177
    

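    安装HAproxy

    注:下面各主机上执行的 iptables -F(清空全部防火墙规则)和 setenforce 0(将SELinux切换为宽容模式)只是为了简化实验环境;正式环境应保留防火墙与SELinux,仅放行所需端口。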

    HAproxy

    [root@HAProxy ~]# yum install haproxy -y
    [root@HAProxy ~]# rpm -ql haproxy
    [root@HAProxy ~]# iptables -F
    [root@HAProxy ~]# setenforce 0
    [root@HAProxy ~]# systemctl enable haproxy
    [root@HAProxy ~]# cp /etc/haproxy/haproxy.cfg{,.bak}
    [root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
    

    web1

    [root@web1 ~]# yum -y install httpd
    [root@web1 ~]# vim /var/www/html/index.html 
    <h1> Backend Server 1 </h1>
    [root@web1 ~]# systemctl start httpd
    [root@web1 ~]# setenforce 0
    [root@web1 ~]# iptables -F
    

    web2

    [root@web2 ~]# yum -y install httpd
    [root@web2 ~]# vim /var/www/html/index.html 
    <h1> Backend Server 2 </h1>
    [root@web2 ~]# service httpd start 
    [root@web2 ~]# setenforce 0
    [root@web2 ~]# iptables -F
    

    HAproxy

    [root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
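        # Lab listing: one frontend, one backend pool and a stats listener.
        # Inline notes must start with '#': HAProxy does not treat '\\' as a
        # comment marker, so trailing '\\...' text after a directive is read as
        # extra arguments.
        frontend myweb *:80
            default_backend websrvs

        backend websrvs
            balance roundrobin
            server srv1 172.16.253.105:80 check weight 2
            server srv2 172.16.252.1:80 check weight 1
        listen stats
            bind *:9000
            # Despite its name, this ACL holds the source address that is DENIED below.
            acl allowstats src 172.16.251.196
            # Answer 403 to requests coming from the address in allowstats.
            # 'block' is the legacy spelling; HAProxy 2.1 and later reject it and
            # expect 'http-request deny if allowstats', which uses the same syntax.
            block if allowstats
            # 403 responses are sent as a redirect to this URL.
            # NOTE(review): nothing on this page sets up a listener on port 10080 - confirm.
            errorloc 403 http://172.16.253.108:10080/403.html
            stats enable
            stats uri /myproxy?admin
            stats realm "HAProxy Stats Page"
            # NOTE(review): admin:admin is a guessable sample credential, and basic
            # auth on this plain-HTTP listener travels unencrypted; replace it
            # outside a lab.
            stats auth admin:admin
            # Every authenticated user gets the admin actions of the stats page;
            # here only the single blocked address is kept away from the listener.
            stats admin if TRUE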
    [root@HAProxy ~]# systemctl restart haproxy 
    

    访问测试

    172.16.251.196使用浏览器访问测试http://172.16.253.108:10080/403.html
    
    • http-request允许某主机访问stats状态界面
      允许172.16.251.196用户访问http://172.16.253.108服务器的HAProxy的状态界面

    HAProxy

    [root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
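        # Lab listing: the stats listener is restricted to one source address.
        # Inline notes use '#'; HAProxy does not recognise '\\' as a comment marker.
        frontend myweb *:80
            default_backend websrvs

        backend websrvs
            balance roundrobin
            server srv1 172.16.253.105:80 check weight 2
            server srv2 172.16.252.1:80 check weight 1
        listen stats
            bind *:9000
            # Source address that may reach the stats page.
            acl allowstats src 172.16.251.196
            # Alternative (disabled): accept requests from allowstats. On its own an
            # 'allow' rule restricts nobody; it only has an effect when a deny rule
            # follows it.
            # http-request allow if allowstats
            # Active rule: deny every request except those from allowstats, i.e.
            # only that address can use this listener.
            http-request deny  unless allowstats
            # Alternative (disabled): deny allowstats only.
            # http-request deny if allowstats
            # Redirect target used for 403 responses.
            # NOTE(review): nothing on this page sets up a listener on port 10080 - confirm.
            errorloc 403 http://172.16.253.108:10080/403.html
            stats enable
            stats uri /myproxy?admin
            stats realm "HAProxy Stats Page"
            # NOTE(review): admin:admin is a guessable sample credential, and basic
            # auth on this plain-HTTP listener travels unencrypted; replace it
            # outside a lab.
            stats auth admin:admin
            # Admin actions are granted to every authenticated user; the deny rule
            # above is what limits them to the allowstats address.
            stats admin if TRUE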
    [root@HAProxy ~]# systemctl restart haproxy 
    

    访问测试

    图形化浏览器
        172.16.251.196使用浏览器访问测试http://172.16.253.108:10080/403.html    
    字符界面 
        [root@client ~]# curl --basic --user admin:admin http://172.16.253.108:9000/myproxy?admin   
    

    基于ACL做访问控制(七层代理)

    动态网页存放在动态服务器组中,静态网页存放在静态服务器组中

    拓扑环境

    环境

    前端HAProxy 172.16.253.108
    后端web1    172.16.253.105
    后端web2    172.16.253.191
    client      172.16.253.177
    
    • web1使用虚拟主机技术搭建两个web server,用来存放动态网页内容(示例中的phpinfo()页面会输出完整的PHP配置与服务器环境信息,仅用于测试,验证后应删除)
    • web2使用虚拟主机技术搭建两个web server,用来存放静态网页内容

    web1创建虚拟主机

    [root@web1 ~]# yum -y install php httpd
    [root@web1 ~]# mkdir /data/web/vhost{1,2} -pv
    [root@web1 ~]# vim /data/web/vhost1/index.php
    <h1> Application Server 1</h1>
    <?php
        phpinfo();
    ?>
    [root@web1 ~]# vim /data/web/vhost2/index.php
    <h1> Application Server 2</h1>
    <?php
        phpinfo();
    ?>
    
    虚拟主机1的配置文件
    [root@web1 ~]# vim /etc/httpd/conf.d/vhost1.conf  # 编辑vhost1虚拟主机的配置文件
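    # Virtual host www1.danran.com on port 80, serving /data/web/vhost1.
    # Apache comments must sit on their own line: text placed after a directive
    # on the same line is parsed as an argument to that directive.
    <VirtualHost *:80>
        ServerName www1.danran.com
        DocumentRoot "/data/web/vhost1"
        <Directory "/data/web/vhost1">
                # Let httpd follow symbolic links found in this directory.
                Options FollowSymLinks
                # Ignore .htaccess files, so nothing under this directory can
                # override the settings given here.
                AllowOverride None
                # No access restriction at the web-server level.
                Require all granted
        </Directory>
    </VirtualHost>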
    
    虚拟主机2的配置文件
    [root@web1 ~]# vim /etc/httpd/conf.d/vhost2.conf
    # Second virtual host on web1: httpd also listens on port 8080 and serves
    # /data/web/vhost2 as www2.danran.com.
    Listen 8080
    <VirtualHost *:8080>
        ServerName www2.danran.com
        DocumentRoot "/data/web/vhost2"
        <Directory "/data/web/vhost2">
                # Follow symbolic links found in this directory.
                Options FollowSymLinks
                # Ignore .htaccess files under this directory.
                AllowOverride None
                # No access restriction at the web-server level.
                Require all granted
        </Directory>
    </VirtualHost>
    
    [root@web1 ~]# systemctl restart httpd.service 
    [root@web1 ~]# ss -ntl
    

    web2创建虚拟主机

    [root@web2 ~]# yum -y install httpd
    [root@web2 ~]# mkdir -pv /data/web/vhost{1,2}
    [root@web2 ~]# find /usr/share/ -iname "*.jpg" -exec cp {} /data/web/vhost1/ \;
    [root@web2 ~]# find /usr/share/ -iname "*.jpg" -exec cp {} /data/web/vhost2/ \;
    [root@web2 ~]# vim /data/web/vhost1/index.html
    <h1> Image Server 1 </h1>
    [root@web2 ~]# vim /data/web/vhost2/index.html
    <h1> Image Server 2 </h1>
    
    编辑虚拟主机1的配置文件
    [root@web2 ~]# vim  /etc/httpd/conf.d/vhost1.conf 
    # First virtual host on web2: www1.danran.com on port 80, serving the
    # static files in /data/web/vhost1.
    <VirtualHost *:80>
        ServerName www1.danran.com
        DocumentRoot "/data/web/vhost1"
        <Directory "/data/web/vhost1">
                # Follow symbolic links found in this directory.
                Options FollowSymLinks
                # Ignore .htaccess files under this directory.
                AllowOverride None
                # No access restriction at the web-server level.
                Require all granted
        </Directory>
    </VirtualHost>
    
    编辑虚拟主机2的配置文件
    [root@web2 ~]# vim  /etc/httpd/conf.d/vhost2.conf 
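    # Second virtual host on web2: httpd also listens on port 8080.
    # The document root is /data/web/vhost2: that directory is created earlier
    # on this page with its own index.html ("Image Server 2"), and the client
    # test further down shows both image servers answering. Pointing this host
    # at /data/web/vhost1 would make both ports serve the same files.
    Listen 8080
    <VirtualHost *:8080>
        ServerName www2.danran.com
        DocumentRoot "/data/web/vhost2"
        <Directory "/data/web/vhost2">
                # Follow symbolic links found in this directory.
                Options FollowSymLinks
                # Ignore .htaccess files under this directory.
                AllowOverride None
                # No access restriction at the web-server level.
                Require all granted
        </Directory>
    </VirtualHost>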
    
    [root@web2 ~]# systemctl start httpd.service 
    

    HAproxy

    [root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
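        # Layer-7 routing: static file extensions go to one server group, all
        # other requests to the other. Inline notes use '#'; HAProxy does not
        # recognise '\\' as a comment marker.
        frontend myweb *:80
            # NOTE(review): HAProxy's documentation lists 'cookie' as usable in
            # defaults/listen/backend sections, not in a frontend - confirm whether
            # this line belongs in 'backend dynsrvs', whose servers carry the
            # cookie values.
            cookie WEBSRV indirect nocache
            # ACL 'static': the request path ends in one of these extensions.
            acl static path_end .jpg .jpeg .png .gif .txt .html
            # Requests matching 'static' are sent to the static server group.
            use_backend staticsrvs  if static
            # Requests matching no use_backend rule go to the dynamic server group.
            default_backend dynsrvs

            # Dynamic server group: two httpd virtual hosts on web1.
            backend dynsrvs
                balance roundrobin
                server dynsrv1 172.16.253.105:80 check cookie dynsrv1
                server dynsrv2 172.16.253.105:8080 check cookie dynsrv2
            # Static server group: two httpd virtual hosts on web2.
            backend staticsrvs
                balance roundrobin
                server staticsrv1 172.16.253.191:80 check
                server staticsrv2 172.16.253.191:8080 check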
    [root@HAProxy ~]# systemctl restart haproxy
    

    client

    [root@client ~]# curl http://172.16.253.108/index.html
    <h1> Image Server 1 </h1>
    [root@client ~]# curl http://172.16.253.108/index.html
    <h1> image Server 2 </h1>
    [root@client ~]# curl http://172.16.253.108/index.php
    <h1> Application Server 2</h1>
    [root@client ~]# curl http://172.16.253.108/index.php
    <h1> Application Server 2</h1>
    

    拒绝curl访问web

    HAproxy

    [root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
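        # Same routing as before, plus a rule that rejects requests by
        # User-Agent. Inline notes use '#'; HAProxy does not recognise '\\' as a
        # comment marker.
        frontend myweb *:80
            # NOTE(review): HAProxy's documentation lists 'cookie' as usable in
            # defaults/listen/backend sections, not in a frontend - confirm whether
            # this line belongs in 'backend dynsrvs'.
            cookie WEBSRV indirect nocache
            # ACL 'static': the request path ends in one of these extensions.
            acl static path_end .jpg .jpeg .png .gif .txt .html
            # Requests matching 'static' are sent to the static server group.
            use_backend staticsrvs  if static
            # Requests matching no use_backend rule go to the dynamic server group.
            default_backend dynsrvs
            # ACL 'bad_browsers': the User-Agent header contains "curl".
            # The match is case-sensitive (no -i flag), and User-Agent is a value
            # the client chooses, so this rule only filters tools that identify
            # themselves honestly; it is traffic hygiene, not an access control.
            acl bad_browsers hdr_reg(User-Agent) .*curl.*
            # Answer 403 to requests matching bad_browsers. 'block' is the legacy
            # spelling; HAProxy 2.1 and later expect 'http-request deny if bad_browsers'.
            block if bad_browsers

            # Dynamic server group.
            backend dynsrvs
                balance roundrobin
                server dynsrv1 172.16.253.105:80 check cookie dynsrv1
                server dynsrv2 172.16.253.105:8080 check cookie dynsrv2
            # Static server group.
            backend staticsrvs
                balance roundrobin
                server staticsrv1 172.16.253.191:80 check
                server staticsrv2 172.16.253.191:8080 check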
    [root@HAProxy ~]# systemctl restart haproxy
    

    client

    [root@client ~]# curl http://172.16.253.108/index.html
    <html><body><h1>403 Forbidden</h1>
    Request forbidden by administrative rules.
    </body></html>
    

    定义仅允许Referer首部来自cxjing.com域的请求访问(Referer由客户端填写,只适合用于防盗链,不能作为身份校验)

    HAproxy

    [root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
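        # Same routing as before, plus a Referer check. Inline notes use '#';
        # HAProxy does not recognise '\\' as a comment marker.
        frontend myweb *:80
            # NOTE(review): HAProxy's documentation lists 'cookie' as usable in
            # defaults/listen/backend sections, not in a frontend - confirm whether
            # this line belongs in 'backend dynsrvs'.
            cookie WEBSRV indirect nocache
            # ACL 'static': the request path ends in one of these extensions.
            acl static path_end .jpg .jpeg .png .gif .txt .html
            # Requests matching 'static' are sent to the static server group.
            use_backend staticsrvs  if static
            # Requests matching no use_backend rule go to the dynamic server group.
            default_backend dynsrvs
            # ACL 'valid_referers': the Referer header matches \.cxjing\.com.
            # The pattern is unanchored, so it matches anywhere in the header value
            # (path and query string included), and Referer is a value the client
            # chooses: treat this as hotlink protection, not as authentication.
            # NOTE(review): a stricter pattern would anchor on the scheme and host
            # part of the URL; validate any change with 'haproxy -c -f <config file>'.
            acl valid_referers hdr_reg(Referer) \.cxjing\.com
            # Answer 403 to every request that does not match valid_referers,
            # which includes requests sent without any Referer header. 'block' is
            # the legacy spelling; HAProxy 2.1 and later expect
            # 'http-request deny unless valid_referers'.
            block unless valid_referers

            # Dynamic server group.
            backend dynsrvs
                balance roundrobin
                server dynsrv1 172.16.253.105:80 check cookie dynsrv1
                server dynsrv2 172.16.253.105:8080 check cookie dynsrv2
            # Static server group.
            backend staticsrvs
                balance roundrobin
                server staticsrv1 172.16.253.191:80 check
                server staticsrv2 172.16.253.191:8080 check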
    [root@HAProxy ~]# systemctl restart haproxy
    

    client

    模拟www.cxjing.com主机访问
    [root@client ~]# curl -e "http://www.cxjing.com/index.php" http://172.16.253.108/index.php 
    <h1> Application Server 2</h1>
    
