Apache Study Notes - Reverse Proxy Guide

http://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
In addition to being a “basic” web server, and providing static and dynamic content to end-users, Apache httpd (as well as most other web servers) can also act as a reverse proxy server, also-known-as a “gateway” server.

In such scenarios, httpd itself does not generate or host the data, but rather the content is obtained by one or several backend servers, which normally have no direct connection to the external network. As httpd receives a request from a client, the request itself is proxied to one of these backend servers, which then handles the request, generates the content and then sends this content back to httpd, which then generates the actual HTTP response back to the client.

There are numerous reasons for such an implementation, but generally the typical rationales are due to security, high-availability, load-balancing and centralized authentication/authorization. It is critical in these implementations that the layout, design and architecture of the backend infrastructure (those servers which actually handle the requests) are insulated and protected from the outside; as far as the client is concerned, the reverse proxy server is the sole source of all content.

A typical implementation is shown below:
[Image: typical reverse proxy implementation]

Reverse Proxy

| Related Modules | Related Directives |
|---|---|
| mod_proxy | ProxyPass |
| mod_proxy_balancer | BalancerMember |
| mod_proxy_hcheck | |

Simple reverse proxying

The ProxyPass directive specifies the mapping of incoming requests to the backend server (or a cluster of servers known as a Balancer group). The simplest example proxies all requests (“/”) to a single backend:

ProxyPass "/"  "http://www.example.com/"

To ensure that Location: headers generated from the backend are modified to point to the reverse proxy, instead of back to itself, the ProxyPassReverse directive is most often required:

ProxyPass "/"  "http://www.example.com/"
ProxyPassReverse "/"  "http://www.example.com/"

Only specific URIs can be proxied, as shown in this example:

ProxyPass "/images"  "http://www.example.com/"
ProxyPassReverse "/images"  "http://www.example.com/"

In the above, any requests which start with the /images path will be proxied to the specified backend; otherwise they will be handled locally.

Clusters and Balancers

As useful as the above is, it still has a deficiency: should the (single) backend node go down, or become heavily loaded, proxying those requests provides no real advantage. What is needed is the ability to define a set or group of backend servers which can handle such requests and for the reverse proxy to load balance and failover among them. This group is sometimes called a cluster but Apache httpd’s term is a balancer. One defines a balancer by leveraging the <Proxy> and BalancerMember directives as shown:

<Proxy balancer://myset>
    BalancerMember http://www2.example.com:8080
    BalancerMember http://www3.example.com:8080
    ProxySet lbmethod=bytraffic
</Proxy>

ProxyPass "/images/"  "balancer://myset/"
ProxyPassReverse "/images/"  "balancer://myset/"

The balancer:// scheme is what tells httpd that we are creating a balancer set, with the name myset. It includes 2 backend servers, which httpd calls BalancerMembers. In this case, any requests for /images will be proxied to one of the 2 backends. The ProxySet directive specifies that the myset Balancer use a load balancing algorithm that balances based on I/O bytes.

Hint: BalancerMembers are also sometimes referred to as workers.

Balancer and BalancerMember configuration

You can adjust numerous configuration details of the balancers and the workers via the various parameters defined in ProxyPass. For example, assuming we would want http://www3.example.com:8080 to handle 3x the traffic with a timeout of 1 second, we would adjust the configuration as follows:

<Proxy balancer://myset>
    BalancerMember http://www2.example.com:8080
    BalancerMember http://www3.example.com:8080 loadfactor=3 timeout=1
    ProxySet lbmethod=bytraffic
</Proxy>

ProxyPass "/images"  "balancer://myset/"
ProxyPassReverse "/images"  "balancer://myset/"

Failover

You can also fine-tune various failover scenarios, detailing which workers and even which balancers should be accessed in such cases. For example, the below setup implements three failover cases:

  1. http://spare1.example.com:8080 and http://spare2.example.com:8080 are only sent traffic if one or both of http://www2.example.com:8080 or http://www3.example.com:8080 is unavailable. (One spare will be used to replace one unusable member of the same balancer set.)

  2. http://hstandby.example.com:8080 is only sent traffic if all other workers in balancer set 0 are not available.

  3. If all load balancer set 0 workers, spares, and the standby are unavailable, only then will the http://bkup1.example.com:8080 and http://bkup2.example.com:8080 workers from balancer set 1 be brought into rotation.
    Thus, it is possible to have one or more hot spares and hot standbys for each load balancer set.

<Proxy balancer://myset>
    BalancerMember http://www2.example.com:8080
    BalancerMember http://www3.example.com:8080 loadfactor=3 timeout=1
    BalancerMember http://spare1.example.com:8080 status=+R
    BalancerMember http://spare2.example.com:8080 status=+R
    BalancerMember http://hstandby.example.com:8080 status=+H
    BalancerMember http://bkup1.example.com:8080 lbset=1
    BalancerMember http://bkup2.example.com:8080 lbset=1
    ProxySet lbmethod=byrequests
</Proxy>

ProxyPass "/images/"  "balancer://myset/"
ProxyPassReverse "/images/"  "balancer://myset/"

For failover, hot spares are used as replacements for unusable workers in the same load balancer set. A worker is considered unusable if it is draining, stopped, or otherwise in an error/failed state. Hot standbys are used if all workers and spares in the load balancer set are unavailable. Load balancer sets (with their respective hot spares and standbys) are always tried in order from lowest to highest.
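
The failover rules above, worked through as a small Python model (an added example, not httpd's own code and not part of the original guide). `Worker`, `eligible()` and `myset()` are hypothetical names; treating flags D, S, E, N and C as unusable is an assumption based on the status flag table, and the I (ignore-errors) flag is not modelled.

```python
from dataclasses import dataclass

DOWN = set("DSENC")  # disabled, stopped, error, draining, failed health check

@dataclass
class Worker:
    name: str
    lbset: int = 0
    flags: str = ""  # status letters from the flag table: "R" spare, "H" standby, ...

    def usable(self):
        return not (set(self.flags) & DOWN)

def eligible(workers):
    """Names of the workers that may receive traffic under the rules above."""
    for lbset in sorted({w.lbset for w in workers}):      # lowest set first
        members = [w for w in workers if w.lbset == lbset]
        regular = [w for w in members if not set(w.flags) & set("RH")]
        up = [w for w in regular if w.usable()]
        spares = [w for w in members if "R" in w.flags and w.usable()]
        standbys = [w for w in members if "H" in w.flags and w.usable()]
        # One usable spare stands in for each unusable regular member.
        chosen = up + spares[:len(regular) - len(up)]
        if not chosen:
            chosen = standbys        # standby only when nothing else is left
        if chosen:
            return [w.name for w in chosen]
    return []                        # every set exhausted

def myset(down=()):
    """The balancer from the configuration above; hosts in `down` get flag E."""
    layout = [("www2", 0, ""), ("www3", 0, ""), ("spare1", 0, "R"), ("spare2", 0, "R"),
              ("hstandby", 0, "H"), ("bkup1", 1, ""), ("bkup2", 1, "")]
    return [Worker(n, s, f + ("E" if n in down else "")) for n, s, f in layout]

if __name__ == "__main__":
    for down in [(), ("www2",), ("www2", "www3"),
                 ("www2", "www3", "spare1", "spare2"),
                 ("www2", "www3", "spare1", "spare2", "hstandby")]:
        print(f"down={list(down)} -> {eligible(myset(down))}")
```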

Balancer Manager

One of the most unique and useful features of Apache httpd’s reverse proxy is the embedded balancer-manager application. Similar to mod_status, balancer-manager displays the current working configuration and status of the enabled balancers and workers currently in use. However, not only does it display these parameters, it also allows for dynamic, runtime, on-the-fly reconfiguration of almost all of them, including adding new BalancerMembers (workers) to an existing balancer. To enable this capability, the following needs to be added to your configuration:

<Location "/balancer-manager">
    SetHandler balancer-manager
    Require host localhost
</Location>

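Warning: Do not enable the balancer-manager until you have secured your server. In particular, ensure that access to the URL is tightly restricted.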
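
One way to check a configuration for the exposure the warning describes: the added Python sketch below (not from the Apache documentation) scans configuration text for containers that enable balancer-manager and reports how each one is restricted. The `audit()` function, its verdict strings and the sample configuration are constructed for illustration; it only looks at `Require` lines directly inside each `<Location>` block.

```python
import re

# Matches <Location ...> / <LocationMatch ...> containers and captures their body.
BLOCK = re.compile(r"<(Location|LocationMatch)\s+([^>]+)>(.*?)</\1>", re.S | re.I)

def audit(conf):
    """Return (path, verdict) for every container that enables balancer-manager."""
    results = []
    for _, path, body in BLOCK.findall(conf):
        lines = [l.strip() for l in body.splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        if not any(re.fullmatch(r'SetHandler\s+"?balancer-manager"?', l, re.I) for l in lines):
            continue
        # Text after "Require", whitespace-normalised and lower-cased.
        requires = [" ".join(l.split()[1:]).lower() for l in lines if re.match(r"Require\s", l, re.I)]
        if not requires:
            verdict = "OPEN? no Require here; access depends on inherited configuration"
        elif "all granted" in requires:
            verdict = "OPEN: Require all granted"
        elif any(r.startswith("host ") for r in requires):
            verdict = "REVIEW: hostname rule depends on DNS lookups of the client address"
        else:
            verdict = "RESTRICTED: " + "; ".join(requires)
        results.append((path.strip().strip('"'), verdict))
    return results

# Constructed sample configuration (not taken from a real server).
SAMPLE = '''
<Location "/balancer-manager">
    SetHandler balancer-manager
    Require host localhost
</Location>
<Location "/bm-open">
    SetHandler balancer-manager
    Require all granted
</Location>
<Location "/bm-bare">
    SetHandler balancer-manager
</Location>
<Location "/bm-ip">
    SetHandler balancer-manager
    Require ip 192.0.2.10
</Location>
<Location "/images">
    Require all granted
</Location>
'''

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE):
        print(f"{path:20} {verdict}")
```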

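When the reverse proxy server is accessed at that URL (e.g. http://rproxy.example.com/balancer-manager/), you will see a page similar to the following:
[Image: balancer-manager overview page]

This form allows the devops admin to adjust various parameters, take workers offline, change load balancing methods and add new workers. For example, clicking on the balancer itself, you will get the following page:
[Image: balancer settings page]

Whereas clicking on a worker displays this page:
[Image: worker settings page]

To have these changes persist across restarts of the reverse proxy, ensure that BalancerPersist is enabled.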

Dynamic Health Checks

Before httpd proxies a request to a worker, it can “test” if that worker is available via setting the ping parameter for that worker using ProxyPass. Oftentimes it is more useful to check the health of the workers out of band, in a dynamic fashion. This is achieved in Apache httpd by the mod_proxy_hcheck module.

BalancerMember status flags

In the balancer-manager the current state, or status, of a worker is displayed and can be set/reset. The meanings of these statuses are as follows:

| Flag | String | Description |
|---|---|---|
| | Ok | Worker is available |
| | Init | Worker has been initialized |
| D | Dis | Worker is disabled and will not accept any requests; will be automatically retried. |
| S | Stop | Worker is administratively stopped; will not accept requests and will not be automatically retried |
| I | Ign | Worker is in ignore-errors mode and will always be considered available. |
| R | Spar | Worker is a hot spare. For each worker in a given lbset that is unusable (draining, stopped, in error, etc.), a usable hot spare with the same lbset will be used in its place. Hot spares can help ensure that a specific number of workers are always available for use by a balancer. |
| H | Stby | Worker is in hot-standby mode and will only be used if no other viable workers or spares are available in the balancer set. |
| E | Err | Worker is in an error state, usually due to failing pre-request check; requests will not be proxied to this worker, but it will be retried depending on the retry setting of the worker. |
| N | Drn | Worker is in drain mode and will only accept existing sticky sessions destined for itself and ignore all other requests. |
| C | HcFl | Worker has failed dynamic health check and will not be used until it passes subsequent health checks. |

Reposted from blog.csdn.net/u013725455/article/details/80852988