Load balancing Docker Swarm with HAProxy

I have a Docker Swarm cluster on AWS that I am trying to load balance with HAProxy. My setup, which sits behind a VPC, looks similar to this:

    haproxy_server        10.10.0.10
    docker_swarm_master1  10.10.0.12
    docker_swarm_master2  10.10.0.13
    docker_swarm_worker3  10.10.0.14

My only Tomcat container is currently on master_1, and below is my current HAProxy config file:

    global
        log 127.0.0.1 local0
        log 127.0.0.1 local0 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
        maxconn 2000

    frontend servers
        bind *:80
        bind *:8443 ssl crt /etc/haproxy/certs/ssl.pem
        default_backend hosts

    backend hosts
        mode http
        balance roundrobin
        option httpchk OPTIONS /
        option forwardfor
        option http-server-close
        server swarm 10.10.0.12:8443 check inter 5000

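When I run the following from the HAProxy server, I can see the index.html page in the webapps directory:

    curl -k https://10.10.0.12:8443/docs/index.html

However, when I try the curl command below, I get a 503 Service Unavailable error:

    curl -k https://10.10.0.10:8443/docs/index.html

Does anyone know what I am doing wrong? I have spent half a day on this to no avail.

Edit: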

    curl -XOPTIONS -vk https://10.10.0.10:8443/docs/index.html
    * Trying 10.10.0.10...
    * Connected to 10.10.0.10 (10.10.0.10) port 8443 (#0)
    * found 173 certificates in /etc/ssl/certs/ca-certificates.crt
    * found 692 certificates in /etc/ssl/certs
    * ALPN, offering http/1.1
    * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
    * server certificate verification SKIPPED
    * server certificate status verification SKIPPED
    * common name: *.secreturl.com (does not match '10.10.0.10')
    * server certificate expiration date OK
    * server certificate activation date OK
    * certificate public key: RSA
    * certificate version: #3
    * subject: OU=Domain Control Validated,CN=*.secreturl.com
    * start date: Sat, 27 Jun 2016 16:39:39 GMT
    * expire date: Tue, 11 Jun 2020 18:09:38 GMT
    * issuer: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certs.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2
    * compression: NULL
    * ALPN, server did not agree to a protocol
    > OPTIONS / HTTP/1.1
    > Host: 10.10.0.10:8443
    > User-Agent: curl/7.47.0
    > Accept: */*
    >
    * HTTP 1.0, assume close after body
    < HTTP/1.0 503 Service Unavailable
    < Cache-Control: no-cache
    < Connection: close
    < Content-Type: text/html
    <
    <html><body><h1>503 Service Unavailable</h1>
    No server is available to handle this request.
    </body></html>
    * Closing connection 0

    curl -XOPTIONS -vk https://10.10.0.12:8443/docs/index.html
    * Trying 10.10.0.12...
    * Connected to 10.10.0.12 (10.10.0.12) port 8443 (#0)
    * found 173 certificates in /etc/ssl/certs/ca-certificates.crt
    * found 692 certificates in /etc/ssl/certs
    * ALPN, offering http/1.1
    * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
    * server certificate verification SKIPPED
    * server certificate status verification SKIPPED
    * common name: *.secreturl.com (does not match '10.10.0.10')
    * server certificate expiration date OK
    * server certificate activation date OK
    * certificate public key: RSA
    * certificate version: #3
    * subject: OU=Domain Control Validated,CN=*.secreturl.com
    * start date: Sat, 27 Jun 2016 16:39:39 GMT
    * expire date: Tue, 11 Jun 2020 18:09:38 GMT
    * issuer: C=US,ST=Arizona,L=Scottsdale,O=GoDaddy.com\, Inc.,OU=http://certs.godaddy.com/repository/,CN=Go Daddy Secure Certificate Authority - G2
    * compression: NULL
    * ALPN, server did not agree to a protocol
    > OPTIONS / HTTP/1.1
    > Host: 10.10.0.12:8443
    > User-Agent: curl/7.47.0
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Server: Apache-Coyote/1.1
    < Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
    < Content-Length: 0
    < Date: Sat, 24 Dec 2016 18:39:27 GMT
    <
    * Connection #0 to host 10.10.0.12 left intact

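If you get 503 Service Not Available, then your health check is failing.

From your configuration, HAProxy will use OPTIONS http://10.10.0.12:8443/, which will fail: your backend accepts HTTPS connections. To fix this, tell HAProxy to use HTTPS:

    server swarm 10.10.0.12:8443 check inter 5000 ssl verify none

Note: you can enable the stats page: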

    listen haproxy_admin
        bind 127.0.0.1:22002
        mode http
        stats enable
        stats uri /

This should help you debug further problems.

Edit:

The stats page shows L7STS/404, which is the HTTP code HAProxy gets. While you are testing https://10.10.0.12:8443/docs/index.html, HAProxy currently checks https://10.10.0.12:8443/docs/index.html. Maybe you should use this URL in your check:

    option httpchk OPTIONS /docs/index.html
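
The `ssl verify none` line from the answer encrypts the HAProxy-to-Tomcat leg but skips certificate validation. The fragment below is an added example, not part of the original question or answer, showing that line beside a verified variant. It assumes the CA bundle path that curl reports above can validate the backend's chain, and `tomcat.secreturl.com` is a placeholder hostname assumed to be covered by the backend's `*.secreturl.com` certificate.

```haproxy
# Added example (not from the original post): backend section with the
# health-check path from the answer and a verified TLS connection to Tomcat.
backend hosts
    mode http
    balance roundrobin
    # Check a path that Tomcat actually serves, as suggested in the answer.
    option httpchk OPTIONS /docs/index.html
    option forwardfor
    option http-server-close

    # As posted in the answer: traffic to the backend is encrypted, but
    # "verify none" accepts any certificate, so HAProxy cannot tell the
    # intended Tomcat from another host answering on 10.10.0.12:8443.
    # server swarm 10.10.0.12:8443 check inter 5000 ssl verify none

    # Verified variant:
    #   verify required  - abort the handshake unless the chain validates
    #   ca-file          - trust anchors used for validation (assumed path,
    #                      taken from the curl output in the question)
    #   verifyhost       - name that must match the certificate's subject or
    #                      subjectAltName; needed because the server is
    #                      addressed by IP. Only takes effect together with
    #                      "verify required". Placeholder hostname.
    server swarm 10.10.0.12:8443 check inter 5000 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost tomcat.secreturl.com
```

Because the server line carries `ssl`, the health check also runs over TLS, so a certificate that no longer validates marks the server down on the stats page rather than passing unnoticed.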