HAProxy official documentation translated (Chapter 3): global parameters (part 1), with the English original

3. Global parameters

Parameters in the "global" section are process-wide and often OS-specific. They are generally set once and for all and do not need to be changed once they are correct. Some of them have command-line equivalents.

The following keywords are supported in the "global" section:

* Process management and security
- ca-base
- chroot
- crt-base
- cpu-map
- daemon
- description
- deviceatlas-json-file
- deviceatlas-log-level
- deviceatlas-separator
- deviceatlas-properties-cookie
- external-check
- gid
- group
- hard-stop-after
- log
- log-tag
- log-send-hostname
- lua-load
- nbproc
- nbthread
- node
- pidfile
- presetenv
- resetenv
- uid
- ulimit-n
- user
- setenv
- stats
- ssl-default-bind-ciphers
- ssl-default-bind-ciphersuites
- ssl-default-bind-options
- ssl-default-server-ciphers
- ssl-default-server-ciphersuites
- ssl-default-server-options
- ssl-dh-param-file
- ssl-server-verify
- unix-bind
- unsetenv
- 51degrees-data-file
- 51degrees-property-name-list
- 51degrees-property-separator
- 51degrees-cache-size
- wurfl-data-file
- wurfl-information-list
- wurfl-information-list-separator
- wurfl-engine-mode
- wurfl-cache-size
- wurfl-useragent-priority

* Performance tuning

- max-spread-checks
- maxconn
- maxconnrate
- maxcomprate
- maxcompcpuusage
- maxpipes
- maxsessrate
- maxsslconn
- maxsslrate
- maxzlibmem
- noepoll
- nokqueue
- nopoll
- nosplice
- nogetaddrinfo
- noreuseport
- profiling.tasks
- spread-checks
- server-state-base
- server-state-file
- ssl-engine
- ssl-mode-async
- tune.buffers.limit
- tune.buffers.reserve
- tune.bufsize
- tune.chksize
- tune.comp.maxlevel
- tune.h2.header-table-size
- tune.h2.initial-window-size
- tune.h2.max-concurrent-streams
- tune.http.cookielen
- tune.http.logurilen
- tune.http.maxhdr
- tune.idletimer
- tune.lua.forced-yield
- tune.lua.maxmem
- tune.lua.session-timeout
- tune.lua.task-timeout
- tune.lua.service-timeout
- tune.maxaccept
- tune.maxpollevents
- tune.maxrewrite
- tune.pattern.cache-size
- tune.pipesize
- tune.rcvbuf.client
- tune.rcvbuf.server
- tune.recv_enough
- tune.runqueue-depth
- tune.sndbuf.client
- tune.sndbuf.server
- tune.ssl.cachesize
- tune.ssl.lifetime
- tune.ssl.force-private-cache
- tune.ssl.maxrecord
- tune.ssl.default-dh-param
- tune.ssl.ssl-ctx-cache-size
- tune.ssl.capture-cipherlist-size
- tune.vars.global-max-size
- tune.vars.proc-max-size
- tune.vars.reqres-max-size
- tune.vars.sess-max-size
- tune.vars.txn-max-size
- tune.zlib.memlevel
- tune.zlib.windowsize

* Debugging

- debug
- quiet

3.1 Process management and security

ca-base <dir>

Assigns a default directory from which SSL CA certificates and CRLs (certificate revocation lists) are fetched when a relative path is used with the "ca-file" or "crl-file" directives. Absolute locations given in "ca-file" and "crl-file" prevail and ignore "ca-base".

chroot <jail dir>

Changes the current directory to <jail dir> and performs a chroot() there before dropping privileges. This raises the security level in case an unknown vulnerability is exploited, since it makes it very hard for the attacker to reach the rest of the system. This only works when the process is started with superuser privileges. It is important to make sure that <jail_dir> is both empty and not writable by anyone.

cpu-map [auto:]<process-set>[/<thread-set>] <cpu-set>...

On Linux 2.6 and above, a process or a thread can be bound to a specific CPU set, which means it will never run on other CPUs. The "cpu-map" directive specifies CPU sets for process or thread sets. The first argument is a process set, optionally followed by a thread set. These sets have the format:

all | odd | even | number[-[number]]

<number> must be between 1 and 32 or 64, depending on the machine's word size. Process IDs above nbproc and thread IDs above nbthread are ignored. A range can be written as two such numbers separated by a dash ('-'). All processes can be selected at once with "all", only the odd-numbered ones with "odd" and only the even-numbered ones with "even", just as with the "bind-process" directive. The second and following arguments are CPU sets. Each CPU set is either a single number between 0 and 31 or 63, or a range of two such numbers separated by a dash ('-'). Several CPU numbers or ranges may be given, and the processes or threads will be allowed to run on all of them. Naturally, several "cpu-map" directives may be specified; each one replaces the earlier ones where they overlap. A thread is bound to the intersection of its own mapping and that of the process it belongs to. If that intersection is empty, no specific binding is set for the thread.


Ranges can be partially defined: the upper bound may be omitted, in which case it is replaced by the corresponding maximum, 32 or 64 depending on the machine's word size.

The prefix "auto:" can be placed before the process set to let HAProxy bind processes or threads to CPUs one by one, stepping through the process/thread set and the CPU set together. To be valid, both sets must have the same size. Whatever order the CPU sets are declared in, binding proceeds from the lowest number to the highest. Using "auto:" with both a process range and a thread range is not supported: only one of them may be a range, the other must be a fixed number.

Examples:
cpu-map 1-4 0-3 # bind processes 1 to 4 on the first 4 CPUs

cpu-map 1/all 0-3 # bind all threads of the first process on the first 4 CPUs

cpu-map 1- 0- # will be replaced by "cpu-map 1-64 0-63"
# or "cpu-map 1-32 0-31" depending on the machine's word size

# all these lines bind process 1 to cpu 0, process 2 to cpu 1, and so on.
cpu-map auto:1-4 0-3
cpu-map auto:1-4 0-1 2-3
cpu-map auto:1-4 3 2 1 0

# all these lines bind thread 1 to cpu 0, thread 2 to cpu 1, and so on
cpu-map auto:1/1-4 0-3
cpu-map auto:1/1-4 0-1 2-3
cpu-map auto:1/1-4 3 2 1 0

# bind each process to exactly one CPU using the all/odd/even keywords
cpu-map auto:all 0-63
cpu-map auto:even 0-31
cpu-map auto:odd 32-63

# invalid cpu-map because the process set and the CPU set have different sizes
cpu-map auto:1-4 0 # invalid
cpu-map auto:1 0-3 # invalid

# invalid cpu-map because automatic binding is used with both a process range
# and a thread range.
cpu-map auto:all/all 0 # invalid
cpu-map auto:all/1-4 0 # invalid
cpu-map auto:1-4/all 0 # invalid
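The set grammar and the "auto:" rules above are easy to get wrong by hand, so here is a small model of them, added as an example and not taken from HAProxy's source. It expands a single "cpu-map" directive into the CPUs each process or thread may run on, applies the nbproc/nbthread cut-off, and rejects the two invalid "auto:" forms listed in the examples. It assumes a 64-bit host (IDs 1..64, CPUs 0..63) and models one directive at a time; the replacement of overlapping earlier directives and the thread/process intersection rule are not modelled.

```python
"""Model of HAProxy's "cpu-map" set grammar and "auto:" binding rule.

Added example, not HAProxy code. It re-implements the rules stated in the
manual so a directive can be checked before the configuration is loaded.
Assumption: a 64-bit host, so process/thread IDs run 1..64 and CPUs 0..63.
"""
from typing import Dict, Optional, Set, Tuple

WORD_SIZE = 64              # assumption: 64-bit machine
MAX_ID = WORD_SIZE          # highest process or thread id ("1-" means 1..64)
MAX_CPU = WORD_SIZE - 1     # highest cpu number ("0-" means 0..63)

Binding = Dict[Tuple[int, Optional[int]], Set[int]]


def parse_set(token: str, low: int, high: int) -> Set[int]:
    """Parse one 'all | odd | even | number[-[number]]' token into a set."""
    if token == "all":
        return set(range(low, high + 1))
    if token == "odd":
        return {n for n in range(low, high + 1) if n % 2 == 1}
    if token == "even":
        return {n for n in range(low, high + 1) if n % 2 == 0}
    if "-" in token:
        first, last = token.split("-", 1)
        start = int(first)
        end = int(last) if last else high      # omitted upper bound -> maximum
    else:
        start = end = int(token)
    if not (low <= start <= end <= high):
        raise ValueError(f"{token!r} is not within {low}..{high}")
    return set(range(start, end + 1))


def is_range(token: str) -> bool:
    """True when the token denotes a range rather than one fixed number."""
    return token in ("all", "odd", "even") or "-" in token


def expand_cpu_map(line: str, nbproc: int = MAX_ID, nbthread: int = MAX_ID) -> Binding:
    """Expand one directive into {(process, thread or None): allowed cpus}.

    Raises ValueError for the invalid "auto:" forms the manual lists: a
    process/thread set whose size differs from the CPU set, or a range on
    both the process set and the thread set.
    """
    fields = line.split()
    if len(fields) < 3 or fields[0] != "cpu-map":
        raise ValueError("expected: cpu-map [auto:]<process-set>[/<thread-set>] <cpu-set>...")
    target, cpu_tokens = fields[1], fields[2:]
    auto = target.startswith("auto:")
    if auto:
        target = target[len("auto:"):]
    proc_tok, _, thr_tok = target.partition("/")

    procs = parse_set(proc_tok, 1, MAX_ID)
    threads = parse_set(thr_tok, 1, MAX_ID) if thr_tok else None
    cpus: Set[int] = set()
    for tok in cpu_tokens:                      # several CPU sets are unioned
        cpus |= parse_set(tok, 0, MAX_CPU)

    pairs: Dict[int, int] = {}
    thread_moves = bool(thr_tok) and is_range(thr_tok)
    if auto:
        if is_range(proc_tok) and thread_moves:
            raise ValueError("auto: needs a fixed number on one side, got two ranges")
        moving = threads if thread_moves else procs
        if len(moving) != len(cpus):
            raise ValueError(f"auto: {len(moving)} ids but {len(cpus)} cpus")
        # Pair ids with CPUs lowest-to-highest, whatever order they were declared in.
        pairs = dict(zip(sorted(moving), sorted(cpus)))

    binding: Binding = {}
    for p in sorted(procs):
        if p > nbproc:                          # ids above nbproc are ignored
            continue
        if threads is None:
            binding[(p, None)] = {pairs[p]} if auto else set(cpus)
            continue
        for t in sorted(threads):
            if t > nbthread:                    # ids above nbthread are ignored
                continue
            if auto:
                binding[(p, t)] = {pairs[t] if thread_moves else pairs[p]}
            else:
                binding[(p, t)] = set(cpus)
    return binding


def is_valid_cpu_map(line: str) -> bool:
    """True when the directive parses and passes the "auto:" validity rules."""
    try:
        expand_cpu_map(line)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for example in ("cpu-map 1-4 0-3", "cpu-map auto:1/1-4 3 2 1 0",
                    "cpu-map auto:1-4 0", "cpu-map auto:all/all 0"):
        if is_valid_cpu_map(example):
            print(example, "->", expand_cpu_map(example))
        else:
            print(example, "-> invalid")
```

Feeding the manual's own examples through expand_cpu_map reproduces the stated results: the three "auto:1-4" variants all yield process 1 on cpu 0 through process 4 on cpu 3, and the five lines marked invalid are rejected.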

crt-base <dir>

Assigns a default directory from which SSL certificates are fetched when a relative path is used with "crtfile" directives. Absolute locations given after "crtfile" prevail and ignore "crt-base".

daemon

Makes the process fork into the background. This is the recommended mode of operation and is equivalent to the "-D" command-line argument. It can be disabled with the "-db" command-line argument. This option is ignored in systemd mode.

deviceatlas-json-file <path>

Sets the path of the DeviceAtlas JSON data file to be loaded by the API. The path must point to a valid JSON data file that is accessible to the HAProxy process.

deviceatlas-log-level <value>

Sets the level of information returned by the API. This directive is optional; the default is 0.

deviceatlas-separator <char>

Sets the character separator for the API property results. This directive is optional; the default is |.

deviceatlas-properties-cookie <name>

Sets the name of the client cookie used to detect whether the DeviceAtlas client-side component was used during the request. This directive is optional; the default is DAPROPS.

external-check

Allows the use of an external agent to perform health checks. This is disabled by default as a security precaution. See "option external-check".

gid <number>

Changes the process' group ID to <number>. It is recommended that this group ID be dedicated to HAProxy or to a small set of similar daemons. HAProxy must be started by a user belonging to this group, or with superuser privileges. Note that if haproxy is started by a user who has supplementary groups, it can only drop those groups if it was started with superuser privileges.
See also "group" and "uid".

hard-stop-after <time>

Defines the maximum time allowed to perform a clean soft-stop.

Arguments:
<time> is the maximum time (in milliseconds by default) for which the instance will remain alive after a soft-stop is requested via the SIGUSR1 signal.

This may be used to ensure that the instance quits even if connections remain open during a soft-stop (for example with long timeouts for a proxy in tcp mode). It applies in both TCP and HTTP mode.

Example:
global
hard-stop-after 30s

group <group name>

Similar to "gid", but uses the GID of <group name> from /etc/group instead of a numeric GID. See also "gid" and "user".

To be continued: this chapter is long and will be split over several posts.

------------------------------ The English original follows -------------------------------

Parameters in the "global" section are process-wide and often OS-specific. They
are generally set once for all and do not need being changed once correct. Some
of them have command-line equivalents.

The following keywords are supported in the "global" section :

 * Process management and security
   - ca-base
   - chroot
   - crt-base
   - cpu-map
   - daemon
   - description
   - deviceatlas-json-file
   - deviceatlas-log-level
   - deviceatlas-separator
   - deviceatlas-properties-cookie
   - external-check
   - gid
   - group
   - hard-stop-after
   - log
   - log-tag
   - log-send-hostname
   - lua-load
   - nbproc
   - nbthread
   - node
   - pidfile
   - presetenv
   - resetenv
   - uid
   - ulimit-n
   - user
   - setenv
   - stats
   - ssl-default-bind-ciphers
   - ssl-default-bind-ciphersuites
   - ssl-default-bind-options
   - ssl-default-server-ciphers
   - ssl-default-server-ciphersuites
   - ssl-default-server-options
   - ssl-dh-param-file
   - ssl-server-verify
   - unix-bind
   - unsetenv
   - 51degrees-data-file
   - 51degrees-property-name-list
   - 51degrees-property-separator
   - 51degrees-cache-size
   - wurfl-data-file
   - wurfl-information-list
   - wurfl-information-list-separator
   - wurfl-engine-mode
   - wurfl-cache-size
   - wurfl-useragent-priority

 * Performance tuning
   - max-spread-checks
   - maxconn
   - maxconnrate
   - maxcomprate
   - maxcompcpuusage
   - maxpipes
   - maxsessrate
   - maxsslconn
   - maxsslrate
   - maxzlibmem
   - noepoll
   - nokqueue
   - nopoll
   - nosplice
   - nogetaddrinfo
   - noreuseport
   - profiling.tasks
   - spread-checks
   - server-state-base
   - server-state-file
   - ssl-engine
   - ssl-mode-async
   - tune.buffers.limit
   - tune.buffers.reserve
   - tune.bufsize
   - tune.chksize
   - tune.comp.maxlevel
   - tune.h2.header-table-size
   - tune.h2.initial-window-size
   - tune.h2.max-concurrent-streams
   - tune.http.cookielen
   - tune.http.logurilen
   - tune.http.maxhdr
   - tune.idletimer
   - tune.lua.forced-yield
   - tune.lua.maxmem
   - tune.lua.session-timeout
   - tune.lua.task-timeout
   - tune.lua.service-timeout
   - tune.maxaccept
   - tune.maxpollevents
   - tune.maxrewrite
   - tune.pattern.cache-size
   - tune.pipesize
   - tune.rcvbuf.client
   - tune.rcvbuf.server
   - tune.recv_enough
   - tune.runqueue-depth
   - tune.sndbuf.client
   - tune.sndbuf.server
   - tune.ssl.cachesize
   - tune.ssl.lifetime
   - tune.ssl.force-private-cache
   - tune.ssl.maxrecord
   - tune.ssl.default-dh-param
   - tune.ssl.ssl-ctx-cache-size
   - tune.ssl.capture-cipherlist-size
   - tune.vars.global-max-size
   - tune.vars.proc-max-size
   - tune.vars.reqres-max-size
   - tune.vars.sess-max-size
   - tune.vars.txn-max-size
   - tune.zlib.memlevel
   - tune.zlib.windowsize

 * Debugging
   - debug
   - quiet

3.1. Process management and security

ca-base <dir>
Assigns a default directory to fetch SSL CA certificates and CRLs from when a
relative path is used with "ca-file" or "crl-file" directives. Absolute locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base". 
chroot <jail dir>
Changes current directory to <jail dir> and performs a chroot() there before
dropping privileges. This increases the security level in case an unknown
vulnerability would be exploited, since it would make it very hard for the
attacker to exploit the system. This only works when the process is started
with superuser privileges. It is important to ensure that <jail_dir> is both
empty and non-writable to anyone.
cpu-map [auto:]<process-set>[/<thread-set>] <cpu-set>...
On Linux 2.6 and above, it is possible to bind a process or a thread to a
specific CPU set. This means that the process or the thread will never run on
other CPUs. The "cpu-map" directive specifies CPU sets for process or thread
sets. The first argument is a process set, eventually followed by a thread
set. These sets have the format

    all | odd | even | number[-[number]]

<number> must be a number between 1 and 32 or 64, depending on the machine's
word size. Any process IDs above nbproc and any thread IDs above nbthread are
ignored. It is possible to specify a range with two such number delimited by
a dash ('-'). It also is possible to specify all processes at once using
"all", only odd numbers using "odd" or even numbers using "even", just like
with the "bind-process" directive. The second and forthcoming arguments are
CPU sets. Each CPU set is either a unique number between 0 and 31 or 63 or a
range with two such numbers delimited by a dash ('-'). Multiple CPU numbers
or ranges may be specified, and the processes or threads will be allowed to
bind to all of them. Obviously, multiple "cpu-map" directives may be
specified. Each "cpu-map" directive will replace the previous ones when they
overlap. A thread will be bound on the intersection of its mapping and the
one of the process on which it is attached. If the intersection is null, no
specific binding will be set for the thread.

Ranges can be partially defined. The higher bound can be omitted. In such
case, it is replaced by the corresponding maximum value, 32 or 64 depending
on the machine's word size.

The prefix "auto:" can be added before the process set to let HAProxy
automatically bind a process or a thread to a CPU by incrementing
process/thread and CPU sets. To be valid, both sets must have the same
size. No matter the declaration order of the CPU sets, it will be bound from
the lowest to the highest bound. Having a process and a thread range with the
"auto:" prefix is not supported. Only one range is supported, the other one
must be a fixed number.
Examples:
  cpu-map 1-4 0-3   # bind processes 1 to 4 on the first 4 CPUs
  cpu-map 1/all 0-3 # bind all threads of the first process on the
                    # first 4 CPUs
  cpu-map 1- 0-     # will be replaced by "cpu-map 1-64 0-63"
                    # or "cpu-map 1-32 0-31" depending on the machine's
                    # word size.

  # all these lines bind the process 1 to the cpu 0, the process 2 to cpu 1
  # and so on.
  cpu-map auto:1-4 0-3
  cpu-map auto:1-4 0-1 2-3
  cpu-map auto:1-4 3 2 1 0

  # all these lines bind the thread 1 to the cpu 0, the thread 2 to cpu 1
  # and so on.
  cpu-map auto:1/1-4 0-3
  cpu-map auto:1/1-4 0-1 2-3
  cpu-map auto:1/1-4 3 2 1 0

  # bind each process to exactly one CPU using all/odd/even keyword
  cpu-map auto:all 0-63
  cpu-map auto:even 0-31
  cpu-map auto:odd 32-63

  # invalid cpu-map because process and CPU sets have different sizes.
  cpu-map auto:1-4 0    # invalid
  cpu-map auto:1 0-3    # invalid

  # invalid cpu-map because automatic binding is used with a process range
  # and a thread range.
  cpu-map auto:all/all 0  # invalid
  cpu-map auto:all/1-4 0  # invalid
  cpu-map auto:1-4/all 0  # invalid
crt-base <dir>
Assigns a default directory to fetch SSL certificates from when a relative
path is used with "crtfile" directives. Absolute locations specified after
"crtfile" prevail and ignore "crt-base".
daemon
Makes the process fork into background. This is the recommended mode of
operation. It is equivalent to the command line "-D" argument. It can be
disabled by the command line "-db" argument. This option is ignored in
systemd mode.
deviceatlas-json-file <path>
Sets the path of the DeviceAtlas JSON data file to be loaded by the API.
The path must be a valid JSON data file and accessible by HAProxy process.
deviceatlas-log-level <value>
Sets the level of information returned by the API. This directive is
optional and set to 0 by default if not set.
deviceatlas-separator <char>
Sets the character separator for the API properties results. This directive
is optional and set to | by default if not set.
deviceatlas-properties-cookie <name>
Sets the client cookie's name used for the detection if the DeviceAtlas
Client-side component was used during the request. This directive is optional
and set to DAPROPS by default if not set.
external-check
Allows the use of an external agent to perform health checks.
This is disabled by default as a security precaution.
See "option external-check".
gid <number>
Changes the process' group ID to <number>. It is recommended that the group
ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
be started with a user belonging to this group, or with superuser privileges.
Note that if haproxy is started from a user having supplementary groups, it
will only be able to drop these groups if started with superuser privileges.
See also "group" and "uid". 
hard-stop-after <time>
Defines the maximum time allowed to perform a clean soft-stop.
Arguments :
<time>  is the maximum time (by default in milliseconds) for which the
        instance will remain alive when a soft-stop is received via the
        SIGUSR1 signal.
This may be used to ensure that the instance will quit even if connections
remain opened during a soft-stop (for example with long timeouts for a proxy
in tcp mode). It applies both in TCP and HTTP mode.
Example:
global
  hard-stop-after 30s
group <group name>
Similar to "gid" but uses the GID of group name <group name> from /etc/group.
See also "gid" and "user".