# cat \/etc\/redhat-release \r\nRed Hat Enterprise Linux release 8.2 (Ootpa)\r\n#\r\n<\/code><\/pre>\n2. \u5b89\u88c5<\/h1>\nyum -y install haproxy\r\n<\/code><\/pre>\n\u6216\u8005<\/p>\n
dnf -y install haproxy\r\n<\/code><\/pre>\n\u53ea\u9700\u8981\u8fd9\u4e9b\u3002<\/p>\n
\u505a\u4f5c\u4e1a\u6240\u9700\u7684\u57fa\u672c\u547d\u4ee4\u3002<\/h1>\n
\u7531\u4e8eHA Proxy\u53ef\u4ee5\u901a\u8fc7systemctl\u8fdb\u884c\u64cd\u4f5c\uff0c\u6240\u4ee5\u57fa\u672c\u64cd\u4f5c\u51e0\u4e4e\u90fd\u53ef\u4ee5\u60f3\u8c61\u5f97\u5230\u3002
\n\u4e3a\u4e86\u5728\u5de5\u4f5c\u8fc7\u7a0b\u4e2d\u65b9\u4fbf\u590d\u5236\u7c98\u8d34\uff0c\u6211\u4eec\u5c06\u5217\u51fa\u5e38\u7528\u7684\u547d\u4ee4\u3002<\/p>\n
# \u8d77\u52d5 \r\n$ systemctl start haproxy\r\n\r\n# \u505c\u6b62\r\n$ systemctl stop haproxy\r\n\r\n# \u8a2d\u5b9a\u306e\u30ea\u30ed\u30fc\u30c9\r\n$ systemctl reload haproxy\r\n\r\n# \u30b9\u30c6\u30fc\u30bf\u30b9\u306e\u78ba\u8a8d\r\n$ systemctl status haproxy\r\n\r\n#\u81ea\u52d5\u8d77\u52d5\r\n$ systemctl enable haproxy\r\n\r\n#\u81ea\u52d5\u8d77\u52d5\u8a2d\u5b9a\u78ba\u8a8d\r\n$ systemctl is-enabled haproxy\r\n\r\n# haproxy.cfg \u306e\u66f8\u5f0f\u78ba\u8a8d (\u66f8\u3044\u305f\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u306b\u30a8\u30e9\u30fc\u304c\u7121\u3044\u304b\u78ba\u8a8d\u3059\u308b\u30b3\u30de\u30f3\u30c9\uff09\r\n$ haproxy -f \/etc\/haproxy\/haproxy.cfg -c\r\n\r\n# \u30ed\u30b0\u306e tail \r\ntail -f tail -f \/var\/log\/haproxy.log\r\n<\/code><\/pre>\n4.\u8bbe\u7f6e => \u8bbe\u5b9a<\/h1>\n![\"image.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d1f4137434c4406c19bed\/12-0.png\" "\\"\\"")
<\/div>\n\u8fd9\u4e2a\u6b65\u9aa4\u4e0d\u6d89\u53ca\u5230\u5b89\u88c5\u548c\u914d\u7f6e\u7528\u4e8e\u8f6c\u53d1\u8bf7\u6c42\u7684nginx\u3002<\/p>\n
4.1. Haproxy\u914d\u7f6e\u6587\u4ef6\u7684\u8bbe\u7f6e<\/h2>\n
\u53ea\u9700\u7f16\u8f91\/etdc\/haproxy\/haproxy.cfg\u7684\u914d\u7f6e\u3002<\/p>\n
\u5728RHEL\u4e0a\uff0c\u9ed8\u8ba4\uff08\u793a\u4f8b\uff09\u8bbe\u7f6e\u4e0b\u542f\u7528\u7684\u7aef\u53e35001\u301c5004\u7b49\uff0c\u7531\u4e8eSELinux\u4e0d\u5141\u8bb8HAProxy\u8bbf\u95ee\uff0c\u4f1a\u5bfc\u81f4\u9519\u8bef\uff0c\u6240\u4ee5\u9700\u8981\u5c06\u76f8\u5173\u90e8\u5206\u6ce8\u91ca\u6389\u3002<\/p>\n
#---------------------------------------------------------------------\r\n# Example configuration for a possible web application. See the\r\n# full configuration options online.\r\n#\r\n# https:\/\/www.haproxy.org\/download\/1.8\/doc\/configuration.txt\r\n#\r\n#---------------------------------------------------------------------\r\n<\/span>\r\n#---------------------------------------------------------------------\r\n# Global settings\r\n#---------------------------------------------------------------------\r\n<\/span>global<\/span>\r\n # to have these messages end up in \/var\/log\/haproxy.log you will\r\n<\/span> # need to:\r\n<\/span> #\r\n<\/span> # 1) configure syslog to accept network log events. This is done\r\n<\/span> # by adding the '-r' option to the SYSLOGD_OPTIONS in\r\n<\/span> # \/etc\/sysconfig\/syslog\r\n<\/span> #\r\n<\/span> # 2) configure local2 events to go to the \/var\/log\/haproxy.log\r\n<\/span> # file. A line like the following can be added to\r\n<\/span> # \/etc\/sysconfig\/syslog\r\n<\/span> #\r\n<\/span> # localdomain2.* \/var\/log\/haproxy.log\r\n<\/span> #\r\n<\/span> log<\/span> 127.0.0.1<\/span> local2<\/span>\r\n\r\n chroot<\/span> \/var\/lib\/haproxy<\/span>\r\n pidfile<\/span> \/var\/run\/haproxy.pid<\/span>\r\n maxconn<\/span> 4000<\/span>\r\n user<\/span> haproxy<\/span>\r\n group<\/span> haproxy<\/span>\r\n daemon<\/span>\r\n\r\n # turn on stats unix socket\r\n<\/span> stats<\/span> socket<\/span> \/var\/lib\/haproxy\/stats<\/span>\r\n\r\n # utilize system-wide crypto-policies\r\n<\/span> ssl-default-bind-ciphers<\/span> PROFILE<\/span>=<\/span>SYSTEM<\/span>\r\n ssl-default-server-ciphers<\/span> PROFILE<\/span>=<\/span>SYSTEM<\/span>\r\n\r\n#---------------------------------------------------------------------\r\n# common defaults that all the 'listen' and 'backend' sections will\r\n# use if not designated in their block\r\n#---------------------------------------------------------------------\r\n<\/span> defaults<\/span>\r\n mode<\/span> http<\/span>\r\n log<\/span> global<\/span>\r\n option<\/span> httplog<\/span>\r\n option<\/span> dontlognull<\/span>\r\n option<\/span> http-server-close<\/span>\r\n option<\/span> forwardfor<\/span> except<\/span> 127.0.0.0\/8<\/span>\r\n option<\/span> redispatch<\/span>\r\n retries<\/span> 3<\/span>\r\n timeout<\/span> http-request<\/span> 10s<\/span>\r\n timeout<\/span> queue<\/span> 1m<\/span>\r\n timeout<\/span> connect<\/span> 10s<\/span>\r\n timeout<\/span> client<\/span> 1m<\/span>\r\n timeout<\/span> server<\/span> 1m<\/span>\r\n timeout<\/span> http-keep-alive<\/span> 10s<\/span>\r\n timeout<\/span> check<\/span> 10s<\/span>\r\n maxconn<\/span> 3000<\/span>\r\n\r\n#---------------------------------------------------------------------\r\n# main frontend which proxys to the backends\r\n#---------------------------------------------------------------------\r\n# \u4ee5\u4e0b\u306f\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8\r\n# frontend main\r\n# bind *:5000\r\n# acl url_static path_beg -i \/static \/images \/javascript \/stylesheets\r\n# acl url_static path_end -i .jpg .gif .png .css .js\r\n<\/span>\r\n# use_backend static if url_static\r\n# default_backend app\r\n<\/span>\r\n frontend<\/span> http_80<\/span>\r\n default_backend<\/span> http_80<\/span>\r\n mode<\/span> http<\/span>\r\n bind<\/span> *:80<\/span>\r\n\r\n frontend<\/span> http_443<\/span>\r\n default_backend<\/span> http_443<\/span>\r\n mode<\/span> http<\/span>\r\n bind<\/span> *:443<\/span>\r\n\r\n#---------------------------------------------------------------------\r\n# static backend for serving up images, stylesheets and such\r\n#---------------------------------------------------------------------\r\n# backend static\r\n# balance roundrobin\r\n# server static 127.0.0.1:4331 check\r\n<\/span>\r\n#---------------------------------------------------------------------\r\n# round robin balancing between the various backends\r\n#---------------------------------------------------------------------\r\n#\u3000\u4ee5\u4e0b\u306f\u30b3\u30e1\u30f3\u30c8\u30a2\u30a6\u30c8 (SELinux \u306b\u6012\u3089\u308c\u308b)\r\n# backend app\r\n# balance roundrobin\r\n# server app1 127.0.0.1:5001 check\r\n# server app2 127.0.0.1:5002 check\r\n# server app3 127.0.0.1:5003 check\r\n# server app4 127.0.0.1:5004 check\r\n<\/span>\r\nbackend<\/span> http_80<\/span>\r\n mode<\/span> http<\/span>\r\n balance<\/span> roundrobin<\/span>\r\n server<\/span> nginx1<\/span> nginx1.example.localdomain:80<\/span> check<\/span>\r\n server<\/span> nginx2<\/span> nginx2.example.localdomain:80<\/span> check<\/span>\r\n\r\nbackend<\/span> http_443<\/span>\r\n mode<\/span> http<\/span>\r\n balance<\/span> roundrobin<\/span>\r\n server<\/span> nginx1<\/span> nginx1.example.localdomain:443<\/span> check<\/span>\r\n server<\/span> nginx2<\/span> nginx2.example.localdomain:443<\/span> check<\/span>\r\n<\/code><\/pre>\n![\"image.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d1f4137434c4406c19bed\/18-0.png\" "\\"\\"")
<\/div>\n\u8bf7\u786e\u8ba4\u683c\u5f0f\u662f\u5426\u6b63\u786e\u3002<\/h2>\n
\u56e0\u4e3a\u8bbe\u7f6e\u6587\u4ef6(\/etc\/haproxy\/haproxy.cfg)\u5f88\u957f\uff0c\u60a8\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u6765\u68c0\u67e5\u8bed\u6cd5\u9519\u8bef\u3002<\/p>\n
# haproxy.cfg \u306e\u66f8\u5f0f\u306e\u78ba\u8a8d\uff08\u30a8\u30e9\u30fc\u304c\u3042\u3063\u305f\u5834\u5408\uff09\r\n$ haproxy -f \/etc\/haproxy\/haproxy.cfg -c\r\n[WARNING] 226\/115610 (34205) : parsing [\/etc\/haproxy\/haproxy.cfg:124] : backend 'worker_http', another server named 'worker1' was defined without an explicit ID at line 123, this is not recommended.\r\n[WARNING] 226\/115610 (34205) : parsing [\/etc\/haproxy\/haproxy.cfg:129] : backend 'worker_https', another server named 'worker1' was defined without an explicit ID at line 128, this is not recommended.\r\nConfiguration file is valid\r\n$\r\n\r\n\uff03\u78ba\u8a8d\u304c\u4e0a\u624b\u304f\u884c\u3063\u305f\u30b1\u30fc\u30b9\r\n$ haproxy -f \/etc\/haproxy\/haproxy.cfg -c\r\nConfiguration file is valid\r\n$ \r\n<\/code><\/pre>\n\u5982\u679c\u6ca1\u6709\u95ee\u9898\uff0c\u5e94\u8be5\u663e\u793a\u201c\u914d\u7f6e\u6587\u4ef6\u6709\u6548\u201d\u3002<\/p>\n
5. \u9488\u5bf9HTTP\/HTTPS\u7684\u9632\u706b\u5899\u8bbe\u7f6e<\/h1>\n
RHEL\u3067\u306f\u6a19\u6e96\u3067 firewalld\u304c\u6709\u52b9\u306b\u306a\u3063\u3066\u3044\u308b\u306e\u3067\u3001\u30ed\u30fc\u30c9\u30d0\u30e9\u30f3\u30b7\u30f3\u30b0\u3059\u308b\u30b5\u30fc\u30d3\u30b9\u306b\u5fdc\u3058\u3066\u7a74\u958b\u3051\u3092\u3057\u3066\u3042\u3052\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n
5.1.\u786e\u8ba4\u5f53\u524d\u8bbe\u7f6e<\/h2>\n
\u6211\u4f1a\u68c0\u67e5\u5f53\u524d\u7684\u8bbe\u7f6e\u3002<\/p>\n
$ firewall-cmd --get-active-zones\r\nlibvirt\r\n interfaces: virbr0\r\npublic\r\n interfaces: ens192\r\n$\r\n<\/code><\/pre>\ninterfaces: ens192\u306f\u3001public \u30be\u30fc\u30f3\u306b\u5b58\u5728\u3057\u3066\u3044\u307e\u3059\u3002
\n\u3068\u308a\u3042\u3048\u305a\u3001\u8a2d\u5b9a\u304c\u5fc5\u8981\u306a\u306e\u306f\u300cpublic\u300d\u306e\u30be\u30fc\u30f3\u3067\u3042\u308b\u3068\u8a18\u61b6\u3057\u307e\u3059\u3002
\n\u6b21\u306f\u300cpublic\u300d\u306b\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u308b\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/p>\n
$ firewall-cmd --list-services --zone=public\r\ncockpit dhcpv6-client ssh\r\n$\r\n<\/code><\/pre>\n5.2. \u5728\u7f51\u7edc\u7684\u534f\u8bae http \/ https\u4e2d\u5f00\u8f9f\u4e00\u4e2a\u6f0f\u6d1e\u3002<\/h2>\n
http (80) \u3068 https (443)\u306b\u3064\u3044\u3066\u306f\u3001\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u306e\u4e8b\u524d\u5b9a\u7fa9\u304c\u5b58\u5728\u3057\u3066\u3044\u308b\u306e\u3067\u3001\u305d\u308c\u3092\u8ffd\u52a0\u3059\u308b\u3060\u3051\u3067 firewalld\u306b\u7a74\u3092\u958b\u3051\u308b\u4e8b\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n
$ firewall-cmd --add-service=https --zone=public --permanent\r\nsuccess\r\n$ firewall-cmd --add-service=http --zone=public --permanent\r\nsuccess\r\n<\/code><\/pre>\n\u91cd\u65b0\u52a0\u8f7dfirewalld\u7684\u8bbe\u7f6e\u3002\u5982\u679c\u4f7f\u7528”–permanent”\u9009\u9879\u8fdb\u884c\u4e86\u6dfb\u52a0\uff0c\u9700\u8981\u91cd\u65b0\u52a0\u8f7d\u624d\u80fd\u4f7f\u8bbe\u7f6e\u751f\u6548\u3002<\/p>\n
$ firewall-cmd --reload\r\n<\/code><\/pre>\n\u6211\u4f1a\u786e\u8ba4\u8bbe\u7f6e\u5df2\u7ecf\u751f\u6548\u3002<\/p>\n
$ firewall-cmd --list-services --zone=public\r\ncockpit dhcpv6-client http https ssh\r\n<\/code><\/pre>\n\u5df2\u6dfb\u52a0\u4e86httphttps\u3002<\/p>\n
\u5728\u8fd9\u91cc\uff0c\u6211\u4eec\u6ca1\u6709\u7279\u522b\u66f4\u6539\u5176\u4ed6\u9ed8\u8ba4\u5f00\u653e\u7684\u670d\u52a1\uff0c\u4f46\u53ef\u4ee5\u6839\u636e\u9700\u8981\u5bf9\u5176\u8fdb\u884c\u5f3a\u5316\u5904\u7406\u3002<\/p>\n
\u53ef\u4ee5\u5220\u9664\u4e0d\u5fc5\u8981\u7684\u201c\u670d\u52a1\u201d\u5982\u4e0b\u3002<\/p>\n
firewall-cmd --remove-service=<\u30b5\u30fc\u30d3\u30b9\u540d> --zone=public --permanent\r\n<\/code><\/pre>\n6.Haproxy \u306e\u8d77\u52d5\u3068\u52d5\u4f5c\u306e\u78ba\u8a8d<\/h1>\n6.1 \u542f\u52a8Haproxy<\/h2>\n
\u542f\u52a8Haproxy\u3002<\/p>\n
# haproxy \u3092\u8d77\u52d5\r\n$ systemctl start haproxy\r\n<\/code><\/pre>\n\u81ea\u52d5\u8d77\u52d5\u3092\u6709\u52b9\u5316\u3057\u307e\u3059\u3002<\/p>\n
$ systemctl enable haproxy\r\n$ systemctl is-enabled haproxy\r\nenabled \r\n<\/code><\/pre>\n6.2 \u52d5\u4f5c\u306e\u78ba\u8a8d<\/h2>\n
http(s):\/\/haproxy.example.localdomain \u306b\u30a2\u30af\u30bb\u30b9\u3057\u3066\u307f\u307e\u3059\u3002<\/p>\n
\u3053\u306e\u4f8b\u3067\u306f\u3001\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u5272\u308a\u632f\u308b\u30d0\u30c3\u30af\u30a8\u30f3\u30c9\u306e nginx\u306e\u753b\u9762\u3092\u308f\u304b\u308a\u3084\u3059\u3044\u3088\u3046\u306b\u5909\u66f4\u3057\u3066\u3044\u307e\u3059\u304c\u3001\u30ea\u30ed\u30fc\u30c9\u3059\u308b\u5ea6\u306b\u63a5\u7d9a\u5148\u304c\u5207\u308a\u66ff\u308f\u308b\u306f\u305a\u3067\u3059\u3002\u3053\u308c\u306f\u3001haproxy.cfg \u306b roundrobin\u3092\u8a2d\u5b9a\u3057\u3066\u3044\u308b\u305b\u3044\u3067\u3059\u3002<\/p>\n
![\"image.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d1f4137434c4406c19bed\/50-0.png\" "\\"\\"")
<\/div>\n\u5982\u679c\u53ea\u662f\u60f3\u67e5\u770bHA Proxy\u7684\u8fd0\u884c\u60c5\u51b5\uff0c\u53ef\u4ee5\u6682\u65f6\u907f\u514d\u8bbe\u7f6e7.Security\u3002<\/h1>\n
HA Proxy\u306e\u8a2d\u5b9a\u306f\u3001\u8907\u96d1\u306b\u306a\u3063\u3066\u304f\u308b\u3068\u3001\u307e\u305a\u306fRHEL\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8a2d\u5b9a\u3092OFF\u306b\u3057\u3066haproxy.cfg\u306e\u8a2d\u5b9a\u3092\u78ba\u8a8d\u3057\u305f\u3044\u6642\u304c\u3069\u3046\u3057\u3066\u3082\u51fa\u3066\u304d\u307e\u3059\u3002<\/p>\n
\u4ee5\u4e0b\u306f\u3001RHEL\u306e\u6a19\u6e96\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8a2d\u5b9a(SELinux \u3068 Firewalld) \u3092\u505c\u6b62\u3055\u305b\u308b\u65b9\u6cd5\u3067\u3059\u3002<\/p>\n
7.1.SELinux \u3092\u505c\u6b62<\/h2>\n
SELinux \u3092\u4e00\u6642\u7684\u306b\u505c\u6b62\u3059\u308b<\/p>\n
$ setenforce 0\u3000\u3000\u3000#\u3000\u53cd\u5bfe\u306b\u7a3c\u50cd\u3055\u305b\u308b\u306b\u306f 1 \u3092\u6307\u5b9a\r\n<\/code><\/pre>\n\u6c38\u4e45\u505c\u7528 SELinux<\/p>\n
$ vim \/etc\/selinuxconig\r\n# This file controls the state of SELinux on the system.\r\n# SELINUX= can take one of these three values:\r\n# enforcing - SELinux security policy is enforced.\r\n# permissive - SELinux prints warnings instead of enforcing.\r\n# disabled - No SELinux policy is loaded.\r\nSELINUX=enforcing\u3000\u3000# \u3053\u3053\u3092\u3000disabled \u306b\r\n\u30fb\u30fb\u30fb\r\n\u30fb\u30fb\r\n\u30fb\r\n<\/code><\/pre>\n7.2. \u505c\u6b62 Firewalld<\/h2>\n
\u66ab\u6642\u505c\u4e0b\u7576\u524d\u6b63\u5728\u904b\u884c\u7684\u4e8b\u7269\u3002<\/p>\n
$ systemctl stop firewalld\r\n<\/code><\/pre>\n\u786e\u4fdd\u5728\u7cfb\u7edf\u542f\u52a8\u65f6\u4e5f\u4e0d\u4f1a\u5f39\u51fa\u6765\u3002<\/p>\n
$ systemctl disable firewalld\r\n<\/code><\/pre>\n8.\u4e00\u822c\u7684\u306afirewalld\u306e\u7a74\u3042\u3051\u65b9\u6cd5<\/h1>\n
HA Proxy \u306f L4 (TCP)\u30ec\u30d9\u30eb\u306e\u30ed\u30fc\u30c9\u30d0\u30e9\u30f3\u30b5\u30fc\u306a\u306e\u3067\u3001HTTP\/HTTPS \u4ee5\u5916\u306e\u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u30ed\u30fc\u30c9\u30d0\u30e9\u30f3\u30b9\u3082\u884c\u3046\u4e8b\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n
8.1.\u4e8b\u524d\u5b9a\u7fa9\u3055\u308c\u305f\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u306e\u7a74\u958b\u3051\u3092\u884c\u3046<\/h2>\n
\u524d\u8ff0\u306e\u901a\u308a http (80) \u3068 https (443)\u306b\u3064\u3044\u3066\u306f\u3001\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u306e\u5b9a\u7fa9\u304c\u5b58\u5728\u3057\u3066\u3044\u308b\u306e\u3067\u3001\u305d\u306e\u5b9a\u7fa9\u3092\u4f7f\u7528\u3057\u3066\u6bd4\u8f03\u7684\u7c21\u5358\u306b firewalld \u306b\u7a74\u3092\u958b\u3051\u308b\u4e8b\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n
\u60a8\u53ef\u4ee5\u4f7f\u7528 firewall-cmd –get-services \u547d\u4ee4\u6765\u67e5\u770b\u9884\u5b9a\u4e49\u7684\u9ed8\u8ba4\u201c\u670d\u52a1\u201d\u3002<\/p>\n
$ firewall-cmd --get-services\r\nRH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr machine-config managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server\r\n$\r\n<\/code><\/pre>\n\u4ec5\u901a\u8fc7\u770b\u8fd9\u4e9b\u540d\u5b57\uff0c\u4e5f\u4e0d\u77e5\u9053\u5b83\u4eec\u5230\u5e95\u662f\u4ec0\u4e48\u5b9a\u4e49\u3002<\/p>\n
\u5b9e\u9645\u7684\u9884\u5b9a\u4e49\u201c\u670d\u52a1\u201d\u914d\u7f6e\u6587\u4ef6\u5b58\u50a8\u5728\/usr\/lib\/firewalld\/services\/\u76ee\u5f55\u4e0b\u3002<\/p>\n
$ ls \/usr\/lib\/firewalld\/services\/\r\nRH-Satellite-6.xml freeipa-4.xml libvirt-tls.xml pop3.xml ssh.xml\r\namanda-client.xml freeipa-ldap.xml libvirt.xml pop3s.xml steam-streaming.xml\r\namanda-k5-client.xml freeipa-ldaps.xml lightning-network.xml postgresql.xml svdrp.xml\r\namqp.xml freeipa-replication.xml llmnr.xml privoxy.xml svn.xml\r\namqps.xml freeipa-trust.xml managesieve.xml prometheus.xml syncthing-gui.xml\r\napcupsd.xml ftp.xml matrix.xml proxy-dhcp.xml syncthing.xml\r\n<\u7701\u7565>\r\n<\/code><\/pre>\n\u4f8b\u3048\u3070kube-apiserver \u3068\u3044\u3046\u540d\u524d\u306e\u4e8b\u524d\u5b9a\u7fa9\u306e\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u304c\u3042\u308a\u307e\u3059\u3002
\n\u3053\u306e\u30b5\u30fc\u30d3\u30b9\u306f\u3001\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u540d\u3068\u540c\u3058\u30d5\u30a3\u30eb\u540d\u306e\/usr\/lib\/firewalld\/services\/kube-apiserver.xml\u3068\u3044\u3046\u30d5\u30a1\u30a4\u30eb\u306e\u4e2d\u3067\u5b9a\u7fa9\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u4e2d\u8eab\u306f\u8aad\u3080\u3068\u306a\u3093\u3068\u306a\u304f\u5224\u5225\u3067\u304d\u308b\u3082\u306e\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n
$ cat \/usr\/lib\/firewalld\/services\/kube-apiserver.xml\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<service>\r\n <short>Kubernetes Api Server<\/short>\r\n <description>The Kubernetes API server validates and configures data for the api objects which include pods, services, replicationcontrollers, and others.<\/description>\r\n <port protocol=\"tcp\" port=\"6443\"\/>\r\n<\/service>\r\n$\r\n<\/code><\/pre>\n\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u306e\u5b9a\u7fa9\u30d5\u30a1\u30a4\u30eb\u306e\u4e2d\u8eab\u306f\u4e0a\u8a18\u306e\u3088\u3046\u306a\u3082\u306e\u306a\u306e\u3067\u3001\u81ea\u5206\u304c\u4f7f\u3044\u305f\u3044\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u304c\u4e8b\u524d\u5b9a\u7fa9\u3055\u308c\u3066\u3044\u308b\u304b\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u306e\u4e2d\u8eab\u3092\u691c\u7d22\u3059\u308b\u4e8b\u3067\u767a\u898b\u3067\u304d\u307e\u3059\u3002\u4f8b\u3048\u3070\u30dd\u30fc\u30c86443\u3092\u4f7f\u3046\u30b5\u30fc\u30d3\u30b9\u304c\u4e8b\u524d\u5b9a\u7fa9\u3055\u308c\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u306f\u3001\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u691c\u7d22\u3067\u304d\u307e\u3059\u3002<\/p>\n
$ find \/usr\/lib\/firewalld\/services -type f -print | xargs grep 6443\r\n\/usr\/lib\/firewalld\/services\/kube-apiserver.xml: <port protocol=\"tcp\" port=\"6443\"\/>\r\n$\r\n<\/code><\/pre>\n\u4e8b\u524d\u5b9a\u7fa9\u3055\u308c\u3066\u3044\u308b\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u306e firewalld \u3078\u306e\u7a74\u958b\u3051\u306e\u65b9\u6cd5\u306f\u3001\u57fa\u672c\u7684\u306b\u5168\u3066\u540c\u3058\u3067\u3001\u4f8b\u3048\u3070kube-apiserver\u3092public\u30be\u30fc\u30f3\u306b\u8ffd\u52a0\u3059\u308b\u306b\u306f\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n
# permanent (\u518d\u8d77\u52d5\u5f8c\u3082\u6709\u52b9\uff09\u306b\u3001\u8a2d\u5b9a\u3092\u8ffd\u52a0\r\n$ firewall-cmd --add-service=kube-apiserver --zone=public --permanent\r\nsuccess\r\n\r\n# \u8a2d\u5b9a\u306e\u518d\u8aad\u8fbc\r\n$ firewall-cmd --reload\r\n<\/code><\/pre>\n8.2.\u30ab\u30b9\u30bf\u30e0\u306e\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u3092\u4f5c\u6210\u3057\u3066\u7a74\u958b\u3051\u3092\u884c\u3046<\/h2>\n
\u4f8b\u3068\u3057\u3066\u300cMachine Config\u300d\u3068\u3044\u3046\u30b5\u30fc\u30d3\u30b9\u304c\u3042\u308a\u300122623 \/tcp \u3068\u3044\u3046\u30dd\u30fc\u30c8\u3092\u4f7f\u7528\u3057\u305f\u3044\u3068\u3057\u307e\u3059\u3002
\n\u307e\u305a\u306f\u3001\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u81ea\u5206\u306e\u4f7f\u7528\u3057\u3044\u305f\u3044port\u304c\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u4e8b\u524d\u5b9a\u7fa9\u3055\u308c\u3066\u306a\u3044\u304b\u63a2\u3057\u3066\u307f\u307e\u3059\u3002<\/p>\n
find \/usr\/lib\/firewalld\/services -type f -print | xargs grep <\u81ea\u5206\u306e\u4f7f\u7528\u3057\u305f\u3044\u30b5\u30fc\u30d3\u30b9\u306e\u30dd\u30fc\u30c8>\r\n<\/code><\/pre>\n\u3082\u3057\u5b58\u5728\u3057\u306a\u3044\u5834\u5408\u306f\u3001\u81ea\u5206\u3067\u65b0\u3057\u3044\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u3092\u5b9a\u7fa9\u3057\u307e\u3059\u3002<\/p>\n
\u5728\u8fd9\u91cc\uff0c\u6211\u4eec\u5c06\u521b\u5efa\u4e00\u4e2a\u540d\u4e3a”machine-config”\u5e76\u4f7f\u752822623\/tcp\u7684\u65b0\u670d\u52a1\u3002<\/p>\n
\u6dfb\u52a0\u65b0\u670d\u52a1\u540d\u79f0<\/p>\n
$ firewall-cmd --permanent --new-service machine-config\r\nsuccess\r\n<\/code><\/pre>\n\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u300cmachine-config\u300d\u306e\u8aac\u660e\u3092\u8ffd\u52a0<\/p>\n
$ firewall-cmd --permanent --service=machine-config --set-description=\"OpenShift machine config access\"\r\nsuccess\r\n<\/code><\/pre>\n\u589e\u52a0\u65b0\u7684\u201c\u670d\u52a1\u201d\u201cmachine-config\u201d\u7684\u7aef\u53e3\u5b9a\u4e49<\/p>\n
$ firewall-cmd --service=machine-config --add-port=22623\/tcp --permanent \r\nsuccess\r\n<\/code><\/pre>\n\u786e\u8ba4\u65b0\u5efa\u4e86\u4e00\u4e2a\u540d\u4e3a\u201c\u670d\u52a1\u201d\u7684\u914d\u7f6e\u6587\u4ef6\u3002\u7528\u6237\u5b9a\u4e49\u7684\u201c\u670d\u52a1\u201d\u4e0e\u9884\u5b9a\u4e49\u7684\u201c\u670d\u52a1\u201d\u6587\u4ef6\u7684\u8def\u5f84\u4e0d\u540c\uff0c\u5b83\u4eec\u88ab\u521b\u5efa\u5728\/etc\/firewalld\/services\/\u76ee\u5f55\u4e0b\u3002<\/p>\n
$ cat \/etc\/firewalld\/services\/machine-config.xml\r\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<service>\r\n <description>OpenShift machine config access<\/description>\r\n <port port=\"22623\" protocol=\"tcp\"\/>\r\n<\/service>\r\n<\/code><\/pre>\n\u8bfb\u53d6\u65b0\u521b\u5efa\u7684\u201c\u670d\u52a1\u201d\u6587\u4ef6\u3002<\/p>\n
$ firewall-cmd --reload\r\n<\/code><\/pre>\n\u4f5c\u6210\u3057\u305f\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u3092 firewalld \u3092\u900f\u904e\u3055\u305b\u308b\u300c\u30b5\u30fc\u30d3\u30b9\u300d\u3068\u3057\u3066\u3001\u3053\u3053\u3067\u306fpublic\u30be\u30fc\u30f3\u306b\u8ffd\u52a0\u3057\u307e\u3059\u3002<\/p>\n
$ firewall-cmd --add-service=machine-config --zone=public \r\nsuccess\r\n<\/code><\/pre>\n\u73b0\u5728\uff0c\u6211\u4eec\u8981\u786e\u8ba4\u54ea\u4e9b\u201c\u670d\u52a1\u201d\u5df2\u7ecf\u8bbe\u7f6e\u4e3a\u900f\u8fc7firewalld\u3002\u6211\u4eec\u8981\u68c0\u67e5\u662f\u5426\u5df2\u6dfb\u52a0\u4e86machine-config\u3002<\/p>\n
$ firewall-cmd --list-services\r\ncockpit dhcpv6-client http https kube-apiserver machine-config ssh\r\n$\r\n<\/code><\/pre>\n\u518d\u8d77\u52d5\u3057\u3066\u3082\u8a2d\u5b9a\u304c\u5916\u308c\u306a\u3044\u3088\u3046\u306b\u3001\u73fe\u5728\u306e\u8a2d\u5b9a\u3092 permanent \u306b\u3059\u308b\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n
$ firewall-cmd --runtime-to-permanent\r\nsuccess\r\n<\/code><\/pre>\n9. SELinux\u7684\u8bbe\u7f6e<\/h1>\n
\u7279\u7a2e\u306a\u30dd\u30fc\u30c8\u3092\u4f7f\u3046\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u30ed\u30fc\u30c9\u30d0\u30e9\u30f3\u30b9\u3092\u884c\u3046\u5834\u5408\u3001HA Proxy\u304c\u305d\u306e\u30dd\u30fc\u30c8\u3092\u4f7f\u7528\u3059\u308b\u4e8b\u304c\u8a31\u53ef\u3055\u308c\u3066\u3044\u306a\u3044\u5834\u5408\u306f\u3001SELinux\u304cHA Proxy\u306e\u52d5\u304d\u3092\u30d6\u30ed\u30c3\u30af\u3059\u308b\u305f\u3081\u3001haproxy \u304c\u8d77\u52d5\u3057\u307e\u305b\u3093\u3002<\/p>\n
\u4f8b\u3048\u3070\u8a2d\u5b9a\u3092\u5909\u66f4\u3057\u3066\u3001systemctl\u3067\u518d\u8d77\u52d5\u3057\u3088\u3046\u3068\u3059\u308b\u3068\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u8d77\u52d5\u3067\u304d\u306a\u3044\u306f\u305a\u3067\u3059\u3002<\/p>\n
$ systemctl restart haproxy.service\r\nJob for haproxy.service failed because the control process exited with error code.\r\nSee \"systemctl status haproxy.service\" and \"journalctl -xe\" for details.\r\n$\r\n<\/code><\/pre>\n9.1 \u5ba1\u8ba1\u65e5\u5fd7\u7684\u9a8c\u8bc1<\/h2>\n
\u5982\u679chaproxy\u65e0\u6cd5\u8fd0\u884c\uff0c\u8bf7\u68c0\u67e5\u662f\u5426\u5df2\u505c\u6b62\u8fd0\u884c\uff0c\u6216\u68c0\u67e5audit.log\u65e5\u5fd7\u6587\u4ef6\uff0c\u8be5\u65e5\u5fd7\u6587\u4ef6\u88ab\u8f93\u51fa\u5230\/var\/log\/audit\/audit.log\u3002<\/p>\n
\u4f46\u662f audit.log \u6587\u4ef6\u672c\u8eab\u4e0d\u6613\u8bfb\u53d6\uff0c\u56e0\u6b64\u901a\u8fc7 ausearch \u547d\u4ee4\u63d0\u4f9b\u4e86\u4e00\u4e2a\u5de5\u5177\u6765\u67e5\u770b\u7ecf\u8fc7\u683c\u5f0f\u5316\u7684 audit.log\u3002<\/p>\n
haproxy \u95a2\u9023\u306e audit.log \u306e\u30a8\u30e9\u30fc\u306f\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3067\u78ba\u8a8d\u3059\u308b\u4e8b\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n
[root@lb1 ~]# ausearch -c 'haproxy' --raw\r\ntype=AVC msg=audit(1602169554.880:195): avc: denied { name_bind } for pid=2903 comm=\"haproxy\" src=6443 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0\r\ntype=AVC msg=audit(1602169554.880:196): avc: denied { name_bind } for pid=2903 comm=\"haproxy\" src=22623 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0\r\n[root@lb1 ~]# \r\n<\/code><\/pre>\n\u6211\u53ef\u4ee5\u770b\u5230\u5b57\u8bcd”\u62d2\u7edd”\uff0c\u6240\u4ee5\u53ef\u4ee5\u7406\u89e3\u6709\u67d0\u4ef6\u4e8b\u88ab\u5426\u51b3\u4e86\u3002<\/p>\n
9.2 \u4f7f\u7528 audit2allow<\/h2>\n
ausearch \u3067\u306e\u51fa\u529b\u3055\u308c\u305f denied \u306e\u30ed\u30b0\u3092 audit2allow \u3068\u3044\u3046\u30b3\u30de\u30f3\u30c9\u306b\u30d1\u30a4\u30d7\u3067\u6e21\u3059\u4e8b\u3067\u3001\u884c\u3046\u3079\u304d SELinux\u306e\u8a2d\u5b9a\u3092\u63d0\u6848\u3057\u3066\u304f\u308c\u307e\u3059\u3002\u3053\u3053\u3067\u306f\u3001my-haproxy\u3068\u3044\u3046\u30d5\u30a1\u30a4\u30eb\u540d\u306b\u3057\u307e\u3059\u3002<\/p>\n
$ ausearch -c 'haproxy' --raw | audit2allow -M my-haproxy\r\n******************** IMPORTANT ***********************\r\nTo make this policy package active, execute:\r\n\r\nsemodule -i my-haproxy.pp\r\n\r\n$ ls -ltr\r\n-rw-r--r--. 1 root root 308 Oct 8 11:12 my-haproxy.te\r\n-rw-r--r--. 1 root root 969 Oct 8 11:12 my-haproxy.pp\r\n$\r\n<\/code><\/pre>\n.pp\u3068.te \u3068\u3044\u3046\u30d5\u30a1\u30a4\u30eb\u304c\u3067\u304d\u307e\u3059\u304c\u3001.te\u306f\u53ef\u8aad\u306a\u306e\u3067\u4e2d\u8eab\u3092\u78ba\u8a8d\u3057\u3066\u307f\u307e\u3059\u3002<\/p>\n
$ cat my-haproxy.te \r\n\r\nmodule my-haproxy 1.0;\r\n\r\nrequire {\r\n type haproxy_t;\r\n type unreserved_port_t;\r\n class tcp_socket name_bind;\r\n}\r\n\r\n#============= haproxy_t ==============\r\n\r\n#!!!! This avc can be allowed using one of the these booleans:\r\n# nis_enabled, haproxy_connect_any\r\nallow haproxy_t unreserved_port_t:tcp_socket { name_bind name_connect };\r\n$\r\n<\/code><\/pre>\n\u5efa\u8bae\u6267\u884c `allow haproxy_t unreserved_port_t:tcp_socket name_bind;` \u8fd9\u4e2a\u8bbe\u7f6e\u3002<\/p>\n
\u3053\u306e\u8a2d\u5b9a\u3092\u9069\u7528\u3059\u308b\u306b\u306f\u3001\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n
semodule -i my-haproxy.pp\r\n<\/code><\/pre>\n\u8fd9\u6837\u5e94\u8be5\u53ef\u4ee5\u542f\u52a8haproxy\u4e86\u3002<\/p>\n
\u542f\u7528rsyslog<\/h1>\n
HA Proxy \u304c\u304d\u3061\u3093\u3068\u52d5\u3044\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3001\u78ba\u8a8d\u3057\u305f\u3044\u306a\u3068\u601d\u3044\u3001\u30ed\u30b0\u306f\u3069\u3053\u304b\u30fb\u30fb\u30fb\u3068\u63a2\u3057\u305f\u6240\u3001rsyslog \u3067\u5916\u306b\u5410\u304f\u8a2d\u5b9a\u3092\u3057\u3066\u3042\u3052\u308b\u5fc5\u8981\u304c\u3042\u308b\u3088\u3046\u3067\u3059\u3002\/var\/log\/haproxy.log \u3000\u3068\u3044\u3046\u30d5\u30a1\u30a4\u30eb\u306b\u30ed\u30b0\u3092\u5410\u304f\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/p>\n
\/etc\/rsyslog.conf\u3000\u3092\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u7de8\u96c6\u3057\u307e\u3059\u3002<\/p>\n
\u30fb\u30fb\u30fb\r\n# Provides UDP syslog reception\r\n# for parameters see http:\/\/www.rsyslog.com\/doc\/imudp.html\r\n#\r\n#module(load=\"imudp\") # needs to be done just once\r\n#input(type=\"imudp\" port=\"514\")\r\n# \u4ee5\u4e0b\u306e2\u884c\u3092\u8ffd\u52a0\r\n$ModLoad imudp\r\n$UDPServerRun 514\r\n\r\n<\u7701\u7565>\r\n\r\n# *.info;mail.none;authpriv.none;cron.none \/var\/log\/messages\r\n# \u4ee5\u4e0b\u306b\u66f8\u304d\u63db\u3048 (local2 \u304c \/var\/log\/message \u306b\u51fa\u529b\u3055\u308c\u306a\u3044\u3088\u3046\u306b\u3059\u308b\u305f\u3081\u3002 \/var\/log\/haproxy.log \u306b\u51fa\u529b\u3057\u305f\u3044)\r\n*.info;mail.none;authpriv.none;cron.none;local2.none \/var\/log\/messages\r\n\r\n<\u7701\u7565>\r\n\r\n# Save boot messages also to boot.log\r\nlocal7.* \/var\/log\/boot.log\r\n\r\n# \u3053\u3053\u3082\u8ffd\u52a0 \/var\/log\/haproxy.log \u306b\u30ed\u30b0\u3092\u51fa\u529b\u3059\u308b\u3002\r\n# Save HAProxy maessage to haproxy.log\r\nlocal2.* \/var\/log\/haproxy.log\r\n<\/code><\/pre>\n\u7f16\u8f91\u8bbe\u7f6e\u540e\uff0c\u5c06\u91cd\u65b0\u542f\u52a8 rsyslog\u3002<\/p>\n
systemctl restart rsyslog\r\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u4fdd\u8b77\u662f\u6211\u5011\u5171\u540c\u7684\u8cac\u4efb\uff0c\u6211\u5011\u61c9\u8a72\u52aa\u529b\u4fdd\u8b77\u6211\u5011\u7684\u74b0\u5883\u3002 \u6211\u4f7f\u7528\u4e86RHEL 8.2\u3002 # cat \/etc\/redh […]<\/p>\n","protected":false},"author":12,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-34759","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head":"\n
\u5728RHEL 8\u4e0a\u5b89\u88c5HA Proxy - Blog - Silicon Cloud<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.silicloud.com\/zh\/blog\/\u5728rhel-8\u4e0a\u5b89\u88c5ha-proxy\u3002\/\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u5728RHEL 8\u4e0a\u5b89\u88c5HA Proxy\" \/>\n<meta property=\"og:description\" content=\"\u4fdd\u8b77\u662f\u6211\u5011\u5171\u540c\u7684\u8cac\u4efb\uff0c\u6211\u5011\u61c9\u8a72\u52aa\u529b\u4fdd\u8b77\u6211\u5011\u7684\u74b0\u5883\u3002 \u6211\u4f7f\u7528\u4e86RHEL 8.2\u3002 # cat \/etc\/redh […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.silicloud.com\/zh\/blog\/\u5728rhel-8\u4e0a\u5b89\u88c5ha-proxy\u3002\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog - Silicon Cloud\" \/>\n<meta property=\"article:published_time\" content=\"2023-09-05T10:34:47+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-29T09:46:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d1f4137434c4406c19bed\/12-0.png\" \/>\n<meta name=\"author\" content=\"\u9038, \u79d1\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"\u9038, \u79d1\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e5%9c%a8rhel-8%e4%b8%8a%e5%ae%89%e8%a3%85ha-proxy%e3%80%82\/\",\"url\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e5%9c%a8rhel-8%e4%b8%8a%e5%ae%89%e8%a3%85ha-proxy%e3%80%82\/\",\"name\":\"\u5728RHEL 8\u4e0a\u5b89\u88c5HA Proxy - Blog - Silicon Cloud\",\"isPartOf\":{\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#website\"},\"datePublished\":\"2023-09-05T10:34:47+00:00\",\"dateModified\":\"2024-04-29T09:46:26+00:00\",\"author\":{\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/85c1dae56e6ea1e695c73d33c684d487\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e5%9c%a8rhel-8%e4%b8%8a%e5%ae%89%e8%a3%85ha-proxy%e3%80%82\/#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.silicloud.com\/zh\/blog\/%e5%9c%a8rhel-8%e4%b8%8a%e5%ae%89%e8%a3%85ha-proxy%e3%80%82\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e5%9c%a8rhel-8%e4%b8%8a%e5%ae%89%e8%a3%85ha-proxy%e3%80%82\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9875\",\"item\":\"https:\/\/www.silicloud.com\/zh\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\u5728RHEL 8\u4e0a\u5b89\u88c5HA Proxy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#website\",\"url\":\"https:\/\/www.silicloud.com\/zh\/blog\/\",\"name\":\"Blog - Silicon Cloud\",\"description\":\"\",\"inLanguage\":\"zh-Hans\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/85c1dae56e6ea1e695c73d33c684d487\",\"name\":\"\u9038, \u79d1\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c94f6d9cbbfbca863fab309840bd690c153c95f8490c290ad2ed54dd693dad16?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c94f6d9cbbfbca863fab309840bd690c153c95f8490c290ad2ed54dd693dad16?s=96&d=mm&r=g\",\"caption\":\"\u9038, \u79d1\"},\"url\":\"https:\/\/www.silicloud.com\/zh\/blog\/author\/keyi\/\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e5%9c%a8rhel-8%e4%b8%8a%e5%ae%89%e8%a3%85ha-proxy%e3%80%82\/#local-main-organization-logo\",\"url\":\"\",\"contentUrl\":\"\",\"caption\":\"Blog - Silicon Cloud\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"\u5728RHEL 8\u4e0a\u5b89\u88c5HA Proxy - Blog - Silicon Cloud","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.silicloud.com\/zh\/blog\/\u5728rhel-8\u4e0a\u5b89\u88c5ha-proxy\u3002\/","og_locale":"zh_CN","og_type":"article","og_title":"\u5728RHEL 8\u4e0a\u5b89\u88c5HA Proxy","og_description":"\u4fdd\u8b77\u662f\u6211\u5011\u5171\u540c\u7684\u8cac\u4efb\uff0c\u6211\u5011\u61c9\u8a72\u52aa\u529b\u4fdd\u8b77\u6211\u5011\u7684\u74b0\u5883\u3002 \u6211\u4f7f\u7528\u4e86RHEL 8.2\u3002 # cat \/etc\/redh […]","og_url":"https:\/\/www.silicloud.com\/zh\/blog\/\u5728rhel-8\u4e0a\u5b89\u88c5ha-proxy\u3002\/","og_site_name":"Blog - Silicon Cloud","article_published_time":"2023-09-05T10:34:47+00:00","article_modified_time":"2024-04-29T09:46:26+00:00","og_image":[{"url":"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d1f4137434c4406c19bed\/12-0.png"}],"author":"\u9038, \u79d1","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"\u9038, \u79d1","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"7 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.silicloud.com\/zh\/blog\/%e5%9c%a8rhel-8%e4%b8%8a%e5%ae%89%e8%a3%85ha-proxy%e3%80%82\/","url":"https:\/\/www.silicloud.com\/zh\/blog\/%e5%9c%a8rhel-8%e4%b8%8a%e5%ae%89%e8%a3%85ha-proxy%e3%80%82\/","name":"\u5728RHEL 8\u4e0a\u5b89\u88c5HA Proxy - Blog - Silicon Cloud","isPartOf":{"@id":"https:\/\/www.silicloud.com\/zh\/blog\/#website"},"datePublished":"2023-09-05T10:34:47+00:00","dateModified":"2024-04-29T09:46:26+00:00","author":{"@id":"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/85c1dae56e6ea1e695c73d33c684d487"},"breadcrumb":{"@id":"https:\/\/www.silicloud.com\/zh\/blog\/%e5%9c%a8rhel-8%e4%b8%8a%e5%ae%89%e8%a3%85ha-proxy%e3%80%82\/#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.silicloud.com\/zh\/blog\/%e5%9c%a8rhel-8%e4%b8%8a%e5%ae%89%e8%a3%85ha-proxy%e3%80%82\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.silicloud.com\/zh\/blog\/%e5%9c%a8rhel-8%e4%b8%8a%e5%ae%89%e8%a3%85ha-proxy%e3%80%82\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"https:\/\/www.silicloud.com\/zh\/blog\/"},{"@type":"ListItem","position":2,"name":"\u5728RHEL 8\u4e0a\u5b89\u88c5HA Proxy"}]},{"@type":"WebSite","@id":"https:\/\/www.silicloud.com\/zh\/blog\/#website","url":"https:\/\/www.silicloud.com\/zh\/blog\/","name":"Blog - Silicon Cloud","description":"","inLanguage":"zh-Hans"},{"@type":"Person","@id":"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/85c1dae56e6ea1e695c73d33c684d487","name":"\u9038, \u79d1","image":{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/c94f6d9cbbfbca863fab309840bd690c153c95f8490c290ad2ed54dd693dad16?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c94f6d9cbbfbca863fab309840bd690c153c95f8490c290ad2ed54dd693dad16?s=96&d=mm&r=g","caption":"\u9038, \u79d1"},"url":"https:\/\/www.silicloud.com\/zh\/blog\/author\/keyi\/"},{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/www.silicloud.com\/zh\/blog\/%e5%9c%a8rhel-8%e4%b8%8a%e5%ae%89%e8%a3%85ha-proxy%e3%80%82\/#local-main-organization-logo","url":"","contentUrl":"","caption":"Blog - Silicon Cloud"}]}},"_links":{"self":[{"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/posts\/34759","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/comments?post=34759"}],"version-history":[{"count":2,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/posts\/34759\/revisions"}],"predecessor-version":[{"id":86718,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/posts\/34759\/revisions\/86718"}],"wp:attachment":[{"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/media?parent=34759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/categories?post=34759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/tags?post=34759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}