HAProxy official documentation translation (Chapter 3): Global parameters (1), with the English original

3. Global parameters

Parameters in the "global" section are process-wide and often OS-specific. They are generally set once and do not need to be changed once correct. Some of them have command-line equivalents.

The following keywords are supported in the "global" section:

* Process management and security
- ca-base
- chroot
- crt-base
- cpu-map
- daemon
- description
- deviceatlas-json-file
- deviceatlas-log-level
- deviceatlas-separator
- deviceatlas-properties-cookie
- external-check
- gid
- group
- hard-stop-after
- log
- log-tag
- log-send-hostname
- lua-load
- nbproc
- nbthread
- node
- pidfile
- presetenv
- resetenv
- uid
- ulimit-n
- user
- setenv
- stats
- ssl-default-bind-ciphers
- ssl-default-bind-ciphersuites
- ssl-default-bind-options
- ssl-default-server-ciphers
- ssl-default-server-ciphersuites
- ssl-default-server-options
- ssl-dh-param-file
- ssl-server-verify
- unix-bind
- unsetenv
- 51degrees-data-file
- 51degrees-property-name-list
- 51degrees-property-separator
- 51degrees-cache-size
- wurfl-data-file
- wurfl-information-list
- wurfl-information-list-separator
- wurfl-engine-mode
- wurfl-cache-size
- wurfl-useragent-priority

* Performance tuning

- max-spread-checks
- maxconn
- maxconnrate
- maxcomprate
- maxcompcpuusage
- maxpipes
- maxsessrate
- maxsslconn
- maxsslrate
- maxzlibmem
- noepoll
- nokqueue
- nopoll
- nosplice
- nogetaddrinfo
- noreuseport
- profiling.tasks
- spread-checks
- server-state-base
- server-state-file
- ssl-engine
- ssl-mode-async
- tune.buffers.limit
- tune.buffers.reserve
- tune.bufsize
- tune.chksize
- tune.comp.maxlevel
- tune.h2.header-table-size
- tune.h2.initial-window-size
- tune.h2.max-concurrent-streams
- tune.http.cookielen
- tune.http.logurilen
- tune.http.maxhdr
- tune.idletimer
- tune.lua.forced-yield
- tune.lua.maxmem
- tune.lua.session-timeout
- tune.lua.task-timeout
- tune.lua.service-timeout
- tune.maxaccept
- tune.maxpollevents
- tune.maxrewrite
- tune.pattern.cache-size
- tune.pipesize
- tune.rcvbuf.client
- tune.rcvbuf.server
- tune.recv_enough
- tune.runqueue-depth
- tune.sndbuf.client
- tune.sndbuf.server
- tune.ssl.cachesize
- tune.ssl.lifetime
- tune.ssl.force-private-cache
- tune.ssl.maxrecord
- tune.ssl.default-dh-param
- tune.ssl.ssl-ctx-cache-size
- tune.ssl.capture-cipherlist-size
- tune.vars.global-max-size
- tune.vars.proc-max-size
- tune.vars.reqres-max-size
- tune.vars.sess-max-size
- tune.vars.txn-max-size
- tune.zlib.memlevel
- tune.zlib.windowsize

* Debugging

- debug
- quiet

3.1 Process management and security

ca-base <dir>

Assigns a default directory from which SSL CA certificates and CRLs (certificate revocation lists) are fetched when a relative path is used with the "ca-file" or "crl-file" directive. Absolute paths specified in "ca-file" and "crl-file" take precedence and ignore "ca-base".

chroot <jail dir>

Changes the current directory to <jail dir> and performs a chroot() there before dropping all privileges. This raises the security level in case an unknown vulnerability is exploited, since it makes it very hard for an attacker to compromise the whole system. This option only works when the process is started with superuser privileges. Make sure that <jail_dir> is empty and not writable by any user.

cpu-map [auto:]<process-set>[/<thread-set>] <cpu-set>...

On Linux 2.6 and above, a process or thread can be bound to a specified CPU set, which means the process or thread will never run on any other CPU. The "cpu-map" directive assigns CPU sets to process or thread sets. The first argument is a process set, optionally followed by a thread set. The format is as follows:

all | odd | even | number[-[number]]

<number> must be a number between 1 and 32 or 64, depending on the machine's word size. Any process ID above nbproc and any thread ID above nbthread is ignored. A range can be specified with two such numbers separated by a dash ("-"). All processes can be selected at once with "all", only odd numbers with "odd" or only even numbers with "even", just like with the "bind-process" directive. The second and following arguments are CPU sets. Each CPU set is either a single number between 0 and 31 or 63, or a range of two such numbers joined by "-". Multiple CPU numbers or ranges may be given, and the processes or threads are allowed to bind to all of them. Obviously, multiple "cpu-map" directives may be specified; each directive replaces the previous ones where they overlap. A thread is bound to the intersection of its own mapping and that of the process it belongs to. If the intersection is empty, no specific binding is set for the thread.


Ranges can be partially defined: the upper bound may be omitted, in which case it is replaced by the corresponding maximum value, 32 or 64 depending on the machine's word size.

The prefix "auto:" can be added before the process set to let HAProxy bind processes or threads to CPUs automatically by incrementing the process/thread and CPU sets together. To be valid, both sets must have the same size. Regardless of the declaration order of the CPU sets, binding goes from the lowest to the highest number. Using the "auto:" prefix with both a process range and a thread range is not supported: only one of them may be a range, the other must be a fixed number.

Examples:
cpu-map 1-4 0-3 # bind processes 1 to 4 to the first 4 CPUs

cpu-map 1/all 0-3 # bind all threads of the first process to the first 4 CPUs

cpu-map 1- 0- # will be replaced by "cpu-map 1-64 0-63"
# or "cpu-map 1-32 0-31" depending on the machine's word size

# all these lines bind process 1 to cpu 0, process 2 to cpu 1, and so on.
cpu-map auto:1-4 0-3
cpu-map auto:1-4 0-1 2-3
cpu-map auto:1-4 3 2 1 0

# all these lines bind thread 1 to cpu 0, thread 2 to cpu 1, and so on
cpu-map auto:1/1-4 0-3
cpu-map auto:1/1-4 0-1 2-3
cpu-map auto:1/1-4 3 2 1 0

# bind each process to exactly one CPU using the all/odd/even keywords
cpu-map auto:all 0-63
cpu-map auto:even 0-31
cpu-map auto:odd 32-63

# invalid cpu-map because the process and CPU sets do not have the same size
cpu-map auto:1-4 0 # invalid
cpu-map auto:1 0-3 # invalid

# invalid cpu-map because automatic binding is used with a process range
# and a thread range.
cpu-map auto:all/all 0 # invalid
cpu-map auto:all/1-4 0 # invalid
cpu-map auto:1-4/all 0 # invalid
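To make the cpu-map rules above concrete, here is an added validator (my own code, not HAProxy's parser) that expands the process, thread and CPU sets of one directive and enforces the "auto:" constraints; it assumes a 64-bit word size, so process and thread IDs run 1-64 and CPUs 0-63.

```python
import re

WORD_SIZE = 64  # assumption: 64-bit machine; on 32-bit the bounds would be 32 / 0-31


def parse_set(spec, lo, hi):
    """Expand one set spec ("all", "odd", "even", "n", "n-m", "n-") into a sorted list of ints."""
    if spec == "all":
        return list(range(lo, hi + 1))
    if spec == "odd":
        return [i for i in range(lo, hi + 1) if i % 2 == 1]
    if spec == "even":
        return [i for i in range(lo, hi + 1) if i % 2 == 0]
    m = re.fullmatch(r"(\d+)(?:-(\d+)?)?", spec)
    if not m:
        raise ValueError(f"bad set {spec!r}")
    a = int(m.group(1))
    # "n-" with the upper bound omitted means "n up to the maximum value"
    b = int(m.group(2)) if m.group(2) else (hi if "-" in spec else a)
    if not (lo <= a <= b <= hi):
        raise ValueError(f"set {spec!r} outside {lo}-{hi}")
    return list(range(a, b + 1))


def is_range(spec):
    return spec in ("all", "odd", "even") or "-" in spec


def parse_cpu_map(line):
    """Parse 'cpu-map [auto:]<proc>[/<thread>] <cpu>...' into {(proc, thread): [cpus]}.
    thread is None when no thread set was given. Raises ValueError on invalid lines."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "cpu-map":
        raise ValueError("expected: cpu-map <set> <cpu-set>...")
    target, cpu_specs = parts[1], parts[2:]
    auto = target.startswith("auto:")
    if auto:
        target = target[len("auto:"):]
    proc_spec, _, thr_spec = target.partition("/")
    procs = parse_set(proc_spec, 1, WORD_SIZE)
    threads = parse_set(thr_spec, 1, WORD_SIZE) if thr_spec else [None]
    # CPU arguments are unioned; binding order is lowest to highest regardless of declaration order
    cpus = sorted({c for spec in cpu_specs for c in parse_set(spec, 0, WORD_SIZE - 1)})
    if not auto:
        return {(p, t): cpus for p in procs for t in threads}
    # auto: at most one of the two sets may be a range, and it must match the CPU set's size
    if thr_spec and is_range(proc_spec) and is_range(thr_spec):
        raise ValueError("auto: cannot combine a process range with a thread range")
    units = [(p, t) for p in procs for t in threads]
    if len(units) != len(cpus):
        raise ValueError(f"auto: {len(units)} process/thread ids vs {len(cpus)} CPUs")
    return {u: [c] for u, c in zip(units, cpus)}
```

Feeding the invalid lines from the examples above to parse_cpu_map() raises ValueError with the reason, which is the check a config linter would want before reload.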

crt-base <dir>

Assigns a default directory from which SSL certificates are fetched when a relative path is used with the "crtfile" directive. Absolute paths specified after "crtfile" take precedence and ignore "crt-base".

daemon

Makes the process fork into the background. This is the recommended mode of operation. It is equivalent to the "-D" command-line argument and can be disabled with the "-db" argument. This option is ignored in systemd mode.

deviceatlas-json-file <path>

Sets the path of the DeviceAtlas JSON data file to be loaded by the API. The path must point to a valid JSON data file that is accessible to the HAProxy process.

deviceatlas-log-level <value>

Sets the level of information returned by the API. This directive is optional and defaults to 0 if not set.

deviceatlas-separator <char>

Sets the character separator for the API property results. This directive is optional and defaults to | if not set.

deviceatlas-properties-cookie <name>

Sets the name of the client cookie used to detect whether the DeviceAtlas client-side component was used during the request. This directive is optional and defaults to DAPROPS if not set.

external-check

Allows the use of an external agent to perform health checks. This directive is disabled by default as a security precaution.

gid <number>

Changes the process's group ID to the specified number. It is recommended that the group ID be dedicated to HAProxy or to a small set of similar daemons. HAProxy must be started by a user belonging to this group, or with superuser privileges. Note that if haproxy is started by a user with supplementary groups, it will only be able to drop those groups if it was started with superuser privileges.
See also "group" and "uid".

hard-stop-after <time>

Defines the maximum time allowed to perform a clean soft-stop.

Arguments:
<time> is the maximum time (in milliseconds by default) for which the instance will remain alive after a soft-stop is received via the SIGUSR1 signal.

This may be used to ensure that the instance will quit even if connections remain open during a soft-stop (for example with long timeouts for a proxy in tcp mode). It applies in both TCP and HTTP mode.

Example:
global
hard-stop-after 30s

group <group name>

Similar to "gid", but uses the GID of the named group from /etc/group. See also the "gid" and "user" directives.

To be continued; this chapter is long and will be completed over several posts.

------------------------------ The English original follows -------------------------------

Parameters in the "global" section are process-wide and often OS-specific. They
are generally set once for all and do not need being changed once correct. Some
of them have command-line equivalents.

The following keywords are supported in the "global" section :

 * Process management and security
   - ca-base
   - chroot
   - crt-base
   - cpu-map
   - daemon
   - description
   - deviceatlas-json-file
   - deviceatlas-log-level
   - deviceatlas-separator
   - deviceatlas-properties-cookie
   - external-check
   - gid
   - group
   - hard-stop-after
   - log
   - log-tag
   - log-send-hostname
   - lua-load
   - nbproc
   - nbthread
   - node
   - pidfile
   - presetenv
   - resetenv
   - uid
   - ulimit-n
   - user
   - setenv
   - stats
   - ssl-default-bind-ciphers
   - ssl-default-bind-ciphersuites
   - ssl-default-bind-options
   - ssl-default-server-ciphers
   - ssl-default-server-ciphersuites
   - ssl-default-server-options
   - ssl-dh-param-file
   - ssl-server-verify
   - unix-bind
   - unsetenv
   - 51degrees-data-file
   - 51degrees-property-name-list
   - 51degrees-property-separator
   - 51degrees-cache-size
   - wurfl-data-file
   - wurfl-information-list
   - wurfl-information-list-separator
   - wurfl-engine-mode
   - wurfl-cache-size
   - wurfl-useragent-priority

 * Performance tuning
   - max-spread-checks
   - maxconn
   - maxconnrate
   - maxcomprate
   - maxcompcpuusage
   - maxpipes
   - maxsessrate
   - maxsslconn
   - maxsslrate
   - maxzlibmem
   - noepoll
   - nokqueue
   - nopoll
   - nosplice
   - nogetaddrinfo
   - noreuseport
   - profiling.tasks
   - spread-checks
   - server-state-base
   - server-state-file
   - ssl-engine
   - ssl-mode-async
   - tune.buffers.limit
   - tune.buffers.reserve
   - tune.bufsize
   - tune.chksize
   - tune.comp.maxlevel
   - tune.h2.header-table-size
   - tune.h2.initial-window-size
   - tune.h2.max-concurrent-streams
   - tune.http.cookielen
   - tune.http.logurilen
   - tune.http.maxhdr
   - tune.idletimer
   - tune.lua.forced-yield
   - tune.lua.maxmem
   - tune.lua.session-timeout
   - tune.lua.task-timeout
   - tune.lua.service-timeout
   - tune.maxaccept
   - tune.maxpollevents
   - tune.maxrewrite
   - tune.pattern.cache-size
   - tune.pipesize
   - tune.rcvbuf.client
   - tune.rcvbuf.server
   - tune.recv_enough
   - tune.runqueue-depth
   - tune.sndbuf.client
   - tune.sndbuf.server
   - tune.ssl.cachesize
   - tune.ssl.lifetime
   - tune.ssl.force-private-cache
   - tune.ssl.maxrecord
   - tune.ssl.default-dh-param
   - tune.ssl.ssl-ctx-cache-size
   - tune.ssl.capture-cipherlist-size
   - tune.vars.global-max-size
   - tune.vars.proc-max-size
   - tune.vars.reqres-max-size
   - tune.vars.sess-max-size
   - tune.vars.txn-max-size
   - tune.zlib.memlevel
   - tune.zlib.windowsize

 * Debugging
   - debug
   - quiet

3.1. Process management and security

ca-base <dir>
Assigns a default directory to fetch SSL CA certificates and CRLs from when a
relative path is used with "ca-file" or "crl-file" directives. Absolute
locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base".

chroot <jail dir>
Changes current directory to <jail dir> and performs a chroot() there before
dropping privileges. This increases the security level in case an unknown
vulnerability would be exploited, since it would make it very hard for the
attacker to exploit the system. This only works when the process is started
with superuser privileges. It is important to ensure that <jail_dir> is both
empty and non-writable to anyone.

cpu-map [auto:]<process-set>[/<thread-set>] <cpu-set>...
On Linux 2.6 and above, it is possible to bind a process or a thread to a
specific CPU set. This means that the process or the thread will never run on
other CPUs. The "cpu-map" directive specifies CPU sets for process or thread
sets. The first argument is a process set, eventually followed by a thread
set. These sets have the format

    all | odd | even | number[-[number]]

<number> must be a number between 1 and 32 or 64, depending on the machine's
word size. Any process IDs above nbproc and any thread IDs above nbthread are
ignored. It is possible to specify a range with two such number delimited by
a dash ('-'). It also is possible to specify all processes at once using
"all", only odd numbers using "odd" or even numbers using "even", just like
with the "bind-process" directive. The second and forthcoming arguments are
CPU sets. Each CPU set is either a unique number between 0 and 31 or 63 or a
range with two such numbers delimited by a dash ('-'). Multiple CPU numbers
or ranges may be specified, and the processes or threads will be allowed to
bind to all of them. Obviously, multiple "cpu-map" directives may be
specified. Each "cpu-map" directive will replace the previous ones when they
overlap. A thread will be bound on the intersection of its mapping and the
one of the process on which it is attached. If the intersection is null, no
specific binding will be set for the thread.

Ranges can be partially defined. The higher bound can be omitted. In such
case, it is replaced by the corresponding maximum value, 32 or 64 depending
on the machine's word size.

The prefix "auto:" can be added before the process set to let HAProxy
automatically bind a process or a thread to a CPU by incrementing
process/thread and CPU sets. To be valid, both sets must have the same
size. No matter the declaration order of the CPU sets, it will be bound from
the lowest to the highest bound. Having a process and a thread range with the
"auto:" prefix is not supported. Only one range is supported, the other one
must be a fixed number.
Examples:
    cpu-map 1-4 0-3   # bind processes 1 to 4 on the first 4 CPUs

    cpu-map 1/all 0-3 # bind all threads of the first process on the
                      # first 4 CPUs

    cpu-map 1- 0-     # will be replaced by "cpu-map 1-64 0-63"
                      # or "cpu-map 1-32 0-31" depending on the machine's
                      # word size.

    # all these lines bind the process 1 to the cpu 0, the process 2 to cpu 1
    # and so on.
    cpu-map auto:1-4 0-3
    cpu-map auto:1-4 0-1 2-3
    cpu-map auto:1-4 3 2 1 0

    # all these lines bind the thread 1 to the cpu 0, the thread 2 to cpu 1
    # and so on.
    cpu-map auto:1/1-4 0-3
    cpu-map auto:1/1-4 0-1 2-3
    cpu-map auto:1/1-4 3 2 1 0

    # bind each process to exactly one CPU using all/odd/even keyword
    cpu-map auto:all 0-63
    cpu-map auto:even 0-31
    cpu-map auto:odd 32-63

    # invalid cpu-map because process and CPU sets have different sizes.
    cpu-map auto:1-4 0    # invalid
    cpu-map auto:1 0-3    # invalid

    # invalid cpu-map because automatic binding is used with a process range
    # and a thread range.
    cpu-map auto:all/all 0  # invalid
    cpu-map auto:all/1-4 0  # invalid
    cpu-map auto:1-4/all 0  # invalid

crt-base <dir>
Assigns a default directory to fetch SSL certificates from when a relative
path is used with "crtfile" directives. Absolute locations specified after
"crtfile" prevail and ignore "crt-base".

daemon
Makes the process fork into background. This is the recommended mode of
operation. It is equivalent to the command line "-D" argument. It can be
disabled by the command line "-db" argument. This option is ignored in
systemd mode.

deviceatlas-json-file <path>
Sets the path of the DeviceAtlas JSON data file to be loaded by the API.
The path must be a valid JSON data file and accessible by HAProxy process.

deviceatlas-log-level <value>
Sets the level of information returned by the API. This directive is
optional and set to 0 by default if not set.

deviceatlas-separator <char>
Sets the character separator for the API properties results. This directive
is optional and set to | by default if not set.

deviceatlas-properties-cookie <name>
Sets the client cookie's name used for the detection if the DeviceAtlas
Client-side component was used during the request. This directive is optional
and set to DAPROPS by default if not set.

external-check
Allows the use of an external agent to perform health checks.
This is disabled by default as a security precaution.
See "option external-check".

gid <number>
Changes the process' group ID to <number>. It is recommended that the group
ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
be started with a user belonging to this group, or with superuser privileges.
Note that if haproxy is started from a user having supplementary groups, it
will only be able to drop these groups if started with superuser privileges.
See also "group" and "uid".

hard-stop-after <time>
Defines the maximum time allowed to perform a clean soft-stop.
Arguments :
<time>  is the maximum time (by default in milliseconds) for which the
        instance will remain alive when a soft-stop is received via the
        SIGUSR1 signal.
This may be used to ensure that the instance will quit even if connections
remain opened during a soft-stop (for example with long timeouts for a proxy
in tcp mode). It applies both in TCP and HTTP mode.
Example:
global
  hard-stop-after 30s

group <group name>
Similar to "gid" but uses the GID of group name <group name> from /etc/group.
See also "gid" and "user".