Haproxy官方文档翻译(第三章)全局参数(1) 附英文原文
3.全局参数
在global这个节点里的参数是“进程范围的”并且经常是“操作系统指定”的。它们通常是一次性设置而且一旦正确设置不需要动来动去的。它们中的
一些和命令行对应。
global节点支持以下关键词:
* 进程管理和安全
- ca-base
- chroot
- crt-base
- cpu-map
- daemon
- description
- deviceatlas-json-file
- deviceatlas-log-level
- deviceatlas-separator
- deviceatlas-properties-cookie
- external-check
- gid
- group
- hard-stop-after
- log
- log-tag
- log-send-hostname
- lua-load
- nbproc
- nbthread
- node
- pidfile
- presetenv
- resetenv
- uid
- ulimit-n
- user
- setenv
- stats
- ssl-default-bind-ciphers
- ssl-default-bind-ciphersuites
- ssl-default-bind-options
- ssl-default-server-ciphers
- ssl-default-server-ciphersuites
- ssl-default-server-options
- ssl-dh-param-file
- ssl-server-verify
- unix-bind
- unsetenv
- 51degrees-data-file
- 51degrees-property-name-list
- 51degrees-property-separator
- 51degrees-cache-size
- wurfl-data-file
- wurfl-information-list
- wurfl-information-list-separator
- wurfl-engine-mode
- wurfl-cache-size
- wurfl-useragent-priority
* 性能调节
- max-spread-checks
- maxconn
- maxconnrate
- maxcomprate
- maxcompcpuusage
- maxpipes
- maxsessrate
- maxsslconn
- maxsslrate
- maxzlibmem
- noepoll
- nokqueue
- nopoll
- nosplice
- nogetaddrinfo
- noreuseport
- profiling.tasks
- spread-checks
- server-state-base
- server-state-file
- ssl-engine
- ssl-mode-async
- tune.buffers.limit
- tune.buffers.reserve
- tune.bufsize
- tune.chksize
- tune.comp.maxlevel
- tune.h2.header-table-size
- tune.h2.initial-window-size
- tune.h2.max-concurrent-streams
- tune.http.cookielen
- tune.http.logurilen
- tune.http.maxhdr
- tune.idletimer
- tune.lua.forced-yield
- tune.lua.maxmem
- tune.lua.session-timeout
- tune.lua.task-timeout
- tune.lua.service-timeout
- tune.maxaccept
- tune.maxpollevents
- tune.maxrewrite
- tune.pattern.cache-size
- tune.pipesize
- tune.rcvbuf.client
- tune.rcvbuf.server
- tune.recv_enough
- tune.runqueue-depth
- tune.sndbuf.client
- tune.sndbuf.server
- tune.ssl.cachesize
- tune.ssl.lifetime
- tune.ssl.force-private-cache
- tune.ssl.maxrecord
- tune.ssl.default-dh-param
- tune.ssl.ssl-ctx-cache-size
- tune.ssl.capture-cipherlist-size
- tune.vars.global-max-size
- tune.vars.proc-max-size
- tune.vars.reqres-max-size
- tune.vars.sess-max-size
- tune.vars.txn-max-size
- tune.zlib.memlevel
- tune.zlib.windowsize
* 排错
- debug
- quiet
3.1 进程管理和安全
ca-base <dir>
当直接用“ca-file“表示ssL ca证书路径,“crl-file”关联crl路径,这个参数用来指定一个用来获取SSL CA证书和CRL(证书吊销列表)
的默认路径。绝对路径通常被指定在”ca-file“和“ctl-file”中,并且忽略"ca-base".
chroot <jail dir>
把当前目录切换到指定目录,并且在切换之前会抛弃所有的权限。这样做会增加安全等级以防止位置的漏洞被侦测。这样攻击者就很难
威胁到整个系统。这个选项只有用超级管理员权限启动进程的时候才有效。一定要确保你要切换的目录<jail_dir>是空的,并且任何用户没有写的权限。
cpu-map [auto:]<process-set>[/<thread-set>] <cpu-set>...
在Linux 2.6内核及以上版本,可以绑定一个进程或者线程到指定的CPU上。这意味着被指定的进程或者线程永远不会在指定以外的CPU上运行。“cpu-map”直接
指定CPU给指定的进程或线程用。第一个参数是一个进程,之后跟着一个线程。格式如下:
all | odd | even | number[-[number]]
<number> 必须是1到32者64中的一个,这取决于你的机器字节大小。任何在nbproc之上的进程ID和任何在nbthread之上的
线程ID都是被忽略的。可以用两个数字中间加("-")来指定一个范围。也可以用“all”指定所有的进程。只有奇数数字用“odd”
或者偶数数字用"even",就像用“bind-process”指令。第二个参数是CPU设置。每个CPU设置是一个介于0到31或者0到63或者两
个数字用“-”连接的唯一标识。你为每个cpu设置了标识,就可以绑定进程和线程了。显而易见,如果你想这样,你得设置
多个“cpu-map”指令。每个指令会覆盖之前与它发生冲突的指令。一个线程将绑定在它的映射和它附属的进程之一。如果线程没有
被映射而且它的进程也没有被映射,那么这个线程则不会被绑定。
我们可以定义部分范围。大的那个数字可以被省略。如果这样的话,大的那个数字就会被相应的最大数字替代,比如32或者64.这取决于你的机器字节大小。
你可以前面加上前缀“auto:”,这样可以在增加新的CPU或者新的进程、线程的时候让Haproxy自动绑定。为了确保设置有效,两个设置要有同样的size。
不管定义的CPU的顺序,它总是从下至上搜寻。把“auto:”前缀同时加到进程和线程的范围前面是不支持的。只有一个范围被支持,其他一个必须是精确的数字。
示例:
cpu-map 1-4 0-3 # 绑定标识为1到4的进程到前4个cpu
cpu-map 1/all 0-3 # 绑定第一个进程的所有线程到前4个CPU
cpu-map 1- 0- # 将会被替换成"cpu-map 1-64 0-63"
# 或者"cpu-map 1-32 0-31"这取决于你的机器字节大小
# 所有这些行绑定进程1到cpu0,进程2到cpu1,以此类推。
cpu-map auto:1-4 0-3
cpu-map auto:1-4 0-1 2-3
cpu-map auto:1-4 3 2 1 0
# 所有这些行绑定线程1到cpu0,线程2到cpu1,以此类推
cpu-map auto:1/1-4 0-3
cpu-map auto:1/1-4 0-1 2-3
cpu-map auto:1/1-4 3 2 1 0
# 使用all/odd/even关键词绑定每个进程到精确到cpu上
cpu-map auto:all 0-63
cpu-map auto:even 0-31
cpu-map auto:odd 32-63
# 无效的cpu-map设置,因为进程和cpu配置没有同样的数量
cpu-map auto:1-4 0 # invalid
cpu-map auto:1 0-3 # invalid
# 无效的cpu-map设置,因为自动绑定作用在了进程范围上
# and a thread range.
cpu-map auto:all/all 0 # invalid
cpu-map auto:all/1-4 0 # invalid
cpu-map auto:1-4/all 0 # invalid
crt-base <dir>
当用“crtfile”指令时,指定一个默认目录用来获取从这个指令SSL证书。在"crtfile"指令之后指定绝对路径会覆盖"crtfile"设置
并且忽略“crt-base”。
daemon
可以让进程在后台挂起。这种操作是被推荐的。相当于在命令行中用“-D”参数。也可以用“-db”来禁用。这个选项在systemd模式无效。
deviceatlas-json-file <path>
设置通过API加载的DeviceAtlas json数据的路径。这个路径必须是一个有效的json数据文件并且能被
HAProxy进程访问。
deviceatlas-log-level <value>
设置API返回信息的等级。这个指令是可选的如果不设置默认为0.
deviceatlas-separator <char>
设置API属性结果的字符分隔符。这个指令是可选的如果不设置默认为|。
deviceatlas-properties-cookie <name>
设置客户端的cooke名字,它是用来侦测在请求期间DeviceAtlas 客户端组件是否被使用。这个指令是可选的
如果不设置默认为DAPROPS.
external-check
允许使用外部代理来进行健康检查。这个指令由于安全原因默认被禁止的。
gid <number>
修改进程的group ID 为指定数字。推荐group id使用HAProxy的专用id或者一个类似的小的守护进程设置。
HAProxy必须用一个属于这个组的用户或者拥有超级用户权限的用户启动。注意,如果haproxy从一个
拥有额外组的用户启动了,那么如果从一个超级用户启动它只能丢弃这些额外组的权限。
你还可以参考“group”和“uid”。
hard-stop-after <time>
定义了用来处理一个清除软停止(clean soft-stop)所能执行的最大时间。
讨论:
<time> 是soft-stop在收到SIGUSR1信号后一个应用所能存活的最长时间(默认毫秒为单位)。
这可能是用来确保就算应用在软停止(soft-stop)期间,就算连接还在保持打开状态,应用依然会
被关闭。(比如tcp代理模式中的long timeouts)此设置TCP和HTTP模式都有效。
示例:
global
hard-stop-after 30s
group <group name>
类似于"gid",但是用/etc/group 中的group name来替代GID。可以参考gid和user指令。
未完待续,这章比较长,要分很多篇来完成。
------------------------------以下是英文原文-------------------------------
3. Global parameters
Parameters in the "global" section are process-wide and often OS-specific. They
are generally set once for all and do not need being changed once correct. Some
of them have command-line equivalents. The following keywords are supported in the "global" section : * Process management and security
- ca-base
- chroot
- crt-base
- cpu-map
- daemon
- description
- deviceatlas-json-file
- deviceatlas-log-level
- deviceatlas-separator
- deviceatlas-properties-cookie
- external-check
- gid
- group
- hard-stop-after
- log
- log-tag
- log-send-hostname
- lua-load
- nbproc
- nbthread
- node
- pidfile
- presetenv
- resetenv
- uid
- ulimit-n
- user
- setenv
- stats
- ssl-default-bind-ciphers
- ssl-default-bind-ciphersuites
- ssl-default-bind-options
- ssl-default-server-ciphers
- ssl-default-server-ciphersuites
- ssl-default-server-options
- ssl-dh-param-file
- ssl-server-verify
- unix-bind
- unsetenv
- 51degrees-data-file
- 51degrees-property-name-list
- 51degrees-property-separator
- 51degrees-cache-size
- wurfl-data-file
- wurfl-information-list
- wurfl-information-list-separator
- wurfl-engine-mode
- wurfl-cache-size
- wurfl-useragent-priority * Performance tuning
- max-spread-checks
- maxconn
- maxconnrate
- maxcomprate
- maxcompcpuusage
- maxpipes
- maxsessrate
- maxsslconn
- maxsslrate
- maxzlibmem
- noepoll
- nokqueue
- nopoll
- nosplice
- nogetaddrinfo
- noreuseport
- profiling.tasks
- spread-checks
- server-state-base
- server-state-file
- ssl-engine
- ssl-mode-async
- tune.buffers.limit
- tune.buffers.reserve
- tune.bufsize
- tune.chksize
- tune.comp.maxlevel
- tune.h2.header-table-size
- tune.h2.initial-window-size
- tune.h2.max-concurrent-streams
- tune.http.cookielen
- tune.http.logurilen
- tune.http.maxhdr
- tune.idletimer
- tune.lua.forced-yield
- tune.lua.maxmem
- tune.lua.session-timeout
- tune.lua.task-timeout
- tune.lua.service-timeout
- tune.maxaccept
- tune.maxpollevents
- tune.maxrewrite
- tune.pattern.cache-size
- tune.pipesize
- tune.rcvbuf.client
- tune.rcvbuf.server
- tune.recv_enough
- tune.runqueue-depth
- tune.sndbuf.client
- tune.sndbuf.server
- tune.ssl.cachesize
- tune.ssl.lifetime
- tune.ssl.force-private-cache
- tune.ssl.maxrecord
- tune.ssl.default-dh-param
- tune.ssl.ssl-ctx-cache-size
- tune.ssl.capture-cipherlist-size
- tune.vars.global-max-size
- tune.vars.proc-max-size
- tune.vars.reqres-max-size
- tune.vars.sess-max-size
- tune.vars.txn-max-size
- tune.zlib.memlevel
- tune.zlib.windowsize * Debugging
- debug
- quiet
3.1. Process management and security
Assigns a default directory to fetch SSL CA certificates and CRLs from when a
relative path is used with "ca-file" or "crl-file" directives. Absolute
locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base".
Changes current directory to <jail dir> and performs a chroot() there before
dropping privileges. This increases the security level in case an unknown
vulnerability would be exploited, since it would make it very hard for the
attacker to exploit the system. This only works when the process is started
with superuser privileges. It is important to ensure that <jail_dir> is both
empty and non-writable to anyone.
On Linux 2.6 and above, it is possible to bind a process or a thread to a
specific CPU set. This means that the process or the thread will never run on
other CPUs. The "cpu-map" directive specifies CPU sets for process or thread
sets. The first argument is a process set, eventually followed by a thread
set. These sets have the format all | odd | even | number[-[number]] <number>> must be a number between 1 and 32 or 64, depending on the machine's
word size. Any process IDs above nbproc and any thread IDs above nbthread are
ignored. It is possible to specify a range with two such number delimited by
a dash ('-'). It also is possible to specify all processes at once using
"all", only odd numbers using "odd" or even numbers using "even", just like
with the "bind-process" directive. The second and forthcoming arguments are
CPU sets. Each CPU set is either a unique number between 0 and 31 or 63 or a
range with two such numbers delimited by a dash ('-'). Multiple CPU numbers
or ranges may be specified, and the processes or threads will be allowed to
bind to all of them. Obviously, multiple "cpu-map" directives may be
specified. Each "cpu-map" directive will replace the previous ones when they
overlap. A thread will be bound on the intersection of its mapping and the
one of the process on which it is attached. If the intersection is null, no
specific binding will be set for the thread. Ranges can be partially defined. The higher bound can be omitted. In such
case, it is replaced by the corresponding maximum value, 32 or 64 depending
on the machine's word size. The prefix "auto:" can be added before the process set to let HAProxy
automatically bind a process or a thread to a CPU by incrementing
process/thread and CPU sets. To be valid, both sets must have the same
size. No matter the declaration order of the CPU sets, it will be bound from
the lowest to the highest bound. Having a process and a thread range with the
"auto:" prefix is not supported. Only one range is supported, the other one
must be a fixed number.
cpu-map 1-4 0-3 # bind processes 1 to 4 on the first 4 CPUs
cpu-map 1/all 0-3 # bind all threads of the first process on the
# first 4 CPUs
cpu-map 1- 0- # will be replaced by "cpu-map 1-64 0-63"
# or "cpu-map 1-32 0-31" depending on the machine's
# word size.
# all these lines bind the process 1 to the cpu 0, the process 2 to cpu 1
# and so on.
cpu-map auto:1-4 0-3
cpu-map auto:1-4 0-1 2-3
cpu-map auto:1-4 3 2 1 0
# all these lines bind the thread 1 to the cpu 0, the thread 2 to cpu 1
# and so on.
cpu-map auto:1/1-4 0-3
cpu-map auto:1/1-4 0-1 2-3
cpu-map auto:1/1-4 3 2 1 0
# bind each process to exactly one CPU using all/odd/even keyword
cpu-map auto:all 0-63
cpu-map auto:even 0-31
cpu-map auto:odd 32-63
# invalid cpu-map because process and CPU sets have different sizes.
cpu-map auto:1-4 0 # invalid
cpu-map auto:1 0-3 # invalid
# invalid cpu-map because automatic binding is used with a process range
# and a thread range.
cpu-map auto:all/all 0 # invalid
cpu-map auto:all/1-4 0 # invalid
cpu-map auto:1-4/all 0 # invalid
Assigns a default directory to fetch SSL certificates from when a relative
path is used with "crtfile" directives. Absolute locations specified after
"crtfile" prevail and ignore "crt-base".
Makes the process fork into background. This is the recommended mode of
operation. It is equivalent to the command line "-D" argument. It can be
disabled by the command line "-db" argument. This option is ignored in
systemd mode.
Sets the path of the DeviceAtlas JSON data file to be loaded by the API.
The path must be a valid JSON data file and accessible by HAProxy process.
Sets the level of information returned by the API. This directive is
optional and set to 0 by default if not set.
Sets the character separator for the API properties results. This directive
is optional and set to | by default if not set.
Sets the client cookie's name used for the detection if the DeviceAtlas
Client-side component was used during the request. This directive is optional
and set to DAPROPS by default if not set.
Allows the use of an external agent to perform health checks.
This is disabled by default as a security precaution.
See "option external-check".
Changes the process' group ID to <number>. It is recommended that the group
ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
be started with a user belonging to this group, or with superuser privileges.
Note that if haproxy is started from a user having supplementary groups, it
will only be able to drop these groups if started with superuser privileges.
See also "group" and "uid".
Defines the maximum time allowed to perform a clean soft-stop.
<time> is the maximum time (by default in milliseconds) for which the
instance will remain alive when a soft-stop is received via the
SIGUSR1 signal.
This may be used to ensure that the instance will quit even if connections
remain opened during a soft-stop (for example with long timeouts for a proxy
in tcp mode). It applies both in TCP and HTTP mode.
global
hard-stop-after 30s
Similar to "gid" but uses the GID of group name <group name> from /etc/group.
See also "gid" and "user".
Haproxy官方文档翻译(第三章)全局参数(1) 附英文原文的更多相关文章
- Haproxy官方文档翻译(第二章)配置Haproxy 附英文原文
2.配置 HAProxy 2.1 配置文件格式 Haproxy的配置过程包含了3部分的参数资源:- 命令行中的参数,此种参数总是享有优先权被使用- 配置文件中global节点中的参数,此种参数是进程范 ...
- MySQL文档翻译(八)附英文原文---性能优化概览
优化概述 数据库性能表现依赖于数据库级别的几个因素,比如表,查询和配置设置.这些软件在硬件级别通过CPU和IO操作构筑结果,你需要尽可能的使用最少的资源达到最大的效果.当你专注于数据库的性能表现时,你 ...
- Spring官方文档翻译(1~6章)
Spring官方文档翻译(1~6章) 转载至 http://blog.csdn.net/tangtong1/article/details/51326887 Spring官方文档.参考中文文档 一.S ...
- omnet++:官方文档翻译总结(三)
翻译总结自:Turning it Into a Real Network - OMNeT++ Technical Articles 接官方文档翻译总结(二),本节主要是真实网络的搭建 Part 4 - ...
- kong插件官方文档翻译
kong插件官方文档翻译 目录 介绍 文件结构 编写自定义逻辑 存储配置 访问数据存储 自定义实体 缓存自定义实体 扩展Admin API 编写测试 (卸载)安装你的插件 插件开发 - 介绍 什么是插 ...
- 简学Python第三章__函数式编程、递归、内置函数
#cnblogs_post_body h2 { background: linear-gradient(to bottom, #18c0ff 0%,#0c7eff 100%); color: #fff ...
- 第三章 JavaScript操作BOM对象
第三章 JavaScript操作BOM对象 一.window对象 浏览器对象模型(BOM)是javascript的组成之一,它提供了独立与浏览器窗口进行交换的对象,使用浏览器对象模型可以实现与HT ...
- Java Persistence with MyBatis 3(中文版) 第三章 使用XML配置SQL映射器
关系型数据库和SQL是经受时间考验和验证的数据存储机制.和其他的ORM 框架如Hibernate不同,MyBatis鼓励开发者可以直接使用数据库,而不是将其对开发者隐藏,因为这样可以充分发挥数据库服务 ...
- 多线程---iOS-Apple苹果官方文档翻译
本系列所有开发文档翻译链接地址:iOS7开发-Apple苹果iPhone开发Xcode官方文档翻译PDF下载地址(2013年12月29日更新版) 多线程 技术博客http://www.cnblo ...
随机推荐
- iview menu组件手动收起与展开
本文主要介绍menu组件在有子菜单时如何手动的展开与收起. 展开: 在需要展开的地方先设置openname变量如this.openname = ["设置"]; 再在$nextTic ...
- 壁虎书8 Dimensionality Reduction
many Machine Learning problems involve thousands or even millions of features for each training inst ...
- High Performance Networking in Google Chrome
小结: 1. 小文件存储于一个文件中: 在内部,磁盘缓存(disk cache)实现了它自己的一组数据结构, 它们被存储在一个单独的缓存目录里.其中有索引文件(在浏览器启动时加载到内存中),数据文件( ...
- python 科学计算与可视化
一.Numpy 库 NumPy(Numerical Python) 是 Python 语言的一个扩展程序库,支持大量的维度数组与矩阵运算,此外也针对数组运算提供大量的数学函数库. 引用: import ...
- oracle学习笔记第一天
oracle学习笔记第一天 --oracle学习的第一天 --一.几个基础的关键字 1.select select (挑选) 挑选出显示的--列--(可以多列,用“,”隔开,*表示所有列),为一条 ...
- 魔方---java
package LMS; import java.awt.AWTException;import java.awt.Robot;import java.awt.event.InputEvent;imp ...
- 常用数据类型的方法--str、int、list、dict
一.字符串类型(str) class str(basestring): """ str(object='') -> string Return a nice str ...
- REDHAT YUM本地源的搭建和使用
yum源一般分为两种,本地yum源和本地网络yum源,前者是通过文件提供安装包,后者是通过网络下载安装包: 由于Redhat7.3的yum源需要注册付费,所以往往会出现下载yum源安装包失败,如下图: ...
- virtual dom 简单了解
管理应用程序状态和用户界面的同步一直是前端UI开发复杂性的主要来源.目前出现了不同的方式来处理这个问题.本文简单讨论其中一种方式virtual dom. 文章概要: virtual dom 基本概念, ...
- php实现栈操作(不用push pop 库函数)
直接上代码 <?php /*php不用库函数实现栈操作 * @author Geyaru 2019-04-20 */ class stack{ private $top = -1; //栈指针初 ...