
Varnish Cache, how do I route client traffic based on client source IP address?

@varnishcache HELP? How do I route client traffic based on client source IP address?

NB: I have installed two varnish-cache servers in two different data centers.

As a point of reference I'd like you to look at https://www.varnish-software.com/developers/tutorials/multiple-backends/ . This is a tutorial that explains how to use multiple backends.

If your goal is to have a "sticky IP" strategy, you could use some VCL code like the example below:

vcl 4.1;

import directors;

backend backend1 {
    .host = "backend1.example.com";
    .port = "80";
}

backend backend2 {
    .host = "backend2.example.com";
    .port = "80";
}

backend backend3 {
    .host = "backend3.example.com";
    .port = "80";
}

sub vcl_init {
    # Hash director: the same hash key always maps to the same backend.
    # add_backend() on the hash director takes a mandatory weight.
    new vdir = directors.hash();
    vdir.add_backend(backend1, 1.0);
    vdir.add_backend(backend2, 1.0);
    vdir.add_backend(backend3, 1.0);
}

sub vcl_recv {
    # Hash on the client address, so every request from one IP lands on one backend
    set req.backend_hint = vdir.backend(client.ip);
}

In this case you'll create a hash based on the client.ip value and route traffic to the backend based on that hash. Every request by that IP address will end up on the same backend.

Watch out with TLS termination

It's important that the client.ip value contains the right value. If you're running a TLS proxy in front of Varnish, the client.ip value will always be that of the TLS proxy, unless you leverage the PROXY protocol.

If you're not using the PROXY protocol, you may want to consider using req.http.X-Forwarded-For as the value to hash on, because that header will contain the IP addresses of the actual client (and potentially other proxies in between).

UPDATE

Based on extra comments and a detailed specification of requirements, here's a new VCL file.

vcl 4.1;

import std;

# Health probe shared by all backends: 5 of the last 10 probes must succeed
probe health {
    .url = "/";
    .timeout = 2s;
    .interval = 5s;
    .window = 10;
    .threshold = 5;
}

backend cdn1 {
    .host = "cdn1.example.com";
    .port = "80";
    .probe = health;
}

backend cdn2 {
    .host = "cdn2.example.com";
    .port = "80";
    .probe = health;
}

backend origin {
    .host = "origin.example.com";
    .port = "80";
    .probe = health;
}

# Clients in this range are pinned to cdn2.
# In VCL ACL syntax the prefix length goes outside the quotes.
acl cdn2_acl {
    "12.13.14.0"/24;
}

sub vcl_recv {
    set req.grace = 10s;
    # X-Forwarded-For may be a comma-separated list; std.ip() needs a single
    # address, so take the leftmost entry and fall back to 0.0.0.0 if it is not one.
    if (std.ip(regsub(req.http.X-Forwarded-For, ",.*$", ""), "0.0.0.0") ~ cdn2_acl) {
        set req.backend_hint = cdn2;
    } elseif (std.healthy(cdn1)) {
        set req.backend_hint = cdn1;
    } else {
        # cdn1 is down: go straight to the origin and allow very stale content
        set req.backend_hint = origin;
        set req.grace = 24h;
    }
}

sub vcl_backend_response {
    # Objects stay usable for up to 24h past TTL; req.grace caps this per request
    set beresp.grace = 24h;
}

Summary of what this VCL file does:

  • If the value of the X-Forwarded-For header matches an IP address that is defined in the cdn2_acl ACL, route the traffic to the cdn2 backend
  • If the value of the X-Forwarded-For header doesn't match the ACL, try to route traffic to the cdn1 backend
  • If the cdn1 backend is healthy, serve content from cdn1
  • If the cdn1 backend is unhealthy, directly connect to the origin backend and ramp the grace value up to 24h
  • If any of the CDNs are used, decrease the grace to 10 seconds
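Two caveats apply to both VCL files in the answer above when routing on X-Forwarded-For. First, the header is set by whoever connects to Varnish: unless the TCP peer is your own TLS proxy, a client can put any address in it and steer itself onto a backend (or into the cdn2_acl pin) of its choosing, so only the entry appended by a trusted proxy should ever be used. Second, Varnish core appends client.ip to X-Forwarded-For before vcl_recv runs, so behind a proxy the header never holds a single address and a bare std.ip() call over the whole header falls through to its fallback. The PROXY protocol (varnishd -a with ,PROXY) avoids both problems because client.ip then already carries the original client address. The following VCL is an added example, not part of the original answer: it combines the sticky hash and the ACL pin from the two snippets above, but keys both on an address it has first validated. The proxy address 192.0.2.10, the X-Real-Client internal header name and the backend hostnames are assumptions for the example.

```vcl
vcl 4.1;

import directors;
import std;

# Assumed: the TLS terminator in front of Varnish is the only peer whose
# X-Forwarded-For contribution is believed (address is an example value).
acl trusted_proxies {
    "192.0.2.10";
    "127.0.0.1";
}

# Clients in this range are always pinned to cdn2 (prefix length outside the quotes).
acl cdn2_acl {
    "12.13.14.0"/24;
}

probe health {
    .url = "/";
    .timeout = 2s;
    .interval = 5s;
    .window = 10;
    .threshold = 5;
}

backend cdn1   { .host = "cdn1.example.com";   .port = "80"; .probe = health; }
backend cdn2   { .host = "cdn2.example.com";   .port = "80"; .probe = health; }
backend origin { .host = "origin.example.com"; .port = "80"; .probe = health; }

sub vcl_init {
    # Sticky routing across the CDN edges: same key, same backend (weights are mandatory)
    new vdir = directors.hash();
    vdir.add_backend(cdn1, 1.0);
    vdir.add_backend(cdn2, 1.0);
}

sub vcl_recv {
    # Step 1: establish the real client address in X-Real-Client (hypothetical
    # internal header). Drop any copy the client may have sent first.
    unset req.http.X-Real-Client;

    if (client.ip ~ trusted_proxies && req.http.X-Forwarded-For ~ ",") {
        # The TCP peer is our TLS proxy. Varnish has already appended client.ip
        # (the proxy) as the last entry, so the entry the proxy appended is the
        # second-to-last one. Everything left of it came from the client and is
        # ignored. The greedy "(.*,)?" group swallows those untrusted entries.
        set req.http.X-Real-Client = regsub(req.http.X-Forwarded-For,
            "^(.*,)?\s*([^, ]+)\s*,\s*[^,]+$", "\2");
    } else {
        # Direct connection, or a PROXY-protocol listener (e.g. -a :8443,PROXY),
        # where client.ip already is the original client and remote.ip the proxy.
        set req.http.X-Real-Client = client.ip;
    }

    # Step 2: route on the validated address only.
    set req.grace = 10s;
    if (std.ip(req.http.X-Real-Client, "0.0.0.0") ~ cdn2_acl) {
        set req.backend_hint = cdn2;
    } else {
        set req.backend_hint = vdir.backend(req.http.X-Real-Client);
    }

    # Step 3: if the chosen edge is sick (or no edge is healthy at all),
    # go straight to the origin and allow very stale content.
    if (!std.healthy(req.backend_hint)) {
        set req.backend_hint = origin;
        set req.grace = 24h;
    }
}

sub vcl_backend_response {
    set beresp.grace = 24h;
}
```

To confirm what Varnish actually receives, watch the header on live traffic with varnishlog -g request -i ReqHeader and check that the last X-Forwarded-For entry is the proxy and the one before it the client; if the listener uses the PROXY protocol, the else branch is taken and client.ip is the value to compare against the ACL.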
