基本框架

2026-03-21 04:36:06 +08:00
commit de1be1dbe5
125 changed files with 10302 additions and 0 deletions
--- a/ansible/files/01-08-haproxy/README.md
+++ b/ansible/files/01-08-haproxy/README.md
@@ -0,0 +1,11 @@
+# 01-08 HAProxy 配置
+
+用于 `docs/01-08-openwrt-haproxy.md`，可与 Ansible 共用（复制到 OpenWrt 或通过 playbook 下发）。
+
+| 文件 | 说明 |
+|------|------|
+| haproxy.cfg | 基础配置，TCP 健康检查 |
+| haproxy-proxy.cfg | 启用 send-proxy-v2（Traefik 真实 IP） |
+| haproxy-proxy-http-tls.cfg | HTTP 检查 + TLS 检查 + PROXY 组合 |
+
+按实际节点 IP 修改 `192.168.2.61`～`192.168.2.64`。80/443 被封时可将 `bind *:80` / `bind *:443` 改为 `*:18080` / `*:18443`。
--- a/ansible/files/01-08-haproxy/haproxy-proxy-http-tls.cfg
+++ b/ansible/files/01-08-haproxy/haproxy-proxy-http-tls.cfg
@@ -0,0 +1,39 @@
+# 01-08 HAProxy - 健康检查升级（HTTP+TLS）+ PROXY Protocol
+# 组合：k3s_http 用 option httpchk，k3s_https 用 ssl-hello-chk，均带 send-proxy-v2
+# 文档：docs/01-08-openwrt-haproxy.md 第 5 节「健康检查与 PROXY 组合」
+global
+    log /dev/log local0
+    maxconn 4096
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:80
+    default_backend k3s_http
+
+frontend https_in
+    bind *:443
+    mode tcp
+    default_backend k3s_https
+
+backend k3s_http
+    option httpchk GET /
+    balance roundrobin
+    server ylc61 192.168.2.61:80 check send-proxy-v2
+    server ylc62 192.168.2.62:80 check send-proxy-v2
+    server ylc63 192.168.2.63:80 check send-proxy-v2
+    server ylc64 192.168.2.64:80 check send-proxy-v2
+
+backend k3s_https
+    mode tcp
+    option ssl-hello-chk
+    balance roundrobin
+    server ylc61 192.168.2.61:443 check send-proxy-v2
+    server ylc62 192.168.2.62:443 check send-proxy-v2
+    server ylc63 192.168.2.63:443 check send-proxy-v2
+    server ylc64 192.168.2.64:443 check send-proxy-v2
--- a/ansible/files/01-08-haproxy/haproxy-proxy.cfg
+++ b/ansible/files/01-08-haproxy/haproxy-proxy.cfg
@@ -0,0 +1,37 @@
+# 01-08 HAProxy - 启用 PROXY Protocol（send-proxy-v2）
+# 用于 Traefik 获取真实客户端 IP，需配合 Traefik trustedIPs
+# 文档：docs/01-08-openwrt-haproxy.md 第 5 节
+global
+    log /dev/log local0
+    maxconn 4096
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:80
+    default_backend k3s_http
+
+frontend https_in
+    bind *:443
+    mode tcp
+    default_backend k3s_https
+
+backend k3s_http
+    balance roundrobin
+    server ylc61 192.168.2.61:80 check send-proxy-v2
+    server ylc62 192.168.2.62:80 check send-proxy-v2
+    server ylc63 192.168.2.63:80 check send-proxy-v2
+    server ylc64 192.168.2.64:80 check send-proxy-v2
+
+backend k3s_https
+    mode tcp
+    balance roundrobin
+    server ylc61 192.168.2.61:443 check send-proxy-v2
+    server ylc62 192.168.2.62:443 check send-proxy-v2
+    server ylc63 192.168.2.63:443 check send-proxy-v2
+    server ylc64 192.168.2.64:443 check send-proxy-v2
--- a/ansible/files/01-08-haproxy/haproxy.cfg
+++ b/ansible/files/01-08-haproxy/haproxy.cfg
@@ -0,0 +1,38 @@
+# 01-08 OpenWrt HAProxy 负载均衡 - 基础配置
+# 文档：docs/01-08-openwrt-haproxy.md
+# 将 192.168.2.61～64 按实际 K3s 节点 IP 修改
+global
+    log /dev/log local0
+    maxconn 4096
+    # 部分 OpenWrt 需 daemon / pidfile，按发行版调整；若无 /dev/log 可改 log 127.0.0.1 local0
+
+defaults
+    mode http
+    option httplog
+    timeout connect 5s
+    timeout client 30s
+    timeout server 30s
+
+frontend http_in
+    bind *:80
+    default_backend k3s_http
+
+frontend https_in
+    bind *:443
+    mode tcp
+    default_backend k3s_https
+
+backend k3s_http
+    balance roundrobin
+    server ylc61 192.168.2.61:80 check
+    server ylc62 192.168.2.62:80 check
+    server ylc63 192.168.2.63:80 check
+    server ylc64 192.168.2.64:80 check
+
+backend k3s_https
+    mode tcp
+    balance roundrobin
+    server ylc61 192.168.2.61:443 check
+    server ylc62 192.168.2.62:443 check
+    server ylc63 192.168.2.63:443 check
+    server ylc64 192.168.2.64:443 check