{"id":1722,"date":"2025-11-11T21:29:33","date_gmt":"2025-11-11T18:29:33","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/haproxy-ile-l4-l7-yuk-dengeleme-nasil-sifir-kesinti-sunar-health-check-sticky-sessions-ve-tls-passthroughu-sade-sade-konusalim\/"},"modified":"2025-11-11T21:29:33","modified_gmt":"2025-11-11T18:29:33","slug":"haproxy-ile-l4-l7-yuk-dengeleme-nasil-sifir-kesinti-sunar-health-check-sticky-sessions-ve-tls-passthroughu-sade-sade-konusalim","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/haproxy-ile-l4-l7-yuk-dengeleme-nasil-sifir-kesinti-sunar-health-check-sticky-sessions-ve-tls-passthroughu-sade-sade-konusalim\/","title":{"rendered":"How Does L4\/L7 Load Balancing with HAProxy Deliver Zero Downtime? A Plain Talk About Health Checks, Sticky Sessions and TLS Passthrough"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Bir_Aksamustu_Trafik_Firtinasi_ve_Aklima_Dusen_HAProxy\"><span class=\"toc_number toc_depth_1\">1<\/span> An Evening Traffic Storm and HAProxy Coming to Mind<\/a><\/li><li><a href=\"#L4_mu_L7_mi_Yol_Agzinda_Durup_Yon_Soranlarin_Hikayesi\"><span class=\"toc_number toc_depth_1\">2<\/span> L4 or L7? The Story of Those Who Stop at the Crossroads to Ask for Directions<\/a><ul><li><a href=\"#Bir_Katman_Masali_Kapida_mi_lobide_mi_karsilarsin\"><span class=\"toc_number toc_depth_2\">2.1<\/span> A Tale of Layers: Do You Greet at the Door or in the Lobby?<\/a><\/li><\/ul><\/li><li><a href=\"#Health_Check_Sunucunun_Nabzini_Parmak_Ucunda_Hissetmek\"><span class=\"toc_number toc_depth_1\">3<\/span> Health Check: Feeling the Server\u2019s Pulse at Your Fingertips<\/a><ul><li><a href=\"#Iyi_misin_demenin_otomatik_yolu\"><span class=\"toc_number toc_depth_2\">3.1<\/span> The automatic way of asking \u201cAre you okay?\u201d<\/a><\/li><\/ul><\/li><li><a href=\"#Sticky_Sessions_Ziyaretciyi_Taniyan_Kapici\"><span class=\"toc_number toc_depth_1\">4<\/span> Sticky Sessions: The Doorman Who Recognizes the Visitor<\/a><ul><li><a href=\"#Bu_ziyaretci_hep_ayni_masayi_istiyor_durumu\"><span class=\"toc_number toc_depth_2\">4.1<\/span> The \u201cthis visitor always wants the same table\u201d situation<\/a><\/li><\/ul><\/li><li><a href=\"#TLS_Termination_ve_TLS_Passthrough_Hangi_Kapida_Paltomuzu_Cikaracagiz\"><span class=\"toc_number toc_depth_1\">5<\/span> TLS Termination and TLS Passthrough: At Which Door Do We Take Off Our Coat?<\/a><ul><li><a href=\"#Bazen_kapida_cozersin_bazen_iceri_alirsin\"><span class=\"toc_number toc_depth_2\">5.1<\/span> Sometimes you unwrap at the door, sometimes you let it in<\/a><\/li><\/ul><\/li><li><a href=\"#Sifir_Kesinti_Dagitimi_Sahne_Arkasinda_Degistirirken_Isiklar_Hic_Sonmesin\"><span class=\"toc_number toc_depth_1\">6<\/span> Zero Downtime: Changing the Deployment Backstage Without the Lights Ever Going Out<\/a><ul><li><a href=\"#Hitless_reload_ve_yumusak_gecisler\"><span class=\"toc_number toc_depth_2\">6.1<\/span> \u201cHitless reload\u201d and smooth transitions<\/a><\/li><\/ul><\/li><li><a 
href=\"#Gercek_Dunya_Akislari_Web_API_WebSocket_ve_gRPC\"><span class=\"toc_number toc_depth_1\">7<\/span> Real-World Flows: Web, API, WebSocket and gRPC<\/a><ul><li><a href=\"#Mesela_soyle_dusunun\"><span class=\"toc_number toc_depth_2\">7.1<\/span> \u201cFor example, think of it this way\u2026\u201d<\/a><\/li><\/ul><\/li><li><a href=\"#Gozlem_Log_ve_Kucuk_Ipuclari_Sorun_Cikmadan_Once_Gormek\"><span class=\"toc_number toc_depth_1\">8<\/span> Observability, Logs and Small Tips: Seeing Problems Before They Happen<\/a><ul><li><a href=\"#Izle_olc_kucuk_duzeltmeler_yap\"><span class=\"toc_number toc_depth_2\">8.1<\/span> Watch, measure, make small adjustments<\/a><\/li><\/ul><\/li><li><a href=\"#Kucuk_Konfigurasyon_Tarifleri_Tadinda_ve_Yeterince\"><span class=\"toc_number toc_depth_1\">9<\/span> Small Configuration Recipes: Just Right and Just Enough<\/a><ul><li><a href=\"#Bir_tutam_socket_bir_cimdik_drain\"><span class=\"toc_number toc_depth_2\">9.1<\/span> A pinch of socket, a dash of drain<\/a><\/li><\/ul><\/li><li><a href=\"#Kapanis_Trafigi_Sakinlestirmek_ve_Gunu_Guzel_Bitirmek\"><span class=\"toc_number toc_depth_1\">10<\/span> Closing: Calming the Traffic and Ending the Day Well<\/a><ul><li><a href=\"#Yaniniza_alacaginiz_kucuk_notlar\"><span class=\"toc_number toc_depth_2\">10.1<\/span> Small notes to take with you<\/a><\/li><\/ul><\/li><\/ul><\/div>\n<h2 id=\"section-1\"><span id=\"Bir_Aksamustu_Trafik_Firtinasi_ve_Aklima_Dusen_HAProxy\">An Evening Traffic Storm and HAProxy Coming to Mind<\/span><\/h2>\n<p>Has it ever happened to you? Traffic rises all at once as if by agreement, the support team holds its breath, everyone is glued to the monitor. 
For me it was one of those evenings. Orders were climbing, users were rushing around, and meanwhile the minutes were counting down to a new version rollout. Right then I thought: \u201cWho is calmly managing this flow?\u201d The answer had actually been part of our lives for a while: <strong>L4\/L7 load balancing with HAProxy<\/strong>. Like a polite traffic officer, it routes between streets and also understands who should go where, who is tired and who is fresh. What is more, if we set it up correctly, this whole dance flows along with zero downtime.<\/p>\n<p>In this article we will treat L4 and L7 load balancing like a story. We will talk about how we take the servers\u2019 pulse with <strong>health checks<\/strong>, and how we recognize a visitor with <strong>sticky sessions<\/strong> and \u201cgently\u201d route them to the same application server. Then we will unpack the difference between <strong>TLS termination<\/strong> and <strong>TLS passthrough<\/strong> with everyday examples. Finally, I will explain how \u201czero-downtime\u201d deployment is a real thing, along with its small tricks. If you are ready, let us turn that evening panic into a calm flow together.<\/p>\n<h2 id=\"section-2\"><span id=\"L4_mu_L7_mi_Yol_Agzinda_Durup_Yon_Soranlarin_Hikayesi\">L4 or L7? The Story of Those Who Stop at the Crossroads to Ask for Directions<\/span><\/h2>\n<h3><span id=\"Bir_Katman_Masali_Kapida_mi_lobide_mi_karsilarsin\">A Tale of Layers: Do You Greet at the Door or in the Lobby?<\/span><\/h3>\n<p>In load balancing, L4 is a bit like the security guard at the door. Who arrived, which port do they want to enter, what is their IP, and that is all. It decides quickly and sends them straight to the right door. L7 is like the information desk in the lobby; it understands better what the visitor wants. What is the URL, what do the headers say, is there a cookie, maybe even the language preference\u2026 L4 is fast and cheap, while L7 makes \u201csmarter\u201d routing decisions. Now let us bring this into everyday life. For example, think of it this way: on an e-commerce site some requests go to file downloads and some to the cart. You may want to hand file downloads quickly to a node with L4, and handle more sensitive flows such as cart and checkout with the fine tuning of L7.<\/p>\n<p>The approach I like in practice is to use the power of L4 at the edge and turn to the intelligence of L7 for critical applications. This strikes a balance between speed and flexibility. 
Here is a very small taste:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># Simple L4 (TCP) pass-through without termination - TLS passthrough example\nfrontend fe_tls\n  bind :443\n  mode tcp\n  # Wait up to 5s for the TLS ClientHello so the SNI can be read before a backend is chosen\n  tcp-request inspect-delay 5s\n  tcp-request content accept if { req.ssl_hello_type 1 }\n  use_backend bk_api if { req.ssl_sni -i api.example.com }\n  use_backend bk_www if { req.ssl_sni -i www.example.com }\n\nbackend bk_api\n  mode tcp\n  balance roundrobin\n  server api1 10.0.0.11:443 check\n  server api2 10.0.0.12:443 check\n\nbackend bk_www\n  mode tcp\n  balance roundrobin\n  server www1 10.0.0.21:443 check\n  server www2 10.0.0.22:443 check\n<\/code><\/pre>\n<p>Here we are at L4; without decrypting TLS we only look at the <strong>SNI<\/strong> and send the traffic to the matching backend. If you want to make things more colorful with L7, you can terminate TLS here and decide at the HTTP level:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># L7 (HTTP) - TLS termination and smart routing\nfrontend fe_https\n  bind :443 ssl crt \/etc\/haproxy\/certs\/ alpn h2,http\/1.1\n  mode http\n  option forwardfor\n  http-request set-header X-Forwarded-Proto https\n  use_backend bk_static if { path_beg \/assets\/ }\n  default_backend bk_app\n\nbackend bk_static\n  mode http\n  balance roundrobin\n  http-response set-header Cache-Control max-age=600\n  server cdn1 10.0.0.31:80 check\n  server cdn2 10.0.0.32:80 check\n\nbackend bk_app\n  mode http\n  balance leastconn\n  server app1 10.0.0.41:8080 check\n  server app2 10.0.0.42:8080 check\n<\/code><\/pre>\n<p>As you can see, with L7 we can make finer decisions. While sending static files to one place and the application to another, we can even add small cache headers on top. 
Let us be frank: mixing the two according to business needs is quite natural and it works.<\/p>\n<h2 id=\"section-3\"><span id=\"Health_Check_Sunucunun_Nabzini_Parmak_Ucunda_Hissetmek\">Health Check: Feeling the Server\u2019s Pulse at Your Fingertips<\/span><\/h2>\n<h3><span id=\"Iyi_misin_demenin_otomatik_yolu\">The automatic way of asking \u201cAre you okay?\u201d<\/span><\/h3>\n<p>When a user sees a 404, morale drops; when they see a 500, trust drops. This is exactly where the health check takes the stage. HAProxy regularly asks the backend servers \u201cyou are okay, right?\u201d. This is not just a ping; sometimes you need to expect a specific response from a specific URL. For example, if the application is healthy it exposes an endpoint that says \u201cOK\u201d, and HAProxy looks for that. If it gets a bad answer twice in a row, it takes that server out of traffic; once it recovers, it puts it back in the game.<\/p>\n<p>For a simple, clear setup you can think of it like this: open a lightweight checkpoint such as \/healthz in your application. Let it say \u201cI am up\u201d without needing the database or external services. HAProxy looks at this and keeps the load safe. A small example:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">backend bk_app\n  mode http\n  option httpchk GET \/healthz\n  http-check expect status 200\n  default-server inter 2s fall 3 rise 2\n  server app1 10.0.0.41:8080 check\n  server app2 10.0.0.42:8080 check\n<\/code><\/pre>\n<p>Settings like \u201cFall 3, rise 2\u201d describe how many times a server must stumble before it is marked down and how many good answers it must give to recover. 
This way servers do not drop out of the game immediately because of a one-off hiccup. If you are at L4, you can take the pulse at the port level using <strong>tcp-check<\/strong>. In more complex scenarios it feels good to run multiple checks, or even to verify critical dependencies through a separate \u201c\/readyz\u201d endpoint.<\/p>\n<h2 id=\"section-4\"><span id=\"Sticky_Sessions_Ziyaretciyi_Taniyan_Kapici\">Sticky Sessions: The Doorman Who Recognizes the Visitor<\/span><\/h2>\n<h3><span id=\"Bu_ziyaretci_hep_ayni_masayi_istiyor_durumu\">The \u201cthis visitor always wants the same table\u201d situation<\/span><\/h3>\n<p>Some applications, especially session-based ones, want to see the user always on the same server. Why? Because the session data lives in the server\u2019s memory, there is no shared session store, or you are not ready for one yet. Sticky sessions gently route this visitor to the same backend. It can be done with a cookie, by IP, or even with custom rules. The most practical is the cookie method.<\/p>\n<p>For example, think of it this way: a logged-in user is filling their cart. The cart created on Server 1 sits in memory. If the user suddenly lands on Server 2 in the middle of the flow, the cart seems to have vanished. 
To prevent this, we add a cookie with HAProxy and keep a user who has connected once on the same server:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">backend bk_app\n  mode http\n  balance roundrobin\n  cookie SRV insert indirect nocache\n  server app1 10.0.0.41:8080 cookie s1 check\n  server app2 10.0.0.42:8080 cookie s2 check\n<\/code><\/pre>\n<p>This setup is like handing the visitor an invisible note. It says \u201cthis friend was sitting at table s1\u201d. Alternatively, you can use IP-based affinity. It is a cruder method, but sometimes it does the job:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">backend bk_api\n  mode http\n  balance source\n  hash-type consistent\n  server api1 10.0.0.11:8080 check\n  server api2 10.0.0.12:8080 check\n<\/code><\/pre>\n<p>Sticky sessions are not a magic wand. If you restart the application server, the in-memory sessions can be lost. So in the medium term, moving to a shared session store or a stateless design always brings peace of mind. 
By the way, when it comes to consistency and distribution at the data layer, I have often seen in the backend world how <a href=\"https:\/\/www.dchost.com\/blog\/proxysql-ile-mysql-read-write-split-ve-baglanti-havuzu-woocommerce-laravel-icin-gercek-dunya-rehberi\/\">neatly splitting read\/write traffic with ProxySQL<\/a> eases the application experience; thinking about the application layer and the data layer together creates a nice flow.<\/p>\n<h2 id=\"section-5\"><span id=\"TLS_Termination_ve_TLS_Passthrough_Hangi_Kapida_Paltomuzu_Cikaracagiz\">TLS Termination and TLS Passthrough: At Which Door Do We Take Off Our Coat?<\/span><\/h2>\n<h3><span id=\"Bazen_kapida_cozersin_bazen_iceri_alirsin\">Sometimes you unwrap at the door, sometimes you let it in<\/span><\/h3>\n<p>TLS is the coat that encrypts our traffic. You can take this coat off at HAProxy (termination), or pass it to the backend without touching it (passthrough). With termination HAProxy sees the content; it can do smart things such as routing, WAF and header editing. With passthrough HAProxy leaves the coat alone, only looks at the SNI to decide where the traffic goes, and decryption is left to the backend.<\/p>\n<p>Which one should we choose when? If you need L7 decisions, terminating TLS at the front is very useful. But if you want to leave decryption to the application servers because of regulation, security policy or performance, passthrough is the right choice. With SNI routing you can carry multiple domains on a single entry point. 
On the certificate management side I generally like automation; for example, with <a href=\"https:\/\/letsencrypt.org\/docs\/\" rel=\"nofollow noopener\" target=\"_blank\">the ACME flow described in the Let\u2019s Encrypt documentation<\/a> it is possible to run certificate renewal like the wind using scripts.<\/p>\n<p>A note: if you want your backend services to authenticate each other, mTLS, that is mutual certificate authentication, looks very elegant. We discussed this topic in detail separately, in <a href=\"https:\/\/www.dchost.com\/blog\/nginx-ve-caddyde-mtls-nasil-kurulur-mikroservislerde-sertifika-dogrulamanin-tatli-sirlari\/\">the guide on how to fortify microservices like a castle with mTLS<\/a>. While HAProxy terminates TLS at the front, protecting service-to-service traffic inside with mTLS gives us peace of mind.<\/p>\n<h2 id=\"section-6\"><span id=\"Sifir_Kesinti_Dagitimi_Sahne_Arkasinda_Degistirirken_Isiklar_Hic_Sonmesin\">Zero Downtime: Changing the Deployment Backstage Without the Lights Ever Going Out<\/span><\/h2>\n<h3><span id=\"Hitless_reload_ve_yumusak_gecisler\">\u201cHitless reload\u201d and smooth transitions<\/span><\/h3>\n<p>One fact: configurations change, certificates get renewed, new versions arrive. What matters is that the user flow does not stall while this happens. The beauty of HAProxy is that, when set up correctly, it can reload without cutting traffic. With the master-worker model and the \u201chitless reload\u201d approach, the new process comes up while the old one waits until it has finished its work. 
In practice I like this approach: use the control socket to gently put servers into \u201cdrain\u201d mode so they stop receiving new requests, wait for existing requests to finish, then deploy the new version and bring them back. This should be done calmly, like changing rooms while the baby sleeps.<\/p>\n<p>On the HAProxy side, opening a \u201cstats socket\u201d to support this is a good habit. That way you can issue commands such as \u201ctemporarily disable this server, lower its weight\u201d. If you reload the configuration, details such as stick-tables and the graceful handover of connections also make your job easier. On this topic, <a href=\"https:\/\/www.haproxy.com\/blog\/hitless-reloads-with-haproxy\/\" rel=\"nofollow noopener\" target=\"_blank\">the guide that explains seamless reloads<\/a> describes the logic of an effortless transition very well.<\/p>\n<p>If you want to make deployment even sweeter, you can set up two environments, blue-green style, and slowly shift traffic to the new one. Once you back it with automation on the DNS side as well, things become really smooth. 
We covered this, bringing DNS into the picture as well, in the article on <a href=\"https:\/\/www.dchost.com\/blog\/terraform-ile-vps-ve-dns-otomasyonu-cloudflare-proxmox-openstack-ve-sifir-kesinti-dagitim-nasil-bir-araya-gelir\/\">how Terraform, Cloudflare and zero-downtime deployment come together<\/a>; this orchestration works very well with HAProxy.<\/p>\n<h2 id=\"section-7\"><span id=\"Gercek_Dunya_Akislari_Web_API_WebSocket_ve_gRPC\">Real-World Flows: Web, API, WebSocket and gRPC<\/span><\/h2>\n<h3><span id=\"Mesela_soyle_dusunun\">\u201cFor example, think of it this way\u2026\u201d<\/span><\/h3>\n<p>Say I have a WordPress e-commerce site and traffic spikes during a campaign. With L7 I route static files to lightweight servers and PHP requests to more powerful nodes. With health checks I pull the tired one aside. With sticky sessions the cart does not get mixed up. And with some added cache headers the pages flow faster. In a similar situation even a small micro-cache at the edge is a breath of fresh air; if you are curious about this on the Nginx side, you will like the guide where I explain <a href=\"https:\/\/www.dchost.com\/blog\/nginx-mikro-onbellekleme-ile-php-uygulamalarini-ucurmak-1-5-sn-cache-bypass-ve-purge-ne-zaman-nasil\/\">how micro-caching makes PHP applications fly<\/a>.<\/p>\n<p>With APIs, the capabilities of L7 shine. Sending specific endpoints to different pools, applying limits and editing headers all help. 
Some teams use WebSocket or gRPC; there connections stay open for a long time and heartbeats matter. Set timeouts carefully. If you also have a CDN or proxy layer at the edge, you need to make sure its timeout settings are consistent with HAProxy. On this, the tips in the article where I share <a href=\"https:\/\/www.dchost.com\/blog\/cloudflare-ile-websocket-ve-grpc-yayini-nasil-hep-canli-kalir-nginx-timeout-keep%e2%80%91alive-ve-kesintisiz-dagitimin-sirlari\/\">the secrets of keeping WebSocket and gRPC streams alive<\/a> will also serve you behind HAProxy.<\/p>\n<p>Trust in communication between internal services is a pleasant topic of its own. Some teams make L7 decisions at the front with HAProxy and secure service-to-service traffic inside with mTLS. That way internal traffic is encrypted and authenticated. What is more, certificate renewal and distribution blend into the daily routine with a little automation. 
While we are at it, when learning HAProxy configuration, <a href=\"https:\/\/www.haproxy.org\/download\/2.8\/doc\/configuration.txt\" rel=\"nofollow noopener\" target=\"_blank\">the configuration manual in HAProxy\u2019s official documentation<\/a> is a lifesaver; bookmark the page, and when you need it the directive you are looking for is right in front of you.<\/p>\n<h2 id=\"section-8\"><span id=\"Gozlem_Log_ve_Kucuk_Ipuclari_Sorun_Cikmadan_Once_Gormek\">Observability, Logs and Small Tips: Seeing Problems Before They Happen<\/span><\/h2>\n<h3><span id=\"Izle_olc_kucuk_duzeltmeler_yap\">Watch, measure, make small adjustments<\/span><\/h3>\n<p>One of my favorite moments is seeing a small spike on a graph and saying \u201cAha, something is going on here\u201d. Keeping HAProxy logs readable, recording the IP and the real client through headers, and flagging slow requests makes a big difference. Collecting detailed traces on the application side afterwards tightens things up end to end. On this, <a href=\"https:\/\/www.dchost.com\/blog\/opentelemetry-ile-izlenebilirlik-laravel-ve-node-jste-jaeger-tempoya-uctan-uca-izler-nasil-kurulur\/\">the OpenTelemetry observability guide<\/a> has sample flows that will answer your curiosity about \u201cwhat is slow where\u201d; this is very useful for applications running with HAProxy in front of them.<\/p>\n<p>A small but important note: timeout values. Keeping these values consistent between the client, HAProxy and the backend prevents unnecessary disconnects. 
For long-lived connections such as WebSocket\/gRPC these settings are practically a seat belt. Do not forget automation on the certificate renewal side either; it is annoying when a certificate expires in the middle of the night and the browser starts complaining. For automation, a simple ACME client plus \u201chitless reload\u201d goes a long way.<\/p>\n<h2 id=\"section-9\"><span id=\"Kucuk_Konfigurasyon_Tarifleri_Tadinda_ve_Yeterince\">Small Configuration Recipes: Just Right and Just Enough<\/span><\/h2>\n<h3><span id=\"Bir_tutam_socket_bir_cimdik_drain\">A pinch of socket, a dash of drain<\/span><\/h3>\n<p>Sometimes minimalism is best. The example below combines control over the socket with graceful deployment practices:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">global\n  log \/dev\/log local0\n  # Admin-level runtime socket; mode 660 limits access to the socket's owner and group.\n  # expose-fd listeners lets a reloaded process take over the listening sockets.\n  stats socket \/run\/haproxy\/admin.sock mode 660 level admin expose-fd listeners\n  master-worker\n\ndefaults\n  log global\n  mode http\n  option httplog\n  timeout connect 5s\n  timeout client  50s\n  timeout server  50s\n\nfrontend fe_https\n  bind :443 ssl crt \/etc\/haproxy\/certs\/ alpn h2,http\/1.1\n  default_backend bk_app\n\nbackend bk_app\n  balance leastconn\n  option httpchk GET \/healthz\n  default-server inter 2s fall 3 rise 2\n  server app1 10.0.0.41:8080 check\n  server app2 10.0.0.42:8080 check\n<\/code><\/pre>\n<p>Before a deployment, you can gently pull a server off the stage as shown below. 
These commands mean \u201ctake no new guests, see the existing ones out\u201d without breaking active connections:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">echo &quot;set server bk_app\/app2 state drain&quot; | socat stdio \/run\/haproxy\/admin.sock\n# Deploy the new version to app2, wait for the health check to go green, then bring it back:\necho &quot;set server bk_app\/app2 state ready&quot; | socat stdio \/run\/haproxy\/admin.sock\n<\/code><\/pre>\n<p>After updating the configuration, when you issue a \u201creload\u201d, connections switch over without taking a hit. To learn the finer points of this technique, it is again well worth reading <a href=\"https:\/\/www.haproxy.com\/blog\/hitless-reloads-with-haproxy\/\" rel=\"nofollow noopener\" target=\"_blank\">the explanations of the hitless reload approach<\/a>.<\/p>\n<h2 id=\"section-10\"><span id=\"Kapanis_Trafigi_Sakinlestirmek_ve_Gunu_Guzel_Bitirmek\">Closing: Calming the Traffic and Ending the Day Well<\/span><\/h2>\n<h3><span id=\"Yaniniza_alacaginiz_kucuk_notlar\">Small notes to take with you<\/span><\/h3>\n<p>L4\/L7 load balancing with HAProxy calms traffic down when set up correctly. With health checks we take the servers\u2019 pulse, with sticky sessions we keep the user experience balanced, and with TLS termination or passthrough we put security and flexibility where they belong. Add zero-downtime deployment practices on top, and the need to set a midnight alarm shrinks. The secret is small steps, consistent automation and regular observation. 
And plain, readable configurations.<\/p>\n<p>Let me sketch a practical route: first open a simple health endpoint and check it from HAProxy. Then decide whether you will solve your stickiness need with a cookie or by IP. Where you terminate TLS depends on both your security policy and your routing needs. Automate renewal; if you like, start <a href=\"https:\/\/letsencrypt.org\/docs\/\" rel=\"nofollow noopener\" target=\"_blank\">with inspiration from the Let\u2019s Encrypt documentation<\/a>. As the work grows, automation and orchestration become unavoidable; here, review <a href=\"https:\/\/www.dchost.com\/blog\/terraform-ile-vps-ve-dns-otomasyonu-cloudflare-proxmox-openstack-ve-sifir-kesinti-dagitim-nasil-bir-araya-gelir\/\">the practices that handle DNS and infrastructure together with Terraform<\/a>. Seeing the work as a whole is reassuring.<\/p>\n<p>I hope this guide turns the evening panic into that sweet calm of sunset. One day, in another busy deployment moment, may these lines come to mind as you confidently \u201creload\u201d your HAProxy configuration. If you have questions or things you are curious about, share them. Until the next article, may your traffic always flow and your downtime be zero.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents 1 An Evening Traffic Storm and HAProxy Coming to Mind 2 L4 or L7? The Story of Those Who Stop at the Crossroads to Ask for Directions 2.1 A Tale of Layers: Do You Greet at the Door or in the Lobby? 3 Health Check: Feeling the Server\u2019s Pulse at Your Fingertips 3.1 The automatic way of asking \u201cAre you okay?\u201d 4 Sticky Sessions: The Doorman Who Recognizes the Visitor 4.1 The \u201cthis visitor always wants the same table\u201d situation 5 TLS Termination and TLS [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1723,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-1722","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1722","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=1722"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1722\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/1723"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=1722"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=1722"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=1722"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}