lvs-dr模型实现http和https两种负载均衡集群

环境

名称 IP 类型
客户机 192.168.153.27 CIP
DR 192.168.153.200 VIP
DR 192.168.153.20 DIP
RS1 192.168.153.200 VIP
RS1 192.168.153.22 RIP
RS2 192.168.153.200 VIP
RS2 192.168.153.25 RIP

搭建HTTP负载均衡集群

1. 在Client上配置CIP

[root@Client ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:86:24:c1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.153.27/24 brd 192.168.153.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe86:24c1/64 scope link 
       valid_lft forever preferred_lft forever

2. 在DR上配置DIP和VIP

[root@DR ~]# ip addr add 192.168.153.200/32 dev lo
[root@DR ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 192.168.153.200/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:97:c3:66 brd ff:ff:ff:ff:ff:ff
    inet 192.168.153.20/24 brd 192.168.153.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe97:c366/64 scope link 
       valid_lft forever preferred_lft forever

3. 在RS上修改网卡内核参数

[root@RS1 ~]# vim /etc/sysctl.conf 
//添加下面两行内容
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@RS1 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

[root@RS2 ~]# vim /etc/sysctl.conf 
//添加下面两行内容
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@RS2 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

4. 在RS上配置VIP和RIP

RS1

[root@RS1 ~]# ip addr add 192.168.153.200/32 dev lo
[root@RS1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 192.168.153.200/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:2d:e0:d6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.153.22/24 brd 192.168.153.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe2d:e0d6/64 scope link 
       valid_lft forever preferred_lft forever

RS2

[root@RS2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 192.168.153.200/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:9b:a5:b7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.153.25/24 brd 192.168.153.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe9b:a5b7/64 scope link 
       valid_lft forever preferred_lft forever

5. 配置路由信息

[root@DR ~]# route add -host 192.168.153.200 dev lo
[root@RS1 ~]# route add -host 192.168.153.200 dev lo
[root@RS2 ~]# route add -host 192.168.153.200 dev lo

6. 在DR上添加规则

[root@DR ~]# yum -y install ipvsadm
[root@DR ~]# ipvsadm -A -t 192.168.153.200:80 -s wrr
[root@DR ~]# ipvsadm -a -t 192.168.153.200:80 -r 192.168.153.22:80 -g
[root@DR ~]# ipvsadm -a -t 192.168.153.200:80 -r 192.168.153.25:80 -g
[root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.207.200:80 wrr
  -> 192.168.153.22:80           Route   1      0          0         
  -> 192.168.153.25:80           Route   1      0          0 

7. 在RS上配置http

[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# echo 'RS1' > /var/www/html/index.html
[root@RS1 ~]# systemctl start httpd

[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# echo 'RS2' > /var/www/html/index.html
[root@RS2 ~]# systemctl start httpd

8. 在客户端访问验证

[root@Client ~]# for i in $(seq 4);do curl 192.168.153.200 ;done
RS2
RS1
RS2
RS1

搭建HTTPS负载均衡集群

1. 生成证书

为CA生成一对密钥

[root@DR ~]# cd /etc/pki/CA
[root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
..+++
e is 65537 (0x10001)

生成CA自签名证书

[root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:a.com
Organizational Unit Name (eg, section) []:a.com
Common Name (eg, your name or your server's hostname) []:a.com
Email Address []:[email protected]
[root@DR CA]# touch index.txt && echo 01 > serial

在RS生成证书签署请求,并发送给CA

[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
...................................................................+++
e is 65537 (0x10001)
[root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:a.com
Organizational Unit Name (eg, section) []:a.com
Common Name (eg, your name or your server's hostname) []:a.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@RS1 ssl]# ls
httpd.csr  httpd.key
[root@RS1 ssl]# scp httpd.csr [email protected]:/root

CA签署证书并发给客户端

[root@DR ~]# ls
httpd.csr
[root@DR ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 24 13:15:07 2020 GMT
            Not After : Jul 24 13:15:07 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = aaa.com
            organizationalUnitName    = aaa.com
            commonName                = aaa.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B5:D7:DC:0C:4C:84:F9:7B:3D:B4:7C:10:CD:96:87:C8:87:56:47:FD
            X509v3 Authority Key Identifier: 
                keyid:1B:FE:4E:5C:52:2F:11:4C:E2:66:73:9E:DD:77:8C:F1:8E:E3:9E:54

Certificate is to be certified until Jul 24 13:15:07 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@DR ~]# ls
httpd.crt  httpd.csr

CA把签署好的证书httpd.crt和CA自身的证书cacert.pem发给RS1和RS2

[root@DR ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
[root@DR ~]# scp /etc/pki/CA/cacert.pem [email protected]:/etc/httpd/ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl
[root@DR ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
[root@DR ~]# scp /etc/pki/CA/cacert.pem [email protected]:/etc/httpd/ssl

2. 配置HTTPS

在RS1上将httpd.key传给RS2,并在RS上安装ssl模块(注意:这样两台RS共用同一把私钥;生产环境中建议为每台RS分别生成密钥并签署证书,且私钥文件权限应保持为仅属主可读)

[root@RS1 ssl]# ls
cacert.pem  httpd.crt  httpd.key
[root@RS1 ssl]# scp httpd.key [email protected]:/etc/httpd/ssl
[root@RS1 ssl]# yum -y install mod_ssl

//在RS2上确认证书和密钥已经就位
[root@RS2 ssl]# ls
cacert.pem  httpd.crt  httpd.key
[root@RS2 ssl]# yum -y install mod_ssl

在RS上编辑配置文件

[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf 
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
//取消下面两行的注释,并把ServerName改为证书中的域名
DocumentRoot "/var/www/html"
ServerName aaa.com:443
...
//只修改下面未被注释掉的指令行,使其指向上面复制的证书和密钥文件
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
...
...
#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
[root@RS1 ~]# systemctl restart httpd

//RS2上的配置同上

3. 在DR上配置规则

[root@DR ~]# ipvsadm -A -t 192.168.153.200:443 -s wrr
[root@DR ~]# ipvsadm -a -t 192.168.153.200:443 -r 192.168.153.22 -g
[root@DR ~]# ipvsadm -a -t 192.168.153.200:443 -r 192.168.153.25 -g
[root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.153.200:80 wrr
  -> 192.168.153.22:80           Route   1      0          0         
  -> 192.168.153.25:80           Route   1      0          0         
TCP  192.168.153.200:443 wrr
  -> 192.168.153.22:443          Route   1      0          0         
  -> 192.168.153.25:443          Route   1      0          0 

4. 在客户端访问验证(curl -k 会跳过证书校验,只能验证调度是否正常;若要同时验证证书,应用 --cacert 指定cacert.pem,并以证书中的域名访问)

[root@Client ~]# for i in $(seq 4);do curl -k https://192.168.153.200 ;done
RS2
RS1
RS2
RS1


转载自blog.csdn.net/lnsistw/article/details/107622765