lvs配置方法
ip类型 | ip地址 |
---|
VIP仅主机模式 | 192.168.96.134 |
DIP | 192.168.149.143 |
host1IP | 192.168.149.140 |
host2IP | 192.168.149.137 |
host1配置
[root@host1 ~]
[root@host1 ~]
[root@host1 ~]
[root@host1 ~]
[root@host1 ~]
生成httpds
[root@host1 ~]
[root@host1 ~]
[root@host1 CA]
[root@host1 CA]
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................................................+++++
.......+++++
e is 65537 (0x010001)
[root@host1 CA]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:xkq
Organizational Unit Name (eg, section) []:xkq
Common Name (eg, your name or your server's hostname) []:xkq.com
Email Address []:1@1.com
[root@host1 CA]# mkdir certs newcerts crl
[root@host1 CA]# touch index.txt && echo 01 > serial
[root@host1 CA]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
......+++++
...........................................+++++
e is 65537 (0x010001)
[root@host1 CA]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:xkq
Organizational Unit Name (eg, section) []:xkq
Common Name (eg, your name or your server's hostname) []:xkq.com
Email Address []:1@1.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@host1 CA]
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 14 12:04:15 2021 GMT
Not After : Jun 14 12:04:15 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = xkq
organizationalUnitName = xkq
commonName = xkq.com
emailAddress = 1@1.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1E:D6:51:6F:21:A7:7D:A7:FF:06:D4:6D:13:85:11:50:6C:FD:D5:8C
X509v3 Authority Key Identifier:
keyid:2B:BA:85:7C:6B:8E:0C:74:24:B2:E0:CF:83:43:9D:21:C3:8D:DF:95
Certificate is to be certified until Jun 14 12:04:15 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
安装ssl模板
[root@host1 ~]
[root@host1 CA]
[root@host1 CA]
[root@host1 conf.d]
修改路径
......
SSLCertificateFile /etc/httpd/httpd.crt
SSLCertificateKeyFile /etc/httpd/httpd.key
......
重启httpd
[root@host1 conf.d]
[root@host1 CA]
[root@host1 CA]
root@192.168.149.137's password:
httpd.crt 100% 4495 2.5MB/s 00:00
[root@host1 CA]# scp /etc/httpd/httpd.key 192.168.149.137:/etc/httpd/
root@192.168.149.137's password:
httpd.key 100% 1675 1.6MB/s 00:00
将网关改为调度器的ip
[root@host1 ~]
TYPE=Ethernet
OTPROTO=static
NAME=ens160
DEVICE=ens160
ONBOOT=yes
IPADDR=192.168.149.140
PREFIX=24
GATEWAY=192.168.149.143
DNS1=114.114.114.114
[root@host1 ~]
host2配置
[root@host2 ~]
[root@host2 ~]
[root@host2 ~]
[root@host2 ~]
[root@host1 ~]
[root@host2 ~]
[root@host2 ~]
[root@host2 conf.d]
修改路径
......
SSLCertificateFile /etc/httpd/httpd.crt
SSLCertificateKeyFile /etc/httpd/httpd.key
......
重启httpd
[root@host2 conf.d]
将网关改为调度器的ip
[root@host2 ~]
TYPE=Ethernet
OTPROTO=static
NAME=ens160
DEVICE=ens160
ONBOOT=yes
IPADDR=192.168.149.137
PREFIX=24
GATEWAY=192.168.149.143
DNS1=114.114.114.114
[root@host2 ~]
调度器配置
[root@lb ~]
[root@lb ~]
[root@lb ~]
开启 IP转发 功能
[root@lb ~]
[root@lb ~]
net.ipv4.ip_forward = 1
添加并保持规则
[root@lb ~]
[root@lb ~]
[root@lb ~]
[root@lb ~]
[root@lb ~]
[root@lb ~]
[root@lb ~]
[root@lb ~]
-A -t 192.168.96.134:80 -s rr
-a -t 192.168.96.134:80 -r 192.168.149.137:80 -m -w 1
-a -t 192.168.96.134:80 -r 192.168.149.140:80 -m -w 1
-A -t 192.168.96.134:443 -s rr
-a -t 192.168.96.134:443 -r 192.168.149.137:443 -m -w 1
-a -t 192.168.96.134:443 -r 192.168.149.140:443 -m -w 1
测试
dr模式
ip类型 | ip地址 |
---|
VIP虚拟的 | 192.168.149.144 |
DIP | 192.168.149.143 |
host1IP | 192.168.149.140 |
host2IP | 192.168.149.137 |
host1配置
[root@host1 ~]
[root@host1 ~]
[root@host1 ~]
[root@host1 ~]
[root@host1 ~]
生成httpds
[root@host1 ~]
[root@host1 ~]
[root@host1 CA]
[root@host1 CA]
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................................................+++++
.......+++++
e is 65537 (0x010001)
[root@host1 CA]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:xkq
Organizational Unit Name (eg, section) []:xkq
Common Name (eg, your name or your server's hostname) []:xkq.com
Email Address []:1@1.com
[root@host1 CA]# mkdir certs newcerts crl
[root@host1 CA]# touch index.txt && echo 01 > serial
[root@host1 CA]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
......+++++
...........................................+++++
e is 65537 (0x010001)
[root@host1 CA]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:xkq
Organizational Unit Name (eg, section) []:xkq
Common Name (eg, your name or your server's hostname) []:xkq.com
Email Address []:1@1.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@host1 CA]
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 14 12:04:15 2021 GMT
Not After : Jun 14 12:04:15 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = xkq
organizationalUnitName = xkq
commonName = xkq.com
emailAddress = 1@1.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
1E:D6:51:6F:21:A7:7D:A7:FF:06:D4:6D:13:85:11:50:6C:FD:D5:8C
X509v3 Authority Key Identifier:
keyid:2B:BA:85:7C:6B:8E:0C:74:24:B2:E0:CF:83:43:9D:21:C3:8D:DF:95
Certificate is to be certified until Jun 14 12:04:15 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
安装ssl模板
[root@host1 ~]
[root@host1 CA]
[root@host1 CA]
[root@host1 conf.d]
修改路径
......
SSLCertificateFile /etc/httpd/httpd.crt
SSLCertificateKeyFile /etc/httpd/httpd.key
......
重启httpd
[root@host1 conf.d]
将证书传给host2
[root@host1 CA]
root@192.168.149.137's password:
httpd.crt 100% 4495 2.5MB/s 00:00
[root@host1 CA]# scp /etc/httpd/httpd.key 192.168.149.137:/etc/httpd/
root@192.168.149.137's password:
httpd.key 100% 1675 1.6MB/s 00:00
[root@host1 httpd]
[root@host1 httpd]
[root@host1 ~]
TYPE=Ethernet
OTPROTO=static
NAME=ens160
DEVICE=ens160
ONBOOT=yes
IPADDR=192.168.149.140
PREFIX=24
GATEWAY=192.168.149.2
DNS1=114.114.114.114
[root@host1 ~]
[root@host1 httpd]
> net.ipv4.conf.all.arp_ignore=1
> net.ipv4.conf.all.arp_announce=2
> EOF
[root@host1 httpd]
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@host1 ~]
host2配置
[root@host2 ~]
[root@host2 ~]
[root@host2 ~]
[root@host2 ~]
[root@host1 ~]
[root@host2 ~]
[root@host2 ~]
[root@host2 conf.d]
修改路径
......
SSLCertificateFile /etc/httpd/httpd.crt
SSLCertificateKeyFile /etc/httpd/httpd.key
......
重启httpd
[root@host2 conf.d]
[root@host2 ~]
[root@host2 ~]
[root@host2 ~]
TYPE=Ethernet
OTPROTO=static
NAME=ens160
DEVICE=ens160
ONBOOT=yes
IPADDR=192.168.149.137
PREFIX=24
GATEWAY=192.168.149.2
DNS1=114.114.114.114
[root@host2 ~]
[root@host2 ~]
> net.ipv4.conf.all.arp_ignore=1
> net.ipv4.conf.all.arp_announce=2
> EOF
[root@host2 ~]
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
调度器配置
[root@lb ~]
[root@lb ~]
[root@lb ~]
[root@lb ~]
TYPE=Ethernet
BOOTPROTO=static
NAME=ens160
DEVICE=ens160
ONBOOT=yes
IPADDR0=192.168.149.143
PREFIX0=24
IPADDR1=192.168.149.144
PREFIX1=24
GATEWAY=192.168.149.2
DNS1=114.114.114.114
[root@lb ~]
添加规则
[root@lb ~]
[root@lb ~]
[root@lb ~]
[root@lb ~]
[root@lb ~]
[root@lb ~]
[root@lb ~]
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.149.144:80 rr
-> 192.168.149.137:80 Route 1 0 0
-> 192.168.149.140:80 Route 1 0 0
TCP 192.168.149.144:443 rr
-> 192.168.149.137:443 Route 1 0 0
-> 192.168.149.140:443 Route 1 0 0
haproxy配置
[root@lb ~]
[root@lb ~]
[root@lb ~]
[root@lb ~]
[root@lb ~]
[root@lb haproxy-2.3.0]
[root@lb haproxy-2.3.0]
> TARGET=linux-glibc \
> USE_OPENSSL=1 \
> USE_ZLIB=1 \
> USE_PCRE=1 \
> USE_SYSTEMD=1
[root@lb haproxy-2.3.0]
[root@lb haproxy-2.3.0]
[root@lb haproxy-2.3.0]
[root@lb haproxy-2.3.0]
/usr/local/haproxy/sbin/haproxy
[root@lb haproxy-2.3.0]
[root@lb haproxy-2.3.0]
[root@lb haproxy-2.3.0]
net.ipv4.ip_forward = 1
net.ipv4.ip_nonlocal_bind = 1
[root@lb haproxy-2.3.0]
[root@lb haproxy-2.3.0]
>
> global
> log 127.0.0.1 local0 info
>
> maxconn 20480
>
> pidfile /var/run/haproxy.pid
>
> user haproxy
> group haproxy
> daemon
>
>
>
>
> defaults
> mode http
> log global
> option dontlognull
> option httpclose
> option httplog
>
> option redispatch
> balance roundrobin
> timeout connect 10s
> timeout client 10s
> timeout server 10s
> timeout check 10s
> maxconn 60000
> retries 3
>
> listen admin_stats
> bind 0.0.0.0:8189
> stats enable
> mode http
> log global
> stats uri /haproxy_stats
> stats realm Haproxy\ Statistics
> stats auth admin:admin
>
> stats admin if TRUE
> stats refresh 30s
>
> listen webcluster
> bind 0.0.0.0:80
> mode http
>
> log global
> maxconn 3000
> balance roundrobin
> cookie SESSION_COOKIE insert indirect nocache
> server web01 192.168.149.140:80 check inter 2000 fall 5
> server web02 192.168.149.137:80 check inter 2000 fall 5
> EOF
[root@lb haproxy-2.3.0]
> [Unit]
> Description=HAProxy Load Balancer
> After=syslog.target network.target
>
> [Service]
> ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
> ExecStart=/usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
> ExecReload=/bin/kill -USR2 $MAINPID
>
> [Install]
> WantedBy=multi-user.target
> EOF
[root@lb haproxy-2.3.0]
[root@lb haproxy-2.3.0]
local0.* /var/log/boot.log
[root@lb haproxy-2.3.0]
[root@lb haproxy-2.3.0]
[root@lb haproxy-2.3.0]
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8189 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
测试
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)