  • lvs四种模式配置

    环境

    环境 DIP VIP 需要安装的应用 系统版本
    client 192.168.23.141 / / RedHat 8
    DR 192.168.23.142 192.168.80.250 ipvsadm RedHat 8
    RS1 192.168.23.143 / httpd RedHat 8
    RS2 192.168.23.144 / httpd RedHat 8
    准备工作
    //关闭防火墙和SELinux
    
    DR
    [root@DR ~]# systemctl stop firewalld
    [root@DR ~]# setenforce 0
    
    RS1
    [root@RS1 ~]# systemctl stop firewalld
    [root@RS1 ~]# setenforce 0
    
    RS2
    [root@RS2 ~]# systemctl stop firewalld
    [root@RS2 ~]# setenforce 0
    
    //在rs1与rs2上启动httpd服务
    
    rs1
    [root@RS1 ~]# yum -y install httpd
    [root@RS1 ~]# ss -antl
    State          Recv-Q         Send-Q                 Local Address:Port                 Peer Address:Port         
    LISTEN         0              128                          0.0.0.0:22                        0.0.0.0:*            
    LISTEN         0              128                                *:80                              *:*            
    LISTEN         0              128                             [::]:22                           [::]:*            
    
    rs2
    [root@RS2 ~]# yum -y install httpd
    [root@RS2 ~]# ss -antl
    State          Recv-Q         Send-Q                 Local Address:Port                 Peer Address:Port         
    LISTEN         0              128                          0.0.0.0:22                        0.0.0.0:*            
    LISTEN         0              128                                *:80                              *:*            
    LISTEN         0              128                             [::]:22                           [::]:*         
    
    //下载httpd以及添加html文件
    
    RS1
    [root@RS1 ~]# yum -y install httpd net-tools
    [root@RS1 ~]# systemctl enable --now httpd
    [root@RS1 ~]# echo rs1 > /var/www/html/index.html
    
    RS2
    [root@RS2 ~]# yum -y install httpd net-tools
    [root@RS2 ~]# systemctl enable --now httpd
    [root@RS2 ~]# echo rs2 > /var/www/html/index.html
    
    //将网关指向DIP
    
    RS1
    [root@RS1 ~]# route add default gw 192.168.23.142
    
    RS2
    [root@RS2 ~]# route add default gw 192.168.23.142
    
    //开启ip转发功能
    [root@DR ~]# vim /etc/sysctl.conf
    
    ......
    net.ipv4.ip_forward = 1     //在最后添加这一行
    
    [root@DR ~]# sysctl -p
    net.ipv4.ip_forward = 1
    
    //添加并保存规则
    
    DR
    //配置DR的第二张网卡
    [root@DR ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens192
    TYPE=Ethernet
    BOOTPROTO=static
    ONBOOT=yes
    NAME=ens192
    DEVICE=ens192
    IPADDR=192.168.80.250
    PREFIX=24
    
    [root@DR ~]# systemctl restart NetworkManager
    [root@DR ~]# ifdown ens192;ifup ens192
    [root@DR ~]# ip a
    
    ......
    3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:07:02:c4 brd ff:ff:ff:ff:ff:ff
        inet 192.168.80.130/24 brd 192.168.80.255 scope global dynamic noprefixroute ens192
           valid_lft 1512sec preferred_lft 1512sec
        inet 192.168.80.250/24 scope global secondary ens192
           valid_lft forever preferred_lft forever
        inet6 fe80::cb2e:f939:795d:d898/64 scope link noprefixroute 
           valid_lft forever preferred_lft forever
    
    //添加调度器
    [root@DR ~]# ipvsadm -A -t 192.168.80.250:80 -s rr
    [root@DR ~]# ipvsadm -L
    IP Virtual Server version 1.2.1 (size=4096)
    Prot LocalAddress:Port Scheduler Flags
      -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
    TCP  192.168.80.250:http rr
    
    //添加后端真实服务器(RS)地址
    [root@DR ~]# ipvsadm -a -t 192.168.80.250:80 -r 192.168.23.143:80 -m
    [root@DR ~]# ipvsadm -a -t 192.168.80.250:80 -r 192.168.23.144:80 -m
    [root@DR ~]# ipvsadm -Ln
    IP Virtual Server version 1.2.1 (size=4096)
    Prot LocalAddress:Port Scheduler Flags
      -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
    TCP  192.168.80.250:80 rr
      -> 192.168.23.143:80             Masq    1      0          0         
      -> 192.168.23.144:80             Masq    1      0          0    
    
    //保存规则
    [root@DR ~]# ipvsadm -S > /etc/sysconfig/ipvsadm
    [root@DR ~]# systemctl enable --now ipvsadm
    
    //客户端访问测试
    [root@client ~]# curl 192.168.80.250
    rs1
    [root@client ~]# curl 192.168.80.250
    rs2
    [root@client ~]# curl 192.168.80.250
    rs1
    [root@client ~]# curl 192.168.80.250
    rs2
    [root@client ~]# curl 192.168.80.250
    rs1
    

    搭建NAT模式的HTTPS负载集群

    在以上配置基础下搭建https
    环境

    环境 DIP VIP 需要安装的应用 系统版本
    client 192.168.23.141 / / RedHat 8
    DR 192.168.23.142 192.168.23.250 ipvsadm RedHat 8
    RS1 192.168.23.143 192.168.23.250 httpd RedHat 8
    RS2 192.168.23.144 192.168.23.250 httpd RedHat 8
    准备工作
    LVS服务器搭建CA服务端
    DR
    //生成一对密钥
    [root@DR ~]# mkdir -p /etc/pki/CA/private
    [root@DR ~]# cd /etc/pki/CA
    [root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
    [root@DR CA]# openssl rsa -in private/cakey.pem -pubout
    
    //生成自签署证书
    [root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:HB
    Locality Name (eg, city) [Default City]:HW
    Organization Name (eg, company) [Default Company Ltd]:yc  
    Organizational Unit Name (eg, section) []:yc
    Common Name (eg, your name or your server's hostname) []:yc
    Email Address []:x@x.com
    [root@DR CA]# touch index.txt && echo 01 > serial
    
    //RS1生成证书签署请求,并发送给CA
    [root@RS1 ~]# yum -y install mod_ssl
    [root@RS1 ~]# mkdir /etc/httpd/ssl
    [root@RS1 ~]# cd /etc/httpd/ssl
    [root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
    [root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
    Ignoring -days; not generating a certificate
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:HB
    Locality Name (eg, city) [Default City]:WH
    Organization Name (eg, company) [Default Company Ltd]:baozi
    Organizational Unit Name (eg, section) []:baozi
    Common Name (eg, your name or your server's hostname) []:baozi
    Email Address []:1@2.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [root@RS1 ssl]# ls
    httpd.csr  httpd.key
    
    #把证书签署请求文件发送给CA
    [root@RS1 ssl]# scp httpd.csr root@192.168.23.142:/root/
    
    //CA签署证书并发给RS1
    #DR
    [root@DR ~]# mkdir /etc/pki/CA/newcerts
    [root@DR ~]# touch /etc/pki/CA/index.txt
    
    //跟踪最后一次颁发证书的序列号
    [root@DR ~]# echo "01" > /etc/pki/CA/serial
    
    [root@DR ~]# ls
    anaconda-ks.cfg  httpd.csr
    [root@DR ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: May  6 09:02:00 2021 GMT
                Not After : Feb 24 09:02:00 2024 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = HB
                organizationName          = yc
                organizationalUnitName    = yc
                commonName                = yc
                emailAddress              = x@x.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    C7:3B:A3:CD:87:98:12:12:CC:88:1A:ED:23:66:97:8A:66:EB:65:29
                X509v3 Authority Key Identifier: 
                    keyid:CD:31:DC:BD:F4:70:26:6A:EA:AA:B1:83:08:8E:E6:FB:AD:F7:0B:BA
    
    Certificate is to be certified until Feb 24 09:02:00 2024 GMT (1024 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@DR ~]# ls
    anaconda-ks.cfg  httpd.crt  httpd.csr
    
    //CA把签署好的证书httpd.crt和服务端的证书cacert.pem发给RS1
    [root@DR ~]# scp httpd.crt root@192.168.23.143:/etc/httpd/ssl  
    [root@DR ~]# scp /etc/pki/CA/cacert.pem root@192.168.23.143:/etc/httpd/ssl
    
    //将RS1的证书和密钥发给RS2
    RS2
    [root@RS2 ~]# yum -y install mod_ssl
    [root@RS2 ~]# mkdir /etc/httpd/ssl
    
    RS1
    [root@RS1 ~]# cd /etc/httpd/ssl/
    [root@RS1 ssl]# scp cacert.pem httpd.crt httpd.key root@192.168.100.5:/etc/httpd/ssl
    
    RS2
    [root@RS2 ~]# ls /etc/httpd/ssl/
    cacert.pem  httpd.crt  httpd.key
    
    //修改https配置文件
    #RS1
    [root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
    #修改后如下所示
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    ······
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    ······
    SSLCACertificateFile /etc/httpd/ssl/cacert.pem
    ······
    
    //重启服务
    [root@RS1 ~]# systemctl restart httpd
    [root@RS1 ~]# ss -antl
    State      Recv-Q     Send-Q          Local Address:Port           Peer Address:Port     
    LISTEN     0          128                   0.0.0.0:22                  0.0.0.0:*        
    LISTEN     0          128                      [::]:22                     [::]:*        
    LISTEN     0          128                         *:443                       *:*        
    LISTEN     0          128                         *:80                        *:*  
    
    #RS2
    [root@RS2 ~]# vim /etc/httpd/conf.d/ssl.conf
    #修改后如下所示
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    ······
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    ······
    SSLCACertificateFile /etc/httpd/ssl/cacert.pem
    ······
    
    //重启服务
    [root@RS2 ~]# systemctl restart httpd
    [root@RS2 ~]# ss -antl
    State      Recv-Q     Send-Q          Local Address:Port           Peer Address:Port     
    LISTEN     0          128                   0.0.0.0:22                  0.0.0.0:*        
    LISTEN     0          128                      [::]:22                     [::]:*        
    LISTEN     0          128                         *:443                       *:*        
    LISTEN     0          128                         *:80                        *:*  
    
    //添加并保存规则
    #DR
    //添加调度器
    [root@DR ~]# ipvsadm -A -t 192.168.80.250:443 -s rr
    
    //添加后端真实服务器(RS)的IP地址
    [root@DR ~]# ipvsadm -a -t 192.168.80.250:443 -r 192.168.23.143 -m
    [root@DR ~]# ipvsadm -a -t 192.168.80.250:443 -r 192.168.23.144 -m
    [root@DR ~]# ipvsadm -Ln
    IP Virtual Server version 1.2.1 (size=4096)
    Prot LocalAddress:Port Scheduler Flags
      -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
    TCP  192.168.80.250:80 rr
      -> 192.168.23.143:80             Masq    1      0          0         
      -> 192.168.23.144:80             Masq    1      0          0         
    TCP  192.168.80.250:443 rr
      -> 192.168.23.143:443            Masq    1      0          0         
      -> 192.168.23.144:443            Masq    1      0          0   
      
    //保存规则
    [root@DR ~]# ipvsadm -S > /etc/sysconfig/ipvsadm
    
    //客户端访问测试(-k 表示跳过证书校验,仅用于测试自签名证书)
    [root@client ~]# curl -k https://192.168.222.250
    rs2
    [root@client ~]# curl -k https://192.168.222.250
    rs1
    [root@client ~]# curl -k https://192.168.222.250
    rs2
    [root@client ~]# curl -k https://192.168.222.250
    rs1
    

    搭建DR模式的HTTP负载集群

    DR模式是通过director将报文源和目标MAC地址修改,发送给RS,RS将响应报文直接发送给client

    准备工作:

    //DR
    [root@DR ~]# systemctl disable --now firewalld
    [root@DR ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
    [root@DR ~]# setenforce 0
    [root@DR ~]# yum -y install ipvsadm
    [root@DR ~]# ip addr add 192.168.23.250/32 dev ens160
    [root@DR ~]# ip a
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:56:9e:92 brd ff:ff:ff:ff:ff:ff
        inet 192.168.23.142/24 brd 192.168.23.255 scope global noprefixroute ens160
           valid_lft forever preferred_lft forever
        inet 192.168.23.250/32 scope global ens160
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:fe56:9e92/64 scope link 
           valid_lft forever preferred_lft forever
    
    //RS1
    [root@RS1 ~]# systemctl disable --now firewalld
    [root@RS1 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
    [root@RS1 ~]# setenforce 0
    [root@RS1 ~]# yum -y install httpd net-tools
    [root@RS1 ~]# systemctl enable --now httpd
    [root@RS1 ~]# echo rs1 > /var/www/html/index.html
    
    //RS2
    [root@RS2 ~]# systemctl disable --now firewalld
    [root@RS2 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
    [root@RS2 ~]# setenforce 0
    [root@RS2 ~]# yum -y install httpd net-tools
    [root@RS2 ~]# systemctl enable --now httpd
    [root@RS2 ~]# echo rs2 > /var/www/html/index.html
    
    //RS服务器配置
    RS1
    [root@RS1 ~]# vim /etc/sysctl.conf
    //在最后面插入如下两行
    net.ipv4.conf.all.arp_ignore = 1	//将对应网卡设置为只回应目标IP为自身接口地址的ARP请求
    net.ipv4.conf.all.arp_announce = 2	//将ARP请求的源IP设置为eth0上的IP,也就是RIP
    
    [root@RS1 ~]# sysctl -p
    net.ipv4.conf.all.arp_ignore = 1
    net.ipv4.conf.all.arp_announce = 2
    
    RS2
    [root@RS2 ~]# vim /etc/sysctl.conf
    //在最后面插入如下两行
    net.ipv4.conf.all.arp_ignore = 1
    net.ipv4.conf.all.arp_announce = 2
    
    [root@RS2 ~]# sysctl -p
    net.ipv4.conf.all.arp_ignore = 1
    net.ipv4.conf.all.arp_announce = 2
    
    //配置VIP(一定要先设置好内核参数,再配置VIP;如果先配置VIP,VIP配置好后会立即通过ARP通告给所有人,而修改内核参数正是为了抑制这种通告)
    
    RS1
    [root@RS1 ~]# ip addr add 192.168.23.250/32 dev lo
    [root@RS1 ~]# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet 192.168.23.250/32 scope global lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    
    RS2
    [root@RS2 ~]# ip addr add 192.168.23.250/32 dev lo
    [root@RS2 ~]# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet 192.168.23.250/32 scope global lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    
    //配置路由信息
    
    RS1
    [root@RS1 ~]# route add -host 192.168.23.250/32 dev lo
    //永久配置
    [root@RS1 ~]# echo '192.168.23.250/32 via 0.0.0.0 dev lo' > /etc/sysconfig/network-scripts/route-lo
    [root@RS1 ~]# route -n
    [root@RS1 ~]# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.23.2    0.0.0.0         UG    100    0        0 ens160
    192.168.23.0    0.0.0.0         255.255.255.0   U     100    0        0 ens160
    192.168.23.250  0.0.0.0         255.255.255.255 UH    0      0        0 lo
    
    RS2
    [root@RS2 ~]# route add -host 192.168.23.250/32 dev lo
    //永久配置
    [root@RS2 ~]# echo '192.168.23.250/32 via 0.0.0.0 dev lo' > /etc/sysconfig/network-scripts/route-lo
    [root@RS2 ~]# route -n
    [root@RS2 ~]# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.23.2    0.0.0.0         UG    100    0        0 ens160
    192.168.23.0    0.0.0.0         255.255.255.0   U     100    0        0 ens160
    192.168.23.250  0.0.0.0         255.255.255.255 UH    0      0        0 lo
    
    //添加并保存规则
    
    DR
    [root@DR ~]# ipvsadm -A -t 192.168.23.250:80 -s wrr
    [root@DR ~]# ipvsadm -a -t 192.168.23.250:80 -r 192.168.23.143 -g
    [root@DR ~]# ipvsadm -a -t 192.168.23.250:80 -r 192.168.23.144 -g
       
    [root@DR ~]# ipvsadm -Ln
    IP Virtual Server version 1.2.1 (size=4096)
    Prot LocalAddress:Port Scheduler Flags
      -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
    TCP  192.168.23.250:80 wrr
      -> 192.168.23.143:80             Route   1      0          0         
      -> 192.168.24.144:80             Route   1      0          0  
    
    [root@DR ~]# ipvsadm -S > /etc/sysconfig/ipvsadm
    [root@DR ~]# systemctl enable --now ipvsadm
    
    //客户端访问测试
    [root@client ~]# curl 192.168.23.250
    rs2
    [root@client ~]# curl 192.168.23.250
    rs1
    [root@client ~]# curl 192.168.23.250
    rs2
    [root@client ~]# curl 192.168.23.250
    rs1
    