  • HAProxy for load balancing vsFTPd servers

    I have successfully set up a load-balanced environment using HAProxy and 2 FTP servers running vsftpd. This is what the setup looks like so far:

    Proxy: ftp00 | 192.168.2.135 (public, eth0) | 10.11.130.1 (private, eth1)
    Node01: ftp01 | 10.11.130.140
    Node02: ftp02 | 10.11.130.141

    OS: CentOS 6.6
    HAProxy: version 1.5.2 2014/07/12
    vsftpd: version 2.2.2

    ftp00:/etc/haproxy/haproxy.conf

    #---------------------------------------------------------------------
    # GLOBAL CONFIG
    #---------------------------------------------------------------------
    global
        daemon
        log         127.0.0.1 local0 info
        log         127.0.0.1 local1 notice
        log         127.0.0.1 local5 debug
        chroot      /var/lib/haproxy
        pidfile     /var/run/haproxy.pid
        maxconn     4000
        user        haproxy
        group       haproxy
    
        # turn on stats unix socket
        stats socket /var/lib/haproxy/stats
    
    #---------------------------------------------------------------------
    # DEFAULTS CONFIG
    #---------------------------------------------------------------------
    defaults
            log             global
            mode            tcp
            option          tcplog
            option          dontlognull
            retries         3
            option          redispatch
            option          tcpka
            maxconn         2000
            contimeout      5000
    
    #---------------------------------------------------------------------
    # POOL CONFIG
    #---------------------------------------------------------------------
    listen ftp-lb
            bind 192.168.2.135:21
            mode tcp
            option tcplog
            balance roundrobin
            server ftp01 10.11.130.140:21 weight 10 minconn 30 maxconn 1000 check
            server ftp02 10.11.130.141:21 weight 10 minconn 30 maxconn 1000 check
    
    #---------------------------------------------------------------------
    # HAPROXY DASHBOARD CONFIG
    #---------------------------------------------------------------------
    listen stats
        bind 192.168.2.135:81
        mode http
        stats enable
        stats refresh 30s
        stats show-node
        stats uri  /stats
        stats auth admin:password

    ftp00:/etc/sysconfig/iptables (found [here])

    *nat
    :PREROUTING ACCEPT [7:724]
    :POSTROUTING ACCEPT [5:300]
    :OUTPUT ACCEPT [5:300]
    -A PREROUTING -d 192.168.2.135/32 -i eth1 -p tcp -m tcp --dport 12001:14000 -j DNAT --to-destination 10.11.130.140
    -A PREROUTING -d 192.168.2.135/32 -i eth1 -p tcp -m tcp --dport 16001:18000 -j DNAT --to-destination 10.11.130.141
    -A POSTROUTING -s 10.11.130.140/32 -o eth1 -j SNAT --to-source 192.168.2.135
    -A POSTROUTING -s 10.11.130.141/32 -o eth1 -j SNAT --to-source 192.168.2.135
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [732:64731]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 81 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

    ftp01:/etc/vsftpd/vsftpd.conf

    #------------------------------------------
    # GENERAL CONFIG
    #------------------------------------------
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    pam_service_name=vsftpd
    
    #------------------------------------------
    # LOG CONFIG
    #------------------------------------------
    xferlog_enable=YES
    xferlog_std_format=NO
    log_ftp_protocol=YES
    
    #------------------------------------------
    # USER WHITELIST
    #------------------------------------------
    userlist_enable=YES
    userlist_deny=NO
    userlist_file=/etc/vsftpd/user_list
    
    #------------------------------------------
    # PASSIVE MODE CONFIG
    #------------------------------------------
    #tcp_wrappers=YES
    pasv_enable=YES
    port_enable=YES
    pasv_min_port=12001
    pasv_max_port=14000
    pasv_address=192.168.2.135
    pasv_addr_resolve=NO
    connect_from_port_20=YES
    
    #------------------------------------------
    # Added listen address for internal only
    #------------------------------------------
    listen=YES
    listen_address=10.11.130.140
    
    #-----------------------------------------
    # BANNER CONFIG
    #-----------------------------------------
    banner_file=/etc/vsftpd/issue

    ftp01:/etc/sysconfig/iptables

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 12001:14000 -j ACCEPT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

    ftp02:/etc/vsftpd/vsftpd.conf

    Differences from the ftp01 configuration:

    pasv_min_port=16001
    pasv_max_port=18000
    
    listen_address=10.11.130.141

    ftp02:/etc/sysconfig/iptables

    Same as **ftp01** with respective port ranges

    All nodes: /etc/sysconfig/iptables-config

    IPTABLES_MODULES="nf_conntrack_ftp"

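    SELinux is disabled on all machines. I have followed several tutorials (such as this and this), but I still cannot get passive mode to work. I can log in to the FTP servers through the HAProxy load balancer (set to roundrobin, which also works), but it keeps giving me this: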

    220-***FTP SERVER CLUSTER NODE 02***
    220
    Name (192.168.2.135:root): root
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    227 Entering Passive Mode (192,168,2,135,67,94).
    ftp: connect: Connection timed out
    ftp>

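    Since I have done everything I could think of, and almost everything written about dealing with this, I am getting a bit frustrated. My configuration is the same as in the tutorials, but it does not work. Maybe I am missing something I have not noticed, so any help is much appreciated!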

    At least the port number seems to be correct. ftp02 is set to use 16001 – 18000, and Entering Passive Mode uses 67 * 256 + 94 = 17246, which is perfectly fine.

     
    According to the RH documentation I read about passive FTP load balancing, you may need to enable the kernel module
    # modprobe ip_vs_ftp

    Red_Hat_Enterprise_Linux-6-Load_Balancer_Administration-EN-US

    In order to enable passive FTP connections, ensure that you have the ip_vs_ftp kernel module loaded, which you can do by running the command modprobe ip_vs_ftp as an administrative user at a shell prompt.
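
The port arithmetic in the question can be checked against the posted ftp00 DNAT rules mechanically. The following is an added example, not part of the original question or answer: it parses a 227 reply and reports which PREROUTING rule, if any, matches the data connection for a given ingress interface. The function names `parse_pasv`, `parse_dnat` and `route` are hypothetical, and only the `-d`, `-i` and `--dport` matches are evaluated.

```python
import re

# DNAT rules copied verbatim from the ftp00 iptables file in the question.
RULES = """\
-A PREROUTING -d 192.168.2.135/32 -i eth1 -p tcp -m tcp --dport 12001:14000 -j DNAT --to-destination 10.11.130.140
-A PREROUTING -d 192.168.2.135/32 -i eth1 -p tcp -m tcp --dport 16001:18000 -j DNAT --to-destination 10.11.130.141
"""

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; port = p1 * 256 + p2 (RFC 959)."""
    m = re.search(r"227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("address or port field out of range")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def parse_dnat(rules):
    """Extract destination, ingress interface, port range and target per rule.

    Simplified: assumes a /32 destination and no negated ("!") matches.
    """
    out = []
    for line in rules.splitlines():
        tok = line.split()
        if "DNAT" not in tok:
            continue
        opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1)
               if tok[i].startswith("-")}
        lo, _, hi = opt["--dport"].partition(":")
        out.append({"dst": opt["-d"].split("/")[0], "iface": opt.get("-i"),
                    "ports": (int(lo), int(hi or lo)),
                    "to": opt["--to-destination"]})
    return out

def route(reply, in_iface, rules=RULES):
    """Return the backend the data connection is DNATed to, or None."""
    ip, port = parse_pasv(reply)
    for r in parse_dnat(rules):
        lo, hi = r["ports"]
        if r["dst"] == ip and lo <= port <= hi and r["iface"] in (None, in_iface):
            return r["to"]
    return None

if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,2,135,67,94)."  # from the session above
    print(parse_pasv(reply))
    for iface in ("eth0", "eth1"):
        print(iface, "->", route(reply, iface))
```

With the rules as posted, the reply from the session maps to ftp02 only for packets that arrive on eth1; for packets arriving on eth0, the interface the question labels public, neither rule matches.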

  • Original article: https://www.cnblogs.com/alpha1981/p/11760707.html