  LVS configuration: HTTPD/HTTPS load balancing in NAT and DR modes

    LVS configuration


    The ipvsadm command

    A user-space command-line tool for managing cluster services (adding, deleting, listing and modifying rules).

    //view the help
    ipvsadm v1.31 2019/12/24 (compiled with popt and IPVS v1.2.1)
    Usage:
      ipvsadm -A|E virtual-service [-s scheduler] [-p [timeout]] [-M netmask] [--pe persistence_engine] [-b sched-flags]
      ipvsadm -D virtual-service
      ipvsadm -C
      ipvsadm -R
      ipvsadm -S [-n]
      ipvsadm -a|e virtual-service -r server-address [options]
      ipvsadm -d virtual-service -r server-address
      ipvsadm -L|l [virtual-service] [options]
      ipvsadm -Z [virtual-service]
      ipvsadm --set tcp tcpfin udp
      ipvsadm --start-daemon {master|backup} [daemon-options]
      ipvsadm --stop-daemon {master|backup}
      ipvsadm -h
    
    Commands:
    Either long or short options are allowed.
      --add-service     -A        add virtual service with options
      --edit-service    -E        edit virtual service with options
      --delete-service  -D        delete virtual service
      --clear           -C        clear the whole table
      --restore         -R        restore rules from stdin
      --save            -S        save rules to stdout
      --add-server      -a        add real server with options
      --edit-server     -e        edit real server with options
      --delete-server   -d        delete real server
      --list            -L|-l     list the table
      --zero            -Z        zero counters in a service or all services
      --set tcp tcpfin udp        set connection timeout values
      --start-daemon              start connection sync daemon
      --stop-daemon               stop connection sync daemon
      --help            -h        display this help message
    
    virtual-service:
      --tcp-service|-t  service-address   service-address is host[:port]
      --udp-service|-u  service-address   service-address is host[:port]
      --sctp-service    service-address   service-address is host[:port]
      --fwmark-service|-f fwmark          fwmark is an integer greater than zero
    
    Options:
      --ipv6         -6                   fwmark entry uses IPv6
      --scheduler    -s scheduler         one of rr|wrr|lc|wlc|lblc|lblcr|dh|sh|sed|nq|fo|ovf|mh,
                                          the default scheduler is wlc.
      --pe            engine              alternate persistence engine may be sip,
                                          not set by default.
      --persistent   -p [timeout]         persistent service
      --netmask      -M netmask           persistent granularity mask
      --real-server  -r server-address    server-address is host (and port)
      --gatewaying   -g                   gatewaying (direct routing) (default)
      --ipip         -i                   ipip encapsulation (tunneling)
      --masquerading -m                   masquerading (NAT)
      --tun-type      type                one of ipip|gue|gre,
                                          the default tunnel type is ipip.
      --tun-port      port                tunnel destination port
      --tun-nocsum                        tunnel encapsulation without checksum
      --tun-csum                          tunnel encapsulation with checksum
      --tun-remcsum                       tunnel encapsulation with remote checksum
      --weight       -w weight            capacity of real server
      --u-threshold  -x uthreshold        upper threshold of connections
      --l-threshold  -y lthreshold        lower threshold of connections
      --connection   -c                   output of current IPVS connections
      --timeout                           output of timeout (tcp tcpfin udp)
      --daemon                            output of daemon information
      --stats                             output of statistics information
      --rate                              output of rate information
      --exact                             expand numbers (display exact values)
      --thresholds                        output of thresholds information
      --persistent-conn                   output of persistent connection info
      --tun-info                          output of tunnel information
      --nosort                            disable sorting output of service/server entries
      --sort                              does nothing, for backwards compatibility
      --ops          -o                   one-packet scheduling
      --numeric      -n                   numeric output of addresses and ports
      --sched-flags  -b flags             scheduler flags (comma-separated)
    Daemon Options:
      --syncid sid                        syncid for connection sync (default=255)
      --sync-maxlen length                Max sync message length (default=1472)
      --mcast-interface interface         multicast interface for connection sync
      --mcast-group address               IPv4/IPv6 group (default=224.0.0.81)
      --mcast-port port                   UDP port (default=8848)
      --mcast-ttl ttl                     Multicast TTL (default=1)
    

    Managing cluster services

    //syntax
    #the table below explains each option
    ipvsadm -A|E -t|u|f service-address [-s scheduler][-p [timeout]][-M netmask]
    
    //common forms of service-address
      tcp: -t ip:port
      udp: -u ip:port
      fwm: -f mark
    
    //option -s scheduler
    defaults to wlc
    
    //option -p [timeout]:
    defines a persistent connection; when timeout is not given it defaults to 300 seconds
    

    The options in detail:

    Option                 Meaning
    -A                     Add a virtual server
    -E                     Edit a virtual server
    -D                     Delete a virtual server
    -C, --clear            Clear all virtual services
    -R, --restore          Read ipvsadm rules from standard input; usually used together with -S below
    -S, --save             Write the virtual server rules to standard output. The rules can be saved and later loaded with -R, which automates the configuration
    -L, -l, --list         List all virtual services in the table; an address may be given. Add -c to show the connection table
    -Z, --zero             Zero all counters; these counters are generally used by the scheduling policies
    --set tcp tcpfin udp   Change the protocol timeout values
    --start-daemon state   Start the connection sync daemon as master or backup, used for master/backup redundancy (note: IPv4 only)
    --stop-daemon          Stop the sync daemon

    Managing the real servers (RS) of a cluster service

    //syntax
    #the table below explains each option
    ipvsadm -a|e -t|u|f service-address -r server-address [-g|i|m][-w weight][-x upper][-y lower]
    
    ipvsadm -d -t|u|f service-address -r server-address
    
    //listing
    ipvsadm -L|l [options]
    #options and their meaning
    options:
      -n: numeric, show addresses and ports in numeric form
      -c: connection, show the current IPVS connections
      --stats: statistics
      --rate: rate information
      --exact: show exact values without unit conversion
    

    The options in detail:

    Option                              Meaning
    -a                                  Add a real server
    -e                                  Edit a real server
    -d                                  Delete a real server
    -r                                  Address of the real server (RS)
    -m                                  Use NAT mode
    -g                                  Use DR mode
    -i                                  Use TUN mode
    -h, --help                          Show help
    -t                                  Set the cluster address (VIP, Virtual IP)
    -s                                  Select the scheduling algorithm
    -u, --udp-service service-address   Use a UDP service; otherwise the same as -t
    -w                                  Weight of the node server, default 1, an integer from 0 to 65535. A real server with weight 0 receives no new connections but keeps its existing ones (unlike deleting the real server outright); a higher weight means higher capacity and a larger share of the scheduled connections
    -f, --fwmark-service integer        Select the packets to balance by firewall mark instead of by virtual address. This lets virtual addresses with different addresses and ports be combined into one virtual service, so the virtual server intercepts and handles packets sent to several addresses at once. The fwmark is set with iptables. Add -6 for IPv6
    -p, --persistent [timeout]          Persistent connections: repeated requests from the same client are sent to the same real server, typically used for FTP or SSL
    -M, --netmask netmask               Subnet mask applied to client addresses, used to forward requests from clients in the same subnet to the same server
    -x, --u-threshold uthreshold        Upper limit on the connections a server may hold, 0 to 65535; 0 means no limit
    --syncid syncid                     The syncid, likewise used for master/backup synchronization
    --mcast-interface interface         Multicast interface used when running a backup server

    Example deployments

    Scenario 1: NAT-mode load balancing

    Building HTTP load balancing (NAT mode)

    Steps to build NAT-mode load balancing:

    1. Two NICs in different modes are needed (add a host-only NIC)
    2. Configure the IP addresses:

    DR side: DIP and VIP

    RS side: RIP

    3. Enable IP forwarding on the DR

    4. Add the rules on the DR and save them

    ipvsadm -A -t vip:port -s rr

    ipvsadm -a -t vip:port -r rip -m

    ipvsadm -S > /etc/sysconfig/ipvsadm

    Environment:

    Hostname  NIC info (ens160: NAT mode; ens192: host-only)                   Software  OS
    client    192.168.110.60 (ens160)                                           -         redhat 8
    DR        DIP: 192.168.110.11 (ens160) --- VIP: 192.168.72.250 (ens192)     ipvsadm   redhat 8
    RS1       RIP: 192.168.110.12 (ens160) --- gw: 192.168.110.11               httpd     redhat 8
    RS2       RIP: 192.168.110.13 (ens160) --- gw: 192.168.110.11               httpd     redhat 8

    Preparation:

    Note: in NAT mode the director (DR) must have two NICs of different types

    Here we add a host-only NIC


    //DR
    #stop firewalld and disable it at boot; disable SELinux
    [root@DR ~]# systemctl disable --now firewalld
    Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
    Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
    [root@DR ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
    [root@DR ~]# setenforce 0
    #install ipvsadm
    [root@DR ~]# yum -y install ipvsadm
    
    //RS1
    #stop firewalld and disable it at boot; disable SELinux
    [root@RS1 ~]# systemctl disable --now firewalld
    Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
    Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
    [root@RS1 ~]#  sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
    [root@RS1 ~]# setenforce 0
    #install httpd
    [root@RS1 ~]# yum -y install httpd
    #enable httpd at boot and start it
    [root@RS1 ~]# systemctl enable --now httpd
    Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
    
    //RS2
    #stop firewalld and disable it at boot; disable SELinux
    [root@RS2 ~]# systemctl disable --now firewalld
    Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
    Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
    [root@RS2 ~]#  sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
    [root@RS2 ~]# setenforce 0
    #install httpd
    [root@RS2 ~]# yum -y install httpd
    #enable httpd at boot and start it
    [root@RS2 ~]# systemctl enable --now httpd
    Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
    

    Deployment

    Check the DR's NIC information

    [root@DR ~]# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:ea:5b:7a brd ff:ff:ff:ff:ff:ff
        inet 192.168.110.11/24 brd 192.168.110.255 scope global noprefixroute ens160
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:feea:5b7a/64 scope link 
           valid_lft forever preferred_lft forever
    3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:ea:5b:84 brd ff:ff:ff:ff:ff:ff
        inet 192.168.72.130/24 brd 192.168.72.255 scope global dynamic noprefixroute ens192
           valid_lft 1526sec preferred_lft 1526sec
        inet6 fe80::1ec:69c4:6c00:a8a2/64 scope link noprefixroute 
           valid_lft forever preferred_lft forever
    

    Configure the DR's network

    //DR
    #configure the DIP
    [root@DR ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens160 
    TYPE=Ethernet
    BOOTPROTO=static
    NAME=ens160
    DEVICE=ens160
    ONBOOT=yes
    IPADDR=192.168.110.11
    PREFIX=24
    DNS1=114.114.114.114
    
    #configure the VIP
    [root@DR ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens192
    TYPE=Ethernet
    BOOTPROTO=static
    NAME=ens192
    DEVICE=ens192
    ONBOOT=yes
    IPADDR=192.168.72.250
    PREFIX=24
    DNS1=114.114.114.114
    
    #restart the network service
    [root@DR ~]# systemctl restart NetworkManager
    
    [root@DR ~]# ifdown ens160;ifup ens160
    Connection 'ens160' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
    
    [root@DR ~]# ifdown ens192;ifup ens192
    Error: '/etc/sysconfig/network-scripts/ifcfg-ens192' is not an active connection.
    Error: no active connection provided.
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
    
    #check the NIC information; the change took effect
    [root@DR ~]# ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:ea:5b:7a brd ff:ff:ff:ff:ff:ff
        inet 192.168.110.11/24 brd 192.168.110.255 scope global noprefixroute ens160
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:feea:5b7a/64 scope link 
           valid_lft forever preferred_lft forever
    3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:ea:5b:84 brd ff:ff:ff:ff:ff:ff
        inet 192.168.72.250/24 brd 192.168.72.255 scope global noprefixroute ens192
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:feea:5b84/64 scope link 
           valid_lft forever preferred_lft forever
    

    Test whether the addresses can be pinged from the local host (screenshot omitted)


    Configure the RS network

    //RS1
    #set RS1's gateway to the DR's DIP
    [root@RS1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens160 
    TYPE=Ethernet
    BOOTPROTO=static
    NAME=ens160
    DEVICE=ens160
    ONBOOT=yes
    IPADDR=192.168.110.12
    PREFIX=24
    GATEWAY=192.168.110.11   //the DR's DIP
    DNS1=114.114.114.114
    #restart the network service
    [root@RS1 ~]# nmcli c reload
    [root@RS1 ~]# nmcli c up ens160
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
    
    //RS2
    #set RS2's gateway to the DR's DIP
    [root@RS2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens160 
    TYPE=Ethernet
    BOOTPROTO=static
    NAME=ens160
    DEVICE=ens160
    ONBOOT=yes
    IPADDR=192.168.110.13
    PREFIX=24
    GATEWAY=192.168.110.11
    DNS1=114.114.114.114
    #restart the network service
    [root@RS2 ~]# nmcli c reload
    [root@RS2 ~]# nmcli c up ens160
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/5)
    

    Enable IP forwarding

    Configure IP forwarding for NAT mode, so that IP packets arriving through the load balancer can be forwarded to the real servers that actually provide the service.

    //DR
    #edit sysctl.conf
    [root@RS2 ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    [root@RS2 ~]# cat /etc/sysctl.conf 
    # sysctl settings are defined through files in
    # /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
    #
    # Vendors settings live in /usr/lib/sysctl.d/.
    # To override a whole file, create a new file with the same in
    # /etc/sysctl.d/ and put new settings there. To override
    # only specific settings, add a file with a lexically later
    # name in /etc/sysctl.d/ and put new settings there.
    #
    # For more information, see sysctl.conf(5) and sysctl.d(5).
    net.ipv4.ip_forward = 1
    
    [root@RS2 ~]# sysctl -p
    net.ipv4.ip_forward = 1
    

    Add the virtual service and save the rules

    //DR
    #add the virtual service
    [root@DR ~]# ipvsadm -A -t 192.168.72.250:80 -s rr
    
    #add the real-server forwarding rules
    [root@DR ~]# ipvsadm -a -t 192.168.72.250:80 -r 192.168.110.12:80 -m
    [root@DR ~]# ipvsadm -a -t 192.168.72.250:80 -r 192.168.110.13:80 -m
    [root@DR ~]# ipvsadm -Ln
    IP Virtual Server version 1.2.1 (size=4096)
    Prot LocalAddress:Port Scheduler Flags
      -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
    TCP  192.168.72.250:80 rr
      -> 192.168.110.12:80            Masq    1      0          0         
      -> 192.168.110.13:80            Masq    1      0          0 
      
    #save the rules
    [root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
    
    #view the saved rules
    [root@DR ~]# cat /etc/sysconfig/ipvsadm
    -A -t 192.168.72.250:80 -s rr
    -a -t 192.168.72.250:80 -r 192.168.110.12:80 -m -w 1
    -a -t 192.168.72.250:80 -r 192.168.110.13:80 -m -w 1
    

    Access test

    //RS1
    #add a test page so the effect is easier to see
    [root@RS1 ~]# echo "It's RS1 webserver" > /var/www/html/index.html
    [root@RS1 ~]# curl localhost
    It's RS1 webserver
    
    //RS2
    #add a test page so the effect is easier to see
    [root@RS2 ~]# echo "It's RS2 webserver" > /var/www/html/index.html
    [root@RS2 ~]# curl localhost
    It's RS2 webserver
    
    //client
    #start accessing
    [root@DR ~]# curl 192.168.72.250
    It's RS2 webserver
    [root@DR ~]# curl 192.168.72.250
    It's RS1 webserver
    [root@DR ~]# curl 192.168.72.250
    It's RS2 webserver
    [root@DR ~]# curl 192.168.72.250
    It's RS1 webserver
    
    //DR
    #test that access still works after the rules are cleared and reloaded from the saved file
    [root@DR ~]# ipvsadm -C
    [root@DR ~]# ipvsadm -Ln
    IP Virtual Server version 1.2.1 (size=4096)
    Prot LocalAddress:Port Scheduler Flags
      -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
    [root@DR ~]# ipvsadm -R < /etc/sysconfig/ipvsadm
    [root@DR ~]# ipvsadm -Ln
    IP Virtual Server version 1.2.1 (size=4096)
    Prot LocalAddress:Port Scheduler Flags
      -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
    TCP  192.168.72.250:80 rr
      -> 192.168.110.12:80            Masq    1      0          0         
      -> 192.168.110.13:80            Masq    1      0          0 
    
    //client
    #access succeeds
    [root@client ~]# curl 192.168.72.250
    It's RS2 webserver
    [root@client ~]# curl 192.168.72.250
    It's RS1 webserver
    [root@client ~]# curl 192.168.72.250
    It's RS2 webserver
    [root@client ~]# curl 192.168.72.250
    It's RS1 webserver
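An added audit script, not part of the original post, for the `ipvsadm -Ln` listing format shown above and for the `-m`/`-g`/`-w` options from the reference tables: it reads a listing on stdin and flags real servers forwarded with the wrong method for the intended mode, drained real servers (weight 0) and services left without any real server. The sample listings are constructed from the addresses used in this post.

```shell
#!/bin/sh
# Constructed example (not the page's own commands): an audit of the
# `ipvsadm -Ln` listing format shown on the page. It reads the listing on
# stdin, so it works on saved output as well as `ipvsadm -Ln | ipvs_audit nat`,
# and flags three things an operator wants to know after loading rules:
#   - a real server forwarded with the wrong method for the intended mode
#     (NAT must show Masq, DR must show Route)
#   - a real server with weight 0 (drained: keeps old connections, gets no new ones)
#   - a service with no real server at all

# ipvs_audit nat|dr < listing
# Prints one line per finding; returns 0 when clean, 1 when anything was flagged.
ipvs_audit() {
    case "$1" in
        nat) want=Masq ;;
        dr)  want=Route ;;
        *)   echo "usage: ipvs_audit nat|dr < listing" >&2; return 2 ;;
    esac
    awk -v want="$want" '
        # service line, e.g. "TCP  192.168.72.250:80 rr"
        /^(TCP|UDP|SCTP)[ \t]/ { svc = $1 " " $2; nrs[svc] = 0; next }
        # real-server line, e.g. "  -> 192.168.110.12:80  Masq  1  0  0";
        # the column header also starts with "->" and is skipped by the second test
        $1 == "->" && $2 != "RemoteAddress:Port" {
            nrs[svc]++
            if ($3 != want) {
                printf "%s -> %s: forwards with %s, expected %s\n", svc, $2, $3, want
                bad++
            }
            if ($4 == 0) {
                printf "%s -> %s: weight 0, receives no new connections\n", svc, $2
                bad++
            }
        }
        END {
            for (s in nrs) if (nrs[s] == 0) { printf "%s: no real servers\n", s; bad++ }
            exit (bad > 0)
        }'
}

# Sample listings, constructed from the addresses used on the page.
NAT_OK='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.72.250:80 rr
  -> 192.168.110.12:80            Masq    1      0          0
  -> 192.168.110.13:80            Masq    1      0          0'

# The same VIP after one RS was added with -g instead of -m, one was drained
# with -w 0, and the 443 service lost both real servers.
NAT_BAD='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.72.250:80 rr
  -> 192.168.110.12:80            Route   1      0          0
  -> 192.168.110.13:80            Masq    0      0          0
TCP  192.168.72.250:443 rr'

printf '%s\n' "$NAT_OK"  | ipvs_audit nat && echo "NAT_OK: clean"
printf '%s\n' "$NAT_BAD" | ipvs_audit nat || echo "NAT_BAD: findings listed above"
```

On a director, run it as `ipvsadm -Ln | ipvs_audit nat` (or `dr`) after `ipvsadm -R` to confirm the restored table is what was intended.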
    

    Browser test

    RS1 (screenshot)

    RS2 (screenshot)

    Building HTTPS load balancing (NAT mode)

    Preparation:

    The lab environment is the same as above

    //RS1
    #configure a local yum repository: the NIC settings were changed above, so packages have to be installed from a local repository
    [root@RS1 ~]# mount /dev/cdrom /mnt/
    mount: /mnt: WARNING: device write-protected, mounted read-only.
    [root@RS1 ~]# cd /etc/yum.repos.d/
    [root@RS1 yum.repos.d]# rm -f *
    [root@RS1 yum.repos.d]# vi xx.repo
    [BaseOS]
    name=baseos
    baseurl=file:///mnt/BaseOS
    enabled=1
    gpgcheck=0
    [AppStream]
    name=appstream
    baseurl=file:///mnt/AppStream
    enabled=1
    gpgcheck=0
    
    //RS2
    #configure a local yum repository: the NIC settings were changed above, so packages have to be installed from a local repository
    [root@RS2 ~]# mount /dev/cdrom /mnt/
    mount: /mnt: WARNING: device write-protected, mounted read-only.
    [root@RS2 ~]# cd /etc/yum.repos.d/
    [root@RS2 yum.repos.d]# rm -f *
    [root@RS2 yum.repos.d]# vi xx.repo
    [BaseOS]
    name=baseos
    baseurl=file:///mnt/BaseOS
    enabled=1
    gpgcheck=0
    [AppStream]
    name=appstream
    baseurl=file:///mnt/AppStream
    enabled=1
    gpgcheck=0
    

    Deployment

    Set up a CA on the DR server

    //DR
    #generate the CA key pair
    [root@DR ~]# mkdir -p /etc/pki/CA/private
    [root@DR ~]# cd /etc/pki/CA
    [root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus (2 primes)
    .........................................+++++
    ....................................+++++
    e is 65537 (0x010001)
    [root@DR CA]# openssl rsa -in private/cakey.pem -pubout
    writing RSA key
    
    #generate the self-signed CA certificate
    [root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN    
    State or Province Name (full name) []:HB
    Locality Name (eg, city) [Default City]:WH  
    Organization Name (eg, company) [Default Company Ltd]:ldaz
    Organizational Unit Name (eg, section) []:ldaz
    Common Name (eg, your name or your server's hostname) []:ldaz
    Email Address []:1@2.com
    [root@DR CA]# touch index.txt && echo 01 > serial
    
    //RS1
    #RS1 generates a certificate signing request and sends it to the CA
    [root@RS1 ~]# yum -y install mod_ssl
    [root@RS1 ~]# mkdir /etc/httpd/ssl
    [root@RS1 ~]# cd /etc/httpd/ssl
    [root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
    Generating RSA private key, 2048 bit long modulus (2 primes)
    .........................................................................................+++++
    ...........+++++
    e is 65537 (0x010001)
    [root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
    Ignoring -days; not generating a certificate
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:HB
    Locality Name (eg, city) [Default City]:WH
    Organization Name (eg, company) [Default Company Ltd]:ldaz    
    Organizational Unit Name (eg, section) []:ldaz
    Common Name (eg, your name or your server's hostname) []:ldaz
    Email Address []:1@2.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:(press Enter)
    An optional company name []:(press Enter)
    
    #send the CSR file to the CA
    [root@RS1 ssl]# scp httpd.csr root@192.168.110.11:/root/
    The authenticity of host '192.168.110.11 (192.168.110.11)' can't be established.
    ECDSA key fingerprint is SHA256:7Kqh1XILaVXU3uGikQSF3V6RXoZB9X5zyLVPDzfyaus.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.110.11' (ECDSA) to the list of known hosts.
    root@192.168.110.11's password: 
    httpd.csr 
    [root@RS1 ssl]# ls
    httpd.csr  httpd.key
    
    //DR
    #check on the DR
    [root@DR ~]# ls
    anaconda-ks.cfg  httpd.csr
    
    #the CA signs the certificate and sends it to RS1
    [root@DR ~]# mkdir /etc/pki/CA/newcerts
    [root@DR ~]# touch /etc/pki/CA/index.txt 
    
    #tracks the serial number of the last certificate issued
    [root@DR ~]# echo "01" > /etc/pki/CA/serial 
    [root@DR ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: May  9 08:49:03 2021 GMT
                Not After : Feb 27 08:49:03 2024 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = HB
                organizationName          = ldaz
                organizationalUnitName    = ldaz
                commonName                = ldaz
                emailAddress              = 1@2.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    13:45:39:AF:6F:97:C1:79:BE:E4:B2:B8:81:61:96:54:0B:BC:B5:3C
                X509v3 Authority Key Identifier: 
                    keyid:B6:5A:51:56:14:38:FA:32:65:76:64:31:94:D9:29:EA:5F:2C:E4:99
    
    Certificate is to be certified until Feb 27 08:49:03 2024 GMT (1024 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    [root@DR ~]# ls
    anaconda-ks.cfg  httpd.crt  httpd.csr
    
    #the CA sends the signed certificate httpd.crt and its own certificate cacert.pem to RS1
    [root@DR ~]# scp httpd.crt root@192.168.110.12:/etc/httpd/ssl
    [root@DR ~]# scp /etc/pki/CA/cacert.pem root@192.168.110.12:/etc/httpd/ssl
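The CA procedure above, as an added non-interactive example that is not the post's own command sequence: it writes its own openssl.cnf under a temporary directory, so the index.txt/serial database the post creates by hand is set up and explained in one place, then signs a server CSR and verifies the resulting chain. The server name www.example.test is a placeholder; OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Constructed example (not the page's own commands): the page's CA flow made
# non-interactive and self-contained. Everything lives under the directory
# passed as $1 with its own openssl.cnf, so /etc/pki/CA is never touched.
# Assumes OpenSSL 1.1.1 or newer (for `req -addext`); the DN values are the
# page's, the server name www.example.test is a constructed placeholder.
set -u

# write_ca_config DIR: the minimal config `openssl ca` needs. database and
# serial are the index.txt and serial files the page creates by hand.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 1024
policy          = policy_any
# Config extensions are applied first; 'copy' then adds only CSR extensions
# the config does not set (here subjectAltName), so a CSR that asks for
# basicConstraints CA:TRUE cannot turn itself into a CA.
x509_extensions = server_cert
copy_extensions = copy

[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name
EOF
}

# build_lab_ca DIR: CA key, self-signed CA certificate, empty database.
build_lab_ca() {
    mkdir -p "$1/private" "$1/newcerts"
    write_ca_config "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -out "$1/cacert.pem" -days 1024 -subj "/C=CN/ST=HB/O=ldaz/CN=ldaz lab CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -addext "subjectKeyIdentifier=hash"
    : > "$1/index.txt"        # the page's `touch index.txt`
    echo 01 > "$1/serial"     # the page's `echo 01 > serial`
}

# issue_server_cert DIR NAME: what RS1 and the CA do on the page, in one
# place: server key and CSR for NAME, then `openssl ca` signs it into
# DIR/NAME.crt. unique_subject defaults to yes, so a second request with a
# DN already present in index.txt would be refused.
issue_server_cert() {
    (umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=CN/ST=HB/O=ldaz/CN=$2" -addext "subjectAltName=DNS:$2"
    openssl ca -batch -config "$1/openssl.cnf" -in "$1/$2.csr" -out "$1/$2.crt" \
        -days 1024 -notext 2>/dev/null
}

# verify_chain DIR NAME: the check that `curl -k` on the page skips.
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null 2>&1
}

# issued_count DIR: number of valid ('V') entries in the CA database.
issued_count() {
    grep -c '^V' "$1/index.txt"
}

lab=$(mktemp -d)
build_lab_ca "$lab" && issue_server_cert "$lab" www.example.test &&
    verify_chain "$lab" www.example.test &&
    echo "issued $(issued_count "$lab") certificate(s); next serial: $(cat "$lab/serial")"
```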
    

    Configure HTTPS

    In this lab the certificate and its private key are copied from RS1 to RS2, so both real servers share one key; in a production deployment each RS would get its own key and certificate, or a single certificate carrying the names of every host it serves.

    //RS2
    #install mod_ssl and create the directory
    [root@RS2 ~]# yum -y install mod_ssl
    [root@RS2 ~]# mkdir /etc/httpd/ssl
    
    //RS1
    #send RS1's certificate and key to RS2
    [root@RS1 ~]# cd /etc/httpd/ssl/
    [root@RS1 ssl]# scp cacert.pem httpd.crt httpd.key root@192.168.110.13:/etc/httpd/ssl
    The authenticity of host '192.168.110.13 (192.168.110.13)' can't be established.
    ECDSA key fingerprint is SHA256:+UR5bwjFNEKZsJ+X/qSSsMGCvtq5ByludUEL47JqwoU.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.110.13' (ECDSA) to the list of known hosts.
    root@192.168.110.13's password: 
    cacert.pem                                        100% 1350     1.5MB/s   00:00    
    httpd.crt                                         100% 4489     3.7MB/s   00:00    
    httpd.key                                         100% 1675     2.6MB/s   00:00  
    
    //RS2
    #check
    [root@RS2 ~]# ls /etc/httpd/ssl/
    cacert.pem  httpd.crt  httpd.key
    

    Edit the HTTPS configuration file

    //RS1
    #edit the configuration file
    [root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
    ...
    SSLCertificateFile /etc/httpd/ssl/httpd.crt    //change the path
    ...
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key    //change the path
    ...
    SSLCACertificateFile /etc/httpd/ssl/cacert.pem    //add this line
    
    #restart the service
    [root@RS1 ~]# systemctl restart httpd
    [root@RS1 ~]# ss -antl
    State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
    LISTEN    0          128                  0.0.0.0:22                0.0.0.0:*       
    LISTEN    0          128                  0.0.0.0:443               0.0.0.0:*       
    LISTEN    0          128                  0.0.0.0:80                0.0.0.0:*       
    LISTEN    0          128                     [::]:22                   [::]:* 
    
    //RS2
    #edit the configuration file
    [root@RS2 ~]# vim /etc/httpd/conf.d/ssl.conf
    ...
    SSLCertificateFile /etc/httpd/ssl/httpd.crt    //change the path
    ...
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key    //change the path
    ...
    SSLCACertificateFile /etc/httpd/ssl/cacert.pem    //add this line
    
    #restart the service
    [root@RS2 ~]# systemctl restart httpd
    [root@RS2 ~]# ss -antl
    State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
    LISTEN    0          128                  0.0.0.0:22                0.0.0.0:*       
    LISTEN    0          128                  0.0.0.0:443               0.0.0.0:*       
    LISTEN    0          128                  0.0.0.0:80                0.0.0.0:*       
    LISTEN    0          128                     [::]:22                   [::]:* 
    

    Add the virtual service and save the rules

    //DR
    #add the virtual service
    [root@DR ~]# ipvsadm -A -t 192.168.72.250:443 -s rr
    
    #add the real-server forwarding rules
    [root@DR ~]# ipvsadm -a -t 192.168.72.250:443 -r 192.168.110.12 -m
    [root@DR ~]# ipvsadm -a -t 192.168.72.250:443 -r 192.168.110.13 -m
    [root@DR ~]# ipvsadm -Ln
    IP Virtual Server version 1.2.1 (size=4096)
    Prot LocalAddress:Port Scheduler Flags
      -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
    TCP  192.168.72.250:80 rr
      -> 192.168.110.12:80            Masq    1      0          0         
      -> 192.168.110.13:80            Masq    1      0          0         
    TCP  192.168.72.250:443 rr
      -> 192.168.110.12:443           Masq    1      0          0         
      -> 192.168.110.13:443           Masq    1      0          0         
    
    #save the rules
    [root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
    
    #view the saved rules
    [root@DR ~]# cat /etc/sysconfig/ipvsadm
    -A -t 192.168.72.250:80 -s rr
    -a -t 192.168.72.250:80 -r 192.168.110.12:80 -m -w 1
    -a -t 192.168.72.250:80 -r 192.168.110.13:80 -m -w 1
    -A -t 192.168.72.250:443 -s rr
    -a -t 192.168.72.250:443 -r 192.168.110.12:443 -m -w 1
    -a -t 192.168.72.250:443 -r 192.168.110.13:443 -m -w 1
    

    Access test

    //client
    #access succeeds
    [root@client ~]# curl -k https://192.168.72.250
    It's RS2 webserver
    [root@client ~]# curl -k https://192.168.72.250
    It's RS1 webserver
    [root@client ~]# curl -k https://192.168.72.250
    It's RS2 webserver
    [root@client ~]# curl -k https://192.168.72.250
    It's RS1 webserver
    

    Browser test

    RS1 (screenshot)

    RS2 (screenshot)

    Scenario 2: DR-mode load balancing

    Building HTTP load balancing (DR mode)

    Environment:

    Hostname  DIP            VIP              Software  OS
    client    192.168.100.2  /                /         redhat 8
    DR        192.168.100.3  192.168.222.250  ipvsadm   redhat 8
    RS1       192.168.100.4  /                httpd     redhat 8
    RS2       192.168.100.5  /                httpd     redhat 8

    Preparation:

    The default gateway is removed, so a local yum repository must be used

    //DR
    #stop firewalld and disable it at boot; disable SELinux
    systemctl disable --now firewalld
    sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
    setenforce 0
    
    #install ipvsadm
    [root@DR ~]# yum -y install ipvsadm
    
    #configure the VIP
    [root@DR ~]# ip addr add 192.168.100.250/32 dev ens160
    [root@DR ~]# ip a
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:56:9e:92 brd ff:ff:ff:ff:ff:ff
        inet 192.168.100.3/24 brd 192.168.100.255 scope global noprefixroute ens160
           valid_lft forever preferred_lft forever
        inet 192.168.100.250/32 scope global ens160
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:fe56:9e92/64 scope link 
           valid_lft forever preferred_lft forever
    
    //RS1
    #stop firewalld and disable it at boot; disable SELinux
    systemctl disable --now firewalld
    sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
    setenforce 0
    
    #install httpd and net-tools
    [root@RS1 ~]# yum -y install httpd net-tools
    
    #enable httpd at boot, start it and create a test page
    [root@RS1 ~]# systemctl enable --now httpd
    [root@RS1 ~]# echo RS1 > /var/www/html/index.html
    
    //RS2
    #stop firewalld and disable it at boot; disable SELinux
    systemctl disable --now firewalld
    sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
    setenforce 0
    
    #install httpd and net-tools
    [root@RS2 ~]# yum -y install httpd net-tools
    
    #enable httpd at boot, start it and create a test page
    [root@RS2 ~]# systemctl enable --now httpd
    [root@RS2 ~]# echo RS2 > /var/www/html/index.html
    

    Deployment

    Configure the RS servers

    //RS1
    [root@RS1 ~]# vim /etc/sysctl.conf
    # append the following two lines
    # arp_ignore=1: answer an ARP request only when the target IP is configured on the interface that received it
    # arp_announce=2: use the interface's own address (the RIP), never the VIP, as the source of ARP requests
    net.ipv4.conf.all.arp_ignore = 1
    net.ipv4.conf.all.arp_announce = 2
    
    [root@RS1 ~]# sysctl -p
    net.ipv4.conf.all.arp_ignore = 1
    net.ipv4.conf.all.arp_announce = 2
    
    //RS2
    [root@RS2 ~]# vim /etc/sysctl.conf
    # append the following two lines
    net.ipv4.conf.all.arp_ignore = 1
    net.ipv4.conf.all.arp_announce = 2
    
    [root@RS2 ~]# sysctl -p
    net.ipv4.conf.all.arp_ignore = 1
    net.ipv4.conf.all.arp_announce = 2
    

    Configure the VIP

    Be sure to set the kernel parameters before configuring the VIP. If the VIP is configured first, it is announced to everyone on the segment as soon as it is up, and the whole point of changing the kernel parameters is to prevent that announcement.

    //RS1
    [root@RS1 ~]# ip addr add 192.168.100.250/32 dev ens160
    [root@RS1 ~]# ip a
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:61:17:d4 brd ff:ff:ff:ff:ff:ff
        inet 192.168.100.4/24 brd 192.168.100.255 scope global noprefixroute ens160
           valid_lft forever preferred_lft forever
        inet 192.168.100.250/32 scope global ens160
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:fe61:17d4/64 scope link 
           valid_lft forever preferred_lft forever
    
    //RS2
    [root@RS2 ~]# ip addr add 192.168.100.250/32 dev ens160
    [root@RS2 ~]# ip a
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:24:c8:11 brd ff:ff:ff:ff:ff:ff
        inet 192.168.100.5/24 brd 192.168.100.255 scope global noprefixroute ens160
           valid_lft forever preferred_lft forever
        inet 192.168.100.250/32 scope global ens160
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:fe24:c811/64 scope link 
           valid_lft forever preferred_lft forever
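The ordering caveat above can be checked rather than remembered. The following script is an added example, not code from the original post: it verifies that a real server has arp_ignore=1, arp_announce=2 and the /32 VIP on its interface, working from the text output of `sysctl` and `ip -o -4 addr show` (the function name and the sample output below are constructed).

```shell
#!/bin/sh
# Added example, not from the original post: a preflight check for a DR-mode
# real server. It parses the text of
#   sysctl net.ipv4.conf.all.arp_ignore net.ipv4.conf.all.arp_announce
#   ip -o -4 addr show
# passed in as arguments, so it can be tested offline; on a live RS pass the
# real command output. Prints one line per problem; returns 1 if there is any.
rs_dr_preflight() {
    sysctl_out=$1; ipaddr_out=$2; vip=$3; dev=$4
    rc=0
    ignore=$(printf '%s\n' "$sysctl_out" | awk -F' = ' '/arp_ignore/ {print $2}')
    announce=$(printf '%s\n' "$sysctl_out" | awk -F' = ' '/arp_announce/ {print $2}')
    [ "$ignore" = 1 ] || { echo "arp_ignore=${ignore:-unset}, expected 1 (RS would answer ARP for the VIP)"; rc=1; }
    [ "$announce" = 2 ] || { echo "arp_announce=${announce:-unset}, expected 2 (RS would announce the VIP)"; rc=1; }
    if printf '%s\n' "$ipaddr_out" | grep -q "$dev  *inet $vip/32 "; then
        # VIP already present: with wrong ARP settings it was announced when it came up
        [ $rc -eq 0 ] || echo "VIP $vip is already on $dev; it went up before the ARP settings were applied"
    else
        echo "VIP $vip/32 is not configured on $dev"; rc=1
    fi
    return $rc
}

# Constructed sample output, shaped like the two commands above on a correctly prepared RS.
SAMPLE_SYSCTL='net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2'
SAMPLE_IPADDR='2: ens160    inet 192.168.100.4/24 brd 192.168.100.255 scope global noprefixroute ens160\       valid_lft forever preferred_lft forever
2: ens160    inet 192.168.100.250/32 scope global ens160\       valid_lft forever preferred_lft forever'

rs_dr_preflight "$SAMPLE_SYSCTL" "$SAMPLE_IPADDR" 192.168.100.250 ens160 && echo "RS preflight OK"
```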
    

    Configure the routes

    //RS1
    [root@RS1 ~]# route add -host 192.168.100.250/32 dev ens160
    [root@RS1 ~]# echo '192.168.100.250/32 via 192.168.100.3' > /etc/sysconfig/network-scripts/route-ens160
    
    //RS2
    [root@RS2 ~]# route add -host 192.168.100.250/32 dev ens160
    [root@RS2 ~]# echo '192.168.100.250/32 via 192.168.100.3' > /etc/sysconfig/network-scripts/route-ens160
    

    Add and save the rules

    //DR
    [root@DR ~]# ipvsadm -A -t 192.168.100.250:80 -s wrr
    [root@DR ~]# ipvsadm -a -t 192.168.100.250:80 -r 192.168.100.4 -g
    [root@DR ~]# ipvsadm -a -t 192.168.100.250:80 -r 192.168.100.5 -g
       
    [root@DR ~]# ipvsadm -Ln
    IP Virtual Server version 1.2.1 (size=4096)
    Prot LocalAddress:Port Scheduler Flags
      -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
    TCP  192.168.100.250:80 wrr
      -> 192.168.100.4:80             Route   1      0          0         
      -> 192.168.100.5:80             Route   1      0          0  
      
    [root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
    [root@DR ~]# systemctl enable --now ipvsadm
    

    Access test from the client

    //client
    [root@client ~]# curl 192.168.100.250
    RS2
    [root@client ~]# curl 192.168.100.250
    RS1
    [root@client ~]# curl 192.168.100.250
    RS2
    [root@client ~]# curl 192.168.100.250
    RS1
    [root@client ~]# curl 192.168.100.250
    RS2
    [root@client ~]# curl 192.168.100.250
    RS1
    

    Setting up HTTPS load balancing (DR mode)

    Note: the HTTPS setup builds on the configuration above.

    Install mod_ssl and enable HTTPS

    //RS1和RS2
    # install mod_ssl
    [root@RS1 ~]# yum -y install mod_ssl
    [root@RS2 ~]# yum -y install mod_ssl
    
    # no custom certificate here, the default one is used; restart the service and check whether 443 is listening
    [root@RS1 ~]# systemctl restart httpd
    [root@RS2 ~]# systemctl restart httpd
    
    # port 443 is now listening
    [root@RS1 ~]# ss -antl
    State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port 
    LISTEN      0           128                    0.0.0.0:22                    0.0.0.0:*   
    LISTEN      0           128                          *:80                          *:*   
    LISTEN      0           128                       [::]:22                       [::]:*   
    LISTEN      0           128                          *:443                         *:*  
    
    [root@RS2 ~]# ss -antl
    State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port 
    LISTEN      0           128                    0.0.0.0:22                    0.0.0.0:*   
    LISTEN      0           128                          *:80                          *:*   
    LISTEN      0           128                       [::]:22                       [::]:*   
    LISTEN      0           128                          *:443                         *:*  
    

    Add and save the rules

    //DR
    [root@DR ~]# ipvsadm -C
    [root@DR ~]# ipvsadm -A -t 192.168.100.250:443 -s wrr
    [root@DR ~]# ipvsadm -a -t 192.168.100.250:443 -r 192.168.100.4 -g
    [root@DR ~]# ipvsadm -a -t 192.168.100.250:443 -r 192.168.100.5 -g
    [root@DR ~]# ipvsadm -Ln
    IP Virtual Server version 1.2.1 (size=4096)
    Prot LocalAddress:Port Scheduler Flags
      -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
    TCP  192.168.100.250:443 wrr
      -> 192.168.100.4:443            Route   1      0          0         
      -> 192.168.100.5:443            Route   1      0          0 
      
    [root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
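For both the port-80 and the port-443 rule sets above, the following added example (not code from the original post) generates the rules in the format `ipvsadm -Sn` saves to /etc/sysconfig/ipvsadm and checks a saved rule file for the mistakes DR mode cannot tolerate; the function names and the sample rule file are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build the DR-mode rules for one
# service in the format `ipvsadm -Sn` writes to /etc/sysconfig/ipvsadm, and
# sanity-check such a rule set before it is restored with `ipvsadm -R`.
# Direct routing (-g) cannot rewrite ports, so each RS must serve the VIP's port.

# lvs_dr_rules VIP PORT SCHEDULER RIP...  -> rule lines on stdout
lvs_dr_rules() {
    vip=$1; port=$2; sched=$3; shift 3
    printf '%s -t %s:%s -s %s\n' -A "$vip" "$port" "$sched"
    for rip in "$@"; do
        # ipvsadm fills in the service port and weight 1 when they are omitted,
        # which is what the post's `-r 192.168.100.4 -g` produced in `ipvsadm -Ln`
        printf '%s -t %s:%s -r %s:%s -g -w 1\n' -a "$vip" "$port" "$rip" "$port"
    done
}

# check_dr_rules RULES_TEXT  -> 0 if consistent, 1 otherwise (problems on stdout)
check_dr_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" { service[$3] = 1; next }
        $1 == "-a" {
            if (!($3 in service)) { print "no -A line for service " $3; bad = 1 }
            if ($6 != "-g")       { print $5 " uses " $6 " instead of -g (DR)"; bad = 1 }
            split($3, svc, ":"); split($5, rs, ":")
            if (svc[2] != rs[2])  { print $5 " port differs from service port " svc[2]; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Constructed sample: a hand-edited rule file where one RS was pointed at 8443
SAMPLE_RULES='-A -t 192.168.100.250:443 -s wrr
-a -t 192.168.100.250:443 -r 192.168.100.4:443 -g -w 1
-a -t 192.168.100.250:443 -r 192.168.100.5:8443 -g -w 1'

lvs_dr_rules 192.168.100.250 443 wrr 192.168.100.4 192.168.100.5
if check_dr_rules "$SAMPLE_RULES"; then echo "rules OK"; else echo "rules rejected"; fi
```

Because `ipvsadm -C` above wipes the port-80 service before the 443 rules are added, the saved file ends up holding only the HTTPS service; run `lvs_dr_rules` once per port and append both outputs if both services should be balanced.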
    

    Access test from the client

    //client
    [root@client ~]# curl -k https://192.168.100.250
    RS2
    [root@client ~]# curl -k https://192.168.100.250
    RS1
    [root@client ~]# curl -k https://192.168.100.250
    RS2
    [root@client ~]# curl -k https://192.168.100.250
    RS1
    [root@client ~]# curl -k https://192.168.100.250
    RS2
    [root@client ~]# curl -k https://192.168.100.250
    RS1
    

    And that's it, those are all the steps for configuring LVS load balancing!

    Original source: https://www.cnblogs.com/leixixi/p/14738932.html