  • Nginx+Keepalived实现四层及七层负载均衡

    Nginx+Keepalived实现四层及七层负载均衡

    一.Nginx及Openssl编译安装

    1.卸载旧版本Nginx及Openssl(注意:系统中许多软件包依赖自带的openssl,执行前请先核对yum列出的将被一并移除的依赖包)
    [root@localhost ~]# yum remove nginx
    [root@localhost ~]# yum remove openssl

    2.安装编译环境依赖
    [root@localhost ~]# yum -y install gcc gcc-c++ autoconf automake make
    [root@localhost ~]# yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel psmisc

    3.下载最新版Nginx及openssl(http://nginx.org/en/download.html);下面的nginx源码包是通过明文HTTP下载的,编译前应使用官方发布的PGP签名(.asc)或校验和核对两个压缩包的完整性
    [root@localhost ~]# mkdir /opt/nginx
    [root@localhost ~]# cd /opt/nginx/
    [root@localhost nginx]# wget http://nginx.org/download/nginx-1.21.1.tar.gz
    [root@localhost nginx]# wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz

    4.编译安装Openssl
    [root@localhost nginx]# tar xzvf openssl-1.1.1k.tar.gz
    [root@localhost nginx]# cd openssl-1.1.1k
    [root@localhost openssl-1.1.1k]# ./config
    [root@localhost openssl-1.1.1k]# make && make install

    5.编译安装Nginx
    [root@localhost nginx]# tar xzvf nginx-1.21.1.tar.gz
    [root@localhost nginx]# cd nginx-1.21.1
    [root@localhost nginx-1.21.1]# ./configure --with-stream --with-openssl=/opt/nginx/openssl-1.1.1k --with-http_ssl_module
    [root@localhost nginx-1.21.1]# make && make install

    6.添加系统服务(systemd单元文件)
    [root@localhost /]# vi /usr/lib/systemd/system/nginx.service
    # systemd unit for the source-built nginx installed under /usr/local/nginx.
    # NOTE(review): no User= is set, so the nginx master presumably starts as root
    # (it binds ports 80/443 in the configurations on this page) - confirm which
    # account the worker processes run as.
    [Unit]
    Description=nginx - high performance web server
    Documentation=http://nginx.org/en/docs/
    After=network.target remote-fs.target nss-lookup.target
    [Service]
    # nginx daemonizes itself; systemd follows the master process through PIDFile.
    Type=forking
    PIDFile=/usr/local/nginx/logs/nginx.pid
    # Test the configuration (-t) before starting.
    ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
    ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
    # HUP makes the master reload its configuration; QUIT asks for a graceful shutdown.
    ExecReload=/bin/kill -s HUP $MAINPID
    ExecStop=/bin/kill -s QUIT $MAINPID
    # Private /tmp and /var/tmp for this service.
    PrivateTmp=true
    [Install]
    WantedBy=multi-user.target

    7.[root@localhost /]# systemctl start nginx

    二.keepalived安装

    [root@localhost /]# yum install -y keepalived
    [root@localhost /]# mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
    [root@localhost /]# vi /etc/keepalived/keepalived.conf
    ! Configuration File for keepalived
    # NOTE(review): keepalived executes the vrrp_script below itself. The global_defs
    # options script_user / enable_script_security exist to constrain that; confirm
    # them against the installed keepalived version.
    global_defs {
    #   notification_email {   #### recipients notified by e-mail when a failover happens
    #     cuimingkun@yinwuweiye.com
    #   }
    #   notification_email_from liuqingliang@domain.com
    #   smtp_server 127.0.0.1
    #   smtp_connect_timeout 30
      router_id NGINX_BACK
    }
    # Health check: runs the script every 2 seconds (interval); weight is the
    # priority adjustment tied to the script's result.
    vrrp_script chk_http_port {
                  script "/usr/local/sbin/nginx_pid.sh" ## location of the monitoring script
                  interval 2
                  weight 2
    }
    vrrp_instance VI_1 {
      state MASTER        ##### use BACKUP on the standby node
      interface ens33
      virtual_router_id 51
      priority 100        ##### the standby's priority must be lower than the master's
      advert_int 1
      track_script {
          chk_http_port
      }
      # NOTE(review): auth_type PASS carries auth_pass in clear text inside the VRRP
      # advertisements, and "1111" is a trivially guessable sample value. Use a
      # site-specific secret and keep VRRP traffic on a trusted network segment;
      # a host that can speak VRRP on this segment could otherwise claim the virtual IP.
      authentication {
          auth_type PASS
          auth_pass 1111
      }
      virtual_ipaddress {    
    172.16.16.15 #### virtual IP
      }
    }

    [root@localhost /]# service keepalived start
    [root@localhost /]# chkconfig keepalived on

    三.配置Nginx监测脚本

    [root@localhost /]# vi /usr/local/sbin/nginx_pid.sh
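    #!/bin/bash
    # Health check run by keepalived (vrrp_script chk_http_port).
    #
    # If no nginx process exists, try to start nginx once and wait 3 seconds.
    # If nginx is still not running, stop keepalived so that the standby node
    # takes over the virtual IP.
    #
    # The assignment and the `if` must be separate commands: written on one line,
    # bash treats `if` as an ordinary command name and the script fails to parse.
    #
    # NOTE(review): keepalived runs this file itself, presumably as root. Keep it
    # owned by root, executable, and not writable by any other account.
    # `killall` is provided by the psmisc package.
    nginx_count=$(ps -C nginx --no-header | wc -l)
    if [ "$nginx_count" -eq 0 ]; then
        /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
        sleep 3
        # Second look after the restart attempt; give up the VIP if nginx is still down.
        if [ "$(ps -C nginx --no-header | wc -l)" -eq 0 ]; then
            killall keepalived
        fi
    fi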

    [root@localhost /]# service keepalived restart

    四.配置nginx四层负载均衡

    [root@localhost /]# vi /usr/local/nginx/conf/nginx_4.conf
    # Layer-4 (stream) load balancer: forwards raw TCP for SSH and MySQL to two backends.
    #user nobody;
    worker_processes auto;
    #error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;
    #pid       logs/nginx.pid;
    events {
      worker_connections  1024;
    }
    stream {
      # Log format: client address and port, time, status, protocol, then upstream
      # address, bytes sent upstream and upstream connect time.
      log_format proxy '$remote_addr $remote_port - [$time_local] $status $protocol '
                         '"$upstream_addr" "$upstream_bytes_sent" "$upstream_connect_time"' ;
       # NOTE(review): the access_log below is commented out, so proxied SSH/MySQL
       # connections leave no record on the balancer; enable it if these
       # connections need to be auditable.
       #access_log /var/log/nginx/proxy.log proxy;

    # Backends for SSH (port 22)
      upstream ssh {
              # Consistent hash on the client address keeps a client on the same backend.
              hash $remote_addr consistent;
              server 172.16.16.16:22;
              server 172.16.16.17:22;
      }
    # Backends for MySQL (port 3306)
      upstream mysql {
              hash $remote_addr consistent;
              server 172.16.16.16:3306;
              server 172.16.16.17:3306;
      }
      # NOTE(review): "listen 2021" / "listen 2022" bind every interface and no
      # allow/deny rules are configured, so any host that can reach the balancer can
      # reach SSH and MySQL on the backends. With this configuration the backends see
      # the balancer as the connecting peer, so per-client-IP controls and logs on the
      # backends no longer identify the real client. Restrict the permitted sources
      # here (stream allow/deny) or at the firewall.
      server {
              listen 2021;
              proxy_connect_timeout 3s;
              proxy_timeout 300s;
              proxy_pass ssh;
      }

      server {
              listen 2022;
              proxy_connect_timeout 3s;
              # NOTE(review): proxy_timeout is the limit between two successive reads or
              # writes; at 3s an idle MySQL session is closed after three seconds,
              # unlike the 300s used for SSH above - confirm this is intended.
              proxy_timeout 3s;
              proxy_pass mysql;
      }
    }

    [root@localhost nginx]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx_4.conf

    五.配置nginx七层负载均衡

    5.1nginx七层负载均衡—HTTP

    [root@localhost /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
    [root@localhost /]# vi /usr/local/nginx/conf/nginx.conf
    # Layer-7 HTTP load balancer: proxies /imedical/web to the R-Server upstream group.
    #user nobody;
    worker_processes auto;
    #error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;
    events {
      use epoll;
      worker_connections  65535;
    }
    http
    {
    include       mime.types;
    default_type application/octet-stream;
    # Do not advertise the nginx version in response headers and error pages.
    server_tokens off;

      # ip_hash keeps requests from one client address on the same backend.
      upstream R-Server {
      ip_hash;
      server 172.16.16.16:80;
      server 172.16.16.17:80;
      }
    # HTTP server
      # NOTE(review): this listener is plain HTTP only, and no X-Forwarded-For /
      # X-Real-IP header is set, so the backends presumably log the balancer's
      # address instead of the client's - confirm what the application needs
      # for auditing.
      server {
          listen       80;
          server_name localhost;
          location /imedical/web {
              proxy_pass   http://R-Server;
              # HTTP/1.1 plus the Upgrade/Connection headers let WebSocket upgrades through.
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
          }
          # Serve the static 50x.html page for upstream/server errors.
          error_page   500 502 503 504 /50x.html;
          location = /50x.html {
              root   html;
              }    
      }
    }

    5.2nginx七层负载均衡—HTTPS

    5.2.1自签发SSL证书

    [root@localhost /]# mkdir CA-Server
    [root@localhost /]# cd CA-Server/
    [root@localhost CA-Server]# openssl genrsa -des3 -out server.key 2048
    #会有两次要求输入密码,输入同一个即可,然后你就获得了一个server.key文件
    #以后使用此文件(通过openssl提供的命令或API)可能经常会要求输入密码,如果想去除输入密码的步骤可以使用以下命令(注意:去除密码后私钥以明文形式保存在磁盘上,应将server.key的权限限制为仅root可读,例如chmod 600):
    [root@localhost CA-Server]# openssl rsa -in server.key -out server.key

    #创建服务器证书的申请文件server.csr,运行:
    [root@localhost CA-Server]# openssl req -new -key server.key -out server.csr
    #其中Country Name填CN,Common Name填主机名,也可以不填,但不填的话浏览器会认为不安全.(例如你以后的url为https://abcd/xxxx….这里就可以填abcd),其他的都可以不填.(注意:现代浏览器校验的是证书中的subjectAltName而不是Common Name;自签发证书在被客户端显式信任之前仍会提示不安全.)

    #创建CA证书:
    [root@localhost CA-Server]# openssl req -new -x509 -key server.key -out ca.crt -days 3650
    #此时,你可以得到一个ca.crt的证书,这个证书用来给自己的证书签名.(注意:这里CA证书与服务器证书共用同一个私钥server.key,只适合测试环境;正式环境应为CA单独生成私钥并与服务器分开保管.)

    #创建自当前日期起有效期为期十年的服务器证书server.crt:
    [root@localhost CA-Server]# openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt

    #ls你的文件夹,可以看到一共生成了5个文件:
    ca.crt   ca.srl   server.crt   server.csr   server.key
    #其中,server.crt和server.key就是你的nginx需要的证书文件.(下文Nginx配置引用的路径是/usr/local/nginx/ssl/,需要先把这两个文件复制到该目录,并保持server.key仅root可读.)

    5.2.2配置Nginx

    [root@localhost /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
    [root@localhost /]# vi /usr/local/nginx/conf/nginx.conf
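    # Layer-7 load balancer with an HTTP listener (80) and a TLS listener (443).
    # TLS is terminated here; traffic to the R-Server backends is plain HTTP on port 80.
    #user nobody;
    worker_processes auto;
    #error_log logs/error.log;
    #error_log logs/error.log notice;
    #error_log logs/error.log info;
    events {
      use epoll;
      worker_connections  65535;
    }
    http
    {
    include       mime.types;
    default_type application/octet-stream;
    # Do not advertise the nginx version in response headers and error pages.
    server_tokens off;

      # ip_hash keeps requests from one client address on the same backend.
      upstream R-Server {
      ip_hash;
      server 172.16.16.16:80;
      server 172.16.16.17:80;
      server 172.16.16.18:80;
      }
    # HTTP server
      server {
          listen       80;
          server_name localhost;
          location /imedical/web {
              proxy_pass   http://R-Server;
              # HTTP/1.1 plus the Upgrade/Connection headers let WebSocket upgrades through.
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
          }
          error_page   500 502 503 504 /50x.html;
          location = /50x.html {
              root   html;
          }
      }

    # HTTPS server
      server {
          listen       443 ssl;
          server_name localhost;

          # Certificate and key must exist at these paths; the key file should be
          # readable by root only.
          ssl_certificate     /usr/local/nginx/ssl/server.crt;
          ssl_certificate_key /usr/local/nginx/ssl/server.key;

          ssl_session_cache   shared:SSL:1m;
          ssl_session_timeout 5m;

          # Pin the protocol versions explicitly rather than relying on the built-in
          # default, which in this nginx release still permits TLSv1 and TLSv1.1.
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_ciphers HIGH:!aNULL:!MD5;
          ssl_prefer_server_ciphers on;
          location / {
                # The upstream members listen on port 80 and are reached over plain HTTP
                # by the server block above, so the scheme here must be http://; with
                # https:// nginx would attempt a TLS handshake against port 80.
                proxy_pass   http://R-Server;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
          }
      }
    }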

     

  • 原文地址:https://www.cnblogs.com/liuqingliang/p/14986067.html