zoukankan      html  css  js  c++  java

  • Nginx+Keepalived实现四层及七层负载均衡

    Nginx+Keepalived实现四层及七层负载均衡

    一.Nginx及Openssl编译安装

    1.卸载就版本Nginx及Openssl
    [root@localhost ~]# yum remove nginx
    [root@localhost ~]# yum remove openssl

    2.安装编译环境依赖
    [root@localhost ~]# yum -y install gcc gcc-c++ autoconf automake make
    [root@localhost ~]# yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel psmisc

    3.下载最新版Nginx及openssl(http://nginx.org/en/download.html)
    [root@localhost ~]# mkdir /opt/nginx
    [root@localhost ~]# cd /opt/nginx/
    [root@localhost nginx]# wget http://nginx.org/download/nginx-1.21.1.tar.gz
    [root@localhost nginx]# wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz

    4.编译安装Openssl
    [root@localhost nginx]# tar xzvf openssl-1.1.1k.tar.gz
    [root@localhost nginx]# cd openssl-1.1.1k
    [root@localhost openssl-1.1.1k]# ./config
    [root@localhost openssl-1.1.1k]# make && make install

    5.编译安装Nginx
    [root@localhost nginx]# tar xzvf nginx-1.21.1.tar.gz
    [root@localhost nginx]# cd nginx-1.21.1
    [root@localhost nginx-1.21.1]# ./configure --with-stream  --with-openssl=/opt/nginx/openssl-1.1.1k --with-http_ssl_module
    [root@localhost nginx-1.21.1]# make && make install

    6.添加系统变量
    [root@localhost /]# vi /usr/lib/systemd/system/nginx.service
    [Unit]
    Description=nginx - high performance web server
    Documentation=http://nginx.org/en/docs/
    After=network.target remote-fs.target nss-lookup.target
    [Service]
    Type=forking
    PIDFile=/usr/local/nginx/logs/nginx.pid
    ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
    ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
    ExecReload=/bin/kill -s HUP $MAINPID
    ExecStop=/bin/kill -s QUIT $MAINPID
    PrivateTmp=true
    [Install]
    WantedBy=multi-user.target

    7.[root@localhost /]# systemctl start nginx

    二.keepalived安装

    [root@localhost /]# yum install -y keepalived
    [root@localhost /]# mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
    [root@localhost /]# vi /etc/keepalived/keepalived.conf
    ! Configuration File for keepalived
    global_defs {
    #   notification_email {    ####此处定义发生替换会邮件通知
    #     cuimingkun@yinwuweiye.com
    #   }
    #   notification_email_from liuqingliang@domain.com
    #   smtp_server 127.0.0.1
    #   smtp_connect_timeout 30
       router_id NGINX_BACK
    }
    vrrp_script chk_http_port {
                    script "/usr/local/sbin/nginx_pid.sh" ##监控脚本位置
                    interval 2
                    weight 2
    }
    vrrp_instance VI_1 {
        state MASTER        #####备机为BACKUP
        interface ens33
        virtual_router_id 51
        priority 100        #####备机要小于主
        advert_int 1
        track_script {
           chk_http_port
        }
        authentication {
            auth_type PASS
            auth_pass 1111
        }
        virtual_ipaddress {     
            172.16.16.15 ####虚拟IP
        }
    }

    [root@localhost /]# service keepalived start
    [root@localhost /]# chkconfig keepalived on

    三.配置Nginx监测脚本

    [root@localhost /]# vi /usr/local/sbin/nginx_pid.sh
    #!/bin/bash
    A=`ps -C nginx --no-header |wc -l` if [ $A -eq 0 ];then
            /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
            sleep 3
            if [ `ps -C nginx --no-header |wc -l` -eq 0 ];then
                    killall keepalived
            fi
    fi

    [root@localhost /]# service keepalived restart

    四.配置nginx四层负载均衡

    [root@localhost /]# vi /usr/local/nginx/conf/nginx_4.conf
    #user  nobody;
    worker_processes  auto;
    #error_log  logs/error.log;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;
    #pid        logs/nginx.pid;
    events {
        worker_connections  1024;
    }
    stream {
        log_format  proxy '$remote_addr $remote_port - [$time_local] $status $protocol '
                          '"$upstream_addr" "$upstream_bytes_sent" "$upstream_connect_time"' ;
        #access_log /var/log/nginx/proxy.log proxy;

    #定义转发ssh的22端口
        upstream ssh {
                hash $remote_addr consistent;
                server 172.16.16.16:22;
                server 172.16.16.17:22;
        }
    #定义转发mysql的3306端口
        upstream mysql {
                hash $remote_addr consistent;
                server 172.16.16.16:3306;
                server 172.16.16.17:3306;
        }
        server {
                listen 2021;
                proxy_connect_timeout 3s;
                proxy_timeout 300s;
                proxy_pass ssh;
        }

        server {
                listen 2022;
                proxy_connect_timeout 3s;
                proxy_timeout 3s;
                proxy_pass mysql;
        }
    }

    root@localhost nginx]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx_4.conf

    五.配置nginx七层负载均衡

    5.1nginx七层负载均衡—HTTP

    [root@localhost /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
    [root@localhost /]# vi /usr/local/nginx/conf/nginx.conf
    #user  nobody;
    worker_processes  auto;
    #error_log  logs/error.log;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;
    events {
        use epoll;
        worker_connections  65535;
    }
    http 
    {
      include       mime.types;
      default_type  application/octet-stream;
      server_tokens off;

        upstream R-Server {
        ip_hash;
        server 172.16.16.16:80;
        server 172.16.16.17:80;
        }
    #HTTP-server    
        server {
            listen       80;
            server_name  localhost;
            location /imedical/web {
                proxy_pass   http://R-Server;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
            }
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
                }     
        }
    }

    5.2nginx七层负载均衡—HTTPS

    5.2.1自签发SSL证书

    [root@localhost /]# mkdir CA-Server
    [root@localhost /]# cd CA-Server/
    [root@localhost CA-Server]# openssl genrsa -des3 -out server.key 2048
    #会有两次要求输入密码,输入同一个即可,然后你就获得了一个server.key文件
    #以后使用此文件(通过openssl提供的命令或API)可能经常回要求输入密码,如果想去除输入密码的步骤可以使用以下命令:
    [root@localhost CA-Server]# openssl rsa -in server.key -out server.key

    #创建服务器证书的申请文件server.csr,运行:
    [root@localhost CA-Server]# openssl req -new -key server.key -out server.csr
    #其中Country Name填CN,Common Name填主机名也可以不填,如果不填浏览器会认为不安全.(例如你以后的url为https://abcd/xxxx….这里就可以填abcd),其他的都可以不填. 

    #创建CA证书:
    [root@localhost CA-Server]# openssl req -new -x509 -key server.key -out ca.crt -days 3650
    #此时,你可以得到一个ca.crt的证书,这个证书用来给自己的证书签名. 

    #创建自当前日期起有效期为期十年的服务器证书server.crt:
    [root@localhost CA-Server]# openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt

    #ls你的文件夹,可以看到一共生成了5个文件:
    ca.crt   ca.srl    server.crt   server.csr   server.key
    #其中,server.crt和server.key就是你的nginx需要的证书文件.

    5.2.2配置Nginx

    [root@localhost /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
    [root@localhost /]# vi /usr/local/nginx/conf/nginx.conf
    #user  nobody;
    worker_processes  auto;
    #error_log  logs/error.log;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;
    events {
        use epoll;
        worker_connections  65535;
    }
    http 
    {
      include       mime.types;
      default_type  application/octet-stream;
      server_tokens off;

        upstream R-Server {
        ip_hash;
        server 172.16.16.16:80;
        server 172.16.16.17:80;
        server 172.16.16.18:80;
        }
    #HTTP-server    
        server {
            listen       80;
            server_name  localhost;
            location /imedical/web {
                proxy_pass   http://R-Server;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
            }
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
                }     
        }

    #HTTPS-server
        server {
            listen       443 ssl;
            server_name  localhost;

            ssl_certificate      /usr/local/nginx/ssl/server.crt;
            ssl_certificate_key  /usr/local/nginx/ssl/server.key;

            ssl_session_cache    shared:SSL:1m;
            ssl_session_timeout  5m;

            ssl_ciphers  HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers  on;
            location / {
                 proxy_pass   https://R-Server;
                 proxy_http_version 1.1;
                 proxy_set_header Upgrade $http_upgrade;
                 proxy_set_header Connection "upgrade";
            }
        }
    }

     
  • 相关阅读:
    扫描线算法
    [Baltic 2001]Mars Maps
    Lost Cow
    李超线段树
    多种方法求解Pku3468 A Simple Problem with Integers
    陈老师的福利
    leetcode 673. 最长递增子序列的个数
    #10043.「一本通 2.2 例 1」剪花布条
    PTA7-1
    6-1 实验三哈夫曼树 (15分)
  • 原文地址:https://www.cnblogs.com/liuqingliang/p/14986067.html
Copyright © 2011-2022 走看看