lvs-nat模式实现http和https两种负载均衡集群

其他 2020-08-12 06:58:40 阅读次数: 0

环境

名称 IP 类型
客户机 172.50.150.200 CIP
DR 172.50.150.100 VIP
DR 192.168.153.20 DIP
RS1 192.168.153.22 RIP
RS2 192.168.153.25 RIP

搭建HTTP负载均衡集群

1. 在Client上配置CIP,模拟公网地址

[root@Client ~]# cat /etc/sysconfig/network-scripts/ifcfg-eno16777736 
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
NAME=eno16777736
DEVICE=eno16777736
ONBOOT=yes
IPADDR=172.50.150.200
NETMASK=255.255.255.0
GATEWAY=172.50.150.0
DNS=114.114.114.114

2. 在DR上配置DIP和VIP

配置VIP

[root@DR ~]#  cat /etc/sysconfig/network-scripts/ifcfg-eno2 
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
NAME=eno2
DEVICE=eno2
ONBOOT=yes
IPADDR=172.50.150.100
NETMASK=255.255.255.0
GATEWAY=172.50.150.200 //指向CIP
DNS1=114.114.114.114
[root@DR ~]# systemctl restart network

配置DIP

[root@DR ~]#  cat /etc/sysconfig/network-scripts/ifcfg-eno16777736 
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
NAME=eno16777736
DEVICE=eno16777736
ONBOOT=yes
IPADDR=192.168.153.20
NETMASK=255.255.255.0
GATEWAY=192.168.153.2
DNS1=114.114.114.114

3.在DR上开启IP转发,配置转发规则

开启转发功能

[root@DR ~]# vim /etc/sysctl.conf
[root@DR ~]# sysctl -p
net.ipv4.ip_forward = 1

配置规则

[root@DR ~]# yum -y install ipvsadm
[root@DR ~]# ipvsadm -A -t 172.50.150.100:80 -s rr
[root@DR ~]# ipvsadm -a -t 172.50.150.100:80 -r 192.168.153.22:80 -m
[root@DR ~]# ipvsadm -a -t 172.50.150.100:80 -r 192.168.153.25:80 -m
[root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm

查看规则

[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.50.150.100:80 rr
  -> 192.168.153.22:80            Masq    1      0          0         
  -> 192.168.153.25:80            Masq    1      0          0

4. 在RS上配置RIP,并将网关指向DIP

[root@RS1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eno16777736 

TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
NAME=eno16777736
DEVICE=eno16777736
ONBOOT=yes
IPADDR=192.168.153.22
GATEWAY=192.168.153.20
NETMASK=255.255.255.0
DNS1=114.114.114.114
[root@RS1 ~]# systemctl restart network

[root@RS2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eno16777736 
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
NAME=eno16777736
DEVICE=eno16777736
ONBOOT=yes
IPADDR=192.168.153.25
GATEWAY=192.168.153.20
NETMASK=255.255.255.0
DNS1=114.114.114.114
[root@RS2 ~]# systemctl restart network

5. 在RS上配置HTTP

[root@RS1 ~]# cd /var/www/html/
[root@RS1 html]# echo 'RS1' > index.html
[root@RS1 html]# systemctl start httpd

[root@RS2 ~]# cd /var/www/html/
[root@RS2 html]# echo 'RS1' > index.html
[root@RS2 html]# systemctl start httpd

6. 客户端访问验证

[root@Client ~]# for i in $(seq 4);do curl 172.50.150.100 ;done
RS2
RS1
RS2
RS1

搭建HTTPS负载均衡集群

1. 生成证书

生成一对秘钥

[root@DR ~]# cd /etc/pki/CA
[root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
..+++
e is 65537 (0x10001)

生成自签署证书

[root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:a.com
Organizational Unit Name (eg, section) []:acom
Common Name (eg, your name or your server's hostname) []:a.com
Email Address []:[email protected]
[root@DR CA]# touch index.txt && echo 01 > serial

在RS生成证书签署请求,并发送给CA

[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
...................................................................+++
e is 65537 (0x10001)
[root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:a.com
Organizational Unit Name (eg, section) []:a.com
Common Name (eg, your name or your server's hostname) []:a.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@RS1 ssl]# ls
httpd.csr  httpd.key
[root@RS1 ssl]# scp httpd.csr [email protected]:/root

CA签署证书并发给客户端

[root@DR ~]# ls
httpd.csr
[root@DR ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 24 13:15:07 2020 GMT
            Not After : Jul 24 13:15:07 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = aaa.com
            organizationalUnitName    = aaa.com
            commonName                = aaa.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B5:D7:DC:0C:4C:84:F9:7B:3D:B4:7C:10:CD:96:87:C8:87:56:47:FD
            X509v3 Authority Key Identifier: 
                keyid:1B:FE:4E:5C:52:2F:11:4C:E2:66:73:9E:DD:77:8C:F1:8E:E3:9E:54

Certificate is to be certified until Jul 24 13:15:07 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@DR ~]# ls
httpd.crt  httpd.csr

CA把签署好的证书httpd.crt和服务端的证书cacert.pem发给客户端

[root@DR ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
[root@DR ~]# scp /etc/pki/CA/cacert.pem [email protected]:/etc/httpd/ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl
[root@DR ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
[root@DR ~]# scp /etc/pki/CA/cacert.pem [email protected]:/etc/httpd/ssl

2. 配置HTTPS

在RS1上将httpd.key传给RS2,并在RS上安装ssl模块

[root@RS1 ssl]# ls
cacert.pem  httpd.crt  httpd.key
[root@RS1 ssl]# scp httpd.key [email protected]:/etc/httpd/ssl
[root@RS1 ssl]# yum -y install mod_ssl

RS2上查看是否拥有证书和秘钥

[root@RS2 ssl]# ls
cacert.pem  httpd.crt  httpd.key
[root@RS2 ssl]# yum -y install mod_ssl

在RS1上编辑配置文件

[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf 
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
//将下面两行删除注释,并修改域名
DocumentRoot "/var/www/html"
ServerName aaa.com:443

//修改下面没有带注释的行
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
[root@RS1 ~]# systemctl restart httpd

RS2配置同上

3. 在DR上配置规则

[root@DR ~]# ipvsadm -A -t 172.50.150.100:443 -s rr
[root@DR ~]# ipvsadm -a -t 172.50.150.100:443 -r 192.168.153.22 -m
[root@DR ~]# ipvsadm -a -t 172.50.150.100:443 -r 192.168.153.25 -m
[root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.50.150.100:80 rr
  -> 192.168.153.22:80           Masq    1      0          0         
  -> 192.168.153.25:80           Masq    1      0          0         
TCP  172.50.150.100:443 rr
  -> 192.168.153.22:443          Masq    1      0          0         
  -> 192.168.153.25:443          Masq    1      0          0

4. 客户端访问验证

[root@Client ~]# for i in $(seq 4);do curl 172.50.150.100 ;done
RS2
RS1
RS2
RS1

猜你喜欢

转载自blog.csdn.net/lnsistw/article/details/107623112
今日推荐
《美国对全球网络空间安全与发展的威胁和破坏》报告发布
火速冲上 GitHub 热榜 —— 开源编程语言、框架哪有这么可爱?
北京人形机器人创新中心发布全球首个纯电驱拟人奔跑的全尺寸人形机器人“天工”
LFOSSA 源来如此公开课 | 掌握云原生未来:CNCF 认证全面攻略与备考秘籍
周排行
循环神经网络(rnn)讲解
Tigao教程四:单独的关节运动
金蝶K3WISE15.0-注册套打教程
如何在Mac上配置Kubernetes
Android应用结束自身进程的方法
SpringMVC学习 十三 拦截器栈
中国驻洛杉矶总领馆举行新春招待会
HttpClient get post 发送
11 - three.js 笔记 - 绘制三维字体模型
Mysql递归获取某个父节点下面的所有子节点和子节点上的所有父节点
每日归档
更多
2024-05-01(4)
2024-04-30(1)
2024-04-29(40)
2024-04-28(0)
2024-04-27(56)
2024-04-26(39)
2024-04-25(22)
2024-04-24(36)
2024-04-23(26)
2024-04-22(39)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022