环境
名称 | IP | 类型 |
---|---|---|
客户机 | 172.50.150.200 | CIP |
DR | 172.50.150.100 | VIP |
DR | 192.168.153.20 | DIP |
RS1 | 192.168.153.22 | RIP |
RS2 | 192.168.153.25 | RIP |
搭建HTTP负载均衡集群
1. 在Client上配置CIP,模拟公网地址
[root@Client ~]# cat /etc/sysconfig/network-scripts/ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
NAME=eno16777736
DEVICE=eno16777736
ONBOOT=yes
IPADDR=172.50.150.200
NETMASK=255.255.255.0
GATEWAY=172.50.150.0
DNS=114.114.114.114
2. 在DR上配置DIP和VIP
配置VIP
[root@DR ~]# cat /etc/sysconfig/network-scripts/ifcfg-eno2
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
NAME=eno2
DEVICE=eno2
ONBOOT=yes
IPADDR=172.50.150.100
NETMASK=255.255.255.0
GATEWAY=172.50.150.200 //指向CIP
DNS1=114.114.114.114
[root@DR ~]# systemctl restart network
配置DIP
[root@DR ~]# cat /etc/sysconfig/network-scripts/ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
NAME=eno16777736
DEVICE=eno16777736
ONBOOT=yes
IPADDR=192.168.153.20
NETMASK=255.255.255.0
GATEWAY=192.168.153.2
DNS1=114.114.114.114
3.在DR上开启IP转发,配置转发规则
开启转发功能
[root@DR ~]# vim /etc/sysctl.conf
[root@DR ~]# sysctl -p
net.ipv4.ip_forward = 1
配置规则
[root@DR ~]# yum -y install ipvsadm
[root@DR ~]# ipvsadm -A -t 172.50.150.100:80 -s rr
[root@DR ~]# ipvsadm -a -t 172.50.150.100:80 -r 192.168.153.22:80 -m
[root@DR ~]# ipvsadm -a -t 172.50.150.100:80 -r 192.168.153.25:80 -m
[root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
查看规则
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.50.150.100:80 rr
-> 192.168.153.22:80 Masq 1 0 0
-> 192.168.153.25:80 Masq 1 0 0
4. 在RS上配置RIP,并将网关指向DIP
[root@RS1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
NAME=eno16777736
DEVICE=eno16777736
ONBOOT=yes
IPADDR=192.168.153.22
GATEWAY=192.168.153.20
NETMASK=255.255.255.0
DNS1=114.114.114.114
[root@RS1 ~]# systemctl restart network
[root@RS2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
NAME=eno16777736
DEVICE=eno16777736
ONBOOT=yes
IPADDR=192.168.153.25
GATEWAY=192.168.153.20
NETMASK=255.255.255.0
DNS1=114.114.114.114
[root@RS2 ~]# systemctl restart network
5. 在RS上配置HTTP
[root@RS1 ~]# cd /var/www/html/
[root@RS1 html]# echo 'RS1' > index.html
[root@RS1 html]# systemctl start httpd
[root@RS2 ~]# cd /var/www/html/
[root@RS2 html]# echo 'RS1' > index.html
[root@RS2 html]# systemctl start httpd
6. 客户端访问验证
[root@Client ~]# for i in $(seq 4);do curl 172.50.150.100 ;done
RS2
RS1
RS2
RS1
搭建HTTPS负载均衡集群
1. 生成证书
生成一对秘钥
[root@DR ~]# cd /etc/pki/CA
[root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
..+++
e is 65537 (0x10001)
生成自签署证书
[root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:a.com
Organizational Unit Name (eg, section) []:acom
Common Name (eg, your name or your server's hostname) []:a.com
Email Address []:[email protected]
[root@DR CA]# touch index.txt && echo 01 > serial
在RS生成证书签署请求,并发送给CA
[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
...................................................................+++
e is 65537 (0x10001)
[root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:a.com
Organizational Unit Name (eg, section) []:a.com
Common Name (eg, your name or your server's hostname) []:a.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@RS1 ssl]# ls
httpd.csr httpd.key
[root@RS1 ssl]# scp httpd.csr [email protected]:/root
CA签署证书并发给客户端
[root@DR ~]# ls
httpd.csr
[root@DR ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 24 13:15:07 2020 GMT
Not After : Jul 24 13:15:07 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = aaa.com
organizationalUnitName = aaa.com
commonName = aaa.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B5:D7:DC:0C:4C:84:F9:7B:3D:B4:7C:10:CD:96:87:C8:87:56:47:FD
X509v3 Authority Key Identifier:
keyid:1B:FE:4E:5C:52:2F:11:4C:E2:66:73:9E:DD:77:8C:F1:8E:E3:9E:54
Certificate is to be certified until Jul 24 13:15:07 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@DR ~]# ls
httpd.crt httpd.csr
CA把签署好的证书httpd.crt和服务端的证书cacert.pem发给客户端
[root@DR ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
[root@DR ~]# scp /etc/pki/CA/cacert.pem [email protected]:/etc/httpd/ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl
[root@DR ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
[root@DR ~]# scp /etc/pki/CA/cacert.pem [email protected]:/etc/httpd/ssl
2. 配置HTTPS
在RS1上将httpd.key传给RS2,并在RS上安装ssl模块
[root@RS1 ssl]# ls
cacert.pem httpd.crt httpd.key
[root@RS1 ssl]# scp httpd.key [email protected]:/etc/httpd/ssl
[root@RS1 ssl]# yum -y install mod_ssl
RS2上查看是否拥有证书和秘钥
[root@RS2 ssl]# ls
cacert.pem httpd.crt httpd.key
[root@RS2 ssl]# yum -y install mod_ssl
在RS1上编辑配置文件
[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
//将下面两行删除注释,并修改域名
DocumentRoot "/var/www/html"
ServerName aaa.com:443
//修改下面没有带注释的行
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
[root@RS1 ~]# systemctl restart httpd
RS2配置同上
3. 在DR上配置规则
[root@DR ~]# ipvsadm -A -t 172.50.150.100:443 -s rr
[root@DR ~]# ipvsadm -a -t 172.50.150.100:443 -r 192.168.153.22 -m
[root@DR ~]# ipvsadm -a -t 172.50.150.100:443 -r 192.168.153.25 -m
[root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.50.150.100:80 rr
-> 192.168.153.22:80 Masq 1 0 0
-> 192.168.153.25:80 Masq 1 0 0
TCP 172.50.150.100:443 rr
-> 192.168.153.22:443 Masq 1 0 0
-> 192.168.153.25:443 Masq 1 0 0
4. 客户端访问验证
[root@Client ~]# for i in $(seq 4);do curl 172.50.150.100 ;done
RS2
RS1
RS2
RS1