haproxy,I/O模型,nginx,tomcat
一、实现haproxy和Keepalived的高可用
路由拓扑:
- 全部服务器初始化环境:
cd /etc/yum.repos.d/
yum install -y wget
wget http://mirrors.aliyun.com/repo/Centos-7.repo
wget http://mirrors.aliyun.com/repo/epel-7.repo
mv CentOS-Base.repo CentOS-Base.repo.bak
sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
yum clean all
yum makecache
systemctl disable firewalld
sed -i 's/SELINUX=enforcing$/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
- web服务器搭建
编译httpd和LAMP搭建方法:LAMP
用yum安装http方式:
hostnamectl set-hostname web
yum install -y httpd
echo web-192.168.116.134>/var/www/html/index.html
systemctl start httpd
- 将2台服务器都编译安装haproxy
haproxy需要安装lua环境,所以需要编译lua
编译lua:
yum install -y gcc readline-devel
wget http://www.lua.org/ftp/lua-5.3.5.tar.gz
tar xf lua-5.3.5.tar.gz -C /usr/local
cd /usr/local/lua-5.3.5/
make linux test
编译haproxy:
yum -y install gcc openssl-devel pcre-devel systemd-devel
wget https://src.fedoraproject.org/repo/pkgs/haproxy/haproxy-2.2.6.tar.gz/sha512/b9afa4a4112dccaf192fce07b1cdbb1547060d998801595147a41674042741b62852f65a65aa9b2d033db8808697fd3a522494097710a19071fbb0c604544de5/haproxy-2.2.6.tar.gz
tar xf haproxy-2.2.6.tar.gz
cd haproxy-2.2.6
make ARCH=x86_64 TARGET=linux-glibc USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1 USE_LUA=1 LUA_INC=/usr/local/lua-5.3.5/src/ LUA_LIB=/usr/local/lua-5.3.5/src/
make install PREFIX=/haproxy
添加变量
echo 'PATH=/haproxy/sbin:$PATH' > /etc/profile.d/haproxy.sh
source /etc/profile.d/haproxy.sh
mkdir /haproxy/log
mkdir /haproxy/pid
mkdir /haproxy/etc
添加service
vi /usr/lib/systemd/system/haproxy.service
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target
[Service]
ExecStartPre=/haproxy/sbin/haproxy -f /haproxy/etc/haproxy.cfg -c -q
ExecStart=/haproxy/sbin/haproxy -Ws -f /haproxy/etc/haproxy.cfg -p /haproxy/pid/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
vi /haproxy/etc/haproxy.cfg 创建配置文件
global
maxconn 100000
chroot /haproxy
stats socket /haproxy/haproxy.sock mode 600 level admin
#uid 99
#gid 99
user haproxy
group haproxy
daemon
#nbproc 4
#cpu-map 1 0
#cpu-map 2 1
#cpu-map 3 2
#cpu-map 4 3
pidfile /haproxy/pid/haproxy.pid
log 127.0.0.1 local2 info
defaults
option http-keep-alive
option forwardfor
maxconn 100000
mode http
timeout connect 300000ms
timeout client 300000ms
timeout server 300000ms
listen stats #创建状态页面
mode http
bind 0.0.0.0:9999
stats enable
log global
stats uri /haproxy-status
stats auth admin:admin
useradd -r -s /sbin/nologin -d /haproxy/ haproxy 添加账户
chown haproxy.haproxy -R /haproxy
systemctl daemon-reload
systemctl start haproxy
开启日志记录,和rsyslog搭配使用
vi /etc/rsyslog.conf
#### MODULES #### 全局配置下开启
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
#### RULES #### 定义日志记录路径
local2.* /haproxy/log/haproxy.log
systemctl restart rsyslog 重启服务
http://192.168.116.132:9999/haproxy-status 访问状态页面,确认编译完成
http://192.168.116.133:9999/haproxy-status 访问状态页面,确认编译完成
输入账户admin,密码amdin
- 将2台服务器再编译Keepalived
yum install gcc curl openssl-devel libnl3-devel net-snmp-devel -y
wget https://keepalived.org/software/keepalived-2.0.20.tar.gz --no-check-certificate
tar xf keepalived-2.0.20.tar.gz
cd keepalived-2.0.20
./configure --prefix=/usr/local/keepalived
make && make install
mkdir /etc/keepalived
cp keepalived/etc/keepalived/keepalived.conf /etc/keepalived/
默认编译会自动生成service文件,没有的话用下面文件直接编辑使用也行
vi /usr/lib/systemd/system/keepalived.service
[Unit]
Description=LVS and VRRP High Availability Monitor
After=network-online.target syslog.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/run/keepalived.pid
KillMode=process
EnvironmentFile=-/usr/local/keepalived/etc/sysconfig/keepalived
ExecStart=/usr/local/keepalived/sbin/keepalived $KEEPALIVED_OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
- 第一台haproxy配置:
hostnamectl set-hostname haproxy1 设置主机名
内核开启参数,这个参数是IP没配置在网卡也能生效
echo "net.ipv4.ip_nonlocal_bind = 1" >>/etc/sysctl.conf
sysctl -p
配置Keepalived
yum install -y psmisc 安装工具
vi /etc/keepalived/check_haproxy.sh 创建检查脚本,这个是用来切换VIP的
#!/bin/bash
/usr/bin/killall -0 haproxy &>/dev/null
chmod +x /etc/keepalived/check_haproxy.sh
vi /etc/keepalived/keepalived.conf 删除文件内容,改为这些配置
! Configuration File for keepalived
global_defs {
notification_email {
}
notification_email_from [email protected]
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id k1
vrrp_skip_check_adv_addr
vrrp_garp_interval 0
vrrp_gna_interval 0
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 11
priority 100 #优先级值
advert_int 1
authentication {
auth_type PASS
auth_pass 123456
}
virtual_ipaddress {
192.168.116.100/24 dev eth0 label eth0:1
}
track_interface {
eth0
}
track_script {
check_haproxy
}
}
vrrp_script check_haproxy {
script "/etc/keepalived/check_haproxy.sh"
interval 1
weight -30 #这里的值要比2个优先级的差值大。主100-备80=20,要比20大
fall 3
rise 2
timeout 2
}
配置haproxy代理
vi /haproxy/etc/haproxy.cfg 文件底部添加代理
listen web
bind 192.168.116.100:80
mode http
log global
server web1 192.168.116.134:80
systemctl restart keepalived
systemctl restart haproxy
ip a 确认192.168.116.100这个VIP生效
- 第二台haproxy配置:
hostnamectl set-hostname haproxy2 设置主机名
内核开启参数,这个参数是IP没配置在网卡也能生效
echo "net.ipv4.ip_nonlocal_bind = 1" >>/etc/sysctl.conf
sysctl -p
配置Keepalived
yum install -y psmisc 安装工具
vi /etc/keepalived/check_haproxy.sh 创建检查脚本
#!/bin/bash
/usr/bin/killall -0 haproxy &>/dev/null
chmod +x /etc/keepalived/check_haproxy.sh
vi /etc/keepalived/keepalived.conf 删除文件内容,改为这些配置
! Configuration File for keepalived
global_defs {
notification_email {
}
notification_email_from [email protected]
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id k2 #2个服务器名字需要不一致
vrrp_skip_check_adv_addr
vrrp_garp_interval 0
vrrp_gna_interval 0
}
vrrp_instance VI_1 {
state BACKUP #修改这里为backup
interface eth0
virtual_router_id 11
priority 80 #优先级值,备的要低一些
advert_int 1
authentication {
auth_type PASS
auth_pass 123456
}
virtual_ipaddress {
192.168.116.100/24 dev eth0 label eth0:1
}
track_interface {
eth0
}
track_script {
check_haproxy
}
}
vrrp_script check_haproxy {
script "/etc/keepalived/check_haproxy.sh"
interval 1
weight -30 #这里的值要比2个优先级的差值大。主100-备80=20,要比20大
fall 3
rise 2
timeout 2
}
vi /haproxy/etc/haproxy.cfg 文件底部添加代理
listen web
bind 192.168.116.100:80
mode http
log global
server web1 192.168.116.134:80
systemctl restart keepalived
systemctl restart haproxy
ip a 默认VIP在主的Keepalived服务器上,也就是haproxy1这台服务器
- 测试主从是否能切换
客户端访问VIP的网站
while true;do curl http://192.168.116.100;sleep 1;done 一直访问VIP网站
在haproxy1这台关闭haproxy服务,可以看到短暂不能访问后,页面恢复正常访问
systemctl stop haproxy
查看haproxy2的状态
查看到192.168.116.100这个IP被切换到了haproxy2这台服务器上,证明切换成功,实现可haproxy的高可用
ip a
在haproxy1可以看到日志
tail -n 30 /var/log/messages
#这里可以看到Keepalived的优先级从100变成了70
Dec 29 13:23:19 haproxy1 Keepalived_vrrp[43920]: (VI_1) Changing effective priority from 100 to 70
#因为Keepalived1的优先级低于Keepalived2的优先级,也就是70<80,所以Keepalived1变成了backup状态
Dec 29 13:23:22 haproxy1 Keepalived_vrrp[43920]: (VI_1) Master received advert from 192.168.116.133 with higher priority 80, ours 70
Dec 29 13:23:22 haproxy1 Keepalived_vrrp[43920]: (VI_1) Entering BACKUP STATE
二、几种IO模型的原理
数据访问:
- 客户端发起服务器网站访问
- 服务器httpd进程接收请求
- 服务器httpd进程向内核发送数据调用请求
- 内核接收数据调用请求,将数据复制到内核空间
- 内核将内核空间的数据再调用给httpd进程(用户空间)
- httpd进程返回数据给客户端
同步:如客户端访问服务器网站,进程向内核发起请求,在内核调用磁盘的数据过程中,进程一直发送消息询问内核是否完成数据调用,这个就是同步。比如:记者一直发起问题询问被采访人。
异步:如客户端访问服务器网站,进程向内核发起请求,在内核调用磁盘的数据过程中,进程只会等待内核进行数据调用完成,不会一直询问内核,当内核数据调用完成后再通知进程。比如:微信发送消息后,发送方去做其他事情,等待别人的回复再聊天。
同步和异步的区别:注重内核在调用数据过程中的消息通知
阻塞:当客户端发起请问时,进程向内核发起请求,然后一直等待内核调用数据完成,期间进程不能做其他工作。比如年龄,年龄一直增长,但是不能倒退。
非阻塞:当客户端发起请问时,进程向内核发起请求,在等待内核调用数据过程中,进程可以去做其他事情,不会一直等待。比如:看网络视频时,遇到广告就去上洗手间一样。
阻塞和非阻塞区别:注重在内核调用数据过程中进程的状态
- 阻塞型(同步阻塞)
在这个过程中,进程会一直等待内核的数据调用,同时还会一直询问内核是否调用完成,期间不会去做其他工作。当内核空间复制完成后,httpd接收数据到用户空间,然后返回用户。httpd进程一直属于阻塞状态。
特性:数据不会丢失,数据完整性高。每个请求就会挂起一个进程,会造成系统资源的浪费,当发生大量请求时,系统容易卡死。
- 非阻塞型(同步非阻塞)
在这个过程中,进程会一直询问内核是否调用完成,但是等待期间可以去做其他事情。一旦内核空间复制完成,httpd进程需要接收数据到用户空间,然后返回数据。
特点:数据基本不会丢失,数据完整性较高。每个请求就会挂起一个进程,会造成系统资源的浪费,当发生大量请求时,系统容易卡死。
- 多路复用型(异步半阻塞)
在这个过程中,httpd进程只需要向代理进程发起代理请求后,代理进程会把请求转护给内核,询问都是代理进程进行询问,代理进程属于阻塞状态,而httpd进程可以接收更多请求。当内核空间复制完成后,httpd进程接收数据到内核空间,然后返回数据。
特性:httpd进程可以接收更多请求,适用于多个协议的不同请求,系统资源利用率较高。
- 信号驱动型(异步半阻塞)
在这个过程中,httpd进程发送信号请求给内核,内核收到请求后进行系统调用,期间httpd进程去做其他事情,不会生成询问。只有当内核空间复制完成后,内核发送信号通知httpd进程接收数据,在httpd进程接收数据过程中属于阻塞状态。
特性:httpd进程可以接收更多请求,系统资源利用率提高,但是当发生大量请求时,信号队列会有延迟,数据可能会不能及时同步。
- 异步非阻塞
在这个过程中,httpd进程接到请求后就发送请求给内核,内核收到请求后进行系统调用,期间httpd进程可以去做其他事情,不会生成询问。当用户空间复制完成后,通知httpd进程返回数据给客户。
特性:能接收大量请求,系统资源利用性高。
三、haproxy配置虚拟主机,实现强制https跳转访问www.test.haproxy.com(test.haproxy.com为自己定义的域名)
路由拓扑:
- web服务器搭建:
编译httpd和LAMP搭建方法:LAMP
用yum安装http方式:
hostnamectl set-hostname web
yum install -y httpd
echo web-192.168.116.134>/var/www/html/index.html
systemctl start httpd
- 按照上面编译安装haproxy
ssl证书原理:ssl
在haproxy服务器上生成证书:
mkdir /haproxy/etc/ssl -p 创建ssl证书存放目录
cd /haproxy/etc/ssl/
vi ssl.sh 利用脚本快速生成证书
#!/bin/bash
#设置CA
CA_SUBJECT="/O=heaven/CN=haproxy.com"
#设置客户端名称
SUBJECT="/C=CN/ST=Beijing/L=Beijing/O=nginx/CN=test.haproxy.com"
#设置证书文件名
FILE=www.test.haproxy.com
KEY_SIZE=2048
SERIAL=34
SERIAL2=35
CA_EXPIRE=202002
EXPIRE=365
#生成自签名的CA证书
openssl req -x509 -newkey rsa:${KEY_SIZE} -subj $CA_SUBJECT -keyout ca.key -nodes -days $CA_EXPIRE -out ca.crt
#客户端生成私钥和证书申请
openssl req -newkey rsa:${KEY_SIZE} -nodes -keyout ${FILE}.key -subj $SUBJECT -out ${FILE}.csr
#颁发证书
openssl x509 -req -in ${FILE}.csr -CA ca.crt -CAkey ca.key -set_serial $SERIAL -days $EXPIRE -out ${FILE}.crt
chmod 600 *.key
将客户端的证书和秘钥合并
cat www.test.haproxy.com.crt www.test.haproxy.com.key >www.test.haproxy.com.pem
ls
配置haproxy:
vi /etc/hosts 修改hosts
192.168.116.132 www.test.haproxy.com
vi /haproxy/etc/haproxy.cfg 文件底部添加
listen web
bind www.test.haproxy.com:80
bind www.test.haproxy.com:443 ssl crt /haproxy/etc/ssl/www.test.haproxy.com.pem
mode http
log global
redirect scheme https if !{
ssl_fc }
http-request set-header X-forwarded-Port %[dst_port]
http-request add-header X-forwarded-Proto https if {
ssl_fc }
server web1 192.168.116.134:80
systemctl restart haproxy
- 客户端测试
vi /etc/hosts 没有DNS解析,所以需要设置hosts
192.168.116.132 www.test.haproxy.com
Windows客户端测试访问
在这个路径下添加hosts解析
C:\Windows\System32\drivers\etc\hosts
192.168.116.132 www.test.haproxy.com
可以看到访问http://www.test.haproxy.com
自动重定向到了https://www.test.haproxy.com
四、配置nginx通过不同path反代至不同后端tomcat(即访问www.nginx.tomcat.com/tomcat1/反代至tomcat1,访问www.nginx.tomcat.com/tomcat2/反代至tomcat2)
路由拓扑:
- 2台tomcat都进行编译安装
tomcat依赖Java服务,所以要先安装Java服务
Java编译安装:
Java 8的源码包需要注册账户后才能下载:java下载
tar xf jdk-8u301-linux-x64.tar.gz -C /usr/local/ 解压下载的压缩包
cd /usr/local/
ln -s jdk1.8.0_301/ jdk
vi /etc/profile.d/java.sh
编辑环境变量
export JAVA_HOME=/usr/local/jdk
export PATH=$PATH:$JAVA_HOME/bin
export JRE_HOME=$JAVA_HOME/jre
export CLASSPATH=$JAVA_HOME/lib/:$JRE_HOME/lib
source /etc/profile.d/java.sh
tomcat编译:
wget https://dlcdn.apache.org/tomcat/tomcat-8/v8.5.70/bin/apache-tomcat-8.5.70.tar.gz
tar xf apache-tomcat-8.5.70.tar.gz -C /usr/local/
cd /usr/local/
ln -s apache-tomcat-8.5.70/ tomcat
echo 'PATH=/usr/local/tomcat/bin:$PATH' > /etc/profile.d/tomcat.sh
source /etc/profile.d/tomcat.sh
useradd -r -s /sbin/nologin tomcat
echo "JAVA_HOME=/usr/local/jdk"> /usr/local/tomcat/conf/tomcat.conf
chown -R tomcat.tomcat /usr/local/tomcat/
创建service文件
vi /lib/systemd/system/tomcat.service
[Unit]
Description=Tomcat
#After=syslog.target network.target remote-fs.target nss-lookup.target
After=syslog.target network.target
[Service]
Type=forking
EnvironmentFile=/usr/local/tomcat/conf/tomcat.conf
ExecStart=/usr/local/tomcat/bin/startup.sh
ExecStop=/usr/local/tomcat/bin/shutdown.sh
PrivateTmp=true
User=tomcat
Group=tomcat
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable tomcat
systemctl start tomcat
- 编译安装nginx:
hostnamectl set-hostname nginx
vi /etc/hosts
192.168.116.130 www.nginx.tomcat.com
wget http://nginx.org/download/nginx-1.18.0.tar.gz
yum install -y gcc pcre-devel openssl-devel zlib-devel 安装依赖包
tar xf nginx-1.18.0.tar.gz
cd nginx-1.18.0
useradd -r -s /sbin/nologin nginx 设置nginx账户
编译安装
./configure --prefix=/nginx \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module
make && make install
echo 'PATH=/nginx/sbin:$PATH' >/etc/profile.d/nginx.sh
source /etc/profile.d/nginx.sh
mkdir /nginx/run
vi /nginx/conf/nginx.conf
pid /nginx/run/nginx.pid; 修改PID这行
chown -R nginx.nginx /nginx
配置service
vi /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/nginx/run/nginx.pid
ExecStart=/nginx/sbin/nginx -c /nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target
systemctl daemon-reload 加载service文件
- tomcat1创建index.jsp页面
hostnamectl set-hostname tomcat1
vi /etc/hosts
192.168.116.130 www.nginx.tomcat.com
vi /usr/local/tomcat/webapps/ROOT/index.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>tomcat1</title>
</head>
<body>
<h1>tomcat1</h1>
systemctl restart tomcat
- tomcat2创建index.jsp页面
hostnamectl set-hostname tomcat2
vi /etc/hosts
192.168.116.130 www.nginx.tomcat.com
vi /usr/local/tomcat/webapps/ROOT/index.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>tomcat2</title>
</head>
<body>
<h1>tomcat2</h1>
systemctl restart tomcat
- nginx配置反向代理
vi /etc/nginx/nginx.conf 删除文件内容,改为下面这些
user nginx;
worker_processes auto;
error_log /nginx/logs/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /nginx/logs/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
listen [::]:80;
server_name www.nginx.tomcat.com;
error_page 404 /404.html;
location = /404.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
location / {
root /nginx/html;
index index.html;
}
location /tomcat1 {
proxy_pass http://192.168.116.132:8080/;
index index.jsp;
}
location /tomcat2 {
proxy_pass http://192.168.116.133:8080/;
index index.jsp;
}
}
}
systemctl start nginx
- Windows客户端访问测试
在这个路径下添加hosts解析
C:\Windows\System32\drivers\etc\hosts 添加内容
192.168.116.130 www.nginx.tomcat.com
http://www.nginx.tomcat.com/tomcat1/ 访问网站
http://www.nginx.tomcat.com/tomcat2/ 访问网站
