- Disable the firewall and SELinux
- Deploy HTTPS websites on RS1 and RS2 and enable them at boot
- Deploy HAProxy
- Implement HTTPS load balancing
| Server | OS | IP |
|---|---|---|
| DR | CentOS 8 | 192.168.164.137 |
| SR1 | Red Hat 8 | 192.168.164.133 |
| SR2 | CentOS 7 | 192.168.164.128 |
This must be done on all three machines.
```
[root@DR ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# vim /etc/selinux/config
SELINUX=disabled
# All three hosts need the firewall and SELinux disabled; only one is shown here, the other two are omitted.
```

Deploy HTTPS websites on RS1 and RS2 and enable them at boot
```
[root@RS1 ~]# yum -y install httpd
[root@rs2 ~]# yum -y install httpd
[root@RS1 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
[root@RS2 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
```
HTTPS configuration
```
# Install the mod_ssl module to provide HTTPS encryption and authentication
[root@RS1 ~]# yum install mod_ssl
[root@RS2 ~]# yum install mod_ssl
```
SSL configuration
Both virtual machines need this done.
```
# Generate the private key
[root@RS1 ~]# mkdir ssl
[root@RS1 ~]# cd ssl/
[root@RS1 ssl]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
...+++++
e is 65537 (0x010001)
# Generate the certificate signing request
[root@RS1 ssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn                              # country code
State or Province Name (full name) []:hubei                       # province
Locality Name (eg, city) [Default City]:wuhan                     # city
Organization Name (eg, company) [Default Company Ltd]:wjm         # company
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:         # domain name
Email Address []:                                                 # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                          # optional password
An optional company name []:                                      # leave blank
# Generate the certificate (crt)
[root@RS1 ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = cn, ST = hubei, L = wuhan, O = wjm, CN = *.wjm.com
Getting Private key
# Copy the certificate to its destination
[root@RS1 ssl]# cd /etc/httpd/
[root@RS1 httpd]# cp -r /root/ssl/ /etc/httpd/
[root@RS1 httpd]# ll | grep ssl
drwxr-xr-x 2 root root 60 10月 17 15:49 ssl
# Point ssl.conf at the certificate; the default site uses this configuration file
[root@RS1 httpd]# vim /etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html"           # uncomment these two lines
ServerName www.example.com:443
# Change the certificate paths
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
# Restart the service
[root@localhost ssl]# systemctl restart httpd
```
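The same certificate setup as a script, added here as an example and not part of the original post. It generates the key and the self-signed certificate in one non-interactive openssl call, adds a subjectAltName (the interactive flow above yields a certificate without one, and current browsers reject such certificates regardless of the CN), sets a restrictive mode on the key file, and checks that the certificate and key belong together. The DN values are taken from the post; openssl on PATH is assumed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive self-signed
# server certificate with a subjectAltName, plus key/certificate checks.
# Assumes openssl is on PATH. DN values mirror the post (C=cn, ST=hubei, L=wuhan, O=wjm).
set -e

# gen_selfsigned DIR CN [DAYS]: writes DIR/server.key and DIR/server.crt.
# Unlike the interactive `openssl req` in the post, this sets subjectAltName.
gen_selfsigned() {
    dir=$1
    cn=$2
    days=${3:-365}
    mkdir -p "$dir"
    # Temporary OpenSSL config; "prompt = no" takes the DN from the file
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_req
prompt = no

[ req_dn ]
C  = cn
ST = hubei
L  = wuhan
O  = wjm
CN = $cn

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$cn
EOF
    # One command replaces the genrsa + req -new + x509 -req sequence in the post
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -config "$dir/openssl.cnf" -extensions v3_req \
        -keyout "$dir/server.key" -out "$dir/server.crt"
    chmod 600 "$dir/server.key"    # the private key must not be world-readable
}

# cert_key_match CRT KEY: succeed only if the public key in CRT is derived from KEY
cert_key_match() {
    a=$(openssl x509 -noout -pubkey -in "$1" | openssl md5)
    b=$(openssl pkey -pubout -in "$2" | openssl md5)
    [ "$a" = "$b" ]
}

# cert_san CRT: print the subjectAltName entries of CRT (empty if there are none)
cert_san() {
    openssl x509 -noout -text -in "$1" |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# cert_fingerprint CRT: SHA-256 fingerprint as colon-separated hex
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Usage: sh make_cert.sh /etc/httpd/ssl '*.wjm.com'
if [ $# -ge 2 ]; then
    gen_selfsigned "$1" "$2"
    cert_key_match "$1/server.crt" "$1/server.key" && echo "key and certificate match"
    echo "SAN: $(cert_san "$1/server.crt")"
    echo "SHA-256: $(cert_fingerprint "$1/server.crt")"
fi
```

Run it once per real server (each keeps its own key), or run it once and copy the pair to both so the two backends present an identical certificate; the fingerprint it prints is what `openssl s_client -connect HOST:443` shows for that backend, which is a convenient way to tell which server answered once the TCP-mode balancer is in front of them.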
Accessing the web page
```
# Download the source package
[root@DR ~]# wget https://github.com/haproxy/haproxy/archive/refs/tags/v2.4.0.tar.gz
# Install build dependencies
[root@DR ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
# Create the haproxy user
[root@DR ~]# useradd -r -M -s /sbin/nologin haproxy
# Unpack the archive
[root@DR ~]# tar xf v2.4.0.tar.gz
[root@DR ~]# cd haproxy-2.4.0/
[root@DR haproxy-2.4.0]# ls
addons     CONTRIBUTING  include      Makefile   scripts  VERDATE
admin      dev           INSTALL      README     src      VERSION
BRANCHES   doc           LICENSE      reg-tests  SUBVERS
CHANGELOG  examples      MAINTAINERS  ROADMAP    tests
# Because a Makefile is already present, the configure step is in effect already done; just run make to build and install
# Build and install
[root@DR haproxy-2.4.0]# make clean
[root@DR haproxy-2.4.0]# make -j $(grep 'processor' /proc/cpuinfo | wc -l) TARGET=linux-glibc USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1 USE_SYSTEMD=1
# Install into /usr/local/haproxy
[root@DR haproxy-2.4.0]# make install PREFIX=/usr/local/haproxy
[root@DR local]# ls
bin  games    include  lib64    sbin   src
etc  haproxy  lib      libexec  share
# Add haproxy to PATH so the system can find it
[root@DR ~]# vim /etc/profile.d/haproxy.sh
export PATH=/usr/local/haproxy/sbin:$PATH
[root@DR ~]# source /etc/profile.d/haproxy.sh    # load the profile script
[root@DR ~]# which haproxy
/usr/local/haproxy/sbin/haproxy                   # haproxy can now be found
# Configure kernel parameters on the load balancer
[root@DR ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@DR ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1    # allow binding to a non-local IP, one not configured on any NIC but still usable (created automatically when haproxy is installed)
net.ipv4.ip_forward = 1          # enable IP forwarding
# Provide the configuration file
[root@DR ~]# mkdir /etc/haproxy
[root@DR ~]# cat > /etc/haproxy/haproxy.cfg <
```

Write a service file and enable start at boot
```
[root@DR ~]# cat /usr/lib/systemd/system/haproxy.service
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target

[Service]
ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=/usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target
# Reload the unit files
[root@DR ~]# systemctl daemon-reload
# Enable logging
[root@DR ~]# vim /etc/rsyslog.conf
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
local0.*                                                /var/log/haproxy.log    # add this line
# Start the service and check the listening ports
[root@DR ~]# systemctl enable --now haproxy.service
Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service.
[root@DR ~]# systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled;>
   Active: active (running) since Sun 2021-10-17 17:28:43 CST; 14s a>
  Process: 272736 ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /e>
 Main PID: 272739 (haproxy)
    Tasks: 3 (limit: 12096)
   Memory: 7.9M
   CGroup: /system.slice/haproxy.service
           ├─272739 /usr/local/haproxy/sbin/haproxy -Ws -f /etc/hapr>
           └─272741 /usr/local/haproxy/sbin/haproxy -Ws -f /etc/hapr>

10月 17 17:28:43 DR systemd[1]: Starting HAProxy Load Balancer...
10月 17 17:28:43 DR systemd[1]: Started HAProxy Load Balancer.
10月 17 17:28:43 DR haproxy[272739]: [NOTICE]   (272739) : New worke>
[root@DR ~]# ss -antl
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128           0.0.0.0:80          0.0.0.0:*
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       128           0.0.0.0:8189        0.0.0.0:*
LISTEN  0       128              [::]:22             [::]:*
```

Note that `ExecReload` must name the process to signal (`$MAINPID`); `kill -USR2` on its own fails with "not enough arguments". Also, because the configuration sends logs with `log 127.0.0.1 local0 info`, haproxy emits its log lines as UDP syslog to 127.0.0.1:514, so rsyslog must also have its UDP input enabled (`module(load="imudp")` and `input(type="imudp" port="514")` in /etc/rsyslog.conf) and be restarted before anything appears in /var/log/haproxy.log.

Now requests to the scheduler's IP are load-balanced across the two machines.
Implement HTTPS load balancing
You can also log in to the stats back end to view the web hosts' information and running state.
```
# Green means the host is running normally; red means the host is down
# Edit the configuration file
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
#-------------- global settings ----------------
global
    log 127.0.0.1 local0 info
    #log loghost local0 info
    maxconn 20480
    #chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    #maxconn 4000
    user haproxy
    group haproxy
    daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode tcp                    # change this to tcp mode
    log global
    option dontlognull
    option httpclose
    option httplog
    #option forwardfor
    option redispatch
    balance roundrobin
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
#--------------- web settings -----------------------
listen webcluster
    bind 0.0.0.0:443            # change the port to 443
    mode tcp                    # use tcp mode
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    # cookie SESSION_cookie insert indirect nocache
    server web01 192.168.50.132:443 check inter 2000 fall 5    # change the port to 443
    server web02 192.168.50.131:443 check inter 2000 fall 5
    #server web01 192.168.80.102:80 cookie web01 check inter 2000 fall 5
```

After the first visit you need to wait about 40 seconds before refreshing to reach the other host.
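A health check over the stats export, added as an example and not part of the original post. HAProxy serves the same data the green/red stats page shows as CSV when `;csv` is appended to the stats URI; this script locates columns by name (the real export has far more columns than the constructed sample below) and exits non-zero when any backend is not UP, which is what a cron job or monitoring probe wants. It assumes the listener on port 8189 seen in the `ss` output is the stats listener and that it uses HAProxy's default stats uri of /haproxy?stats; the post does not show that part of the configuration, so STATS_URL is an assumption to adjust. The sample CSV and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): parse HAProxy's stats CSV and
# report backend health. STATS_URL is an assumption (default stats uri on the
# port 8189 listener seen in the post); override it to match the local config.
STATS_URL=${STATS_URL:-"http://127.0.0.1:8189/haproxy?stats;csv"}

# Constructed sample in the CSV layout HAProxy emits (column list abbreviated;
# the real export has many more columns, which is why columns are found by name).
SAMPLE_CSV='# pxname,svname,status,weight,chkfail,chkdown,lastchg,
webcluster,FRONTEND,OPEN,,,,,
webcluster,web01,UP,1,0,0,120,
webcluster,web02,DOWN,1,5,1,30,
webcluster,BACKEND,UP,1,,0,120,'

# server_status: read stats CSV on stdin and print "proxy/server status" for
# every real server row (the FRONTEND and BACKEND aggregate rows are skipped).
server_status() {
    awk -F, '
        NR == 1 {                      # header line: map column names to indexes
            sub(/^# */, "", $1)
            for (i = 1; i <= NF; i++) col[$i] = i
            next
        }
        $(col["svname"]) != "FRONTEND" && $(col["svname"]) != "BACKEND" {
            print $(col["pxname"]) "/" $(col["svname"]) " " $(col["status"])
        }'
}

# down_servers: only the servers whose status does not start with UP
# (DOWN, MAINT, "no check" and the transitional "DOWN 1/2" all count as unhealthy).
down_servers() {
    server_status | awk '$2 !~ /^UP/'
}

# check_backends: exit 0 if every server is UP, 1 otherwise
check_backends() {
    n=$(down_servers | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# fetch_stats: pull the live CSV from the stats listener (needs curl)
fetch_stats() {
    curl -s --fail "$STATS_URL"
}

# Usage: sh check_haproxy.sh live   -> query the running load balancer
#        sh check_haproxy.sh        -> run against the constructed sample
if [ "${1:-}" = "live" ]; then
    fetch_stats | server_status
    fetch_stats | check_backends || echo "WARNING: at least one backend is not UP"
else
    printf '%s\n' "$SAMPLE_CSV" | server_status
    printf '%s\n' "$SAMPLE_CSV" | down_servers | sed 's/^/not UP: /'
fi
```

One caveat that follows from the configuration above: in `mode tcp` HAProxy cannot look inside the TLS stream, so `option httpchk` stays commented out and each `check` is a plain TCP connect to port 443. A backend whose httpd accepts connections but serves a broken site or an expired certificate still reports UP here and shows green on the stats page; checking the served page and certificate from outside (for example with `openssl s_client` or `curl -k`) closes that gap.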



