haproxy 负载均衡 https
| haproxy服务器(DR)(CA) | IP:192.168.47.158 |
|---|---|
| httpd服务器(RS1) | IP:192.168.47.163 |
| httpd服务器(RS2) | IP:192.168.47.164 |
//三台关闭防火墙和selinux
[root@DR ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# setenforce 0
//安装服务
[root@DR ~]# yum -y install openssl make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
//创建用户
[root@DR ~]# useradd -r -M -s /sbin/nologin haproxy
//上传haproxy包
[root@DR ~]# ls
anaconda-ks.cfg haproxy-2.4.0.tar.gz
[root@DR ~]# tar xf haproxy-2.4.0.tar.gz -C /usr/src/
[root@DR ~]# cd /usr/src/
[root@DR src]# ls
debug haproxy-2.4.0 kernels
[root@DR src]# cd haproxy-2.4.0/
[root@DR haproxy-2.4.0]# make clean
[root@DR haproxy-2.4.0]# make -j $(nproc) TARGET=linux-glibc USE_OPENSSL=1 USE_PCRE=1 USE_SYSTEMD=1
[root@DR haproxy-2.4.0]# make install prefix=/usr/local/haproxy
//配置内核参数
[root@DR ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@DR ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
[root@DR ~]#
//提供配置文件
[root@DR ~]# mkdir /etc/haproxy
[root@DR ~]# cd /etc/haproxy/
[root@DR haproxy]# touch haproxy.cfg
[root@DR haproxy]# cat haproxy.cfg
#--------------全局配置----------------
global
log 127.0.0.1 local0 info
#log loghost local0 info
maxconn 20480
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option dontlognull
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin
timeout connect 10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3
#--------------统计页面配置------------------
listen admin_stats
bind 0.0.0.0:8189
stats enable
mode http
log global
stats uri /haproxy_stats
stats realm Haproxy Statistics
stats auth admin:admin
#stats hide-version
stats admin if TRUE
stats refresh 30s
#---------------web设置-----------------------
listen webcluster
bind 0.0.0.0:80
mode http
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
cookie SESSION_cookie insert indirect nocache
server web01 192.168.47.163:80 check inter 2000 fall 5
server web02 192.168.47.164:80 check inter 2000 fall 5
#server web01 192.168.47.158:80 cookie web01 check inter 2000 fall 5
//haproxy.service文件编写
[root@DR ~]# vi /usr/lib/systemd/system/haproxy.service
[root@DR ~]# cat /usr/lib/systemd/system/haproxy.service
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target
[Service]
ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=/usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
[root@DR ~]# systemctl daemon-reload
[root@DR ~]# systemctl enable --now haproxy
Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service.
//启动日志
[root@DR ~]# vim /etc/rsyslog.conf
local0.* /var/log/haproxy.log //加入这行
//重启服务
[root@DR ~]# systemctl restart rsyslog.service
[root@DR ~]# systemctl restart haproxy
[root@DR ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8189 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
//在RS上安装httpd服务
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# echo "awm-RS1" >/var/www/html/index.html
[root@RS1 ~]# systemctl restart httpd
[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# echo "awm-RS2" >/var/www/html/index.html
[root@RS2 ~]# systemctl restart httpd
[root@RS1 ~]# curl 192.168.47.163
awm-RS1
[root@RS2 ~]# curl 192.168.47.164
awm-RS2
//证书生成
[root@RS1 ~]# yum -y install openssl
[root@RS1 ~]# mkdir ~/keys
[root@RS1 ~]# cd keys/
[root@RS1 keys]# openssl genrsa -out passport.com.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........+++++
....+++++
e is 65537 (0x010001)
[root@RS1 keys]# openssl req -new -key passport.com.key -out passport.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:passport
Common Name (eg, your name or your server's hostname) []:web01.com
Email Address []:passport@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1
string is too short, it needs to be at least 4 bytes long
A challenge password []:1@2.com
An optional company name []:
[root@RS1 keys]# openssl x509 -req -days 3650 -in passport.com.csr -signkey passport.com.key -out passport.com.crt
Signature ok
subject=C = CN, ST = HB, L = WH, O = test, OU = passport, CN = web01.com, emailAddress = passport@qq.com
[root@RS1 keys]# ls
passport.com.crt passport.com.csr passport.com.key
//将文件传输到RS2上面去
[root@RS1 keys]# ls
passport.com.crt passport.com.csr passport.com.key
[root@RS1 keys]# scp passport.com.crt passport.com.key 192.168.47.164:/root/
The authenticity of host '192.168.47.164 (192.168.47.164)' can't be established.
ECDSA key fingerprint is SHA256:yFTuSjTbwIcX/TTSfFBiOWU5ws6FCJegG7L8xSoPxHo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.47.164' (ECDSA) to the list of known hosts.
root@192.168.47.164's password:
passport.com.crt 100% 1277 1.9MB/s 00:00
passport.com.key 100% 1679 2.3MB/s 00:00
//RS1和RS2上配置https
[root@RS2 ~]# yum -y install mod_ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl
[root@RS2 ~]# mv passport.com.* /etc/httpd/ssl/
[root@RS2 ~]# cd /etc/httpd/ssl/
[root@RS2 ssl]# ls
passport.com.crt passport.com.key
[root@RS2 ssl]# cd ..
[root@RS2 httpd]# ls
conf conf.modules.d modules ssl
conf.d logs run state
[root@RS2 httpd]# cd conf.d
[root@RS2 conf.d]# ls
autoindex.conf ssl.conf welcome.conf
README userdir.conf
[root@RS2 conf.d]# vim ssl.conf
documentRoot "/var/www/html" //取消掉这两汉的注释
ServerName www.example.com:443
#修改此两行路径
SSLCertificateFile /etc/httpd/ssl/passport.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/passport.com.key
//重启服务
[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
//修改配置文件
[root@DR haproxy]# vim haproxy.cfg
#--------------全局配置----------------
global
log 127.0.0.1 local0 info
#log loghost local0 info
maxconn 20480
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode tcp //模式改为tcp
log global
option dontlognull
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin
timeout connect 10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3
#--------------统计页面配置------------------
listen admin_stats
bind 0.0.0.0:8189
stats enable
mode http
log global
stats uri /haproxy_stats
stats realm Haproxy Statistics
stats auth admin:admin
#stats hide-version
stats admin if TRUE
stats refresh 30s
#---------------web设置-----------------------
listen webcluster
bind 0.0.0.0:443 //端口改为443
mode tcp //模式改为tcp
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
server web01 192.168.47.163:443 check inter 2000 fall 5 //端口改为443
server web02 192.168.47.163:443 check inter 2000 fall 5 //端口改为443
#server web01 192.168.47.163:80 cookie web01 check inter 2000 fall 5
[root@DR haproxy]# systemctl restart haproxy.service
