- 1.安装httpd,生成证书
- 2.部署haproxy,实现http负载均衡
- 3.配置https负载均衡
关闭防火墙和selinux
[root@DR ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@DR ~]# reboot
[root@RS1 ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS1 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@RS1 ~]# reboot
[root@RS2 ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS2 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@RS2 ~]# reboot
RS1、RS2安装httpd
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
[root@RS1 ~]# echo 'test1' > /var/www/html/index.html
[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
[root@RS2 ~]# echo 'test2' > /var/www/html/index.html
生成证书,实现https认证加密
RS1和RS2相同操作
//安装mod_ssl模块
[root@RS1 ~]# yum -y install mod_ssl
[root@RS2 ~]# yum -y install mod_ssl
//生成密钥(私钥)
[root@RS1 ~]# mkdir ssl
[root@RS1 ~]# cd ssl/
[root@RS1 ssl]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
..........................................................................................................................+++++
e is 65537 (0x010001)
//生成证书请求文件
[root@RS1 ssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:zz
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
//生成证书crt（自签名证书，使用 -signkey 以私钥自行签发）
[root@RS1 ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = cn, ST = hubei, L = wuhan, O = zz
Getting Private key
//复制证书到指定位置
[root@RS1 ~]# cp -r ssl/ /etc/httpd/
//修改配置文件
[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
#取消注释
DocumentRoot "/var/www/html"
ServerName www.example.com:443
#修改路径
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
//重启httpd
[root@RS1 ~]# systemctl restart httpd
网页访问
RS1
RS2
//下载软件包
[root@DR ~]# wget https://github.com/haproxy/haproxy/archive/refs/tags/v2.4.0.tar.gz
//安装依赖包
[root@DR ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
//创建haproxy用户
[root@DR ~]# useradd -r -M -s /sbin/nologin haproxy
//解压
[root@DR ~]# tar xf v2.4.0.tar.gz
[root@DR ~]# cd haproxy-2.4.0/
[root@DR haproxy-2.4.0]# ls
addons CHANGELOG doc INSTALL Makefile ROADMAP SUBVERS VERSION admin CONTRIBUTING examples LICENSE README scripts tests BRANCHES dev include MAINTAINERS reg-tests src VERDATE
#Makefile已存在,直接执行make编译
//编译安装
[root@DR haproxy-2.4.0]# make -j $(grep 'processor' /proc/cpuinfo |wc -l) TARGET=linux-glibc USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1 USE_SYSTEMD=1
[root@DR haproxy-2.4.0]# make install PREFIX=/usr/local/haproxy //指定安装目录
//添加环境变量
[root@DR ~]# cat /etc/profile.d/haproxy.sh
export PATH=/usr/local/haproxy/sbin:$PATH
[root@DR ~]# source /etc/profile.d/haproxy.sh
[root@DR ~]# which haproxy
/usr/local/haproxy/sbin/haproxy
//配置内核参数
[root@DR ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@DR ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1 //IP绑定,允许绑定一个非本地的IP,此IP没有在网卡中配置,但是可以用
net.ipv4.ip_forward = 1 //IP转发功能打开
//提供配置文件
[root@DR ~]# mkdir /etc/haproxy
[root@DR ~]# cat > /etc/haproxy/haproxy.cfg <[原文此处内容缺失]Main PID: 201857 (haproxy)
Tasks: 3 (limit: 11300)
Memory: 7.9M
CGroup: /system.slice/haproxy.service
├─201857 /usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy>
└─201859 /usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy>
10月 17 23:53:54 DR systemd[1]: Starting HAProxy Load Balancer...
10月 17 23:53:54 DR systemd[1]: Started HAProxy Load Balancer.
10月 17 23:53:54 DR haproxy[201857]: [NOTICE] (201857) : New worker #1 (201859) forked
[root@DR ~]# ss -anltu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:8189 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
此时web访问调度器IP就可以调度到RS1和RS2
登录到后台（stats 页面，即 http://调度器IP:8189/haproxy_stats，账号密码为配置中 stats auth 所设）查看负载均衡集群状态
修改配置文件
[root@DR ~]# cat /etc/haproxy/haproxy.cfg
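#---------------------------------------------------------------------
# Global settings
# NOTE: haproxy.cfg only recognises '#' comments; the '//' inline notes
# of the original listing would be parsed as extra arguments and make
# 'mode', 'bind' and 'server' fail to load. They are rewritten as '#'.
#---------------------------------------------------------------------
global
    log 127.0.0.1 local0 info
    #log loghost local0 info
    maxconn 20480
    #chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    #maxconn 4000
    user haproxy
    group haproxy
    daemon

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    # tcp mode: TLS is passed through to the backends unterminated, so
    # HAProxy never sees the HTTP layer here. 'option httpclose' and
    # 'option httplog' only take effect in sections with 'mode http'
    # (admin_stats); in tcp sections HAProxy warns and falls back to tcplog.
    mode tcp
    log global
    option dontlognull
    option httpclose
    option httplog
    #option forwardfor
    option redispatch
    balance roundrobin
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
    maxconn 60000
    retries 3

#---------------------------------------------------------------------
# Stats page
#---------------------------------------------------------------------
listen admin_stats
    # Bound on every interface, and 'stats admin if TRUE' lets any
    # authenticated user enable/disable backend servers.
    # NOTE(review): 'admin:admin' is an example credential -- replace it,
    # and restrict the bind address or add an ACL before exposing this.
    bind 0.0.0.0:8189
    stats enable
    mode http
    log global
    stats uri /haproxy_stats
    # the realm is a single argument; escape the space as documented
    stats realm Haproxy\ Statistics
    stats auth admin:admin
    #stats hide-version
    stats admin if TRUE
    stats refresh 10s

#---------------------------------------------------------------------
# Web cluster (HTTPS passthrough)
#---------------------------------------------------------------------
listen webcluster
    bind 0.0.0.0:443          # changed from :80 to accept TLS
    mode tcp                  # passthrough; the backends terminate TLS
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    # 'check' is a plain TCP connect check against :443 (not an HTTP check)
    server web01 192.168.237.167:443 check inter 2000 fall 5
    server web02 192.168.237.170:443 check inter 2000 fall 5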
[root@DR ~]# systemctl restart haproxy.service
用 https://调度器IP 访问（后端证书为自签名，浏览器会提示证书不受信任，需手动确认后才能看到页面）



