
haproxy配置负载均衡(https)


haproxy配置负载均衡(https)

[root@DR ~]# systemctl disable --now firewalld.service 
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# vim /etc/selinux/config 
SELINUX=disabled

# 3台主机都需要关闭防火墙和selinux(仅为简化实验环境;生产环境应保持 firewalld 开启并只放行所需端口,SELinux 保持 enforcing。另外 SELINUX=disabled 需重启后才生效)


[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.

[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.


//安装mod_ssl模块实现https加密认证
[root@RS1 ~]# yum  install mod_ssl
[root@RS2 ~]# yum  install mod_ssl

ssl配置
两台虚拟机都需要操作

//生成密钥(私钥)
[root@RS1 ~]# mkdir ssl
[root@RS1 ~]# cd ssl/
[root@RS1 ssl]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
...+++++
e is 65537 (0x010001)

//生成证书请求文件
[root@RS1 ssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn     //国家代码
State or Province Name (full name) []:hubei   //省份
Locality Name (eg, city) [Default City]:wuhan   //城市
Organization Name (eg, company) [Default Company Ltd]:ysd  // 公司
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:  //域名
Email Address []:    //邮箱地址

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    //可选密码
An optional company name []:   //不填

//生成证书crt(用自己的私钥签名,即自签名证书,有效期365天;浏览器不会信任,仅适合测试)
[root@RS1 ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = cn, ST = hubei, L = wuhan, O = ysd

//复制证书到指定位置(目录中包含私钥 server.key,复制后应确认其仅 root 可读)
[root@RS1 ssl]# cd /etc/httpd/
[root@RS1 httpd]# cp -r /root/ssl/ /etc/httpd/
[root@RS1 httpd]# ll | grep ssl
drwxr-xr-x 2 root root  60 10月 18 2:49 ssl

//ssl.conf配置文件导入证书,默认站点使用此配置文件
[root@RS1 httpd]# vim /etc/httpd/conf.d/ssl.conf 
DocumentRoot "/var/www/html"       # 取消这两行的注释
ServerName www.example.com:443
# 更改证书路径
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key

//重启服务
[root@localhost ssl]# systemctl restart httpd

网页访问

 

 部署haproxy

//下载软件包(v2.4.0 是 2.4 分支的首个版本;实际部署请选用仍在维护的最新补丁版本,并在下载后核对来源与校验值)
[root@DR ~]# wget https://github.com/haproxy/haproxy/archive/refs/tags/v2.4.0.tar.gz

//安装依赖包
[root@DR ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel

//创建haproxy用户
[root@DR ~]# useradd -r -M -s /sbin/nologin haproxy

//解压压缩包
[root@DR ~]# tar xf v2.4.0.tar.gz 
[root@DR ~]# cd haproxy-2.4.0/
[root@DR haproxy-2.4.0]# ls
addons     CONTRIBUTING  include      Makefile   scripts  VERDATE
admin      dev           INSTALL      README     src      VERSION
BRANCHES   doc           LICENSE      reg-tests  SUBVERS
CHANGELOG  examples      MAINTAINERS  ROADMAP    tests
# 因为里面已经有Makefile,也就是说configure这一步已经做过了,后面直接make编译安装即可

//编译安装
[root@DR haproxy-2.4.0]#  make clean
[root@DR haproxy-2.4.0]#  make -j $(grep 'processor' /proc/cpuinfo |wc -l)  \
TARGET=linux-glibc  \
USE_OPENSSL=1  \
USE_ZLIB=1  \
USE_PCRE=1  \
USE_SYSTEMD=1

//安装到/usr/local/haproxy
[root@DR haproxy-2.4.0]# make install PREFIX=/usr/local/haproxy
[root@DR local]# ls
bin  games    include  lib64    sbin   src
etc  haproxy  lib      libexec  share

//把haproxy添加到环境变量让系统能找haproxy
[root@DR ~]# vim /etc/profile.d/haproxy.sh
export PATH=/usr/local/haproxy/sbin:$PATH
[root@DR ~]# source /etc/profile.d/haproxy.sh    # 读取配置文件
[root@DR ~]# which haproxy 
/usr/local/haproxy/sbin/haproxy //这样就能找到haproxy了

//配置各个负载的内核参数
[root@DR ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >>  /etc/sysctl.conf
[root@DR ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR ~]# sysctl  -p 
net.ipv4.ip_nonlocal_bind = 1    //IP绑定,绑定一个非本地的IP,此IP没有在网卡中配置,但是可以用。安装haproxy时自动创建的
net.ipv4.ip_forward = 1   //IP转发功能打开(haproxy 以代理方式转发连接,本身并不依赖内核IP转发;若该主机不兼作路由器,可不开启)

//提供配置文件
[root@DR ~]# mkdir /etc/haproxy
[root@DR ~]# cat > /etc/haproxy/haproxy.cfg < 
# (原文此处 here-document 的内容在页面转载时丢失,haproxy.cfg 的具体配置未保留)

编写一个service文件,设置开机自启

[root@DR ~]# cat /usr/lib/systemd/system/haproxy.service
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target

[Service]
ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg   -c -q
ExecStart=/usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg  -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target

//重新加载配置文件
[root@DR ~]# systemctl daemon-reload 
[root@DR ~]# systemctl enable --now haproxy

//启动日志
[root@DR ~]# vim /etc/rsyslog.conf
local0.* /var/log/haproxy.log   //加入这行

//重启服务
[root@DR ~]# systemctl restart rsyslog.service
[root@DR ~]# systemctl restart haproxy
[root@DR ~]# ss -antl
State      Recv-Q     Send-Q         Local Address:Port          Peer Address:Port     Process     
LISTEN     0          128                  0.0.0.0:22                 0.0.0.0:*                    
LISTEN     0          128                  0.0.0.0:8189               0.0.0.0:*                    
LISTEN     0          128                  0.0.0.0:80                 0.0.0.0:*                    
LISTEN     0          128                     [::]:22                    [::]:*   

此时去访问调度器IP就可以负载到两台机器

 

 

 

 //绿色代表运行正常,如果是红色说明这个主机宕机了(应是指haproxy状态页中的后端状态;状态页若对外可访问,应配置 stats auth 认证并限制访问来源)
