HAProxy load balancing configuration

haproxy server (DR) | IP: 192.168.235.135
---|---
httpd server (RS1) | IP: 192.168.235.155
httpd server (RS2) | IP: 192.168.235.158

Disable the firewall and SELinux
[root@DR ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# setenforce 0
[root@RS1 ~]# systemctl disable --now firewalld
[root@RS1 ~]# setenforce 0
setenforce: SELinux is disabled
[root@rs2 ~]# systemctl disable --now firewalld
[root@rs2 ~]# setenforce 0
Installing HAProxy:
//install build dependencies
[root@DR ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
//create the haproxy user
[root@DR ~]# useradd -r -M -s /sbin/nologin haproxy
[root@DR ~]# ls
haproxy-2.4.7.tar.gz
[root@DR ~]# tar xf haproxy-2.4.7.tar.gz -C /usr/local/
[root@DR ~]# ls /usr/local/
haproxy-2.4.7
[root@DR ~]# cd /usr/local/
[root@DR local]# ln -sv haproxy-2.4.7 haproxy
'haproxy' -> 'haproxy-2.4.7'
[root@DR local]# ll
总用量 20
drwxr-xr-x. 14 root root 164 9月 27 08:49 apache
drwxr-xr-x. 6 root root 58 9月 27 08:43 apr
drwxr-xr-x. 28 1001 1001 4096 9月 27 08:43 apr-1.7.0
drwxr-xr-x. 5 root root 43 9月 27 08:45 apr-util
drwxr-xr-x. 21 1001 1001 4096 9月 27 08:45 apr-util-1.6.1
drwxr-xr-x. 2 root root 6 8月 12 2018 bin
drwxr-xr-x. 2 root root 6 8月 12 2018 etc
drwxr-xr-x. 2 root root 6 8月 12 2018 games
lrwxrwxrwx. 1 root root 13 10月 17 11:28 haproxy -> haproxy-2.4.7
drwxrwxr-x. 13 root root 4096 10月 4 08:56 haproxy-2.4.7
//compile
[root@DR haproxy]# make -j $(nproc) TARGET=linux-glibc \
> USE_OPENSSL=1 USE_PCRE=1 USE_SYSTEMD=1
[root@DR haproxy]# make install
[root@DR haproxy]# ls /usr/local/sbin/
haproxy
Configure the kernel parameters on the load balancer
[root@DR haproxy]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@DR haproxy]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR haproxy]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
Provide the configuration file
[root@DR ~]# mkdir /etc/haproxy
[root@DR ~]# cd /etc/haproxy/
[root@DR haproxy]# touch haproxy.cfg
[root@DR haproxy]# vim haproxy.cfg
[root@DR haproxy]# cat haproxy.cfg
#-------------- global configuration ----------------
global
    log 127.0.0.1 local0 info
    #log loghost local0 info
    maxconn 20480
    #chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    #maxconn 4000
    user haproxy
    group haproxy
    daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option dontlognull
    option httpclose
    option httplog
    #option forwardfor
    option redispatch
    balance roundrobin
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
    maxconn 60000
    retries 3
#-------------- stats page configuration ------------------
listen admin_stats
    bind 0.0.0.0:8189
    stats enable
    mode http
    log global
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin
    #stats hide-version
    stats admin if TRUE
    stats refresh 30s
#--------------- web settings -----------------------
listen webcluster
    bind 0.0.0.0:80                 # change to 443 for https
    mode http                       # change to tcp for https
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    cookie SESSION_COOKIE insert indirect nocache
    server web01 192.168.235.155:80 check inter 2000 fall 5   # RS1's IP; change port to 443 for https
    server web02 192.168.235.158:80 check inter 2000 fall 5   # RS2's IP; change port to 443 for https
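The stats section above is what an auditor looks at first: it listens on every interface, uses the credentials admin:admin, allows admin actions unconditionally and leaves version hiding commented out. The following added example (not from the original post) parses a haproxy.cfg into sections and reports those exposure problems; the config excerpt is constructed from the directives on this page.

```python
import re

# Constructed excerpt using the same stats directives as the walkthrough's haproxy.cfg.
SAMPLE_CFG = """\
listen admin_stats
    bind 0.0.0.0:8189
    stats enable
    stats uri /haproxy_stats
    stats auth admin:admin
    #stats hide-version
    stats admin if TRUE
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen|peers)\b")
ANY_ADDR = {"", "*", "0.0.0.0", "::", "[::]"}   # bind hosts meaning "all interfaces"

def parse_sections(cfg):
    """Split the config into (header, directives), dropping comments and blank lines."""
    sections = []
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()   # "#stats hide-version" becomes empty
        if not line:
            continue
        if SECTION_RE.match(line):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
    return sections

def audit_stats(cfg):
    """Return one finding per exposure problem in every section that enables the stats page."""
    findings = []
    for header, lines in parse_sections(cfg):
        if "stats enable" not in lines:
            continue
        for b in (l for l in lines if l.startswith("bind ")):
            host = b.split()[1].rsplit(":", 1)[0]   # "0.0.0.0:8189" -> "0.0.0.0"
            if host in ANY_ADDR:
                findings.append(f"{header}: stats page bound on all interfaces ({b})")
        auth = [l for l in lines if l.startswith("stats auth ")]
        if not auth:
            findings.append(f"{header}: stats page has no authentication")
        for a in auth:
            user, _, pw = a.split(None, 2)[2].partition(":")
            if pw == user or pw.lower() in {"admin", "password", "haproxy"}:
                findings.append(f"{header}: weak stats credentials for user {user}")
        if any(l.startswith("stats admin if TRUE") for l in lines):
            findings.append(f"{header}: stats admin actions enabled for everyone")
        if "stats hide-version" not in lines:
            findings.append(f"{header}: HAProxy version disclosed on stats page")
    return findings
```

Run against a section bound to 127.0.0.1 with strong credentials and `stats hide-version` active, the list comes back empty.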
Writing the haproxy.service file
[root@DR haproxy]# vim /usr/lib/systemd/system/haproxy.service
[root@DR haproxy]# cat /usr/lib/systemd/system/haproxy.service
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target

[Service]
ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=/usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target
[root@DR ~]# systemctl daemon-reload
[root@DR ~]# systemctl enable --now haproxy
Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service.
[root@DR ~]# systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disab>
   Active: active (running) since Sun 2021-10-17 12:18:59 EDT; 4min 4s ago
  Process: 1218 ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q (c>
 Main PID: 1227 (haproxy)
    Tasks: 3 (limit: 11159)
   Memory: 9.9M
   CGroup: /system.slice/haproxy.service
           ├─1227 /usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/hap>
           └─1230 /usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/hap>
CA:
[root@DR ~]# yum -y install openssl
[root@DR ~]# openssl version -a
OpenSSL 1.1.1c FIPS 28 May 2019
built on: Thu Mar 5 10:03:36 2020 UTC
platform: linux-x86_64
options: bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls" //the directory where openssl keeps its certificates
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines: rdrand dynamic
//check openssl's configuration file openssl.cnf, since it defines the certificate file names, storage locations and related settings
[root@DR ~]# cd /etc/pki/
[root@DR pki]# ls
ca-trust fwupd nssdb rpm-gpg tls
consumer fwupd-metadata product rsyslog
entitlement java product-default swid
[root@DR pki]# mkdir CA
[root@DR pki]# ls
CA entitlement java product-default swid
ca-trust fwupd nssdb rpm-gpg tls
consumer fwupd-metadata product rsyslog
[root@DR pki]# cd CA/
[root@DR CA]# touch serial
[root@DR CA]# touch index.txt
[root@DR CA]# ls
index.txt serial
[root@DR CA]# echo 01 > serial
[root@DR CA]# cat serial
01
//generate the root certificate's private key (note: the key's file name and location must match the settings in the configuration file)
//openssl genrsa -out private/cakey.pem 2048   # the key is 2048 bits by default and is bound to the root certificate
[root@DR CA]# mkdir private
[root@DR CA]# ls
index.txt private serial
[root@DR CA]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
..........................................................+++++
e is 65537 (0x010001)
[root@DR CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:JXRT
Organizational Unit Name (eg, section) []:WW
Common Name (eg, your name or your server's hostname) []:WXY
Email Address []:1870648704@qq.com
[root@DR CA]# ls
cacert.pem index.txt private serial
[root@DR CA]# mkdir req
RS1:
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# cd /etc/httpd
[root@RS1 httpd]# mkdir ssl
[root@RS1 httpd]# cd ssl
[root@RS1 ssl]# openssl genrsa -out test.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
..................................................+++++
e is 65537 (0x010001)
[root@RS1 ssl]# ls
test.key
[root@RS1 ssl]#
[root@RS1 ssl]# openssl req -new -key test.key -out test.csr -days 365
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:JXRT
Organizational Unit Name (eg, section) []:WW
Common Name (eg, your name or your server's hostname) []:WXY
Email Address []:1870648704@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:www.yy.com
An optional company name []:
[root@RS1 ssl]# cd /etc/httpd/ssl
[root@RS1 ssl]# ls
test.csr test.key
[root@RS1 ssl]# scp test.csr 192.168.235.145:/etc/pki/CA/req //copy to the req directory on the CA
The authenticity of host '192.168.235.135 (192.168.235.145)' can't be established.
ECDSA key fingerprint is SHA256:YxxHZSMXHuRY/4l06pblVsAeyFwn87FXIP+3EXE+VNs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.235.145' (ECDSA) to the list of known hosts.
root@192.168.235.135's password:
test.csr 100% 1058 865.3KB/s 00:00
Check on DR
[root@DR ~]# ls /etc/pki/CA/req/
test.csr
//the CSR sent over from the httpd host, for the CA server to sign and issue
[root@DR CA]# mkdir newcerts
[root@DR CA]# cd req/
[root@DR req]# openssl ca -in /etc/pki/CA/req/test.csr -out /etc/pki/CA/req/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 17 14:47:27 2021 GMT
            Not After : Oct 17 14:47:27 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = JXRT
            organizationalUnitName    = WW
            commonName                = WXY
            emailAddress              = 1870648704@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CF:E2:A0:78:4C:F9:3C:FA:1E:6F:4C:81:B0:1B:32:75:75:B4:C3:A4
            X509v3 Authority Key Identifier:
                keyid:73:D3:74:56:06:3C:49:07:25:06:00:B8:A4:EB:BE:1B:67:ED:78:98

Certificate is to be certified until Oct 17 14:47:27 2022 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
//copy the crt certificate from the CA to /etc/httpd/ssl on the httpd host
[root@DR req]# scp test.crt 192.168.235.155:/etc/httpd/ssl/
The authenticity of host '192.168.235.155 (192.168.235.155)' can't be established.
ECDSA key fingerprint is SHA256:SYE4sY5pR2aCmZV6JqXCtCbMFPNKU1R9ID9zX9AvPr4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.235.155' (ECDSA) to the list of known hosts.
root@192.168.235.155's password:
test.crt 100% 4523 492.5KB/s 00:00
Configure https on RS1 and RS2:
[root@RS1 ~]# yum -y install mod_ssl
[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
43 DocumentRoot "/var/www/html"
44 ServerName www.example.com:443 //uncomment these two lines
85 SSLCertificateFile /etc/httpd/ssl/test.crt //change to the path of the certificate file
94 SSLCertificateKeyFile /etc/httpd/ssl/test.key //change to the path of the key file
[root@RS1 ~]# echo "hello yaya 192.168.235.155" > /var/www/html/index.html
[root@rs2 ~]# yum -y install mod_ssl
[root@rs2 ssl]# scp root@192.168.235.155:/etc/httpd/ssl/* .
root@192.168.235.155's password:
test.crt 100% 4523 3.2MB/s 00:00
test.csr 100% 1058 318.8KB/s 00:00
test.key 100% 1679 1.0MB/s 00:00
//restart
[root@rs2 ssl]# systemctl restart httpd
Test:
//enable logging
[root@DR ~]# vim /etc/rsyslog.conf
64 # Save boot messages also to boot.log
65 local0.*                                                /var/log/haproxy.log
66 local7.*                                                /var/log/boot.log
[root@DR ~]# systemctl restart haproxy
[root@DR ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 32 192.168.122.1:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8189 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
Enter the load balancer's IP in a browser and refresh repeatedly to test the load balancing.
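With rsyslog writing local0 to /var/log/haproxy.log, the distribution can be checked from the log rather than by watching the browser. This added example (not from the original post) parses lines in HAProxy's httplog format, counts requests per backend server of the webcluster listener and pulls out the requests that did not complete normally; the log lines are constructed.

```python
import re
from collections import Counter

# Constructed lines in HAProxy httplog format, as "option httplog" plus the rsyslog rule
# local0.* /var/log/haproxy.log would produce them; the last one shows a failed dispatch.
SAMPLE_LOG = """\
Oct 17 12:30:01 DR haproxy[1230]: 192.168.235.1:50212 [17/Oct/2021:12:30:01.101] webcluster webcluster/web01 0/0/1/2/3 200 312 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Oct 17 12:30:02 DR haproxy[1230]: 192.168.235.1:50214 [17/Oct/2021:12:30:02.204] webcluster webcluster/web02 0/0/1/3/4 200 312 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Oct 17 12:30:03 DR haproxy[1230]: 192.168.235.1:50216 [17/Oct/2021:12:30:03.310] webcluster webcluster/web01 0/0/0/2/2 200 312 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Oct 17 12:30:09 DR haproxy[1230]: 192.168.235.1:50230 [17/Oct/2021:12:30:09.003] webcluster webcluster/<NOSRV> 0/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
"""

# Field order of httplog: client [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt
# status bytes req_cookie resp_cookie termination_state conn_counts queues "request".
HTTPLOG_RE = re.compile(
    r"haproxy\[\d+\]: (?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<frontend>\S+) "
    r"(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<timers>[-\d/]+) (?P<status>-?\d+) (?P<bytes>\d+) "
    r"\S+ \S+ (?P<term>\S{4}) [\d/]+ [\d/]+ (?:\{[^}]*\} )*\"(?P<request>[^\"]*)\""
)

def parse_httplog(text):
    """Yield one dict per parseable httplog line; lines in other formats are skipped."""
    for line in text.splitlines():
        m = HTTPLOG_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(text, backend="webcluster"):
    """Return (requests per server, list of abnormal requests) for one backend."""
    per_server = Counter()
    abnormal = []
    for rec in parse_httplog(text):
        if rec["backend"] != backend:
            continue
        per_server[rec["server"]] += 1
        # A 5xx status, or a termination state whose first letter is not '-',
        # means the request did not complete normally ('S' = server-side failure).
        if int(rec["status"]) >= 500 or rec["term"][0] != "-":
            abnormal.append((rec["ts"], rec["server"], rec["status"], rec["term"]))
    return per_server, abnormal
```

A roundrobin backend with two healthy servers should show near-equal counts for web01 and web02; a growing `<NOSRV>` count means requests are arriving while no server passes its health check.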