haproxy服务器(DR) IP:192.168.235.135
httpd服务器(RS1) IP:192.168.235.155
httpd服务器(RS2) IP:192.168.235.158

关闭防火墙和selinux

[root@DR ~]#  systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# setenforce 0
[root@RS1 ~]# systemctl disable --now firewalld
[root@RS1 ~]# setenforce 0
setenforce: SELinux is disabled
[root@rs2 ~]# systemctl disable --now firewalld
[root@rs2 ~]# setenforce 0

haproxy安装:

//安装服务
[root@DR ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
//创建用户
[root@DR ~]# useradd -r -M -s /sbin/nologin haproxy
[root@DR ~]# ls
haproxy-2.4.7.tar.gz
[root@DR ~]# tar xf haproxy-2.4.7.tar.gz -C /usr/local/
[root@DR ~]# ls /usr/local/
haproxy-2.4.7
[root@DR ~]# cd /usr/local/
[root@DR local]# ln -sv haproxy-2.4.7 haproxy
'haproxy' -> 'haproxy-2.4.7'
[root@DR local]# ll
总用量 20
drwxr-xr-x. 14 root  root   164 9月  27 08:49 apache
drwxr-xr-x.  6 root  root    58 9月  27 08:43 apr
drwxr-xr-x. 28  1001  1001 4096 9月  27 08:43 apr-1.7.0
drwxr-xr-x.  5 root  root    43 9月  27 08:45 apr-util
drwxr-xr-x. 21  1001  1001 4096 9月  27 08:45 apr-util-1.6.1
drwxr-xr-x.  2 root  root     6 8月  12 2018 bin
drwxr-xr-x.  2 root  root     6 8月  12 2018 etc
drwxr-xr-x.  2 root  root     6 8月  12 2018 games
lrwxrwxrwx.  1 root  root    13 10月 17 11:28 haproxy -> haproxy-2.4.7
drwxrwxr-x. 13 root  root  4096 10月  4 08:56 haproxy-2.4.7
//编译
[root@DR haproxy]#  make -j $(nproc) TARGET=linux-glibc \
> USE_OPENSSL=1 USE_PCRE=1 USE_SYSTEMD=1
[root@DR haproxy]# make install
[root@DR haproxy]# ls /usr/local/sbin/
haproxy

配置各个负载的内核参数

[root@DR haproxy]# echo 'net.ipv4.ip_nonlocal_bind = 1' >>  /etc/sysctl.conf
[root@DR haproxy]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR haproxy]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1

提供配置文件

[root@DR ~]#  mkdir /etc/haproxy
[root@DR ~]# cd /etc/haproxy/
[root@DR haproxy]# touch haproxy.cfg
[root@DR haproxy]# vim haproxy.cfg
[root@DR haproxy]# cat haproxy.cfg
#--------------全局配置----------------
global
    log 127.0.0.1 local0  info
    #log loghost local0 info
    maxconn 20480
    #chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    #maxconn 4000
    user haproxy
    group haproxy
    daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option dontlognull
    option httpclose
    option httplog
    #option forwardfor
    option redispatch
    balance roundrobin
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
    maxconn 60000
    retries 3
#--------------统计页面配置------------------
listen admin_stats
    bind 0.0.0.0:8189
    stats enable
    mode http
    log global
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin      示例账号口令,部署前需修改
    #stats hide-version
    stats admin if TRUE
    stats refresh 30s
#---------------web设置-----------------------
listen webcluster
    bind 0.0.0.0:80     访问https要修改为443
    mode http          访问https要修改为tcp
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    cookie SESSION_COOKIE insert indirect nocache
    server web01 192.168.235.155:80 check inter 2000 fall 5      修改为RS1的IP,如果访问https要修改为443
    server web02 192.168.235.158:80 check inter 2000 fall 5     修改为RS2的IP,如果访问https要修改为443

haproxy.service文件编写

[root@DR haproxy]# vim /usr/lib/systemd/system/haproxy.service
[root@DR haproxy]# cat /usr/lib/systemd/system/haproxy.service
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target

[Service]
ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg   -c -q
ExecStart=/usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg  -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target
[root@DR ~]# systemctl daemon-reload
[root@DR ~]#  systemctl enable --now haproxy
Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service.
[root@DR ~]# systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disab>
   Active: active (running) since Sun 2021-10-17 12:18:59 EDT; 4min 4s ago
  Process: 1218 ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q (c>
 Main PID: 1227 (haproxy)
    Tasks: 3 (limit: 11159)
   Memory: 9.9M
   CGroup: /system.slice/haproxy.service
           ├─1227 /usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/hap>
           └─1230 /usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/hap>

CA:

[root@DR ~]# yum -y install openssl
[root@DR ~]# openssl version -a
OpenSSL 1.1.1c FIPS  28 May 2019
built on: Thu Mar  5 10:03:36 2020 UTC
platform: linux-x86_64
options:  bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"   //查看openssl证书的存放路径
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines:  rdrand dynamic
//查看openssl的配置文件openssl.cnf,因为配置文件中对证书的名称和存放位置等相关信息都做了定义
[root@DR ~]# cd /etc/pki/
[root@DR pki]# ls
ca-trust     fwupd           nssdb            rpm-gpg  tls
consumer     fwupd-metadata  product          rsyslog
entitlement  java            product-default  swid
[root@DR pki]# mkdir CA
[root@DR pki]# ls
CA        entitlement     java     product-default  swid
ca-trust  fwupd           nssdb    rpm-gpg          tls
consumer  fwupd-metadata  product  rsyslog
[root@DR pki]# cd CA/
[root@DR CA]# touch serial
[root@DR CA]#  touch index.txt
[root@DR CA]# ls
index.txt  serial
[root@DR CA]# echo 01 > serial
[root@DR CA]# cat serial
01
//生成根证书的私钥(注意:私钥的文件名与存放位置要与配置文件中的设置相匹配)
openssl genrsa -out private/cakey.pem 2048 #私钥默认是2048,去和根证书绑定
[root@DR CA]# mkdir private
[root@DR CA]# ls
index.txt  private  serial
[root@DR CA]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
..........................................................+++++
e is 65537 (0x010001)
[root@DR CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:JXRT
Organizational Unit Name (eg, section) []:WW
Common Name (eg, your name or your server's hostname) []:WXY
Email Address []:1870648704@qq.com
[root@DR CA]# ls
cacert.pem  index.txt  private  serial
[root@DR CA]# mkdir req

RS1:

[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]#  cd /etc/httpd
[root@RS1 httpd]# mkdir ssl
[root@RS1 httpd]# cd ssl
[root@RS1 ssl]# openssl genrsa -out test.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
..................................................+++++
e is 65537 (0x010001)
[root@RS1 ssl]# ls
test.key
[root@RS1 ssl]#
[root@RS1 ssl]# openssl req -new -key test.key -out test.csr -days 365
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:JXRT
Organizational Unit Name (eg, section) []:WW
Common Name (eg, your name or your server's hostname) []:WXY
Email Address []:1870648704@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:www.yy.com
An optional company name []:
[root@RS1 ssl]# cd /etc/httpd/ssl
[root@RS1 ssl]# ls
test.csr  test.key
[root@RS1 ssl]# scp test.csr 192.168.235.145:/etc/pki/CA/req     //传到CA端的req文件夹
The authenticity of host '192.168.235.135 (192.168.235.145)' can't be established.
ECDSA key fingerprint is SHA256:YxxHZSMXHuRY/4l06pblVsAeyFwn87FXIP+3EXE+VNs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.235.145' (ECDSA) to the list of known hosts.
root@192.168.235.135's password:
test.csr                             100% 1058   865.3KB/s   00:00

在DR上查看

[root@DR ~]# ls /etc/pki/CA/req/
test.csr
//httpd端传过来的csr请求文件给CA服务器来颁发
[root@DR CA]# mkdir newcerts
[root@DR CA]# cd req/
[root@DR req]# openssl ca -in /etc/pki/CA/req/test.csr -out /etc/pki/CA/req/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 17 14:47:27 2021 GMT
            Not After : Oct 17 14:47:27 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = JXRT
            organizationalUnitName    = WW
            commonName                = WXY
            emailAddress              = 1870648704@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CF:E2:A0:78:4C:F9:3C:FA:1E:6F:4C:81:B0:1B:32:75:75:B4:C3:A4
            X509v3 Authority Key Identifier:
                keyid:73:D3:74:56:06:3C:49:07:25:06:00:B8:A4:EB:BE:1B:67:ED:78:98
Certificate is to be certified until Oct 17 14:47:27 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
//把CA上面的crt证书文件传送给httpd端下面的/etc/httpd/ssl文件
[root@DR req]# scp test.crt 192.168.235.155:/etc/httpd/ssl/
The authenticity of host '192.168.235.155 (192.168.235.155)' can't be established.
ECDSA key fingerprint is SHA256:SYE4sY5pR2aCmZV6JqXCtCbMFPNKU1R9ID9zX9AvPr4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.235.155' (ECDSA) to the list of known hosts.
root@192.168.235.155's password:
test.crt                             100% 4523   492.5KB/s   00:00    

RS1和RS2上配置https:

[root@RS1 ~]#  yum -y install mod_ssl
[root@RS1 ~]#  vim /etc/httpd/conf.d/ssl.conf
43 DocumentRoot "/var/www/html"
44 ServerName www.example.com:443   //取消掉这两行的注释
85 SSLCertificateFile /etc/httpd/ssl/test.crt   //修改为证书存放文件位置
94 SSLCertificateKeyFile /etc/httpd/ssl/test.key   //修改为密钥文件存放位置
[root@RS1 ~]# echo "hello yaya 192.168.235.155" > /var/www/html/index.html
[root@rs2 ~]#  yum -y install mod_ssl
[root@rs2 ssl]# scp root@192.168.235.155:/etc/httpd/ssl/* .
root@192.168.235.155's password:
test.crt                             100% 4523     3.2MB/s   00:00
test.csr                             100% 1058   318.8KB/s   00:00
test.key                             100% 1679     1.0MB/s   00:00
//重启
[root@rs2 ssl]# systemctl restart httpd

测试:

//日志启用

[root@DR ~]# vim /etc/rsyslog.conf
64 # Save boot messages also to boot.log
65 local0.*                   /var/log/haproxy.log
66 local7.*                                                /var/log/boot.log
[root@DR ~]# systemctl restart haproxy
[root@DR ~]# ss -antl
State      Recv-Q     Send-Q           Local Address:Port           Peer Address:Port
LISTEN     0          128                    0.0.0.0:111                 0.0.0.0:*
LISTEN     0          128                    0.0.0.0:80                  0.0.0.0:*
LISTEN     0          32               192.168.122.1:53                  0.0.0.0:*
LISTEN     0          128                    0.0.0.0:22                  0.0.0.0:*
LISTEN     0          5                    127.0.0.1:631                 0.0.0.0:*
LISTEN     0          128                    0.0.0.0:8189                0.0.0.0:*
LISTEN     0          128                       [::]:111                    [::]:*
LISTEN     0          128                       [::]:22                     [::]:*
LISTEN     0          5                        [::1]:631                    [::]:*

输入本机IP刷新测试负载均衡


