一. 在172.17.60.39主机上部署haproxy+keepalived:

1. 安装haproxy环境

[root@myhost ~]#yum -y install libnl libnl-devel libnfnetlink libnfnetlink-devel kernel-devel popt-devel openssl-devel gcc
# NOTE(review): the three commands below switch the host firewall off permanently
# and put SELinux into permissive mode (setenforce 0 lasts until the next reboot).
# With firewalld stopped, every listener this guide sets up later (HTTP on 80,
# the stats page on 8011, rsyslog on UDP 514) is reachable from any host that can
# route to this machine. A tighter setup keeps firewalld running and opens only
# what is needed: 80/tcp for clients, the stats port for the admin network, and
# VRRP between the two load balancers.
[root@myhost ~]#systemctl stop firewalld
[root@myhost ~]#systemctl disable firewalld
[root@myhost ~]#setenforce 0
[root@myhost ~]#mkdir -pv /services/current_apps

[root@myhost ~]#mkdir -pv /services/download_soft_v

[root@myhost ~]#cd /services/download_soft_v

2.下载haproxy-1.8.13版本并解压

# NOTE(review): the source tarball is fetched over plain HTTP and is then compiled
# and installed as root without any integrity check. Before unpacking, compare its
# digest with the one published by the upstream project, obtained over a trusted
# channel, e.g.:
#   sha256sum haproxy-1.8.13.tar.gz   # expect <SHA256 from the upstream release page>
# Also check whether a later maintenance release of the same branch is available
# before pinning this version.
[root@myhost download_soft_v]#wget -c http://10.10.9.250/Linux-SYS/haproxy-1.8.13.tar.gz

[root@myhost download_soft_v]#tar zxvf haproxy-1.8.13.tar.gz

[root@myhost download_soft_v]#cd haproxy-1.8.13

3. 用 uname -a 确认系统内核版本,并按实际版本修改下面 make 命令中的 TARGET 参数

[[email protected]]make TARGET=linux310 USE_OPENSSL=1 ADDLIB=-lz PREFIX=/services/current_apps/haproxy-1.8.13

4. 用make install安装到指定目录

[[email protected]]make install PREFIX=/services/current_apps/haproxy-1.8.13

5. 创建haproxy用户和相关目录

[[email protected]]useradd -s /sbin/nologin haproxy

[[email protected]]mkdir -pv /var/lib/haproxy

[[email protected]]mkdir -pv /services/current_apps/haproxy-1.8.13/ssl

[[email protected]]chown -R haproxy:haproxy /var/lib/haproxy

[[email protected]]cp /services/download_soft_v/haproxy-1.8.13/examples/haproxy.init /etc/init.d/haproxy

[[email protected]]chmod +x /etc/init.d/haproxy

[[email protected]]ln -sf /services/current_apps/haproxy-1.8.13 /etc/haproxy

[[email protected]]ln -s /etc/haproxy/sbin/haproxy /usr/sbin/

6. 设定haproxy日志目录

[[email protected]]mkdir -pv /services/haproxy_logs

[[email protected]]echo 'local0.* /services/haproxy_logs/haproxy.log'>>/etc/rsyslog.conf

7. 编辑rsyslog开启UDP(去掉下面两行前面的#号),并添加local0.none

[[email protected]]vi /etc/rsyslog.conf

# Load the UDP syslog input so haproxy's "log 127.0.0.1 local0" messages are received.
$ModLoad imudp
# NOTE(review): as written this listens on UDP 514 on every address of the host.
# haproxy in this guide only logs to 127.0.0.1, so the listener can be limited to
# loopback by adding "$UDPServerAddress 127.0.0.1" on the line before $UDPServerRun.
$UDPServerRun 514
# local0.none keeps the haproxy facility out of /var/log/messages; those messages
# go to /services/haproxy_logs/haproxy.log through the local0.* rule added in step 6.
*.info;mail.none;authpriv.none;cron.none;local0.none /var/log/messages

8. 改完重启rsyslog

[[email protected]]systemctl restart rsyslog

9. 设置haproxy日志切割,清空这个文件并黏贴以下代码

[[email protected]]vi /etc/logrotate.d/haproxy

            /services/haproxy_logs/haproxy.log {
            daily
            rotate 30
            missingok
            notifempty
            dateext
            compress
            sharedscripts
            postrotate
            /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
            /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
            service haproxy reload
            endscript
            }

10. 设置内核优化和ip转发

[[email protected]]echo "net.ipv4.ip_nonlocal_bind = 1" >>/etc/sysctl.conf
[[email protected]]echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
[[email protected]]sysctl -p

11. 配置haproxy.cfg,复制以下代码

[[email protected]]vi /etc/haproxy/haproxy.cfg

# Process-wide settings: logging target, connection limits and privilege drop.
global
                # Both log lines send to the local syslog daemon over UDP, which is why
                # step 7 enables the rsyslog UDP input.
                log 127.0.0.1   local0 info
                log 127.0.0.1   local1 notice
                maxconn 75535
                ulimit-n 655350
                # After start-up the workers are confined to an otherwise empty
                # directory and run as the unprivileged haproxy account.
                chroot /var/lib/haproxy
                pidfile /var/run/haproxy.pid
                user haproxy
                group haproxy
                daemon
                nbproc 8    # set to the actual number of CPU cores

#-----------------------------------
# defaults inherited by the frontend, backend and listen sections below.
#-----------------------------------
defaults
                log global
                mode    http
                option  httplog
                retries 3
                maxconn 75535
                balance leastconn
                # Timeouts bound how long a slow or idle peer can hold a connection slot.
                timeout connect 30s
                timeout client  60s
                timeout server  60s
                timeout http-request    30s
                timeout http-keep-alive 30s
                timeout queue           1m
                timeout check           30s
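# Public HTTP entry point: routes requests to a backend by URL path prefix,
# falling back to a Host-header match and finally to the refuse-url backend.
# NOTE(review): only plain HTTP on port 80 is bound here, although haproxy was
# built with USE_OPENSSL=1 and paths such as /login are routed; confirm whether
# TLS is terminated somewhere in front of this host.
frontend web_in
                bind *:80
                no option http-server-close
                # Appends the client address to X-Forwarded-For. A value already sent
                # by the client is kept, so backends must not trust the first entry
                # unless the incoming header is removed first (http-request del-header
                # X-Forwarded-For) — only safe if no trusted proxy sits in front.
                option forwardfor

                # Path-prefix ACLs, matched case-insensitively.
                acl mzj_web_zxft_acl path_beg -i /zxft
                acl mzj_web_jzcx_acl path_beg -i /jzcx
                acl mzj_web_login_acl path_beg -i /login
                acl mzj_web_welfare_acl path_beg -i /welfare
                acl mzj_web_xzsp-web_acl path_beg -i /xzsp-web
                acl mzj_web_volunteer_acl path_beg -i /volunteer
                acl mzj_web_edu_acl path_beg -i /edu
                acl mzj_web_shsw_acl path_beg -i /shsw
                # NOTE(review): hdr_reg is an unanchored regex and the dots match any
                # character, so Host values other than the intended name also match.
                # An exact comparison (hdr(host) -i) is stricter; verify how clients
                # send the Host header (with or without port) before switching.
                acl mzj_web_acl hdr_reg(host) -i mzj.sh.gov.cn

                # Rules are evaluated in order; the first matching ACL wins.
                use_backend mzj_web_zxft if mzj_web_zxft_acl
                use_backend mzj_web_login if mzj_web_login_acl
                use_backend mzj_web_jzcx if mzj_web_jzcx_acl
                use_backend mzj_web_welfare if mzj_web_welfare_acl
                use_backend mzj_web_xzsp-web if mzj_web_xzsp-web_acl
                use_backend mzj_web_volunteer if mzj_web_volunteer_acl
                use_backend mzj_web_edu if mzj_web_edu_acl
                use_backend mzj_web_shsw if mzj_web_shsw_acl
                use_backend mzj_web if mzj_web_acl
                # Anything that matched none of the rules above.
                default_backend refuse-url

#((
        # Header captures that feed the %hrl / %hsl fields of the log format below.
        # The X-Forwarded-For and User-Agent values are client-controlled: treat them
        # as untrusted text when the log is parsed or displayed.
        capture request header Host len 64
        capture request header User-Agent len 128
        capture request header X-Forwarded-For len 100
        capture request header Referer len 200
        capture response header Server len 40
        capture response header Server-ID len 40
        # The original page had this remark as "\#capture...": an escaped hash is
        # read as a keyword, not as a comment, so it is written as a real comment here.
        # NOTE(review): the log-format line ends in a bare backslash on the source
        # page; it may be a truncated "\ " separator — confirm before use.
        log-format %ci:%cp\ %si:%sp\ %B\ %U\ %ST\ %r\ %b\ %f\ %bi\ %hrl\ %hsl\
#))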

#
backend refuse-url
                mode http
                balance source
                server refuse-url 192.168.3.55:80 check rise 2 inter 5000 fall 3
backend mzj_web
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.66_80 172.17.60.66:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_login
                mode http
                balance roundrobin
                cookie SERVERID
                server 181.45_80 172.17.60.9:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_jzcx
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.5_80 172.17.60.5:80  cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_welfare
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.15_80 172.17.60.15:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_xzsp-web
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.12_80 172.17.60.12:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_zxft
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.5_80 172.17.60.5:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_volunteer
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.9_80 172.17.60.9:80   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_edu
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.29_3001 172.17.60.29:3001   cookie web1 inter 3000 rise 3 fall 3  check

backend mzj_web_shsw
                mode http
                balance roundrobin
                cookie SERVERID
                server 60.29_80 172.17.60.29:80 cookie web1 inter 3000 rise 3 fall 3  check

#-----------------------------------
# monitor status page.
#-----------------------------------
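# Built-in statistics page, served by process 1 only (nbproc is greater than 1).
listen stats
                # NOTE(review): 0.0.0.0 exposes the page on every interface, and the
                # basic-auth credentials below travel over plain HTTP. Bind to the
                # management address, or restrict the source networks, where possible.
                bind 0.0.0.0:8011
                mode http
                stats enable
                stats refresh 60s
                stats hide-version
                # Joined from "/ hastats" on the source page, which looks like a
                # formatting artefact; as written the extra word is a stray argument.
                stats uri /hastats
                # The space inside the realm must be escaped to stay one argument.
                stats realm Haproxy\ statistic
                # The source page published a fixed password on this line. "stats auth"
                # keeps the password in cleartext in this file, so set a unique value
                # per deployment and keep haproxy.cfg unreadable to other users.
                stats auth admin:CHANGE_ME_BEFORE_USE
                timeout connect 10000
                timeout client  50000
                timeout server  50000
                bind-process    1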

12. 设置开机自启动和目录权限

# NOTE(review): /etc/haproxy is the symlink created in step 5 to the install
# prefix, which holds haproxy.cfg and also sbin/haproxy. Handing that tree to the
# haproxy service account lets the unprivileged user rewrite the configuration
# (and possibly the binary; how far chown -R reaches through the symlink should be
# verified) that is later started by the init script, presumably as root. haproxy
# reads its configuration before it drops to "user haproxy", so root ownership
# with no write access for the service account is sufficient.
[[email protected]]chown -R haproxy:haproxy /etc/haproxy

[[email protected]]chkconfig haproxy on

13. 下载keepalived

[root@myhost haproxy-1.8.13]cd /services/download_soft_v

# NOTE(review): this tarball comes from a bare IP address over plain HTTP and is
# built and installed as root in the next step. Nothing here proves it is the
# upstream keepalived release. Fetch it from the project's own site, or at least
# compare the digest with one obtained over a trusted channel before unpacking:
#   sha256sum keepalived-2.0.11.tar.gz   # expect <SHA256 from the upstream project>
[root@myhost download_soft_v]wget -c http://104.225.234.20/keepalived-2.0.11.tar.gz

[root@myhost download_soft_v]tar -zxvf keepalived-2.0.11.tar.gz

[root@myhost download_soft_v]cd keepalived-2.0.11

14. 编译安装

[root@myhost keepalived-2.0.11]./configure --prefix=/services/current_apps/keepalived-2.0.11

[root@myhost keepalived-2.0.11]make && make install

15. 设置一些keepalived环境

[root@myhost keepalived-2.0.11]cp /services/download_soft_v/keepalived-2.0.11/keepalived/etc/init.d/keepalived /etc/init.d/

[root@myhost keepalived-2.0.11]ln -sf /services/current_apps/keepalived-2.0.11 /etc/keepalived

[root@myhost keepalived-2.0.11]ln -s /etc/keepalived/sbin/keepalived /usr/sbin/

[root@myhost keepalived-2.0.11]chkconfig keepalived on

[root@myhost keepalived-2.0.11]mkdir -pv /etc/keepalived/script

16. 编辑检测ha脚本文件

[root@myhost keepalived-2.0.11]vi /etc/keepalived/script/check_haproxy_process.sh
#!/bin/bash
# Health check called by keepalived (vrrp_script chk_haproxy_process).
# If no haproxy process exists it tries one restart; if haproxy is still absent
# five seconds later it stops keepalived on this node.

# Print the number of running processes whose command name is haproxy.
haproxy_count() {
  ps -C haproxy --no-header | wc -l
}

# First pass: attempt to bring haproxy back.
if [ "$(haproxy_count)" -eq 0 ]; then
  /etc/init.d/haproxy start
fi

# Wait before the second look; this pause happens on every run.
sleep 5

# Second pass: haproxy is still down, so take keepalived down as well
# (presumably so the peer node takes over the virtual address).
if [ "$(haproxy_count)" -eq 0 ]; then
  /etc/init.d/keepalived stop
fi

17. 编辑notify-master.sh脚本

[root@myhost keepalived-2.0.11]vi /etc/keepalived/script/notify-master.sh
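#!/bin/bash
# keepalived notify_master hook: mails a short status report when this node
# becomes VRRP master.
#
# Fixes over the version on the page: HOST_IP held the text of a pipeline instead
# of its output (and "$2" was expanded by the shell inside the double quotes), and
# the mail body was the literal command text rather than the commands' output.

# Recipient mailbox. The address is obfuscated on the source page and appears
# there as the literal text below; replace it with the real mailbox before use.
MAIL_TO='[email protected]'

# First IPv4 address configured on eth0, used in the subject line.
HOST_IP=$(ip -4 -o addr show dev eth0 | awk '{print $4}' | cut -d/ -f1 | head -n 1)

# Body: load, current addresses on eth0 (shows whether the VIP is present), blank line.
{
  uptime
  ip addr show eth0
  echo
} | mail -s "${HOST_IP}-HA change to master." "$MAIL_TO"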

18. 添加两个脚本权限

[root@myhost keepalived-2.0.11]chmod +x /etc/keepalived/script/check_haproxy_process.sh
[root@myhost keepalived-2.0.11]chmod +x /etc/keepalived/script/notify-master.sh

19.编辑 /usr/lib/systemd/system/keepalived.service,把unit替换成下面这段

root@myhost keepalived-2.0.11]vi /usr/lib/systemd/system/keepalived.service

[Unit]

Description=LVS and VRRP High Availability Monitor

After=syslog.target network-online.target haproxy.service

Requires=haproxy.service

20. 编辑vi /root/ulimit.sh,黏贴以下代码

[root@myhost keepalived-2.0.11]vi /root/ulimit.sh

#!/bin/bash
    DATE=`date +%F`

### Limits.conf
    cp -f /etc/security/limits.conf /etc/security/limits.conf_$(date +%F)
    if [ $? -eq 0 ];then
    cat >/etc/security/limits.conf</etc/security/limits.d/90-nproc.conf</etc/sysctl.conf<

21. 执行ulimit脚本

[root@myhost keepalived-2.0.11]sh /root/ulimit.sh

22. 编辑policy.sh

[root@myhost keepalived-2.0.11]vi /root/policy.sh
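#!/bin/bash
# Account and SSH baseline for the load-balancer hosts. Run as root from an
# interactive terminal: the password of the operator account is prompted for
# instead of being stored in this file, where every reader of the script (or of
# the page it was copied from) would learn it.

# Password ageing and length. The keys are matched by name rather than by fixed
# line number, so an unrelated line is never overwritten if login.defs differs.
sed -i 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 90/' /etc/login.defs
sed -i 's/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN 7/' /etc/login.defs
# NOTE(review): on PAM-based systems minimum length is normally enforced by
# pam_pwquality (minlen in /etc/security/pwquality.conf); confirm that
# PASS_MIN_LEN has any effect here, and whether 7 meets the local policy.

# Idle shell timeout; appended only once so re-running the script is harmless.
grep -q '^TMOUT=' /etc/profile || echo 'TMOUT=600' >> /etc/profile

# Operator account. It is created and given a password BEFORE root SSH login is
# switched off, so a failure at this point cannot lock every administrator out.
id mzj >/dev/null 2>&1 || useradd mzj
if ! passwd mzj; then
  echo "password for mzj was not set; stopping before sshd is changed" >&2
  exit 1
fi

# sudo grant through a drop-in that is syntax-checked before it goes live; an
# invalid line inserted into /etc/sudoers by line number can disable sudo for all
# users. Assumes the stock "#includedir /etc/sudoers.d" line is present.
# NOTE(review): NOPASSWD:ALL makes mzj equivalent to root, so disabling root
# login below only renames the target. Drop NOPASSWD unless automation needs it.
sudoers_tmp=$(mktemp) || exit 1
echo 'mzj ALL=(ALL) NOPASSWD:ALL' > "$sudoers_tmp"
if visudo -cf "$sudoers_tmp" >/dev/null; then
  install -o root -g root -m 0440 "$sudoers_tmp" /etc/sudoers.d/mzj
else
  echo "sudoers entry failed validation; not installed" >&2
fi
rm -f -- "$sudoers_tmp"

# Lock unused system accounts; names that do not exist on this host are skipped.
for acct in adm lp sync shutdown halt mail uucp operator games gopher; do
  if id "$acct" >/dev/null 2>&1; then
    usermod -L "$acct"
  fi
done

# Disable direct root login over SSH. The pattern also covers a line that is
# already uncommented, which the original "#PermitRootLogin yes" match missed.
sed -i -E 's/^[#[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config

# Restart only if the edited configuration parses, so a typo cannot take sshd down.
if sshd -t; then
  service sshd restart
else
  echo "sshd_config failed validation; sshd not restarted" >&2
  exit 1
fi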

23.执行policy.sh

[root@myhost keepalived-2.0.11]sh /root/policy.sh

24. 编辑keepalived主配置文件

[root@myhost keepalived-2.0.11]vi /etc/keepalived/keepalived.conf

! Configuration File for keepalived
# Node 172.17.60.39: BACKUP member (priority 90) of the pair that shares the
# virtual address 172.17.60.77.

global_defs {
        # Alert mailboxes; the addresses are obfuscated on the source page.
        notification_email {
        [email protected]
        }

        notification_email_from [email protected]
        smtp_server mail.wdit.com.cn
        smtp_connect_timeout 60
        router_id HAProxy_CIIE_Slave
        # NOTE(review): no script_user / enable_script_security is set, so the
        # scripts below may run as root; confirm, and keep the script directory
        # writable by root only.
}

# Runs the haproxy check script every 10 seconds; weight 2 is the priority
# adjustment tied to the script's result.
vrrp_script chk_haproxy_process {
     script "/etc/keepalived/script/check_haproxy_process.sh"
     interval 10
     weight 2
}

vrrp_instance 36.1 {
        state BACKUP
        interface eth0
        # Must be identical on both nodes of this pair.
        virtual_router_id 202
        priority 90
        advert_int 1
        smtp_alert
        # NOTE(review): PASS authentication is carried in cleartext in every VRRP
        # advertisement and "1111" is trivially guessable, so it does not stop a
        # host on the same segment from joining the election. Authentication was
        # removed from the VRRPv2 specification (RFC 3768). Restrict VRRP to the
        # peer's address with a host firewall rule, or use unicast_peer, and treat
        # this value as a misconfiguration guard only. Both nodes must use the same
        # value.
        authentication {
                auth_type PASS
                auth_pass 1111
        }
        track_script {
                chk_haproxy_process
        }
        virtual_ipaddress {
                172.17.60.77/32 dev eth0 scope global
        }
                # Hook run when this node becomes master.
                notify_master "/etc/keepalived/script/notify-master.sh"

}

25. 开启服务并自启动

[root@myhost keepalived-2.0.11]service keepalived restart
[root@myhost keepalived-2.0.11]systemctl enable haproxy

二. 在172.17.60.41主机上部署haproxy+keepalived:

1.从1-23步骤一模一样重复做一遍

2. 编辑 /etc/keepalived/keepalived.conf文件黏贴以下代码

[root@myhost keepalived-2.0.11]vi /etc/keepalived/keepalived.conf

        ! Configuration File for keepalived
        # Node 172.17.60.41: MASTER member (priority 100) of the pair that shares
        # the virtual address 172.17.60.77.

        global_defs {
                # Alert mailboxes; the addresses are obfuscated on the source page.
                notification_email {
                [email protected]
                }

                notification_email_from [email protected]
                smtp_server mail.wdit.com.cn
                smtp_connect_timeout 60
                # router_id identifies this machine and must differ from the peer's.
                router_id HAProxy_CIIE_Master
                }

# Runs the haproxy check script every 10 seconds; weight 2 is the priority
# adjustment tied to the script's result.
# NOTE(review): no script_user / enable_script_security is set in global_defs, so
# this script may run as root; confirm, and keep its directory root-writable only.
vrrp_script chk_haproxy_process {
     script "/etc/keepalived/script/check_haproxy_process.sh"
     interval 10
     weight 2
}

vrrp_instance 60.77 {
        state MASTER
        interface eth0
                # virtual_router_id must be the SAME on both nodes of this pair (the
                # other node also uses 202) and different from any other VRRP group
                # on the same network segment.
        virtual_router_id 202
        priority 100
        advert_int 1
        smtp_alert
        # NOTE(review): PASS authentication is sent in cleartext in every VRRP
        # advertisement and "1111" is trivially guessable; it is not a security
        # control. Limit VRRP traffic to the peer's address with a host firewall
        # rule, or use unicast_peer. The value must match the other node.
        authentication {
                auth_type PASS
 auth_pass 1111
        }
        track_script {
                chk_haproxy_process
        }
        virtual_ipaddress {
                172.17.60.77/32 dev eth0 scope global
        }
        # Hook run when this node becomes master.
        notify_master "/etc/keepalived/script/notify-master.sh"
}

3. 开启服务并自启动

[root@myhost keepalived-2.0.11]service keepalived restart
[root@myhost keepalived-2.0.11]systemctl enable haproxy