Environment:

| Hostname | Role | IP address |
| --- | --- | --- |
| mylinux1.contoso.com | HAProxy | eth0:192.168.100.121 eth1:172.16.100.121 |
| mylinux3.contoso.com | ssh server (used for the TCP test) | eth0:192.168.100.181 |
| mylinux4.contoso.com | ssh server (used for the TCP test) | eth1:192.168.100.182 |
I. Environment preparation

The following configuration has to be prepared before almost every exercise, so I will not list the preparation commands in detail; an earlier post provides a one-click optimization script that automates this and saves repeating the same steps.

```
# Check the firewall
[root@mylinux1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# Check SELinux
[root@mylinux1 ~]# getenforce
Disabled
# Check time synchronization
[root@mylinux1 ~]# crontab -l
0 * * * * /usr/sbin/ntpdate 210.72.145.44 64.147.116.229 time.nist.gov
# Set up the yum repository
mkdir -p /etc/yum.repos.d/bak
mv /etc/yum.repos.d/*.* /etc/yum.repos.d/bak/
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
yum clean all
yum makecache
# Set the hostname
sed -i '/^HOSTNAME/s/^/#/' /etc/sysconfig/network
sed -i '/#HOSTNAME/aHOSTNAME=[hostname]' /etc/sysconfig/network
hostname [hostname]
```
II. Install HAProxy

```
[root@mylinux1 ~]# mkdir -p /opt/tools
[root@mylinux1 ~]# cd /opt/tools/
[root@mylinux1 tools]# ll
total 2608
-rw-r--r-- 1 root root 1360582 Sep 30 11:02 haproxy-1.5.18.tar.gz
[root@mylinux1 tools]# tar -zxf haproxy-1.5.18.tar.gz
[root@mylinux1 tools]# cd haproxy-1.5.18
[root@mylinux1 haproxy-1.5.18]# ls
CHANGELOG  CONTRIBUTING  ebtree  include  Makefile  ROADMAP  SUBVERS  VERDATE
contrib    doc           examples  LICENSE  README    src      tests    VERSION
[root@mylinux1 haproxy-1.5.18]# mkdir -p /usr/local/haproxy
[root@mylinux1 haproxy-1.5.18]# make TARGET=linux26 ARCH=x86_64 PREFIX=/usr/local/haproxy/
[root@mylinux1 haproxy-1.5.18]# make install PREFIX=/usr/local/haproxy
[root@mylinux1 haproxy-1.5.18]# cd /usr/local/haproxy/
[root@mylinux1 haproxy]# tree
├── doc
│   └── haproxy
│       ├── architecture.txt
│       ├── configuration.txt
│       ├── haproxy-en.txt
│       └── haproxy-fr.txt
├── sbin
│   └── haproxy
└── share
    └── man
        └── man1
            └── haproxy.1

6 directories, 6 files
```
III. System configuration changes for haproxy

1. Generate the configuration file

```
[root@mylinux1 haproxy-1.5.18]# mkdir -p /usr/local/haproxy/conf
[root@mylinux1 haproxy-1.5.18]# cp examples/haproxy.cfg /usr/local/haproxy/conf/
```
2. Enable IPv4 forwarding

```
[root@mylinux1 conf]# sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
[root@mylinux1 conf]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
fs.file-max = 2097152
fs.nr_open = 2097152
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 81920
```
3. Create the haproxy directories

```
[root@mylinux1 conf]# mkdir -p /usr/local/haproxy/logs
[root@mylinux1 conf]# mkdir -p /usr/local/haproxy/var/{run,chroot}
```
4. Create the haproxy user

```
[root@mylinux1 conf]# id haproxy
id: haproxy: No such user
[root@mylinux1 conf]# useradd haproxy -s /sbin/nologin
[root@mylinux1 conf]# id haproxy
uid=606(haproxy) gid=606(haproxy) groups=606(haproxy)
```
5. Configure rsyslog to record the haproxy log

Add the following line to the global section of haproxy.cfg:

```
log 127.0.0.1 local0 warning
```

Then edit the rsyslog configuration file rsyslog.conf:

```
[root@mylinux1 conf]# echo -e "# Haproxy log setting\nlocal0.* /usr/local/haproxy/logs/haproxy.log\n#End" >>/etc/rsyslog.conf
[root@mylinux1 conf]# tail -3 /etc/rsyslog.conf
# Haproxy log setting
local0.* /usr/local/haproxy/logs/haproxy.log
#End
```

Next, change the rsyslog daemon options:

```
[root@mylinux1 conf]# cp /etc/sysconfig/rsyslog /etc/sysconfig/rsyslog.bak$(date +%F)
[root@mylinux1 conf]# vi /etc/sysconfig/rsyslog
[root@mylinux1 conf]# tail -2 /etc/sysconfig/rsyslog
#SYSLOGD_OPTIONS="-c 5"
SYSLOGD_OPTIONS="-c 2 -m 0 -r -x"
[root@mylinux1 conf]# diff /etc/sysconfig/rsyslog.bak2016-09-30 /etc/sysconfig/rsyslog
5c5,6
< SYSLOGD_OPTIONS="-c 5"
---
> #SYSLOGD_OPTIONS="-c 5"
> SYSLOGD_OPTIONS="-c 2 -m 0 -r -x"
```
At this point we find that on CentOS 6.5 netstat does not show anything listening on port 514, and lsof shows no service on port 514 either:

```
[root@mylinux1 ~]# netstat -lntup|grep 514
[root@mylinux1 ~]# lsof -i :514
[root@mylinux1 ~]#
```
One more setting in rsyslog.conf has to be changed: load the imudp module and enable the UDP listener on port 514, which are commented out by default:

```
[root@mylinux1 ~]# sed -i '/imudp/s/^#//' /etc/rsyslog.conf
[root@mylinux1 ~]# sed -i '/UDPServerRun 514/s/^#//' /etc/rsyslog.conf
[root@mylinux1 ~]# grep imudp /etc/rsyslog.conf
$ModLoad imudp
[root@mylinux1 ~]# grep UDPServerRun /etc/rsyslog.conf
$UDPServerRun 514
```
Finally, restart the rsyslog service:

```
[root@mylinux1 conf]# /etc/init.d/rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
```

Check the listening state and the service on port 514 again:

```
[root@mylinux1 ~]# lsof -i :514
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 2436 root    3u  IPv4  24957      0t0  UDP *:syslog
rsyslogd 2436 root    4u  IPv6  24958      0t0  UDP *:syslog
[root@mylinux1 ~]# netstat -tunlp|grep 514
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               2436/rsyslogd
udp        0      0 :::514                      :::*                                    2436/rsyslogd
```
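The rsyslog destination set up above only stores the lines; reading them is where the value lies. The following is an added example, not code from this post: a small parser for HAProxy's TCP log format, which the listen section would emit with `option tcplog` (the post's configuration does not set it; without it HAProxy logs only a one-line "Connect from ..." record per connection). Because the backend sshd in tcp mode sees the proxy's own address as its peer, the HAProxy log is the only place that ties a real client address to a backend session and to the reason it ended. The sample lines, hosts, ports and timings are constructed.

```python
import re
from collections import Counter

# Constructed log lines in HAProxy's TCP log format (what "option tcplog" emits),
# as rsyslog would write them to /usr/local/haproxy/logs/haproxy.log. Hosts,
# ports and timings are made up. Field order after the pid:
# client:port [accept time] frontend backend/server Tw/Tc/Tt bytes term_state
# actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue
SAMPLE_LOG = """\
Sep 30 18:29:10 mylinux1 haproxy[1550]: 192.168.100.1:50412 [30/Sep/2016:18:29:05.117] ssh ssh/mylinux4 0/0/5012 2048 -- 1/1/1/1/0 0/0
Sep 30 18:29:41 mylinux1 haproxy[1550]: 192.168.100.1:50413 [30/Sep/2016:18:29:41.302] ssh ssh/mylinux3 0/0/123 0 SC 1/1/1/1/3 0/0
Sep 30 18:29:43 mylinux1 haproxy[1550]: 192.168.100.1:50414 [30/Sep/2016:18:29:41.902] ssh ssh/mylinux3 0/0/40 0 SC 1/1/1/1/3 0/0
Sep 30 18:30:02 mylinux1 haproxy[1550]: 192.168.100.1:50415 [30/Sep/2016:18:29:55.040] ssh ssh/mylinux4 0/0/7011 4096 CD 1/1/1/1/0 0/0
"""

TCPLOG_RE = re.compile(
    r"haproxy\[(?P<pid>\d+)\]: (?P<client>[\d.]+):(?P<cport>\d+) "
    r"\[(?P<when>[^\]]+)\] (?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>\+?\d+) (?P<bytes>\+?\d+) (?P<ts>\S\S) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\d+) "
    r"(?P<srvq>\d+)/(?P<beq>\d+)"
)

# First character of the termination state (section 8.5 of HAProxy's configuration.txt).
FIRST_CHAR = {
    "-": "normal close",
    "C": "client aborted the TCP session",
    "S": "server aborted or refused the TCP session",
    "P": "proxy aborted the session",
    "R": "proxy ran out of resources",
    "I": "internal error in the proxy",
    "D": "session killed because the server was marked down",
    "K": "session killed by an administrator",
    "c": "client-side timeout",
    "s": "server-side timeout",
}
# Second character: the phase the session was in when it ended.
SECOND_CHAR = {
    "-": "", "R": "waiting for the request", "Q": "waiting in a queue",
    "C": "waiting for the connection to the server", "H": "waiting for the response headers",
    "D": "transferring data", "L": "sending the last data", "T": "tarpitted",
}


def parse_tcplog(text):
    """Parse every TCP-format line; unrelated lines (e.g. 'Proxy ssh started.') are skipped."""
    records = []
    for line in text.splitlines():
        m = TCPLOG_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def describe(ts):
    """Human-readable reading of a two-character termination state such as 'SC'."""
    first = FIRST_CHAR.get(ts[0], "unknown cause %r" % ts[0])
    second = SECOND_CHAR.get(ts[1], "unknown phase %r" % ts[1])
    return first + (", while " + second if second else "")


def failures_by_server(records):
    """Count abnormal termination states per backend server: {'mylinux3': {'SC': 2}, ...}."""
    out = {}
    for r in records:
        if r["ts"][0] == "-":
            continue  # '--' is a normal close, nothing to report
        out.setdefault(r["server"], Counter())[r["ts"]] += 1
    return {srv: dict(c) for srv, c in out.items()}


if __name__ == "__main__":
    recs = parse_tcplog(SAMPLE_LOG)
    for srv, states in failures_by_server(recs).items():
        for ts, n in states.items():
            print("%s: %d x %s (%s)" % (srv, n, ts, describe(ts)))
```

Run against the real file with `parse_tcplog(open("/usr/local/haproxy/logs/haproxy.log").read())`. A run of `SC` states with the retries counter at 3 on one backend is the signature of that backend refusing connections (it matches the `retries 3` default), which is worth alerting on long before the health check marks the server down.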
IV. Edit the haproxy configuration file

Below is the configuration file for a TCP-based haproxy proxy:

```
[root@mylinux1 conf]# cat haproxy.cfg
# this config needs haproxy-1.1.28 or haproxy-1.2.1
global
    log 127.0.0.1 local0                  # log to the local host through the local0 facility
    log 127.0.0.1:514 local0 warning      # haproxy log level; warning here
    pidfile /usr/local/haproxy/var/run/haproxy.pid   # PID file location
    daemon                                # run as a daemon (in the background)
    maxconn 20480                         # default maximum connections; must not exceed the ulimit -n limit
    chroot /usr/local/haproxy/var/chroot  # chroot directory, a security measure
    user haproxy                          # user haproxy runs as
    group haproxy                         # group haproxy runs as
    spread-checks 3
    nbproc 1                              # number of processes

defaults
    log global
    retries 3                             # after 3 failed connection attempts the server is considered unavailable; can also be set per server
    option redispatch                     # when the server for a serverId goes down, force redirection to another healthy server
    maxconn 2000                          # default maximum connections
    timeout connect 5000                  # connect timeout, in ms
    timeout client 50000                  # client timeout
    timeout server 50000                  # server timeout

listen ssh
    bind 172.16.100.121:80                # IP and port to bind
    mode tcp                              # which layer haproxy works at, layer 4 tcp or layer 7 http; tcp here
    balance roundrobin                    # round-robin
    timeout server 15s
    timeout connect 30s
    server mylinux3 192.168.100.181:22 check port 22   # backend server: IP, port and health-check port
    server mylinux4 192.168.100.182:22 check port 22
```
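`haproxy -c` validates syntax, but it says nothing about whether the global section actually drops privileges or whether every backend has a health check. As an added example (not the post's own code or HAProxy's), here is a minimal parser for the section/keyword layout of haproxy.cfg with a few checks of that kind. The embedded configuration is constructed from the listen section above, with one server address deliberately written as `192.168.100,182` so the address check has something to report; the check names and the structure of the findings are my own choices.

```python
import ipaddress
import re

# Constructed haproxy.cfg modelled on the listen section in this post (not the
# post's own file). One server line deliberately carries a comma where a dot
# belongs, so the checks have something to report.
SAMPLE_CFG = """\
global
    log 127.0.0.1 local0
    chroot /usr/local/haproxy/var/chroot
    user haproxy
    group haproxy
    daemon

defaults
    log global
    retries 3
    maxconn 2000

listen ssh
    bind 172.16.100.121:80
    mode tcp
    balance roundrobin
    server mylinux3 192.168.100.181:22 check port 22
    server mylinux4 192.168.100,182:22 check port 22
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b(.*)$")


def parse_cfg(text):
    """Split haproxy.cfg into sections: [{'kind', 'name', 'lines': [(keyword, args)]}]."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; enough for this format
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            rest = m.group(2).split()
            current = {"kind": m.group(1), "name": rest[0] if rest else "", "lines": []}
            sections.append(current)
            continue
        if current is None:
            raise ValueError("directive outside any section: %r" % line)
        words = line.split()
        current["lines"].append((words[0], words[1:]))
    return sections


def check_address(addr, allow_any=False):
    """Return None if addr is a valid IPv4:port, otherwise a short error string."""
    host, sep, port = addr.rpartition(":")
    if not sep:
        return "missing port in %r" % addr
    if host == "" and allow_any:
        pass  # ':80' means every address; legal for bind, not for a server
    else:
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            return "invalid IPv4 address %r" % host
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        return "invalid port %r" % port
    return None


def lint(sections):
    """Return a list of findings; an empty list means nothing was caught."""
    findings = []
    for sec in sections:
        where = (sec["kind"] + " " + sec["name"]).strip()
        keywords = {kw for kw, _ in sec["lines"]}
        if sec["kind"] == "global":
            # chroot + user + group is the privilege drop the post relies on
            for must in ("chroot", "user", "group"):
                if must not in keywords:
                    findings.append("global: no '%s' directive, haproxy would keep root privileges" % must)
        for kw, args in sec["lines"]:
            if kw == "bind" and args:
                err = check_address(args[0], allow_any=True)
                if err:
                    findings.append("%s: bind: %s" % (where, err))
            elif kw == "server" and len(args) >= 2:
                err = check_address(args[1])
                if err:
                    findings.append("%s: server %s: %s" % (where, args[0], err))
                if "check" not in args[2:]:
                    findings.append("%s: server %s has no health check" % (where, args[0]))
    return findings


if __name__ == "__main__":
    for finding in lint(parse_cfg(SAMPLE_CFG)):
        print(finding)
```

To run it against the real file, replace `SAMPLE_CFG` with `open("/usr/local/haproxy/conf/haproxy.cfg").read()`. The comment stripping is naive (a `#` inside a quoted string would be cut), which is acceptable for a config in this style but not for a general-purpose parser.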
V. Start haproxy and test

1. Start haproxy

Check that the haproxy configuration file is usable with the following command:

```
[root@mylinux1 conf]# /usr/local/haproxy/sbin/haproxy -f haproxy.cfg -c
Configuration file is valid
```

Then start haproxy with:

```
[root@mylinux1 conf]# /usr/local/haproxy/sbin/haproxy -f haproxy.cfg -D
```

Whether haproxy has started can be checked as follows:

```
[root@mylinux1 conf]# ps -ef|grep haproxy
haproxy   1550     1  0 18:25 ?        00:00:00 /usr/local/haproxy/sbin/haproxy -f haproxy.cfg -D
root      1553  1015  0 18:26 pts/1    00:00:00 grep haproxy
[root@mylinux1 conf]# lsof -i :80
COMMAND  PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
haproxy 1550 haproxy   4u  IPv4  12088      0t0  TCP 172.16.100.121:http (LISTEN)
```
2. Test haproxy proxying ssh

In the configuration file above, port 80 on haproxy's eth1 address 172.16.100.121 proxies port 22, the ssh service, on the backends mylinux3 and mylinux4. A client therefore only has to ssh to port 80 of 172.16.100.121 to reach the ssh service on either backend. Let's test whether it behaves as expected.

```
[root@mylinux1 conf]# ssh -p80 172.16.100.121
The authenticity of host '[172.16.100.121]:80 ([172.16.100.121]:80)' can't be established.
RSA key fingerprint is ea:b0:45:d6:fa:48:60:41:a9:e4:f7:30:b9:ed:16:a4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.100.121]:80' (RSA) to the list of known hosts.
root@172.16.100.121's password:
Last login: Fri Sep 30 12:42:12 2016 from 192.168.100.1
[root@mylinux4 ~]# hostname
mylinux4.contoso.com
[root@mylinux4 ~]# ip a|grep 192.168.100
    inet 192.168.100.182/24 brd 192.168.100.255 scope global eth0
```
Good: through the haproxy proxy we have logged in remotely to the host mylinux4.

Before the second test, the contents of known_hosts have to be cleared, otherwise ssh warns that the host key has changed (each backend presents its own key). Use the following command:

```
[root@mylinux1 conf]# >/root/.ssh/known_hosts
```
Then ssh to port 80 of 172.16.100.121 again; the result is as follows:

```
[root@mylinux1 conf]# ssh -p80 172.16.100.121
The authenticity of host '[172.16.100.121]:80 ([172.16.100.121]:80)' can't be established.
RSA key fingerprint is 99:05:e5:e4:d3:78:bd:cf:94:e9:80:36:b5:5d:cc:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.100.121]:80' (RSA) to the list of known hosts.
root@172.16.100.121's password:
Last login: Fri Sep 30 18:29:10 2016 from 192.168.100.121
[root@mylinux3 ~]# hostname
mylinux3.contoso.com
[root@mylinux3 ~]# ip a |grep 192.168.100
    inet 192.168.100.181/24 brd 192.168.100.255 scope global eth0
```

This time we landed on the host mylinux3, which shows that the haproxy TCP proxy works.
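The two different RSA fingerprints above are the round-robin made visible: each backend keeps its own host key, so a client of the proxy alternately sees two keys for one address, and emptying known_hosts to get past the warning also switches off the check that would catch a genuinely changed key. As an added example (not from this post), the following script measures that directly: it parses ssh-keyscan style output for the proxy endpoint, computes the same MD5 colon-hex and SHA256 fingerprints ssh-keygen -l would print, and reports any endpoint that answered with more than one key. The embedded scan output is constructed, and the key blobs are made-up bytes rather than real keys; `scan()` is the live variant and needs the network and openssh-clients.

```python
import base64
import hashlib
import subprocess
from collections import defaultdict

# Constructed text in the shape ssh-keyscan produces: "host keytype base64-blob"
# key lines (its stdout) plus the "# host SSH-2.0-..." banner comments it writes
# to stderr, so the parser tolerates both. The blobs are made-up bytes, NOT real
# keys; two different blobs stand in for the two backends' host keys.
SAMPLE_KEYSCAN = """\
# 172.16.100.121:80 SSH-2.0-OpenSSH_5.3
[172.16.100.121]:80 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC5ZmFrZWtleW9uZQ==
# 172.16.100.121:80 SSH-2.0-OpenSSH_5.3
[172.16.100.121]:80 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC5ZmFrZWtleXR3bw==
# 172.16.100.121:80 SSH-2.0-OpenSSH_5.3
[172.16.100.121]:80 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC5ZmFrZWtleW9uZQ==
"""


def fingerprints(blob_b64):
    """MD5 (colon-hex, as in the prompts above) and SHA256 fingerprints of a key blob,
    computed the way ssh-keygen -l does: a digest over the base64-decoded blob."""
    raw = base64.b64decode(blob_b64)
    md5 = hashlib.md5(raw).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha_fp = "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return md5_fp, sha_fp


def keys_per_endpoint(text):
    """Map each scanned endpoint to the set of (keytype, md5 fingerprint) it offered."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank line or ssh-keyscan banner comment
        host, keytype, blob = line.split()[:3]
        seen[host].add((keytype, fingerprints(blob)[0]))
    return dict(seen)


def report(text):
    """One finding per endpoint that answered with more than one host key."""
    return ["%s presented %d distinct host keys" % (host, len(keys))
            for host, keys in sorted(keys_per_endpoint(text).items()) if len(keys) > 1]


def scan(host, port, rounds=6):
    """Live variant: run ssh-keyscan several times against the proxy (needs the network
    and openssh-clients); each run lands on whichever backend round-robin picks."""
    chunks = []
    for _ in range(rounds):
        proc = subprocess.run(["ssh-keyscan", "-t", "rsa", "-p", str(port), host],
                              capture_output=True, text=True, timeout=15)
        chunks.append(proc.stdout)
    return "\n".join(chunks)


if __name__ == "__main__":
    for line in report(SAMPLE_KEYSCAN):
        print(line)
```

For the live check use `report(scan("172.16.100.121", 80))`. If the proxy must keep presenting a single identity, the usual remedies are either pinning a client to one backend with `balance source` instead of `roundrobin`, or installing the same host key pair on both backends; either way the operator keeps known_hosts intact instead of emptying it before every login.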