一、实验环境
操作系统:CentOS7.2 Mininal
serverA:192.168.1.104
serverB:192.168.1.109
VIP: 192.168.1.110
test: 192.168.1.120
二、软件安装
在serverA 和 serverB 上
# yum -y install nginx bind ntp keepalived
# systemctl enable named ntpd nginx keepalived
三、特殊配置
在serverA 和 serverB 上
# sysctl -w net.ipv4.ip_nonlocal_bind=1
# echo "net.ipv4.ip_nonlocal_bind=1" >> /etc/sysctl.conf
注:更改Linux系统控制文件,使得端口即使监听在不存在的IP上,也不报错
# setenforce 0
# sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
# systemctl stop firewalld
# systemctl disable firewalld
三、serverA服务配置
# vim /etc/keepalived/keepalived.conf
##############################
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
}
vrrp_script check {
script "/etc/keepalived/check.sh"
interval 5
}
vrrp_instance VI_1 {
state BACKUP
interface eno16777736
virtual_router_id 100
priority 100
advert_int 1
nopreempt
authentication {
auth_type PASS
auth_pass 1111
}
track_script {
check
}
virtual_ipaddress {
192.168.1.110
}
}
##############################
注意: vrrp_script{}中的interval时间需大于脚本中的sleep时间!
# vim /etc/keepalived/check.sh
##############################
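#!/bin/bash
# keepalived track_script for the VIP holder: make sure nginx, named and ntpd
# are running. A service that is down is started once; if it is still not
# running 3 seconds later, keepalived is stopped so the VIP moves to the peer.
#
# NOTE(review): each failing service adds a 3s sleep, so with all three down the
# script runs ~9s, longer than the 5s vrrp_script interval configured alongside
# it — confirm keepalived's script timeout tolerates that or raise the interval.

#######################################
# Count running processes with the given command name.
# Arguments: $1 - process name as shown by `ps -C`
# Outputs:   number of matching processes on stdout ("0" when none)
#######################################
count_procs() {
  ps -C "$1" --no-heading | wc -l
}

#######################################
# Ensure a service is running; stop keepalived if it cannot be started.
# Arguments: $1 - systemd unit name without the ".service" suffix
#            $2 - process name to look for with count_procs
# Globals:   none
# Returns:   status of the last systemctl/test executed
#######################################
ensure_service() {
  local unit=$1
  local proc=$2
  if [ "$(count_procs "$proc")" = "0" ]; then
    systemctl start "${unit}.service"
    # give the unit time to fork before re-checking
    sleep 3
    if [ "$(count_procs "$proc")" = "0" ]; then
      # release the VIP: the peer node takes over
      systemctl stop keepalived.service
    fi
  fi
}

ensure_service nginx nginx
ensure_service named named
ensure_service ntpd ntpd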
#######################################
# chmod +x /etc/keepalived/check.sh
# vim /etc/ntp.conf
########################################
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 192.168.1.110 iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
interface ignore wildcard
interface listen 192.168.1.110
interface listen 127.0.0.1
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
##########################################
# vim /etc/named.conf
##########################################
options {
listen-on port 53 { 192.168.1.110; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
pid-file "/run/named/named.pid";
};
zone "test.com" IN {
type master;
file "test.com.zone";
};
###############################################
# cp -p /var/named/named.localhost /var/named/test.com.zone
# vim /var/named/test.com.zone
# vim /etc/nginx/nginx.conf
#########################################
# For more information on configuration, see:
# * Official English Documentation:http://nginx.org/en/docs/
# * Official Russian Documentation:http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
# stream转发
stream {
# hash $remote_addr consistent;
proxy_connect_timeout 3s;
include /etc/nginx/conf.d/stream_proxy.conf;
}
# http转发
http {
client_max_body_size 500M;
include mime.types;
default_type application/octet-stream;
server_tokens off;
sendfile on;
keepalive_timeout 65;
include /etc/nginx/conf.d/http_proxy.conf;
}
############################################
# vim /etc/nginx/conf.d/stream_proxy.conf
#############################################
upstream stream_service {
hash $remote_addr consistent;
server 192.168.1.103:12345 max_fails=1 fail_timeout=180s;
server 192.168.1.104:12345 max_fails=1 fail_timeout=180s;
}
server {
listen 192.168.1.110:54321;
proxy_pass stream_service;
}
#####################################################
# vim /etc/nginx/conf.d/http_proxy.conf
#####################################################
upstream http_service {
server 192.168.1.107:443 max_fails=1 fail_timeout=180s;
server 192.168.1.108:443 max_fails=1 fail_timeout=180s;
}
server {
listen 192.168.1.110:443 ssl;
ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;
location / {
proxy_connect_timeout 3;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://http_service;
}
}
#################################################################
# mkdir /etc/nginx/ssl
# openssl req -x509 -nodes \
-newkey rsa:2048 \
-days 365 \
-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=TEST/OU=TEST/CN=www.test.com" \
-keyout /etc/nginx/ssl/nginx-selfsigned.key \
-out /etc/nginx/ssl/nginx-selfsigned.crt
四、serverB服务配置
# vim /etc/keepalived/keepalived.conf
##########################
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
}
vrrp_script check {
script "/etc/keepalived/check.sh"
interval 5
}
vrrp_instance VI_1 {
state BACKUP
interface eno16777736
virtual_router_id 100
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
track_script {
check
}
virtual_ipaddress {
192.168.1.110
}
}
##############################
注意: vrrp_script{}中的interval时间需大于脚本中的sleep时间!
# vim /etc/keepalived/check.sh
##############################
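#!/bin/bash
# keepalived track_script for the VIP holder: make sure nginx, named and ntpd
# are running. A service that is down is started once; if it is still not
# running 3 seconds later, keepalived is stopped so the VIP moves to the peer.
#
# NOTE(review): each failing service adds a 3s sleep, so with all three down the
# script runs ~9s, longer than the 5s vrrp_script interval configured alongside
# it — confirm keepalived's script timeout tolerates that or raise the interval.

#######################################
# Count running processes with the given command name.
# Arguments: $1 - process name as shown by `ps -C`
# Outputs:   number of matching processes on stdout ("0" when none)
#######################################
count_procs() {
  ps -C "$1" --no-heading | wc -l
}

#######################################
# Ensure a service is running; stop keepalived if it cannot be started.
# Arguments: $1 - systemd unit name without the ".service" suffix
#            $2 - process name to look for with count_procs
# Globals:   none
# Returns:   status of the last systemctl/test executed
#######################################
ensure_service() {
  local unit=$1
  local proc=$2
  if [ "$(count_procs "$proc")" = "0" ]; then
    systemctl start "${unit}.service"
    # give the unit time to fork before re-checking
    sleep 3
    if [ "$(count_procs "$proc")" = "0" ]; then
      # release the VIP: the peer node takes over
      systemctl stop keepalived.service
    fi
  fi
}

ensure_service nginx nginx
ensure_service named named
ensure_service ntpd ntpd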
#######################################
# chmod +x /etc/keepalived/check.sh
# vim /etc/ntp.conf
########################################
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 192.168.1.110 iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
interface ignore wildcard
interface listen 192.168.1.110
interface listen 127.0.0.1
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
##########################################
# vim /etc/named.conf
##########################################
options {
listen-on port 53 { 192.168.1.110; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
pid-file "/run/named/named.pid";
};
zone "test.com" IN {
type master;
file "test.com.zone";
};
###############################################
# cp -p /var/named/named.localhost /var/named/test.com.zone
# vim /var/named/test.com.zone
# vim /etc/nginx/nginx.conf
#########################################
# For more information on configuration, see:
# * Official English Documentation:http://nginx.org/en/docs/
# * Official Russian Documentation:http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
# stream转发
stream {
# hash $remote_addr consistent;
proxy_connect_timeout 3s;
include /etc/nginx/conf.d/stream_proxy.conf;
}
# http转发
http {
client_max_body_size 500M;
include mime.types;
default_type application/octet-stream;
server_tokens off;
sendfile on;
keepalive_timeout 65;
include /etc/nginx/conf.d/http_proxy.conf;
}
############################################
# vim /etc/nginx/conf.d/stream_proxy.conf
#############################################
upstream stream_service {
hash $remote_addr consistent;
server 192.168.1.103:12345 max_fails=1 fail_timeout=180s;
server 192.168.1.104:12345 max_fails=1 fail_timeout=180s;
}
server {
listen 192.168.1.110:54321;
proxy_pass stream_service;
}
#####################################################
# vim /etc/nginx/conf.d/http_proxy.conf
#####################################################
upstream http_service {
server 192.168.1.107:443 max_fails=1 fail_timeout=180s;
server 192.168.1.108:443 max_fails=1 fail_timeout=180s;
}
server {
listen 192.168.1.110:443 ssl;
ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;
location / {
proxy_connect_timeout 3;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://http_service;
}
}
#################################################################
# mkdir /etc/nginx/ssl
# openssl req -x509 -nodes \
-newkey rsa:2048 \
-days 365 \
-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=TEST/OU=TEST/CN=www.test.com" \
-keyout /etc/nginx/ssl/nginx-selfsigned.key \
-out /etc/nginx/ssl/nginx-selfsigned.crt
五、启动服务
在serverA 和 serverB上
# systemctl start named ntpd nginx keepalived
六、查看服务状态
在serverA
在serverB
七、在test服务器上测试
反向代理测试:
https://192.168.1.110:443
DNS测试:
# vim /etc/resolv.conf
######################
nameserver 192.168.1.110
# Generated by NetworkManager
nameserver 202.96.128.166
nameserver 202.96.134.133
#####################
# ping www.test.com
# ping mysql.test.com
NTP测试:
# ntpdate 192.168.1.110
# vim /etc/ntp.conf
#########################
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server 192.168.1.110 iburst
restrict 192.168.1.110 nomodify notrap noquery
server 127.127.1.0
fudge 127.127.1.0 stratum 10
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
#########################
# systemctl start ntpd
# systemctl enable ntpd
八、前端的高可用性测试
在 serverA
# systemctl restart keepalived
# systemctl status keepalived
# ip addr list
在 serverB
# systemctl status keepalived
# ip addr list
可以看到,重启serverA的keepalived,VIP成功漂移了,实际上,VIP所在的服务器上的 nginx、named 、ntpd任何一个服务出问题,keepalived的检测脚本就会停其keepalived服务,使得VIP漂移,服务基本不受影响,实现高可用!