keepalived+lvs
Overall plan:
router          external NIC 124.126.147.168   internal NIC: 192.168.0.254
lvs1 director   VIP: 192.168.0.253             internal NIC: 192.168.0.200
lvs2 director   VIP: 192.168.0.253             internal NIC: 192.168.0.201
Below are the two real web servers:
web1  real NIC 192.168.0.1   virtual NIC ifcfg-lo:0 192.168.0.253 (VIP)
web2  real NIC 192.168.0.2   virtual NIC ifcfg-lo:0 192.168.0.253 (VIP)
--------------------------------------------------------------------------------
Real server web1 setup
Real NIC:
BOOTPROTO=static
DEVICE=eno1111
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
Create a new virtual interface (a loopback alias that holds the VIP)
vim /etc/sysconfig/network-scripts/ifcfg-lo:0
BOOTPROTO=static
DEVICE=lo:0
ONBOOT=yes
IPADDR=192.168.0.253
NETMASK=255.255.255.255
GATEWAY=192.168.0.254
Change the ARP parameters:
The real server must not answer ARP requests for the VIP, otherwise it competes with the director for the address:
vim /etc/sysctl.conf
net.ipv4.conf.eno1111.arp_ignore = 1
net.ipv4.conf.eno1111.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
sysctl -p   takes effect immediately, no reboot needed
yum install httpd
systemctl start httpd
systemctl restart network
echo "192.168.0.1" > /var/www/html/index.html
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
-------------------------------------------------------
Real server web2 setup
Real NIC:
BOOTPROTO=static
DEVICE=eno2222
ONBOOT=yes
IPADDR=192.168.0.2
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
Create a new virtual interface (a loopback alias that holds the VIP)
vim /etc/sysconfig/network-scripts/ifcfg-lo:0
BOOTPROTO=static
DEVICE=lo:0
ONBOOT=yes
IPADDR=192.168.0.253
NETMASK=255.255.255.255
GATEWAY=192.168.0.254
Change the ARP parameters:
The real server must not answer ARP requests for the VIP:
vim /etc/sysctl.conf
net.ipv4.conf.eno2222.arp_ignore = 1
net.ipv4.conf.eno2222.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
sysctl -p   takes effect immediately, no reboot needed
yum install httpd
systemctl start httpd
systemctl restart network
echo "192.168.0.2" > /var/www/html/index.html
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
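The ARP settings above are the part of a DR real server that is easiest to get wrong and hardest to notice: if they are missing, the VIP still answers, just from the wrong box. The script below is an added example, not part of these notes. It reads the live values under /proc/sys rather than trusting /etc/sysctl.conf, and it checks both the interface scope and the "all" scope because the kernel applies the higher of the two for arp_ignore and arp_announce. The sysctl root is a parameter, and the tree built by dr_set is a constructed stand-in for /proc/sys so the check runs offline; on a real server the call is `dr_arp_ok /proc/sys eno1111`.

```shell
#!/bin/sh
# Added example (not from the original notes): verify on an LVS-DR real server
# that the ARP suppression for the VIP is actually in effect.

# Usage: dr_arp_ok <sysctl_root> <iface>   (sysctl_root is /proc/sys on a real host)
# Prints every deviation from arp_ignore=1 / arp_announce=2 and returns 1 if any.
dr_arp_ok() {
    root=$1; iface=$2; rc=0
    for scope in "$iface" all; do
        ign=$(cat "$root/net/ipv4/conf/$scope/arp_ignore" 2>/dev/null)
        ann=$(cat "$root/net/ipv4/conf/$scope/arp_announce" 2>/dev/null)
        [ "$ign" = "1" ] || { echo "$scope: arp_ignore=${ign:-missing}, expected 1"; rc=1; }
        [ "$ann" = "2" ] || { echo "$scope: arp_announce=${ann:-missing}, expected 2"; rc=1; }
    done
    return $rc
}

# Constructed stand-in for /proc/sys, populated with the values the notes set.
DR_ROOT=$(mktemp -d)
dr_set() {
    mkdir -p "$DR_ROOT/net/ipv4/conf/$1"
    printf '%s\n' "$3" > "$DR_ROOT/net/ipv4/conf/$1/$2"
}
dr_set eno1111 arp_ignore 1
dr_set eno1111 arp_announce 2
dr_set all arp_ignore 1
dr_set all arp_announce 2

dr_arp_ok "$DR_ROOT" eno1111 && echo "eno1111: ARP suppression for the VIP is active"
```

Because the check reads kernel state, it also catches the case where /etc/sysctl.conf was edited but `sysctl -p` was never run, or where a later network restart recreated the interface with defaults.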
----------------------------------------------------------
lvs1 director:
LVS real NIC settings:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno33554960
ONBOOT=yes
IPADDR=192.168.0.200
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
systemctl restart network
yum -y install keepalived ipvsadm   install the ipvsadm director tool and keepalived
modprobe ip_vs   load the IPVS kernel module
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        [email protected]
    }
    notification_email_from root@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id lvs_1
}
vrrp_instance LVS_HA {
    state MASTER
    interface eno4444
    virtual_router_id 60
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.0.253/24
    }
}
virtual_server 192.168.0.253 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP
    real_server 192.168.0.1 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 20
            connect_port 80
            nb_get_retry 3
        }
    }
    real_server 192.168.0.2 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 20
            connect_port 80
            nb_get_retry 3
        }
    }
}
systemctl start keepalived
systemctl enable keepalived
ip addr show   check that the VIP appears on the master
ipvsadm -Ln
firewall-cmd --set-default-zone=trusted
-----------------------------------------------------
lvs2 director configuration:
LVS real NIC settings:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno55555
ONBOOT=yes
IPADDR=192.168.0.201
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
systemctl restart network
yum -y install keepalived ipvsadm   install the ipvsadm director tool and keepalived
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        [email protected]
    }
    notification_email_from root@localhost
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id lvs_2
}
vrrp_instance LVS_HA {
    state MASTER
    interface eno6666
    virtual_router_id 60
    priority 50
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.0.253/24
    }
}
virtual_server 192.168.0.253 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP
    real_server 192.168.0.1 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 20
            connect_port 80
            nb_get_retry 3
        }
    }
    real_server 192.168.0.2 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 20
            connect_port 80
            nb_get_retry 3
        }
    }
}
systemctl start keepalived
systemctl enable keepalived
ip addr show   the VIP should appear here only after lvs1 fails
ipvsadm -Ln
firewall-cmd --set-default-zone=trusted
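keepalived refuses to start on a config with a misspelled keyword, and a master/backup pair that disagrees on virtual_router_id or auth_pass silently forms two separate VRRP groups, so both nodes hold the VIP at once. The script below is an added example, not part of these notes or of keepalived: it checks a config for unknown keywords in the virtual_server section, balanced braces, and pair consistency between the two nodes. The two sample configs are constructed inline (the first deliberately carries two typos of the kind that crept into the notes) so the script runs without keepalived installed; in real use the functions are pointed at /etc/keepalived/keepalived.conf copied from each node.

```shell
#!/bin/sh
# Added example (not from the original notes): offline sanity checks for a
# keepalived master/backup pair before `systemctl start keepalived`.

KC_DIR=$(mktemp -d)

# Constructed master config with two misspelled keywords keepalived would reject.
cat > "$KC_DIR/lvs1.conf" <<'EOF'
vrrp_instance LVS_HA {
    state MASTER
    interface eth0
    virtual_router_id 60
    priority 100
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.0.253/24
    }
}
virtual_server 192.168.0.253 80 {
    lb_algo rr
    lb_kind DR
    protocol TCP
    real_server 192.168.0.1 80 {
        weigth 1
        TCP_CHECK {
            connect_port 80
        }
    }
    real_sever 192.168.0.2 80 {
        weight 1
    }
}
EOF

# Constructed backup config: same VRID and password, lower priority, typos fixed.
sed -e 's/weigth/weight/; s/real_sever/real_server/; s/priority 100/priority 50/; s/state MASTER/state BACKUP/' \
    "$KC_DIR/lvs1.conf" > "$KC_DIR/lvs2.conf"

# Keywords keepalived accepts inside virtual_server (the subset used in the notes).
KC_KNOWN='virtual_server,real_server,delay_loop,lb_algo,lb_kind,nat_mask,persistence_timeout,protocol,weight,TCP_CHECK,connect_timeout,connect_port,nb_get_retry,delay_before_retry'

# Print every unknown keyword found in the virtual_server section; exit 1 if any.
kc_unknown_keywords() {
    awk -v known="$KC_KNOWN" '
        /^[[:space:]]*virtual_server/ { in_vs = 1 }
        in_vs && NF > 0 && $1 !~ /^[{}!#]/ {
            n = split(known, k, ","); ok = 0
            for (i = 1; i <= n; i++) if ($1 == k[i]) ok = 1
            if (!ok) { print $1; found = 1 }
        }
        END { exit found ? 1 : 0 }' "$1"
}

# Exit 0 when every "{" has a matching "}".
kc_braces_balanced() {
    awk '{ for (i = 1; i <= length($0); i++) { c = substr($0, i, 1); if (c == "{") d++; else if (c == "}") d-- } }
         END { exit (d == 0) ? 0 : 1 }' "$1"
}

# First value of a key in a config file.
kc_get() { awk -v key="$2" '$1 == key { print $2; exit }' "$1"; }

# Master ($1) and backup ($2) must share VRID and auth_pass; the master must win on priority.
kc_pair_ok() {
    [ "$(kc_get "$1" virtual_router_id)" = "$(kc_get "$2" virtual_router_id)" ] || { echo "virtual_router_id differs"; return 1; }
    [ "$(kc_get "$1" auth_pass)" = "$(kc_get "$2" auth_pass)" ] || { echo "auth_pass differs"; return 1; }
    [ "$(kc_get "$1" priority)" -gt "$(kc_get "$2" priority)" ] || { echo "master priority must exceed backup priority"; return 1; }
    return 0
}

for f in "$KC_DIR/lvs1.conf" "$KC_DIR/lvs2.conf"; do
    kc_braces_balanced "$f" || echo "$f: unbalanced braces"
    kc_unknown_keywords "$f" | sed "s|^|$f: unknown keyword: |"
done
kc_pair_ok "$KC_DIR/lvs1.conf" "$KC_DIR/lvs2.conf" && echo "pair: consistent"
```

The keyword list is deliberately the small set the notes use; extend KC_KNOWN when a config uses other checkers (HTTP_GET, MISC_CHECK) so they are not reported as typos.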
-------------------------------------------------------------
Router setup: in production use a real router; here a Linux box acts as the router
Linux acting as the router:
First NIC, internal side:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno7777
ONBOOT=yes
IPADDR=192.168.0.254
NETMASK=255.255.255.0
DNS1=202.96.134.133
Second NIC, external side:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno8888
ONBOOT=yes
IPADDR=124.126.147.168
NETMASK=255.0.0.0
DNS1=202.96.134.133
systemctl restart network
iptables -F
iptables -X
iptables -t nat -X
iptables -t nat -F
iptables -t nat -I PREROUTING -d 124.126.147.168 -p tcp --dport 80 \
    -j DNAT --to-destination 192.168.0.253:80
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -p tcp -j SNAT \
    --to-source 124.126.147.168
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
KVM network configuration:
In a terminal, change the host's physical NIC config to the following
vim ifcfg-eno16777736
BOOTPROTO="none"
DEVICE="eno16777736"
ONBOOT="yes"
BRIDGE=br0
vim ifcfg-br0
DEVICE=br0
ONBOOT="yes"
TYPE=Bridge
BOOTPROTO=static
IPADDR="192.168.1.110"
PREFIX="24"
GATEWAY="192.168.1.253"
DNS1="192.168.1.253"
lvm
All the pv, vg and lv commands follow the same pattern: create with pvcreate, inspect with pvdisplay, delete with pvremove, and likewise for vg and lv.
Once the LVM volume below has been created and is no longer needed, remember to tear it down from the bottom up: unmount first, lvremove the logical volume,
then vgremove the volume group, then pvremove the physical volumes.
Creation order: pv ---- vg ---- lv
1. Partition the disk first; remember that on a GPT disk the partition is made as xfs, and on an msdos label the partition type must be lvm (do not format it yet; the filesystem is created only after the LV exists)
2. Create the physical volumes, e.g. pvcreate /dev/sdb1 /dev/sdb2 (the two partitions created in step 1)
3. Create the volume group, e.g. vgcreate test_vg /dev/sdb1 /dev/sdb2 (test_vg is the group name)
4. Create the logical volume, the one that will actually be mounted: lvcreate -n test_web -L 20G test_vg (test_web is the logical volume name)
5. Format it: mkfs.xfs /dev/test_vg/test_web
6. Mount it, exactly as for an ordinary partition
7. Grow it: lvextend -L +50G /dev/test_vg/test_web
8. After growing, extend the filesystem: xfs_growfs /dev/test_vg/test_web
LVS in NAT mode:
------------------------------server side----------------------------------------
Front-end (director) settings:
External NIC:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno16777736
ONBOOT=yes
IPADDR=192.168.1.110
NETMASK=255.255.255.0
GATEWAY=192.168.1.253
DNS1="192.168.1.253"
Internal NIC:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno33554960
ONBOOT=yes
IPADDR=192.168.17.138
NETMASK=255.255.255.0
DNS1=192.168.1.253
systemctl restart network
yum -y install ipvsadm
ipvsadm -A -t 192.168.1.110:80 -s rr   (rr = round robin)
ipvsadm -a -t 192.168.1.110:80 -r 192.168.17.130:80 -m   one line per back-end server
ipvsadm -a -t 192.168.1.110:80 -r 192.168.17.131:80 -m
ipvsadm -Sn > /etc/sysconfig/ipvsadm   save the scheduling rules
Add net.ipv4.ip_forward=1 to /etc/sysctl.conf to enable IP forwarding
Start the firewall: systemctl start firewalld
firewall-cmd --set-default-zone=trusted
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
systemctl start ipvsadm
ipvsadm -Ln   show the configuration
ipvsadm -Lnc   show the connection table
ipvsadm -D -t 192.168.1.110:80   delete the virtual service
ipvsadm -d -t 192.168.1.110:80 -r 192.168.17.130   remove back-end server .130
ipvsadm -Sn > /tmp/ipvs.back   back up the rules
ipvsadm -C   clear all rules
ipvsadm -R < /etc/sysconfig/ipvsadm   restore the saved rules
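`ipvsadm -Ln` is the verification step above, but reading it by eye does not scale and misses a real server that keepalived or an operator has quietly drained to weight 0. The script below is an added example, not part of these notes or of ipvsadm: it parses the `ipvsadm -Ln` table and checks that every expected real server is present for a virtual service with a non-zero weight. The table is a constructed sample matching the NAT setup above; in real use the output of `ipvsadm -Ln` is piped into the functions.

```shell
#!/bin/sh
# Added example (not from the original notes): check the IPVS table produced by
# `ipvsadm -Ln` against the real servers that are supposed to be in service.

# Constructed sample of `ipvsadm -Ln` output; the second real server has been
# drained (weight 0), which round-robin will never send traffic to.
IPVS_SAMPLE='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.110:80 rr
  -> 192.168.17.130:80            Masq    1      0          0
  -> 192.168.17.131:80            Masq    0      0          0'

# Print "realserver:port forward weight" for every real server of one virtual
# service. $1 = "vip:port" exactly as ipvsadm prints it; table on stdin.
ipvs_real_servers() {
    awk -v svc="$1" '
        $1 == "TCP" || $1 == "UDP" { cur = $2; next }
        $1 == "->" && cur == svc   { print $2, $3, $4 }'
}

# Exit 0 only when every expected real server (args after the service) is listed
# with a weight above zero; prints each problem found. Table on stdin.
# Usage: ipvsadm -Ln | ipvs_check "vip:port" "rs1:port" "rs2:port" ...
ipvs_check() {
    svc=$1; shift
    table=$(ipvs_real_servers "$svc")
    rc=0
    for rs in "$@"; do
        line=$(printf '%s\n' "$table" | awk -v rs="$rs" '$1 == rs')
        if [ -z "$line" ]; then
            echo "$svc: real server $rs missing from the IPVS table"; rc=1
        elif [ "$(printf '%s\n' "$line" | awk '{ print $3 }')" -eq 0 ]; then
            echo "$svc: real server $rs has weight 0 (drained or failed health check)"; rc=1
        fi
    done
    return $rc
}

printf '%s\n' "$IPVS_SAMPLE" | ipvs_check 192.168.1.110:80 192.168.17.130:80 192.168.17.131:80 \
    && echo "all real servers in service"
```

A cron job or monitoring check can run the same function against the live table and alert when the back-end set shrinks, which is the earliest sign of a health check failing.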
--------------------------------------------------------
Real server web1 setup
Real NIC:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno1111
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
GATEWAY=192.168.0.253
Create a new virtual interface
vim /etc/sysconfig/network-scripts/ifcfg-lo:0
TYPE=Ethernet
BOOTPROTO=static
DEVICE=lo:0
ONBOOT=yes
IPADDR=124.126.147.168
NETMASK=255.255.255.0
GATEWAY=192.168.0.253
The real server must not answer ARP requests for the VIP:
vim /etc/sysctl.conf
net.ipv4.conf.eno1111.arp_ignore = 1
net.ipv4.conf.eno1111.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
sysctl -p
yum install httpd
systemctl start httpd
systemctl restart network
echo "192.168.0.1" > /var/www/html/index.html
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
---------------------------------------------------------
Real server web2 setup
Real NIC:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno2222
ONBOOT=yes
IPADDR=192.168.0.2
NETMASK=255.255.255.0
GATEWAY=192.168.0.253
Create a new virtual interface
vim /etc/sysconfig/network-scripts/ifcfg-lo:0
TYPE=Ethernet
BOOTPROTO=static
DEVICE=lo:0
ONBOOT=yes
IPADDR=124.126.147.168
NETMASK=255.255.255.0
GATEWAY=192.168.0.253
The real server must not answer ARP requests for the VIP:
vim /etc/sysctl.conf
net.ipv4.conf.eno2222.arp_ignore = 1
net.ipv4.conf.eno2222.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
sysctl -p
yum install httpd
systemctl start httpd
systemctl restart network
echo "192.168.0.2" > /var/www/html/index.html
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
--------------------------------------------------------
Real server web3 setup
Real NIC:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno3333
ONBOOT=yes
IPADDR=192.168.0.3
NETMASK=255.255.255.0
GATEWAY=192.168.0.253
Create a new virtual interface
vim /etc/sysconfig/network-scripts/ifcfg-lo:0
TYPE=Ethernet
BOOTPROTO=static
DEVICE=lo:0
ONBOOT=yes
IPADDR=124.126.147.168
NETMASK=255.255.255.0
GATEWAY=192.168.0.253
The real server must not answer ARP requests for the VIP:
vim /etc/sysctl.conf
net.ipv4.conf.eno3333.arp_ignore = 1
net.ipv4.conf.eno3333.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
sysctl -p
yum install httpd
systemctl start httpd
systemctl restart network
echo "192.168.0.3" > /var/www/html/index.html
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload
-----------------------------------------
Linux acting as the router:
First NIC, internal side:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno4444
ONBOOT=yes
IPADDR=192.168.0.253
NETMASK=255.255.255.0
Second NIC, external side:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno5555
ONBOOT=yes
IPADDR=124.126.147.169
NETMASK=255.0.0.0
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
systemctl restart network
MySQL master-slave replication
Yum repo installation: wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
Install the dependencies
yum -y install gcc make cmake ncurses-devel libxml2-devel libtool-ltdl-devel gcc-c++ \
    autoconf automake bison zlib-devel bison-devel perl perl-devel
1. It is recommended to choose "Server with GUI" at OS install time and add the "Development Tools" and "Compatibility Libraries"
groups. Make sure the gcc, libgcc and gcc-c++ compilers are installed correctly.
Download MySQL 5.6: wget http://cdn.mysql.com/archives/mysql-5.6/mysql-5.6.11.tar.gz
groupadd mysql
useradd -r -s /sbin/nologin -g mysql mysql
tar -xvf mysql-5.6.11.tar.gz -C /usr/src/
cd /usr/src/mysql-5.6.11/
cmake . -DENABLE_DOWNLOADS=1
make && make install
chown -R mysql.mysql /usr/local/mysql
After installation, initialise the database with the mysql_install_db script: --user sets the system user the server runs as, --basedir the software's home directory
and --datadir the directory holding the data. When initialisation is done, copy the main config file my.cnf to /etc/my.cnf.
/usr/local/mysql/scripts/mysql_install_db --user=mysql --basedir=/usr/local/mysql/ --datadir=/usr/local/mysql/data
cp /usr/local/mysql/my.cnf /etc/my.cnf
vim /etc/my.cnf
[mysqld]
[mysqld_safe]
log-error=/var/log/mysqld.log   # error log path
pid-file=/var/lib/mysql/mysql.pid
The steps above complete the installation
---------------------------service management-------------------------------------
/usr/local/mysql/bin/mysqld_safe --user=mysql &
cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
chkconfig --add mysqld
chkconfig mysqld on
PATH=$PATH:/usr/local/mysql/bin/
echo 'export PATH=$PATH:/usr/local/mysql/bin/' >> /etc/profile   make the PATH change permanent at login
mysql -uroot -e "select User, Host, password from mysql.user"   list the users and passwords created by default
Remove the default users for security (answer yes to the prompts below)
/usr/local/mysql/bin/mysql_secure_installation
Since root has no password yet, just press Enter when the command asks for one, then choose Y or n for each question
--------------------------------------master-slave replication---------------------------------------
Master server setup:
Create a test database and table
mysql -uroot -p
create database hr;
use hr;
create table employees(employee_id int not null auto_increment, name char(20) not null, e_mail varchar(55), primary key(employee_id));
insert into employees values (1,'tom','[email protected]'),
(2,'ydaxia','[email protected]');
exit
vim /etc/my.cnf
[mysqld]
log-bin=mysql-bin
binlog_format=mixed
server-id = 254
[mysqld_safe]
log-error=/var/log/mysqld.log   # error log path
pid-file=/var/lib/mysql/mysql.pid
The skip-networking parameter must not be set in this config
service mysqld restart
firewall-cmd --set-default-zone=trusted
Create an account for the slave to connect with; it must have the REPLICATION SLAVE privilege
account: slave   password: admin
mysql -u root -p
GRANT replication slave ON *.* TO 'slave'@'%' IDENTIFIED BY 'admin';
exit
Check the master's binary log status:
mysql -uroot -p
flush tables with read lock;   put a global read lock on all tables
show master status;   the output shows e.g.: mysql-bin.000001 319
unlock tables;   release the global lock
File is the binary log file name and Position is the position within it
Back up the existing data:
/usr/local/mysql/bin/mysqldump -uroot -p --all-databases --lock-all-tables >/db/back.sql
Copy it to the slave
scp /db/back.sql 192.168.17.130:/tmp/
-------------------------slave configuration---------------------------
vim /etc/my.cnf
[mysqld]
log-bin=mysql-bin
binlog_format=mixed
server-id = 100
[mysqld_safe]
log-error=/var/log/mysqld.log   # error log path
pid-file=/var/lib/mysql/mysql.pid
The skip-networking parameter must not be set in this config
service mysqld restart
firewall-cmd --set-default-zone=trusted
mysql -u root -p
CHANGE MASTER TO MASTER_HOST="192.168.17.130",
    MASTER_USER="mysql130",
    MASTER_PASSWORD='admin',
    MASTER_LOG_FILE="mysql-bin.000004",
    MASTER_LOG_POS=120;
Then on both MySQL hosts check whether the status shows Yes
show slave status\G
show master status\G
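The "check whether it says Yes" step above is easy to script, and scripting it is what turns replication into something that pages someone when the IO thread drops. The script below is an added example, not part of these notes: it parses the \G-style output of `show slave status` and `show master status`, confirms both replication threads run, and compares the replica's executed position with the master's current one. The two outputs are constructed samples; in real use the commands are e.g. `mysql -uroot -p -e 'show slave status\G' | repl_slave_ok`. Slave_IO_Running only becomes Yes after the replication threads have been started with START SLAVE.

```shell
#!/bin/sh
# Added example (not from the original notes): parse MySQL replication status
# output and decide whether the replica is healthy and caught up.

# Constructed sample of `show slave status\G` on a healthy replica.
SLAVE_STATUS_OK='*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.17.130
                  Master_User: mysql130
              Master_Log_File: mysql-bin.000004
          Read_Master_Log_Pos: 120
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
          Exec_Master_Log_Pos: 120
        Seconds_Behind_Master: 0
                Last_IO_Errno: 0
                Last_IO_Error: '

# Constructed sample where the IO thread cannot reach the master.
SLAVE_STATUS_BROKEN='*************************** 1. row ***************************
               Slave_IO_State: Connecting to master
             Slave_IO_Running: Connecting
            Slave_SQL_Running: Yes
          Exec_Master_Log_Pos: 120
                Last_IO_Errno: 2003
                Last_IO_Error: error connecting to master "mysql130@192.168.17.130:3306" - retry-time: 60'

# Constructed samples of `show master status\G`: in sync, and after new writes.
MASTER_STATUS='*************************** 1. row ***************************
            File: mysql-bin.000004
        Position: 120'
MASTER_STATUS_AHEAD='*************************** 1. row ***************************
            File: mysql-bin.000004
        Position: 500'

# Print the value of one "Key: value" field from \G output on stdin.
repl_field() {
    awk -v key="$1" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        index(line, key ":") == 1 {
            sub(/^[^:]*:[[:space:]]*/, "", line); print line; exit
        }'
}

# Exit 0 when both replication threads run; otherwise print why and exit 1.
repl_slave_ok() {
    status=$(cat)
    io=$(printf '%s\n' "$status" | repl_field Slave_IO_Running)
    sql=$(printf '%s\n' "$status" | repl_field Slave_SQL_Running)
    if [ "$io" = "Yes" ] && [ "$sql" = "Yes" ]; then
        return 0
    fi
    echo "replication not running: IO=${io:-?} SQL=${sql:-?}"
    err=$(printf '%s\n' "$status" | repl_field Last_IO_Error)
    if [ -n "$err" ]; then echo "Last_IO_Error: $err"; fi
    return 1
}

# Exit 0 when the replica has executed up to the master's current binlog position.
# $1 = output of `show master status\G`, $2 = output of `show slave status\G`
repl_in_sync() {
    mfile=$(printf '%s\n' "$1" | repl_field File)
    mpos=$(printf '%s\n' "$1" | repl_field Position)
    sfile=$(printf '%s\n' "$2" | repl_field Master_Log_File)
    spos=$(printf '%s\n' "$2" | repl_field Exec_Master_Log_Pos)
    if [ "$mfile" = "$sfile" ] && [ "$mpos" -eq "$spos" ]; then return 0; fi
    echo "replica at $sfile:$spos, master at $mfile:$mpos"
    return 1
}

printf '%s\n' "$SLAVE_STATUS_OK" | repl_slave_ok && echo "replication threads running"
repl_in_sync "$MASTER_STATUS" "$SLAVE_STATUS_OK" && echo "replica is caught up"
```

Comparing positions is only meaningful when both commands are run close together; on a busy master the replica will normally trail by a few events, so a monitoring check should allow a small lag (Seconds_Behind_Master) rather than demand equality.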
NFS
nfs listens on port 2049 and rpcbind on port 111; both services must be started
exportfs -r re-reads the /etc/exports configuration file; nfsstat shows share status information; rpcinfo shows the clients registered with rpcbind
If the firewall is on, the ports must be pinned in the config file /etc/sysconfig/nfs
-------------------------server configuration-----------------------------------------
yum install nfs-utils rpcbind -y
useradd -u 1005 test_nfs
mkdir /var/web
chmod 222 /var/web/
vim /etc/exports   and add:
/var/web/ 192.168.17.130(rw,async,no_root_squash)   # once client .130 mounts the share, switching to user test_nfs gives write access
# with /var/web/ 192.168.17.130(ro,sync) instead, the client's mount is read-only
systemctl start rpcbind
systemctl start nfs
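The export options decide who can write and as whom: no_root_squash lets the client's root act as root on the exported tree, and an rw export granted to "*" or to a whole network is writable by any host that can reach port 2049. The script below is an added example, not part of these notes: it parses an exports file and reports those two conditions plus exports that name no client at all. The file is a constructed sample (its first line is the export from the notes); in real use the call is `nfs_audit_exports /etc/exports`.

```shell
#!/bin/sh
# Added example (not from the original notes): audit /etc/exports for the
# options that most often turn a file share into a privilege-escalation path.

NFS_DIR=$(mktemp -d)
# Constructed sample exports file.
cat > "$NFS_DIR/exports" <<'EOF'
# constructed sample
/var/web/   192.168.17.130(rw,async,no_root_squash)
/var/web/   192.168.17.131(ro,sync)
/srv/pub    *(rw,sync)
/srv/iso    192.168.17.0/24(ro)
/srv/open
EOF

# Print one line per finding; exit 1 if anything was found.
# Usage: nfs_audit_exports <exports-file>
nfs_audit_exports() {
    awk '
        # true when option o appears in the comma-separated list opts
        function has(opts, o) { return index("," opts ",", "," o ",") > 0 }
        /^[[:space:]]*(#|$)/ { next }
        {
            path = $1
            if (NF == 1) { print path ": no client list, exported to everyone"; bad++; next }
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                if (match($i, /\(.*\)/)) {
                    host = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                }
                if (has(opts, "no_root_squash")) {
                    print path " " host ": no_root_squash, client root is server root"; bad++
                }
                if (has(opts, "rw") && (host == "*" || index(host, "/") > 0)) {
                    print path " " host ": rw granted to a wildcard or whole network"; bad++
                }
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

nfs_audit_exports "$NFS_DIR/exports" || echo "exports need review"
```

The check is intentionally conservative: an rw export to a single host is not reported, and the default root_squash (client root mapped to nobody) is what the notes' ro,sync variant already gets.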
---------------------------------client configuration--------------------------------------
showmount -e 192.168.17.131   first check whether the server exports any NFS shares (the output begins "Export list for 192.168.17.131")
mkdir /mnt/nfs_test
chmod 777 /mnt/nfs_test
useradd -u 1005 test_nfs   create the same user with the same uid as on the server
mount 192.168.17.131:/var/web /mnt/nfs_test   mount the NFS share
su test_nfs   then test writing as that user
rsync
1. Install from the system DVD yum repo: yum install rsync
2. Create the directory to be synchronised, /common
   /home  : copies the /home directory itself into the destination
   /home/ : copies the contents of /home into the destination
3. Create the file rsyncd.conf under /etc/
Add the following:
#/etc/rsyncd.conf
motd file = /etc/rsyncd.motd
transfer logging = yes
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
port = 873
address = 192.168.17.130
uid = nobody
gid = nobody
use chroot = no
read only = yes
max connections = 10
[common]
comment = web content
path = /common
ignore errors
auth users = tom,jerry
secrets file = /etc/rsyncd.secrets
hosts allow = 192.168.17.0/255.255.255.0
hosts deny = *
list = false
4. echo "tom:pass" > /etc/rsyncd.secrets
echo "jerry:111" >> /etc/rsyncd.secrets
5. chmod 600 /etc/rsyncd.secrets
6. echo "welcome to access" > /etc/rsyncd.motd
7. rsync --daemon
8. echo "/usr/bin/rsync --daemon" >> /etc/rc.local
9. firewall-cmd --permanent --add-port=873/tcp
---------------------client--------------------------------
1. yum install rsync
2. Access: rsync -vzrtopg --progress tom@192.168.17.130::common /test
3. echo "pass" > /etc/rsync.pass   the password is stored here so the commands below need no interactive input (the file must be mode 600 or rsync refuses it)
4. rsync -avz --delete --password-file=/etc/rsync.pass tom@192.168.17.130::common /dest
   Everything in common on the server is pulled into the destination directory (the server's common is the authoritative copy)
5. A script to automate it
#!/bin/bash
SRC=common
DEST=/data
Server=192.168.17.130
User=tom
Passfile=/root/rsync.pass
[ ! -d "$DEST" ] && mkdir "$DEST"
[ ! -f "$Passfile" ] && exit 2
rsync -az --delete --password-file="$Passfile" ${User}@${Server}::$SRC "$DEST/$(date +%Y%m%d)"
-----------------------rsync+inotify combined for real-time sync----------------------------------------------
Download: https://github.com/rvoicilas/inotify-tools.git
yum install rsync
yum install automake libtool
Unpack the archive, cd into the directory and run bash autogen.sh to generate the configure script,
then run ./configure, make and make install
echo "pass" >/root/rsync.pass
chmod 600 /root/rsync.pass
A script that watches the directory and pushes every change:
#!/bin/bash
SRC=/web_data/
DEST=common
Client=192.168.17.130
User=tom
Passfile=/root/rsync.pass
[ ! -e "$Passfile" ] && exit 2
/local/src/inotifys/bin/inotifywait -mrq --timefmt '%y-%m-%d %H:%M' --format '%T %w%f %e' --event modify,create,move,delete,attrib \
    "$SRC" | while read line
do
    echo "$line" >> /var/log/inotify_web 2>&1
    /usr/bin/rsync -avz --delete --progress --password-file="$Passfile" "$SRC" \
        ${User}@${Client}::$DEST >> /var/log/rsync_web 2>&1
done &
Give the script mode 755 and add it to the boot sequence
-----------------------------------------------------------------------------------
Receiving side (the web front end)
yum install rsync
mkdir -p /common
chmod 755 /common
chown nobody.nobody /common
vim /etc/rsyncd.conf
#/etc/rsyncd.conf
transfer logging = yes
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
uid = nobody
gid = nobody
use chroot = no
read only = no
ignore errors
[common]
comment = web content
path = /common
auth users = tom
secrets file = /etc/rsyncd.secrets
hosts allow = 192.168.17.131
hosts deny = *
list = false
echo "tom:pass" > /etc/rsyncd.secrets
chmod 600 /etc/rsyncd.secrets
rsync --daemon
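An rsync daemon module is only as restricted as its auth users, hosts allow and list settings, and the secrets file must be unreadable to others or rsync rejects it under strict modes. The script below is an added example, not part of these notes or of rsync, covering both rsyncd.conf files above: it parses a daemon config into global and per-module settings, reports modules that lack auth users or hosts allow or are still listed, flags use chroot = no globally, and checks the secrets file mode. The config and secrets file are constructed samples in a temporary directory; in real use the calls are `rs_audit_conf /etc/rsyncd.conf` and `rs_secrets_mode_ok /etc/rsyncd.secrets`.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an rsync daemon
# configuration and its secrets file.

RS_DIR=$(mktemp -d)
# Constructed sample: [common] follows the notes, [backup] is a careless module.
cat > "$RS_DIR/rsyncd.conf" <<'EOF'
# constructed sample
uid = nobody
gid = nobody
use chroot = no
read only = yes
[common]
    path = /common
    ignore errors
    auth users = tom,jerry
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.168.17.0/255.255.255.0
    hosts deny = *
    list = false
[backup]
    path = /backup
    read only = no
EOF
printf 'tom:pass\n' > "$RS_DIR/rsyncd.secrets"
chmod 600 "$RS_DIR/rsyncd.secrets"

# Print one line per finding; exit 1 if anything was found.
rs_audit_conf() {
    awk '
        { sub(/[[:space:]]+$/, "") }
        /^[[:space:]]*(#|$)/ { next }
        /^\[.*\]$/ { sec = $0; sub(/^\[/, "", sec); sub(/\]$/, "", sec); mods[++n] = sec; next }
        {
            split($0, kv, "="); key = kv[1]; val = kv[2]
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            cfg[(sec == "" ? "global" : sec) "|" key] = val
        }
        END {
            if (cfg["global|use chroot"] == "no") { print "global: use chroot = no"; bad++ }
            for (i = 1; i <= n; i++) {
                m = mods[i]
                if (!((m "|auth users") in cfg)) { print m ": no auth users, any allowed host connects anonymously"; bad++ }
                if (!((m "|hosts allow") in cfg)) { print m ": no hosts allow, every host is accepted"; bad++ }
                # "list" is inherited from the global section when not set in the module
                l = ((m "|list") in cfg) ? cfg[m "|list"] : cfg["global|list"]
                if (l != "false") { print m ": listed to every client (list is not false)"; bad++ }
            }
            exit bad ? 1 : 0
        }' "$1"
}

# Exit 0 when the file has no group or other permission bits (e.g. mode 600).
rs_secrets_mode_ok() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

rs_audit_conf "$RS_DIR/rsyncd.conf" || echo "rsyncd.conf needs review"
rs_secrets_mode_ok "$RS_DIR/rsyncd.secrets" && echo "secrets file mode is restrictive"
```

The mode check reads the permission string from `ls -l`, which is the same on every Linux and BSD, so it needs neither GNU stat nor find extensions.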
svn
1. svn is commonly accessed in two ways: with a client program (install the client software) or through a web client (the server must be paired with Apache)
2. First mode, the client program: install from the local DVD yum repo: yum install subversion
3. svnadmin help   lists the subcommands:
   create creates a repository, hotcopy makes a hot backup, lslocks prints all lock descriptions
4. svnadmin hotcopy /var/project1 /var/project1_back   hot backup
5. Import everything under /opt into the newly created project1 repository
svn import /opt/ file:///var/project1/ -m "install files.."
svn list file:///var/project1   list the repository's contents
Start the service: svnserve -d -r /var   to restart, killall the old process first, then start it again
6. Each repository's configuration files live in its conf directory:
svnserve.conf
passwd
authz
all three files need to be set up
7. In svnserve.conf uncomment these lines:
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
8. Add users and passwords in passwd:
[users]
admin = admin
xiaowang = admin
9. authz
[/]
admin = rw   read-write user
xiaowang = r   read-only user
With the settings above, the client-program access mode is complete
Install the svn client, check out into any directory by entering
svn://<ip address>/project1 and enter admin when prompted
vsftp
1. yum install vsftpd
systemctl start vsftpd
2. Main config file: /etc/vsftpd/vsftpd.conf
3. Three login modes (anonymous, local users, virtual users)
4. Virtual users as the example:
5. yum install libdb-utils
6. Create a file: vim /etc/vsftpd/vslogin with user and password on alternating lines, e.g.:
tomcat
123456
jerry
123456
7. Generate the hash database: db_load -T -t hash -f /etc/vsftpd/vslogin /etc/vsftpd/vslogin.db
8. chmod 600 /etc/vsftpd/{vslogin,vslogin.db}
9. vim /etc/pam.d/vsftpd.pam
and put these two lines in it:
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vslogin
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vslogin
10. Create a new system user: useradd -s /sbin/nologin -d /home/ftp virtual
11. Edit the main config file (keep only these 19 lines, comment out everything else):
anonymous_enable=NO
local_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
listen=YES
listen_port=21
pam_service_name=vsftpd.pam
guest_enable=YES
guest_username=virtual
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30099
user_config_dir=/etc/vsftpd_user_conf
user_sub_token=$USER
xferlog_enable=YES
xferlog_std_format=YES
13. mkdir /etc/vsftpd_user_conf
14. mkdir -p /home/ftp/tomcat
15. Put a test file in /home/ftp/tomcat and try it once the service has been restarted
16. vim /etc/vsftpd_user_conf/tomcat
containing: local_root=/home/ftp/$USER
17. Restart the service: systemctl restart vsftpd
firewall
Zone overview:
trusted: allows everything
public: other hosts may reach this host's ssh; another host is admitted only after this host has connected out to it, otherwise it is rejected
external: traffic entering through this zone is NATed before being forwarded on, whatever its source address, and
the source is rewritten to this host's outbound IP address (for use as a router)
1. Show the current default zone
firewall-cmd --get-default-zone
2. firewall-cmd --list-all-zones   show all zones
3. Set the default zone
firewall-cmd --set-default-zone=public
4. Show the predefined service names: firewall-cmd --get-services
   only names in this list can be used when restricting by service
5. firewall-cmd --add-service=ftp --zone=public
   allow the ftp service
firewall-cmd --list-all --zone=public   check what was just added
6. Remove the ftp service: firewall-cmd --remove-service=ftp --zone=public
7. Allow a port: firewall-cmd --add-port=3306/tcp --zone=public
   (the usual form is firewall-cmd --add-port=3306/tcp, which adds to the current default zone)
8. Remove a port: firewall-cmd --remove-port=3306/tcp --zone=public
9. Bind a NIC to a zone and its rules
firewall-cmd --add-interface=eno16777736 --zone=public
10. Unbind the NIC
firewall-cmd --remove-interface=eno16777736 --zone=public
11. Show the zone currently in use
firewall-cmd --list-all
12. Add a permanent rule allowing 3306
firewall-cmd --permanent --add-port=3306/tcp --zone=public
13. Reload the firewall rules (rules added earlier without --permanent are lost)
firewall-cmd --reload
haproxy
-----------------------------back-end web1-------------------
Server name: web1.example.com
vim /etc/sysconfig/network-scripts/ifcfg-eno11111
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno11111
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
systemctl restart network
yum -y install httpd
echo "192.168.0.1" >/var/www/html/index.html
systemctl start httpd
firewall-cmd --set-default-zone=trusted
------------------------------back-end web2-------------------
Server name: web2.example.com
vim /etc/sysconfig/network-scripts/ifcfg-eno22222
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno22222
ONBOOT=yes
IPADDR=192.168.0.2
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
systemctl restart network
yum -y install httpd
echo "192.168.0.2" >/var/www/html/index.html
systemctl start httpd
firewall-cmd --set-default-zone=trusted
------------------------------back-end web3-------------------
Server name: web3.example.com
vim /etc/sysconfig/network-scripts/ifcfg-eno333333
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno333333
ONBOOT=yes
IPADDR=192.168.0.3
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
systemctl restart network
yum -y install httpd
echo "192.168.0.3" >/var/www/html/index.html
systemctl start httpd
firewall-cmd --set-default-zone=trusted
---------------------------------------------------------
Front-end server settings:
Server name: haproxy.example.com
External NIC:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno16777736
ONBOOT=yes
IPADDR=10.10.10.10
NETMASK=255.0.0.0
Internal NIC:
TYPE=Ethernet
BOOTPROTO=static
DEVICE=eno33554960
ONBOOT=yes
IPADDR=192.168.0.254
NETMASK=255.255.255.0
systemctl restart network
firewall-cmd --set-default-zone=trusted
vim /etc/security/limits.conf   file-descriptor tuning, insert two lines
* soft nofile 65535
* hard nofile 65535
yum -y install haproxy
vim /etc/haproxy/haproxy.cfg
global
    maxconn 4096                        # maximum connections
    log 127.0.0.1 local3 info
    # log syntax: log <address> <facility> [max_level]. Global log configuration: send to the
    # syslog service on 127.0.0.1, facility local3, recording messages at level info
    chroot /var/haproxy                 # change the working directory
    uid 99
    gid 99
    daemon                              # run haproxy as a daemon
    nbproc 1
    pidfile /var/run/haproxy.pid        # pid file of the current process
    ulimit-n 65535
    stats socket /var/tmp/stats
defaults
    mode http                           # default mode { tcp|http|health }: tcp is layer 4, http is layer 7, health only returns OK
    log global                          # use the global log configuration
    maxconn 20480                       # maximum connections per process
    option httplog                      # log HTTP requests; by default haproxy does not log them
    option httpclose
    option dontlognull
    # With this option, "empty connections" are not logged. An empty connection is an upstream
    # load balancer or monitoring system periodically connecting, fetching a fixed component or
    # page, or probing whether a port is listening, to check that this service is alive.
    # The official documentation notes that if there is no other load balancer upstream of this
    # service it is better not to use this option, because malicious scans and similar activity
    # from the internet would then go unrecorded.
    option forwardfor
    # If the application on the back-end servers needs the IP address of the client that made the
    # request, set this option on HAProxy: it adds an "X-Forwarded-For" header carrying the client
    # IP to each request, so the back-end server can see the client's real IP.
    option redispatch
    # When cookies are in use, haproxy inserts the serverID of the chosen back-end into the cookie
    # to keep the session persistent; if that back-end goes down, the client's cookie is not
    # refreshed. With this option the client's request is forced to another back-end server so
    # that service continues.
    option abortonclose
    stats refresh 30
    retries 3                           # number of connection retries to a back-end; after this many failures the server is marked unavailable
    balance roundrobin                  # load-balancing algorithm
    cookie SRV
    timeout connect 5000s               # connect timeout
    timeout client 5000m                # client timeout
    timeout server 5000m                # server timeout
    timeout check 2000s                 # health-check timeout
listen admin_status
    bind 0.0.0.0:6553
    mode http
    log 127.0.0.1 local3 info
    stats enable
    stats refresh 5s
    stats realm Haproxy\ Statistics
    stats uri /admin?stats
    stats auth admin1:AdMiN123
    stats hide-version
frontend web_service
    bind 0.0.0.0:80
    mode http
    log global
    option httplog
    option httpclose
    option forwardfor
    acl inside_src src 192.168.0.0/24
    use_backend inside_servers if inside_src
    default_backend external_servers
backend external_servers
    mode http
    balance roundrobin
    option httpchk GET /index.html
    server web01 192.168.0.1:80 cookie web1 check inter 2000 rise 2 fall 3 weight 1   # one server line per back-end
    server web02 192.168.0.2:80 cookie web2 check inter 2000 rise 2 fall 3 weight 1
backend inside_servers
    mode http
    balance roundrobin
    option httpchk GET /index.html
    server web03 192.168.0.3:80 cookie web3 check inter 1500 rise 3 fall 3 weight 1
vim /etc/rsyslog.conf   insert the following three lines (the third sends facility local3 to a log file; the original note named only the facility, /var/log/haproxy.log is the path assumed here)
$ModLoad imudp
$UDPServerRun 514
local3.*    /var/log/haproxy.log
systemctl restart rsyslog
haproxy -f /etc/haproxy/haproxy.cfg
echo "/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg" >>/etc/rc.local   start at boot
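Two things in a haproxy.cfg like the one above are worth checking mechanically before `haproxy -f`: a server name reused inside one backend (haproxy rejects the file), and a stats listener bound on 0.0.0.0, which on this host means the admin page with its static password is reachable from the external 10.10.10.10 interface as well as the LAN. The script below is an added example, not part of these notes or of HAProxy: it reports duplicate server names per backend, `use_backend`/`default_backend` references to backends that are never defined, and stats listeners bound on every interface or without stats auth. The config is a constructed sample that reproduces the original duplicate-name slip; in real use the call is `hap_lint /etc/haproxy/haproxy.cfg`, and `haproxy -c -f` remains the authoritative syntax check.

```shell
#!/bin/sh
# Added example (not from the original notes): lint a haproxy.cfg for the
# mistakes that haproxy -c does not all catch.

HAP_DIR=$(mktemp -d)
# Constructed sample mirroring the notes' layout, including the duplicated web01.
cat > "$HAP_DIR/haproxy.cfg" <<'EOF'
global
    daemon
defaults
    mode http
listen admin_status
    bind 0.0.0.0:6553
    stats enable
    stats uri /admin?stats
    stats auth admin1:AdMiN123
frontend web_service
    bind 0.0.0.0:80
    acl inside_src src 192.168.0.0/24
    use_backend inside_servers if inside_src
    default_backend external_servers
backend external_servers
    server web01 192.168.0.1:80 check
    server web01 192.168.0.2:80 check
backend inside_servers
    server web03 192.168.0.3:80 check
EOF
# Same config with the two findings corrected.
sed -e 's/server web01 192.168.0.2/server web02 192.168.0.2/; s/bind 0.0.0.0:6553/bind 192.168.0.254:6553/' \
    "$HAP_DIR/haproxy.cfg" > "$HAP_DIR/fixed.cfg"

# Print one line per finding; exit 1 if anything was found.
hap_lint() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "global" || $1 == "defaults" || $1 == "frontend" || $1 == "backend" || $1 == "listen" {
            sec = $1; name = $2
            if (sec == "backend" || sec == "listen") defined[name] = 1
            next
        }
        $1 == "server" && (sec == "backend" || sec == "listen") {
            if ((name "|" $2) in seen) { print name ": duplicate server name " $2; bad++ }
            seen[name "|" $2] = 1; next
        }
        $1 == "use_backend" || $1 == "default_backend" { ref[$2] = name; next }
        $1 == "bind" && sec == "listen" { bindaddr[name] = $2; next }
        $1 == "stats" && $2 == "enable" { stats[name] = 1; next }
        $1 == "stats" && $2 == "auth"   { auth[name] = 1; next }
        END {
            for (b in ref) if (!(b in defined)) { print ref[b] ": references undefined backend " b; bad++ }
            for (s in stats) {
                a = bindaddr[s]; sub(/:[0-9]+$/, "", a)
                if (a == "" || a == "*" || a == "0.0.0.0") {
                    print s ": stats page reachable on every interface (bind " bindaddr[s] ")"; bad++
                }
                if (!(s in auth)) { print s ": stats page has no stats auth"; bad++ }
            }
            exit bad ? 1 : 0
        }' "$1"
}

hap_lint "$HAP_DIR/haproxy.cfg" || echo "haproxy.cfg needs review"
hap_lint "$HAP_DIR/fixed.cfg" && echo "fixed.cfg: no findings"
```

Binding the stats listener to the internal address (192.168.0.254 in the fixed sample) keeps the admin page off the external interface without any firewall rule; the password in `stats auth` then only has to survive the LAN.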
------------------------------------------------------------------------------------------------
Testing from an external machine:
Open http://10.10.10.10:6553/admin?stats to view the statistics; refreshing the site page shows the web1 and web2 pages in turn
If the client is a LAN machine, http://192.168.0.254 always shows the web3 page