负载均衡技术对于一个网站尤其是大型网站的web服务器集群来说是至关重要的!做好负载均衡架构,可以实现故障转移和高可用环境,避免单点故障,保证网站健康持续运行。
由于业务扩展,网站的访问量不断加大,负载越来越高。现需要在web前端放置nginx负载均衡,同时结合keepalived对前端nginx实现HA高可用。
1、关闭selinux
临时关闭:
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
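永久关闭(修改后需重启系统才能生效):
[root@localhost ~]# vim /etc/sysconfig/selinux
将 SELINUX=enforcing 改为 SELINUX=disabled
注:关闭SELinux会去掉系统的强制访问控制;如环境要求保留该保护,可先设置为 SELINUX=permissive,根据审计日志放行nginx、keepalived所需权限后再恢复 enforcing。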
2、安装依赖包
[root@nginx-test01 ~]# yum -y install make zlib zlib-devel gcc-c++ libtool openssl openssl-devel
[root@nginx-test01 ~]# yum -y install wget
[root@nginx-test01 ~]# wget http://downloads.sourceforge.net/project/pcre/pcre/8.35/pcre-8.35.tar.gz
[root@nginx-test01 ~]# tar -zxf pcre-8.35.tar.gz
[root@nginx-test01 ~]# cd pcre-8.35
[root@nginx-test01 ~]# ./configure
[root@nginx-test01 ~]# make
[root@nginx-test01 ~]# make install
3、查看pcre版本验证是否安装成功
[root@nginx-test01 ~]# pcre-config --version
8.35
4、安装Nginx-1.19.8(源码包,包括上一步的pcre,建议通过https下载,并在解压编译前用发布方提供的签名或校验值核对文件完整性)
[root@nginx-test01 ~]# wget http://nginx.org/download/nginx-1.19.8.tar.gz
[root@nginx-test01 ~]# tar -zxf nginx-1.19.8.tar.gz
[root@nginx-test01 ~]# cd nginx-1.19.8
[root@nginx-test01 ~]# ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module #此参数为加载SSL模块。配置https必须安装此模块。
[root@nginx-test01 ~]# make&& make install
5、测试Nginx
[root@nginx-test01 ~]# cd /usr/local/nginx/sbin/
[root@nginx-test01 sbin]# ./nginx #启动nginx
[root@nginx-test01 sbin]# ps -aux | grep nginx #查看nginx进程
nobody 5648 0.0 0.1 52864 8484 ? S 5月14 0:00 nginx: worker process
nobody 5649 0.0 0.1 52864 8724 ? S 5月14 0:00 nginx: worker process
nobody 5650 0.0 0.1 52864 8540 ? S 5月14 0:00 nginx: worker process
nobody 5651 0.0 0.1 52864 8592 ? S 5月14 0:00 nginx: worker process
nobody 5652 0.0 0.1 52864 8604 ? S 5月14 0:00 nginx: worker process
nobody 5653 0.0 0.1 52864 8544 ? S 5月14 0:00 nginx: worker process
nobody 5654 0.0 0.1 52864 8504 ? S 5月14 0:00 nginx: worker process
nobody 5655 0.0 0.1 52864 8540 ? S 5月14 0:00 nginx: worker process
root 7773 0.0 0.0 48692 3748 ? Ss 4月05 0:00 nginx: master process /usr/local/nginx/sbin/nginx
root 29918 0.0 0.0 112824 980 pts/0 S+ 10:31 0:00 grep --color=auto nginx
通过网页访问http://10.12.243.1也可以进行验证
6、安装keepalived
[root@nginx-test01 sbin]# yum -y install keepalived
[root@nginx-test01 sbin]# systemctl start keepalived.service #启动服务
[root@nginx-test01 keepalived]# ps -aux | grep keepalived #验证
root 7509 0.0 0.0 118712 1380 ? Ss 4月05 2:39 /usr/sbin/keepalived -D
root 7510 0.0 0.0 118712 2600 ? S 4月05 2:35 /usr/sbin/keepalived -D
root 7511 0.0 0.0 120836 2504 ? S 4月05 32:06 /usr/sbin/keepalived -D
root 31508 0.0 0.0 112824 988 pts/0 S+ 10:41 0:00 grep --color=auto keepalived
7、配置防火墙策略
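# Open the HTTP and HTTPS ports served by nginx.
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp

# Accept VRRP advertisements (multicast 224.0.0.18) arriving on ens192 so the
# two keepalived nodes can hear each other; if they cannot, both may claim the
# VIP at the same time (split-brain).
# NOTE(review): this accepts VRRP from any sender on ens192. Appending
# "--source <peer-ip>" (placeholder) would limit it to the other node.
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface ens192 --destination 224.0.0.18 --protocol vrrp -j ACCEPT

# Reload so the permanent rules become active.
firewall-cmd --reload

# Show the resulting policy. Direct rules are not part of this listing; use
# "firewall-cmd --direct --get-all-rules" to see the VRRP rule.
firewall-cmd --list-all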
8、根据上述1-7的操作步骤配置nginx-2服务器
1、配置两台主机keepalived
[root@nginx-test01 ~]# vi /etc/keepalived/keepalived.conf
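! Configuration File for keepalived
! MASTER node (nginx-test01).

global_defs {
    router_id LVS_01    # identifier for this machine
}

# nginx health check. keepalived executes this script itself, so keep
# /etc/keepalived/nginx.sh owned by root and not writable by other users.
vrrp_script nginx {
    script "/etc/keepalived/nginx.sh"    # path to the check script
    interval 2     # run the check every 2 seconds
    # Lower this node's priority by 20 while the check fails. 150 - 20 = 130 is
    # still above the backup's priority of 100 used in this guide, so the VIP
    # only moves when nginx.sh stops keepalived.
    weight -20
}

vrrp_instance VI_1 {
    state MASTER             # primary server
    interface ens192         # NIC name; must match this host
    virtual_router_id 52     # must be identical on both nodes
    priority 150             # the higher value wins the election
    advert_int 1
    authentication {
        auth_type PASS
        # Example value only. PASS authentication travels in clear text inside
        # VRRP advertisements, so it is not a secret on the local segment;
        # replace 1111 with your own value, identical on both nodes.
        auth_pass 1111
    }
    virtual_ipaddress {
        10.12.243.3/24
    }
    track_script {
        nginx    # the nginx liveness check defined above
    }
}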
[root@nginx-test02 ~]# vi /etc/keepalived/keepalived.conf
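! Configuration File for keepalived
! BACKUP node (nginx-test02).

global_defs {
    router_id LVS_02    # identifier for this machine
}

# nginx health check. keepalived executes this script itself, so keep
# /etc/keepalived/nginx.sh owned by root and not writable by other users.
vrrp_script nginx {
    script "/etc/keepalived/nginx.sh"    # path to the check script
    interval 2     # run the check every 2 seconds
    weight -20     # lower this node's priority by 20 while the check fails
}

vrrp_instance VI_1 {
    state BACKUP             # standby server
    interface ens192         # NIC name; must match this host
    virtual_router_id 52     # must be identical on both nodes
    priority 100             # lower than the master's 150
    advert_int 1
    authentication {
        auth_type PASS
        # Example value only. PASS authentication travels in clear text inside
        # VRRP advertisements, so it is not a secret on the local segment;
        # replace 1111 with your own value, identical on both nodes.
        auth_pass 1111
    }
    virtual_ipaddress {
        10.12.243.3/24
    }
    track_script {
        nginx    # the nginx liveness check defined above
    }
}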
2、重启服务验证
#两台设备重启keepalived服务
systemctl restart keepalived.service
#验证keepalived服务
[root@nginx-test01 keepalived]# ps -aux | grep keepalived
#验证主备功能
[root@nginx-test01 ~]# ip add | grep 10.12.243.3
inet 10.12.243.3/24 scope global secondary ens192
[root@nginx-test02 ~]# ip add | grep 10.12.243.3
[root@nginx-test02 ~]#
关闭nginx1服务器中Keepalived再次执行命令查看
[root@nginx-test01 ~]# ip add | grep 10.12.243.3
[root@nginx-test01 ~]#
[root@nginx-test02 ~]# ip add | grep 10.12.243.3
inet 10.12.243.3/24 scope global secondary ens192
#发现VIP 10.12.243.3 同一时刻只出现在一台设备上,并且在nginx1的keepalived停止后漂移到nginx2,则表明keepalived主备(高可用)配置成功
3、配置nginx检测脚本,实现主nginx挂掉后自动关闭keepalived实现切换功能(两台主机的keepalived.conf都引用了/etc/keepalived/nginx.sh,因此两台主机都需要创建该脚本并添加执行权限)
[root@nginx-test01 ~]# vi /etc/keepalived/nginx.sh
#!/bin/bash
# nginx liveness check, referenced by the vrrp_script section of
# /etc/keepalived/keepalived.conf.
#
# When no nginx process exists, start nginx once and look again two seconds
# later; if it is still absent, stop keepalived so this node gives up the VIP.
# NOTE(review): killall is provided by the psmisc package - confirm it is
# installed, otherwise the final step cannot stop keepalived.

# Print the number of processes whose command name is nginx.
nginx_process_count() {
  ps -C nginx --no-heading | wc -l
}

# nginx is alive: nothing to do, report success.
if [ "$(nginx_process_count)" != "0" ]; then
  exit 0
fi

# One restart attempt, then give nginx time to come up.
/usr/local/nginx/sbin/nginx
sleep 2

if [ "$(nginx_process_count)" = "0" ]; then
  killall keepalived
fi
[root@nginx-test01 ~]# chmod a+x /etc/keepalived/nginx.sh #添加执行权限
1、配置负载均衡
[root@nginx-test01 ~]# vi /usr/local/nginx/conf/nginx.conf
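# nginx.conf for the load balancer: terminates TLS for ceshi.com and spreads
# requests over the two backend web servers in the ceshi80 upstream.

#user  nobody;
worker_processes  8;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

pid        logs/nginx.pid;

events {
    use epoll;
    worker_connections  10240;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    server_names_hash_bucket_size 128;
    client_max_body_size 300m;
    sendfile        on;
    keepalive_timeout  65;
    gzip  on;

    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;

    # Backend pool. Fixed: the first entry was written "10.12.243.5.80"
    # (dot instead of colon before the port).
    upstream ceshi80 {
        server 10.12.243.5:80;
        server 10.12.243.6:80;
    }

    # Port 80 only redirects to HTTPS.
    server {
        listen       80;
        server_name  ceshi.com;
        # nginx does not create /var/log/nginx; the directory must exist
        # before the configuration is tested or loaded.
        access_log   /var/log/nginx/ceshi.access.log  main;

        # Every request is answered with the redirect, so no location block is
        # needed here. $host is used instead of the raw $http_host header:
        # it is normalised by nginx and carries no client-supplied port.
        return 301 https://$host$request_uri;
    }

    server {
        listen       443 ssl;
        server_name  ceshi.com;
        access_log   /var/log/nginx/ceshi.443.log  main;

        ssl_certificate      /usr/local/nginx/ssl/XXX.pem;    # certificate path
        # Private key path; keep the file readable by root only.
        ssl_certificate_key  /usr/local/nginx/ssl/XXX.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        # Without this directive nginx 1.19.8 also accepts TLSv1 and TLSv1.1.
        # TLSv1.3 takes effect only when nginx is built against OpenSSL 1.1.1+.
        ssl_protocols  TLSv1.2 TLSv1.3;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            # Traffic to the backends leaves the load balancer as plain HTTP.
            proxy_pass http://ceshi80;
            # Pass the requested host name and the client address on, so the
            # backends do not see only the load balancer. X-Forwarded-For
            # keeps whatever the client sent and appends $remote_addr, so
            # backends should trust the last entry only.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            index  index.html index.htm;
        }
    }
}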
2、验证配置重启nginx服务
[root@nginx-test01 ~]# cd /usr/local/nginx/sbin/
[root@nginx-test01 sbin]# ./nginx -t #验证配置文件语法
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx-test01 sbin]# ./nginx -s reload #重新加载配置
3、验证负载均衡
[root@nginx-test01 ~]# cd /usr/local/nginx/conf/
[root@nginx-test01 conf]# scp nginx.conf root@<nginx-test02的IP>:/usr/local/nginx/conf/
[root@nginx-test02 sbin]# ./nginx -s reload #重新加载配置