Apache APISIX Quick Start, Part 2: Single-Node Installation and Deployment

1. Environment:

Component Version
OS CentOS Linux release 7.9.2009 (Core)
openresty 1.19.3.2
OpenSSL 1.1.1k
Lua 5.1
LuaRocks 2.3.0
etcd 3.4.13
APISIX 2.6.0
APISIX Dashboard 2.7.0

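2. Clone the repository

The official git repository already ships a number of automated deployment scripts under apisix/utils/, which can be used to automate the deployment.

# Use Gitee (a repository host in China) to speed up the download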
cd /data/softwares && \
git clone [email protected]:iresty/apisix.git

3. Install dependencies

1) Install openresty

1. Install the dependency libraries

yum install -y curl git gcc glibc gcc-c++ openssl-devel pcre-devel yum-utils

2. Install openresty and its openssl dependency

yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo && \
yum install -y openresty openresty-openssl111-devel

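3. Symlink into the standard directory

A yum install places openresty in /usr/local/openresty by default. Symlink it into the standard directory /data/applications so that everything is managed in one place.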

ln -s /usr/local/openresty /data/applications

2) Install etcd

1. Download the binary package

Note: apisix 2.6 only supports etcd 3.4.x

cd /data/softwares && \
wget -c https://github.com/etcd-io/etcd/releases/download/v3.4.13/etcd-v3.4.13-linux-amd64.tar.gz && \
tar xf etcd-v3.4.13-linux-amd64.tar.gz && \
cd etcd-v3.4.13-linux-amd64 && \
cp etcd* /usr/local/bin && \
mkdir -p /data/etcd/{conf,data,log}
2. Configuration file

Edit the file /data/etcd/conf/etcd.conf so that it contains the following:

#[Member]
#ETCD_CORS=""
ETCD_DATA_DIR="/data/etcd/data"
#ETCD_WAL_DIR=""
ETCD_LISTEN_PEER_URLS="http://192.168.3.224:2380"
ETCD_LISTEN_CLIENT_URLS="http://192.168.3.224:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
ETCD_NAME="node1"
#ETCD_SNAPSHOT_COUNT="100000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
#ETCD_QUOTA_BACKEND_BYTES="0"
#ETCD_MAX_REQUEST_BYTES="1572864"
#ETCD_GRPC_KEEPALIVE_MIN_TIME="5s"
#ETCD_GRPC_KEEPALIVE_INTERVAL="2h0m0s"
#ETCD_GRPC_KEEPALIVE_TIMEOUT="20s"


#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.3.224:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.3.224:2379"
#ETCD_DISCOVERY=""
#ETCD_DISCOVERY_FALLBACK="proxy"
#ETCD_DISCOVERY_PROXY=""
#ETCD_DISCOVERY_SRV=""
ETCD_INITIAL_CLUSTER="node1=http://192.168.3.224:2380"
#ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#ETCD_INITIAL_CLUSTER_STATE="new"
#ETCD_STRICT_RECONFIG_CHECK="true"
#ETCD_ENABLE_V2="true"
#
#[Proxy]
#ETCD_PROXY="off"
#ETCD_PROXY_FAILURE_WAIT="5000"
#ETCD_PROXY_REFRESH_INTERVAL="30000"
#ETCD_PROXY_DIAL_TIMEOUT="1000"
#ETCD_PROXY_WRITE_TIMEOUT="5000"
#ETCD_PROXY_READ_TIMEOUT="0"
#
#[Security]
#ETCD_CERT_FILE=""
#ETCD_KEY_FILE=""
#ETCD_CLIENT_CERT_AUTH="false"
#ETCD_TRUSTED_CA_FILE=""
#ETCD_AUTO_TLS="false"
#ETCD_PEER_CERT_FILE=""
#ETCD_PEER_KEY_FILE=""
#ETCD_PEER_CLIENT_CERT_AUTH="false"
#ETCD_PEER_TRUSTED_CA_FILE=""
#ETCD_PEER_AUTO_TLS="false"
#
#[Logging]
#ETCD_DEBUG="false"
#ETCD_LOG_PACKAGE_LEVELS=""
#ETCD_LOG_OUTPUT="default"
#
#[Unsafe]
#ETCD_FORCE_NEW_CLUSTER="false"
#
#[Version]
#ETCD_VERSION="false"
#ETCD_AUTO_COMPACTION_RETENTION="0"
#
#[Profiling]
#ETCD_ENABLE_PPROF="false"
#ETCD_METRICS="basic"
#
#[Auth]
#ETCD_AUTH_TOKEN="simple"
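
An added example (not part of the original post): the file above leaves the etcd client listener on plain http:// at a routable address, with every [Security] key commented out. The check below reads such an EnvironmentFile and reports those conditions; the function name audit_etcd_env and the finding labels are made up for this example, and the sample file is a constructed excerpt.

```shell
#!/bin/sh
# Added example, not from the original post: audit an etcd EnvironmentFile
# for client listeners reachable without TLS or client-certificate auth.

# audit_etcd_env FILE: print one finding per line (nothing when clean).
audit_etcd_env() (
    client_urls="" cert_auth="false"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in '#'*|'') continue ;; esac   # commented keys are inactive
        key=${line%%=*}
        val=${line#*=}
        val=${val#\"}; val=${val%\"}                # strip surrounding quotes
        case "$key" in
            ETCD_LISTEN_CLIENT_URLS) client_urls=$val ;;
            ETCD_CLIENT_CERT_AUTH)   cert_auth=$val ;;
        esac
    done < "$1"

    set -f; IFS=,                                   # URLs are comma-separated
    for url in $client_urls; do
        case "$url" in
            http://*) echo "PLAINTEXT_CLIENT $url" ;;
        esac
        host=${url#*://}; host=${host%:*}           # drop scheme and port
        case "$host" in
            127.0.0.1|localhost|'[::1]') ;;
            *) echo "NON_LOOPBACK $url" ;;
        esac
    done
    [ "$cert_auth" = "true" ] || echo "NO_CLIENT_CERT_AUTH"
)

# Constructed sample: active keys taken from the configuration above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#[Member]
ETCD_DATA_DIR="/data/etcd/data"
ETCD_LISTEN_PEER_URLS="http://192.168.3.224:2380"
ETCD_LISTEN_CLIENT_URLS="http://192.168.3.224:2379"
ETCD_NAME="node1"
#[Security]
#ETCD_CLIENT_CERT_AUTH="false"
EOF
audit_etcd_env "$sample"
```

APISIX keeps its routes and other configuration in this etcd instance, so any finding here applies to the gateway's configuration store as a whole.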

3. Configure logging

File path: /etc/rsyslog.d/etcd.conf. Create the file with the following content:

if $programname == 'etcd' then /data/etcd/log/etcd.log
& stop
Restart rsyslog
systemctl restart rsyslog.service 

4. Register with systemd

File path: /usr/lib/systemd/system/etcd.service. Create the file with the following content:

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/data/etcd
EnvironmentFile=/data/etcd/conf/etcd.conf

# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/local/bin/etcd"

Restart=on-failure
LimitNOFILE=65536
StandardOutput=syslog
StandardError=syslog
# without any quote
SyslogIdentifier=etcd

[Install]
WantedBy=multi-user.target

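Note: etcd 3.4.x automatically reads its parameters from environment variables, so a parameter that is already in the EnvironmentFile must not be added again to the ExecStart arguments. Use one or the other; configuring both triggers an error.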

Start the service
systemctl daemon-reload && \
systemctl enable etcd.service && \
systemctl start etcd.service 

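3) Install LuaRocks

apisix ships a one-step LuaRocks install script, linux-install-luarocks.sh, which can be used directly. It has to be paired with a yum-installed openresty or with apisix's own automated openresty install script, linux-install-openresty.sh, because by default it expects openresty under /usr/local/openresty.

1. Install with the automated script

curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -

Script contents: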
#!/usr/bin/env bash
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# you might need sudo to run this script
if [ -z ${OPENRESTY_PREFIX} ]; then
    OPENRESTY_PREFIX="/usr/local/openresty"
fi

wget https://github.com/luarocks/luarocks/archive/v3.4.0.tar.gz
tar -xf v3.4.0.tar.gz
cd luarocks-3.4.0 || exit

OR_BIN="$OPENRESTY_PREFIX/bin/openresty"
OR_VER=$($OR_BIN -v 2>&1 | awk -F '/' '{print $2}' | awk -F '.' '{print $1"."$2}')
if [[ -e $OR_BIN && "$OR_VER" == 1.19 ]]; then
    WITH_LUA_OPT="--with-lua=${OPENRESTY_PREFIX}/luajit"
else
    # For old version OpenResty, we still need to install LuaRocks with Lua
    WITH_LUA_OPT=
fi

./configure $WITH_LUA_OPT \
    > build.log 2>&1 || (cat build.log && exit 1)

make build > build.log 2>&1 || (cat build.log && exit 1)
sudo make install > build.log 2>&1 || (cat build.log && exit 1)
cd .. || exit
rm -rf luarocks-3.4.0

mkdir ~/.luarocks || true

# OpenResty 1.17.8 or higher version uses openssl111 as the openssl dirname.
OPENSSL_PREFIX=${OPENRESTY_PREFIX}/openssl
if [ -d ${OPENRESTY_PREFIX}/openssl111 ]; then
    OPENSSL_PREFIX=${OPENRESTY_PREFIX}/openssl111
fi

luarocks config variables.OPENSSL_LIBDIR ${OPENSSL_PREFIX}/lib
luarocks config variables.OPENSSL_INCDIR ${OPENSSL_PREFIX}/include

2. Build and install LuaRocks from source

openresty may already be installed, for example openresty 1.15.8.3 installed beforehand. The following describes a custom LuaRocks installation for that case.

openresty 1.19 and later can integrate luarocks directly, while earlier versions still need luarocks installed manually.

(1) Download and unpack the LuaRocks source package
cd /data/softwares/ && \
wget -c https://github.com/luarocks/luarocks/archive/v3.4.0.tar.gz && \
tar xf v3.4.0.tar.gz

(2) Integrate with openresty's luajit
cd /data/softwares/luarocks-3.4.0 && \
./configure --prefix=/data/applications/openresty/luajit --with-lua=/data/applications/openresty/luajit --lua-suffix=jit --with-lua-include=/data/applications/openresty/luajit/include/luajit-2.1

(3) Build and install
make build && \
make install

(4) Add environment variables
vim /etc/profile.d/luarocks.sh
# Add the following content
export LUAROCK_HOME=/data/applications/openresty/luajit/bin
export PATH=${PATH}:${LUAROCK_HOME}

source /etc/profile.d/luarocks.sh

(5) Verify the installation
luarocks

3. Make luarocks use openssl (upgrade openssl)

(1) Build zlib 1.2.11
cd /data/softwares && \
wget -c http://www.zlib.net/fossils/zlib-1.2.11.tar.gz && \
tar xf zlib-1.2.11.tar.gz && \
cd zlib-1.2.11 && \
./configure --prefix=/usr/local/zlib && \
make && make install

(2) Install OpenSSL 1.1.1

It can be installed directly from the official openresty repo.

yum install yum-utils && \
yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo && \
yum install -y openresty-openssl111-devel && \
ln -s /usr/local/openresty/openssl111 /usr/local/openssl

(3) Modify the openssl build file
vim /data/softwares/openresty-1.15.8.3/bundle/nginx-1.15.8/auto/lib/openssl/conf
# Delete every ".openssl" in the file. Each line it appears on is a path, as you can see before deleting; remember to delete the "/" as well

(4) Rebuild openresty and load the new openssl

Add --with-zlib=/data/softwares/zlib-1.2.11 --with-openssl=/usr/local/openssl

mkdir -p /data/conf/nginx/bak && \
cp /data/applications/openresty/nginx/conf/nginx.conf /data/conf/nginx/bak && \
cd /data/softwares/openresty-1.15.8.3 && \
./configure -j2 --prefix=/data/applications/openresty --with-pcre-jit --with-ipv6 --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-pcre --with-stream=dynamic --with-http_flv_module --add-module=/data/softwares/ngx_http_geoip2_module --add-module=/data/softwares/nginx_upstream_check_module --with-zlib=/data/softwares/zlib-1.2.11 --with-openssl=/usr/local/openssl && \
make -j2 && \
make install

(5) Point luarocks at openssl
luarocks config variables.OPENSSL_LIBDIR /usr/local/openssl/lib && \
luarocks config variables.OPENSSL_INCDIR /usr/local/openssl/include

4. Deploy apisix

1) Install

1. Download the rpm package

cd /data/softwares && \
wget -c https://github.com/apache/apisix/releases/download/2.6/apisix-2.6-0.x86_64.rpm

2. Install apisix

yum localinstall -y apisix-2.6-0.x86_64.rpm

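3. Symlink into the standard directory

A yum install places apisix in /usr/local/apisix by default. Symlink it into the standard directory /data/applications so that everything is managed in one place.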

ln -s /usr/local/apisix /data/applications

2) Configure

1. Configure the etcd address

File path: /data/applications/apisix/conf/config.yaml. Modify the etcd setting:

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# If you want to set the specified configuration value, you can set the new
# in this file. For example if you want to specify the etcd address:
#
etcd:
    host:
      - "http://192.168.3.224:2379"

# To configure via environment variables, you can use `${{VAR}}` syntax. For instance:
#
# etcd:
#     host:
#       - "http://${{ETCD_HOST}}:2379"
#
# And then run `export ETCD_HOST=$your_host` before `make init`.
#
# If the configured environment variable can't be found, an error will be thrown.
apisix:
  admin_key:
    - name: "admin"
      key: edd1c9f034335f136f87ad84b625c8f1  # using fixed API token has security risk, please update it when you deploy to production environment
      role: admin

2. Modify apisix's built-in nginx.conf (optional)

File path: /data/applications/apisix/conf/nginx.conf. The purpose is to lift the restrictions on external access; not recommended for production.

sed -i '/deny/d' /data/applications/apisix/conf/nginx.conf && \
sed -i '/allow/d' /data/applications/apisix/conf/nginx.conf 

3. Modify the startup service

File path: /data/applications/apisix/apisix/cli/ops.lua. Disable the init call (which re-initializes nginx.conf) in the reload function:

local function reload(env)
    -- reinit nginx.conf
    -- init(env)  -- comment out this line

    local test_cmd = env.openresty_args .. [[ -t -q ]]
    -- When success,
    -- On linux, os.execute returns 0,
    -- On macos, os.execute returns 3 values: true, exit, 0, and we need the first.
    local test_ret = execute((test_cmd))
    if (test_ret == 0 or test_ret == true) then
        local cmd = env.openresty_args .. [[ -s reload]]
        execute(cmd)
        return
    end

    print("test openresty failed")
end

3) Start

1. Modify the systemd unit

File path: /usr/lib/systemd/system/apisix.service. Add the Restart option:

[Unit]
Description=apisix
Conflicts=apisix.service
After=network-online.target

[Service]
Type=forking
WorkingDirectory=/usr/local/apisix
ExecStart=/usr/bin/apisix start
ExecStop=/usr/bin/apisix stop
ExecReload=/usr/bin/apisix reload
Restart=always

[Install]
WantedBy=multi-user.target

2. Start the service

systemctl daemon-reload && \
systemctl enable apisix.service && \
systemctl start apisix.service

4) Verify

1. Call the RESTful API with a GET request

The authentication key is in the file /data/applications/apisix/conf/config.yaml, under apisix ==> admin_key

curl -s "http://127.0.0.1:9080/apisix/admin/services/" -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' | jq .
A normal response looks like this:
{
  "count":"1",
  "action":"get",
  "node":{
    "key":"/apisix/services",
    "nodes":{},
    "dir":true
  }
}

5. Install apisix dashboard

1) Install

1. Download the rpm package

cd /data/softwares && \
wget -c https://github.com/apache/apisix-dashboard/releases/download/v2.7/apisix-dashboard-2.7-0.x86_64.rpm 

2. Install the dashboard

A yum install places it in /usr/local/apisix/dashboard by default

yum localinstall -y apisix-dashboard-2.7-0.x86_64.rpm 

2) Configure

1. Modify the allow_list and etcd settings

  • allow_list: add 0.0.0.0/0 (allow list; add entries as needed)
  • etcd: change to 192.168.3.224:2379

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# yamllint disable rule:comments-indentation
conf:
  listen:
    # host: 127.0.0.1     # the address on which the `Manager API` should listen.
                          # The default value is 0.0.0.0, if want to specify, please enable it.
                          # This value accepts IPv4, IPv6, and hostname.
    port: 9000            # The port on which the `Manager API` should listen.

  # ssl:
  #   host: 127.0.0.1     # the address on which the `Manager API` should listen for HTTPS.
                          # The default value is 0.0.0.0, if want to specify, please enable it.
  #   port: 9001            # The port on which the `Manager API` should listen for HTTPS.
  #   cert: "/tmp/cert/example.crt" # Path of your SSL cert.
  #   key:  "/tmp/cert/example.key"  # Path of your SSL key.

  allow_list:             # If we don't set any IP list, then any IP access is allowed by default.
    - 127.0.0.1           # The rules are checked in sequence until the first match is found.
    - 0.0.0.0/0
    - ::1                 # In this example, access is allowed only for IPv4 network 127.0.0.1, and for IPv6 network ::1.
                          # It also support CIDR like 192.168.1.0/24 and 2001:0db8::/32
  etcd:
    endpoints:            # supports defining multiple etcd host addresses for an etcd cluster
      - 192.168.3.224:2379
                          # yamllint disable rule:comments-indentation
                          # etcd basic auth info
    # username: "root"    # ignore etcd username if not enable etcd auth
    # password: "123456"  # ignore etcd password if not enable etcd auth
    mtls:
      key_file: ""          # Path of your self-signed client side key
      cert_file: ""         # Path of your self-signed client side cert
      ca_file: ""           # Path of your self-signed ca cert, the CA is used to sign callers' certificates
    # prefix: /apisix       # apisix config's prefix in etcd, /apisix by default
  log:
    error_log:
      level: warn       # supports levels, lower to higher: debug, info, warn, error, panic, fatal
      file_path:
        logs/error.log  # supports relative path, absolute path, standard output
                        # such as: logs/error.log, /tmp/logs/error.log, /dev/stdout, /dev/stderr
    access_log:
      file_path:
        logs/access.log  # supports relative path, absolute path, standard output
                         # such as: logs/access.log, /tmp/logs/access.log, /dev/stdout, /dev/stderr
                         # log example: 2020-12-09T16:38:09.039+0800    INFO    filter/logging.go:46    /apisix/admin/routes/r1 {"status": 401, "host": "127.0.0.1:9000", "query": "asdfsafd=adf&a=a", "requestId": "3d50ecb8-758c-46d1-af5b-cd9d1c820156", "latency": 0, "remoteIP": "127.0.0.1", "method": "PUT", "errs": []}
  max_cpu: 0             # supports tweaking with the number of OS threads are going to be used for parallelism. Default value: 0 [will use max number of available cpu cores considering hyperthreading (if any)]. If the value is negative, is will not touch the existing parallelism profile.

authentication:
  secret:
    secret              # secret for jwt token generation.
                        # NOTE: Highly recommended to modify this value to protect `manager api`.
                        # if it's default value, when `manager api` start, it will generate a random string to replace it.
  expire_time: 3600     # jwt token expire time, in second
  users:                # yamllint enable rule:comments-indentation
    - username: admin   # username and password for login `manager api`
      password: admin
    - username: user
      password: user

plugins:                          # plugin list (sorted in alphabetical order)
  - api-breaker
  - authz-keycloak
  - basic-auth
  - batch-requests
  - consumer-restriction
  - cors
  # - dubbo-proxy
  - echo
  # - error-log-logger
  # - example-plugin
  - fault-injection
  - grpc-transcode
  - hmac-auth
  - http-logger
  - ip-restriction
  - jwt-auth
  - kafka-logger
  - key-auth
  - limit-conn
  - limit-count
  - limit-req
  # - log-rotate
  # - node-status
  - openid-connect
  - prometheus
  - proxy-cache
  - proxy-mirror
  - proxy-rewrite
  - redirect
  - referer-restriction
  - request-id
  - request-validation
  - response-rewrite
  - serverless-post-function
  - serverless-pre-function
  # - skywalking
  - sls-logger
  - syslog
  - tcp-logger
  - udp-logger
  - uri-blocker
  - wolf-rbac
  - zipkin
  - server-info
  - traffic-split
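
An added example (not part of the original post) covering both the apisix configuration step and the dashboard configuration above: it checks a deployment for the settings this walkthrough leaves in place, namely the admin key shown in config.yaml, an nginx.conf with no deny rule after the sed step, an allow_list entry of 0.0.0.0/0, and dashboard users whose password equals the username. The function name audit_apisix and the finding labels are made up for this example, and the three sample files are constructed excerpts.

```shell
#!/bin/sh
# Added example, not from the original post. Function name and finding labels
# are this example's own; the sample files below are constructed excerpts.

# audit_apisix CONFIG_YAML NGINX_CONF DASHBOARD_CONF: one finding per line.
audit_apisix() (
    # Admin key shown in config.yaml above; its own comment says to replace it.
    shipped_key=edd1c9f034335f136f87ad84b625c8f1
    if grep -Eq "^[[:space:]]*key:[[:space:]]*\"?${shipped_key}" "$1"; then
        echo "SHIPPED_ADMIN_KEY"
    fi
    # The sed step deletes every deny line, so none is left in nginx.conf.
    grep -Eq '^[[:space:]]*deny[[:space:]]' "$2" || echo "NGINX_NO_DENY_RULE"
    awk '
        { sub(/[ \t]*#.*$/, "") }                 # strip YAML comments
        /^[ \t]*allow_list:/ { in_list = 1; next }
        in_list && /^[ \t]*-/ {
            if ($2 == "0.0.0.0/0" || $2 == "::/0") print "ALLOW_LIST_OPEN " $2
            next
        }
        in_list && NF { in_list = 0 }             # next key ends the list
        $1 == "-" && $2 == "username:" { user = $3 }
        $1 == "password:" && $2 == user { print "PASSWORD_EQUALS_USERNAME " user }
    ' "$3"
)

d=$(mktemp -d)
cat > "$d/config.yaml" <<'EOF'
apisix:
  admin_key:
    - name: "admin"
      key: edd1c9f034335f136f87ad84b625c8f1  # fixed token
      role: admin
EOF
printf 'location /apisix/admin {\n}\n' > "$d/nginx.conf"   # access rules deleted
cat > "$d/conf.yaml" <<'EOF'
conf:
  allow_list:             # checked in sequence
    - 127.0.0.1
    - 0.0.0.0/0
    - ::1
authentication:
  users:
    - username: admin   # login for manager api
      password: admin
    - username: user
      password: user
EOF
audit_apisix "$d/config.yaml" "$d/nginx.conf" "$d/conf.yaml"
```

On a real host, pass /data/applications/apisix/conf/config.yaml, /data/applications/apisix/conf/nginx.conf and /data/applications/apisix/dashboard/conf/conf.yaml; empty output means none of these conditions was found.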

3) Start

1. Register with systemd

File path: /usr/lib/systemd/system/apisix-dashboard.service. Create the file with the following content:

[Unit]
Description=apisix dashboard
After=network-online.target
After=apisix.service
Wants=apisix.service

[Service]
Type=forking
WorkingDirectory=/usr/local/apisix/dashboard

ExecStart=/bin/bash -c "/usr/bin/manager-api start -p /usr/local/apisix/dashboard/"
ExecStop=/usr/bin/manager-api stop
Restart=always

[Install]
WantedBy=multi-user.target

2. Start the service

systemctl daemon-reload && \
systemctl enable apisix-dashboard.service && \
systemctl start apisix-dashboard.service 

4) Verify

Visit http://192.168.3.224:9000. The default username and password are both admin; they can be defined in the configuration file /data/applications/apisix/dashboard/conf/conf.yaml, under authentication ==> users
