LVS实战:DR模式搭建HTTP和HTTPS负载均衡集群

文章目录

  • 项目环境
  • 搭建HTTP负载均衡集群
    • 1. 在Client上配置CIP
    • 2. 在DR上配置DIP和VIP
    • 3. 在RS上修改网卡内核参数
    • 4. 在RS上配置VIP和RIP
    • 5. 配置路由信息
    • 6. 在DR上添加规则
    • 7. 在DR上配置http
    • 8. 在客户端访问验证
  • 搭建HTTPS负载均衡集群
    • 1. 生成证书
    • 2. 配置HTTPS
    • 3. 在DR上配置规则
    • 4. 在客户端访问验证

项目环境


拓扑:
LVS实战:DR模式搭建HTTP和HTTPS负载均衡集群_第1张图片



搭建HTTP负载均衡集群


1. 在Client上配置CIP

[root@Client ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:86:24:c1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.207.132/24 brd 192.168.207.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe86:24c1/64 scope link 
       valid_lft forever preferred_lft forever

2. 在DR上配置DIP和VIP

[root@DR ~]# ip addr add 192.168.207.200/32 dev lo
[root@DR ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 192.168.207.200/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:97:c3:66 brd ff:ff:ff:ff:ff:ff
    inet 192.168.207.129/24 brd 192.168.207.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe97:c366/64 scope link 
       valid_lft forever preferred_lft forever

3. 在RS上修改网卡内核参数

[root@RS1 ~]# vim /etc/sysctl.conf 
//添加下面两行内容
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@RS1 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

[root@RS2 ~]# vim /etc/sysctl.conf 
//添加下面两行内容
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@RS2 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

4. 在RS上配置VIP和RIP

RS1

[root@RS1 ~]# ip addr add 192.168.207.200/32 dev lo
[root@RS1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 192.168.207.200/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:2d:e0:d6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.207.130/24 brd 192.168.207.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe2d:e0d6/64 scope link 
       valid_lft forever preferred_lft forever

RS2

[root@RS2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 192.168.207.200/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:9b:a5:b7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.207.131/24 brd 192.168.207.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe9b:a5b7/64 scope link 
       valid_lft forever preferred_lft forever

5. 配置路由信息

[root@DR ~]# route add -host 192.168.207.200 dev lo
[root@RS1 ~]# route add -host 192.168.207.200 dev lo
[root@RS2 ~]# route add -host 192.168.207.200 dev lo

6. 在DR上添加规则

[root@DR ~]# yum -y install ipvsadm
[root@DR ~]# ipvsadm -A -t 192.168.207.200:80 -s wrr
[root@DR ~]# ipvsadm -a -t 192.168.207.200:80 -r 192.168.207.130:80 -g
[root@DR ~]# ipvsadm -a -t 192.168.207.200:80 -r 192.168.207.131:80 -g
[root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.207.200:80 wrr
  -> 192.168.207.130:80           Route   1      0          0         
  -> 192.168.207.131:80           Route   1      0          0 

7. 在DR上配置http

[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# echo 'RS1' > /var/www/html/index.html
[root@RS1 ~]# systemctl start httpd

[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# echo 'RS2' > /var/www/html/index.html
[root@RS2 ~]# systemctl start httpd

8. 在客户端访问验证

[root@Client ~]# for i in $(seq 10);do curl 192.168.207.200 ;done
RS2
RS1
RS2
RS1
RS2
RS1
RS2
RS1
RS2
RS1


搭建HTTPS负载均衡集群


1. 生成证书

生成一对秘钥

[root@DR ~]# cd /etc/pki/CA
[root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
..+++
e is 65537 (0x10001)

生成自签署证书

[root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:aaa.com
Organizational Unit Name (eg, section) []:aaa.com
Common Name (eg, your name or your server's hostname) []:aaa.com
Email Address []:[email protected]
[root@DR CA]# touch index.txt && echo 01 > serial

在RS生成证书签署请求,并发送给CA

[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
...................................................................+++
e is 65537 (0x10001)
[root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:aaa.com
Organizational Unit Name (eg, section) []:aaa.com
Common Name (eg, your name or your server's hostname) []:aaa.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@RS1 ssl]# ls
httpd.csr  httpd.key
[root@RS1 ssl]# scp httpd.csr [email protected]:/root

CA签署证书并发给客户端

[root@DR ~]# ls
httpd.csr
[root@DR ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 24 13:15:07 2020 GMT
            Not After : Jul 24 13:15:07 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = aaa.com
            organizationalUnitName    = aaa.com
            commonName                = aaa.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B5:D7:DC:0C:4C:84:F9:7B:3D:B4:7C:10:CD:96:87:C8:87:56:47:FD
            X509v3 Authority Key Identifier: 
                keyid:1B:FE:4E:5C:52:2F:11:4C:E2:66:73:9E:DD:77:8C:F1:8E:E3:9E:54

Certificate is to be certified until Jul 24 13:15:07 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@DR ~]# ls
httpd.crt  httpd.csr

CA把签署好的证书httpd.crt和服务端的证书cacert.pem发给客户端

[root@DR ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
[root@DR ~]# scp /etc/pki/CA/cacert.pem [email protected]:/etc/httpd/ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl
[root@DR ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
[root@DR ~]# scp /etc/pki/CA/cacert.pem [email protected]:/etc/httpd/ssl

2. 配置HTTPS

在RS1上将httpd.key传给RS2,并在RS上安装ssl模块

[root@RS1 ssl]# ls
cacert.pem  httpd.crt  httpd.key
[root@RS1 ssl]# scp httpd.key [email protected]:/etc/httpd/ssl
[root@RS1 ssl]# yum -y install mod_ssl

//RS2上查看是否拥有证书和秘钥
[root@RS2 ssl]# ls
cacert.pem  httpd.crt  httpd.key
[root@RS2 ssl]# yum -y install mod_ssl

在RS上编辑配置文件

[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf 
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
//将下面两行删除注释,并修改域名
DocumentRoot "/var/www/html"
ServerName aaa.com:443
...
//修改下面没有带注释的行
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
...
...
#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
[root@RS1 ~]# systemctl restart httpd

//RS2上的配置和上面的一样,这里就不做演示了

3. 在DR上配置规则

[root@DR ~]# ipvsadm -A -t 192.168.207.200:443 -s wrr
[root@DR ~]# ipvsadm -a -t 192.168.207.200:443 -r 192.168.207.130 -g
[root@DR ~]# ipvsadm -a -t 192.168.207.200:443 -r 192.168.207.131 -g
[root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.207.200:80 wrr
  -> 192.168.207.130:80           Route   1      0          0         
  -> 192.168.207.131:80           Route   1      0          0         
TCP  192.168.207.200:443 wrr
  -> 192.168.207.130:443          Route   1      0          0         
  -> 192.168.207.131:443          Route   1      0          0 

4. 在客户端访问验证

[root@Client ~]# for i in $(seq 10);do curl -k https://192.168.207.200 ;done
RS2
RS1
RS2
RS1
RS2
RS1
RS2
RS1
RS2
RS1

你可能感兴趣的:(负载均衡(LB),lvs)