LVS实战:DR模式搭建HTTP和HTTPS负载均衡集群
文章目录
- 项目环境
- 搭建HTTP负载均衡集群
-
- 1. 在Client上配置CIP
- 2. 在DR上配置DIP和VIP
- 3. 在RS上修改网卡内核参数
- 4. 在RS上配置VIP和RIP
- 5. 配置路由信息
- 6. 在DR上添加规则
- 7. 在DR上配置http
- 8. 在客户端访问验证
- 搭建HTTPS负载均衡集群
-
- 1. 生成证书
- 2. 配置HTTPS
- 3. 在DR上配置规则
- 4. 在客户端访问验证
项目环境
拓扑:
搭建HTTP负载均衡集群
1. 在Client上配置CIP
[root@Client ~]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:86:24:c1 brd ff:ff:ff:ff:ff:ff
inet 192.168.207.132/24 brd 192.168.207.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe86:24c1/64 scope link
valid_lft forever preferred_lft forever
2. 在DR上配置DIP和VIP
[root@DR ~]# ip addr add 192.168.207.200/32 dev lo
[root@DR ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 192.168.207.200/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:97:c3:66 brd ff:ff:ff:ff:ff:ff
inet 192.168.207.129/24 brd 192.168.207.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe97:c366/64 scope link
valid_lft forever preferred_lft forever
3. 在RS上修改网卡内核参数
[root@RS1 ~]# vim /etc/sysctl.conf
//添加下面两行内容
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@RS1 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@RS2 ~]# vim /etc/sysctl.conf
//添加下面两行内容
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@RS2 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
4. 在RS上配置VIP和RIP
RS1
[root@RS1 ~]# ip addr add 192.168.207.200/32 dev lo
[root@RS1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 192.168.207.200/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:2d:e0:d6 brd ff:ff:ff:ff:ff:ff
inet 192.168.207.130/24 brd 192.168.207.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe2d:e0d6/64 scope link
valid_lft forever preferred_lft forever
RS2
[root@RS2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 192.168.207.200/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:9b:a5:b7 brd ff:ff:ff:ff:ff:ff
inet 192.168.207.131/24 brd 192.168.207.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe9b:a5b7/64 scope link
valid_lft forever preferred_lft forever
5. 配置路由信息
[root@DR ~]# route add -host 192.168.207.200 dev lo
[root@RS1 ~]# route add -host 192.168.207.200 dev lo
[root@RS2 ~]# route add -host 192.168.207.200 dev lo
6. 在DR上添加规则
[root@DR ~]# yum -y install ipvsadm
[root@DR ~]# ipvsadm -A -t 192.168.207.200:80 -s wrr
[root@DR ~]# ipvsadm -a -t 192.168.207.200:80 -r 192.168.207.130:80 -g
[root@DR ~]# ipvsadm -a -t 192.168.207.200:80 -r 192.168.207.131:80 -g
[root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.207.200:80 wrr
-> 192.168.207.130:80 Route 1 0 0
-> 192.168.207.131:80 Route 1 0 0
7. 在DR上配置http
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# echo 'RS1' > /var/www/html/index.html
[root@RS1 ~]# systemctl start httpd
[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# echo 'RS2' > /var/www/html/index.html
[root@RS2 ~]# systemctl start httpd
8. 在客户端访问验证
[root@Client ~]# for i in $(seq 10);do curl 192.168.207.200 ;done
RS2
RS1
RS2
RS1
RS2
RS1
RS2
RS1
RS2
RS1
搭建HTTPS负载均衡集群
1. 生成证书
生成一对秘钥
[root@DR ~]# cd /etc/pki/CA
[root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
..+++
e is 65537 (0x10001)
生成自签署证书
[root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:aaa.com
Organizational Unit Name (eg, section) []:aaa.com
Common Name (eg, your name or your server's hostname) []:aaa.com
Email Address []:[email protected]
[root@DR CA]# touch index.txt && echo 01 > serial
在RS生成证书签署请求,并发送给CA
[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
..................+++
...................................................................+++
e is 65537 (0x10001)
[root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:aaa.com
Organizational Unit Name (eg, section) []:aaa.com
Common Name (eg, your name or your server's hostname) []:aaa.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@RS1 ssl]# ls
httpd.csr httpd.key
[root@RS1 ssl]# scp httpd.csr [email protected]:/root
CA签署证书并发给客户端
[root@DR ~]# ls
httpd.csr
[root@DR ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 24 13:15:07 2020 GMT
Not After : Jul 24 13:15:07 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = aaa.com
organizationalUnitName = aaa.com
commonName = aaa.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B5:D7:DC:0C:4C:84:F9:7B:3D:B4:7C:10:CD:96:87:C8:87:56:47:FD
X509v3 Authority Key Identifier:
keyid:1B:FE:4E:5C:52:2F:11:4C:E2:66:73:9E:DD:77:8C:F1:8E:E3:9E:54
Certificate is to be certified until Jul 24 13:15:07 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@DR ~]# ls
httpd.crt httpd.csr
CA把签署好的证书httpd.crt和服务端的证书cacert.pem发给客户端
[root@DR ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
[root@DR ~]# scp /etc/pki/CA/cacert.pem [email protected]:/etc/httpd/ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl
[root@DR ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
[root@DR ~]# scp /etc/pki/CA/cacert.pem [email protected]:/etc/httpd/ssl
2. 配置HTTPS
在RS1上将httpd.key传给RS2,并在RS上安装ssl模块
[root@RS1 ssl]# ls
cacert.pem httpd.crt httpd.key
[root@RS1 ssl]# scp httpd.key [email protected]:/etc/httpd/ssl
[root@RS1 ssl]# yum -y install mod_ssl
//RS2上查看是否拥有证书和秘钥
[root@RS2 ssl]# ls
cacert.pem httpd.crt httpd.key
[root@RS2 ssl]# yum -y install mod_ssl
在RS上编辑配置文件
[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
//将下面两行删除注释,并修改域名
DocumentRoot "/var/www/html"
ServerName aaa.com:443
...
//修改下面没有带注释的行
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
...
...
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
[root@RS1 ~]# systemctl restart httpd
//RS2上的配置和上面的一样,这里就不做演示了
3. 在DR上配置规则
[root@DR ~]# ipvsadm -A -t 192.168.207.200:443 -s wrr
[root@DR ~]# ipvsadm -a -t 192.168.207.200:443 -r 192.168.207.130 -g
[root@DR ~]# ipvsadm -a -t 192.168.207.200:443 -r 192.168.207.131 -g
[root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.207.200:80 wrr
-> 192.168.207.130:80 Route 1 0 0
-> 192.168.207.131:80 Route 1 0 0
TCP 192.168.207.200:443 wrr
-> 192.168.207.130:443 Route 1 0 0
-> 192.168.207.131:443 Route 1 0 0
4. 在客户端访问验证
[root@Client ~]# for i in $(seq 10);do curl -k https://192.168.207.200 ;done
RS2
RS1
RS2
RS1
RS2
RS1
RS2
RS1
RS2
RS1