haproxy 负载均衡

haproxy部署

• 环境

主机名	IP
DR	192.168.218.130
SR1	192.168.218.132
SR2	192.168.218.133

• 关闭防火墙

//三台主机均需要做
[root@DR ~]# systemctl disable --now firewalld
[root@DR ~]# setenforce 0
[root@DR ~]# vi /etc/selinux/config 
SELINUX=disabled

• 部署网站服务

//安装服务
[root@SR1 ~]# yum -y install httpd 
[root@SR2 ~]# yum -y install httpd 

//配置页面
[root@SR1 ~]# cd /var/www/html/
[root@SR1 html]# echo 'test rs1' > index.html
[root@SR2 ~]# cd /var/www/html/
[root@SR2 html]# echo 'test rs2' > index.html

//启动服务
[root@SR1 html]# systemctl enable --now httpd
[root@SR2 html]# systemctl enable --now httpd

//修改配置文件
[root@SR1 html]# vi /etc/httpd/conf/httpd.conf
取消前面的#号
ServerName www.example.com:80
[root@SR2 ~]# vi /etc/httpd/conf/httpd.conf 
取消前面的#号
ServerName www.example.com:80

//重启服务
[root@SR1 ~]# systemctl restart httpd
[root@SR2 ~]# systemctl restart httpd

• 安装haproxy

//安装依赖包
[root@DR ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel

//解压压缩包
[root@DR ~]# tar xf haproxy-2.4.0.tar.gz

//创建用户
[root@DR ~]# useradd -r -M -s /sbin/nologin haproxy
[root@DR ~]# id haproxy
uid=995(haproxy) gid=992(haproxy) groups=992(haproxy)

//编译
[root@DR ~]# cd haproxy-2.4.0
[root@DR ~]# make clean
[root@DR haproxy-2.4.0]# make -j $(grep 'processor' /proc/cpuinfo |wc -l)  \
> TARGET=linux-glibc  \
> USE_OPENSSL=1  \
> USE_ZLIB=1  \
> USE_PCRE=1  \
> USE_SYSTEMD=1
[root@DR haproxy-2.4.0]# make install PREFIX=/usr/local/haproxy
[root@DR ~]# ls /usr/local/
bin  etc  games  haproxy  include  lib  lib64  libexec  sbin  share  src

//因为我们指定了安装路径，需要添加环境变量
[root@DR ~]# vi /etc/profile.d/haproxy.sh
export PATH=/usr/local/haproxy/sbin:$PATH
[root@DR ~]# source /etc/profile.d/haproxy.sh 

• 配置各个负载的内核参数

[root@DR ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >>  /etc/sysctl.conf
[root@DR ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR ~]# sysctl  -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1

• 提供配置文件

[root@DR ~]# mkdir /etc/haproxy
[root@DR ~]# vim /etc/haproxy/haproxy.cfg

    #--------------全局配置----------------
global
    log 127.0.0.1 local0  info
    #log loghost local0 info
    maxconn 20480
#chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    #maxconn 4000
    user haproxy
    group haproxy
    daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option dontlognull
    option httpclose
    option httplog
    #option forwardfor
    option redispatch
    balance roundrobin
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
    maxconn 60000
    retries 3
#--------------统计页面配置------------------
listen admin_stats
    bind 0.0.0.0:8189
    stats enable
    mode http
    log global
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin
    #stats hide-version
    stats admin if TRUE
    stats refresh 10s
#---------------web设置-----------------------
listen webcluster
    bind 0.0.0.0:80
    mode http
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    server web01 192.168.218.132:80 cookie web01 check inter 2000 fall 5
    server web01 192.168.218.133:80 cookie web01 check inter 2000 fall 5

• 设置开机自启，haproxy.service文件编写

[root@DR ~]# vim /usr/lib/systemd/system/haproxy.service
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target

[Service]
ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg   -c  -q
ExecStart=/usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg  -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target
[root@DR ~]# systemctl daemon-reload

//开启haproxy
[root@192 ~]# systemctl enable --now haproxy 
[root@192 ~]# systemctl status haproxy 
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disabl>
   Active: active (running) since Sun 2021-10-17 23:03:01 CST; 1min 50s ago
  Process: 16953 ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg >
 Main PID: 16956 (haproxy)
    Tasks: 5 (limit: 12322)
   Memory: 8.5M
   CGroup: /system.slice/haproxy.service
           ├─16956 /usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var>
           └─16958 /usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var>

Oct 17 23:03:01 192.168.218.130 systemd[1]: Starting HAProxy Load Balancer...
Oct 17 23:03:01 192.168.218.130 systemd[1]: Started HAProxy Load Balancer.
Oct 17 23:03:01 192.168.218.130 haproxy[16956]: [NOTICE]   (16956) : New worker #1 (16958)>

• 网站访问
  
  
  
  
  图中绿色代表正在运行的主机服务，红色则表示该主机宕机

https负载均衡

• ssl模块开启

[root@SR1 ~]# yum -y install mod_ssl
[root@SR2 ~]# yum -y install mod_ssl

• 配置密钥

//生成密钥
[root@SR1 ~]# mkdir ssl
[root@SR1 ~]# cd ssl/
[root@SR1 ssl]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................+++++
.....................+++++
e is 65537 (0x010001)

//生成证书请求文件
[root@SR1 ssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn     //国家
State or Province Name (full name) []:hubei    //省份
Locality Name (eg, city) [Default City]:wuhan    //城市
Organization Name (eg, company) [Default Company Ltd]:wa   // 公司
Organizational Unit Name (eg, section) []:    
Common Name (eg, your name or your server's hostname) []:web01.example.com    //域名
Email Address []:          //邮箱地址

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

//生成证书crt
[root@SR1 ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = cn, ST = hubei, L = wuhan, O = wa, CN = web01.example.com
Getting Private key

//复制证书到指定位置
[root@SR1 ssl]# cd 
[root@SR1 ~]# cd /etc/httpd/
[root@SR1 httpd]# cp -r /root/ssl/ /etc/httpd/
[root@SR1 httpd]# ll |grep ssl
drwxr-xr-x  2 root root  60 Oct 18 09:39 ssl      //此处大小不能为0

//ssl.conf配置文件导入证书，默认站点使用此配置文件
[root@SR1 httpd]# vi /etc/httpd/conf.d/ssl.conf 
DocumentRoot "/var/www/html"      //取消此行注释
ServerName www.example.com:443    //取消此行注释
SSLCertificateFile /etc/httpd/ssl/server.crt     //修改此行路径
SSLCertificateKeyFile /etc/httpd/ssl/server.key    //修改此行路径

//将文件传输到RS2上面去
[root@SR2 ~]# mkdir /etc/httpd/ssl
[root@SR1 ssl]# scp server.crt server.key 192.168.218.133:/etc/httpd/s
ssl/   state/ 
[root@SR1 ssl]# scp server.crt server.key 192.168.218.133:/etc/httpd/ssl/
The authenticity of host '192.168.218.133 (192.168.218.133)' can't be established.
ECDSA key fingerprint is SHA256:R2vMn4cw3OiR2qHPNLGGvDqsJHfs36bHDGVkOUX7pqU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.218.133' (ECDSA) to the list of known hosts.
root@192.168.218.133's password: 
server.crt                                   100% 1172     1.5MB/s   00:00    
server.key                                   100% 1675     2.8MB/s   00:00  

//
DocumentRoot "/var/www/html"    //取消此行注释
ServerName www.example.com:443    //取消此行注释
SSLCertificateFile /etc/httpd/ssl/server.crt     //修改此行路径
SSLCertificateKeyFile /etc/httpd/ssl/server.key    //修改此行路径

//重启服务
[root@SR1 ~]# systemctl restart httpd 
[root@SR2 ~]# systemctl restart httpd 

• 修改配置文件

[root@DR ~]# vi /etc/haproxy/haproxy.cfg 
#--------------全局配置----------------
global
    log 127.0.0.1 local0  info
    #log loghost local0 info
    maxconn 20480    
#chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    #maxconn 4000
    user haproxy
    group haproxy
    daemon    
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults   
    mode tcp      //模式改为tcp
    log global   
    option dontlognull
    option httpclose
    option httplog
    #option forwardfor
    option redispatch
    balance roundrobin  
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
    maxconn 60000
    retries 3   
#--------------统计页面配置------------------   
listen admin_stats
    bind 0.0.0.0:8189   
    stats enable
    mode http
    log global
    stats uri /haproxy_stats     
    stats realm Haproxy\ Statistics
    stats auth admin:admin       
    #stats hide-version
    stats admin if TRUE
    stats refresh 30s
#---------------web设置-----------------------   
listen webcluster
    bind 0.0.0.0:443     //端口改为443
    mode tcp             //模式改为tcp
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    server web01 192.168.218.132:443 check inter 2000 fall 5        //端口改为443
    server web02 192.168.218.133:443 check inter 2000 fall 5        //端口改为443
    #server web01 192.168.80.102:80 cookie web01 check inter 2000 fall 5

//重启服务
[root@DR ~]# systemctl restart haproxy.service

• 网页访问测试