文章目录
HAproxy
1. HAproxy简介
HAProxy是一种高性能的开源负载均衡和代理服务器软件。它主要用于将传入的网络流量分发到多个后端服务器,以实现负载均衡和提高系统的可用性和性能。
HAProxy具有以下特点:
- 高性能:HAProxy采用事件驱动的架构和多线程模型,能够处理大量并发连接并实现高吞吐量。
- 负载均衡:HAProxy可以根据预定义的负载均衡算法(如轮询、最小连接数等)将流量分发到多个后端服务器上,实现负载均衡,避免单一服务器过载。
- 健康检查:HAProxy支持对后端服务器进行健康检查,以确保只有正常可用的服务器接收到流量。
- 会话保持:HAProxy支持会话保持,可以将同一客户端的请求路由到同一后端服务器上,确保会话的连续性。
- SSL终止:HAProxy可以对传入的SSL/TLS连接进行解密,并将流量转发给后端服务器,减轻服务器负担。
- 动态配置:HAProxy支持动态配置,可以根据需要添加、删除或修改后端服务器,而无需重启服务。
- 可扩展性:HAProxy可以水平扩展,通过在多个机器上部署实例实现高可用和负载均衡。
- 统计和监控:HAProxy提供了丰富的统计和监控功能,可以实时监控流量、连接数、服务器状态等指标,并生成报告和日志。
2. HAproxy部署
主机名 | ip | 系统版本 | haproxy版本 |
---|---|---|---|
DR | 192.168.234.123 | CentOS8 | 2.7.10 |
RS1 | 192.168.234.22 | CentOS8 | 2.7.10 |
RS2 | 192.168.234.33 | CentOS8 | 2.7.10 |
负载均衡http
2.1 关闭防火墙以及在RS上安装httpd并且写入网页内容
## RS1
[root@RS1 ~]# yum install -y httpd
[root@RS1 ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS1 ~]# setenforce 0
[root@RS1 ~]# sed -i 's/^SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@RS1 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
[root@RS1 ~]#
[root@RS1 ~]# echo 'This is RS1' > /var/www/html/index.html
## RS2
[root@RS2 ~]# yum install -y httpd
[root@RS2 ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS2 ~]# setenforce 0
[root@RS2 ~]# sed -i 's/^SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@RS2 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
[root@RS2 ~]# echo 'This is RS2' > /var/www/html/index.html
## 将RS2的http访问端口改为8080,在haproxy中可以直接监听8080端口
[root@RS2 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:80 *:*
[root@RS2 ~]# vim /etc/httpd/conf/httpd.conf
·····················略
#Listen 12.34.56.78:80
Listen 8080 ## 改为8080
·····················略
## 重启服务
[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:8080 *:*
## DR
[root@DR ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# setenforce 0
[root@DR ~]# sed -i 's/^SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
2.2 获取haproxy包
[root@DR ~]# wget https://www.haproxy.org/download/2.7/src/haproxy-2.7.10.tar.gz
2.3 安装依赖包
[root@DR ~]# yum install -y make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
2.4 添加haproxy系统用户
[root@DR ~]# useradd -r -M -s /sbin/nologin haproxy
2.5 安装haproxy
## 解压下载的包
[root@DR ~]# tar xf haproxy-2.7.10.tar.gz
## 开始安装
[root@DR ~]# cd haproxy-2.7.10
[root@DR haproxy-2.7.10]# make clean
[root@DR haproxy-2.7.10]# make -j $(nproc) TARGET=linux-glibc \
> USE_OPENSSL=1 USE_PCRE=1 USE_SYSTEMD=1
[root@DR haproxy-2.7.10]# make install PREFIX=/usr/local/haproxy
2.6 做软连接
[root@DR haproxy]# ln -s /usr/local/haproxy/sbin/* /usr/sbin/
[root@DR haproxy]# cd
[root@DR ~]# which haproxy
/usr/sbin/haproxy
[root@DR ~]#
2.7 配置各个负载的内核参数
[root@DR ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@DR ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
[root@DR ~]#
2.8 提供配置文件
[root@DR ~]# mkdir /etc/haproxy
[root@DR ~]# cd /etc/haproxy/
[root@DR haproxy]# cat > /etc/haproxy/haproxy.cfg <<EOF
> #--------------全局配置----------------
> global
> log 127.0.0.1 local0 info
> #log loghost local0 info
> maxconn 20480
> #chroot /usr/local/haproxy
> pidfile /var/run/haproxy.pid
> #maxconn 4000
> user haproxy
> group haproxy
> daemon
> #---------------------------------------------------------------------
> #common defaults that all the 'listen' and 'backend' sections will
> #use if not designated in their block
> #---------------------------------------------------------------------
> defaults
> mode http
> log global
> option dontlognull
> option httpclose
> option httplog
> #option forwardfor
> option redispatch
> balance roundrobin
> timeout connect 10s
> timeout client 10s
> timeout server 10s
> timeout check 10s
> maxconn 60000
> retries 3
> #--------------统计页面配置------------------
> listen admin_stats
> bind 0.0.0.0:8189 ## 控制台页面
> stats enable
> mode http
> log global
> stats uri /haproxy_stats
> stats realm Haproxy\ Statistics
> stats auth admin:admin ## 用户密码
> #stats hide-version
> stats admin if TRUE
> stats refresh 30s
> #---------------web设置-----------------------
> listen webcluster
> bind 0.0.0.0:80
> mode http
> #option httpchk GET /index.html
> log global
> maxconn 3000
> balance roundrobin
> cookie SESSION_COOKIE insert indirect nocache
> server web01 172.16.103.130:80 check inter 2000 fall 5
> #server web01 192.168.80.102:80 cookie web01 check inter 2000 fall 5
> EOF
2.9 修改配置文件
[root@DR haproxy]# vim /etc/haproxy/haproxy.cfg
··········································略
#---------------web设置-----------------------
listen webcluster
bind 0.0.0.0:80
mode http
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
cookie SESSION_COOKIE insert indirect nocache
server RS1 192.168.234.22:80 check inter 2000 fall 5 ## 修改此行
server RS2 192.168.234.33:8080 check inter 2000 fall 5 ## 修改此行
#server web01 192.168.80.102:80 cookie web01 check inter 2000 fall 5
2.10 编写haproxy.service文件
[root@DR haproxy]# cat > /usr/lib/systemd/system/haproxy.service <<EOF
> [Unit]
> Description=HAProxy Load Balancer
> After=syslog.target network.target
>
> [Service]
> ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
> ExecStart=/usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
> ExecReload=/bin/kill -USR2 $MAINPID
>
> [Install]
> WantedBy=multi-user.target
> EOF
[root@DR haproxy]# systemctl daemon-reload
2.11 启用日志
[root@DR ~]# vim /etc/rsyslog.conf
·······································略
# Save boot messages also to boot.log
local0.* /var/log/haproxy.log ## 添加此行
local7.* /var/log/boot.log
// 重启服务
[root@DR ~]# systemctl restart rsyslog
2.12 启动haproxy
[root@DR haproxy]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@DR ~]# systemctl enable --now haproxy
[root@DR ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 2048 0.0.0.0:8189 0.0.0.0:*
LISTEN 0 2048 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
## 启动成功
2.13 haproxy控制台
## 在配置文件的这一段
[root@kiwi123 ~]# vim /etc/haproxy/haproxy.cfg
·····································略
#--------------统计页面配置------------------
listen admin_stats
bind 0.0.0.0:8189 ## 控制台页面
stats enable
mode http
log global
stats uri /haproxy_stats ## 端口后要带上/haproxy_stats
stats realm Haproxy\ Statistics
stats auth admin:admin ## 用户密码
#stats hide-version
stats admin if TRUE
stats refresh 30s
#---------------web设置-----------------------
····································略
负载均衡https
在RS上生成密钥和证书
## 在RS1上生成CA密钥
[root@RS1 ~]# mkdir /etc/pki/CA
[root@RS1 ~]# cd /etc/pki/CA/
[root@RS1 CA]# mkdir private
[root@RS1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
[root@RS1 CA]#
## 生成自签署证书
[root@RS1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
[root@RS1 CA]# touch index.txt && echo 01 > serial
## 生成证书
[root@RS1 CA]# mkdir certs newcerts crl
[root@RS1 CA]# cd /etc/httpd/ && mkdir ssl && cd ssl
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
[root@RS1 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
[root@RS1 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
## 安装证书服务
[root@RS1 ssl]# yum install -y httpd-devel mod_ssl
[root@RS1 ssl]# grep -Ev '^$|^#' /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLCryptoDevice builtin
<VirtualHost _default_:443>
DocumentRoot "/var/www/html/www.kiwi.com" ## 修改为挂证书的网站
ServerName www.kiwi.com:443 ## 修改为挂证书的网站
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/httpd/ssl/httpd.crt ## 修改为相应的位置
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key ## 修改为相应的位置
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
## 重启服务
[root@RS1 ssl]# systemctl restart httpd
## 将证书复制到RS2
[root@RS2 ~]# cd /etc/httpd/ && mkdir ssl && cd ssl
[root@RS2 ssl]# scp root@192.168.234.22:/etc/httpd/ssl/httpd.crt /etc/httpd/ssl/
[root@RS2 ssl]# scp root@192.168.234.22:/etc/httpd/ssl/httpd.key /etc/httpd/ssl/
[root@RS2 ssl]# yum -y install httpd-devel mod_ssl
## 这与RS1一致
[root@RS2 ssl]# grep -Ev '^$|^#' /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLCryptoDevice builtin
<VirtualHost _default_:443>
DocumentRoot "/var/www/html/www.kiwi.com" ## 修改为挂证书的网站
ServerName www.kiwi.com:443 ## 修改为挂证书的网站
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/httpd/ssl/httpd.crt ## 修改为相应的位置
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key ## 修改为相应的位置
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
[root@RS2 ssl]#
在DR上修改配置文件
[root@DR haproxy]# vim /etc/haproxy/haproxy.cfg
································略
#---------------web设置-----------------------
listen webcluster
bind 0.0.0.0:443
mode tcp ## 注意:这里要改为tcp模式
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
cookie SESSION_COOKIE insert indirect nocache
server RS1 192.168.234.22:443 check inter 2000 fall 5 ## 修改这行
server RS2 192.168.234.33:443 check inter 2000 fall 5 ## 修改这行
#server web01 192.168.80.102:80 cookie web01 check inter 2000 fall 5
## 重启服务
[root@DR ~]# systemctl restart haproxy
ip地址后面接8189端口则是haproxy控制台