For security, nginx should listen only on the keepalived high-availability VIP addresses; the site must not be reachable through the load balancers' own (externally facing) addresses. Any listen directive bound to 0.0.0.0 or to an LB node's real IP would let a client bypass the VIP.
LB nodes: 10.0.0.5 10.0.0.6
VIPs: 10.0.0.3 10.0.0.4
Edit the nginx load-balancing configuration:
upstream web {
    server 10.0.0.7:80;
    server 10.0.0.8:80;
    server 10.0.0.9:80;
}

server {
    # Bind the VIP explicitly; never `listen 80;` (wildcard) or the
    # LB node's own 10.0.0.5 / 10.0.0.6.
    listen 10.0.0.3:80;
    server_name www.aaa.com;
    location / {
        proxy_pass http://web;
        proxy_set_header Host $host;
        # $remote_addr is the directly connected client; unlike
        # $proxy_add_x_forwarded_for it does not trust a header the client supplied.
        proxy_set_header X-Forwarded-For $remote_addr;
        # Retry the next backend on these conditions (non-idempotent requests
        # such as POST are not retried unless non_idempotent is added).
        proxy_next_upstream error timeout http_404 http_502 http_403;
    }
}

server {
    listen 10.0.0.4:80;
    server_name bbs.aaa.com;
    location / {
        proxy_pass http://web;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
Note: this configuration has a problem. keepalived runs in master-master mode with two VIPs, but at any moment each load balancer holds only one of them; the other VIP is not present on any local interface. nginx is therefore told to listen on an address the NIC does not have, and it fails to start with a bind() error (Cannot assign requested address).
Fix: change the kernel parameter so a process may bind an address that is not currently configured locally:
echo 'net.ipv4.ip_nonlocal_bind = 1' >>/etc/sysctl.conf
sysctl -p
Then restart nginx:
systemctl restart nginx
Note: whenever a change to the nginx configuration touches the IP address of a listen directive, a reload is not enough. On reload the master process tries to bind the new sockets while the old ones are still open, and if that bind fails nginx silently keeps running the old configuration. Use a full restart for listen-address changes and confirm the result afterwards.
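The following shell script is an added example, not part of the original page: it audits an nginx configuration so that every listen directive binds one of the keepalived VIPs (10.0.0.3 and 10.0.0.4 from the page) and flags wildcards or the LB nodes' own addresses (10.0.0.5, 10.0.0.6), and it checks the ip_nonlocal_bind setting that the startup failure above depends on. The function names and the two sample configuration files are constructed for the demonstration; on a real node you would point the functions at the live files and the live sysctl.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Audits nginx `listen` directives
# against the keepalived VIPs (10.0.0.3, 10.0.0.4) so the site cannot be reached
# on a wildcard socket or on an LB node's own address (10.0.0.5, 10.0.0.6).
# Function names and the sample configs below are hypothetical/constructed.

VIPS="10.0.0.3 10.0.0.4"

# Print the address part of every IPv4 `listen` directive in the given files:
#   listen 10.0.0.3:80;  -> 10.0.0.3
#   listen 80;           -> *   (wildcard: binds every address on the host)
#   listen *:80;         -> *
# IPv6 forms such as [::]:80 are not handled (they contain extra colons).
listen_addrs() {
  cat -- "$@" |
    sed -n 's/^[[:space:]]*listen[[:space:]][[:space:]]*\([^;[:space:]]*\).*/\1/p' |
    awk -F: '{ if (NF == 1 && $1 ~ /^[0-9]+$/) print "*"; else print $1 }'
}

# Return 0 when every listen address is a VIP; otherwise print each offender
# (wildcards and LB-own addresses alike) and return 1.
check_listen_vip_only() {
  local bad=0 addr ok vip
  while IFS= read -r addr; do
    [ -z "$addr" ] && continue
    ok=0
    for vip in $VIPS; do
      [ "$addr" = "$vip" ] && ok=1
    done
    if [ "$ok" -eq 0 ]; then
      echo "non-VIP listen address: $addr"
      bad=1
    fi
  done <<EOF
$(listen_addrs "$@")
EOF
  return "$bad"
}

# Return 0 when the kernel lets nginx bind a VIP currently held by the other
# keepalived node (net.ipv4.ip_nonlocal_bind = 1). The sysctl file path is a
# parameter so a constructed file can be checked offline; the default is the
# live kernel setting.
nonlocal_bind_enabled() {
  local f="${1:-/proc/sys/net/ipv4/ip_nonlocal_bind}"
  [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Constructed sample configurations (not a real deployment's files).
GOOD_CFG=$(mktemp)
BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
server {
    listen 10.0.0.3:80;
    server_name www.aaa.com;
}
server {
    listen 10.0.0.4:80;
    server_name bbs.aaa.com;
}
EOF
cat > "$BAD_CFG" <<'EOF'
server {
    listen 80;            # wildcard: also answers on 10.0.0.5 / 10.0.0.6
    server_name www.aaa.com;
}
server {
    listen 10.0.0.5:80;   # the LB node's own address, not a VIP
    server_name bbs.aaa.com;
}
EOF

if check_listen_vip_only "$GOOD_CFG"; then
  echo "good config: every listen directive binds a VIP"
fi
if ! check_listen_vip_only "$BAD_CFG"; then
  echo "bad config: site reachable outside the VIPs"
fi
if nonlocal_bind_enabled; then
  echo "ip_nonlocal_bind=1: nginx can bind the VIP the other node currently holds"
fi
```

On a live node run `check_listen_vip_only /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf` so that included files are covered too, and after the restart compare against what is actually bound with `ss -lntp`: the only port-80 sockets should be on 10.0.0.3 and 10.0.0.4, none on 0.0.0.0 or the node's own address.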