需求
搭建一个高可用负载均衡集群架构出来,并运行三个站点,具体需求如下。
1 搭建lnmp、tomcat+jdk环境
2 三个站点分别为:discuz论坛、dedecms企业网站以及zrlog博客
3 把三个站点放到同一台服务器上,然后做负载均衡集群,要求所有站点域名解析到一个ip上,
4 需要共享静态文件,
5 设计合理的目录、文件权限,比如discuz的data目录需要给php-fpm进程用户可写权限,其他目录不用写的就不要给写权限(目录755,文件644,属主属组root)
6 所有服务器要求只能普通用户登录,而且只能密钥登录,root只能普通用户sudo
7 给所有服务器做一个简单的命令审计功能
8 php-fpm服务要求设置慢执行日志,超时时间为2s,并做日志切割,日志保留一月
9 给三个站点的后台访问做二次认证,增加安全性
一、配置主从MySQL
192.168.1.150 主 192.168.1.151 从 安装数据库
cd /usr/local/src/
wget http://mirrors.163.com/mysql/Downloads/MySQL-5.6/mysql-5.6.43-linux-glibc2.12-x86_64.tar.gz
tar zxvf mysql-5.6.43-linux-glibc2.12-x86_64.tar.gz
mv mysql-5.6.43-linux-glibc2.12-x86_64 /usr/local/mysql
cd /usr/local/mysql
useradd mysql
mkdir -p /data/mysql #数据目录要和下面 --datadir 一致;原文的 mkdir data 创建的是 /usr/local/mysql/data,并不是 /data/mysql
./scripts/mysql_install_db --user=mysql --datadir=/data/mysql
启动脚本
cp support-files/mysql.server /etc/init.d/mysqld #拷贝启动脚本到/etc/init.d/目录下
编辑启动脚本
vim /etc/init.d/mysqld
basedir=/usr/local/mysql #定义软件安装目录
datadir=/data/mysql #定义数据目录
chmod 755 /etc/init.d/mysqld #设置权限为755 默认就是755(是 chmod,不是 chown)
chkconfig --add mysqld #加入到系统启动服务里面去(开机启动)
同样可以使用启动
/etc/init.d/mysqld restart
service mysqld start
/usr/local/mysql/bin/mysqld_safe --defaults-file=/etc/my.cnf --user=mysql --datadir=/data/mysql &
#--defaults-file=/etc/my.cnf 指定配置文件
#--user=mysql 指定启动用户(选项是 --user;mysqld 不要以 root 身份运行)
#--datadir=/data/mysql 指定数据文件
ps aux |grep mysql #查看进程
netstat -lntp #查看监听端口
mysql配置文件
#使用本机自带的配置文件/etc/my.cnf更改为以下内容
[root@test mysql]# cat /etc/my.cnf
[mysqld]
datadir=/data/mysql
socket=/tmp/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd
[mysqld_safe]
#log-error=/var/log/mariadb/mariadb.log
#pid-file=/var/run/mariadb/mariadb.pid
#
# include all files from the config directory
#
#!includedir /etc/my.cnf.d
配置主
修改my.cnf,增加server-id=150和log_bin=aminglinux1
创建用作同步数据的用户
grant replication slave on *.* to 'repl'@'192.168.1.151' identified by '123456'; # 只授权给从库的 IP,不要用 '%';123456 仅为示例,生产环境换成强口令(从库 change master 里要写同一个)
flush tables with read lock; # 锁表期间不要退出这个会话,会话断开锁就自动释放了
show master status; # 记下输出里的 File 和 Position,从库 change master 时要用
配置从
查看my.cnf,配置server-id=151,要求和主不一样
修改完配置文件后,启动或者重启mysqld服务
mysql -uroot # mysql_install_db 生成的 root 账号没有口令,主从两台都应先设置口令(set password 或 mysql_secure_installation),否则本机任何用户都能以 root 登录数据库
stop slave;
change master to master_host='192.168.1.150', master_user='repl', master_password='123456', master_log_file='master-bin.000001', master_log_pos=120;
# master_log_file/master_log_pos 必须填主库 show master status 的实际输出,不能照抄:主库 my.cnf 写的是 log_bin=aminglinux1 时,文件名是 aminglinux1.000001 而不是 master-bin.000001。语句以分号结尾(原文末尾是逗号)
start slave;
验证主从同步
show slave status\G
mysql> show slave status\G
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.1.150
Master_User: repl
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: master-bin.000002
Read_Master_Log_Pos: 120
Relay_Log_File: localhost-relay-bin.000003
Relay_Log_Pos: 284
Relay_Master_Log_File: master-bin.000002
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
IO/SQL两个yes
测试主从同步
回到主上
mysql> unlock tables;
mysql> create database dedecms; # 创建dedecms数据库备用
mysql> create database zrlog; # 创建zrlog数据库备用
mysql> create database discuz; # 创建discuz数据库备用
mysql> grant all on dedecms.* to 'dedecms'@'192.168.1.%' identified by '<强口令>'; # 每个站点用只对自己的库授权的专用账号连接(可以精确到 141/142 两台 web 机的 IP),不要让站点用 root;zrlog、discuz 同理各建一个
二、LNMP环境搭建
安装mysql,这是因为php需要用到mysql的驱动库(编译 php 时 --with-mysql 等选项要用到 /usr/local/mysql 下的头文件和库),所以只需要解压放到 /usr/local/mysql 即可,不需要进行配置。注意:web 服务器上不要执行下面的 mysql_install_db 和启动 mysqld 的步骤——那些只在数据库服务器上做,否则每台 web 机都会多跑一个 root 无口令的 MySQL 实例。
cd /usr/local/src/
yum install -y epel-release wget perl-Module-Install.noarch libaio*
wget http://mirrors.sohu.com/mysql/MySQL-5.6/mysql-5.6.35-linux-glibc2.5-x86_64.tar.gz
tar -zxvf mysql-5.6.35-linux-glibc2.5-x86_64.tar.gz
mv mysql-5.6.35-linux-glibc2.5-x86_64 ../mysql
cd /usr/local/mysql
mkdir /data/
useradd mysql
./scripts/mysql_install_db --user=mysql --datadir=/data/mysql
cp support-files/mysql.server /etc/init.d/mysqld
编辑启动脚本
vim /etc/init.d/mysqld
basedir=/usr/local/mysql #定义软件安装目录
datadir=/data/mysql #定义数据目录
chmod 755 /etc/init.d/mysqld #设置权限为755 默认就是755(是 chmod,不是 chown)
chkconfig --add mysqld #加入到系统启动服务里面去(开机启动)
同样可以使用启动
/etc/init.d/mysqld restart
service mysqld start
/usr/local/mysql/bin/mysqld_safe --defaults-file=/etc/my.cnf --user=mysql --datadir=/data/mysql &
#--defaults-file=/etc/my.cnf 指定配置文件
#--user=mysql 指定启动用户(选项是 --user;mysqld 不要以 root 身份运行)
#--datadir=/data/mysql 指定数据文件
#& 丢到后台启动
ps aux |grep mysql #查看进程
netstat -lntp #查看监听端口
mysql配置文件
#使用本机自带的配置文件/etc/my.cnf更改为以下内容
[root@test mysql]# cat /etc/my.cnf
[mysqld]
datadir=/data/mysql
socket=/tmp/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd
[mysqld_safe]
#log-error=/var/log/mariadb/mariadb.log
#pid-file=/var/run/mariadb/mariadb.pid
#
# include all files from the config directory
#
#!includedir /etc/my.cnf.d
安装PHP-fpm
cd /usr/local/src/
yum -y install epel-release wget gcc gcc-c++ libmcrypt-devel libmcrypt libcurl-devel libxml2-devel openssl-devel bzip2-devel libjpeg-devel libpng-devel freetype-devel libmcrypt-devel
wget http://cn2.php.net/distributions/php-5.6.30.tar.gz # php 5.6 已停止安全维护(2018 年底 EOL),新部署应选用仍在维护的版本,并相应调整下面的 configure 选项
tar -zxvf php-5.6.30.tar.gz
cd php-5.6.30/
./configure --prefix=/usr/local/php-fpm --with-config-file-path=/usr/local/php-fpm/etc --enable-fpm --with-fpm-user=php-fpm --with-fpm-group=php-fpm --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-pdo-mysql=/usr/local/mysql --with-mysql-sock=/tmp/mysql.sock --with-libxml-dir --with-gd --with-jpeg-dir --with-png-dir --with-freetype-dir --with-iconv-dir --with-zlib-dir --with-mcrypt --enable-soap --enable-gd-native-ttf --enable-ftp --enable-mbstring --enable-exif --with-pear --with-curl --with-openssl
make && make install
cp php.ini-production /usr/local/php-fpm/etc/php.ini
vi /usr/local/php-fpm/etc/php-fpm.conf //写入如下内容(--prefix 是 /usr/local/php-fpm,原文的 /usr/local/php/etc 路径不存在)
cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
chmod 755 /etc/init.d/php-fpm
chkconfig --add php-fpm
chkconfig php-fpm on
service php-fpm start
ps aux |grep php-fpm
编辑配置文件php-fpm.conf
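; php-fpm.conf for the web nodes (prefix /usr/local/php-fpm).
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log

[www]
listen = /tmp/php-fcgi.sock
; The socket is reachable only by the nginx worker user (nginx.conf: "user nobody nobody").
; The previous listen.mode = 666 let any local account submit FastCGI requests
; and run PHP as php-fpm, bypassing the web server entirely.
listen.owner = nobody
listen.group = nobody
listen.mode = 0660
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
; Requirement 8: log (with a PHP backtrace) every request that runs longer than 2 s.
; Rotation / one-month retention is done by logrotate on this path, not in this file.
request_slowlog_timeout = 2s
slowlog = /usr/local/php-fpm/var/log/www-slow.log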
安装nginx
cd /usr/local/src
wget http://nginx.org/download/nginx-1.12.1.tar.gz
tar zxf nginx-1.12.1.tar.gz
cd nginx-1.12.1 && ./configure --prefix=/usr/local/nginx --with-http_ssl_module #先进入源码目录;带上 ssl 模块,后面后台二次认证(Basic Auth)只有跑在 HTTPS 上才有意义
make && make install
vim /etc/init.d/nginx
chmod 755 /etc/init.d/nginx
chkconfig --add nginx
chkconfig nginx on
cd /usr/local/nginx/conf/; mv nginx.conf nginx.conf.bak
vim nginx.conf //写入如下内容
/usr/local/nginx/sbin/nginx -t
/etc/init.d/nginx start
netstat -lntp |grep 80
nginx.conf
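# Main nginx.conf for the web nodes.  Per-site virtual hosts live in
# vhost/*.conf; this file carries global tuning and one catch-all server.
user nobody nobody;
worker_processes 2;
error_log /usr/local/nginx/logs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;
events
{
    use epoll;
    worker_connections 6000;
}
http
{
    include mime.types;
    default_type application/octet-stream;
    # do not advertise the exact nginx version in Server: headers and error pages
    server_tokens off;
    server_names_hash_bucket_size 3526;
    server_names_hash_max_size 4096;
    # $http_x_forwarded_for is whatever the client (or the load balancer) sent;
    # it is only trustworthy when this node accepts traffic solely from the LB
    log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
    ' $host "$request_uri" $status'
    ' "$http_referer" "$http_user_agent"';
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 30;
    client_header_timeout 3m;
    client_body_timeout 3m;
    send_timeout 3m;
    connection_pool_size 256;
    client_header_buffer_size 1k;
    large_client_header_buffers 8 4k;
    request_pool_size 4k;
    output_buffers 4 32k;
    postpone_output 1460;
    client_max_body_size 10m;
    client_body_buffer_size 256k;
    client_body_temp_path /usr/local/nginx/client_body_temp;
    proxy_temp_path /usr/local/nginx/proxy_temp;
    fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
    fastcgi_intercept_errors on;
    tcp_nodelay on;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 8k;
    gzip_comp_level 5;
    gzip_http_version 1.1;
    # text/html is always compressed and must not be listed; "text/htm" was a typo
    gzip_types text/plain application/x-javascript text/css application/xml;
    server
    {
        listen 80;
        server_name localhost;
        index index.html index.htm index.php;
        root /usr/local/nginx/html;
        location ~ \.php$
        {
            # only hand php-fpm scripts that really exist on disk: stops the
            # "/upload.jpg/x.php" PATH_INFO trick at the web-server layer
            # (php-fpm's default security.limit_extensions=.php is the other half)
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_pass unix:/tmp/php-fcgi.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
}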
开机启动脚本
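#!/bin/bash
# chkconfig: - 30 21
# description: http service.
#
# SysV init script for the source-built nginx under /usr/local/nginx.
#   usage: /etc/init.d/nginx {start|stop|reload|restart|configtest|status}
# Exit status is that of the underlying nginx / killproc call (0 = ok), or 1
# for an unknown subcommand.  daemon(), killproc() and status() come from the
# RHEL/CentOS helper library sourced below.

# Source Function Library
. /etc/init.d/functions

# Nginx Settings
NGINX_SBIN="/usr/local/nginx/sbin/nginx"
NGINX_CONF="/usr/local/nginx/conf/nginx.conf"
NGINX_PID="/usr/local/nginx/logs/nginx.pid"
RETVAL=0
prog="Nginx"

# Start the master process through daemon(); RETVAL is daemon()'s status.
start()
{
  echo -n $"Starting $prog: "
  # tmpfs scratch dir; nothing in nginx.conf points here today, kept so a
  # config that sets *_temp_path under /dev/shm keeps working
  mkdir -p /dev/shm/nginx_temp
  daemon "$NGINX_SBIN" -c "$NGINX_CONF"
  RETVAL=$?
  echo
  return $RETVAL
}

# Stop via SIGTERM to the pid in the pid file.  The status is captured
# right after killproc: reading $? after the rm below would report rm's
# result and hide a failed stop (that is what the previous version did).
stop()
{
  echo -n $"Stopping $prog: "
  killproc -p "$NGINX_PID" "$NGINX_SBIN" -TERM
  RETVAL=$?
  rm -rf /dev/shm/nginx_temp
  echo
  return $RETVAL
}

# Re-read the configuration (SIGHUP) without dropping connections.
reload()
{
  echo -n $"Reloading $prog: "
  killproc -p "$NGINX_PID" "$NGINX_SBIN" -HUP
  RETVAL=$?
  echo
  return $RETVAL
}

restart()
{
  stop
  start
}

# nginx -t; its own exit status is propagated so callers can tell a broken
# configuration apart from a good one (the previous version always returned 0).
configtest()
{
  "$NGINX_SBIN" -c "$NGINX_CONF" -t
  RETVAL=$?
  return $RETVAL
}

# Report whether the pid in the pid file is alive (helper-library status()).
status_nginx()
{
  status -p "$NGINX_PID" "$NGINX_SBIN"
  RETVAL=$?
  return $RETVAL
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  reload)
    reload
    ;;
  restart)
    restart
    ;;
  configtest)
    configtest
    ;;
  status)
    status_nginx
    ;;
  *)
    echo $"Usage: $0 {start|stop|reload|restart|configtest|status}"
    RETVAL=1
esac
exit $RETVAL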
最后检查一下nginx能否解析php,在nginx的html目录下创建一个php文件,写一句简单的php代码:
[root[@localhost]$ vim /usr/local/nginx/html/1.php
<?php
echo "11111"
?>
使用curl命令进行访问,正常输出就代表没问题(测试完把 1.php 删掉,不要把测试脚本留在站点目录里):
[root@localhost ~]$ curl localhost/1.php
11111
配置nginx默认虚拟主机,方便以后可以直接使用: 首先把nginx配置文件里定义的虚拟主机删除:
vim /usr/local/nginx/conf/nginx.conf
删除后加上这一行,这是用来引用虚拟主机配置文件的:
include vhost/*.conf;
创建vhost目录:
mkdir /usr/local/nginx/conf/vhost
进入到vhost目录下,创建一个default.conf文件:
cd /usr/local/nginx/conf/vhost
vim default.conf
添加以下内容:
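# Catch-all virtual host: default_server receives every request whose Host
# header matches no other vhost (e.g. hitting the node by IP), so nothing
# site-specific belongs here.
server
{
    listen 80 default_server;
    server_name aaa.com;
    index index.html index.htm index.php;
    root /data/wwwroot/default;
    location ~ \.php$
    {
        # only scripts that exist on disk reach php-fpm (see nginx.conf)
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}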
创建默认站点目录:
mkdir -p /data/wwwroot/default/
重新启动nginx:
service nginx restart
三、搭建tomcat+jdk
安装jdk
jdk版本1.6,1.7,1.8
官网下载地址 http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
下载jdk8,放到/usr/local/src/目录下
tar zxvf jdk-8u144-linux-x64.tar.gz
mv jdk1.8.0_144 /usr/local/jdk1.8
vi /etc/profile //最后面增加
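# Java environment appended to /etc/profile (JDK 8 under /usr/local/jdk1.8).
# The trailing `export` is what makes JAVA_HOME/JRE_HOME visible to child
# processes such as Tomcat's catalina.sh; PATH was already exported by the
# login shell, the other variables were not.
JAVA_HOME=/usr/local/jdk1.8/
JAVA_BIN=/usr/local/jdk1.8/bin
JRE_HOME=/usr/local/jdk1.8/jre
PATH=$PATH:/usr/local/jdk1.8/bin:/usr/local/jdk1.8/jre/bin
CLASSPATH=/usr/local/jdk1.8/jre/lib:/usr/local/jdk1.8/lib:/usr/local/jdk1.8/jre/lib/charsets.jar
export JAVA_HOME JAVA_BIN JRE_HOME PATH CLASSPATH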
source /etc/profile
java -version
显示下面版本则为安装成功
java -version
安装Tomcat
cd /usr/local/src
wget http://apache.fayea.com/tomcat/tomcat-8/v8.5.20/bin/apache-tomcat-8.5.20.tar.gz
tar zxvf apache-tomcat-8.5.20.tar.gz
mv apache-tomcat-8.5.20 /usr/local/tomcat
/usr/local/tomcat/bin/startup.sh
ps aux|grep tomcat
netstat -lntp |grep java
三个端口:8080 是提供 web 服务的端口;8005 是 shutdown 端口(默认只监听 127.0.0.1,保持默认即可);8009 是 AJP 端口,本方案 nginx 通过 HTTP 8080 反代,用不到 AJP,应在 server.xml 里把 AJP Connector 注释掉——8.5.20 自带的 AJP 连接器监听所有地址且没有认证,暴露到网络上可被用来读取 web 应用的文件(Ghostcat,CVE-2020-1938)。另外上面的 startup.sh 是以 root 运行的,生产环境应创建专用的 tomcat 用户并用它启动(站点目录相应交给该用户),同时删掉 webapps 下 manager、host-manager、examples、docs、ROOT 等默认应用。
tomcat不支持restart
启动命令:/usr/local/tomcat/bin/startup.sh
停止命令:/usr/local/tomcat/bin/shutdown.sh
配置虚拟主机
vim /usr/local/tomcat/conf/server.xml
<!-- Virtual host for zrlog; goes inside <Engine> next to the stock
     "localhost" Host.  reloadable="true" makes Tomcat watch WEB-INF for
     changes and redeploy - a development convenience with runtime overhead
     on a production node.  crossContext="true" lets other web applications
     obtain this context; a single-app host does not need it.  The default
     "localhost" Host (manager, host-manager, examples) stays served on 8080
     unless those applications are removed from webapps/. -->
<Host name="www.zrlog.com" appBase=""
unpackWARs= "true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<Context path="" docBase="/data/wwwroot/zrlog.com/" debug="0" reloadable="true" crossContext="true"/>
</Host>
四、搭建3个站点
搭建dedecms
创建并编辑虚拟主机配置文件
vim /usr/local/nginx/conf/vhost/dedecms.com.conf
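# www.dedecms.com on the web nodes (backend of the load balancer, section 八).
server
{
    listen 80;
    server_name www.dedecms.com;
    index index.html index.htm index.php;
    root /data/wwwroot/dedecms.com;
    # /uploads is user-supplied content (shared over NFS); PHP placed there
    # must never execute.  Regex locations are matched in file order, so this
    # block has to stay above the generic \.php$ handler.
    location ~ ^/uploads/.*\.php$
    {
        deny all;
    }
    location ~ \.php$
    {
        # only scripts that exist on disk reach php-fpm (see nginx.conf)
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}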
创建数据目录
mkdir /data/wwwroot/dedecms.com/
下载dedecms主程序
[root@localhost ~]# cd /usr/local/src/
[root@localhost /usr/local/src]# wget http://updatenew.dedecms.com/base-v57/package/DedeCMS-V5.7-UTF8-SP2.tar.gz
[root@localhost /usr/local/src]# tar -zxvf DedeCMS-V5.7-UTF8-SP2.tar.gz
[root@localhost /usr/local/src]# mv DedeCMS-V5.7-UTF8-SP2/uploads/* /data/wwwroot/dedecms.com/
[root@localhost /data/wwwroot/dedecms.com]# ls
a dede favicon.ico include install member robots.txt tags.php uploads
data images index.php m plus special templets
windows上的hosts文件
先按需求 5 处理好目录权限,再准备安装向导需要的数据库 IP 地址、数据库名、用户名和口令(用只对该站点的库授权的专用账号,不要填 root);安装完成后删除或改名站点目录下的 install 目录,否则任何人都可以重新运行安装程序。
www.dedecms.com
搭建discuz
创建并编辑虚拟主机配置文件
vim /usr/local/nginx/conf/vhost/discuz.com.conf
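# www.discuz.com on the web nodes (backend of the load balancer, section 八).
server
{
    listen 80;
    server_name www.discuz.com;
    index index.html index.htm index.php;
    root /data/wwwroot/discuz.com;
    # data/attachment holds user uploads (shared over NFS); PHP placed there
    # must never execute.  Regex locations are matched in file order, so this
    # block has to stay above the generic \.php$ handler.
    location ~ ^/data/attachment/.*\.php$
    {
        deny all;
    }
    location ~ \.php$
    {
        # only scripts that exist on disk reach php-fpm (see nginx.conf)
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}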
创建数据目录
mkdir /data/wwwroot/discuz.com/
下载discuz主程序
[root@localhost ~]# cd /usr/local/src/
[root@localhost /usr/local/src]# wget http://download.comsenz.com/DiscuzX/3.3/Discuz_X3.3_SC_UTF8.zip
[root@localhost /usr/local/src]# unzip Discuz_X3.3_SC_UTF8.zip
[root@localhost /usr/local/src]# mv upload/* /data/wwwroot/discuz.com/
[root@localhost /usr/local/src]# ls /data/wwwroot/discuz.com/
admin.php config data home.php misc.php search.php uc_client
api connect.php favicon.ico index.php plugin.php source uc_server
api.php cp.php forum.php install portal.php static userapp.php
archiver crossdomain.xml group.php member.php robots.txt template
搭建zrlog
windows上的hosts文件
先按需求 5 处理好目录权限,再准备安装向导需要的数据库 IP 地址、数据库名、用户名和口令(用只对该站点的库授权的专用账号,不要填 root);安装完成后删除或改名站点目录下的 install 目录,否则任何人都可以重新运行安装程序。(这三行属于上面的 discuz 站点,不是 zrlog。)
www.discuz.com
编辑虚拟主机配置文件
vim /usr/local/tomcat/conf/server.xml
<!-- Virtual host for zrlog; goes inside <Engine> next to the stock
     "localhost" Host.  reloadable="true" makes Tomcat watch WEB-INF for
     changes and redeploy - a development convenience with runtime overhead
     on a production node.  crossContext="true" lets other web applications
     obtain this context; a single-app host does not need it.  The default
     "localhost" Host (manager, host-manager, examples) stays served on 8080
     unless those applications are removed from webapps/. -->
<Host name="www.zrlog.com" appBase=""
unpackWARs= "true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<Context path="" docBase="/data/wwwroot/zrlog.com/" debug="0" reloadable="true" crossContext="true"/>
</Host>
创建数据目录
mkdir /data/wwwroot/zrlog.com/
下载zrlog主程序
[root@localhost ~]$ cd /usr/local/src/
[root@localhost /usr/local/src]$ wget http://dl.zrlog.com/release/zrlog-1.7.1-baaecb9-release.war
[root@localhost /usr/local/src]$ unzip zrlog-1.7.1-baaecb9-release.war
[root@localhost /usr/local/src]$ unzip zrlog-1.7.1-baaecb9-release.war -d /data/wwwroot/zrlog.com
[root@localhost /usr/local/src]$ cd /data/wwwroot/zrlog.com
[root@localhost /data/wwwroot/zrlog.com]$ ls
admin assets error favicon.ico include install META-INF WEB-INF
重启tomcat服务
/usr/local/tomcat/bin/shutdown.sh
/usr/local/tomcat/bin/startup.sh
Windows上的hosts文件
http://www.zrlog.com:8080
五、给站点的后台访问做二次认证 首先安装httpd:
yum install -y httpd-tools #只需要 htpasswd 这一个命令,不必把整个 httpd 装到负载均衡器上
然后使用httpd里的htpasswd 命令去生成一个用户密码文件:
[root@localhost ~]$ htpasswd -c /usr/local/nginx/conf/htpasswd admin
New password:
Re-type new password:
Adding password for user admin
生成完成后cat一下htpasswd 文件可以看到如下内容:
[root@localhost ~]$ cat /usr/local/nginx/conf/htpasswd
admin:$apr1$bwCvGuw9$71cc8LnzGEG0AEiSSB1uO.
如果还需要再次添加用户的话就不需要加上-c选项了,加上-c选项会覆盖原来的htpasswd 文件。这个文件要能被 nginx worker 进程(nginx.conf 里的 user nobody)读到,但不应对其他用户可读:chown root:nobody /usr/local/nginx/conf/htpasswd; chmod 640 /usr/local/nginx/conf/htpasswd。另外 Basic Auth 的用户名口令只是 base64 编码,随每个请求明文传输,只有站点走 HTTPS(在负载均衡器上终止 TLS)时这层认证才真正有意义。
编辑discuz的主机配置文件:
[root@localhost ~]$ vim /usr/local/nginx/conf/vhost/discuz.com.conf
## 添加以下内容,要记得添加在 location ~ \.php$ 上面
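# Basic auth in front of the Discuz admin entry.  Anchored so that it covers
# /admin.php (and the UCenter entry under /uc_server/, if present) without
# matching admin.php placed in user-writable directories.  Because this
# regex location replaces the generic \.php$ handler for these URIs, it must
# carry the FastCGI directives itself: without them nginx serves the raw
# admin.php source as application/octet-stream to whoever authenticates.
location ~ ^/(uc_server/)?admin\.php$
{
    auth_basic "Auth";
    auth_basic_user_file /usr/local/nginx/conf/htpasswd; # password file path
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_pass unix:/tmp/php-fcgi.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}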
重新加载nginx的配置文件:
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
然后使用curl访问看看是否需要认证,结果如下则没问题:
[root@localhost ~]$ curl -x127.0.0.1:80 http://www.discuz.com/admin.php -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.12.1
Date: Fri, 15 Dec 2017 10:33:55 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
最后指定用户名和密码访问看看是否成功,结果如下则说明认证通过了。但要注意下面响应里的 Content-Type: application/octet-stream(还有 ETag、Last-Modified):这说明 nginx 把 admin.php 当成静态文件原样发出去了——正是 location ~ admin.php 里没有 fastcgi 配置的后果,认证通过的人拿到的是 PHP 源码。补上 fastcgi 配置后应看到 PHP 返回的 text/html:
[root@localhost ~]$ curl -x127.0.0.1:80 -u admin:"123456" http://www.discuz.com/admin.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Fri, 15 Dec 2017 10:35:06 GMT
Content-Type: application/octet-stream
Content-Length: 2739
Last-Modified: Fri, 15 Dec 2017 04:09:01 GMT
Connection: keep-alive
ETag: "5a334add-ab3"
Accept-Ranges: bytes
接下来配置dedecms,同样的也是需要编辑主机配置文件:
[root@localhost ~]$ vim /usr/local/nginx/conf/vhost/dedecms.com.conf
## 配置内容如下:
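# Basic auth in front of the DedeCMS backend.  ^~ makes this prefix location
# win over the regex \.php$ location: with a plain "location /dede/" every
# /dede/*.php request would be picked up by the generic PHP handler and reach
# the backend without authentication (only the bare /dede/ URL got the 401).
location ^~ /dede/
{
    auth_basic "Auth";
    auth_basic_user_file /usr/local/nginx/conf/htpasswd; # password file path
    # PHP under /dede/ is executed here, after the auth check
    location ~ \.php$
    {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}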
然后重新加载nginx,同样的使用curl访问看看是否需要认证:
[root@localhost ~]$ curl -x127.0.0.1:80 http://www.dedecms.com/dede/ -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.12.1
Date: Fri, 15 Dec 2017 10:41:28 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
最后是zrlog,编辑nginx的反向代理配置文件:
[root@localhost ~]$ vim /usr/local/nginx/conf/vhost/zrlog.com.conf
## 在location / 的上面添加以下这段内容:
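# Basic auth on the load balancer in front of the zrlog admin pages, then
# proxy to the Tomcat upstream.  The upstream is named "zrlog" in
# zrlog.com.conf (section 八); "zrlog_com" is defined nowhere and nginx -t
# would reject it unless that name happened to resolve.  This check only
# protects anything if Tomcat's 8080 on the web nodes is not reachable
# directly from clients.
location /admin/
{
    auth_basic "Auth";
    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
    proxy_pass http://zrlog/admin/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}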
重启
[root@localhost ~]$ service nginx restart
测试
[root@localhost ~]$ curl -x127.0.0.1:80 http://www.zrlog.com/admin/ -I #走 nginx 的 80 端口;负载均衡器上没有 8080,而在后端机上用 8080 就是直连 tomcat,根本不经过 nginx 的认证
HTTP/1.1 401 Unauthorized
Server: nginx/1.12.1
Date: Fri, 15 Dec 2017 12:20:24 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
六、配置3个站点web服务器的静态文件共享(NFS)
A服务器:192.168.1.141
B服务器:192.168.1.142
A服务器上操作
yum install -y nfs-utils rpcbind
vim /etc/exports //加入如下内容。只导出给两台 web 节点,不要整个 /24;去掉 no_root_squash——否则网段内任何一台机器的 root 都能以 root 身份写这些目录。all_squash+anonuid/anongid 把所有访问映射成 php-fpm 用户,UID/GID 换成 id php-fpm 查出来的数字,两台 web 机上 php-fpm 的 uid/gid 必须一致
/data/wwwroot/discuz.com/data/attachment 192.168.1.141(rw,sync,all_squash,anonuid=UID,anongid=GID) 192.168.1.142(rw,sync,all_squash,anonuid=UID,anongid=GID)
/data/wwwroot/dedecms.com/uploads 192.168.1.141(rw,sync,all_squash,anonuid=UID,anongid=GID) 192.168.1.142(rw,sync,all_squash,anonuid=UID,anongid=GID)
/data/wwwroot/zrlog.com/attached 192.168.1.141(rw,sync,all_squash,anonuid=UID,anongid=GID) 192.168.1.142(rw,sync,all_squash,anonuid=UID,anongid=GID)
#不要 chmod 777 整个站点目录:那样 php-fpm(以及本机任何用户)都能往站点根目录写 php 文件,和需求 5 直接矛盾。按需求 5 设置:目录 755、文件 644、属主 root,只把程序需要写的目录交给进程用户
chown -R root:root /data/wwwroot/discuz.com /data/wwwroot/dedecms.com /data/wwwroot/zrlog.com
find /data/wwwroot/discuz.com /data/wwwroot/dedecms.com /data/wwwroot/zrlog.com -type d -exec chmod 755 {} +
find /data/wwwroot/discuz.com /data/wwwroot/dedecms.com /data/wwwroot/zrlog.com -type f -exec chmod 644 {} +
chown -R php-fpm:php-fpm /data/wwwroot/discuz.com/data /data/wwwroot/dedecms.com/uploads #以及各程序安装检查页面提示的其它需可写目录
chown -R php-fpm:php-fpm /data/wwwroot/zrlog.com/attached #attached 由 tomcat 进程写入;另一台机器经 NFS 写入时会被 all_squash 映射成 anonuid,所以属主同样用 php-fpm 的 uid
systemctl start rpcbind
systemctl start nfs
systemctl enable rpcbind
systemctl enable nfs
[root@localhost vhost]# showmount -e 192.168.1.141
Export list for 192.168.1.141:
/data/wwwroot/zrlog.com/attached 192.168.1.0/24
/data/wwwroot/dedecms.com/uploads 192.168.1.0/24
/data/wwwroot/discuz.com/data/attachment 192.168.1.0/24
B服务器上操作
[root@localhost ~]# showmount -e 192.168.1.141
Export list for 192.168.1.141:
/data/wwwroot/zrlog.com/attached 192.168.1.0/24
/data/wwwroot/dedecms.com/uploads 192.168.1.0/24
/data/wwwroot/discuz.com/data/attachment 192.168.1.0/24
mount -t nfs -o nosuid,nodev,noexec 192.168.1.141:/data/wwwroot/zrlog.com/attached /data/wwwroot/zrlog.com/attached
mount -t nfs -o nosuid,nodev,noexec 192.168.1.141:/data/wwwroot/dedecms.com/uploads /data/wwwroot/dedecms.com/uploads
mount -t nfs -o nosuid,nodev,noexec 192.168.1.141:/data/wwwroot/discuz.com/data/attachment /data/wwwroot/discuz.com/data/attachment
#这三个共享目录只放用户上传的附件,nosuid/nodev/noexec 防止通过共享目录带入 setuid 程序或设备文件;要开机自动挂载需写进 /etc/fstab(加 _netdev 选项)
七、keepalived配置高可用
master:192.168.1.139
backup:192.168.1.140
两台上都安装nginx(安装方法略过)
masater上操作
yum install -y keepalived
vim /etc/keepalived/keepalived.conf
# keepalived.conf on the MASTER load balancer (192.168.1.139).
global_defs {
notification_email {
aming@aminglinux.com
}
notification_email_from root@aminglinux.com
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_DEVEL
}
# Runs /usr/local/sbin/check_ng.sh as root every 3 s; the script itself stops
# keepalived when nginx cannot be started, which is what moves the VIP away.
# Keep the script root-owned and not group/world-writable: keepalived warns
# about (and, with enable_script_security, refuses) scripts writable by others.
vrrp_script chk_nginx {
script "/usr/local/sbin/check_ng.sh"
interval 3
}
vrrp_instance VI_1 {
state MASTER
interface ens33
# must be identical on master and backup, and unique among all VRRP groups on
# this L2 segment: another router using id 51 would contend for the VIP
virtual_router_id 51
priority 100
advert_int 1
authentication {
# VRRP "PASS" authentication is a cleartext password carried in every
# advertisement, and keepalived only uses its first 8 characters
# (keepalived.conf(5)).  It prevents accidental pairing, not an attacker on
# the LAN - restrict VRRP (IP protocol 112) to the two LB hosts by firewall.
auth_type PASS
auth_pass aminglinux>com
}
virtual_ipaddress {
192.168.1.100
}
track_script {
chk_nginx
}
}
监控脚本路径及配置(均为源码安装所有监控脚本一样)
vim /usr/local/sbin/check_ng.sh
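#!/bin/bash
# keepalived vrrp_script health check for nginx; keepalived runs it as root
# every `interval` seconds (see keepalived.conf).
#
# If no nginx process exists, try to start it once; if it still is not running
# afterwards, log the event and stop keepalived so the VIP fails over to the
# other node.  Side effects only, nothing on stdout.
#
# Keep this file root-owned with mode 755: keepalived warns about (and, with
# enable_script_security, refuses to run) a check script that other users can
# write to, since it executes as root.

LOG_FILE="/var/log/check_ng.log"

# Print the number of running nginx processes (master + workers), 0 when none.
# Exact name match so an unrelated "nginx-*" binary does not count.
nginx_process_count() {
  local n
  n=$(pgrep -c -x nginx 2>/dev/null) || n=${n:-0}
  printf '%s\n' "${n:-0}"
}

main() {
  local stamp
  stamp=$(date +%Y%m%d_%H:%M:%S)

  if [[ "$(nginx_process_count)" -eq 0 ]]; then
    /etc/init.d/nginx start
    if [[ "$(nginx_process_count)" -eq 0 ]]; then
      # nginx cannot be brought up on this node: give up the VIP
      printf '%s nginx down,keepalived will stop\n' "$stamp" >> "$LOG_FILE"
      systemctl stop keepalived
    fi
  fi
}

main "$@"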
给脚本权限
chmod 755 /usr/local/sbin/check_ng.sh
启动 keepalived
systemctl start keepalived
backup上操作
yum install -y keepalived
vim /etc/keepalived/keepalived.conf
# keepalived.conf on the BACKUP load balancer (192.168.1.140); identical to
# the master except state/priority.
global_defs {
notification_email {
aming@aminglinux.com
}
notification_email_from root@aminglinux.com
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_DEVEL
}
# Runs /usr/local/sbin/check_ng.sh as root every 3 s; the script itself stops
# keepalived when nginx cannot be started.  Keep the script root-owned and not
# group/world-writable: keepalived warns about (and, with
# enable_script_security, refuses) scripts writable by others.
vrrp_script chk_nginx {
script "/usr/local/sbin/check_ng.sh"
interval 3
}
vrrp_instance VI_1 {
state BACKUP
interface ens33
# must match the master and be unique among all VRRP groups on this segment
virtual_router_id 51
# lower than the master's 100, so the master takes the VIP back when it returns
priority 90
advert_int 1
authentication {
# cleartext VRRP password, only the first 8 characters are used
# (keepalived.conf(5)); must equal the master's.  Restrict VRRP (IP protocol
# 112) to the two LB hosts by firewall rather than relying on this.
auth_type PASS
auth_pass aminglinux>com
}
virtual_ipaddress {
192.168.1.100
}
track_script {
chk_nginx
}
}
监控脚本路径及配置(均为源码安装所有监控脚本一样)
vim /usr/local/sbin/check_ng.sh
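#!/bin/bash
# keepalived vrrp_script health check for nginx; keepalived runs it as root
# every `interval` seconds (see keepalived.conf).
#
# If no nginx process exists, try to start it once; if it still is not running
# afterwards, log the event and stop keepalived so the VIP fails over to the
# other node.  Side effects only, nothing on stdout.
#
# Keep this file root-owned with mode 755: keepalived warns about (and, with
# enable_script_security, refuses to run) a check script that other users can
# write to, since it executes as root.

LOG_FILE="/var/log/check_ng.log"

# Print the number of running nginx processes (master + workers), 0 when none.
# Exact name match so an unrelated "nginx-*" binary does not count.
nginx_process_count() {
  local n
  n=$(pgrep -c -x nginx 2>/dev/null) || n=${n:-0}
  printf '%s\n' "${n:-0}"
}

main() {
  local stamp
  stamp=$(date +%Y%m%d_%H:%M:%S)

  if [[ "$(nginx_process_count)" -eq 0 ]]; then
    /etc/init.d/nginx start
    if [[ "$(nginx_process_count)" -eq 0 ]]; then
      # nginx cannot be brought up on this node: give up the VIP
      printf '%s nginx down,keepalived will stop\n' "$stamp" >> "$LOG_FILE"
      systemctl stop keepalived
    fi
  fi
}

main "$@"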
给脚本权限
chmod 755 /usr/local/sbin/check_ng.sh
启动 keepalived
systemctl start keepalived
测试
主或者从上使用/etc/init.d/nginx stop
均能将nginx给拉起来(check_ng.sh 每 3 秒检测一次)
主上systemctl stop keepalived
vip到从上
主上systemctl start keepalived
vip到主上(主的 priority 100 高于从的 90,默认会抢占回来)
八、nginx实现负载均衡
zrlog.com
两台机器(即 139/140 两台负载均衡器)的vhost都创建一个zrlog.com.conf。同时在 141/142 两台后端上用防火墙把 80、8080 端口限制为只允许 139/140 访问,否则客户端可以直连后端,绕过负载均衡器以及上面做的后台二次认证。
vim /usr/local/nginx/conf/vhost/zrlog.com.conf # 写入如下内容
upstream zrlog
{
ip_hash;
server 192.168.1.141:8080; #多台服务器
server 192.168.1.142:8080; #多台服务器
}
server
{
listen 80;
server_name www.zrlog.com;
location /
{
proxy_pass http://zrlog;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
dedecms.com
两台机器的vhost都创建一个dedecms.com.conf
vim /usr/local/nginx/conf/vhost/dedecms.com.conf # 写入如下内容
upstream dedecms
{
ip_hash;
server 192.168.1.141:80; #多台服务器
server 192.168.1.142:80; #多台服务器
}
server
{
listen 80;
server_name www.dedecms.com;
location /
{
proxy_pass http://dedecms;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
discuz.com
两台机器的vhost都创建一个discuz.com.conf
vim /usr/local/nginx/conf/vhost/discuz.com.conf # 写入如下内容
upstream discuz
{
ip_hash;
server 192.168.1.141:80; #多台服务器
server 192.168.1.142:80; #多台服务器
}
server
{
listen 80;
server_name www.discuz.com;
location /
{
proxy_pass http://discuz;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
九、做个一个简单的命令审计(专业的有Jumpserver)。说明:需求 6(只允许普通用户密钥登录、root 只能通过 sudo)和需求 8 的日志切割本文没有覆盖,需要另行配置 sshd_config 与 logrotate。下面的片段放到 /etc/profile.d/ 下:
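# /etc/profile.d snippet: minimal per-user command audit trail.
#
# On every interactive bash prompt the previous command line is appended,
# with a timestamp and the login session (user, tty, origin), to
# /usr/local/domob/records/<user>/bash_history, and mirrored to syslog
# (authpriv) so a copy exists that the user cannot edit.
#
# Caveats: the user owns the record directory, so this is best-effort
# evidence, not tamper-proof -- `unset PROMPT_COMMAND` or editing the file
# defeats it; only the syslog copy (forward it to a remote host) survives.
# Commands are logged verbatim, so secrets passed on command lines
# (mysql -p..., curl -u ...) land in the log: keep the records directory and
# the syslog destination readable by root only.

audit_user=${LOGNAME:-$(id -un)}
audit_dir="/usr/local/domob/records/${audit_user}"

if [ ! -d "$audit_dir" ]; then
  mkdir -p "$audit_dir"
  # owner may enter and write but not list; other users get nothing
  chmod 300 "$audit_dir"
fi
export audit_user
export HISTORY_FILE="${audit_dir}/bash_history"

# "user tty origin" from utmp; falls back to "- - -" for a session without
# an utmp entry so the record stays well-formed.
audit_session() {
  local who_line
  who_line=$(who am i 2>/dev/null | awk '{print $1, $2, $5}')
  if [ -z "$who_line" ]; then
    who_line='- - -'
  fi
  printf '%s\n' "$who_line"
}

# Format one record: $1 timestamp, $2 session descriptor, $3 command line.
# All three go through '%s'.  The old version embedded the command inside
# date's format string, so a '%' typed by the user (e.g. '%n') could break or
# forge log lines.
audit_format_entry() {
  printf '%s ##### %s #### %s\n' "$1" "$2" "$3"
}

# Append the last history entry to the per-user file and to syslog.
audit_log_last_command() {
  local session cmd
  session=$(audit_session)
  # history output is "<n>  <command>"; -r keeps backslashes as typed
  cmd=$(history 1 | { read -r _num rest; printf '%s' "$rest"; })
  audit_format_entry "$(date '+%Y-%m-%d %T')" "$session" "$cmd" >> "$HISTORY_FILE"
  logger -p authpriv.info -t cmd_audit -- "$audit_user $session $cmd"
}

# Exported so a non-login child bash inherits the hook together with the
# functions it calls.
export -f audit_session audit_format_entry audit_log_last_command
export PROMPT_COMMAND='audit_log_last_command'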