1.1. 增加网关,可访问外网,下载资源
route add default gw 网关(*.*.*.255)
1.2. 安装上传下载工具(lrzsz)
yum -y install lrzsz
1.3. 安装编译工具及库文件
1.3.1. 使用:
① yum -y install gcc automake autoconf libtool make
② yum install gcc gcc-c++
zlib
③ cd /usr/local/src
④ wget http://zlib.net/zlib-1.2.11.tar.gz
注:该地址为明文 HTTP,传输过程中文件可能被篡改;解压、编译之前请用 sha256sum 计算校验值,并与官方发布页公布的值核对。下文其余通过 http/ftp 下载的源码包同理。
⑤ tar zlib-1.2.11.tar.gz(此命令缺少 x 等操作选项,执行会报错,可跳过;实际解压见下一步)
⑥ tar xvf zlib-1.2.11.tar.gz
⑦ cd zlib-1.2.11
⑧ ./configure
⑨ make
⑩ make install
Openssl
⑪ cd /usr/local/src
⑫ wget https://www.openssl.org/source/openssl-1.0.1t.tar.gz
⑬ tar xvf openssl-1.0.1t.tar.gz
1.3.2. 未使用:
yum -y install make zlib zlib-devel gcc-c++ libtool openssl openssl-devel
1.4. 安装 PCRE
① cd /usr/local/src
② wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.39.tar.gz
③ tar xvf pcre-8.39.tar.gz
④ cd pcre-8.39
⑤ ./configure
⑥ make
⑦ make install
1.5. 安装Nginx
① cd /usr/local/src
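② wget http://nginx.org/download/nginx-1.1.10.tar.gz
注:nginx 1.1.10 是 2011 年发布的开发版,早已停止维护,且 ssl_protocols 不支持 TLSv1.1/TLSv1.2 取值(1.1.13 起才支持);实际部署请改用仍在维护的稳定版,并相应调整后文的 SSL 配置。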
③ tar xvf nginx-1.1.10.tar.gz
④ cd nginx-1.1.10
⑤ ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.39
⑥ make
⑦ make install
⑧ cd ..
⑨ ls
⑩ cd nginx/conf
⑪ ls
⑫ nginx
⑬ /usr/local/nginx/sbin/nginx
1.6. 安装Keepalived
① cd /usr/local/src
② wget http://www.keepalived.org/software/keepalived-1.2.24.tar.gz
③ tar xvf keepalived-1.2.24.tar.gz
④ cd keepalived-1.2.24
⑤ cd ..
⑥ mkdir keepalived
⑦ cd src/keepalived-1.2.24
⑧ ls
⑨ ./configure --prefix=/usr/local/keepalived
⑩ make && make install
1.7. 将Keepalived设置为系统服务(service)并开机启动
① cd /etc
② ls
③ mkdir keepalived
④ cp /usr/local/keepalived/etc/keepalived.conf /etc/keepalived/keepalived.conf
⑤ cp /usr/local/keepalived/etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf
⑥ cp /usr/local/keepalived/etc/rc.d/init.d/keepalived /etc/rc.d/init.d/keepalived
⑦ cp /usr/local/keepalived/etc/sysconfig/keepalived /etc/sysconfig/keepalived
⑧ cp /usr/local/keepalived/sbin/keepalived /usr/sbin
⑨ chkconfig keepalived on
⑩ chmod a+x /etc/init.d/keepalived
⑪ service keepalived start
1.8. Keepalived 配置
① cd /etc/keepalived/
② ls
③ vi keepalived.conf
主:
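! Configuration File for keepalived
#
# MASTER node. The first two lines of this listing were mangled in the
# original paste ("/bin/bash: Configuration: command not found" and
# "bal_defs {"); they are restored from the BACKUP node's copy of the file.
# The inline "//" annotations were also converted to "#" comments: keepalived
# only treats "#" and "!" as comment markers, so "MASTER//..." would have been
# read as part of the value.

global_defs {
    # NOTE(review): these addresses and the SMTP server look like the values
    # shipped in keepalived's sample configuration - replace them with the
    # site's own before relying on failover notifications.
    notification_email {
        acassen@firewall.loc
        failover@firewall.loc
        sysadmin@firewall.loc
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 192.168.200.1
    smtp_connect_timeout 30
    router_id LVS_DEVEL
    vrrp_skip_check_adv_addr
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state MASTER                # this node starts as the master
    interface eth0
    virtual_router_id 51        # same value as on the backup node
    priority 101                # election weight; higher than the backup's 99
    advert_int 1
    authentication {
        # NOTE(review): auth_type PASS carries the password in clear text in
        # every VRRP advertisement, and keepalived uses only its first eight
        # characters. "1111" is a guessable sample value: set a site-specific
        # secret (identical on both nodes) and restrict VRRP traffic
        # (IP protocol 112) to the peer's address at the host firewall.
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        *.*.*.83                # virtual IP (masked here; use the real VIP)
    }
}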
备:
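! Configuration File for keepalived
#
# BACKUP node. The inline "//" annotations of the original listing were
# converted to "#" comments: keepalived only treats "#" and "!" as comment
# markers, so "BACKUP//..." would have been read as part of the value.

global_defs {
    # NOTE(review): these addresses and the SMTP server look like the values
    # shipped in keepalived's sample configuration - replace them with the
    # site's own before relying on failover notifications.
    notification_email {
        acassen@firewall.loc
        failover@firewall.loc
        sysadmin@firewall.loc
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 192.168.200.1
    smtp_connect_timeout 30
    router_id LVS_DEVEL
    vrrp_skip_check_adv_addr
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state BACKUP                # this node starts as the backup
    interface eth0
    virtual_router_id 51        # same value as on the master node
    priority 99                 # election weight; lower than the master's 101
    advert_int 1
    authentication {
        # NOTE(review): auth_type PASS carries the password in clear text in
        # every VRRP advertisement, and keepalived uses only its first eight
        # characters. "1111" is a guessable sample value: set a site-specific
        # secret (identical on both nodes) and restrict VRRP traffic
        # (IP protocol 112) to the peer's address at the host firewall.
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        *.*.*.83                # virtual IP (masked here; use the real VIP)
    }
}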
1.9. 将Nginx设置为系统服务(service)并开机启动
① vim /etc/init.d/nginx
将nginx设置为"/usr/local/nginx/sbin/nginx"
将NGINX_CONF_FILE设置为"/usr/local/nginx/conf/nginx.conf"
② chkconfig nginx on
③ chmod a+x /etc/init.d/nginx
④ chkconfig --add /etc/init.d/nginx
⑤ service nginx stop
⑥ service nginx start
⑦ chkconfig nginx on
1.10. Nginx配置
# nginx.conf for the load-balancer node. It defines three upstream groups,
# three plain-HTTP reverse-proxy listeners (9090/19090/29090), two TLS virtual
# hosts on 443 and two server blocks on port 80. The non-ASCII server_name
# entries and the *.*.*.N addresses are masked placeholders in this document
# and must be replaced with real names/addresses before use.
user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
# NOTE(review): access logging with the "main" format is commented out below;
# enabling it is what makes proxy abuse and backend errors traceable.
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
# Upstream groups: each balances between a local backend and the peer host.
# ip_hash keeps requests from one client address on the same backend.
upstream app{
ip_hash;
server 127.0.0.1:8080;
server *.*.*.16:8080;
}
upstream wechat{
ip_hash;
server 127.0.0.1:18080;
server *.*.*.16:18080;
}
upstream web{
ip_hash;
server 127.0.0.1:28080;
server *.*.*.16:28080;
}
# Plain-HTTP listeners, one per upstream group.
# NOTE(review): these three ports reach the same backends as the TLS hosts
# below without encryption - confirm they are only reachable from a trusted
# network (host firewall / security group).
server {
listen 9090 ;
server_name app 二级域名;
location /
{
proxy_pass http://app;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
server {
listen 19090;
server_name wechat 二级域名;
location /
{
proxy_pass http://wechat;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
server {
listen 29090;
server_name web 域名;
location /
{
proxy_pass http://web;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
# SSL certificate configuration
# TLS virtual host for the "app" upstream.
server {
listen 443;
# "ssl on" is the legacy way to enable TLS for a server block; newer nginx
# releases express this as "listen 443 ssl".
ssl on;
server_name app 二级域名 *.*.*.83;
# Relative paths: nginx resolves them against its configuration directory.
# The private key file should be readable by root only.
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
# NOTE(review): only TLS 1.0 is enabled, which is deprecated. Moving to
# TLSv1.2 or later needs a newer nginx first: the 1.1.10 build from the install
# steps does not accept TLSv1.1/TLSv1.2 here (added in 1.1.13).
ssl_protocols TLSv1;
ssl_prefer_server_ciphers on;
# NOTE(review): the list still permits 3DES and static-RSA key exchange (no
# forward secrecy); only MD5 suites are excluded. Tighten it together with the
# protocol upgrade.
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
location / {
# pass proxy request headers to the backend
# $proxy_add_x_forwarded_for appends the client address to whatever
# X-Forwarded-For the client sent, and $http_host is the client's own Host
# header, so the backend must not treat either value as trusted input.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
# connect/send/read timeouts towards the backend, in seconds
proxy_connect_timeout 240;
proxy_send_timeout 240;
proxy_read_timeout 240;
proxy_pass http://app;
}
}
# TLS virtual host for the "web" upstream; same certificate, protocol and
# cipher settings as the "app" host above, so the same review notes apply.
server {
listen 443;
ssl on;
server_name web 域名;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_connect_timeout 240;
proxy_send_timeout 240;
proxy_read_timeout 240;
proxy_pass http://web;
}
}
# redirect HTTP requests to HTTPS
server {
listen 80;
server_name 域名;
# The trailing comment was mis-encoded in the source; it appears to have read
# "force redirect to port 443". The redirect target host is hard-coded.
return 301 https://www.ifsage.com$request_uri;
}
# NOTE(review): this block enables "ssl on" while listening on port 80, the
# same port as the plain-HTTP redirect server above. As written it would speak
# TLS on port 80; it was probably meant to listen on 443 like the other TLS
# hosts - confirm before deploying. The protocol and cipher notes on the
# first TLS host apply here as well.
server {
listen 80;
ssl on;
server_name 二级域名;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
location / {
# pass proxy request headers to the backend
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_connect_timeout 240;
proxy_send_timeout 240;
proxy_read_timeout 240;
proxy_pass http://wechat;
}
}
}