Cluster & haproxy
Software: haproxy, used mainly for layer-7 load balancing; it can also balance at layer 4.
apache can also do layer-7 load balancing (mod_proxy_balancer), but it is cumbersome and rarely used for that in practice.
The "layer" of a load balancer refers to the OSI layer it works at:
Layer-7 load balancing: works on the HTTP protocol (layer 7), so it can route on URL, headers and cookies.
Layer-4 load balancing: works on TCP, forwarding by IP address and port without looking at the application data.
haproxy overview:
ha-proxy is a high-performance load-balancing software. Because it concentrates on load balancing alone, it does that one job better and more thoroughly than nginx.
ha-proxy features:
•Supports load balancing at both the TCP and HTTP layers, which makes its balancing features very rich.
•Supports a range of balancing algorithms (roundrobin, static-rr, leastconn, source, uri, url_param, hdr, random, among others); in HTTP mode in particular there are several very practical ones that fit all kinds of needs.
•Excellent performance, based on an event-driven, non-blocking process model (similar in spirit to Nginx; multi-threaded since 1.8).
•Has a capable stats page for watching the current state of the system in real time.
•Powerful ACL support, which gives the administrator a lot of flexibility.
haproxy algorithms:
1.roundrobin
Weighted round-robin. When the servers' processing times stay evenly distributed this is the most balanced and fairest algorithm. It is dynamic, meaning a server's weight can be adjusted at run time (from the stats page or the admin socket); a backend is limited to 4095 active servers with this algorithm.
2.static-rr
Weighted round-robin like roundrobin, but static: changing a server's weight at run time has no effect. In exchange it has no design limit on the number of servers in a backend.
3.leastconn
A new connection is sent to the backend server with the fewest active connections. Best suited to long sessions such as LDAP or SQL; for short HTTP requests roundrobin usually spreads load better.
Environment:
Host | IP
---|---
centos8 master | 192.168.1.5
centos8 node01 | 192.168.1.6
centos8 node02 | 192.168.1.7
Configure the yum repo (all 3 hosts)
[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# rm -rf * #remove the existing repo files (the CentOS 8 mirrors are gone; the vault repo below replaces them)
[root@localhost yum.repos.d]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-8.5.2111.repo #configure the Aliyun vault repo
[root@localhost yum.repos.d]# yum clean all #clear the cache
Disable the firewall and SELinux (all 3 hosts). This is a lab shortcut: on a real host keep SELinux enforcing and open only the ports you need (80/443 on the nodes, 80 plus the stats port on the master) instead of disabling firewalld.
[root@localhost yum.repos.d]# systemctl stop firewalld.service #stop the firewall now
[root@localhost yum.repos.d]# systemctl disable firewalld.service #keep it off after reboot
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost yum.repos.d]# setenforce 0 #set SELinux to permissive for this boot
[root@localhost yum.repos.d]# vim /etc/selinux/config #edit the config file to disable it permanently
SELINUX=disabled
Install apache on the two (node) servers:
# node01(192.168.1.6)
[root@localhost ~]# yum -y install httpd #install apache
[root@localhost ~]# systemctl start httpd.service #start the service
[root@localhost ~]# echo "whd rs1" > /var/www/html/index.html #test page
# node02(192.168.1.7)
[root@localhost yum.repos.d]# yum -y install httpd
[root@localhost yum.repos.d]# systemctl start httpd.service
[root@localhost yum.repos.d]# echo "whd rs2" > /var/www/html/index.html
Generate the certificate (on node01)
Create a directory
[root@localhost certs]# mkdir whd
[root@localhost certs]# cd whd
Step 1: generate the private key (2048-bit RSA, encrypted with a passphrase for now)
[root@localhost whd]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................................................................................+++++
...........................................................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Step 2: generate the CSR (certificate signing request)
[root@localhost whd]# openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=mofei/OU=mofei/CN=whd"
Enter pass phrase for server.key:
The -subj fields are:
Field | Meaning | Example
---|---|---
/C= | Country | CN
/ST= | State or Province | Zhejiang
/L= | Location or City | Hangzhou
/O= | Organization | mofei
/OU= | Organization Unit | mofei
/CN= | Common Name, the host name or IP clients will connect to | whd
Note that "whd" matches neither 192.168.1.6 nor any DNS name, so clients will report a name mismatch; current browsers and curl also ignore the CN and require a subjectAltName extension.
Step 3: remove the passphrase from the private key (httpd cannot answer the prompt at boot, so the key is stored unencrypted; keep it root-owned with mode 600)
[root@localhost whd]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
Step 4: generate the self-signed SSL certificate (valid for 10 years; being self-signed, every client has to be told to trust server.crt explicitly)
[root@localhost whd]# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = CN, ST = Zhejiang, L = Hangzhou, O = mofei, OU = mofei, CN = whd
Getting Private key
Step 5: create the SSL vhost config file
[root@localhost private]# vim /etc/httpd/conf.d/192.168.1.6.conf
# configuration contents (the SSL vhost pointing at server.crt and server.key)
The restart fails:
[root@localhost private]# systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@localhost private]# vim /etc/httpd/conf.d/192.168.1.6.conf
[root@localhost private]# journalctl -xe
-- Subject: Unit httpd.service has finished shutting down
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit httpd.service has finished shutting down.
Oct 09 11:09:10 node01 systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit httpd.service has begun start-up.
Oct 09 11:09:10 node01 httpd[42121]: AH00526: Syntax error on line 6 of /etc/httpd/conf.d/192.16>
Oct 09 11:09:10 node01 httpd[42121]: Invalid command 'SSLCertificateFile', perhaps misspelled or>
Oct 09 11:09:10 node01 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAI>
Oct 09 11:09:10 node01 systemd[1]: httpd.service: Failed with result 'exit-code'.
Fix: install the mod_ssl module, which provides the SSL* directives (httpd -t reports the same syntax error without restarting the service)
[root@localhost private]# yum -y install mod_ssl
[root@localhost private]# systemctl restart httpd.service #service starts
Verify
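The five certificate steps above plus the mod_ssl fix, collapsed into one script, as an added example that is not part of the original page: it creates the key and certificate in a single openssl call with a subjectAltName (the page's CN-only certificate is rejected on hostname by current browsers and curl, which ignore the CN), checks that the certificate really belongs to the key before the pair is copied to node02, and writes the SSL vhost that step 5 leaves out. The certificate directory, the node IP 192.168.1.6 and the vhost contents are assumptions; the demo at the bottom runs in a temporary directory.

```shell
#!/bin/sh
# Added example (not the page's commands): self-signed cert with SAN, key/cert
# consistency check and the httpd SSL vhost. All paths below are assumed.

# Key + self-signed cert in one step (page steps 1-4). -nodes writes the key
# without a passphrase so httpd can start unattended; chmod 600 protects it
# instead. -addext adds the SAN that modern clients require.
make_selfsigned() {
    dir="$1" cn="$2" san="$3"   # e.g. /etc/pki/tls/certs/whd whd "DNS:whd,IP:192.168.1.6"
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=mofei/OU=mofei/CN=$cn" \
        -addext "subjectAltName=$san" 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
}

# Returns 0 when the certificate's public key equals the one derived from the
# private key (both as SPKI PEM); catches a cert copied to node02 next to the
# wrong server.key. Returns 2 if either file cannot be parsed.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# Returns 0 when the certificate stays valid for at least $2 more seconds
# (default 30 days), so a renewal can be scheduled before clients fail.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# The vhost page step 5 leaves out. Needs mod_ssl installed: the AH00526
# "Invalid command 'SSLCertificateFile'" error is httpd without that module.
# Plain :80 stays as it is, because haproxy balances to port 80 on the nodes.
write_ssl_vhost() {
    out="$1" ip="$2" crt="$3" key="$4"
    cat > "$out" <<EOF
<VirtualHost $ip:443>
    ServerName $ip
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile $crt
    SSLCertificateKeyFile $key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
EOF
}

# Demo in a temporary directory. On node01 use /etc/pki/tls/certs/whd and
# /etc/httpd/conf.d/192.168.1.6.conf, then: httpd -t && systemctl restart httpd
tmp=$(mktemp -d)
make_selfsigned "$tmp" whd "DNS:whd,IP:192.168.1.6" &&
    cert_matches_key "$tmp/server.crt" "$tmp/server.key" &&
    cert_not_expiring "$tmp/server.crt" &&
    write_ssl_vhost "$tmp/192.168.1.6.conf" 192.168.1.6 "$tmp/server.crt" "$tmp/server.key" &&
    echo "certificate, key and vhost written to $tmp" || echo "FAILED (is openssl installed?)"
```

Run `cert_matches_key` again on node02 after the scp; a mismatch there returns 1 and is exactly the failure httpd would otherwise report only at restart.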
Configure the certificate on node02
Copy the files generated on node01 (server.key, server.crt and the vhost config) to node02 with scp, keep server.key at mode 600 there too, and install mod_ssl on node02 as well before restarting httpd.
Install haproxy (master)
Install the build dependencies
[root@localhost ~]# yum -y install make gcc pcre-devel zlib-devel bzip2-devel openssl-devel systemd-devel #zlib-devel is needed for USE_ZLIB=1 below
[root@localhost ~]# useradd -r -M -s /sbin/nologin haproxy # create the unprivileged service user
Download the source package (haproxy.org publishes a .sha256 file next to each tarball; fetch it and run sha256sum -c before building)
[root@localhost ~]# wget https://www.haproxy.org/download/2.7/src/haproxy-2.7.10.tar.gz
Extract
[root@localhost ~]# tar -xf haproxy-2.7.10.tar.gz
[root@master ~]# cd haproxy-2.7.10/
[root@master haproxy-2.7.10]# make -j $(nproc) TARGET=linux-glibc USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1 USE_SYSTEMD=1 #compile
CC src/ev_poll.o
CC src/ev_epoll.o
CC src/cpuset.o
CC src/ssl_sock.o
CC src/ssl_ckch.o
CC src/ssl_sample.o
CC src/ssl_crtlist.o
CC src/cfgparse-ssl.o
CC src/ssl_utils.o
CC src/jwt.o
CC src/namespace.o
CC src/mux_h2.o
CC src/mux_fcgi.o
CC src/mux_h1.o
.....................................
[root@master haproxy-2.7.10]# echo $? #check the build result
0
[root@master haproxy-2.7.10]# make install PREFIX=/usr/local/haproxy #install path
[root@master haproxy-2.7.10]# ls /usr/local/
bin etc games haproxy include lib lib64 libexec sbin share src
[root@master haproxy-2.7.10]# cd /usr/local/haproxy/ #check that the files were generated
[root@master haproxy]# ls
doc sbin share
[root@master haproxy-2.7.10]# cp -a /usr/local/haproxy/sbin/* /usr/sbin/ #copy the binary to /usr/sbin
# kernel parameters on the load balancer: ip_nonlocal_bind lets haproxy bind a floating VIP that keepalived has not (yet) assigned to this node; ip_forward enables routing and is not needed by haproxy itself, which proxies in user space
[root@master haproxy-2.7.10]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@master haproxy-2.7.10]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@master haproxy-2.7.10]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
#provide the configuration file (the unit below expects /etc/haproxy/haproxy.cfg, so mkdir -p /etc/haproxy first)
~~~
#--------------global settings----------------
global
log 127.0.0.1 local0 info #sent over UDP to rsyslog, which must listen on 127.0.0.1:514 (see the rsyslog step below)
#log loghost local0 info
maxconn 20480
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option dontlognull
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin
timeout connect 10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3
#--------------stats page----------------
listen admin_stats
bind 0.0.0.0:8189 #lab value: in production bind to a management address or restrict the section with an ACL
stats enable
mode http
log global
stats uri /haproxy_stats
stats realm Haproxy\ Statistics
stats auth admin:admin #lab value: Basic auth over plain HTTP; change the password and do not expose it on an untrusted network
#stats hide-version
stats admin if TRUE #TRUE lets every stats user disable/enable servers; use an ACL such as "if { src 192.168.1.0/24 }" in production
stats refresh 30s
#---------------web settings-----------------------
listen webcluster
bind 0.0.0.0:80
mode http
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
cookie SESSION_COOKIE insert indirect nocache
#"cookie insert" only sticks a client to a server when each server line carries its own cookie value
server web01 192.168.1.6:80 cookie web01 check inter 2000 fall 5
server web02 192.168.1.7:80 cookie web02 check inter 2000 fall 5
~~~
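A config audit for the lab shortcuts in the file above, as an added example that is neither HAProxy's nor the page's code: the awk scanner walks a haproxy.cfg section by section and flags a stats page bound on all interfaces, the default admin:admin credentials, `stats admin if TRUE` (which lets every stats user take backends out of service), `cookie ... insert` with server lines that carry no cookie value (so no stickiness happens), and servers without `check`. The two writer functions embed constructed copies of the page's listen sections and a hardened variant so the script runs offline; the management subnet, the stats bind address and the sample password in the hardened copy are assumptions.

```shell
#!/bin/sh
# Added example (not part of the page or of HAProxy): audit a haproxy.cfg for
# lab settings that must not reach production. Exit status = number of findings,
# so it can gate a deploy:
#   haproxy -f /etc/haproxy/haproxy.cfg -c && audit_haproxy_cfg /etc/haproxy/haproxy.cfg
audit_haproxy_cfg() {
    awk '
    # evaluate the flags collected for the section that just ended
    function flush() {
        if (sec == "") return
        if (stats && bindall) { n++; print "WARN [" sec "]: stats page bound on all interfaces; bind a management address or add an ACL" }
        if (stats && weakauth) { n++; print "WARN [" sec "]: stats auth uses the default admin:admin" }
        if (stats && adminall) { n++; print "WARN [" sec "]: stats admin if TRUE lets any stats user disable/enable servers" }
        if (cookie && nocookie) { n++; print "WARN [" sec "]: cookie insert set but " nocookie " server line(s) carry no cookie value (no stickiness)" }
        if (nocheck) { n++; print "WARN [" sec "]: " nocheck " server line(s) without a health check" }
        stats = bindall = weakauth = adminall = cookie = nocookie = nocheck = 0
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments and blank lines
    /^(global|defaults|listen|frontend|backend)([[:space:]]|$)/ {
        flush(); sec = ($2 != "") ? ($1 " " $2) : $1; next
    }
    $1 == "stats" && $2 == "enable"                        { stats = 1 }
    $1 == "stats" && $2 == "auth" && $3 == "admin:admin"   { weakauth = 1 }
    $1 == "stats" && $2 == "admin" && $3 == "if" && $4 == "TRUE" { adminall = 1 }
    $1 == "bind" && ($2 ~ /^(0\.0\.0\.0|\*|\[::\]):/ || $2 ~ /^:[0-9]+$/) { bindall = 1 }
    $1 == "cookie" && $3 == "insert"                       { cookie = 1 }
    $1 == "server" {
        if ($0 !~ /[[:space:]]cookie[[:space:]]/) nocookie++
        if ($0 !~ /[[:space:]]check([[:space:]]|$)/) nocheck++
    }
    END { flush(); exit n }
    ' "$1"
}

# Constructed copy of the page's listen sections (the lab config).
write_lab_cfg() {
    cat > "$1" <<'EOF'
global
    daemon
defaults
    mode http
listen admin_stats
    bind 0.0.0.0:8189
    stats enable
    stats uri /haproxy_stats
    stats auth admin:admin
    stats admin if TRUE
listen webcluster
    bind 0.0.0.0:80
    balance roundrobin
    cookie SESSION_COOKIE insert indirect nocache
    server web01 192.168.1.6:80 check inter 2000 fall 5
    server web02 192.168.1.7:80 check inter 2000 fall 5
EOF
}

# The same sections with the shortcuts removed (assumed management subnet/password).
write_hardened_cfg() {
    cat > "$1" <<'EOF'
global
    daemon
defaults
    mode http
listen admin_stats
    bind 192.168.1.5:8189
    stats enable
    stats uri /haproxy_stats
    stats auth ops:replace-with-a-long-random-secret
    # only the management subnet may change server state
    acl mgmt src 192.168.1.0/24
    stats admin if mgmt
listen webcluster
    bind 0.0.0.0:80
    balance roundrobin
    cookie SESSION_COOKIE insert indirect nocache
    server web01 192.168.1.6:80 cookie web01 check inter 2000 fall 5
    server web02 192.168.1.7:80 cookie web02 check inter 2000 fall 5
EOF
}

# Demo: the lab copy yields 4 findings, the hardened copy none.
tmp=$(mktemp -d)
write_lab_cfg "$tmp/lab.cfg"; write_hardened_cfg "$tmp/hardened.cfg"
for f in lab hardened; do
    echo "== $f.cfg"
    audit_haproxy_cfg "$tmp/$f.cfg" || echo "$f.cfg: $? finding(s)"
done
```

The hardened copy still sends the stats password as Basic auth in clear text; terminating TLS on that bind (`bind 192.168.1.5:8189 ssl crt ...`) is the next step, and the audit can be extended with one more flag for a stats bind without `ssl`.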
### Writing the haproxy.service file
# quote the delimiter ('EOF') so $MAINPID is written literally instead of being expanded to nothing by the shell
cat > /usr/lib/systemd/system/haproxy.service <<'EOF'
[Unit]
Description=HAProxy Load Balancer
After=network-online.target
Wants=network-online.target
[Service]
# validate the config first so a typo fails the start instead of killing the running instance
ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=/usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
ExecReload=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecReload=/bin/kill -USR2 $MAINPID
# -Ws is master-worker mode with sd_notify, so systemd has to treat this as a notify service
Type=notify
KillMode=mixed
Restart=always
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
# Enable logging: haproxy sends its log over UDP to 127.0.0.1:514, so rsyslog must listen there (on loopback only)
# vim /etc/rsyslog.conf
module(load="imudp")
input(type="imudp" port="514" address="127.0.0.1")
local0.* /var/log/haproxy.log
systemctl restart rsyslog
# Start the service (haproxy -f /etc/haproxy/haproxy.cfg -c checks the syntax by hand; the unit does the same in ExecStartPre)
systemctl restart haproxy
[root@localhost sbin]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8189 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
Verify: from a client, request http://192.168.1.5/ several times; requests without a cookie jar (curl) should alternate between "whd rs1" and "whd rs2". The stats page is at http://192.168.1.5:8189/haproxy_stats with the credentials from stats auth.