全站 https搭建discuz并实现lb01和lb02keepalived高可用故障转移

作业 – 05.8

• 实现整站https
• 部署discuz
• 实现lb01和lb02故障转移

实现整站https

一、多台HTTPS配置 — 假证书

1.检查nginx

[root@web01 ~]# nginx -V
--with-http_ssl_module    ---有这个模块是支持

2.创建证书存放目录

[root@web01 ~]# mkdir /etc/nginx/ssl_key
[root@web01 ~]# cd /etc/nginx/ssl_key/

3.造假证书

# 1、生成私钥
#使用openssl命令充当CA权威机构创建证书（生产不使用此方式生成证书，不被互联网认可的黑户证书）

[root@web01 ssl_key]# openssl genrsa -idea -out server.key 2048 # 最少密码4位
Generating RSA private key, 2048 bit long modulus
...............................+++
........+++
e is 65537 (0x10001)
Enter pass phrase for server.key: 123456   # 密码6位
Verifying - Enter pass phrase for server.key: 123456

[root@web01 ssl_key]# ll
total 4
-rw-r--r--. 1 root root 1739 Dec  9 11:27 server.key

# 2、生成公钥
#生成自签证书(公钥)，同时去掉私钥的密码
[root@web01 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
........................+++
...............................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:riben
Locality Name (eg, city) [Default City]:sh
Organization Name (eg, company) [Default Company Ltd]:skz
Organizational Unit Name (eg, section) []:mm
Common Name (eg, your name or your server's hostname) []:mm
Email Address []:1234@qq.com

# req  --> 用于创建新的证书
# new  --> 表示创建的是新证书    
# x509 --> 表示定义证书的格式为标准格式
# key  --> 表示调用的私钥文件信息
# out  --> 表示输出证书文件信息
# days --> 表示证书的有效期
# sha256 --> 加密方式

# 3、查看生成的证书
[root@web01 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1342 Apr  8 15:00 server.crt
-rw-r--r-- 1 root root 1708 Apr  8 15:00 server.key

全站HTTPS

1、环境准备

主机	内网IP	外网IP	身份
web01	172.16.1.7		web服务器
web02	172.16.1.8		web服务器
lb01	172.16.1.5	192.168.15.5	负载均衡
lb02	172.16.1.6	192.168.15.6	负载均衡

2.配置web服务器

# web01与web02都提前安装好nginx官方源与php

二、部署discuz

1、web01搭建discuz论坛

1、创建站点目录
[root@web01 ~]# mkdir /mm/discuz
2、上传并解压代码包
[root@web01 ~]# rz
-rw-r--r--. 1 root root 10829853 Dec  7 12:04 Discuz_X3.3_SC_GBK.zip
[root@web01 ~]# unzip Discuz_X3.3_SC_GBK.zip -d /mm/discuz/
[root@web01 ~]# chown -R www.www /mm/discuz/

2、配置discuz论坛的nginx配置文件

## HTTPS访问的话以下这2个文件必须有
[root@pingweb01 nginx]# cd ssl_key/
[root@pingweb01 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1249 May  8 19:18 server.crt
-rw-r--r-- 1 root root 1704 May  8 19:18 server.key 

1、配置nginx
[root@pingweb01 conf.d]# cat linux12mm.discuz.https.com.conf 
server {
    listen 80;
    server_name linux12mm.discuz.com;
    root /mm/discuz/upload;

    location / {
        index index.php;
    }

    location ~* \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;  #开启https模式
        include fastcgi_params;
    }
}
## nginx -t检查并重启
[root@web01 ~]# systemctl restart nginx	php-fpm 

3.必须保证web01单台HTTPS可以访问 —了解

[root@pingweb01 conf.d]# cat linux12mm.discuz.https.com.conf 
server {
    listen 80;
    server_name linux12mm.discuz.com;
    root /mm/discuz/upload;

    location / {
        index index.php;
    }

    location ~* \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;  #开启https模式
        include fastcgi_params;
    }
}

# 必须保证web01单台HTTPS可以访问,否则负载均衡就不能实现

4、web02机器与web01机器相同

## web01服务端推送都web02

# 1、上传配置证书
[root@web01 ~]# scp -r /etc/nginx/ssl_key 172.16.1.8:/etc/nginx/
# 2.web02查看证书
[root@pingweb02 mm]# cd /etc/nginx/ssl_key/
[root@pingweb02 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1249 May  8 19:25 server.crt
-rw-r--r-- 1 root root 1704 May  8 19:25 server.key

# 2、上传配置文件

[root@pingweb01 conf.d]# scp -r /mm/discuz/ 172.16.1.8:/mm
[root@pingweb01 conf.d]# scp -r linux12mm.discuz.https.com.conf 172.16.1.8:/etc/nginx/conf.d/

## web02服务端
[root@pingweb02 conf.d]# cd /mm/
[root@pingweb02 mm]# ll
drwxr-xr-x  5 www www  100 May  8 18:22 discuz
[root@pingweb02 conf.d]# ll
total 4
drwxr-xr-x 2 root root 182 May  8 19:27 backup
-rw-r--r-- 1 root root 348 May  8 19:55 linux12mm.discuz.https.com.conf

## nginx -t检查并重启
[root@web02 ~]# systemctl restart nginx php-fpm

# 必须保证web02单台HTTPS可以访问,否则负载均衡就不能实现
# 或者也可以提前挂载好，这样的话就不需要推送了！

3、配置负载均衡 lb01

# 1、配置证书
[root@web01 ~]# scp -r /etc/nginx/ssl_key 172.16.1.5:/etc/nginx/
# 2.lb01查看证书
[root@pinglb01 nginx]# cd ssl_key/
[root@pinglb01 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1249 May  8 19:25 server.crt
-rw-r--r-- 1 root root 1704 May  8 19:25 server.key
# 2、配置nginx优化文件
[root@pinglb01 ssl_key]# cat /etc/nginx/proxy_params 
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 20s;
proxy_read_timeout 20s;
proxy_send_timeout 20s;
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 8 8k;
proxy_next_upstream error timeout http_500 http_502 http_503 http_504;

# 3、配置nginx文件
[root@pinglb01 conf.d]# cat linux12mm.discuz.https.com.conf 
upstream blog {
    server 172.16.1.7;
    server 172.16.1.8;
}

server {
    listen 80;
    server_name linux12mm.discuz.com;

    rewrite (.*) https://$server_name$1;
}

server {
    listen 443 ssl;
    server_name linux12mm.discuz.com;
    ssl_certificate /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;

    location / {
        proxy_pass http://blog;
        include proxy_params;
    }
}

## nginx -t检查并重启
[root@web01 ~]# systemctl restart nginx	

3.配置本地hosts

192.168.15.5  linux12mm.discuz.com

4、配置负载均衡 lb02

# 1、推送配置证书
[root@web01 ~]# scp -r /etc/nginx/ssl_key 172.16.1.6:/etc/nginx/
# 2.lb02查看证书
[root@pinglb02 nginx]# cd ssl_key/
[root@pinglb02 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1249 May  8 19:25 server.crt
-rw-r--r-- 1 root root 1704 May  8 19:25 server.key
# 3、推送配置文件
[root@pinglb01 conf.d]# scp linux12mm.discuz.https.com.conf 172.16.1.6:/etc/nginx/conf.d/
[root@pinglb02 ssl_key]# cat /etc/nginx/proxy_params 
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 20s;
proxy_read_timeout 20s;
proxy_send_timeout 20s;
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 8 8k;
proxy_next_upstream error timeout http_500 http_502 http_503 http_504;

# 4、配置nginx文件
[root@pinglb02 conf.d]# cat linux12mm.discuz.https.com.conf 
upstream blog {
    server 172.16.1.7;
    server 172.16.1.8;
}

server {
    listen 80;
    server_name linux12mm.discuz.com;

    rewrite (.*) https://$server_name$1;
}

server {
    listen 443 ssl;
    server_name linux12mm.discuz.com;
    ssl_certificate /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;

    location / {
        proxy_pass http://blog;
        include proxy_params;
    }
}

## nginx -t检查并重启
[root@web01 ~]# systemctl restart nginx	

3.配置本地hosts

192.168.15.5  linux12mm.discuz.com

# lb01和lb02相同.所以都可以访问，切记，切记   lb01,lb02相同才可以做keepalived 高可用

实现lb01和lb02故障转移

1.lb01和lb02负载均衡端安装keepalived

[root@pinglb01 conf.d]# yum -y install keepalived
[root@pinglb02 conf.d]# yum -y install keepalived

2.配置keepalived

# 1、查找配置文件
[root@lb01 conf.d]# rpm -qc keepalived
/etc/keepalived/keepalived.conf
/etc/sysconfig/keepalived

# 2、配置主节点的配置文件
[root@pinglb01 conf.d]# cat /etc/keepalived/keepalived.conf 
global_defs {
    router_id lb01
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    nopreempt
    virtual_router_id 50
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111  
    }
    virtual_ipaddress {
        192.168.15.102
    }
}
# 3、配置从节点
[root@pinglb02 conf.d]# cat /etc/keepalived/keepalived.conf 
global_defs {
    router_id lb02
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    nopreempt
    virtual_router_id 50
    priority 80
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111  
    }
    virtual_ipaddress {
        192.168.15.102
    }
}

# 配置的是keepalived非抢占式说明
1.两个节点的state都必须配置为BACKUP
2.两个节点都必须加上配置 nopreempt
3.其中一个节点的优先级必须要高于另外一个节点的优先级。
两台服务器都角色状态启用nopreempt后，必须修改角色状态统一为BACKUP，唯一的区分就是优先级。

3. 启动服务

[root@lb01 ~]# tail -f /var/log/messages
[root@lb01 ~]# systemctl restart keepalived

[root@lb02 ~]# tail -f /var/log/messages
[root@lb02 ~]# systemctl restart keepalived

4、keepalived的抢占式与非抢占式

1.两个节点都启动的情况

#两个节点都启动时，由于节点1优先级高于节点2，所以只有节点1上有VIP，节点2为空
[root@lb01 ~]# ip addr | grep 10.10.0.102
    inet 10.10.0.3/32 scope global eth0
    
[root@lb02 ~]# ip addr | grep 10.10.0.102

2.停止主节点

[root@lb01 ~]# systemctl stop keepalived.service 
[root@lb01 ~]# ip addr | grep 10.10.0.102

#由于节点1keepalived down掉，节点2会自动接管节点1的工作，即VIP

[root@lb02 ~]# ip addr | grep 10.10.0.102
    inet 10.10.0.102/32 scope global eth0

3.重新启动主节点

#启动主节点
[root@lb01 ~]# systemctl start keepalived
[root@lb01 ~]# ip addr | grep 10.10.0.102
    inet 10.10.0.102/32 scope global eth0

#由于节点1优先级高于节点2，所以当节点1恢复时，会将VIP抢占回来