环境
主机名 | 网卡信息（ens33为NAT，ens36为仅主机） |
---|---|
client | 192.168.159.100(ens33) |
DR | 192.168.159.139(ens33),192.168.220.139(ens36) |
RS1 | 192.168.159.200(ens33)，GW:192.168.159.139 |
RS2 | 192.168.159.201(ens33)，GW:192.168.159.139 |
http协议
关闭防火墙
DR
[root@DR ~]# systemctl stop firewalld.service
[root@DR ~]# systemctl disable firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# cat /etc/selinux/config
SELINUX=disabled
RS1
[root@RS1 ~]# systemctl stop firewalld.service
[root@RS1 ~]# systemctl disable firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS1 ~]# vim /etc/selinux/config
SELINUX=disabled
[root@RS1 ~]# setenforce 0
RS2
[root@RS2 ~]# systemctl stop firewalld.service
[root@RS2 ~]# systemctl disable firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS2 ~]# vim /etc/selinux/config
SELINUX=disabled
配置IP
DR
[root@DR ~]# nmcli connection add con-name ens36 ifname ens36 type ethernet
Connection 'ens36' (ac1d9825-9b99-4ce8-8577-2606dccf30cc) successfully added.
[root@DR ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
IPADDR=192.168.159.139
NETMASK=255.255.255.0
GATEWAY=192.168.159.2
DNS1=8.8.8.8
[root@DR ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens36
IPADDR=192.168.220.139
NETMASK=255.255.255.0
DNS1=8.8.8.8
[root@DR ~]# nmcli connection up ens33
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@DR ~]# nmcli connection up ens36
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/5)
RS1
[root@RS1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
IPADDR=192.168.159.200
NETMASK=255.255.255.0
GATEWAY=192.168.159.139
DNS1=8.8.8.8
[root@RS1 ~]# systemctl restart NetworkManager
[root@RS1 ~]# nmcli connection up ens33
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
RS2
[root@RS2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
IPADDR=192.168.159.201
NETMASK=255.255.255.0
GATEWAY=192.168.159.139
DNS2=8.8.8.8
[root@RS2 ~]# systemctl restart NetworkManager
[root@RS2 ~]# nmcli connection up ens33
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
后端部署Web服务器
RS1
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# echo "rs1" >/var/www/html/index.html
[root@RS1 ~]# systemctl restart httpd
[root@RS1 ~]# systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
RS2
[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# echo "rs2" >/var/www/html/index.html
[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
DR配置
开启IP转发（NAT模式下RS1、RS2的网关都指向DR，DR需要转发RS的回包）
[root@DR ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@DR ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@DR ~]# yum -y install ipvsadm
[root@DR ~]# ipvsadm -A -t 192.168.220.139:80 -s rr
[root@DR ~]# ipvsadm -a -t 192.168.220.139:80 -r 192.168.159.200:80 -m
[root@DR ~]# ipvsadm -a -t 192.168.220.139:80 -r 192.168.159.201:80 -m
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.220.139:80 rr
-> 192.168.159.200:80 Masq 1 0 0
-> 192.168.159.201:80 Masq 1 0 0
[root@DR ~]# systemctl restart ipvsadm.service
[root@DR ~]# systemctl enable ipvsadm.service
Created symlink /etc/systemd/system/multi-user.target.wants/ipvsadm.service → /usr/lib/systemd/system/ipvsadm.service.
客户端测试
[root@client ~]# curl http://192.168.220.139
rs2
[root@client ~]# curl http://192.168.220.139
rs1
[root@client ~]# curl http://192.168.220.139
rs2
[root@client ~]# curl http://192.168.220.139
rs1
https协议
DR生成CA私钥和自签名CA证书
[root@DR ~]# mkdir -p /etc/pki/CA/private
[root@DR ~]# cd /etc/pki/CA
[root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................................................................................+++++
.............................................................+++++
e is 65537 (0x010001)
[root@DR CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxnBcLM7U8ky2RV1CzsiX
wdg0Zxyoy4lWFFZm/UpYJTc+J1KZ4GnVlGuWFCesIWc/qiM9jZmdjZehGEsFC5m/
lLnKKW3seObWHSTk7udV7b9izcrqeHgLkZr9b6Stdso3bfUoeV/q2DsGBEVFsXic
Qxw9WRDYmNDGqogS6QJxQMcJSCr6pZ3qIy/rQAUHasm3iEmQvv+OIi/zYm7yjxTw
iwOV6ZGHubUwx/cJABaGWFrHPYfED1v7KK1frIOMoN+pD0QiGnSApnQuZBpFYo9+
FMtxg9Z0z4Nd/CNQ+a+khZVAFm0piUUQY/AzfjSMSnTtnTfI+av9tyq4d81p62Yq
rwIDAQAB
-----END PUBLIC KEY-----
[root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:liyan
Email Address []:liyan@example.com
[root@DR CA]# touch index.txt && echo 01 > serial
RS1生成证书签署请求
[root@RS1 ~]# yum -y install mod_ssl
[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................+++++
.....................................................................................................................................+++++
e is 65537 (0x010001)
[root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:liyan
Email Address []:liyan@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@RS1 ssl]# ls
httpd.csr httpd.key
[root@RS1 ssl]# scp httpd.csr root@192.168.159.139:/root/
The authenticity of host '192.168.159.139 (192.168.159.139)' can't be established.
ECDSA key fingerprint is SHA256:aZNpG9Fp8mJ53ekwPlBXfyoPkqy8jpWA2cmN0V+CcVQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.159.139' (ECDSA) to the list of known hosts.
root@192.168.159.139's password:
httpd.csr 100% 1029 1.6MB/s 00:00
DR查看
[root@DR ~]# ls
httpd.csr
CA签署证书
[root@DR ~]# mkdir /etc/pki/CA/newcerts
[root@DR ~]# touch /etc/pki/CA/index.txt
[root@DR ~]# echo "01" > /etc/pki/CA/serial
[root@DR ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 26 10:41:04 2022 GMT
Not After : Jul 16 10:41:04 2025 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = runtime
organizationalUnitName = linux
commonName = liyan
emailAddress = liyan@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B4:D8:B6:11:0D:EE:25:9E:09:C8:13:8F:E4:E1:D0:0A:5B:CE:7F:5B
X509v3 Authority Key Identifier:
keyid:A2:3E:0D:2A:FC:2D:5B:89:EE:F7:6A:48:FD:4E:DE:C2:8C:46:10:60
Certificate is to be certified until Jul 16 10:41:04 2025 GMT (1024 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@DR ~]# ls
httpd.crt httpd.csr
将签署后的证书和CA证书发送给RS1
[root@DR ~]# scp httpd.crt root@192.168.159.200:/etc/httpd/ssl
The authenticity of host '192.168.159.200 (192.168.159.200)' can't be established.
ECDSA key fingerprint is SHA256:aZNpG9Fp8mJ53ekwPlBXfyoPkqy8jpWA2cmN0V+CcVQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.159.200' (ECDSA) to the list of known hosts.
root@192.168.159.200's password:
httpd.crt 100% 4559 4.2MB/s 00:00
[root@DR ~]# scp /etc/pki/CA/cacert.pem root@192.168.159.200:/etc/httpd/ssl
root@192.168.159.200's password:
cacert.pem 100% 1391 2.1MB/s 00:00
RS2配置https
[root@RS2 ~]# yum -y install mod_ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl
将RS1上的CA证书、服务器证书和私钥发送给RS2
[root@RS1 ssl]# scp cacert.pem httpd.crt httpd.key root@192.168.159.201:/etc/httpd/ssl
The authenticity of host '192.168.159.201 (192.168.159.201)' can't be established.
ECDSA key fingerprint is SHA256:aZNpG9Fp8mJ53ekwPlBXfyoPkqy8jpWA2cmN0V+CcVQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.159.201' (ECDSA) to the list of known hosts.
root@192.168.159.201's password:
cacert.pem 100% 1391 1.7MB/s 00:00
httpd.crt 100% 4559 8.3MB/s 00:00
httpd.key 100% 1675 1.5MB/s 00:00
RS1中修改https的配置文件
[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
[root@RS1 ~]# systemctl restart httpd
[root@RS1 ~]# ss -antl |grep 443
LISTEN 0 128 *:443 *:*
RS2中修改https的配置文件
[root@RS2 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# ss -antl |grep 443
LISTEN 0 128 *:443 *:*
DR中添加443端口的规则
[root@DR ~]# ipvsadm -A -t 192.168.220.139:443 -s rr
[root@DR ~]# ipvsadm -a -t 192.168.220.139:443 -r 192.168.159.200 -m
[root@DR ~]# ipvsadm -a -t 192.168.220.139:443 -r 192.168.159.201 -m
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.220.139:80 rr
-> 192.168.159.200:80 Masq 1 0 0
-> 192.168.159.201:80 Masq 1 0 0
TCP 192.168.220.139:443 rr
-> 192.168.159.200:443 Masq 1 0 0
-> 192.168.159.201:443 Masq 1 0 0
[root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
客户端测试
[root@client ~]# curl -k https://192.168.220.139
rs1
[root@client ~]# curl -k https://192.168.220.139
rs2
[root@client ~]# curl -k https://192.168.220.139
rs1
[root@client ~]# curl -k https://192.168.220.139
rs2