使用lvs-nat模式部署httpd负载集群


环境

主机名 / 网卡信息（ens33 为 NAT 模式，ens36 为仅主机模式）
client：192.168.159.100（ens33）
DR：192.168.159.139（ens33），192.168.220.139（ens36）
RS1：192.168.159.200（ens33），GW：192.168.159.139
RS2：192.168.159.201（ens33），GW：192.168.159.139

HTTP 协议

关闭防火墙和 SELinux
DR

[root@DR ~]# systemctl stop firewalld.service
[root@DR ~]# systemctl disable firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# cat /etc/selinux/config
SELINUX=disabled

RS1

[root@RS1 ~]# systemctl stop firewalld.service
[root@RS1 ~]# systemctl disable firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS1 ~]# vim /etc/selinux/config
SELINUX=disabled
[root@RS1 ~]# setenforce 0

RS2

[root@RS2 ~]# systemctl stop firewalld.service
[root@RS2 ~]# systemctl disable firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS2 ~]# vim /etc/selinux/config
SELINUX=disabled

配置IP
DR

[root@DR ~]# nmcli connection add con-name ens36 ifname ens36 type ethernet
Connection 'ens36' (ac1d9825-9b99-4ce8-8577-2606dccf30cc) successfully added.
[root@DR ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
IPADDR=192.168.159.139
NETMASK=255.255.255.0
GATEWAY=192.168.159.2
DNS1=8.8.8.8

[root@DR ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens36
IPADDR=192.168.220.139
NETMASK=255.255.255.0
DNS1=8.8.8.8

[root@DR ~]# nmcli connection up ens33
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@DR ~]# nmcli connection up ens36
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/5)

RS1

[root@RS1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
IPADDR=192.168.159.200
NETMASK=255.255.255.0
GATEWAY=192.168.159.139
DNS1=8.8.8.8

[root@RS1 ~]# systemctl restart NetworkManager
[root@RS1 ~]# nmcli connection up ens33
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)

RS2

[root@RS2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
IPADDR=192.168.159.201
NETMASK=255.255.255.0
GATEWAY=192.168.159.139
DNS2=8.8.8.8

[root@RS2 ~]# systemctl restart NetworkManager
[root@RS2 ~]# nmcli connection up ens33
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)

后端部署Web服务器
RS1

[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# echo "rs1" >/var/www/html/index.html
[root@RS1 ~]# systemctl restart httpd
[root@RS1 ~]# systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.

RS2

[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# echo "rs2" >/var/www/html/index.html
[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.

DR 配置（开启 IP 转发并添加 LVS-NAT 规则）

//开启IP转发
[root@DR ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@DR ~]# sysctl -p
net.ipv4.ip_forward = 1

[root@DR ~]# yum -y install ipvsadm
[root@DR ~]# ipvsadm -A -t 192.168.220.139:80 -s rr
[root@DR ~]# ipvsadm -a -t 192.168.220.139:80 -r 192.168.159.200:80 -m
[root@DR ~]# ipvsadm -a -t 192.168.220.139:80 -r 192.168.159.201:80 -m

[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.220.139:80 rr
  -> 192.168.159.200:80           Masq    1      0          0
  -> 192.168.159.201:80           Masq    1      0          0

[root@DR ~]# systemctl restart ipvsadm.service
[root@DR ~]# systemctl enable ipvsadm.service
Created symlink /etc/systemd/system/multi-user.target.wants/ipvsadm.service → /usr/lib/systemd/system/ipvsadm.service.

客户端测试（rr 轮询调度下，请求交替落到 RS1 和 RS2）

[root@client ~]# curl http://192.168.220.139
rs2
[root@client ~]# curl http://192.168.220.139
rs1
[root@client ~]# curl http://192.168.220.139
rs2
[root@client ~]# curl http://192.168.220.139
rs1

HTTPS 协议

DR 生成 CA 私钥和自签名 CA 证书

[root@DR ~]# mkdir -p /etc/pki/CA/private
[root@DR ~]# cd /etc/pki/CA
[root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................................................................................+++++
.............................................................+++++
e is 65537 (0x010001)

[root@DR CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxnBcLM7U8ky2RV1CzsiX
wdg0Zxyoy4lWFFZm/UpYJTc+J1KZ4GnVlGuWFCesIWc/qiM9jZmdjZehGEsFC5m/
lLnKKW3seObWHSTk7udV7b9izcrqeHgLkZr9b6Stdso3bfUoeV/q2DsGBEVFsXic
Qxw9WRDYmNDGqogS6QJxQMcJSCr6pZ3qIy/rQAUHasm3iEmQvv+OIi/zYm7yjxTw
iwOV6ZGHubUwx/cJABaGWFrHPYfED1v7KK1frIOMoN+pD0QiGnSApnQuZBpFYo9+
FMtxg9Z0z4Nd/CNQ+a+khZVAFm0piUUQY/AzfjSMSnTtnTfI+av9tyq4d81p62Yq
rwIDAQAB
-----END PUBLIC KEY-----

[root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:liyan
Email Address []:liyan@example.com

[root@DR CA]# touch index.txt && echo 01 > serial

RS1 生成私钥和证书签署请求（CSR）

[root@RS1 ~]# yum -y install mod_ssl

[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]#  (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................+++++
.....................................................................................................................................+++++
e is 65537 (0x010001)

[root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:liyan
Email Address []:liyan@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@RS1 ssl]# ls
httpd.csr  httpd.key
[root@RS1 ssl]# scp httpd.csr root@192.168.159.139:/root/
The authenticity of host '192.168.159.139 (192.168.159.139)' can't be established.
ECDSA key fingerprint is SHA256:aZNpG9Fp8mJ53ekwPlBXfyoPkqy8jpWA2cmN0V+CcVQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.159.139' (ECDSA) to the list of known hosts.
root@192.168.159.139's password:
httpd.csr                                                                                                                                                                     100% 1029     1.6MB/s   00:00

DR 上查看收到的 CSR

[root@DR ~]# ls
httpd.csr

CA 签署证书

[root@DR ~]# mkdir /etc/pki/CA/newcerts
[root@DR ~]# touch /etc/pki/CA/index.txt
[root@DR ~]# echo "01" > /etc/pki/CA/serial
[root@DR ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 26 10:41:04 2022 GMT
            Not After : Jul 16 10:41:04 2025 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = runtime
            organizationalUnitName    = linux
            commonName                = liyan
            emailAddress              = liyan@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B4:D8:B6:11:0D:EE:25:9E:09:C8:13:8F:E4:E1:D0:0A:5B:CE:7F:5B
            X509v3 Authority Key Identifier:
                keyid:A2:3E:0D:2A:FC:2D:5B:89:EE:F7:6A:48:FD:4E:DE:C2:8C:46:10:60

Certificate is to be certified until Jul 16 10:41:04 2025 GMT (1024 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@DR ~]# ls
httpd.crt  httpd.csr

将签好的证书和 CA 证书发送给 RS1

[root@DR ~]# scp httpd.crt root@192.168.159.200:/etc/httpd/ssl
The authenticity of host '192.168.159.200 (192.168.159.200)' can't be established.
ECDSA key fingerprint is SHA256:aZNpG9Fp8mJ53ekwPlBXfyoPkqy8jpWA2cmN0V+CcVQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.159.200' (ECDSA) to the list of known hosts.
root@192.168.159.200's password:
httpd.crt                                                                                                                                                                     100% 4559     4.2MB/s   00:00
[root@DR ~]# scp /etc/pki/CA/cacert.pem root@192.168.159.200:/etc/httpd/ssl
root@192.168.159.200's password:
cacert.pem                                                                                                                                                                    100% 1391     2.1MB/s   00:00

RS2 配置 HTTPS

[root@RS2 ~]# yum -y install mod_ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl

将 RS1 的证书和私钥发送给 RS2（两台 RS 共用同一套证书，客户端无论被调度到哪台 RS 看到的证书都一致）

[root@RS1 ssl]# scp cacert.pem httpd.crt httpd.key root@192.168.159.201:/etc/httpd/ssl
The authenticity of host '192.168.159.201 (192.168.159.201)' can't be established.
ECDSA key fingerprint is SHA256:aZNpG9Fp8mJ53ekwPlBXfyoPkqy8jpWA2cmN0V+CcVQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.159.201' (ECDSA) to the list of known hosts.
root@192.168.159.201's password:
cacert.pem                                                                                                                                                                    100% 1391     1.7MB/s   00:00
httpd.crt                                                                                                                                                                     100% 4559     8.3MB/s   00:00
httpd.key                                                                                                                                                                     100% 1675     1.5MB/s   00:00

RS1 中修改 HTTPS 的配置文件

[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
SSLCACertificateFile /etc/httpd/ssl/cacert.pem

[root@RS1 ~]# systemctl restart httpd
[root@RS1 ~]# ss -antl |grep 443
LISTEN 0      128                *:443             *:*

RS2 中修改 HTTPS 的配置文件

[root@RS2 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
SSLCACertificateFile /etc/httpd/ssl/cacert.pem

[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# ss -antl |grep 443
LISTEN 0      128                *:443              *:*

DR 中添加 443 端口的规则并保存

[root@DR ~]# ipvsadm -A -t 192.168.220.139:443 -s rr
[root@DR ~]# ipvsadm -a -t 192.168.220.139:443 -r 192.168.159.200 -m
[root@DR ~]# ipvsadm -a -t 192.168.220.139:443 -r 192.168.159.201 -m
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.220.139:80 rr
  -> 192.168.159.200:80           Masq    1      0          0
  -> 192.168.159.201:80           Masq    1      0          0
TCP  192.168.220.139:443 rr
  -> 192.168.159.200:443          Masq    1      0          0
  -> 192.168.159.201:443          Masq    1      0          0

[root@DR ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm

客户端测试（证书由自建 CA 签发且 CN 不是 VIP，客户端未信任该 CA，因此 curl 需要 -k 跳过证书校验）

[root@client ~]# curl -k https://192.168.220.139
rs1
[root@client ~]# curl -k https://192.168.220.139
rs2
[root@client ~]# curl -k https://192.168.220.139
rs1
[root@client ~]# curl -k https://192.168.220.139
rs2