haproxy安装
haproxy软件包下载官网: haproxy.org
[root@haproxy ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
#创建haproxy用户
[root@haproxy ~]# useradd -r -M -s /sbin/nologin haproxy
[root@haproxy ~]# tar xf haproxy-2.4.0.tar.gz -C /usr/src/
[root@haproxy src]# ls
debug haproxy-2.4.0 kernels
[root@haproxy src]# cd haproxy-2.4.0/
[root@haproxy haproxy-2.4.0]# make clean
[root@haproxy haproxy-2.4.0]# make -j $(nproc) TARGET=linux-glibc \
> USE_OPENSSL=1 USE_PCRE=1 USE_SYSTEMD=1
[root@haproxy haproxy-2.4.0]# make install PREFIX=/usr/local/haproxy
配置内核参数
[root@haproxy ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@haproxy ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@haproxy ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
提供配置文件
[root@haproxy ~]# mkdir /etc/haproxy
[root@haproxy ~]# cat > /etc/haproxy/haproxy.cfg <<EOF
#--------------全局配置----------------
global
log 127.0.0.1 local0 info //记录本机日志到local0,info级别
#log loghost local0 info
maxconn 20480 //最大连接数
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon //守护进程
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults //后端RS
mode http //负载
log global
option dontlognull //不记录空日志
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin //负载算法rr
timeout connect 10s //超时时间10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3
#--------------统计页面配置------------------
listen admin_stats
bind 0.0.0.0:8189
stats enable
mode http
log global
stats uri /haproxy_stats
stats realm Haproxy\ Statistics
stats auth admin:admin
#stats hide-version
stats admin if TRUE
stats refresh 30s
#---------------web设置-----------------------
listen webcluster
bind 0.0.0.0:80
mode http
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
server web01 192.168.8.129:80 check inter 2000 fall 5
#server web01 192.168.80.102:80 cookie web01 check inter 2000 fall 5
EOF
haproxy.service文件编写
cat > /usr/lib/systemd/system/haproxy.service <<EOF
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target
[Service]
ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=/usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
EOF
[root@haproxy ~]# systemctl daemon-reload
[root@haproxy ~]# systemctl enable --now haproxy
Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service.
启动日志
[root@haproxy ~]# vim /etc/rsyslog.conf
local0.* /var/log/haproxy.log
[root@haproxy ~]# systemctl restart rsyslog.service
启动服务
[root@haproxy ~]# systemctl restart haproxy
[root@haproxy ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:8189 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22
[root@haproxy ~]# ss -antlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:8189 0.0.0.0:* users:(("haproxy",pid=25991,fd=8))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("haproxy",pid=25991,fd=9))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1019,fd=5))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1019,fd=7))
在RS上安装httpd服务
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# echo "RS-1" > /var/www/html/index.html
[root@RS1 ~]# systemctl restart httpd
[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# echo "RS-2" > /var/www/html/index.html
[root@RS2 ~]# systemctl restart httpd
haproxy配置负载均衡(https)
证书生成
[root@RS1 ~]# yum -y install openssl
[root@RS1 ~]# mkdir ~/keys
[root@RS1 ~]# cd keys
[root@RS1 keys]# openssl genrsa -out passport.com.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................+++++
..........................................................+++++
e is 65537 (0x010001)
[root@RS1 keys]# openssl req -new -key passport.com.key -out passport.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:passport
Common Name (eg, your name or your server's hostname) []:web01.com
Email Address []:passport@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1
string is too short, it needs to be at least 4 bytes long
A challenge password []:1@2.com
An optional company name []:
[root@RS1 keys]# openssl x509 -req -days 3650 -in passport.com.csr -signkey passport.com.key -out passport.com.crt
Signature ok
subject=C = CN, ST = HuBei, L = WuHan, O = test, OU = passport, CN = web01.com, emailAddress = passport@qq.com
Getting Private key
[root@RS1 keys]# ls
passport.com.crt passport.com.csr passport.com.key
[root@RS1 keys]# scp passport.com.crt passport.com.key 192.168.8.131:/root/
The authenticity of host '192.168.8.131 (192.168.8.131)' can't be established.
ECDSA key fingerprint is SHA256:WbxvLgdwExwRlMT4gaAC1bVyIovZnAwwX1DX8dv6Rs0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.8.131' (ECDSA) to the list of known hosts.
root@192.168.8.131's password:
passport.com.crt 100% 1294 940.0KB/s 00:00
passport.com.key
RS上配置https
[root@RS2 ~]# yum -y install mod_ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl
[root@RS2 ~]# mv passport.com.* /etc/httpd/ssl/
[root@RS2 ~]# cd /etc/httpd/ssl/
[root@RS2 ssl]# ls
passport.com.crt passport.com.key
[root@RS2 ssl]# cd ..
[root@RS2 httpd]# ls
conf conf.d conf.modules.d logs modules run ssl state
[root@RS2 httpd]# cd conf.d/
[root@RS2 conf.d]# ls
autoindex.conf README ssl.conf userdir.conf welcome.conf
[root@RS2 conf.d]# vim ssl.conf
#找到此两行,取消注释
DocumentRoot "/var/www/html"
ServerName www.example.com:443
#修改此两行路径
SSLCertificateFile /etc/httpd/ssl/passport.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/passport.com.key
[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443
#RS1同上操作
修改配置文件
[root@haproxy haproxy]# vim haproxy.cfg
#--------------全局配置----------------
global
log 127.0.0.1 local0 info
#log loghost local0 info
maxconn 20480
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode tcp //模式改为tcp
log global
option dontlognull
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin
timeout connect 10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3
#--------------统计页面配置------------------
listen admin_stats
bind 0.0.0.0:8189
stats enable
mode http
log global
stats uri /haproxy_stats
stats realm Haproxy\ Statistics
stats auth admin:admin
#stats hide-version
stats admin if TRUE
stats refresh 30s
#---------------web设置-----------------------
listen webcluster
bind 0.0.0.0:443 //端口改为443
mode tcp //模式改为tcp
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
server web01 192.168.8.130:443 check inter 2000 fall 5 //端口改为443
server web02 192.168.8.131:443 check inter 2000 fall 5 //端口改为443
#server web01 192.168.80.102:80 cookie web01 check inter 2000 fall 5
[root@haproxy haproxy]# systemctl restart haproxy.service
791
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
