High-availability nginx reverse proxy

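Introduction to nginx reverse proxying

A proxy server is an intermediate server that sits between the client and the origin server. To fetch content from the origin server, the client sends the proxy a request that names the target (origin) server; the proxy forwards the request to the origin server and returns the data it obtains to the client. A proxy server acts on behalf of the client, so the client generally knows the proxy exists; circumventing network blocking (翻墙), for example, relies on a proxy server.

A reverse proxy server sits on the origin-server side. It accepts requests from the Internet, forwards them to servers on the internal network, and returns the results it gets from those servers to the clients on the Internet. A reverse proxy acts on behalf of the server, so the client does not know the reverse proxy exists, while the server side does.

What a proxy server is used for

  1. Reaching resources that could not otherwise be accessed
  2. Caching, to speed up access
  3. Authorizing client access and authenticating users before they go online
  4. Logging users' access history (Internet usage management) and hiding user information from the outside

What a reverse proxy server is used for

  1. Protecting the internal network
  2. Load balancing
  3. Caching, to reduce the load on the servers

What nginx is used for

1. Reverse proxy: presents multiple servers as a single server

2. Load balancing: distributes requests evenly across multiple servers, reducing the load on each server and raising service throughput

3. Static/dynamic separation: nginx can act as a cache server for static files, speeding up access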

nginx reverse proxy configuration

Environment

System   IP               Service                            Hostname
centos8  192.168.171.133  nginx (load-balancing scheduler)   localhost
centos8  192.168.171.142  nginx (web service)                RS1
centos8  192.168.171.141  apache (web service)               RS2

RS1 configuration

//Disable the firewall and SELinux
[root@RS1 ~]# systemctl disable --now firewalld.service 
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS1 ~]# setenforce 0
[root@RS1 ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config

//Install the nginx web service
[root@RS1 ~]# dnf -y install nginx

//Set up the test site
[root@RS1 ~]# cd /usr/share/nginx/html/
[root@RS1 html]# ls
404.html  50x.html  index.html  nginx-logo.png  poweredby.png
[root@RS1 html]# echo "nginx" >index.html
[root@RS1 html]# systemctl restart nginx.service 
[root@RS1 html]# systemctl enable nginx.service 
[root@RS1 html]# ss -antl | grep 80
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*          
LISTEN 0      128             [::]:80           [::]:*          

RS2 configuration

//Disable the firewall and SELinux
[root@RS2 ~]# systemctl disable --now firewalld.service 
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS2 ~]# setenforce 0
[root@RS2 ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config

//Install the Apache web service
[root@RS2 ~]# dnf -y install httpd

//Set up the test page
[root@RS2 ~]# echo "apache" >/var/www/html/index.html
[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
[root@RS2 ~]# ss -antl | grep 80
LISTEN 0      128                *:80              *:*          

Load-balancing scheduler configuration

//Disable the firewall and SELinux
[root@localhost ~]# systemctl disable --now firewalld.service 
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]# setenforce 0
[root@localhost ~]#  sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config

//Install nginx to act as the reverse proxy.
[root@localhost ~]# dnf -y install nginx
[root@localhost ~]# cd /etc/nginx/
[root@localhost nginx]# vi nginx.conf

//Configure the reverse proxy
    upstream webserver {
        server 192.168.171.141;  # IP of a host that serves the site (RS2 in the table above)
        server 192.168.171.142;  # same as above, the other serving host (RS1)
    }

    server {
        listen       80;
        server_name  _;
        root         /usr/share/nginx/html;

        location / {
            proxy_pass http://webserver;  # requests are forwarded here; webserver stands for the upstream group (192.168.171.141 or 192.168.171.142)
        }
[root@localhost ~]# systemctl enable --now nginx.service 

Access test

[root@localhost ~]# curl 192.168.171.133
apache
[root@localhost ~]# curl 192.168.171.133
nginx
[root@localhost ~]# curl 192.168.171.133
apache
[root@localhost ~]# curl 192.168.171.133
nginx
[root@localhost ~]# curl 192.168.171.133
apache

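High-availability nginx reverse proxy

Environment:

System   IP               Service                                        Hostname
centos8  192.168.171.133  nginx (load-balancing scheduler, keepalived)   KD1
centos8  192.168.171.142  nginx (web service)                            RS1
centos8  192.168.171.141  apache (web service)                           RS2
centos8  192.168.171.150  nginx (load-balancing scheduler, keepalived)   KD2

RS1 and RS2 keep the same configuration as above.

Virtual IP (VIP): 192.168.171.250

KD1 configuration

//Install the high-availability service.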
[root@KD1 ~]# dnf -y install keepalived

//Write the keepalived configuration file
[root@KD1 ~]# cd  /etc/keepalived/
[root@KD1 keepalived]# ls
keepalived.conf
[root@KD1 keepalived]# mv keepalived.conf keepalived.conf-bek
[root@KD1 keepalived]# ls
keepalived.conf-bek
[root@KD1 keepalived]# vi keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id lb01
}

vrrp_instance VI_1 {
    state MASTER
    interface ens33          # the interface name here must match the host's NIC name
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass nuanchun   # the keepalived password must be the same on both hosts
    }
    virtual_ipaddress {
        192.168.171.250      # the virtual IP must be the same as well
    }
}

virtual_server 192.168.171.250 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    persistence_timeout 50
    protocol TCP

    real_server 192.168.171.133 80 {   # IP of your load-balancing scheduler
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }

    real_server 192.168.171.150 80 {   # IP of the other host in the high-availability pair
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}

//Restart the service and check the IP addresses
[root@KD1 keepalived]# systemctl restart keepalived.service 
[root@KD1 keepalived]# systemctl enable keepalived.service 
[root@KD1 keepalived]# ip a | grep ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.171.133/24 brd 192.168.171.255 scope global noprefixroute ens33
    inet 192.168.171.250/32 scope global ens33

KD2 configuration

//Disable the firewall and SELinux
[root@KD2 ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@KD2 ~]# setenforce 0
[root@KD2 ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config


//KD2 must match KD1's setup for high availability to work
[root@KD2 ~]# dnf -y install nginx

//Copy the nginx.conf configuration file from KD1 to KD2
[root@KD1 nginx]# scp nginx.conf 192.168.171.150:/etc/nginx/
The authenticity of host '192.168.171.150 (192.168.171.150)' can't be established.
ECDSA key fingerprint is SHA256:b2+ErORHLlANCY23XTlkC8uzQ6KKscSXnc5aIAK80dI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.171.150' (ECDSA) to the list of known hosts.
root@192.168.171.150's password: 
nginx.conf                                                                                                                             100% 2529     1.5MB/s   00:00    
[root@KD1 nginx]# 

//Check the configuration file
[root@KD2 ~]# cat /etc/nginx/nginx.conf
    upstream webserver {
        server 192.168.171.141;
        server 192.168.171.142;
    }

    server {
        listen       80;
        server_name  _;
        root         /usr/share/nginx/html;

        location / {
            proxy_pass http://webserver;
        }

//Install the keepalived high-availability service
[root@KD2 ~]# dnf -y install keepalived

//Back up the keepalived configuration file here as well
[root@KD2 ~]# cd /etc/keepalived/
[root@KD2 keepalived]# ls
keepalived.conf
[root@KD2 keepalived]# mv keepalived.conf keepalived.conf-bek
[root@KD2 keepalived]# ls
keepalived.conf-bek

//Then scp the keepalived configuration file over from KD1
[root@KD1 keepalived]# scp keepalived.conf 192.168.171.150:/etc/keepalived/
root@192.168.171.150's password: 
keepalived.conf                                                   100%  870   556.4KB/s   00:00   
[root@KD2 keepalived]# cat keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id lb02               # globally unique router ID
}

vrrp_instance VI_1 {
    state BACKUP
    interface ens33              # NIC name on this high-availability host
    virtual_router_id 51
    priority 90                  # priority 90, must be lower than the other host's
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass nuanchun       # the password must match
    }
    virtual_ipaddress {
        192.168.171.250          # virtual IP
    }
}

virtual_server 192.168.171.250 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    persistence_timeout 50
    protocol TCP

    real_server 192.168.171.133 80 {    # KD1 server IP
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }

    real_server 192.168.171.150 80 {    # KD2 server IP
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
[root@KD2 keepalived]# systemctl restart keepalived
[root@KD2 keepalived]# systemctl status keepalived
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-10-17 04:54:18 EDT; 1min 26s ago
  Process: 79776 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 79777 (keepalived)
    Tasks: 3 (limit: 23460)
   Memory: 2.0M
   CGroup: /system.slice/keepalived.service
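
The procedure above stops firewalld and disables SELinux on every host. The following added example (not part of the original post) shows the same topology with both left enabled, assuming firewalld's default zone and the stock SELinux policy; the helper names and the DRY_RUN switch are constructed for illustration.

```shell
# Added example (not from the original post): per-role firewalld/SELinux setup.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it as root.
LB1=192.168.171.133   # KD1, from the page
LB2=192.168.171.150   # KD2, from the page

run()  { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }
rich() { run firewall-cmd --permanent --add-rich-rule="$1"; }

# RS1/RS2: accept HTTP only from the two load balancers.
harden_backend() {
    for lb in "$LB1" "$LB2"; do
        rich "rule family=\"ipv4\" source address=\"$lb\" service name=\"http\" accept"
    done
    run firewall-cmd --reload
}

# KD1/KD2: HTTP from clients, VRRP advertisements only from the peer ($1),
# and the SELinux boolean that lets nginx connect to its upstream servers.
harden_lb() {
    run firewall-cmd --permanent --add-service=http
    rich "rule family=\"ipv4\" source address=\"$1\" protocol value=\"vrrp\" accept"
    run firewall-cmd --reload
    run setsebool -P httpd_can_network_connect 1
}

harden_lb "$LB2"      # what would be run on KD1
harden_backend        # what would be run on RS1 and RS2
```

On KD2 the peer argument is KD1's address, 192.168.171.133.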

Access test

//Access through the virtual IP
[root@KD1 nginx]# cd /etc/keepalived/
[root@KD1 keepalived]# ls
[root@KD1 keepalived]# curl 192.168.171.250
nginx
[root@KD1 keepalived]# curl 192.168.171.250
apache
[root@KD1 keepalived]# curl 192.168.171.250
nginx
[root@KD1 keepalived]# curl 192.168.171.250
apache

//Simulate KD1 going down and see whether the backup load-balancing scheduler becomes the master
[root@KD1 keepalived]# systemctl stop nginx
[root@KD1 keepalived]# systemctl stop keepalived.service 
[root@KD1 keepalived]# ss -antl
State               Recv-Q              Send-Q                           Local Address:Port                           Peer Address:Port             Process              
LISTEN              0                   128                                    0.0.0.0:22                                  0.0.0.0:*                                     
LISTEN              0                   128                                       [::]:22                                     [::]:*                                     
[root@KD1 keepalived]# 

//Check on the backup host whether the VIP has moved over; the VIP is now up there.
[root@KD2 keepalived]# ip a | grep ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.171.150/24 brd 192.168.171.255 scope global noprefixroute ens33
    inet 192.168.171.250/32 scope global ens33

[root@KD2 keepalived]# ss -antl
State               Recv-Q              Send-Q                           Local Address:Port                           Peer Address:Port             Process              
LISTEN              0                   128                                    0.0.0.0:22                                  0.0.0.0:*                                     
LISTEN              0                   128                                    0.0.0.0:80                                  0.0.0.0:*                                     
LISTEN              0                   128                                       [::]:22                                     [::]:*                                   


//Try accessing it from KD2
[root@KD2 keepalived]# curl 192.168.171.250
apache
[root@KD2 keepalived]# curl 192.168.171.250
nginx
[root@KD2 keepalived]# curl 192.168.171.250
apache
[root@KD2 keepalived]# curl 192.168.171.250
nginx

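Automating master/backup switchover for high availability

keepalived uses a script to monitor the state of the nginx load balancer

Write the scripts on KD1

//Create a directory to hold the monitoring scripts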
[root@KD1 ~]# mkdir scripts 
[root@KD1 ~]# ls
anaconda-ks.cfg  scripts
[root@KD1 ~]# cd scripts/
[root@KD1 scripts]# ls
[root@KD1 scripts]# vi check_n.sh
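#!/bin/bash

# Count running nginx processes, excluding grep and this script itself
nginx_status=$(ps -ef|grep -Ev "grep|$0"|grep '\bnginx\b'|wc -l)
# If nginx is not running, stop keepalived so the VIP moves to the backup
if [ "$nginx_status" -lt 1 ];then
    systemctl stop keepalived
fi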

[root@KD1 scripts]# chmod +x check_n.sh 
[root@KD1 scripts]# ls

[root@KD1 scripts]# vi notify.sh
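#!/bin/bash
# Usage: notify.sh master|backup VIP
VIP=$2
case "$1" in
  master)
        # This node became master: make sure nginx is running
        nginx_status=$(ps -ef|grep -Ev "grep|$0"|grep '\bnginx\b'|wc -l)
        if [ "$nginx_status" -lt 1 ];then
            systemctl start nginx
        fi
        sendmail    # mail notification hook (called without a recipient or message here)
  ;;
  backup)
        # This node became backup: stop nginx if it is running
        nginx_status=$(ps -ef|grep -Ev "grep|$0"|grep '\bnginx\b'|wc -l)
        if [ "$nginx_status" -gt 0 ];then
            systemctl stop nginx
        fi
  ;;
  *)
        echo "Usage:$0 master|backup VIP"
  ;;
esac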

[root@KD1 scripts]# chmod +x notify.sh 

//Reference the scripts in the configuration file
! Configuration File for keepalived

global_defs {
   router_id lb01
}

vrrp_script nginx_check {
    script "/scripts/check_n.sh"    # the check script to run (must be the script's actual location)
    interval 1
    weight -20
}

vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass nuanchun
    }
    virtual_ipaddress {
        192.168.171.250
    }
    track_script {
        nginx_check         # reference the script that checks nginx status
    }
    notify_master "/scripts/notify.sh master 192.168.171.250"   # scripts run when switching between master and backup
    notify_backup "/scripts/notify.sh backup 192.168.171.250"
}

virtual_server 192.168.171.250 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    persistence_timeout 50
    protocol TCP

    real_server 192.168.171.133 80 {
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }

    real_server 192.168.171.150 80 {
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}

[root@KD1 scripts]# systemctl restart keepalived.service

[root@KD1 scripts]# ip a| grep ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.171.133/24 brd 192.168.171.255 scope global noprefixroute ens33
    inet 192.168.171.250/32 scope global ens33

KD2 configuration

//First create a directory to hold the scripts
[root@KD2 ~]# mkdir srcipts
[root@KD2 ~]# cd srcipts/

//scp the script over from KD1
[root@KD1 scripts]# scp notify.sh 192.168.171.150:srcipts
root@192.168.171.150's password: 
notify.sh                                                                                                                              100%  451   247.4KB/s   00:00    
[root@KD2 srcipts]# ls
notify.sh
[root@KD2 srcipts]# 

//On the backup, KD2, write the configuration file that references the script.
[root@KD2 srcipts]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id lb02
}

vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    virtual_router_id 51
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass nuanchun
    }
    virtual_ipaddress {
        192.168.171.250
    }
    notify_master "/scripts/notify.sh master 192.168.171.250"
    notify_backup "/scripts/notify.sh backup 192.168.171.250"
}                       # the notify lines above reference the script that was just copied over

virtual_server 192.168.171.250 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    persistence_timeout 50
    protocol TCP

    real_server 192.168.171.133 80 {
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }

    real_server 192.168.171.150 80 {
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
[root@KD2 srcipts]# systemctl restart keepalived
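
The comments in the keepalived.conf listings require KD1 and KD2 to share the password, VIP and virtual_router_id while differing in router_id and priority, and a track_script weight only causes a failover if it pushes the master below the backup. This added example (not from the original post) checks a config pair for those conditions; sample_conf, kv, vip and lint_pair are hypothetical helper names, and the sample files are constructed from the values on this page.

```shell
# Added example, not from the original post. Constructed sample: the page's VRRP
# settings, parameterised by what differs per node ($1=router_id $2=state $3=priority).
sample_conf() {
cat <<EOF
global_defs {
   router_id $1
}
vrrp_script nginx_check {
    weight -20
}
vrrp_instance VI_1 {
    state $2
    virtual_router_id 51
    priority $3
    authentication {
        auth_pass nuanchun
    }
    virtual_ipaddress {
        192.168.171.250
    }
}
EOF
}

kv()  { awk -v k="$1" '$1 == k { print $2; exit }' "$2"; }   # kv KEY FILE: first value of KEY
vip() { awk '/virtual_ipaddress/ { f = 1; next } f { print $1; exit }' "$1"; }   # first VIP

# lint_pair MASTER BACKUP: prints one line per problem, status 0 when clean.
lint_pair() {
    rc=0
    for f in "$1" "$2"; do
        o=$(grep -o '{' "$f" | wc -l); c=$(grep -o '}' "$f" | wc -l)
        [ "$o" -eq "$c" ] || { echo "$f: $o '{' but $c '}'"; rc=1; }
    done
    for k in virtual_router_id auth_pass; do
        [ "$(kv "$k" "$1")" = "$(kv "$k" "$2")" ] || { echo "$k differs"; rc=1; }
    done
    [ "$(vip "$1")" = "$(vip "$2")" ] || { echo "virtual_ipaddress differs"; rc=1; }
    [ "$(kv router_id "$1")" != "$(kv router_id "$2")" ] || { echo "router_id reused"; rc=1; }
    mp=$(kv priority "$1"); bp=$(kv priority "$2"); w=$(kv weight "$1")
    [ "$mp" -gt "$bp" ] || { echo "master priority $mp not above backup $bp"; rc=1; }
    # A failing track_script adds its negative weight; failover needs mp+w < bp.
    [ -z "$w" ] || [ $((mp + w)) -lt "$bp" ] || { echo "weight $w cannot demote $mp below $bp"; rc=1; }
    return $rc
}

d=$(mktemp -d)
sample_conf lb01 MASTER 100 > "$d/kd1.conf"; sample_conf lb02 BACKUP 90 > "$d/kd2.conf"
lint_pair "$d/kd1.conf" "$d/kd2.conf" && echo "KD1/KD2 configs are consistent"
```

With the page's values the master drops from 100 to 80 on a failed check, which is below the backup's 90; a backup priority of 80 or lower would make the lint report that the weight is too small.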

Access test

//At this point KD1 holds the VIP and port 80 is listening; stop nginx on KD1 to simulate a failure
[root@KD1 ~]# ip a | grep ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.171.133/24 brd 192.168.171.255 scope global noprefixroute ens33
    inet 192.168.171.250/32 scope global ens33
[root@KD1 ~]# 
[root@KD1 ~]# ss -antl | grep 80
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*          
[root@KD1 ~]# 
[root@KD1 ~]# systemctl stop nginx
[root@KD1 ~]# systemctl status keepalived.service
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Tue 2022-10-18 05:11:21 EDT; 943ms ago
  Process: 112308 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 238678 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 238682 (code=exited, status=0/SUCCESS)


//Check on KD2 whether the VIP and port 80 are up
[root@KD2 srcipts]# ip a | grep ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.171.150/24 brd 192.168.171.255 scope global noprefixroute ens33
    inet 192.168.171.250/32 scope global ens33
[root@KD2 srcipts]# ss -antl | grep 80
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*          
[root@KD2 srcipts]# 

[root@KD2 srcipts]# curl 192.168.171.250
apache
[root@KD2 srcipts]# curl 192.168.171.250
nginx
[root@KD2 srcipts]# curl 192.168.171.250
apache
[root@KD2 srcipts]# curl 192.168.171.250
nginx
[root@KD2 srcipts]# 






