LVS-NAT模型实现http和https两种负载均衡集群

NAT模型实现http和https两种负载均衡集群


环境说明:

| 环境   | IP                            | 主机名                   |
|--------|-------------------------------|--------------------------|
| DR     | 192.168.25.131 / 172.25.0.100 | node01-Linux.example.com |
| RS1    | 192.168.25.132                | node02-Linux.example.com |
| RS2    | 192.168.25.133                | node03-Linux.example.com |
| Client | 172.25.0.200                  | node04-Linux.example.com |

NAT模式的HTTP负载集群



#配置DRip地址
[root@node01-Linux ~]# ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:8d:04:cf brd ff:ff:ff:ff:ff:ff
    inet 192.168.25.128/24 brd 192.168.25.255 scope global noprefixroute dynamic eth0
       valid_lft 1616sec preferred_lft 1616sec
    inet 192.168.25.131/24 brd 192.168.25.255 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::df5d:976d:133d:ec61/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:8d:04:d9 brd ff:ff:ff:ff:ff:ff
    inet 172.25.0.100/24 brd 172.25.0.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe8d:4d9/64 scope link 
       valid_lft forever preferred_lft forever

#配置RS网关指向DIP
[root@node02-linux network-scripts]# vi ifcfg-eth0
TYPE="Ethernet"
BOOTPROTO="static"
NAME="eth0"
UUID="fd876bb3-6b9b-4a47-abfa-c6c49e562b0e"
DEVICE="eth0"
ONBOOT="yes"

IPADDR=192.168.25.132
NETMASK=255.255.255.0
GATEWAY=192.168.25.131
DNS1=114.114.114.114
[root@node02-linux ~]# systemctl restart network

[root@node03-Linux network-scripts]# vi ifcfg-eth0
TYPE="Ethernet"
BOOTPROTO="static"
NAME="eth0"
UUID="a8c74df3-b297-4705-b641-836a42a0613e"
DEVICE="eth0"
ONBOOT="yes"

IPADDR=192.168.25.133
NETMASK=255.255.255.0
GATEWAY=192.168.25.131
DNS1=114.114.114.114
[root@node03-Linux ~]# systemctl restart network

#开启ip转发功能
[root@node01-Linux ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@node01-Linux ~]# sysctl -p
net.ipv4.ip_forward = 1

#添加并保存规则
[root@node01-Linux ~]# ipvsadm -A -t 172.25.0.100:80 -s rr
[root@node01-Linux ~]# ipvsadm -a -t 172.25.0.100:80 -r 192.168.25.132:80 -m
[root@node01-Linux ~]# ipvsadm -a -t 172.25.0.100:80 -r 192.168.25.133:80 -m
[root@node01-Linux ~]# ipvsadm -S > /etc/sysconfig/ipvsadm

#查看规则
[root@node01-Linux ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.25.0.100:80 rr
  -> 192.168.25.132:80            Masq    1      0          0         
  -> 192.168.25.133:80            Masq    1      0          0         

#在RS上部署HTTP
[root@node02-linux ~]# yum -y install httpd
[root@node02-linux ~]# echo 'RS1' > /var/www/html/index.html
[root@node02-linux ~]# systemctl enable --now httpd


[root@node03-Linux ~]# yum -y install httpd
[root@node03-Linux ~]# echo 'RS2' > /var/www/html/index.html
[root@node03-Linux ~]# systemctl enable --now httpd



#客户端访问验证
[root@node04-Linux ~]# for i in $(seq 8);do curl 172.25.0.100;done
RS2
RS1
RS2
RS1
RS2
RS1
RS2
RS1

NAT模式的HTTPS负载集群

#生成一对密钥
[root@node01-Linux ~]# cd /etc/pki/CA/
[root@node01-Linux CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)

[root@node01-Linux CA]# openssl rsa -in private/cakey.pem -pubout

#生成自签署证书
[root@node01-Linux CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024

[root@node01-Linux CA]# touch index.txt && echo 01 > serial

#RS-1(httpd服务器)生成私钥
[root@node02-Linux ssl]# (umask 077;openssl genrsa -out httpd.key 2048)

#RS-1(httpd服务器)生成证书签署请求
[root@node02-Linux ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr

[root@node02-Linux ssl]# ls
httpd.csr  httpd.key


#把证书签署请求文件发送给CA
[root@node02-Linux ssl]# scp httpd.csr root@192.168.25.131:/root

#CA签署证书并发给客户端
[root@node01-Linux ~]# ls
anaconda-ks.cfg  httpd.csr
[root@node01-Linux ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 1024

[root@node01-Linux ~]# ls
anaconda-ks.cfg  httpd.crt  httpd.csr

#CA把签署好的证书httpd.crt和CA自身的证书cacert.pem发给客户端
[root@node01-Linux ~]# scp httpd.crt root@192.168.25.132:/etc/httpd/ssl
[root@node01-Linux ~]# scp cacert.pem root@192.168.25.132:/etc/httpd/ssl

#配置https
[root@node03-Linux ~]# yum -y install mod_ssl
[root@node03-Linux ~]# mkdir /etc/httpd/ssl 

[root@node03-Linux ~]# yum -y install mod_ssl
[root@node03-Linux ssl]# scp cacert.pem httpd.crt httpd.key root@192.168.25.133:/etc/httpd/ssl
root@192.168.25.133's password: 
cacert.pem                                                       100% 1294     1.4MB/s   00:00    
httpd.crt                                                        100% 4416     5.4MB/s   00:00    
httpd.key   

#RS-2上查看
[root@node03-Linux ~]# ls /etc/httpd/ssl/
cacert.pem  httpd.crt  httpd.key

#修改https配置文件
[root@node02-Linux ~]# vim /etc/httpd/conf.d/ssl.conf

SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

SSLCACertificateFile /etc/httpd/ssl/cacert.pem

#重启服务
[root@node02-Linux ~]# systemctl restart httpd
[root@node02-Linux ~]# ss -tanl
State       Recv-Q Send-Q    Local Address:Port                   Peer Address:Port              
LISTEN      0      100           127.0.0.1:25                                *:*                  
LISTEN      0      128                   *:22                                *:*                  
LISTEN      0      100               [::1]:25                             [::]:*                  
LISTEN      0      128                [::]:443                            [::]:*                  
LISTEN      0      128                [::]:80                             [::]:*                  
LISTEN      0      128                [::]:22                             [::]:*        
RS2上也要做如上配置

#LVS上配置规则
[root@node01-Linux ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.25.0.100:80 rr
  -> 192.168.25.132:80            Masq    1      0          0         
  -> 192.168.25.133:80            Masq    1      0          0         
[root@node01-Linux ~]# ipvsadm -A -t 172.25.0.100:443 -s rr
[root@node01-Linux ~]# ipvsadm -a -t 172.25.0.100:443 -r 192.168.25.132 -m
[root@node01-Linux ~]# ipvsadm -a -t 172.25.0.100:443 -r 192.168.25.133 -m
[root@node01-Linux ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.25.0.100:80 rr
  -> 192.168.25.132:80            Masq    1      0          0         
  -> 192.168.25.133:80            Masq    1      0          0         
TCP  172.25.0.100:443 rr
  -> 192.168.25.132:443           Masq    1      0          0         
  -> 192.168.25.133:443           Masq    1      0          0 

#访问(下面的 curl -k 会跳过证书校验,只用于自签名证书的功能测试;要真正校验证书应改用 --cacert cacert.pem)
[root@node04-Linux ~]# for i in $(seq 8);do curl http://172.25.0.100;done
RS2
RS1
RS2
RS1
RS2
RS1
RS2
RS1
[root@node04-Linux ~]# for i in $(seq 8);do curl -k https://172.25.0.100;done
RS2
RS1
RS2
RS1
RS2
RS1
RS2
RS1


