Haproxy 多域名证书配置 | 泽泽运维 (linuxhub.cn)
Haproxy实现多域名证书HTTPS
yum install 没有可用软件包 nginx。_大鱼的博客-CSDN博客
CentOS 7安装 PHP7.3_唐传林的博客-CSDN博客
rsync 用法教程 - 阮一峰的网络日志 (ruanyifeng.com)
HAProxy详解_ITPUB博客
haproxy详解
lvs/haproxy/nginx对比
lvs/haproxy/nginx/F5对比
在 TCP Mode 下,从 Haproxy 向 Nginx 传递客户端真实网络地址
proxy1: 192.168.3.18 keepalived+haproxy
proxy2: 192.168.3.23 keepalived+haproxy
web1: 192.168.3.15 nginx+php
web2: 192.168.3.20 nginx+php
vip1: 192.168.3.230
vip2: 192.168.3.232
-
注:本文为了省事在所有主机上直接关闭防火墙,这只适合实验环境。生产环境应保留 firewalld,只放行实际用到的流量:proxy1/proxy2 之间的 VRRP(IP 协议号 112)以及 80/443,web1/web2 上仅允许两台 proxy 访问 81/82(php-fpm 只监听 127.0.0.1:9000,不需要开放)。
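# Lab shortcut used throughout this walkthrough: the host firewall is turned
# off on every node (proxy1/proxy2/web1/web2). Acceptable on a test bench, not
# in production: with no host firewall the nginx vhosts on 81/82 are reachable
# by anything on the LAN, bypassing HAProxy entirely.
systemctl stop firewalld
systemctl disable firewalld

# Least-privilege alternative: keep firewalld running and open only what this
# setup actually uses.
# proxy1/proxy2 - VRRP adverts between the keepalived peers (IP protocol 112)
#                 plus the public HTTP/HTTPS listeners:
#   firewall-cmd --permanent --add-rich-rule='rule protocol value="vrrp" accept'
#   firewall-cmd --permanent --add-service=http --add-service=https
# web1/web2    - backend ports 81/82, only from the two proxies' real addresses:
#   firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.3.18" port port="81-82" protocol="tcp" accept'
#   firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.3.23" port port="81-82" protocol="tcp" accept'
#   (php-fpm on 127.0.0.1:9000 is loopback-only and needs no rule)
# then on each host: firewall-cmd --reload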
-
proxy1和proxy2安装keepalived/haproxy/psmisc
# Both proxy nodes need the VRRP daemon, the load balancer, and psmisc, which
# provides the killall(1) used by keepalived's chk_haproxy tracking script.
yum -y install keepalived haproxy psmisc
-
proxy1主机:keepalived.conf
[root@proxy1 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
#
# proxy1 is MASTER for both VIPs (priority 100; proxy2 runs the same two
# instances at 99, so proxy1 normally holds both addresses and proxy2 is a
# pure standby). virtual_router_id, auth_pass and the VIPs must be identical
# in the proxy2 copy. Lines marked "edit for your environment" are the ones
# changed from the stock template.
global_defs {
   # Left at the package defaults: the recipient list is empty, so no mail is
   # ever sent and smtp_server / notification_email_from are effectively unused.
   notification_email {
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 192.168.200.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
   vrrp_skip_check_adv_addr
   # vrrp_strict stays disabled - strict RFC mode would presumably reject the
   # PASS authentication used below; NOTE(review): confirm on the installed
   # keepalived before enabling it.
   #vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}

# Liveness check: "killall -0 haproxy" only tests that an haproxy process
# exists, not that it is serving traffic. With a positive weight keepalived
# ADDS 2 to the priority while the check passes and leaves it unchanged when
# it fails, so a MASTER whose haproxy died (100) is outbid by a BACKUP whose
# haproxy is alive (99 + 2 = 101) - that is what moves the VIP. The script runs
# with keepalived's own privileges; keepalived >= 1.3 logs a security warning
# for that unless enable_script_security / script_user are configured -
# NOTE(review): verify against the installed version.
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight 2
}

vrrp_instance VI_1 {
    state MASTER
    interface enp0s3          # edit for your environment
    virtual_router_id 51
    priority 100
    advert_int 1
    # SECURITY: auth_type PASS sends the password in clear text inside every
    # VRRP advert on the LAN, and VRRP authentication was dropped from RFC 5798
    # because it provides no real protection - any host on this L2 segment can
    # send adverts with a higher priority and take the VIP. Treat the segment
    # as trusted (or switch to unicast_peer) rather than relying on this.
    # If you change auth_pass, change it on proxy1 and proxy2 in the same
    # maintenance window, otherwise the peers stop accepting each other.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.3.230/24      # edit for your environment
    }
    track_script {
        chk_haproxy           # edit for your environment
    }
}

vrrp_instance VI_2 {
    state MASTER
    interface enp0s3          # edit for your environment
    virtual_router_id 52      # edit for your environment
    priority 100
    advert_int 1
    # same caveat as VI_1: PASS auth is not a security boundary
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.3.232/24      # edit for your environment
    }
    track_script {
        chk_haproxy           # edit for your environment
    }
}
-
proxy2主机:keepalived.conf
[root@proxy2 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
#
# proxy2 is BACKUP for both VIPs (priority 99 vs. 100 on proxy1). Everything
# except state/priority must match the proxy1 copy: virtual_router_id,
# auth_pass, VIPs and the tracking script. Lines marked "edit for your
# environment" are the ones changed from the stock template.
global_defs {
   # Left at the package defaults: the recipient list is empty, so no mail is
   # ever sent and smtp_server / notification_email_from are effectively unused.
   notification_email {
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 192.168.200.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
   vrrp_skip_check_adv_addr
   # vrrp_strict stays disabled - strict RFC mode would presumably reject the
   # PASS authentication used below; NOTE(review): confirm on the installed
   # keepalived before enabling it.
   #vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}

# check whether the haproxy process is alive
# "killall -0 haproxy" only proves a process exists, not that it serves
# traffic. Positive weight: +2 priority while the check passes, unchanged when
# it fails - so when proxy1's haproxy dies this node (99 + 2 = 101) outbids it
# (100) and takes the VIP. The script runs with keepalived's own privileges;
# keepalived >= 1.3 warns about that unless enable_script_security /
# script_user are set - NOTE(review): verify against the installed version.
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight 2
}

# Foshan region and the app API
vrrp_instance VI_1 {
    state BACKUP
    interface enp0s3          # edit for your environment
    virtual_router_id 51      # edit for your environment
    priority 99               # edit for your environment
    advert_int 1
    # SECURITY: auth_type PASS sends the password in clear text inside every
    # VRRP advert on the LAN, and VRRP authentication was dropped from RFC 5798
    # because it provides no real protection - any host on this L2 segment can
    # send adverts with a higher priority and take the VIP. Treat the segment
    # as trusted (or switch to unicast_peer) rather than relying on this.
    # If you change auth_pass, change it on proxy1 and proxy2 in the same
    # maintenance window, otherwise the peers stop accepting each other.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.3.230/24      # edit for your environment
    }
    track_script {
        chk_haproxy           # edit for your environment
    }
}

# VIP for the other regions
vrrp_instance VI_2 {
    state BACKUP              # edit for your environment
    interface enp0s3          # edit for your environment
    virtual_router_id 52      # edit for your environment
    priority 99               # edit for your environment
    advert_int 1
    # same caveat as VI_1: PASS auth is not a security boundary
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.3.232/24      # edit for your environment
    }
    track_script {
        chk_haproxy           # edit for your environment
    }
}
-
proxy1和proxy2主机:/etc/haproxy/haproxy.cfg(注意文件名是 haproxy.cfg 而不是 haproxy.conf;两台 proxy 使用完全相同的一份配置)
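[root@proxy1 ~]# cat /etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# HAProxy configuration shared by proxy1 and proxy2. The file is copied
# verbatim to proxy2, so nothing in it may be host specific.
#
# Traffic flow: keepalived VIPs -> :80/:443 here -> nginx on web1/web2
#   web.cn, qtweb.cn -> backend webproject (nginx :81)
#   app.cn           -> backend appproject (nginx :82)
# TLS is terminated here; the hop to the web nodes is plain HTTP on the LAN.
#
# Review notes (details inline):
#   - The aaa.com/bbb.com "http_server" example pasted in from the
#     multi-domain-certificate article is now commented out. It bound *:80
#     and :443 a second time next to http_proxy, which - depending on
#     version/kernel - either fails to bind or, because HAProxy sets
#     SO_REUSEPORT on Linux, silently splits incoming connections between
#     the two frontends at random. Its "$filepath" line is a template, not
#     a real path, and also breaks "haproxy -c".
#   - X-Forwarded-Proto is derived from ssl_fc instead of being hard-coded
#     to "https" for plain-HTTP requests as well, and is set (not appended)
#     so a client cannot smuggle its own value through.
#   - Minimum TLS settings and a restricted stats socket were added.
#
# Full option reference (this file was started from the 1.4 template):
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    # DH parameters for DHE ciphers; the old 1024-bit default is too weak.
    tune.ssl.default-dh-param 2048
    # Baseline TLS hygiene applied to every "bind ... ssl" below (HAProxy >= 1.5):
    # no SSLv3 / TLS 1.0 / TLS 1.1, forward-secret AEAD ciphers only.
    # NOTE(review): relax no-tlsv11 only if a client audit proves it is needed.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5:!DSS

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    # The socket gives runtime control over the proxy (disable servers, dump
    # sessions ...), so keep it root-only. "operator" is the default level;
    # raise it to "admin" only if you really need to change servers at runtime.
    stats socket /var/lib/haproxy/stats mode 600 level operator

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    # X-Forwarded-For is appended for every request; backends must trust
    # only the last (proxy-added) entry, never an arbitrary client value.
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    # 10s for a complete request header bounds slowloris-style clients
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

# Statistics page - disabled. If you enable it, bind it to a management
# address instead of 0.0.0.0 and replace the haproxy:123456 credentials:
# the page lists every backend and lets "admin" level users take servers
# down, and the password travels in clear text over HTTP.
#listen stats
#    mode http
#    bind 0.0.0.0:8888
#    stats refresh 30s
#    stats enable
#    stats uri /stats
#    stats auth haproxy:123456

#---------------------------------------------------------------------
# Reference example kept from the stock template and from the
# multi-domain certificate article (aaa.com / bbb.com, backends on
# 192.168.10.x). NOT part of this deployment - see the review note at the
# top. Left commented so the certificate/SNI pattern stays documented.
#---------------------------------------------------------------------
#frontend main *:80
#    acl url_static       path_beg       -i /static /images /javascript /stylesheets
#    acl url_static       path_end       -i .jpg .gif .png .css .js
#
#    use_backend static          if url_static
#    default_backend             app
#
#frontend http_server
#    bind *:80
#    bind :443 ssl crt /etc/haproxy/ssl/aaa.com/server.pem crt /etc/haproxy/ssl/bbb.com/server.pem
#    # with more sites, keep appending "crt <file>" to the same bind line
#    # (template form, not a real path):
#    # bind :443 ssl crt $filepath crt $file2path crt $file3path
#    mode http
#    acl ssl hdr_reg(host) -i ^(aaa.com|bbb.com)$
#    redirect scheme https code 301 if !{ ssl_fc } ssl
#    acl aaa_project hdr_reg(host) -i ^(aaa.com)$
#    # the ssl_fc_sni part pairs the vhost with the certificate the client asked for
#    use_backend aaa_com if aaa_project { ssl_fc_sni aaa.com }
#    acl bbb_project hdr_dom(host) -i bbb.com
#    use_backend bbb_com if bbb_project { ssl_fc_sni bbb.com }
#
#backend aaa_com
#    server test2 192.168.10.2:80 check port 80 inter 5000 rise 2 fall 3 weight 1
#backend bbb_com
#    server test4 192.168.10.4:80 check port 80 inter 5000 rise 2 fall 3 weight 1

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend http_proxy
    bind *:80
    ######## HTTPS certificates ############
    # Each .pem = private key + certificate (+ intermediate chain); HAProxy
    # selects the certificate by SNI. The files contain private keys: keep
    # them root-owned, mode 0600, and copy them to proxy2 with permissions
    # preserved (the config is identical there and references the same paths).
    bind *:443 ssl crt /etc/haproxy/ssl/api.linuxhub.cn.pem crt /etc/haproxy/ssl/www.linuxhub.cn.pem
    option httpclose
    option forwardfor
    # Tell the backend which scheme the client really used. set-header
    # overwrites any X-Forwarded-Proto the client sent; the previous
    # "reqadd X-Forwarded-Proto:\ https" appended "https" even for plain
    # HTTP on :80, so the application could not tell the two apart.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http  if !{ ssl_fc }
    # Optional: force HTTPS for everything (the article example does this).
    # http-request redirect scheme https code 301 unless { ssl_fc }

    # Multiple domains; the Foshan region and the other regions run the same
    # code base:
    #   web.cn   -> website
    #   qtweb.cn -> other regions
    #   app.cn   -> app API
    # hdr_beg matches the start of the Host header, so "web.cn:443" also
    # routes. A Host that matches nothing gets a 503 because there is no
    # default_backend - the safe choice, since every vhost is name-based.
    acl WEB_PROJECT   hdr_beg(host) web.cn
    acl QTWEB_PROJECT hdr_beg(host) qtweb.cn
    acl APP_PROJECT   hdr_beg(host) app.cn
    use_backend webproject if WEB_PROJECT
    use_backend webproject if QTWEB_PROJECT
    use_backend appproject if APP_PROJECT

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
# (template leftover - nothing routes here)
#---------------------------------------------------------------------
backend static
    balance     roundrobin
    server      static 127.0.0.1:4331 check

#---------------------------------------------------------------------
# round robin balancing between the various backends
# ("app" is another unreferenced template leftover; it targets the
# default nginx vhost on :80, not the project vhosts on :81/:82)
#---------------------------------------------------------------------
backend app
    balance     roundrobin
    stats hide-version
    server  web1 192.168.3.15:80 check
    server  web2 192.168.3.20:80 check

# web.cn / qtweb.cn -> nginx vhost on :81 (document root .../webproject)
backend webproject
    mode http
    option forwardfor
    stats hide-version
    balance roundrobin
    server  web1 192.168.3.15:81 check
    server  web2 192.168.3.20:81 check

# app.cn -> nginx vhost on :82 (document root .../appproject)
backend appproject
    mode http
    option forwardfor
    stats hide-version
    balance roundrobin
    server  web1 192.168.3.15:82 check
    server  web2 192.168.3.20:82 check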
-
scp命令同步文件
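# Push the shared HAProxy config to the standby node. -p preserves mode and
# timestamps. The target is under /etc, so "username" needs write access
# there (root, or an account that stages the file and moves it with sudo);
# on the first connection compare the host-key fingerprint, do not just
# accept it.
scp -p /etc/haproxy/haproxy.cfg username@proxy2_host:/etc/haproxy/haproxy.cfg

# haproxy.cfg references /etc/haproxy/ssl/*.pem - files that contain the
# private keys. They must exist on proxy2 as well or haproxy will not start
# there after a failover; copy the directory with permissions preserved and
# keep the keys root-owned / 0600 on both hosts.
scp -rp /etc/haproxy/ssl username@proxy2_host:/etc/haproxy/

# On proxy2, validate before (re)starting: haproxy -c -f /etc/haproxy/haproxy.cfg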
-
也可以用rsync命令同步
# Same transfer with rsync. It runs over ssh by default, so host-key checking
# and the account's permissions on /etc/haproxy apply exactly as with scp.
# --recursive is a no-op for a single file and is kept only because the
# original command used it.
rsync --recursive /etc/haproxy/haproxy.cfg username@proxy2_host:/etc/haproxy/haproxy.cfg
-
重启haproxy
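# Validate the config before restarting. A typo would otherwise leave the
# proxy down - and because the identical file is copied to proxy2, it would
# take the standby down too, leaving keepalived nothing to fail over to.
# "restart" is required for the first start after installation; for later
# config changes prefer "systemctl reload haproxy", which keeps established
# connections while the new process binds. Note that keepalived's
# chk_haproxy polls every 2s, so a slow restart can also trigger a VIP move.
haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl restart haproxy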
-
解决haproxy - unable to load SSL private key from PEM file
haproxy 启动时报上述错误,通常是因为 bind 行引用的 pem 文件里只有证书、没有私钥。HAProxy 要求一个 pem 文件同时包含私钥和证书:一般拿到的是 .key 私钥文件和 .crt 证书文件(.crt 是证书,并不是"公钥"),按 私钥、证书、中间证书链 的顺序把它们拼接成一个文件即可,例如 `cat site.key site.crt chain.crt > site.pem`。拼接后的文件包含私钥,应当 root 所有、权限 600,同步到 proxy2 时保留权限。文件内容形如:-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
-
web1与web2主机的nginx服务
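[root@web1 html]# cat /etc/nginx/conf.d/vhost.conf
# Backend vhosts behind HAProxy: :81 serves the website code base
# (web.cn / qtweb.cn), :82 the app API (app.cn). The same file is copied to
# web2, so nothing in it may be host specific. TLS is terminated on the
# proxies - these listeners receive plain HTTP from the LAN.
#
# Review changes: try_files guard in the PHP locations (pathinfo RCE),
# HTTP_PROXY cleared (httpoxy), dotfiles/.git refused, and access limited
# to the proxy nodes since the host firewall is disabled in this setup.

server {
    listen 81;
    root   /usr/share/nginx/html/webproject;

    # Only the proxies may reach the backend directly. HAProxy connects from
    # its primary address (the real IP of proxy1/proxy2); the VIPs are listed
    # too in case a proxy ever sources a connection from one of them.
    allow 192.168.3.18;
    allow 192.168.3.23;
    allow 192.168.3.230;
    allow 192.168.3.232;
    deny  all;

    # The connecting address is always a proxy; to log or rate-limit on the
    # real client, trust X-Forwarded-For only from the proxies. Needs
    # ngx_http_realip_module - NOTE(review): confirm with "nginx -V" first.
    # set_real_ip_from 192.168.3.18;
    # set_real_ip_from 192.168.3.23;
    # real_ip_header   X-Forwarded-For;

    # The code is deployed with "git clone" into the document root; refuse
    # dotfiles so .git (full source history), .env and similar are never served.
    # Listed before the PHP location: for regex locations the first match wins.
    location ~ /\. {
        deny all;
    }

    location / {
        index index.php index.html index.htm;
    }

    location ~ \.php$ {
        # Refuse URIs whose script does not exist on disk. Without this,
        # "/uploads/pic.jpg/x.php" is handed to php-fpm, which with the
        # default cgi.fix_pathinfo=1 executes pic.jpg as PHP - the classic
        # nginx + PHP-FPM upload-to-RCE hole. Set cgi.fix_pathinfo=0 as well.
        try_files $uri =404;
        # php-fpm listens on loopback only
        fastcgi_pass 127.0.0.1:9000;
        # only consulted when the URI ends in "/", which cannot happen inside
        # this \.php$ location; harmless, kept as part of the standard snippet
        fastcgi_index index.php;
        # absolute path of the script php-fpm should run
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # standard FastCGI variables (REQUEST_METHOD, HTTP_* headers, ...)
        include fastcgi_params;
        # httpoxy (CVE-2016-5385): a client "Proxy:" header must never become
        # HTTP_PROXY in the PHP environment
        fastcgi_param HTTP_PROXY "";
    }
}

server {
    listen 82;
    root   /usr/share/nginx/html/appproject;

    # same access restriction as the :81 vhost (see comments there)
    allow 192.168.3.18;
    allow 192.168.3.23;
    allow 192.168.3.230;
    allow 192.168.3.232;
    deny  all;

    # set_real_ip_from 192.168.3.18;
    # set_real_ip_from 192.168.3.23;
    # real_ip_header   X-Forwarded-For;

    # never serve .git / dotfiles from the checkout
    location ~ /\. {
        deny all;
    }

    location / {
        index index.php index.html index.htm;
    }

    location ~ \.php$ {
        # pathinfo guard - see the :81 vhost
        try_files $uri =404;
        # php-fpm listens on loopback only
        fastcgi_pass 127.0.0.1:9000;
        # unused inside a \.php$ location; kept as part of the standard snippet
        fastcgi_index index.php;
        # absolute path of the script php-fpm should run
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # standard FastCGI variables
        include fastcgi_params;
        # httpoxy (CVE-2016-5385) mitigation
        fastcgi_param HTTP_PROXY "";
    }
}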
-
scp命令同步vhost.conf文件
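# Push the same vhost file to web2 (mode/timestamps preserved; writing into
# /etc/nginx needs root there). Run "nginx -t" on web2 before reloading.
# The SELinux port label for 82 (semanage port ...) is per host and does
# NOT travel with this file - repeat that step on web2 or nginx will fail
# to bind :82 there.
scp -p /etc/nginx/conf.d/vhost.conf username@web2_host:/etc/nginx/conf.d/vhost.conf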
-
Nginx 启动报 [emerg] bind() to 0.0.0.0:XXXX failed (13: Permission denied) 错误处理(RunSnail的博客-CSDN博客)。原因是 SELinux 处于 enforcing,而该端口没有标记为 http_port_t;正确做法是用下面的 semanage 给端口打标签,而不是关闭 SELinux。
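# SELinux stays enforcing on the web nodes - good; do not "setenforce 0" to
# make bind() errors go away. nginx may only bind ports labelled http_port_t.
# 81 is already in the policy, 82 is not, hence
# "bind() to 0.0.0.0:82 failed (13: Permission denied)" at start-up.
[root@web1 html]# semanage port -l | grep http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
# Label 82 as an HTTP port. "-a" fails if the port already carries another
# label; in that case modify the existing record with "-m" instead.
# Repeat on web2 - port labels are per host and are not copied with vhost.conf.
[root@web1 html]# semanage port -a -t http_port_t -p tcp 82 || semanage port -m -t http_port_t -p tcp 82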
-
开放端口CentOS7 中 semanage命令的安装_RunSnail的博客-CSDN博客
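# "semanage" is not a package name, so the first attempt always fails with
# "No package semanage available". On CentOS 7 the tool ships in
# policycoreutils-python; the provides query below is how to find that out.
# yum install semanage                 # -> No package semanage available.
# yum provides '*bin/semanage'         # -> policycoreutils-python
yum -y install policycoreutils-python.x86_64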
-
重启nginx
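# Syntax-check the new vhost before restarting so a typo does not take this
# backend out of the pool (HAProxy's health checks would then fail it).
# For later edits "systemctl reload nginx" is enough and keeps connections.
nginx -t && systemctl restart nginx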
CentOS 7安装 PHP7.3_唐传林的博客-CSDN博客
-
安装PHP
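# PHP 7.3 from the remi repository (the php73-* names are remi's SCL-style
# packages, so remi-release must be installed and enabled first - see the
# linked "CentOS 7 安装 PHP7.3" article). Changes to the original list:
#   - php73-php-xmll was a typo for php73-php-xml
#   - php73-php-soap was listed twice
# NOTE(review): mcrypt was removed from PHP core in 7.2; php73-php-mcrypt
# probably does not exist in remi and php73-php-pecl-mcrypt is the
# unmaintained PECL port - drop both unless the application needs them and
# prefer openssl/sodium. Some other names (curl/openssl/socket/redis) may
# also not match remi's real package names; yum reports "No package ...
# available" for those and still installs the rest, so check the output.
# After install, confirm the php-fpm pool listens on 127.0.0.1:9000 (what
# the nginx vhosts expect) and set cgi.fix_pathinfo=0 in php.ini.
yum install -y \
    php73-php-fpm php73-php-cli php73-php-bcmath php73-php-gd php73-php-json \
    php73-php-mbstring php73-php-mcrypt php73-php-mysqlnd php73-php-opcache \
    php73-php-pdo php73-php-pecl-crypto php73-php-pecl-mcrypt php73-php-pecl-geoip \
    php73-php-recode php73-php-snmp php73-php-soap php73-php-xml php73-php-curl \
    php73-php-redis php73-php-openssl php73-php-zip php73-php-socket php73-php-swoole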
-
部署代码
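# Deploy the application code on web1/web2.
# NOTE(review): the nginx vhosts serve /usr/share/nginx/html/webproject and
# /usr/share/nginx/html/appproject, not /var/www/html - either clone into
# those document roots or point "root" at this path, otherwise nginx serves
# nothing from the checkout.
cd /var/www/html || exit 1
# Clone with a read-only deploy key. The .git directory ends up inside the
# web root, so the nginx vhost must refuse requests for dotfiles.
git clone git@***.git
# Run inside the cloned directory (where composer.json lives). "composer
# update" re-resolves every dependency to its newest allowed version on each
# deploy - non-reproducible builds and unreviewed upstream code in production.
# "install" reproduces the committed composer.lock exactly. Run it as the
# deploy user, not root, and without dev packages.
composer install --no-dev --no-interaction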