lvs与haproxy区别
HAProxy的优点
- HAProxy也是支持虚拟主机的。
- HAProxy的优点能够补充Nginx的一些缺点,比如支持Session的保持,Cookie的引导,同时支持通过获取指定的url来检测后端服务器的状态。
- HAProxy跟LVS类似,本身就只是一款负载均衡软件,单纯从效率上来讲HAProxy会比Nginx有更出色的负载均衡速度,在并发处理上也是优于Nginx。
- HAProxy支持TCP协议的负载均衡转发,可以对MySQL读进行负载均衡对后端的MySQL节点进行检测和负载均衡,也可以用LVS+Keepalived对MySQL主从做负载均衡。
LVS的优点
- 使用Linux内核集群实现一个高性能、高可用的负载均衡服务器。
- 它具有很好的可伸缩性(Scalability)、可靠性(Reliability)和可管理性(Manageability)。
- 抗负载能力最强、是工作在网络第4层仅作分发之用,对内存和cpu资源消耗极低。
- 性能稳定,自身有完整的双机热备方案,比如LVS/DR+Keepalived。
- 无流量,LVS只分发请求,而流量并不从它本身出去,这点保证了均衡器IO的性能不会收到大流量的影响。
- 应用范围较广,因为LVS工作在4层,所以它几乎可对所有应用做负载均衡,包括http、数据库、在线聊天室等。
LVS的缺点
- 软件本身不支持正则表达式处理,不能做动静分离,这个就是Nginx/HAProxy+Keepalived的优势所在。
- 如果是网站应用比较庞大的话,LVS/DR+Keepalived实施起来就比较复杂了。
haproxy 负载均衡 http
环境说明
服务 | IP |
---|---|
haproxy服务器(DR)(CA) | 192.168.129.250 |
httpd服务器(RS1) | 192.168.129.134 |
httpd服务器(RS2) | 192.168.129.135 |
关闭所有防火墙和selinux
[root@DR ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config
[root@DR ~]# setenforce 0
[root@RS1 ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS1 ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config
[root@RS1 ~]# setenforce 0
[root@RS2 ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS2 ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config
[root@RS2 ~]# setenforce 0
在RS上安装httpd服务
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# echo "hello " > /var/www/html/index.html
[root@RS1 ~]# systemctl restart httpd
[root@RS1 ~]# systemctl enable --now httpd
[root@RS1 ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS1 ~]# setenforce 0
[root@RS1 ~]# curl 192.168.129.134
world
[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# echo "hhr " > /var/www/html/index.html
[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# systemctl enable --now httpd
[root@RS2 ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS2 ~]# setenforce 0
[root@RS2 ~]# curl 192.168.129.135
hello
安装haproxy
haproxy官网
//安装服务
[root@DR ~]# yum -y install openssl make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
//创建用户
[root@DR ~]# useradd -r -M -s /sbin/nologin haproxy
//下载haproxy包
[root@DR ~]# cd /usr/src/
[root@DR src]# wget https://github.com/haproxy/haproxy/archive/refs/tags/v2.4.0.tar.gz
[root@DR src]# tar xf v2.4.0.tar.gz
[root@DR src]# cd haproxy-2.4.0/
[root@DR haproxy-2.4.0]# make clean
[root@DR haproxy-2.4.0]# make -j $(grep 'processor' /proc/cpuinfo |wc -l) \
TARGET=linux-glibc \
USE_OPENSSL=1 \
USE_ZLIB=1 \
USE_PCRE=1 \
USE_SYSTEMD=1
[root@DR haproxy-2.4.0]# make install PREFIX=/usr/local/haproxy
//设置环境变量
[root@DR haproxy-2.4.0]# echo "export PATH=/usr/local/haproxy/sbin:$PATH">/etc/profile.d/haproxy.sh
[root@DR haproxy-2.4.0]# . /etc/profile.d/haproxy.sh
[root@DR haproxy-2.4.0]# which haproxy
/usr/local/haproxy/sbin/haproxy
//配置内核参数
[root@DR ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@DR ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
//提供配置文件
[root@DR ~]# mkdir /etc/haproxy
[root@DR ~]# cat > /etc/haproxy/haproxy.cfg <<EOF
#--------------全局配置----------------
global
log 127.0.0.1 local0 info
#log loghost local0 info
maxconn 20480
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option dontlognull
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin
timeout connect 10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3
#--------------统计页面配置------------------
listen admin_stats
bind 0.0.0.0:8189
stats enable
mode http
log global
stats uri /haproxy_stats
stats realm Haproxy\ Statistics
stats auth admin:admin
#stats hide-version
stats admin if TRUE
stats refresh 30s
#---------------web设置-----------------------
listen webcluster
bind 0.0.0.0:80
mode http
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
cookie SESSION_COOKIE insert indirect nocache
server web01 192.168.129.134:80 check inter 2000 fall 5
server web02 192.168.129.135:80 check inter 2000 fall 5
#server web01 192.168.129.250:80 cookie web01 check inter 2000 fall 5
EOF
//haproxy.service文件编写
[root@DR ~]# cat > /usr/lib/systemd/system/haproxy.service <<EOF
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target
[Service]
ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=/usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
EOF
[root@DR ~]# systemctl daemon-reload
//启动日志
[root@DR ~]# vim /etc/rsyslog.conf
local0.* /var/log/haproxy.log //加入这行
//重启服务
[root@DR ~]# systemctl restart rsyslog.service
//启动服务
[root@DR ~]# systemctl enable --now haproxy
Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service.
[root@DR ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:8189 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
图中绿色代表正在运行的主机服务,红色则表示该主机宕机
haproxy 负载均衡 https
证书生成
[root@RS1 ~]# mkdir ~/ssl
[root@RS1 ~]# cd ssl/
[root@RS1 ssl]# openssl genrsa -out pass.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
.+++++
e is 65537 (0x010001)
[root@RS1 ssl]# openssl req -new -key pass.key -out pass.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:pass
Common Name (eg, your name or your server's hostname) []:123.com
Email Address []:123@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
//生成证书crt
[root@RS1 ssl]# openssl x509 -req -days 3650 -in pass.csr -signkey pass.key -out pass.crtSignature ok
subject=C = cn, ST = hubei, L = wuhan, O = test, OU = pass, CN = 123.com, emailAddress = 123@qq.com
Getting Private key
[root@RS1 ssl]# ls
pass.crt pass.csr pass.key
//复制证书到指定位置
[root@RS1 ~]# yum -y install mod_ssl
[root@RS1 ~]# mkdir /etc/httpd/ssl && mv /root/keys/pass.* /etc/httpd/ssl/
[root@RS1 ~]# ls /etc/httpd/ssl/
pass.crt pass.csr pass.key
[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html" #注释取消
ServerName www.example.com:443 #注释取消
SSLCertificateFile /etc/httpd/ssl/pass.crt #修改此行路径
SSLCertificateKeyFile /etc/httpd/ssl/pass.key #修改此行路径
[root@RS1 ~]# systemctl restart httpd #重启服务
[root@RS1 ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
[root@RS2 ~]# mkdir ~/ssl
[root@RS2 ~]# cd ssl/
[root@RS2 ssl]# openssl genrsa -out pass.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
.+++++
e is 65537 (0x010001)
[root@RS2 ssl]# openssl req -new -key pass.key -out pass.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:pass
Common Name (eg, your name or your server's hostname) []:123.com
Email Address []:123@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
//生成证书crt
[root@RS2 ssl]# openssl x509 -req -days 3650 -in pass.csr -signkey pass.key -out pass.crtSignature ok
subject=C = cn, ST = hubei, L = wuhan, O = test, OU = pass, CN = 123.com, emailAddress = 123@qq.com
Getting Private key
[root@RS1 ssl]# ls
pass.crt pass.csr pass.key
//复制证书到指定位置
[root@RS2 ~]# yum -y install mod_ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl && mv /root/keys/pass.* /etc/httpd/ssl/
[root@RS2 ~]# ls /etc/httpd/ssl/
pass.crt pass.csr pass.key
[root@RS2 ~]# vim /etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html" #注释取消
ServerName www.example.com:443 #注释取消
SSLCertificateFile /etc/httpd/ssl/pass.crt #修改此行路径
SSLCertificateKeyFile /etc/httpd/ssl/pass.key #修改此行路径
[root@RS2 ~]# systemctl restart httpd #重启服务
[root@RS2 ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
//修改配置文件
[root@DR ~]# vim /etc/haproxy/haproxy.cfg
#--------------全局配置----------------
global
log 127.0.0.1 local0 info
#log loghost local0 info
maxconn 20480
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode tcp //模式改为tcp
log global
option dontlognull
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin
timeout connect 10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3
#--------------统计页面配置------------------
listen admin_stats
bind 0.0.0.0:8189
stats enable
mode http
log global
stats uri /haproxy_stats
stats realm Haproxy\ Statistics
stats auth admin:admin
#stats hide-version
stats admin if TRUE
stats refresh 30s
#---------------web设置-----------------------
listen webcluster
bind 0.0.0.0:443 //端口改为443
mode tcp //模式改为tcp
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
server web01 192.168.129.134:443 check inter 2000 fall 5 //端口改为443
server web02 192.168.129.135:443 check inter 2000 fall 5 //端口改为443
#server web01 192.168.129.250:80 cookie web01 check inter 2000 fall 5
[root@DR ~]# systemctl restart haproxy.service
测试