[root@DR ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# vim /etc/selinux/config
SELINUX=disabled
# 3台主机都需要关闭防火墙和selinux(这是实验环境的简化做法;生产环境建议保留防火墙和selinux,只放行所需端口)
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
//安装mod_ssl模块实现https加密认证
[root@RS1 ~]# yum install mod_ssl
[root@RS2 ~]# yum install mod_ssl
ssl配置
两台虚拟机都需要操作
//生成密钥(私钥)
[root@RS1 ~]# mkdir ssl
[root@RS1 ~]# cd ssl/
[root@RS1 ssl]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
...+++++
e is 65537 (0x010001)
//生成证书请求文件
[root@RS1 ssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn //国家代码
State or Province Name (full name) []:hubei //省份
Locality Name (eg, city) [Default City]:wuhan //城市
Organization Name (eg, company) [Default Company Ltd]:ysd // 公司
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: //域名,应填写客户端访问时使用的主机名(示例中留空,浏览器校验证书时会报名称不匹配)
Email Address []: //邮箱地址
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //可选密码
An optional company name []: //不填
//用私钥自签生成证书crt,有效期365天(自签名证书不被浏览器默认信任,访问时会出现安全提示)
[root@RS1 ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = cn, ST = hubei, L = wuhan, O = ysd
//复制证书到指定位置(server.key 是私钥,复制后应限制其权限,例如 chmod 600,避免被其他本地用户读取)
[root@RS1 ssl]# cd /etc/httpd/
[root@RS1 httpd]# cp -r /root/ssl/ /etc/httpd/
[root@RS1 httpd]# ll | grep ssl
drwxr-xr-x 2 root root 60 10月 18 2:49 ssl
//ssl.conf配置文件导入证书,默认站点使用此配置文件
[root@RS1 httpd]# vim /etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html" 取消这两行(DocumentRoot 和 ServerName)的注释
ServerName www.example.com:443
# 更改证书路径
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
//重启服务
[root@localhost ssl]# systemctl restart httpd
网页访问
部署haproxy
//下载软件包(建议核对所下载文件的校验值,确认来源可靠后再编译安装)
[root@DR ~]# wget https://github.com/haproxy/haproxy/archive/refs/tags/v2.4.0.tar.gz
//安装依赖包
[root@DR ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
//创建haproxy用户
[root@DR ~]# useradd -r -M -s /sbin/nologin haproxy
//解压压缩包
[root@DR ~]# tar xf v2.4.0.tar.gz
[root@DR ~]# cd haproxy-2.4.0/
[root@DR haproxy-2.4.0]# ls
addons CONTRIBUTING include Makefile scripts VERDATE
admin dev INSTALL README src VERSION
BRANCHES doc LICENSE reg-tests SUBVERS
CHANGELOG examples MAINTAINERS ROADMAP tests
# 因为里面已经有Makefile,也就是说configure那一步已经做过了,后面直接make编译安装即可
//编译安装
[root@DR haproxy-2.4.0]# make clean
[root@DR haproxy-2.4.0]# make -j $(grep 'processor' /proc/cpuinfo |wc -l) \
TARGET=linux-glibc \
USE_OPENSSL=1 \
USE_ZLIB=1 \
USE_PCRE=1 \
USE_SYSTEMD=1
//安装到/usr/local/haproxy
[root@DR haproxy-2.4.0]# make install PREFIX=/usr/local/haproxy
[root@DR local]# ls
bin games include lib64 sbin src
etc haproxy lib libexec share
//把haproxy加入PATH环境变量,让系统能找到haproxy
[root@DR ~]# vim /etc/profile.d/haproxy.sh
export PATH=/usr/local/haproxy/sbin:$PATH
[root@DR ~]# source /etc/profile.d/haproxy.sh # 读取配置文件
[root@DR ~]# which haproxy
/usr/local/haproxy/sbin/haproxy //这样就能找到haproxy了
//配置各个负载的内核参数
[root@DR ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@DR ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1 //IP绑定,绑定一个非本地的IP,此IP没有在网卡中配置,但是可以用。安装haproxy时自动创建的
net.ipv4.ip_forward = 1 //打开IP转发功能(haproxy 是用户态代理,本身并不依赖此项;开启后本机会转发经过它的IP数据包,如无需要可不开启)
//提供配置文件(注意:下面各行末尾 // 之后的中文为说明文字,写入 haproxy.cfg 时必须去掉,否则 haproxy 会因多余参数而拒绝加载;haproxy.cfg 的注释以 # 开头)
[root@DR ~]# mkdir /etc/haproxy
[root@DR ~]# cat > /etc/haproxy/haproxy.cfg <<EOF
#--------------全局配置----------------
global
log 127.0.0.1 local0 info
#log loghost local0 info
maxconn 20480 //最大连接数
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon //后台运行
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults //默认的设置
mode tcp
log global //日志记录方式
option dontlognull
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin //轮询算法
timeout connect 10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3 //连接重试次数为3,重试3次仍失败则判定出错
#--------------统计页面配置------------------ //后台界面
listen admin_stats
bind 0.0.0.0:8189 //统计页面的监听地址和端口,0.0.0.0 表示在所有网卡上监听,建议改为管理网段地址
stats enable
mode http
log global
stats uri /haproxy_stats //统计页面的访问路径
stats realm Haproxy\ Statistics
stats auth admin:admin //统计页面的用户名和密码,此处为示例弱口令,而且下面的 stats admin 允许登录者直接操作后端,生产环境务必修改并限制访问来源
#stats hide-version
stats admin if TRUE
stats refresh 30s
#---------------web设置----------------------- //前台界面(mode tcp 为 TLS 透传,证书由后端 RS 自己提供;cookie、httplog 等 HTTP 选项在 tcp 模式下不生效,haproxy 会给出警告)
listen webcluster
bind 0.0.0.0:443
mode tcp
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
cookie SESSION_COOKIE insert indirect nocache
server web01 192.168.57.131:443 check inter 2000 fall 5
server web02 192.168.57.135:443 check inter 2000 fall 5
#server web01 192.168.57.60:443 cookie web01 check inter 2000 fall 5
EOF
编写一个service文件,设置开机自启
[root@DR ~]# cat /usr/lib/systemd/system/haproxy.service
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target
[Service]
ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=/usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
//重新加载配置文件
[root@DR ~]# systemctl daemon-reload
[root@DR ~]# systemctl enable --now haproxy
//配置haproxy日志输出
[root@DR ~]# vim /etc/rsyslog.conf
local0.* /var/log/haproxy.log //加入这行(还需在 rsyslog.conf 中启用 imudp 模块并监听 514 端口,否则 haproxy 通过 UDP 发往 127.0.0.1 的日志不会被接收)
//重启服务
[root@DR ~]# systemctl restart rsyslog.service
[root@DR ~]# systemctl restart haproxy
[root@DR ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8189 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
此时访问调度器IP即可负载到两台机器(注意上面 ss 的输出中应能看到 443 端口处于 LISTEN 状态,否则说明 haproxy 未按此配置成功启动)
//统计页面中绿色代表后端运行正常,红色说明该主机的健康检查失败(宕机或服务不可达)