haproxy

haproxy

haproxy安装

[root@haproxy haproxy-2.4.0]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

[root@haproxy haproxy-2.4.0]# make -j $(grep 'processor' /proc/cpuinfo |wc -l)  \
> TARGET=linux-glibc  \
> USE_OPENSSL=1  \
> USE_ZLIB=1  \
> USE_PCRE=1  \
> USE_SYSTEMD=1
  CC      src/ev_poll.o
  CC      src/ev_epoll.o
  CC      src/cpuset.o

[root@haproxy opt]# cd /usr/local/
[root@haproxy local]# ls
bin  games    include  lib64    sbin   src
etc  haproxy  lib      libexec  share
[root@haproxy local]# cd haproxy/
[root@haproxy haproxy]# ls
doc  sbin  share
[root@haproxy haproxy]# cd sbin/
[root@haproxy sbin]# ls
haproxy


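配置各个负载的内核参数(net.ipv4.ip_nonlocal_bind 允许进程绑定本机尚未配置的地址,例如高可用场景下的 VIP;net.ipv4.ip_forward 会让主机转发 IP 报文,HAProxy 作为反向代理通常并不依赖它,如果这台机器不承担路由/NAT 角色,可以不开启,以减少暴露面)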

[root@haproxy sbin]# echo 'net.ipv4.ip_nonlocal_bind = 1' >>  /etc/sysctl.conf
[root@haproxy sbin]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@haproxy sbin]# sysctl  -p 
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1

提供配置文件

[root@haproxy haproxy]# cat haproxy.cfg 
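#-------------- Global settings ----------------
global
    # Logs are sent to the local syslog daemon with facility local0. The syslog
    # daemon must accept them on 127.0.0.1 and have a rule for the same
    # facility (local0), otherwise nothing reaches the log file.
    log 127.0.0.1 local0  info
    #log loghost local0 info
    maxconn 20480
    # NOTE(review): chroot is left disabled in this listing; enabling it limits
    # what the process can reach on the filesystem if it is ever compromised.
#chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    #maxconn 4000
    # Run as the unprivileged haproxy account. The user and group must already
    # exist; their creation is not shown on this page.
    user haproxy
    group haproxy
    daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option dontlognull
    option httpclose
    option httplog
    # With forwardfor disabled the backends only see the proxy's address as
    # the client, which also affects their access logs.
    #option forwardfor
    option redispatch
    balance roundrobin
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
    maxconn 60000
    retries 3
#-------------- Stats page ------------------
listen admin_stats
    # NOTE(review): the stats page listens on every interface over plain HTTP,
    # so the Basic-auth credentials below travel unencrypted. Outside a lab,
    # bind it to a management address or 127.0.0.1, or filter by source.
    bind 0.0.0.0:8189
    stats enable
    mode http
    log global
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    # NOTE(review): admin:admin is a guessable default credential. Replace it
    # with a unique, strong password before anyone else can reach this port.
    stats auth admin:admin
    # NOTE(review): hide-version is commented out, so the page reports the
    # HAProxy version to whoever can open it.
    #stats hide-version
    # "if TRUE" gives every authenticated user of this page the admin actions
    # (changing server state). Together with the default credential above that
    # is control over the whole backend pool.
    stats admin if TRUE
    stats refresh 30s
#--------------- Web cluster -----------------------
listen webcluster
    bind 0.0.0.0:80
    mode http
    # Without httpchk, "check" below is only a TCP connect test: a backend
    # that accepts connections but serves errors still counts as healthy.
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    # NOTE(review): no active server line sets a "cookie <value>", so this
    # directive presumably gives no persistence as written (compare the
    # commented example at the end) - confirm.
    cookie SESSION_COOKIE insert indirect nocache
    # Each server needs its own name so that logs, the stats page and admin
    # actions can tell the two backends apart.
    server web01 192.168.72.135:80 check inter 2000 fall 5
    server web02 192.168.72.138:80 check inter 2000 fall 5
    #server web01 192.168.80.102:80 cookie web01 check inter 2000 fall 5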

haproxy.service文件编写

[root@haproxy ~]# cat /usr/lib/systemd/system/haproxy.service 
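[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target

[Service]
# Check the configuration before starting (-c: check only, -q: quiet), so a
# broken file makes the start fail with a clear error.
ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg   -c -q
# -Ws: master-worker mode with systemd notification support; it needs the
# USE_SYSTEMD=1 build used on this page.
# NOTE(review): -Ws is normally paired with Type=notify; no Type= is set in
# this unit - confirm which service type is intended.
ExecStart=/usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg  -p /var/run/haproxy.pid
# SIGUSR2 asks the master process to reload. systemd replaces $MAINPID with
# the PID of the main process; without a PID argument kill has no target and
# "systemctl reload haproxy" fails.
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target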
[root@haproxy ~]# 
[root@haproxy ~]# systemctl daemon-reload

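启用日志(注意:rsyslog 规则里的 facility 必须与 haproxy.cfg 中 log 行使用的一致——上文配置用的是 local0,后文 HTTPS 配置用的是 local2,而下面的规则写的是 local7,按此配置日志不会写入 /var/log/haproxy.log;另外 rsyslog 还需要启用 UDP 接收(imudp 模块)才能收到 HAProxy 发往 127.0.0.1 的日志,最好只监听本地地址)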

[root@haproxy ~]# vim /etc/rsyslog.conf
local7.*    /var/log/haproxy.log

[root@haproxy ~]# systemctl restart rsyslog

[root@haproxy ~]# systemctl restart haproxy
[root@haproxy ~]# ss -antl
State   Recv-Q  Send-Q   Local Address:Port                Peer Address:Port              
LISTEN  0       128            0.0.0.0:8189                     0.0.0.0:*                 
LISTEN  0       128            0.0.0.0:80                       0.0.0.0:*                 
LISTEN  0       128            0.0.0.0:22                       0.0.0.0:*                 
LISTEN  0       128               [::]:22                          [::]:*                 
[root@haproxy ~]# 

测试

[root@haproxy ~]# for i in $(seq 10);do curl 192.168.72.131;done
web01
web02
web01
web02
web01
web02
web01
web02
web01
web02

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

Haproxy负载均衡https

在上面的基础上
在RS1和RS2
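生成证书(注意:下面第一次尝试生成带口令保护的 2048 位密钥时,因口令不足 4 个字符、两次输入不一致而失败,只留下一个无效的 server.key;随后改用的是 1024 位、无口令保护的 RSA 密钥。1024 位 RSA 已不满足当前的安全要求,实际环境应至少使用 2048 位,并将私钥权限收紧为仅 root 可读,例如 chmod 600 server.key。此外这里的 ca.crt 与 server.crt 共用同一把私钥,且 Common Name 留空,只相当于测试用的自签名证书,客户端无法据此验证服务器身份。)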

[root@RS1 //]# cd
[root@RS1 ~]# cd /etc/httpd/
[root@RS1 httpd]# ls
conf    conf.modules.d  modules  state
conf.d  logs            run
[root@RS1 httpd]# mkdir ssl
[root@RS1 httpd]# cd ssl/
[root@RS1 ssl]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................................+++++
........................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
139940908242752:error:28078065:UI routines:UI_set_result_ex:result too small:crypto/ui/ui_lib.c:905:You must type in 4 to 1023 characters
Enter pass phrase for server.key:
139940908242752:error:2807106B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:545:while reading strings
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Verify failure
User interface error
139940908242752:error:28078065:UI routines:UI_set_result_ex:result too small:crypto/ui/ui_lib.c:905:You must type in 4 to 1023 characters
139940908242752:error:2807106B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:545:while reading strings
139940908242752:error:2807106B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:545:while reading strings
139940908242752:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:crypto/pem/pem_lib.c:357:

[root@RS1 ssl]# ls
server.key
[root@RS1 ssl]# openssl rsa -in server.key -out server.key
unable to load Private Key
139742531700544:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY
[root@RS1 ssl]# openssl genrsa 1024 > server.key
Generating RSA private key, 1024 bit long modulus (2 primes)
.+++++
.......................................................................+++++
e is 65537 (0x010001)

[root@RS1 ssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:RS1
string is too long, it needs to be no more than 2 bytes long
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@RS1 ssl]# openssl req -new -x509 -key server.key -out ca.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@RS1 ssl]# 
[root@RS1 ssl]# ls
ca.crt  server.csr  server.key
[root@RS1 ssl]# openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
Signature ok
subject=C = XX, L = Default City, O = Default Company Ltd
Getting CA Private Key
[root@RS1 ssl]# ls
ca.crt  ca.srl  server.crt  server.csr  server.key
[root@RS1 ssl]# 

修改配置文件


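DocumentRoot "/var/www/html"
# NOTE(review): the certificate generated on this page has an empty Common
# Name, so it will not match this ServerName; browsers will warn.
ServerName www.example.com:443

SSLCertificateFile /etc/httpd/ssl/server.crt
# Each directive must stay on a single line. Keep this private key readable
# by root only.
SSLCertificateKeyFile /etc/httpd/ssl/server.key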

[root@RS1 ~]# yum -y install mod_ssl
Updating Subscription Management repositories.
Unable to read consumer identity

[root@RS1 conf.d]# ss -antl
State        Recv-Q       Send-Q                Local Address:Port               Peer Address:Port       
LISTEN       0            128                  192.168.72.135:9000                    0.0.0.0:*          
LISTEN       0            128                         0.0.0.0:22                      0.0.0.0:*          
LISTEN       0            128                               *:80                            *:*          
LISTEN       0            128                            [::]:22                         [::]:*          
LISTEN       0            128                               *:443                           *:*          
[root@RS1 conf.d]# 
   

修改配置文件

[root@haproxy ~]# cat /etc/haproxy/haproxy.cfg 
global
    # Logs go to the local syslog daemon with facility local2; the syslog
    # configuration needs a rule for that same facility.
    log 127.0.0.1 local2  info
    maxconn 20480
    # NOTE(review): this chroots into the install prefix, which holds the
    # haproxy binary. An empty directory that the haproxy user cannot write to
    # is the usual choice - confirm.
    chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    # Runtime API socket. "level admin" allows state-changing commands;
    # "mode 600" restricts the socket file to its owner.
    stats socket  /var/lib/haproxy/haproxy.sock mode 600 level admin
    user haproxy
    group haproxy
    daemon
    # NOTE(review): nbproc is deprecated in recent HAProxy releases and
    # nbthread alone covers multi-core use - verify against the installed version.
    nbproc 1
    nbthread 4
    spread-checks 5

defaults
    mode http
    log global
    option dontlognull
    # NOTE(review): httpclose and http-keep-alive select different connection
    # modes; only one of them is expected - confirm which is intended.
    option httpclose
    option  http-keep-alive
    option redispatch
    balance roundrobin
    timeout connect 60s
    timeout client 30s
    timeout server 30s
    timeout check 10s
    maxconn 60000
    retries 3

# TLS passthrough: in tcp mode HAProxy forwards the encrypted stream untouched
# and the backends terminate TLS with their own certificates. HAProxy cannot
# inspect or modify the HTTP traffic here (no header insertion, no cookie
# persistence), and clients validate whichever backend certificate they reach.
listen https
    bind 0.0.0.0:443
    log global
    mode tcp
    balance  roundrobin 
    # "check" with no further options is a TCP connect test to port 443; it
    # does not verify the TLS handshake or the certificate.
    server web01 192.168.72.138:443 check inter 2s fall 3 rise 5
    server web02 192.168.72.135:443 check inter 2s fall 3 rise 5
[root@haproxy ~]# 

[root@haproxy ~]# mkdir /var/lib/haproxy
[root@haproxy ~]# systemctl restart haproxy
[root@haproxy ~]# ss -antl
State   Recv-Q  Send-Q    Local Address:Port                 Peer Address:Port              
LISTEN  0       128             0.0.0.0:22                        0.0.0.0:*                 
LISTEN  0       128             0.0.0.0:443                       0.0.0.0:*                 
LISTEN  0       128                [::]:22                           [::]:*                 
[root@haproxy ~]# 

访问
在这里插入图片描述
在这里插入图片描述
