LVS Load Balancing

Contents

1. Load balancing

2. LVS clusters

3. LVS-DR deployment

4. Configure the httpd service and virtual host on RS1

5. Configure the certificate on RS1

6. Configure the httpd service and virtual host on RS2

7. Certificate configuration on RS2

8. Operations on the DR

1. Load balancing

A load-balancing cluster is a group of servers that distribute and process client requests together, providing high availability, performance scaling and an even spread of load.

In such a cluster, one or more load balancers sit in front, receive client requests and hand them to multiple backend servers according to a preset scheduling algorithm. The balancer can pick a backend by round robin, weighted round robin, least connections, source-address hashing and other algorithms.

Advantages of a load-balancing cluster:

1. High availability: load is spread over several servers, so if one fails the others keep serving requests.
2. Performance scaling: requests are distributed across servers and processed in parallel, raising throughput.
3. Load balancing: the balancer distributes requests according to its algorithm, so no single server is overloaded.
4. Scalability: backend servers can be added or removed as load and business needs change.

Common load-balancing solutions:

1. LVS: layer-4 load balancing
2. haproxy: layer-4 / layer-7 load balancing
3. nginx: layer-7 load balancing
4. SLB: cloud load balancer that also provides high availability; must be purchased
5. F5: hardware load-balancing appliance; must be purchased

High-availability clusters (HA, High Available)

High-performance clusters (earthquake prediction, weather forecasting, research on cryptographic algorithms)

2. LVS clusters

1. An LVS (Linux Virtual Server) cluster is a load-balancing solution built on the Linux operating system. It groups several servers into one cluster and distributes client requests across them to achieve load balancing and high availability.

2. The core components of an LVS cluster are the scheduler (Load Balancer), the server pool and the monitor. The scheduler is the front end of the cluster: it receives client requests and hands each one to a specific server in the pool according to a load-balancing algorithm. The server pool consists of the real servers, which share the same service and data. The monitor watches the health of the servers, detects failures promptly and removes failed servers from the cluster.

3. LVS supports several load-balancing algorithms, including round robin, weighted round robin and least connection. These algorithms distribute client requests dynamically according to server load and performance figures.
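As an added illustration (not part of the original article), the function below reproduces the weighted round robin selection that ipvs applies to a virtual service created with `-s wrr`, the scheduler chosen in the DR deployment later on this page. It follows the scheme of the kernel's ipvs wrr scheduler: a "current weight" bar is stepped down by the GCD of all weights on every pass through the pool and reset to the maximum weight when it reaches zero, and a server is picked when its weight is at least the bar. The pool string is constructed sample input; the page's own rules add both RS without `-w`, so they get weight 1 each and the schedule degenerates to plain round robin.

```shell
#!/bin/sh
# Weighted round robin as ipvs does it for `-s wrr`. Added example, not from the article.
# usage: wrr_schedule COUNT "rip:weight rip:weight ..."  -> prints COUNT selected real servers
wrr_schedule() {
    awk -v n="$1" -v pool="$2" '
    function gcd(a, b,    t) { while (b) { t = a % b; a = b; b = t } return a }
    BEGIN {
        count = split(pool, entry, " ")
        maxw = 0
        for (k = 1; k <= count; k++) {
            split(entry[k], f, ":")
            rs[k] = f[1]; w[k] = f[2] + 0
            g = (k == 1) ? w[k] : gcd(g, w[k])   # GCD of all weights = step size of the bar
            if (w[k] > maxw) maxw = w[k]
        }
        if (maxw <= 0) exit 1            # every weight is 0: no server is eligible
        i = 0; cw = 0
        while (n > 0) {
            i = i % count + 1            # next server, wrapping around the pool
            if (i == 1) {                # start of a pass: lower the bar, reset when it hits zero
                cw -= g
                if (cw <= 0) cw = maxw
            }
            if (w[i] >= cw) { print rs[i]; n-- }
        }
    }'
}

# Constructed sample pool: RS1 carries three times the weight of RS2.
POOL="192.168.187.131:3 192.168.187.129:1"
wrr_schedule 8 "$POOL"
```

With the sample pool the first eight picks are RS1, RS1, RS1, RS2 and then the same again, i.e. a 3:1 split rather than alternating; a server whose weight is set to 0 is never chosen, which is how a real server is drained without deleting its rule.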

Using an LVS cluster improves the scalability and reliability of a system. When one server in the cluster fails, the scheduler automatically forwards requests to the remaining healthy servers, which gives high availability. The cluster can also be scaled out horizontally by adding servers to absorb more load.

In summary, an LVS cluster is a Linux-based load-balancing solution that groups several servers into a cluster to balance requests and provide high availability. It improves the scalability and reliability of a system and is one of the important tools for building high-performance network applications.

3. LVS-DR deployment

Using the DR model:

1. Build load-balancing clusters for both http and https.

2. Every RS must use the same private key and the same certificate.

Lab setup

Role              Hostname           IP address         OS
DR (director)     DR.example.com     192.168.187.128    CentOS 8
RS1               RS1.example.com    192.168.187.131    CentOS 8
RS2               RS2.example.com    192.168.187.129    CentOS 8

4. Configure the httpd service and virtual host on RS1

# 1. Install httpd on RS1
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# systemctl enable --now httpd
[root@RS1 ~]# ss -antl
State    Recv-Q   Send-Q     Local Address:Port       Peer Address:Port   Process   
LISTEN   0        128              0.0.0.0:22              0.0.0.0:*                             
LISTEN   0        128                 [::]:22                 [::]:*                
LISTEN   0        511                    *:80                    *:*    

# 2. Configure the httpd virtual host: copy the sample virtual host file into conf.d
[root@RS1 ~]# cd /etc/httpd
[root@RS1 httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run  ssl  state
[root@RS1 httpd]# cd conf.d
[root@RS1 conf.d]# ls
autoindex.conf  README  ssl.conf  userdir.conf  welcome.conf
[root@RS1 conf.d]# find / -name '*vhosts.conf'     --- locate the sample virtual host file
/usr/share/doc/httpd/httpd-vhosts.conf
[root@RS1 conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf vhosts.conf
[root@RS1 conf.d]# ls
autoindex.conf  README  ssl.conf  userdir.conf  vhosts.conf  welcome.conf

# 3. Edit the virtual host file (httpd does not accept a trailing # comment on a directive line, so the note goes on its own line)
[root@RS1 conf.d]# vim vhosts.conf 
[root@RS1 conf.d]# cat vhosts.conf 
<VirtualHost *:80>
    # custom domain name: www.pupu.com
    DocumentRoot "/var/www/html/www.pupu.com"
    ServerName www.pupu.com
    ErrorLog "/var/log/httpd/www.pupu.com-error_log"
    CustomLog "/var/log/httpd/www.pupu.com-access_log" common
</VirtualHost>

# 4. Create the virtual host's document root
[root@RS1 conf.d]# mkdir -p /var/www/html/www.pupu.com
[root@RS1 conf.d]# cd /var/www/html
[root@RS1 html]# ls
www.pupu.com

# 5. Write some placeholder content into the virtual host's document root
[root@RS1 html]#  echo "忘情天尊" > /var/www/html/www.pupu.com/index.html

# 6. Restart httpd
[root@RS1 html]# systemctl restart httpd

# 7. Disable the firewall and SELinux
[root@RS1 ~]# systemctl disable --now firewalld
[root@RS1 ~]# setenforce 0

# 8. On the client (Windows) host, add RS1's IP address and domain name to C:\Windows\System32\drivers\etc\hosts
192.168.187.131   www.pupu.com

# The httpd page can now be reached by IP address and by domain name

5. Configure the certificate on RS1

# 1. Configure the certificate on RS1
# The certificate only needs to be created on one RS; the resulting files are then copied to the other hosts

# 2. First create the directory /etc/pki/CA
[root@RS1 ~]# mkdir -p /etc/pki/CA
[root@RS1 ~]# cd /etc/pki/CA

# 3. Create a directory named private
[root@RS1 CA]# mkdir private
[root@RS1 CA]# ls
private

# 4. Generate the CA key pair in the private directory
[root@RS1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
.........................+++++
e is 65537 (0x010001)
[root@RS1 CA]#  ls private/
cakey.pem

# 5. Generate the CA's self-signed certificate
[root@RS1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN     --------- country
State or Province Name (full name) []:HB   ------- province
Locality Name (eg, city) [Default City]:WH   ------ city
Organization Name (eg, company) [Default Company Ltd]:www.pupu.com   --- use the virtual host domain for all of these
Organizational Unit Name (eg, section) []:www.pupu.com
Common Name (eg, your name or your server's hostname) []:www.pupu.com
Email Address []:   ----- leave blank, press Enter
[root@RS1 CA]# 

# 6. Create the CA working directories and its database files
[root@RS1 CA]# mkdir certs newcerts crl
[root@RS1 CA]# touch index.txt && echo 01 > serial
[root@RS1 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

# 7. Generate the httpd server key
[root@RS1 CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................................................+++++
..........................................+++++
e is 65537 (0x010001)
[root@RS1 ssl]# ls
httpd.key

# 8. Generate the certificate signing request
[root@RS1 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    ------ country
State or Province Name (full name) []:HB   ------- province
Locality Name (eg, city) [Default City]:WH  --------- city
Organization Name (eg, company) [Default Company Ltd]:www.pupu.com  --- virtual host domain
Organizational Unit Name (eg, section) []:www.pupu.com
Common Name (eg, your name or your server's hostname) []:www.pupu.com  --- virtual host domain
Email Address []:     ---- just press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request   ---- press Enter for both
A challenge password []:
An optional company name []:
[root@RS1 ssl]# 
[root@RS1 ssl]# ls
httpd.csr  httpd.key

# 9. Hand httpd.csr to the CA, which issues the certificate from it
-in: the certificate signing request file
-out: the certificate file to write
-days: validity period of the certificate

[root@RS1 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct  8 06:42:48 2023 GMT
            Not After : Oct  7 06:42:48 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = www.pupu.com
            organizationalUnitName    = www.pupu.com
            commonName                = www.pupu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                FA:6F:AA:96:58:95:DE:0E:05:89:F9:64:FE:97:E8:47:22:45:E8:45
            X509v3 Authority Key Identifier: 
                keyid:8A:A8:14:D8:5F:14:CD:1A:AB:43:16:9C:D2:4F:75:C9:DE:52:8A:E4

Certificate is to be certified until Oct  7 06:42:48 2024 GMT (365 days)
Sign the certificate? [y/n]:y
                                    ------ answer y to both prompts

1 out of 1 certificate requests certified, commit? [y/n]y   
Write out database with 1 new entries
Data Base Updated
[root@RS1 ssl]# ls
httpd.csr  httpd.key httpd.crt          #  the certificate files are now complete; httpd.csr can be deleted

# 10. List the installed httpd packages; httpd-devel is not installed
[root@RS1 ssl]# rpm -qa | grep httpd
centos-logos-httpd-85.8-2.el8.noarch
httpd-filesystem-2.4.37-62.module_el8+657+88b2113f.noarch
httpd-2.4.37-62.module_el8+657+88b2113f.x86_64
httpd-tools-2.4.37-62.module_el8+657+88b2113f.x86_64

# 11. Install httpd-devel
[root@RS1 ssl]# yum -y install httpd-devel

# 12. Install the mod_ssl module
[root@RS1 ssl]# yum list all | grep mod_ssl
mod_ssl.x86_64                                         1:2.4.37-62.module_el8+657+88b2113f                   appstream 
[root@RS1 ssl]# yum -y install mod_ssl

# 13. Confirm that ssl.conf has been generated
[root@RS1 ssl]# ls /etc/httpd/conf.d/
autoindex.conf  README  ssl.conf  userdir.conf  welcome.conf

# 14. Edit the module file
[root@RS1 ssl]# ls /etc/httpd/conf.modules.d/
00-base.conf  00-mpm.conf       00-ssl.conf      10-h2.conf
00-dav.conf   00-optional.conf  00-systemd.conf  10-proxy_h2.conf
00-lua.conf   00-proxy.conf     01-cgi.conf      README
[root@RS1 ssl]# vim /etc/httpd/conf.modules.d/00-ssl.conf
[root@RS1 ssl]# cat /etc/httpd/conf.modules.d/00-ssl.conf
LoadModule ssl_module modules/mod_ssl.so

# 15. Change DocumentRoot, ServerName, SSLCertificateFile and SSLCertificateKeyFile in ssl.conf
[root@RS1 ssl]# vim /etc/httpd/conf.d/ssl.conf

# line 43  #DocumentRoot "/var/www/html"  uncomment and change to  DocumentRoot "/var/www/html/www.pupu.com"
# line 44  #ServerName www.example.com:443  uncomment and change to  ServerName www.pupu.com:443
# line 85  SSLCertificateFile /etc/pki/tls/certs/localhost.crt  change to  SSLCertificateFile /etc/httpd/ssl/httpd.crt
# line 93  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key  change to  SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

[root@RS1 ssl]# systemctl restart httpd

# The https page can now be reached by IP address and by domain name

6. Configure the httpd service and virtual host on RS2

# 1. Install httpd on RS2
[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# systemctl enable --now httpd
[root@RS2 ~]# ss -antl
State    Recv-Q   Send-Q     Local Address:Port       Peer Address:Port   Process   
LISTEN   0        128              0.0.0.0:22              0.0.0.0:*                             
LISTEN   0        128                 [::]:22                 [::]:*                
LISTEN   0        511                    *:80                    *:*    

# 2. Configure the httpd virtual host: copy the sample virtual host file into conf.d
[root@RS2 ~]# cd /etc/httpd
[root@RS2 httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run  ssl  state
[root@RS2 httpd]# cd conf.d
[root@RS2 conf.d]# ls
autoindex.conf  README  ssl.conf  userdir.conf  welcome.conf
[root@RS2 conf.d]# find / -name '*vhosts.conf'     --- locate the sample virtual host file
/usr/share/doc/httpd/httpd-vhosts.conf
[root@RS2 conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf vhosts.conf
[root@RS2 conf.d]# ls
autoindex.conf  README  ssl.conf  userdir.conf  vhosts.conf  welcome.conf

# 3. Edit the virtual host file (httpd does not accept a trailing # comment on a directive line, so the note goes on its own line)
[root@RS2 conf.d]# vim vhosts.conf 
[root@RS2 conf.d]# cat vhosts.conf 
<VirtualHost *:80>
    # custom domain name: www.daozhang.com
    DocumentRoot "/var/www/html/www.daozhang.com"
    ServerName www.daozhang.com
    ErrorLog "/var/log/httpd/www.daozhang.com-error_log"
    CustomLog "/var/log/httpd/www.daozhang.com-access_log" common
</VirtualHost>

# 4. Create the virtual host's document root
[root@RS2 conf.d]# mkdir -p /var/www/html/www.daozhang.com
[root@RS2 conf.d]# cd /var/www/html
[root@RS2 html]# ls
www.daozhang.com

# 5. Write some placeholder content into the virtual host's document root
[root@RS2 html]#  echo "忘情天尊" > /var/www/html/www.daozhang.com/index.html

# 6. Restart httpd
[root@RS2 html]# systemctl restart httpd

# 7. Disable the firewall and SELinux
[root@RS2 ~]# systemctl disable --now firewalld
[root@RS2 ~]# setenforce 0

# 8. On the client (Windows) host, add RS2's IP address and domain name to C:\Windows\System32\drivers\etc\hosts
192.168.187.129   www.daozhang.com

# The httpd page can now be reached by IP address and by domain name

7. Certificate configuration on RS2

# 1. Copy the two certificate files produced on RS1 (httpd.key and httpd.crt) into the same directory on RS2
[root@RS2 httpd]# mkdir ssl
[root@RS2 httpd]# cd ssl
[root@RS2 ssl]# pwd
/etc/httpd/ssl

# After pulling the key and certificate into this directory:
[root@RS2 ssl]# ls
httpd.crt  httpd.key

# 2. Install httpd-devel
[root@RS2 ssl]# yum -y install httpd-devel

# 3. Install the mod_ssl module
[root@RS2 ssl]# yum list all | grep mod_ssl
mod_ssl.x86_64                                         1:2.4.37-62.module_el8+657+88b2113f                   appstream 
[root@RS2 ssl]# yum -y install mod_ssl

# 4. Confirm that ssl.conf has been generated
[root@RS2 ssl]# ls /etc/httpd/conf.d/
autoindex.conf  README  ssl.conf  userdir.conf  welcome.conf

# 5. Edit the module file
[root@RS2 ssl]# ls /etc/httpd/conf.modules.d/
00-base.conf  00-mpm.conf       00-ssl.conf      10-h2.conf
00-dav.conf   00-optional.conf  00-systemd.conf  10-proxy_h2.conf
00-lua.conf   00-proxy.conf     01-cgi.conf      README
[root@RS2 ssl]# vim /etc/httpd/conf.modules.d/00-ssl.conf
[root@RS2 ssl]# cat /etc/httpd/conf.modules.d/00-ssl.conf
LoadModule ssl_module modules/mod_ssl.so

# 6. Change DocumentRoot, ServerName, SSLCertificateFile and SSLCertificateKeyFile in ssl.conf
[root@RS2 ssl]# vi /etc/httpd/conf.d/ssl.conf
# line 43  #DocumentRoot "/var/www/html"  uncomment and change to  DocumentRoot "/var/www/html/www.daozhang.com"
# line 44  #ServerName www.example.com:443  uncomment and change to  ServerName www.daozhang.com:443
# line 85  SSLCertificateFile /etc/pki/tls/certs/localhost.crt  change to  SSLCertificateFile /etc/httpd/ssl/httpd.crt
# line 93  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key  change to  SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

[root@RS2 ssl]# systemctl restart httpd

# The https page can now be reached by IP address and by domain name


8. Operations on the DR

# 1. Install net-tools (provides ifconfig)
[root@DR ~]# yum -y install net-tools

# 2. Configure the VIP on an alias of ens160
[root@DR ~]# ifconfig ens160:0 192.168.187.200/32 broadcast 192.168.187.200 up

[root@DR ~]# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.187.128  netmask 255.255.255.0  broadcast 192.168.187.255
        inet6 fe80::20c:29ff:fed8:60da  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d8:60:da  txqueuelen 1000  (Ethernet)
        RX packets 221936  bytes 185122638 (176.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 173415  bytes 43223179 (41.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens160:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.187.200  netmask 0.0.0.0  broadcast 192.168.187.200
        ether 00:0c:29:d8:60:da  txqueuelen 1000  (Ethernet)

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 6  bytes 1408 (1.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 1408 (1.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# 3. Configure the RIP side on each RS: add the two arp settings shown below to /etc/sysctl.conf, apply them,
#    then bind the VIP to lo:0. arp_ignore=1 and arp_announce=2 stop the RS from answering ARP for the VIP,
#    so clients only ever learn the DR's MAC for the VIP and requests keep flowing through the director.
[root@RS1 ~]# yum -y install net-tools
[root@RS1 ~]# vim /etc/sysctl.conf 
[root@RS1 etc]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@RS1 ~]# ifconfig lo:0 192.168.187.200/32 broadcast 192.168.187.200 up
[root@RS1 etc]# ifconfig
lo:0: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 192.168.187.200  netmask 0.0.0.0
        loop  txqueuelen 1000  (Local Loopback)


[root@RS2 ~]# yum -y install net-tools
[root@RS2 ~]# vim /etc/sysctl.conf 
[root@RS2 etc]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@RS2 conf.d]# ifconfig lo:0 192.168.187.200/32 broadcast 192.168.187.200 up
[root@RS2 etc]# ifconfig
lo:0: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 192.168.187.200  netmask 0.0.0.0
        loop  txqueuelen 1000  (Local Loopback)

# 4. Add the host route for the VIP; do this on the DR and on both RS
[root@DR ~]# route add -host 192.168.187.200 dev ens160:0

[root@RS1 etc]# route add -host 192.168.187.200 dev lo:0

[root@RS2 etc]# route add -host 192.168.187.200 dev lo:0

# 5. Configure the ipvs rules on the DR (wrr scheduling; -g selects direct routing; no -w is given, so both RS get weight 1)
[root@DR ~]# yum -y install ipvsadm
[root@DR ~]# ipvsadm -A -t 192.168.187.200:80 -s wrr
[root@DR ~]# ipvsadm -A -t 192.168.187.200:443 -s wrr
[root@DR ~]# ipvsadm -a -t 192.168.187.200:80 -r 192.168.187.131:80 -g
[root@DR ~]# ipvsadm -a -t 192.168.187.200:443 -r 192.168.187.131:443 -g
[root@DR ~]# ipvsadm -a -t 192.168.187.200:80 -r 192.168.187.129:80 -g
[root@DR ~]# ipvsadm -a -t 192.168.187.200:443 -r 192.168.187.129:443 -g
[root@DR ~]# ipvsadm -S > /etc/sysconfig/ipvsadm     --- save the rules so they can be restored at boot

# 6. Disable the firewall and SELinux
[root@DR ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# setenforce 0
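Steps 1 to 6 above, collected into one script as an added example (it is not from the original article). Run as root with `director` it applies the DR side, with `real-server` the RS side, and with no argument it only prints the ipvs rule set it would load, in the same format that `ipvsadm -S` writes to /etc/sysconfig/ipvsadm on the page and that `ipvsadm -R` reads back from stdin. The VIP, RIPs, interface name and ports are the lab values from this page; the explicit `-w 1` weights match the page's default, and the loop over the pool generalises the six hand-typed rules to any number of real servers.

```shell
#!/bin/sh
# LVS-DR setup script. Added example, not from the original article.
# usage: dr-setup.sh director | real-server   (no argument: print the ipvs rules only)
set -e

VIP=192.168.187.200
DR_IFACE=ens160
RS_POOL="192.168.187.131:1 192.168.187.129:1"   # rip:weight, one entry per real server
PORTS="80 443"

# Rules in `ipvsadm -S` save format, one virtual service per port, every RS as a
# direct-routing (-g) destination. This is what /etc/sysconfig/ipvsadm holds.
render_ipvs_rules() {
    for port in $PORTS; do
        echo "-A -t $VIP:$port -s wrr"
        for entry in $RS_POOL; do
            rip=${entry%%:*}; weight=${entry#*:}
            echo "-a -t $VIP:$port -r $rip:$port -g -w $weight"
        done
    done
}

# The two sysctl lines every real server needs. Without them the RS answers ARP
# for the VIP itself and traffic bypasses the director.
render_rs_sysctl() {
    printf 'net.ipv4.conf.all.arp_ignore = 1\nnet.ipv4.conf.all.arp_announce = 2\n'
}

# Director: VIP on an alias interface, host route, rules loaded and persisted.
apply_director() {
    ifconfig "$DR_IFACE:0" "$VIP/32" broadcast "$VIP" up
    route add -host "$VIP" dev "$DR_IFACE:0"
    ipvsadm -C                          # start from an empty table so reruns do not duplicate rules
    render_ipvs_rules | ipvsadm -R
    ipvsadm -S > /etc/sysconfig/ipvsadm
}

# Real server: ARP sysctls persisted in /etc/sysctl.conf (appended once), VIP on lo:0, host route.
apply_real_server() {
    grep -q 'arp_ignore' /etc/sysctl.conf || render_rs_sysctl >> /etc/sysctl.conf
    sysctl -p
    ifconfig lo:0 "$VIP/32" broadcast "$VIP" up
    route add -host "$VIP" dev lo:0
}

case "${1:-}" in
    director)    apply_director ;;
    real-server) apply_real_server ;;
    *)           render_ipvs_rules ;;
esac
```

Running it without arguments on any machine is a harmless way to review the rule set before touching the director; `ipvsadm -L -n` on the DR afterwards should list the same two services with two destinations each.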

The pages on ports 80 and 443 of RS1 and RS2 can now be reached through the VIP address.

Because of browser caching, refreshing the page does not get balanced over to the other server,

so we test from the command line on the host instead.

Port 443, however, cannot be reached from the command line: the certificate was issued by our own CA rather than a publicly trusted one, so the client refuses it.
