I. Load balancing
A load-balancing cluster is a group of servers that share the work of receiving and handling client requests, giving high availability, horizontal performance scaling and an even distribution of load.
One or more load balancers sit in front of the cluster, accept client requests and hand each one to a backend server chosen by a scheduling algorithm: round robin, weighted round robin, least connections, source-address hashing and so on.
Advantages of a load-balancing cluster:
1. High availability: with the load spread over several servers, the remaining servers keep answering requests when one of them fails.
2. Performance scaling: requests are handled in parallel on several servers, which raises throughput.
3. Load balancing: the scheduler distributes requests across the backends according to the configured algorithm, so no single server is overloaded.
4. Scalability: backend servers can be added or removed as load and business needs change.
Common load-balancing solutions:
1. LVS: layer-4 load balancing (IPVS, in the Linux kernel)
2. HAProxy: layer-4 and layer-7
3. Nginx: layer-7
4. SLB: cloud provider load balancer, highly available out of the box; a paid service
5. F5: hardware load balancer; requires buying the appliance
Other cluster types:
High-availability cluster (HA, High Availability)
High-performance computing cluster (earthquake prediction, weather forecasting, cryptographic algorithm research)
II. LVS cluster
1. LVS (Linux Virtual Server) is a load-balancing solution built on the Linux kernel. It groups several servers into one cluster and distributes client requests among them for load balancing and high availability.
2. The core components are the director (load balancer), the server pool (real servers) and a monitor. The director is the front end: it accepts client requests and forwards each one to a real server chosen by the scheduling algorithm. The server pool is the set of real servers, which provide the same service and content. The monitor checks the health of the real servers and removes a failed server from the pool; IPVS itself has no health checking, so in practice this job is done by keepalived or ldirectord.
3. LVS supports several scheduling algorithms, including round robin (rr), weighted round robin (wrr) and least connections (lc). The weighted and connection-based algorithms take server capacity and current load into account when assigning requests.
LVS raises the scalability and reliability of a service. When a real server fails and the monitor removes it, the director sends new requests only to the remaining healthy servers; when load grows, more real servers can be added to the pool.
In short, LVS is a Linux-based load-balancing solution that turns several servers into one cluster with request distribution and high availability, and it is one of the standard building blocks for high-performance network services.
III. LVS-DR deployment
Using the DR (direct routing) model:
1. Build load-balanced clusters for both HTTP and HTTPS.
2. Every RS must serve the same private key and the same certificate (the pair is generated once and copied to the other RS over an authenticated channel).
Lab setup
Role | Host | IP address | OS
DR (director) | DR.example.com | 192.168.187.128 | centos8
RS1 | RS1.example.com | 192.168.187.131 | centos8
RS2 | RS2.example.com | 192.168.187.129 | centos8
The VIP used in section VIII is 192.168.187.200.
IV. Configure the httpd service and virtual host on RS1
# 1. Install httpd on RS1
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# systemctl enable --now httpd
[root@RS1 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:80 *:*
# 2. Configure an httpd virtual host
[root@RS1 ~]# cd /etc/httpd
[root@RS1 httpd]# ls
conf conf.d conf.modules.d logs modules run ssl state
[root@RS1 httpd]# cd conf.d
[root@RS1 conf.d]# ls
autoindex.conf README ssl.conf userdir.conf welcome.conf
[root@RS1 conf.d]# find / -name '*vhosts.conf' --- locate the sample vhost file (quote the glob so the shell does not expand it first)
/usr/share/doc/httpd/httpd-vhosts.conf
[root@RS1 conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf vhosts.conf
[root@RS1 conf.d]# ls
autoindex.conf README ssl.conf userdir.conf vhosts.conf welcome.conf
# 2 (continued). Edit the virtual host file
[root@RS1 conf.d]# vim vhosts.conf
[root@RS1 conf.d]# cat vhosts.conf
# custom domain www.pupu.com (httpd does not accept a comment after a directive on the same line, so comments go on their own line)
<VirtualHost *:80>
DocumentRoot "/var/www/html/www.pupu.com"
ServerName www.pupu.com
ErrorLog "/var/log/httpd/www.pupu.com-error_log"
CustomLog "/var/log/httpd/www.pupu.com-access_log" common
</VirtualHost>
# 3. Create the document root of the virtual host
[root@RS1 conf.d]# mkdir -p /var/www/html/www.pupu.com
[root@RS1 conf.d]# cd /var/www/html
[root@RS1 html]# ls
www.pupu.com
# 4. Put some content into the document root (use a different string on each RS so that you can later tell which backend answered a request)
[root@RS1 html]# echo "忘情天尊" > /var/www/html/www.pupu.com/index.html
# 5. Restart httpd
[root@RS1 html]# systemctl restart httpd
# 6. Stop firewalld and switch SELinux to permissive. This is a lab shortcut: in production open only 80/443 in firewalld and label the new document root with restorecon instead. setenforce 0 does not survive a reboot.
[root@RS1 ~]# systemctl disable --now firewalld
[root@RS1 ~]# setenforce 0
# 7. On the Windows client, add RS1's IP and domain name to C:\Windows\System32\drivers\etc\hosts
192.168.187.131 www.pupu.com
# The httpd page can now be opened by IP and by domain name.
V. Configure the certificate on RS1
# 1. Configure the certificate on RS1
# Only one RS needs to act as the CA and issue the certificate; the resulting certificate and key are then copied to the other RS.
# 2. Create the CA directory /etc/pki/CA (the directory the default /etc/pki/tls/openssl.cnf expects for openssl ca)
[root@RS1 ~]# mkdir -p /etc/pki/CA
[root@RS1 ~]# cd /etc/pki/CA
# 3. Create the private directory
[root@RS1 CA]# mkdir private
[root@RS1 CA]# ls
private
# 4. Generate the CA private key in private/ (the umask 077 subshell makes the file readable by root only)
[root@RS1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
.........................+++++
e is 65537 (0x010001)
[root@RS1 CA]# ls private/
cakey.pem
# 5. Generate the CA's self-signed certificate
[root@RS1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN --------- country
State or Province Name (full name) []:HB ------- province
Locality Name (eg, city) [Default City]:WH ------ city
Organization Name (eg, company) [Default Company Ltd]:www.pupu.com --- the tutorial fills these with the vhost domain; the default policy_match in openssl.cnf requires C, ST and O of later requests to match these values
Organizational Unit Name (eg, section) []:www.pupu.com
Common Name (eg, your name or your server's hostname) []:www.pupu.com --- giving the CA the same CN as the server works but is confusing; a distinct name such as "pupu CA" is better practice
Email Address []: ----- leave blank, press Enter
[root@RS1 CA]#
# 6. Create the directories and database files that openssl ca expects
[root@RS1 CA]# mkdir certs newcerts crl
[root@RS1 CA]# touch index.txt && echo 01 > serial
[root@RS1 CA]# ls
cacert.pem certs crl index.txt newcerts private serial
# 7. Generate the server private key
[root@RS1 CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................................................+++++
..........................................+++++
e is 65537 (0x010001)
[root@RS1 ssl]# ls
httpd.key
# 8. Generate the certificate signing request. -days has no meaning for a CSR (openssl prints "Ignoring -days; not generating a certificate"), so it is left out; the validity period is set when the CA signs.
# Note that this CSR carries only a CN. Modern browsers ignore the CN and require a subjectAltName, so a browser will still report a name error even after the CA is trusted.
[root@RS1 ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN ------ country
State or Province Name (full name) []:HB ------- province
Locality Name (eg, city) [Default City]:WH --------- city
Organization Name (eg, company) [Default Company Ltd]:www.pupu.com --- vhost domain
Organizational Unit Name (eg, section) []:www.pupu.com
Common Name (eg, your name or your server's hostname) []:www.pupu.com --- vhost domain
Email Address []: ---- press Enter
Please enter the following 'extra' attributes
to be sent with your certificate request ---- press Enter for both
A challenge password []:
An optional company name []:
[root@RS1 ssl]#
[root@RS1 ssl]# ls
httpd.csr httpd.key
# 9. Hand httpd.csr to the CA; the CA issues the certificate from it (openssl ca reads /etc/pki/tls/openssl.cnf, whose dir setting is /etc/pki/CA)
-in: the certificate signing request file
-out: the certificate file to write
-days: validity period of the certificate
[root@RS1 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 8 06:42:48 2023 GMT
Not After : Oct 7 06:42:48 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = www.pupu.com
organizationalUnitName = www.pupu.com
commonName = www.pupu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FA:6F:AA:96:58:95:DE:0E:05:89:F9:64:FE:97:E8:47:22:45:E8:45
X509v3 Authority Key Identifier:
keyid:8A:A8:14:D8:5F:14:CD:1A:AB:43:16:9C:D2:4F:75:C9:DE:52:8A:E4
Certificate is to be certified until Oct 7 06:42:48 2024 GMT (365 days)
Sign the certificate? [y/n]:y
------ answer y to both prompts
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@RS1 ssl]# ls
httpd.crt httpd.csr httpd.key # the certificate and key are now complete; httpd.csr can be deleted
# 10. List the installed httpd packages; httpd-devel is not present
[root@RS1 ssl]# rpm -qa | grep httpd
centos-logos-httpd-85.8-2.el8.noarch
httpd-filesystem-2.4.37-62.module_el8+657+88b2113f.noarch
httpd-2.4.37-62.module_el8+657+88b2113f.x86_64
httpd-tools-2.4.37-62.module_el8+657+88b2113f.x86_64
# 11. Install httpd-devel (mod_ssl does not actually depend on it, only on httpd; the tutorial installs it anyway)
[root@RS1 ssl]# yum -y install httpd-devel
# 12. Install the mod_ssl module
[root@RS1 ssl]# yum list all | grep mod_ssl
mod_ssl.x86_64 1:2.4.37-62.module_el8+657+88b2113f appstream
[root@RS1 ssl]# yum -y install mod_ssl
# 13. Check that mod_ssl has installed ssl.conf
[root@RS1 ssl]# ls /etc/httpd/conf.d/
autoindex.conf README ssl.conf userdir.conf welcome.conf
# 14. Confirm the module is loaded: 00-ssl.conf is installed by mod_ssl and already contains the LoadModule line, so no edit is needed
[root@RS1 ssl]# ls /etc/httpd/conf.modules.d/
00-base.conf 00-mpm.conf 00-ssl.conf 10-h2.conf
00-dav.conf 00-optional.conf 00-systemd.conf 10-proxy_h2.conf
00-lua.conf 00-proxy.conf 01-cgi.conf README
[root@RS1 ssl]# vim /etc/httpd/conf.modules.d/00-ssl.conf
[root@RS1 ssl]# cat /etc/httpd/conf.modules.d/00-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
# 15. Edit /etc/httpd/conf.d/ssl.conf: set DocumentRoot, ServerName, SSLCertificateFile and SSLCertificateKeyFile
# line 43: #DocumentRoot "/var/www/html" -> uncomment and change to DocumentRoot "/var/www/html/www.pupu.com"
# line 44: uncomment ServerName and set it to ServerName www.pupu.com:443
# line 85: SSLCertificateFile /etc/pki/tls/certs/localhost.crt -> SSLCertificateFile /etc/httpd/ssl/httpd.crt
# line 93: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key -> SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
# Check the syntax with httpd -t and restart httpd (systemctl restart httpd). The HTTPS site is then reachable by IP and by domain name; the browser warns because the CA is not trusted and the certificate has no SAN.
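The certificate work of this section and of section VII, rebuilt as a script. This is an added example, not part of the original tutorial, and it differs from the transcript above on purpose, stated here as assumptions: the CA gets its own CN ("pupu lab CA"); the server certificate carries a subjectAltName for both vhost names, www.pupu.com on RS1 and www.daozhang.com on RS2, because browsers ignore the CN and RS2 serves a name the tutorial's certificate does not cover; a private config file replaces /etc/pki/tls/openssl.cnf so the result does not depend on system defaults; files land in a temporary directory. It needs OpenSSL 1.1.0 or newer and ends with the checks worth running before the same key/cert pair is copied to every RS.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands): lab CA + server certificate
# with SAN, followed by the checks to run before copying the pair to every RS.
set -u
PKI_DIR=${PKI_DIR:-$(mktemp -d)}   # assumption: a scratch dir instead of /etc/pki/CA

# make_ca: private key readable by root only (umask 077), then a self-signed
# v3 CA certificate whose extensions come from our own config, not the system one.
make_ca() {
    cat > "$PKI_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = CN
ST = HB
L = WH
O = www.pupu.com
CN = pupu lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    ( umask 077; openssl genrsa -out "$PKI_DIR/cakey.pem" 2048 2>/dev/null )
    openssl req -new -x509 -config "$PKI_DIR/ca.cnf" -key "$PKI_DIR/cakey.pem" \
        -days 365 -out "$PKI_DIR/cacert.pem"
}

# issue_server_cert NAME...: server key + CSR (CN = first name), signed by the
# CA with a subjectAltName listing every name. -days belongs at signing time.
issue_server_cert() {
    san=""
    for n in "$@"; do san="${san:+$san,}DNS:$n"; done
    ( umask 077; openssl genrsa -out "$PKI_DIR/httpd.key" 2048 2>/dev/null )
    openssl req -new -config "$PKI_DIR/ca.cnf" -key "$PKI_DIR/httpd.key" \
        -subj "/C=CN/ST=HB/L=WH/O=www.pupu.com/CN=$1" -out "$PKI_DIR/httpd.csr"
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = %s\n' \
        "$san" > "$PKI_DIR/httpd.ext"
    openssl x509 -req -in "$PKI_DIR/httpd.csr" -CA "$PKI_DIR/cacert.pem" \
        -CAkey "$PKI_DIR/cakey.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$PKI_DIR/httpd.ext" -out "$PKI_DIR/httpd.crt"
}

# key_matches_cert: the public key inside httpd.key must equal the one in
# httpd.crt; a mismatched pair makes httpd with mod_ssl refuse to start.
key_matches_cert() {
    k=$(openssl pkey -in "$PKI_DIR/httpd.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$PKI_DIR/httpd.crt" -pubkey -noout | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for NAME: chain and hostname verification, as a client does it.
cert_valid_for() {
    openssl verify -CAfile "$PKI_DIR/cacert.pem" -verify_hostname "$1" \
        "$PKI_DIR/httpd.crt" >/dev/null 2>&1
}

# key_mode: the private key must stay 0600 on every RS it is copied to.
key_mode() { stat -c %a "$PKI_DIR/httpd.key"; }

make_ca
issue_server_cert www.pupu.com www.daozhang.com
```

After the script runs, `cert_valid_for www.daozhang.com` succeeds while `cert_valid_for` for a name not in the SAN fails, which is exactly the difference between this certificate and the CN-only one produced by the transcript above. Copy cacert.pem to the client and httpd.crt/httpd.key to each RS; the key must travel over scp or sftp, never by mail or a shared folder.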
VI. Configure the httpd service and virtual host on RS2
# 1. Install httpd on RS2
[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# systemctl enable --now httpd
[root@RS2 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:80 *:*
# 2. Configure an httpd virtual host
[root@RS2 ~]# cd /etc/httpd
[root@RS2 httpd]# ls
conf conf.d conf.modules.d logs modules run ssl state
[root@RS2 httpd]# cd conf.d
[root@RS2 conf.d]# ls
autoindex.conf README ssl.conf userdir.conf welcome.conf
[root@RS2 conf.d]# find / -name '*vhosts.conf' --- locate the sample vhost file (quote the glob)
/usr/share/doc/httpd/httpd-vhosts.conf
[root@RS2 conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf vhosts.conf
[root@RS2 conf.d]# ls
autoindex.conf README ssl.conf userdir.conf vhosts.conf welcome.conf
# 2 (continued). Edit the virtual host file
[root@RS2 conf.d]# vim vhosts.conf
[root@RS2 conf.d]# cat vhosts.conf
# custom domain www.daozhang.com (comments must be on their own line in httpd configuration)
<VirtualHost *:80>
DocumentRoot "/var/www/html/www.daozhang.com"
ServerName www.daozhang.com
ErrorLog "/var/log/httpd/www.daozhang.com-error_log"
CustomLog "/var/log/httpd/www.daozhang.com-access_log" common
</VirtualHost>
# 3. Create the document root of the virtual host
[root@RS2 conf.d]# mkdir -p /var/www/html/www.daozhang.com
[root@RS2 conf.d]# cd /var/www/html
[root@RS2 html]# ls
www.daozhang.com
# 4. Put some content into the document root (a string different from RS1's makes the balancing test below meaningful)
[root@RS2 html]# echo "忘情天尊" > /var/www/html/www.daozhang.com/index.html
# 5. Restart httpd
[root@RS2 html]# systemctl restart httpd
# 6. Stop firewalld and switch SELinux to permissive (same lab caveat as on RS1)
[root@RS2 ~]# systemctl disable --now firewalld
[root@RS2 ~]# setenforce 0
# 7. On the Windows client, add RS2's IP and domain name to C:\Windows\System32\drivers\etc\hosts
192.168.187.129 www.daozhang.com
# The httpd page can now be opened by IP and by domain name.
VII. Certificate configuration on RS2
# 1. Copy the two certificate files from RS1 (httpd.crt and httpd.key) into /etc/httpd/ssl on RS2. Transfer them over an authenticated channel such as scp and keep httpd.key at mode 0600 owned by root: whoever holds this key can impersonate the site.
[root@RS2 ~]# mkdir /etc/httpd/ssl
[root@RS2 ~]# cd /etc/httpd/ssl/
[root@RS2 ssl]# pwd
/etc/httpd/ssl
# copy httpd.crt and httpd.key from RS1 into this directory
[root@RS2 ssl]# ls
httpd.crt httpd.key
# 2. Install httpd-devel (not required by mod_ssl; kept for parity with RS1)
[root@RS2 ssl]# yum -y install httpd-devel
# 3. Install the mod_ssl module
[root@RS2 ssl]# yum list all | grep mod_ssl
mod_ssl.x86_64 1:2.4.37-62.module_el8+657+88b2113f appstream
[root@RS2 ssl]# yum -y install mod_ssl
# 4. Check that mod_ssl has installed ssl.conf
[root@RS2 ssl]# ls /etc/httpd/conf.d/
autoindex.conf README ssl.conf userdir.conf welcome.conf
# 5. Confirm the module is loaded (00-ssl.conf already contains the LoadModule line)
[root@RS2 ssl]# ls /etc/httpd/conf.modules.d/
00-base.conf 00-mpm.conf 00-ssl.conf 10-h2.conf
00-dav.conf 00-optional.conf 00-systemd.conf 10-proxy_h2.conf
00-lua.conf 00-proxy.conf 01-cgi.conf README
[root@RS2 ssl]# vim /etc/httpd/conf.modules.d/00-ssl.conf
[root@RS2 ssl]# cat /etc/httpd/conf.modules.d/00-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
# 6. Edit ssl.conf: set DocumentRoot, ServerName, SSLCertificateFile and SSLCertificateKeyFile
[root@RS2 ssl]# vi /etc/httpd/conf.d/ssl.conf
# line 43: #DocumentRoot "/var/www/html" -> uncomment and change to DocumentRoot "/var/www/html/www.daozhang.com"
# line 44: uncomment ServerName and set it to ServerName www.daozhang.com:443
# line 85: SSLCertificateFile /etc/pki/tls/certs/localhost.crt -> SSLCertificateFile /etc/httpd/ssl/httpd.crt
# line 93: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key -> SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
# Check the syntax with httpd -t and restart httpd. The HTTPS site is then reachable by IP and by domain name; note that the copied certificate names www.pupu.com, not www.daozhang.com, so a client that validates the name will reject this vhost until the certificate covers both names.
VIII. Steps on the DR (director)
# 1. Install net-tools for the ifconfig command
[root@DR ~]# yum -y install net-tools
# 2. Configure the VIP as an alias on ens160 (/32, so no extra subnet route is created)
[root@DR ~]# ifconfig ens160:0 192.168.187.200/32 broadcast 192.168.187.200 up
[root@DR ~]# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.187.128 netmask 255.255.255.0 broadcast 192.168.187.255
inet6 fe80::20c:29ff:fed8:60da prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:d8:60:da txqueuelen 1000 (Ethernet)
RX packets 221936 bytes 185122638 (176.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 173415 bytes 43223179 (41.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens160:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.187.200 netmask 0.0.0.0 broadcast 192.168.187.200
ether 00:0c:29:d8:60:da txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 6 bytes 1408 (1.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6 bytes 1408 (1.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# 3. Configure the real servers: first suppress ARP for the VIP, then bind the VIP on lo.
# arp_ignore=1: answer an ARP request only if the target IP is configured on the interface that received it (the VIP sits on lo, so the RS stays silent).
# arp_announce=2: use the best local address as the ARP source, never the VIP.
# The order matters: if the VIP is added before the sysctls take effect, the RS answers ARP for the VIP and steals traffic from the director.
[root@RS1 ~]# yum -y install net-tools
[root@RS1 ~]# vim /etc/sysctl.conf
[root@RS1 etc]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@RS1 ~]# ifconfig lo:0 192.168.187.200/32 broadcast 192.168.187.200 up
[root@RS1 etc]# ifconfig
lo:0: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 192.168.187.200 netmask 0.0.0.0
loop txqueuelen 1000 (Local Loopback)
[root@RS2 ~]# yum -y install net-tools
[root@RS2 ~]# vim /etc/sysctl.conf
[root@RS2 etc]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@RS2 conf.d]# ifconfig lo:0 192.168.187.200/32 broadcast 192.168.187.200 up
[root@RS2 etc]# ifconfig
lo:0: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 192.168.187.200 netmask 0.0.0.0
loop txqueuelen 1000 (Local Loopback)
# 4. Add a host route for the VIP; do this on the DR and on both RSs
[root@DR ~]# route add -host 192.168.187.200 dev ens160:0
[root@RS1 etc]# route add -host 192.168.187.200 dev lo:0
[root@RS2 etc]# route add -host 192.168.187.200 dev lo:0
# 5. Define the IPVS rules on the DR
# -A adds a virtual service (VIP:port) with scheduler wrr; -a adds a real server to it; -g selects gatewaying, i.e. DR mode.
# No -w is given, so every RS keeps the default weight 1 and wrr behaves like plain round robin.
[root@DR ~]# yum -y install ipvsadm
[root@DR ~]# ipvsadm -A -t 192.168.187.200:80 -s wrr
[root@DR ~]# ipvsadm -A -t 192.168.187.200:443 -s wrr
[root@DR ~]# ipvsadm -a -t 192.168.187.200:80 -r 192.168.187.131:80 -g
[root@DR ~]# ipvsadm -a -t 192.168.187.200:443 -r 192.168.187.131:443 -g
[root@DR ~]# ipvsadm -a -t 192.168.187.200:80 -r 192.168.187.129:80 -g
[root@DR ~]# ipvsadm -a -t 192.168.187.200:443 -r 192.168.187.129:443 -g
# Save the rules; the ipvsadm service restores this file at boot when enabled with systemctl enable ipvsadm
[root@DR ~]# ipvsadm -S > /etc/sysconfig/ipvsadm
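The two prerequisites of steps 3 and 5 as shell functions, so they can be checked and generated rather than typed by hand. This is an added example and not the tutorial's own commands. It assumes the VIP and RIPs from the lab table; the per-server weights are invented for illustration; `rs_arp_ok` is pointed at a directory of sysctl values so it can be exercised against a scratch copy, and the `rs`/`dr` sub-commands only change a live host when explicitly requested as root.

```shell
#!/bin/sh
# Added example (not from the tutorial): LVS-DR prerequisites as checks and
# generated ipvsadm rules. Values below are the lab's; weights are assumptions.
set -u

VIP=${VIP:-192.168.187.200}

# max A B: the larger integer. The kernel applies the larger of conf/all and
# conf/<iface> for both arp_ignore and arp_announce.
max() { if [ "$1" -ge "$2" ]; then echo "$1"; else echo "$2"; fi; }

# rs_arp_ok DIR IFACE: true when a real server will neither answer ARP for the
# VIP held on lo (arp_ignore >= 1) nor advertise the VIP as its ARP source
# (arp_announce >= 2). DIR is /proc/sys/net/ipv4/conf on a live host; IFACE is
# the NIC that receives ARP requests (ens160 in the lab), not lo.
rs_arp_ok() {
    d=$1; i=$2
    ig=$(max "$(cat "$d/all/arp_ignore")" "$(cat "$d/$i/arp_ignore")")
    an=$(max "$(cat "$d/all/arp_announce")" "$(cat "$d/$i/arp_announce")")
    [ "$ig" -ge 1 ] && [ "$an" -ge 2 ]
}

# ipvs_dr_rules VIP PORT RIP:WEIGHT...: print the ipvsadm commands for one
# virtual service in DR mode (-g). Without -w every RS has weight 1 and wrr
# degenerates to round robin; explicit weights are what make wrr useful.
ipvs_dr_rules() {
    vip=$1; port=$2; shift 2
    echo "ipvsadm -A -t $vip:$port -s wrr"
    for rs in "$@"; do
        echo "ipvsadm -a -t $vip:$port -r ${rs%%:*}:$port -g -w ${rs##*:}"
    done
}

# Live changes only on request, as root:
#   sh lvs-dr.sh rs ens160   on a real server: sysctls first, then the VIP on lo
#   sh lvs-dr.sh dr          on the director: rules for 80 and 443, then persist
case ${1:-} in
rs)
    sysctl -w net.ipv4.conf.all.arp_ignore=1 net.ipv4.conf.all.arp_announce=2
    ip addr add "$VIP/32" dev lo          # same effect as ifconfig lo:0 in the tutorial
    rs_arp_ok /proc/sys/net/ipv4/conf "$2" && echo "RS ARP settings OK"
    ;;
dr)
    for p in 80 443; do
        ipvs_dr_rules "$VIP" "$p" 192.168.187.131:3 192.168.187.129:1 | sh -e
    done
    ipvsadm -S > /etc/sysconfig/ipvsadm   # restored at boot by: systemctl enable ipvsadm
    ;;
esac
```

With weights 3 and 1, `ipvsadm -Ln --stats` on the director should show roughly three connections to RS1 for every one to RS2; with the tutorial's unweighted rules the split is 1:1.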
# 6. Stop firewalld and switch SELinux to permissive (same lab caveat as on the RSs)
[root@DR ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# setenforce 0
Requests to the VIP (192.168.187.200) on ports 80 and 443 now reach RS1 and RS2.
A browser that refreshes the page keeps reusing its existing keep-alive connection, and may also serve the page from its cache, so a refresh does not appear to move to the other server; IPVS makes one scheduling decision per new TCP connection. Test from the command line instead, where every curl invocation opens a fresh connection, and watch the distribution on the DR with ipvsadm -Ln --stats or ipvsadm -Lnc. Note that the hosts entries added on the client earlier point at the RIPs, so access by name goes straight to one RS and bypasses the director; point them at the VIP (or use curl --resolve) to test through LVS by name.
Port 443 fails from the command line not because the certificate is "not genuine" but because it chains to a private CA the client does not trust, so curl rejects it by default. Copy /etc/pki/CA/cacert.pem from RS1 to the client and pass it with --cacert, together with --resolve www.pupu.com:443:192.168.187.200 so the requested name matches the certificate; -k skips verification and is acceptable only in the lab. A browser will additionally object that the certificate has no subjectAltName.
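A command-line balancing test that follows from the points above, added here as an example rather than taken from the tutorial. It assumes cacert.pem from RS1 has been copied to the client, that curl is available, and that each RS serves a different index.html (for instance "RS1" and "RS2"); with identical pages on both servers, as in the tutorial, the tally cannot tell them apart. The `run` sub-command needs the lab network; `tally` and `spread` work on any captured responses.

```shell
#!/bin/sh
# Added example (not from the tutorial): N fresh HTTPS connections through the
# VIP, then a count of which real server answered. Assumes distinct index.html
# per RS and cacert.pem on the client.
set -u

# probe VIP NAME CACERT N: N separate curl runs are N new TCP connections and
# therefore N scheduling decisions by IPVS (a browser reuses one keep-alive
# connection, which is why a refresh seems to stick to one server).
# --resolve maps NAME to the VIP without touching the hosts file, so SNI and
# the certificate name line up; --cacert lets curl verify the private CA
# instead of switching verification off with -k.
probe() {
    n=0
    while [ "$n" -lt "$4" ]; do
        curl -s --cacert "$3" --resolve "$2:443:$1" "https://$2/"
        n=$((n + 1))
    done
}

# tally: one reply body per line on stdin -> "body count" per distinct body.
tally() { sort | uniq -c | awk '{print $2, $1}' | sort; }

# spread: true when at least two different backends answered, i.e. the
# director really is distributing connections rather than pinning to one RS.
spread() { [ "$(tally | wc -l)" -ge 2 ]; }

# sh lb-test.sh run [VIP] [NAME] [CACERT] [N]
case ${1:-} in
run) probe "${2:-192.168.187.200}" "${3:-www.pupu.com}" "${4:-cacert.pem}" "${5:-10}" | tally ;;
esac
```

Run it for www.daozhang.com as well: with the tutorial's certificate that name fails verification, which is the RS2 name mismatch noted in section VII; cross-check the counts against ipvsadm -Ln --stats on the DR.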