LVS Load Balancing
Load balancing
A load balancing cluster is a group of servers that distributes and processes client requests in order to achieve high availability, performance scaling and balanced load.
In a load balancing cluster, one or more load balancers sit at the front, receive client requests and distribute them to multiple backend servers according to a preset load balancing algorithm. The load balancer can pick a suitable backend server using different algorithms, such as round robin, weighted round robin, least connections or source address hashing.
Advantages of a load balancing cluster:
- High availability: load is spread across multiple servers, so if one server fails the others keep handling requests, which raises the availability of the system.
- Performance scaling: requests are distributed to multiple servers and processed in parallel, which raises the performance and throughput of the system.
- Load balancing: the load balancer distributes requests to the backend servers according to a preset algorithm, balancing server load and preventing any single server from being overloaded.
- Scalability: backend servers can be added or removed as needed to match different load conditions and business requirements.
Common load balancing cluster solutions:
- LVS: layer 4 load balancing
- haproxy: layer 4 / layer 7 load balancing
- nginx: layer 7 load balancing
- SLB: cloud load balancing service, also provides high availability, must be purchased
- F5: hardware load balancing appliance, the device must be purchased
High availability cluster (HA, High Availability)
High performance cluster (earthquake prediction, weather forecasting, research on security and encryption algorithms)
LVS
LVS (Linux Virtual Server) supports three load balancing methods: IP load balancing (IP Load Balancing), network address translation (NAT) and direct routing (Direct Routing).
1. NAT is another LVS load balancing method, also called NAT mode. In NAT mode the load balancer translates the source and destination addresses of the client request, forwards the request to the backend server and returns the response to the client. NAT mode provides transparent load balancing: it is transparent to both the client and the backend servers.
2. LVS-DR (Direct Routing): direct routing is the third LVS load balancing method. In direct routing mode the load balancer and the backend servers sit on the same subnet; the load balancer only forwards requests to the backend servers and does not translate the source or destination address. Direct routing mode offers higher performance and scalability.
3. LVS TUN mode:
The IP header of the request is not modified (source IP CIP, destination IP VIP); instead another IP header is wrapped around the original packet (source IP DIP, destination IP RIP) and the packet is sent to the selected RS. The RS responds directly to the client (source IP VIP, destination IP CIP).
4. FullNAT mode is an LVS load balancing mode, also called NAT mode. In FullNAT mode LVS creates a virtual IP address between the load balancer and the backend servers and distributes client requests to the backend servers. LVS also translates both the source and destination addresses of the request, forwards it to the backend server and returns the response to the client.
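As an added illustration (not part of the original post), the following Python model applies the header handling of each mode to one request and its reply, using the post's CIP/VIP/DIP/RIP notation; the client address is a constructed placeholder. It makes visible why an RS in DR and TUN mode must own the VIP itself: the packet it receives is still addressed to the VIP.

```python
from dataclasses import dataclass, replace

# Constructed addresses following the post's notation; the client IP is hypothetical.
CIP = "203.0.113.10"      # client
VIP = "192.168.37.200"    # virtual IP served by the director
DIP = "192.168.37.120"    # director's own IP
RIP = "192.168.37.130"    # real server (rs1)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    outer: tuple = ()     # (src, dst) of an encapsulating IP header, TUN only

def director_forward(mode, pkt):
    """Packet the director hands to the chosen RS for a client request CIP->VIP."""
    if mode == "NAT":      # rewrite the destination only; the RS still sees the client IP
        return replace(pkt, dst=RIP)
    if mode == "FullNAT":  # rewrite both ends, so the RS replies to the director
        return Packet(src=DIP, dst=RIP)
    if mode == "DR":       # IP header untouched; only the L2 destination MAC changes
        return pkt
    if mode == "TUN":      # wrap the unchanged packet in a new header DIP->RIP
        return replace(pkt, outer=(DIP, RIP))
    raise ValueError(f"unknown LVS mode {mode}")

def rs_reply(pkt):
    """Reply the RS builds: strip any outer header, then swap source and destination."""
    inner = replace(pkt, outer=())
    return Packet(src=inner.dst, dst=inner.src)

def director_return(mode, reply):
    """Reverse translation for replies that pass back through the director."""
    if mode == "NAT":      # reply RIP->CIP reaches the director as the RS's gateway
        return replace(reply, src=VIP), True
    if mode == "FullNAT":  # reply RIP->DIP is addressed to the director itself
        return Packet(src=VIP, dst=CIP), True
    return reply, False    # DR and TUN: the RS answers the client directly

def round_trip(mode):
    """Return (packet seen by RS, packet the client receives, reply went via director)."""
    to_rs = director_forward(mode, Packet(CIP, VIP))
    delivered, via_director = director_return(mode, rs_reply(to_rs))
    return to_rs, delivered, via_director
```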
Using LVS-DR
Lab environment:
IP | Hostname | Environment
---|---|---
192.168.37.120 | DR | centos8
192.168.37.130 | rs1 | centos8
192.168.37.140 | rs2 | centos8
First make sure both web servers can serve the page, and configure a domain name and a certificate on them.
// httpd is installed directly via yum here
[root@rs1 ~]# yum -y install httpd
[root@rs1 ~]# systemctl enable --now httpd
// Configure the virtual host
[root@rs1 ~]# cp /usr/share/doc/httpd/httpd-vhosts.conf /etc/httpd/conf.d/vhosts.conf
[root@rs1 ~]# cat /etc/httpd/conf.d/vhosts.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html/www.ayachinene.com"
ServerName www.ayachinene.com
ErrorLog "/var/log/httpd/www.ayachinene.com-error_log"
CustomLog "/var/log/httpd/www.ayachinene.com-access_log" common
</VirtualHost>
// Restart the service
[root@rs1 ~]# systemctl restart httpd
// Set up a CA and generate the certificate files
[root@rs1 ~]# mkdir -p /etc/pki/CA
[root@rs1 ~]# cd /etc/pki/CA
[root@rs1 CA]# mkdir private
[root@rs1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
[root@rs1 CA]# ls private/cakey.pem
private/cakey.pem
[root@rs1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.ayachinene.com
Organizational Unit Name (eg, section) []:www.ayachinene.com
Common Name (eg, your name or your server's hostname) []:www.ayachinene.com
Email Address []:
[root@rs1 CA]# ls
cacert.pem private
[root@rs1 CA]# cd private/
[root@rs1 private]# ls
cakey.pem
[root@rs1 private]# cd ..
[root@rs1 CA]# mkdir certs newcerts crl
[root@rs1 CA]# touch index.txt && echo 01 > serial
[root@rs1 CA]# cd /etc/httpd/ && mkdir ssl && cd ssl
[root@rs1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................+++++
........+++++
e is 65537 (0x010001)
[root@rs1 ssl]# ls
httpd.key
[root@rs1 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.ayachinene.com
Organizational Unit Name (eg, section) []:www.ayachinene.com
Common Name (eg, your name or your server's hostname) []:www.ayachinene.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@rs1 ssl]# ls
httpd.csr httpd.key
[root@rs1 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 8 07:07:26 2023 GMT
Not After : Oct 7 07:07:26 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = www.ayachinene.com
organizationalUnitName = www.ayachinene.com
commonName = www.ayachinene.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3E:24:38:E9:C1:44:F0:FC:42:6E:DE:FB:0C:87:5D:04:88:D9:85:C4
X509v3 Authority Key Identifier:
keyid:E8:0A:E2:E1:6E:F8:2E:2C:A3:40:7E:EE:32:33:00:4D:62:A9:A1:A3
Certificate is to be certified until Oct 7 07:07:26 2024 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@rs1 ssl]# ls
httpd.crt httpd.csr httpd.key
// Install the certificate (mod_ssl)
[root@rs1 ssl]# yum -y install httpd-devel
[root@rs1 ssl]# yum -y install mod_ssl
[root@rs1 ~]# grep -Ev '^$|^#' /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLCryptoDevice builtin
<VirtualHost _default_:443>
DocumentRoot "/var/www/html/www.ayachinene.com" // change to the site that gets the certificate
ServerName www.ayachinene.com:443 // change
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/httpd/ssl/httpd.crt // change to the actual path
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key // change to the actual path
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
// Restart the service
[root@rs1 ~]# systemctl restart httpd
[root@rs1 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:443 *:*
LISTEN 0 511 *:80 *:*
// Install the certificate on rs2
[root@rs2 ~]# cd /etc/httpd/ && mkdir ssl && cd ssl
[root@rs2 ssl]# scp root@192.168.37.130:/etc/httpd/ssl/httpd.crt /etc/httpd/ssl/
root@192.168.37.130's password:
httpd.crt 100% 4579 3.3MB/s 00:00
[root@rs2 ssl]# scp root@192.168.37.130:/etc/httpd/ssl/httpd.key /etc/httpd/ssl/
root@192.168.37.130's password:
httpd.key 100% 1679 1.5MB/s 00:00
[root@rs2 ssl]# cd /etc/httpd/ssl/
[root@rs2 ssl]# ls
httpd.crt httpd.key
// Edit the config file, same changes as above
[root@rs2 ~]# vi /etc/httpd/conf.d/ssl.conf
[root@rs2 ~]# systemctl restart httpd
[root@rs2 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:443 *:*
Now set up the load balancing; these steps are run on the DR host
// Install net-tools
[root@DR ~]# yum -y install net-tools
[root@DR ~]# ifconfig ens160:0 192.168.37.200/32 broadcast 192.168.37.200 up
[root@DR ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:29:4c:24 brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 192.168.37.120/24 brd 192.168.37.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet 192.168.37.200/0 brd 192.168.37.200 scope global ens160:0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe29:4c24/64 scope link noprefixroute
valid_lft forever preferred_lft forever
// Do the following on both RS hosts
Adjust the kernel ARP parameters for the interfaces: edit /etc/sysctl.conf and add the following:
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@rs1 ~]# sysctl -p // reload the settings
// Configure the VIP on the loopback alias; do this on both RS hosts
[root@rs1 ~]# ifconfig lo:0 192.168.37.200/32 broadcast 192.168.37.200 up
// Configure the host route for the VIP; do this on the director and on every RS:
[root@DR ~]# route add -host 192.168.37.200 dev ens160:0
[root@rs1 ~]# route add -host 192.168.37.200 dev lo:0
[root@rs2 ~]# route add -host 192.168.37.200 dev lo:0
// Add the rules on the director and save them:
[root@DR ~]# ipvsadm -A -t 192.168.37.200:80 -s wrr
[root@DR ~]# ipvsadm -A -t 192.168.37.200:443 -s wrr
[root@DR ~]# ipvsadm -a -t 192.168.37.200:80 -r 192.168.37.130:80 -g
[root@DR ~]# ipvsadm -a -t 192.168.37.200:443 -r 192.168.37.130:443 -g
[root@DR ~]# ipvsadm -a -t 192.168.37.200:80 -r 192.168.37.140:80 -g
[root@DR ~]# ipvsadm -a -t 192.168.37.200:443 -r 192.168.37.140:443 -g
[root@DR ~]# ipvsadm -S > /etc/sysconfig/ipvsadm
Refreshing the page twice returns different content, which shows that load balancing is working.
Requesting the page with curl makes this more visible.
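Beyond refreshing the page, checking the saved rule file is a useful verification step for the director. The following Python checker is an added example, not part of the original post: it parses rules in the format that ipvsadm -S writes (the sample below is constructed to match the setup above, with one rule deliberately changed to -m) and reports any real server that is missing from a VIP service or not using direct routing.

```python
import shlex
# Constructed sample in the format "ipvsadm -S" prints (the post saves it to
# /etc/sysconfig/ipvsadm); the last rule deliberately uses -m (NAT) instead of -g.
SAVED_RULES = """\
-A -t 192.168.37.200:80 -s wrr
-a -t 192.168.37.200:80 -r 192.168.37.130:80 -g -w 1
-a -t 192.168.37.200:80 -r 192.168.37.140:80 -g -w 1
-A -t 192.168.37.200:443 -s wrr
-a -t 192.168.37.200:443 -r 192.168.37.130:443 -g -w 1
-a -t 192.168.37.200:443 -r 192.168.37.140:443 -m -w 1
"""
VALUE_OPTS = {"-t", "-u", "-r", "-s", "-w"}                   # options taking an argument
FWD_FLAGS = {"-g": "direct", "-m": "nat", "-i": "tunnel"}    # ipvsadm forwarding methods

def parse_rule(line):
    """Split one saved rule into its command (-A or -a) and an option dict."""
    args = shlex.split(line)
    cmd, opts, i = args[0], {}, 1
    while i < len(args):
        takes_arg = args[i] in VALUE_OPTS
        opts[args[i]] = args[i + 1] if takes_arg else True
        i += 2 if takes_arg else 1
    return cmd, opts

def parse_rules(text):
    """Map each virtual service 'VIP:port' to its scheduler and its real servers."""
    services = {}
    for line in filter(str.strip, text.splitlines()):
        cmd, o = parse_rule(line)
        svc = o.get("-t") or o.get("-u")
        if cmd == "-A":
            services[svc] = {"scheduler": o.get("-s"), "real": {}}
        elif cmd == "-a":                                      # -g is ipvsadm's default method
            fwd = next((n for f, n in FWD_FLAGS.items() if f in o), "direct")
            services[svc]["real"][o["-r"]] = fwd
    return services

def check_dr(services, vip, rs_ips, ports):
    """Return the problems found; an empty list means the DR topology matches the plan."""
    problems = []
    for port in ports:
        svc = services.get(f"{vip}:{port}")
        if svc is None:
            problems.append(f"missing virtual service {vip}:{port}")
            continue
        for rs in rs_ips:
            fwd = svc["real"].get(f"{rs}:{port}")
            if fwd is None:
                problems.append(f"{vip}:{port}: real server {rs} is not configured")
            elif fwd != "direct":
                problems.append(f"{vip}:{port}: {rs} uses {fwd}, expected direct routing (-g)")
    return problems
```

On a real director, feed it the contents of /etc/sysconfig/ipvsadm instead of the constructed sample.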