一、项目介绍
目的是模拟企业内部的web项目需求,构建一个高可用高性能的web集群系统。通过部署nginx负载均衡器+keepalived双VIP增加高可用性,同时搭建基于Prometheus+grafana的监控系统,使用ansible自动化运维部署集群系统。
项目拓扑结构图
二、项目步骤
1、准备服务器
准备2台LB服务器,2台web服务器,1台综合服务器,1台MySQL服务器,1台防火墙,1台测试服务器。
2、服务器命名及网络配置
给web集群服务器命名
[root@localhost ~]# hostnamectl set-hostname web-1
[root@localhost ~]# su
[root@web-1 ~]#
配置web集群服务器的网络并重启
[root@web-1 ~]#vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="0cf8c0bd-0fb5-4264-9f21-72a21a0bf13e"
DEVICE="ens33"
ONBOOT="yes"
IPADDR=192.168.91.174
DNS1=114.114.114.114
GATEWAY=192.168.91.2
PREFIX=24
[root@web-1 ~]# service network restart
Restarting network (via systemctl): [ 确定 ]
永久关闭selinux和firewalld
[root@web-1 ~]# setenforce 0 #临时关闭
[root@web-1 ~]# vim /etc/selinux/config #永久关闭
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@web-1 ~]# service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
[root@web-1 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
重启服务器
[root@web-1 ~]# reboot
3、配置nfs服务器(综合服务器,2台Web服务器)
安装nfs-utils软件包(综合服务器,2台Web服务器)
[root@all-service ~]# yum install nfs-utils -y
启动nfs服务,并且开机自启
[root@all-service ~]# service nfs start
Redirecting to /bin/systemctl start nfs.service
[root@all-service ~]# systemctl enable nfs
Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service.
[root@all-service ~]# ps -aux |egrep nfs
root 1511 0.0 0.0 0 0 ? S< 18:45 0:00 [nfsd4_callbacks]
root 1517 0.0 0.0 0 0 ? S 18:45 0:00 [nfsd]
root 1518 0.0 0.0 0 0 ? S 18:45 0:00 [nfsd]
root 1519 0.0 0.0 0 0 ? S 18:45 0:00 [nfsd]
root 1520 0.0 0.0 0 0 ? S 18:45 0:00 [nfsd]
root 1521 0.0 0.0 0 0 ? S 18:45 0:00 [nfsd]
root 1522 0.0 0.0 0 0 ? S 18:45 0:00 [nfsd]
root 1523 0.0 0.0 0 0 ? S 18:45 0:00 [nfsd]
root 1524 0.0 0.0 0 0 ? S 18:45 0:00 [nfsd]
root 1556 0.0 0.0 112824 976 pts/0 S+ 18:46 0:00 grep -E --color=auto nfs
设置共享目录
[root@all-service ~]# mkdir -p /web/data
[root@all-service ~]# cd /web/data
[root@all-service data]#
创建共享目录下的内容
[root@all-service data]# vim index.html
<html>
<title>welcome to sanchuang</title>
<body>
<p>welcome to hunan changsha sanchuang</p>
<img src=1.jpg width=300 height=200>
</body>
</html>
[root@all-service data]# ls #照片自己通过rz(yum install lrzsz -y)传输
1.jpg index.html
设置共享目录权限,让 nfsnobody 可读写(可做可不做,只要给共享目录权限就可以了;CentOS 7 安装 nfs-utils 时已自带 nfsnobody 账号,即下面 /etc/passwd 里 uid 65534 的那一行,因此 useradd/groupadd 会提示已存在,可直接跳过)
[root@all-service data]# useradd nfsnobody
[root@all-service data]# groupadd nfsnobody
[root@all-service data]# cat /etc/passwd|egrep nfsnobody
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
[root@all-service data]# chown nfsnobody:nfsnobody /web/ -R
[root@all-service data]# ll /web
总用量 0
drwxr-xr-x 2 nfsnobody nfsnobody 37 4月 13 18:53 data
输出共享目录(注意 /etc/exports 的语法:客户端地址与括号之间不能有空格。写成 `192.168.91.0/24 (rw,sync,all_squash)` 会被解析成两条导出——对 192.168.91.0/24 使用默认选项只读导出,同时对所有主机 `*` 以 (rw,sync,all_squash) 导出;正确写法是 `/web/data 192.168.91.0/24(rw,sync,all_squash)`,改完可用 `exportfs -v` 核对实际生效的导出)
[root@all-service data]# vim /etc/exports
[root@all-service data]# cat /etc/exports
/web/data 192.168.91.0/24 (rw,sync,all_squash)
[root@all-service data]# service nfs restart
Redirecting to /bin/systemctl restart nfs.service
挂载测试nfs服务器的共享目录(2台web服务器)
[root@web-1 ~]# mkdir -p /test
[root@web-1 ~]# mount 192.168.91.178:/web/data /test
[root@web-1 ~]# df -Th |egrep test
192.168.91.178:/web/data nfs4 17G 1.6G 16G 9% /test
[root@web-1 ~]# umount /test
[root@web-1 ~]# df -Th |egrep test
[root@web-1 ~]#
设置开机自动挂载
[root@web-1 ~]# vim /etc/rc.local
touch /var/lock/subsys/local
mkdir -p /nfs_web_data
mount 192.168.91.178:/web/data /nfs_web_data
4、配置ansible服务器(综合服务器)
安装ansible
[root@all-service ~]# yum install epel-release -y
[root@all-service data]# yum install ansible -y
配置主机清单
[root@all-service data]# vim /etc/ansible/hosts
[web]
192.168.91.174
192.168.91.175
[lb]
192.168.91.176
192.168.91.177
[service]
192.168.91.178
[firewalld]
192.168.91.179
[mysql]
192.168.91.180
[al]
192.168.91.174
192.168.91.175
192.168.91.176
192.168.91.177
192.168.91.179
192.168.91.180
建立ansible服务器与其他服务器的ssh免密通道
[root@all-service data]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:9Nh9hJ2FfbBkm64DH26/cnKmgG89BaGeqgYEWYNcI+k root@all-service
The key's randomart image is:
+---[RSA 2048]----+
| ..*= ++.|
| *. o .=.*o|
| . . . ...B .|
| E . . +...o |
| . S.+.o.o |
| . .o+ +. |
| . ....*. |
| . ...o=o+ |
| ... .. .Oo. |
+----[SHA256]-----+
[root@all-service data]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.91.174
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.91.174 (192.168.91.174)' can't be established.
ECDSA key fingerprint is SHA256:Eg3Kn79R/Vdb3os4cMGXX3YfX+GC2PGofCUys3C7BFU.
ECDSA key fingerprint is MD5:2e:d5:d6:98:95:a6:21:11:d9:43:7c:0a:51:8f:ff:0d.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.91.174's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.91.174'"
and check to make sure that only the key(s) you wanted were added.
[root@all-service data]# ssh root@192.168.91.174
Last login: Sat Apr 13 19:11:13 2024 from 192.168.91.1
[root@web-1 ~]#
测试通道效果
[root@all-service data]# ansible web -m shell -a"ip add"
192.168.91.174 | CHANGED | rc=0 >>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:29:3f:0b brd ff:ff:ff:ff:ff:ff
inet 192.168.91.174/24 brd 192.168.91.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::bb81:5e35:d308:1979/64 scope link tentative noprefixroute dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::1c77:b432:635:83a8/64 scope link noprefixroute
valid_lft forever preferred_lft forever
5、部署MySQL服务器(MySQL服务器)
一键部署MySQL(密码为Sanchuang123#,可以去bash脚本里面自定义)
[root@mysql ~]# ls
anaconda-ks.cfg onekey_install_mysql_binary_v3.sh
mysql-5.7.37-linux-glibc2.12-x86_64.tar.gz
[root@mysql ~]# bash onekey_install_mysql_binary_v3.sh
完毕!
Redirecting to /bin/systemctl stop firewalld.service
setenforce: SELinux is disabled
Starting MySQL.Logging to '/data/mysql/mysql.err'.
SUCCESS!
mysql: [Warning] Using a password on the command line interface can be insecure.
mysql: [Warning] Using a password on the command line interface can be insecure.
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
重新登陆,让脚本修改的PATH变量生效
[root@mysql ~]# su
[root@mysql ~]# mysql -uroot -p"Sanchuang123#"
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.37 MySQL Community Server (GPL)
Copyright (c) 2000, 2022, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
root@(none) 19:58 mysql>show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
4 rows in set (0.00 sec)
6、部署Prometheus监控所有服务器(综合服务器)
一键安装Prometheus+grafana+node_exporter+alertmanager
[root@all-service ~]# mkdir -p /prom
[root@all-service ~]# cd /prom
[root@all-service prom]# ls
alertmanager-0.23.0-rc.0.linux-amd64.tar.gz node_exporter-1.4.0-rc.0.linux-amd64.tar.gz
?Fd???=I? prometheus-2.43.0.linux-amd64.tar.gz
grafana-enterprise-9.1.2-1.x86_64.rpm
安装Prometheus
[root@all-service prom]# tar xf prometheus-2.43.0.linux-amd64.tar.gz
[root@all-service prom]# ls
alertmanager-0.23.0-rc.0.linux-amd64.tar.gz node_exporter-1.4.0-rc.0.linux-amd64.tar.gz prometheus-2.43.0.linux-amd64 grafana-enterprise-9.1.2-1.x86_64.rpm prometheus-2.43.0.linux-amd64.tar.gz
[root@all-service prom]# mv prometheus-2.43.0.linux-amd64 prometheus
[root@all-service prom]# PATH=/prom/prometheus:$PATH
[root@all-service prom]# echo 'PATH=/prom/prometheus:$PATH' >>/etc/profile
[root@all-service prom]# which prometheus
/prom/prometheus/prometheus
将Prometheus做成一个服务进行管理(注意:systemd unit 文件只支持整行注释,不支持行尾注释;下面 ExecStart 行末的 `#注意路径要写对` 只是本文的说明,实际文件里不要写进去,否则会被当成 prometheus 的启动参数)
[root@all-service prom]# vim /usr/lib/systemd/system/prometheus.service
[Unit]
Description=prometheus
[Service]
ExecStart=/prom/prometheus/prometheus --config.file=/prom/prometheus/prometheus.yml #注意路径要写对
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
[Install]
WantedBy=multi-user.target
重启Prometheus
[root@all-service prom]# systemctl daemon-reload
[root@all-service prom]# systemctl start prometheus
[root@all-service prom]# systemctl enable prometheus
Created symlink from /etc/systemd/system/multi-user.target.wants/prometheus.service to /usr/lib/systemd/system/prometheus.service.
[root@all-service prom]# ps -aux |egrep prometheus
root 1858 1.7 3.7 798956 37764 ? Ssl 20:14 0:00 /prom/prometheus/prometheus --config.file=/prom/prometheus/prometheus.yml
root 1886 0.0 0.0 112824 988 pts/0 S+ 20:14 0:00 grep -E --color=auto prometheus
测试,登录Prometheus服务器的9090端口
7、安装node_exporter(整个web集群)和grafana(综合服务器)
安装node_exporter
[root@all-service ~]# ls
anaconda-ks.cfg node_exporter-1.4.0-rc.0.linux-amd64.tar.gz
[root@all-service ~]# ansible al -m copy -a"src=node_exporter-1.4.0-rc.0.linux-amd64.tar.gz dest=/root"
192.168.91.174 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"checksum": "47cf6dcfa33d46afe456dc6cf679efee32c5195b",
"dest": "/root/node_exporter-1.4.0-rc.0.linux-amd64.tar.gz",
"gid": 0,
"group": "root",
"md5sum": "7ba0551da4ff22a0ee53e1eecf00985e",
"mode": "0644",
"owner": "root",
"size": 9735268,
"src": "/root/.ansible/tmp/ansible-tmp-1713011417.1-12527-115181471079838/source",
"state": "file",
"uid": 0
}
[root@all-service ~]# vim install_node_exporter.sh
#!/bin/bash
# Install node_exporter on this host: unpack the tarball that ansible copied to
# /root, move it to /node_exporter, register a systemd unit and start it.
# Must run as root. Re-running on an already installed host fails at the mv
# step instead of silently nesting a second copy inside /node_exporter.
set -euo pipefail

readonly tarball=/root/node_exporter-1.4.0-rc.0.linux-amd64.tar.gz
readonly unpacked=node_exporter-1.4.0-rc.0.linux-amd64
readonly install_dir=/node_exporter
# 9090 is kept because prometheus.yml on the monitoring server scrapes that
# port. It is also Prometheus' own port, so on the host that runs Prometheus
# this unit most likely cannot bind (node_exporter's conventional port is 9100).
readonly listen_addr=0.0.0.0:9090

[[ -f "$tarball" ]] || { printf 'tarball not found: %s\n' "$tarball" >&2; exit 1; }
tar xf "$tarball" -C /
cd /
# -T: fail if /node_exporter already exists rather than moving into it
mv -T "$unpacked" "$install_dir"

# Add the binary to PATH for login shells, only once.
grep -qxF 'PATH=/node_exporter/:$PATH' /etc/profile ||
  echo 'PATH=/node_exporter/:$PATH' >>/etc/profile

# Unit file. $MAINPID has to reach the file literally (systemd expands it at
# reload time); the original unquoted heredoc expanded it to an empty string,
# leaving "ExecReload=/bin/kill -HUP" with no pid. Hence the escaped \$MAINPID.
cat >/usr/lib/systemd/system/node_exporter.service <<EOF
[Unit]
Description=node_exporter
[Service]
ExecStart=${install_dir}/node_exporter --web.listen-address ${listen_addr}
ExecReload=/bin/kill -HUP \$MAINPID
KillMode=process
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF

# Make systemd pick up the new unit, enable it at boot and start it now.
systemctl daemon-reload
systemctl enable node_exporter
systemctl start node_exporter
[root@all-service ~]# ansible all -m script -a"~/install_node_exporter.sh"
192.168.91.175 | CHANGED => {
"changed": true,
"rc": 0,
"stderr": "Shared connection to 192.168.91.175 closed.\r\n",
"stderr_lines": [
"Shared connection to 192.168.91.175 closed."
],
"stdout": "Created symlink from /etc/systemd/system/multi-user.target.wants/node_exporter.service to /usr/lib/systemd/system/node_exporter.service.\r\n",
"stdout_lines": [
"Created symlink from /etc/systemd/system/multi-user.target.wants/node_exporter.service to /usr/lib/systemd/system/node_exporter.service."
]
}
192.168.91.174 | CHANGED => {
"changed": true,
"rc": 0,
"stderr": "Shared connection to 192.168.91.174 closed.\r\n",
"stderr_lines": [
"Shared connection to 192.168.91.174 closed."
],
"stdout": "Created symlink from /etc/systemd/system/multi-user.target.wants/node_exporter.service to /usr/lib/systemd/system/node_exporter.service.\r\n",
"stdout_lines": [
"Created symlink from /etc/systemd/system/multi-user.target.wants/node_exporter.service to /usr/lib/systemd/system/node_exporter.service."
]
}
查看node_exporter进程
[root@all-service ~]# ansible all -m shell -a"ps -aux|egrep node"
[root@all-service ~]# ansible all -m shell -a"ps -aux|egrep node"
192.168.91.175 | CHANGED | rc=0 >>
root 11966 0.0 1.1 716288 11084 ? Ssl 20:44 0:00 /node_exporter/node_exporter --web.listen-address 0.0.0.0:9090
root 12039 0.0 0.1 113280 1200 pts/1 S+ 20:53 0:00 /bin/sh -c ps -aux|egrep node
root 12041 0.0 0.0 112824 960 pts/1 S+ 20:53 0:00 grep -E node
192.168.91.174 | CHANGED | rc=0 >>
root 1920 0.0 1.3 716288 13120 ? Ssl 20:44 0:00 /node_exporter/node_exporter --web.listen-address 0.0.0.0:9090
root 1994 0.0 0.1 113280 1200 pts/2 S+ 20:53 0:00 /bin/sh -c ps -aux|egrep node
root 1996 0.0 0.0 112824 960 pts/2 S+ 20:53 0:00 grep -E node
安装grafana
[root@all-service prom]# ls
alertmanager-0.23.0-rc.0.linux-amd64.tar.gz node_exporter-1.4.0-rc.0.linux-amd64.tar.gz prometheus grafana-enterprise-9.1.2-1.x86_64.rpm prometheus-2.43.0.linux-amd64.tar.gz
install_node_exporter.sh
[root@all-service prom]# yum install grafana-enterprise-9.1.2-1.x86_64.rpm -y
查看grafana进程 (监听3000端口)
[root@all-service prom]# systemctl grafana start
Unknown operation 'grafana'.
[root@all-service prom]# systemctl grafana-server start
Unknown operation 'grafana-server'.
[root@all-service prom]# systemctl start grafana-server
[root@all-service prom]# systemctl enable grafana-server
Created symlink from /etc/systemd/system/multi-user.target.wants/grafana-server.service to /usr/lib/systemd/system/grafana-server.service.
[root@all-service prom]# ps -aux|egrep grafana
grafana 14834 5.9 6.8 1129792 68104 ? Ssl 21:51 0:03 /usr/sbin/grafana-server --config=/etc/grafana/grafana.ini --pidfile=/var/run/grafana/grafana-server.pid --packaging=rpm cfg:default.paths.logs=/var/log/grafana cfg:default.paths.data=/var/lib/grafana cfg:default.paths.plugins=/var/lib/grafana/plugins cfg:default.paths.provisioning=/etc/grafana/provisioning
root 14907 0.0 0.0 112824 976 pts/0 S+ 21:52 0:00 grep -E --color=auto grafan
[root@all-service prom]# netstat -anplut |egrep grafana
tcp6 0 0 :::3000 :::* LISTEN 14834/grafana-serve
登录综合服务器的3000端口查看(账号:admin,密码:admin;这是 grafana 的默认口令,首次登录后应修改)
8、添加被监控的服务器(综合服务器)
修改prometheus.yml文件
[root@all-service prometheus]# pwd
/prom/prometheus
[root@all-service prometheus]# ls
console_libraries consoles LICENSE NOTICE prometheus prometheus.yml promtool
[root@all-service prometheus]# vim prometheus.yml
[root@all-service prometheus]# cat prometheus.yml
# my global config
global:
scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
# scrape_timeout is set to the global default (10s).
# Alertmanager configuration
alerting:
alertmanagers:
- static_configs:
- targets:
# - alertmanager:9093
# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
# - "first_rules.yml"
# - "second_rules.yml"
# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
- job_name: "prometheus"
# metrics_path defaults to '/metrics'
# scheme defaults to 'http'.
static_configs:
- targets: ["localhost:9090"]
#添加下面的配置
- job_name: "web-1"
static_configs:
- targets: ["192.168.91.174:9090"]
- job_name: "web-2"
static_configs:
- targets: ["192.168.91.175:9090"]
- job_name: "lb-1"
static_configs:
- targets: ["192.168.91.176:9090"]
- job_name: "lb-2"
static_configs:
- targets: ["192.168.91.177:9090"]
- job_name: "mysql"
static_configs:
- targets: ["192.168.91.180:9090"]
- job_name: "firewalld"
static_configs:
- targets: ["192.168.91.179:9090"]
重启Prometheus服务
[root@all-service prometheus]# service prometheus restart
Redirecting to /bin/systemctl restart prometheus.service
访问Prometheus服务器的9090端口
9、grafana出图
先配置prometheus的数据源
点击添加数据源(add data source)
选择Prometheus数据库
填写好配置
点击Dashboards 进入仪表盘设置
点击import直接导入模板
输入8919模板,点击load(需要知道哪些模板可以使用,可以去官方找,也可以百度)
给模板起一个名字,然后选择Prometheus数据库,最后点击import
进入dashboard界面,看到非常漂亮的监控效果图
10.部署DNS服务器(综合服务器)
安装bind软件
[root@all-service prom]# yum install bind* -y
启动named服务
[root@all-service prom]# service named start
Redirecting to /bin/systemctl start named.service
[root@all-service prom]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
查看named进程和端口
[root@all-service prom]# ps -aux |egrep named
named 16157 1.2 5.7 242032 57632 ? Ssl 22:14 0:00 /usr/sbin/named -u named -c /etc/named.conf
root 16218 0.0 0.0 112824 980 pts/0 S+ 22:14 0:00 grep -E --color=auto named
[root@all-service prom]# netstat -anplut |egrep named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 16157/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 16157/named
tcp6 0 0 ::1:953 :::* LISTEN 16157/named
tcp6 0 0 ::1:53 :::* LISTEN 16157/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 16157/named
udp6 0 0 ::1:53 :::* 16157/named
修改配置文件,重启服务(允许其他电脑能过来查询dns域名。注意 `allow-query { any; }` 配合 named.conf 默认的 `recursion yes` 会让它对所有能连到 53 端口的主机提供递归解析,这里可以接受是因为 DNS 服务器只在内网/DMZ 可达;不要再把 53 端口 DNAT 到外网)
[root@all-service prom]# vim /etc/named.conf
options {
listen-on port 53 { any; }; #修改
listen-on-v6 port 53 { any; }; #修改
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; #修改
[root@all-service prom]# service named restart
Redirecting to /bin/systemctl restart named.service
[root@all-service prom]# netstat -anplut |egrep named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 16425/named
tcp 0 0 192.168.91.178:53 0.0.0.0:* LISTEN 16425/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 16425/named
tcp6 0 0 ::1:953 :::* LISTEN 16425/named
tcp6 0 0 :::53 :::* LISTEN 16425/named
udp 0 0 192.168.91.178:53 0.0.0.0:* 16425/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 16425/named
udp6 0 0 :::53 :::* 16425/named
修改本机和其他服务器上的DNS服务器地址
[root@all-service ~]# vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.91.178
#nameserver 114.114.114.114
[root@web-1 ~]# vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.91.178
#nameserver 114.114.114.114
测试DNS服务器
[root@web-1 ~]# yum install bind-utils -y #获取nslookup和dig命令
[root@web-1 ~]# nslookup www.baidu.com
Server: 192.168.91.178
Address: 192.168.91.178#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 183.2.172.42
Name: www.a.shifen.com
Address: 183.2.172.185
Name: www.a.shifen.com
Address: 240e:ff:e020:966:0:ff:b042:f296
Name: www.a.shifen.com
Address: 240e:ff:e020:9ae:0:ff:b014:8e8b
[root@web-1 ~]# nslookup www.qq.com
Server: 192.168.91.178
Address: 192.168.91.178#53
Non-authoritative answer:
www.qq.com canonical name = ins-r23tsuuf.ias.tencent-cloud.net.
Name: ins-r23tsuuf.ias.tencent-cloud.net
Address: 121.14.77.221
Name: ins-r23tsuuf.ias.tencent-cloud.net
Address: 121.14.77.201
Name: ins-r23tsuuf.ias.tencent-cloud.net
Address: 240e:97c:2f:2::4c
Name: ins-r23tsuuf.ias.tencent-cloud.net
Address: 240e:97c:2f:1::5c
增加web集群项目的域名解析(sc.com)
[root@all-service ~]# vim /etc/named.rfc1912.zones
#添加下面的配置,增加一个sc.com的域名
zone "sc.com" IN {
type master;
file "sc.com.zone";
allow-update { none; };
};
创建sc.com的数据文件(注意:区域文件的注释符是 `;`,`#` 不是注释符;下面各记录行末的 `#综合服务器`、`#www开头的跳转到web-1` 等只是本文的说明,实际文件里不要写入,否则 named-checkzone 会报错)
[root@all-service ~]# cd /var/named/
[root@all-service named]# ls
chroot data dyndb-ldap named.empty named.loopback
chroot_sdb dynamic named.ca named.localhost slaves
[root@all-service named]# cp -a named.localhost sc.com.zone
[root@all-service named]# ls
chroot dynamic named.empty sc.com.zone
chroot_sdb dyndb-ldap named.localhost slaves
data named.ca named.loopback
[root@all-service named]# vim sc.com.zone
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 192.168.91.178 #综合服务器
AAAA ::1
www A 192.168.91.174 #www开头的跳转到web-1
db A 192.168.91.180 #db开头的跳转到MySQL
web CNAME www
* A 192.168.91.174 #任意开头的跳转到web-1
重启服务
[root@all-service named]# service named restart
Redirecting to /bin/systemctl restart named.service
当服务启动不了的时候,如何排错?
1.看日志
[root@all-service named]# tail -f /var/log/messages
Apr 14 12:55:35 all-service named[18820]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Apr 14 12:55:35 all-service named[18820]: network unreachable resolving './NS/IN': 2001:7fe::53#53
Apr 14 12:55:35 all-service named[18820]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Apr 14 12:55:35 all-service named[18820]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
Apr 14 12:55:35 all-service named[18820]: resolver priming query complete
2.使用检测工具:检测配置文件和数据文件
检查数据文件
[root@all-service named]# named-checkzone sc.com /var/named/sc.com.zone
zone sc.com/IN: loaded serial 0
OK
检查配置文件
[root@all-service named]# named-checkconf /etc/named.rfc1912.zones
[root@all-service named]# echo $?
0
测试DNS服务器记录(其他服务器上)
[root@web-1 ~]# nslookup www.sc.com
Server: 192.168.91.178
Address: 192.168.91.178#53
Name: www.sc.com
Address: 192.168.91.174
[root@web-1 ~]# nslookup db.sc.com
Server: 192.168.91.178
Address: 192.168.91.178#53
Name: db.sc.com
Address: 192.168.91.180
[root@web-1 ~]# nslookup wb.sc.com
Server: 192.168.91.178
Address: 192.168.91.178#53
Name: wb.sc.com
Address: 192.168.91.174
[root@web-1 ~]# nslookup sc.sc.com
Server: 192.168.91.178
Address: 192.168.91.178#53
Name: sc.sc.com
Address: 192.168.91.174
11、部署防火墙
查看防火墙服务器的防火墙和selinux是否关闭,没有关闭的就关闭
[root@firewalld ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
[root@firewalld ~]# getenforce
Disabled
配置防火墙服务器的两块网卡(确保有两块网卡,关闭虚拟机去新加一块。注意直接 cp 得到的 ifcfg-ens37 会沿用 ifcfg-ens33 的 UUID,应删除 UUID 行或用 uuidgen 生成一个新的,避免 NetworkManager 把两张网卡当成同一个连接)
[root@firewalld ~]# yum install net-tools -y
[root@firewalld network-scripts]# pwd
/etc/sysconfig/network-scripts
[root@firewalld network-scripts]# cp ifcfg-ens33 ifcfg-ens37
[root@firewalld network-scripts]# ls
ifcfg-ens33 ifdown-post ifup-bnep ifup-routes
ifcfg-ens37 ifdown-ppp ifup-eth ifup-sit
ifcfg-lo ifdown-routes ifup-ippp ifup-Team
ifdown ifdown-sit ifup-ipv6 ifup-TeamPort
ifdown-bnep ifdown-Team ifup-isdn ifup-tunnel
ifdown-eth ifdown-TeamPort ifup-plip ifup-wireless
ifdown-ippp ifdown-tunnel ifup-plusb init.ipv6-global
ifdown-ipv6 ifup ifup-post network-functions
ifdown-isdn ifup-aliases ifup-ppp network-functions-ipv6
ens33作为WAN口,ens37作为LAN口
[root@all-service named]# ping 192.168.91.125
PING 192.168.91.125 (192.168.91.125) 56(84) bytes of data.
From 192.168.91.178 icmp_seq=1 Destination Host Unreachable
From 192.168.91.178 icmp_seq=2 Destination Host Unreachable
From 192.168.91.178 icmp_seq=3 Destination Host Unreachable
^C
--- 192.168.91.125 ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4014ms
pipe 4
[root@firewalld network-scripts]# vim ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
NAME="ens33"
UUID="0cf8c0bd-0fb5-4264-9f21-72a21a0bf13e"
DEVICE="ens33"
ONBOOT="yes"
IPADDR=192.168.1.125 #未被使用
DNS1=114.114.114.114
GATEWAY=192.168.1.1
PREFIX=24
[root@firewalld network-scripts]# vim ifcfg-ens37 #不配置网关和dns服务器地址,因为WAN口ens33里有配置
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
NAME="ens37"
UUID="0cf8c0bd-0fb5-4264-9f21-72a21a0bf13e"
DEVICE="ens37"
ONBOOT="yes"
IPADDR=192.168.110.2 #web集群内部的网关地址
PREFIX=24
[root@firewalld network-scripts]# service network restart
Restarting network (via systemctl): [ 确定 ]
[root@firewalld network-scripts]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:2f:99:f1 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.125/24 brd 192.168.1.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:2f:99:fb brd ff:ff:ff:ff:ff:ff
inet 192.168.110.2/24 brd 192.168.91.255 scope global ens37
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe2f:99fb/64 scope link
valid_lft forever preferred_lft forever
DMZ区(web集群内部的服务器:web,LB,综合服务器,MySQL,防火墙ens37端口)里的所有服务器网卡类型调整为hostonly模式,即跟vmnet1在同一个网段,网关配置为 LAN口的地址
[root@web-1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="none"
DEFROUTE="yes"
NAME="ens33"
UUID="0cf8c0bd-0fb5-4264-9f21-72a21a0bf13e"
DEVICE="ens33"
ONBOOT="yes"
IPADDR=192.168.110.174
DNS1=114.114.114.114
GATEWAY=192.168.110.2
PREFIX=24
[root@web-1 ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:29:3f:0b brd ff:ff:ff:ff:ff:ff
inet 192.168.110.174/24 brd 192.168.110.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
[root@web-1 ~]# ip route
default via 192.168.110.2 dev ens33 proto static metric 100
192.168.110.0/24 dev ens33 proto kernel scope link src 192.168.110.174 metric 100
[root@web-1 ~]# ping 192.168.110.2
PING 192.168.110.2 (192.168.110.2) 56(84) bytes of data.
64 bytes from 192.168.110.2: icmp_seq=1 ttl=64 time=0.900 ms
64 bytes from 192.168.110.2: icmp_seq=2 ttl=64 time=0.348 ms
^C
--- 192.168.110.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.348/0.624/0.900/0.276 ms
#防火墙可以访问外网
[root@firewalld ~]# ping www.baidu.com
PING www.a.shifen.com (183.2.172.42) 56(84) bytes of data.
64 bytes from 183.2.172.42 (183.2.172.42): icmp_seq=1 ttl=52 time=30.6 ms
64 bytes from 183.2.172.42 (183.2.172.42): icmp_seq=2 ttl=52 time=30.5 ms
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1005ms
rtt min/avg/max/mdev = 30.520/30.594/30.668/0.074 ms
#web集群不可以
[root@web-1 ~]# ping www.baidu.com
ping: www.baidu.com: 未知的名称或服务
12、配置SNAT和DNAT功能(防火墙服务器)
开启路由功能
[root@firewalld ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@firewalld ~]# sysctl -p #让内核读取配置文件,开启路由功能
net.ipv4.ip_forward = 1
[root@firewalld ~]#
编写snat_dnat脚本
[root@firewalld ~]# mkdir -p /SNAT_DNAT
[root@firewalld ~]# cd /SNAT_DNAT/
[root@firewalld SNAT_DNAT]# vim set_snat_dnat.sh
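#!/bin/bash
# Enable IPv4 forwarding and (re)build the NAT rules of the firewall host:
#   - MASQUERADE for the DMZ subnet leaving through the WAN interface
#   - DNAT of WAN:80   -> web-1
#   - DNAT of WAN:2233 -> bastion sshd (port 22)
# Re-running is safe: the filter and nat tables are flushed before the rules
# are added again. Must run as root.
set -euo pipefail

readonly iptables=/usr/sbin/iptables
readonly wan_if=ens33
readonly wan_ip=192.168.1.125
readonly dmz_net=192.168.110.0/24
readonly web_ip=192.168.110.174
readonly bastion_ip=192.168.110.178

# Enable routing now; for reboots /etc/sysctl.conf also needs
# net.ipv4.ip_forward = 1
echo 1 >/proc/sys/net/ipv4/ip_forward

# Flush existing rules. -F does not reset chain policies: FORWARD stays at
# ACCEPT, so every DNAT'd port is reachable without any further filtering.
"$iptables" -F
"$iptables" -t nat -F

# SNAT: let the DMZ reach the outside through the WAN address
"$iptables" -t nat -A POSTROUTING -s "$dmz_net" -o "$wan_if" -j MASQUERADE

# DNAT: publish web-1's http service
"$iptables" -t nat -A PREROUTING -d "$wan_ip" -i "$wan_if" -p tcp --dport 80 \
  -j DNAT --to-destination "$web_ip"

# DNAT: publish the bastion's sshd on WAN port 2233. The bastion is also the
# ansible control node whose key is trusted by every host in the inventory, so
# the sshd exposed here should at least be key-only (PasswordAuthentication no).
"$iptables" -t nat -A PREROUTING -d "$wan_ip" -i "$wan_if" -p tcp --dport 2233 \
  -j DNAT --to-destination "${bastion_ip}:22"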
查看效果
[root@firewalld SNAT_DNAT]# bash set_snat_dnat.sh
[root@firewalld SNAT_DNAT]# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 192.168.1.125 tcp dpt:80 to:192.168.110.174
DNAT tcp -- 0.0.0.0/0 192.168.1.125 tcp dpt:2233 to:192.168.110.178:22
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.110.0/24 0.0.0.0/0
保存规则,开机自动开启SNAT和DNAT功能(以下可以用执行bash文件代替)
[root@firewalld SNAT_DNAT]# iptables-save >/etc/sysconfig/iptables_rules
[root@firewalld SNAT_DNAT]# vim /etc/rc.local
iptables-restore </etc/sysconfig/iptables_rules
touch /var/lock/subsys/local
[root@firewalld SNAT_DNAT]# chmod +x /etc/rc.d/rc.local
在其他机器上测试SNAT功能
[root@web-1 ~]# ping www.baidu.com
PING www.a.shifen.com (183.2.172.185) 56(84) bytes of data.
64 bytes from 183.2.172.185 (183.2.172.185): icmp_seq=1 ttl=51 time=30.4 ms
64 bytes from 183.2.172.185 (183.2.172.185): icmp_seq=2 ttl=51 time=44.5 ms
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1019ms
rtt min/avg/max/mdev = 30.460/37.511/44.562/7.051 ms
[root@mysql ~]# ping www.baidu.com
PING www.a.shifen.com (183.2.172.185) 56(84) bytes of data.
64 bytes from 183.2.172.185 (183.2.172.185): icmp_seq=1 ttl=51 time=28.1 ms
64 bytes from 183.2.172.185 (183.2.172.185): icmp_seq=2 ttl=51 time=33.9 ms
^C
--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1022ms
rtt min/avg/max/mdev = 28.161/31.047/33.934/2.891 ms
在web-1部署nginx服务
[root@web-1 ~]# vim onekey_install_yingboshuyuan.sh
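#!/bin/bash
# Build nginx 1.24.0 from source into /usr/local/wangguang, run it as the
# unprivileged 'wangguang' user, and start it at boot through rc.local.
# Must run as root. Critical steps abort the script with a non-zero status
# (the original exited 0 when ./configure failed, hiding the failure).
set -uo pipefail

readonly nginx_ver=1.24.0
readonly prefix=/usr/local/wangguang
readonly run_user=wangguang
readonly src_dir=/wangguang

# Build dependencies
yum install epel-release -y
yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel gcc gcc-c++ autoconf automake make psmisc net-tools lsof vim wget

# Service account without a login shell
id "$run_user" >/dev/null 2>&1 || useradd "$run_user" -s /sbin/nologin

# Fetch and unpack the source. The tarball comes over HTTPS but is not
# otherwise verified; nginx.org publishes a .asc signature next to each
# release that could be checked here before building (TODO: add the check).
mkdir -p "$src_dir"
cd "$src_dir" || exit 1
wget "https://nginx.org/download/nginx-${nginx_ver}.tar.gz" || exit 1
tar xf "nginx-${nginx_ver}.tar.gz" || exit 1
cd "nginx-${nginx_ver}" || exit 1

# Configure; stop here if it fails so make never runs on a broken tree.
./configure --prefix="$prefix" --user="$run_user" --group="$run_user" \
  --with-http_ssl_module --with-threads --with-http_v2_module \
  --with-http_stub_status_module --with-stream --with-http_gunzip_module || exit 1

# Two parallel jobs, then install
make -j 2 || exit 1
make install || exit 1

# PATH for interactive shells. $PATH is kept unexpanded (single quotes) so the
# line extends each shell's own PATH instead of freezing this script's PATH
# into /etc/bashrc; it is added only once.
grep -qxF 'PATH=$PATH:/usr/local/wangguang/sbin' /etc/bashrc ||
  echo 'PATH=$PATH:/usr/local/wangguang/sbin' >>/etc/bashrc

# firewalld and selinux: stopped/disabled as on every host in this lab setup
service firewalld stop
systemctl disable firewalld
setenforce 0
# match whatever mode is currently set (enforcing or permissive)
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

# Start at boot via rc.local (entry added once), then start now
chmod +x /etc/rc.d/rc.local
grep -qxF "${prefix}/sbin/nginx" /etc/rc.local || echo "${prefix}/sbin/nginx" >>/etc/rc.local
"${prefix}/sbin/nginx"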
[root@web-1 ~]# vim onekey_install_yingboshuyuan.sh
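#!/bin/bash
# Build nginx 1.24.0 from source into /usr/local/wangguang, run it as the
# unprivileged 'wangguang' user, and start it at boot through rc.local.
# Must run as root. Critical steps abort the script with a non-zero status
# (the original exited 0 when ./configure failed, hiding the failure).
set -uo pipefail

readonly nginx_ver=1.24.0
readonly prefix=/usr/local/wangguang
readonly run_user=wangguang
readonly src_dir=/wangguang

# Build dependencies (epel-release is already installed on this host)
#yum install epel-release -y
yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel gcc gcc-c++ autoconf automake make psmisc net-tools lsof vim wget

# Service account without a login shell
id "$run_user" >/dev/null 2>&1 || useradd "$run_user" -s /sbin/nologin

# Fetch and unpack the source. The tarball comes over HTTPS but is not
# otherwise verified; nginx.org publishes a .asc signature next to each
# release that could be checked here before building (TODO: add the check).
mkdir -p "$src_dir"
cd "$src_dir" || exit 1
wget "https://nginx.org/download/nginx-${nginx_ver}.tar.gz" || exit 1
tar xf "nginx-${nginx_ver}.tar.gz" || exit 1
cd "nginx-${nginx_ver}" || exit 1

# Configure; stop here if it fails so make never runs on a broken tree.
./configure --prefix="$prefix" --user="$run_user" --group="$run_user" \
  --with-http_ssl_module --with-threads --with-http_v2_module \
  --with-http_stub_status_module --with-stream --with-http_gunzip_module || exit 1

# Two parallel jobs, then install
make -j 2 || exit 1
make install || exit 1

# PATH for interactive shells. $PATH is kept unexpanded (single quotes) so the
# line extends each shell's own PATH instead of freezing this script's PATH
# into /etc/bashrc; it is added only once.
grep -qxF 'PATH=$PATH:/usr/local/wangguang/sbin' /etc/bashrc ||
  echo 'PATH=$PATH:/usr/local/wangguang/sbin' >>/etc/bashrc

# firewalld and selinux: stopped/disabled as on every host in this lab setup
service firewalld stop
systemctl disable firewalld
setenforce 0
# match whatever mode is currently set (enforcing or permissive)
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

# Start at boot via rc.local (entry added once), then start now
chmod +x /etc/rc.d/rc.local
grep -qxF "${prefix}/sbin/nginx" /etc/rc.local || echo "${prefix}/sbin/nginx" >>/etc/rc.local
"${prefix}/sbin/nginx"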
[root@web-1 ~]# bash onekey_install_yingboshuyuan_nginx_vts.sh
[root@web-1 ~]# bash onekey_install_yingboshuyuan.sh
[root@web-1 ~]# ps -aux|egrep nginx
root 7069 0.0 0.1 46240 1172 ? Ss 14:42 0:00 nginx: master process /usr/local/wangguang/sbin/nginx
wanggua+ 7070 0.0 0.1 46700 1920 ? S 14:42 0:00 nginx: worker process
root 8345 0.0 0.0 112824 988 pts/1 S+ 14:46 0:00 grep -E --color=auto nginx
在Windows上测试DNAT服务
13、部署堡垒机
连接2233端口
配置TCP Wrappers,DMZ区所有的服务器只允许堡垒机ssh访问
[root@all-service ~]# vim set_tcp_wrappers.sh
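#!/bin/bash
# Restrict sshd to the bastion host with TCP Wrappers. /etc/hosts.allow is
# consulted before /etc/hosts.deny, so the allow entries are written first and
# the blanket deny last. Requires an sshd linked against libwrap (CentOS 7 is;
# RHEL/CentOS 8 and later dropped tcp_wrappers, where these files are silently
# ignored and firewalld or sshd Match rules must be used instead).
# Idempotent: each rule is appended only if that exact line is not present yet,
# so re-running (e.g. from ansible) does not pile up duplicates.
# NOTE: when this is pushed to every host including the bastion itself,
# administrators coming in through the firewall's 2233 DNAT keep their original
# source address, so that address must be listed in hosts.allow on the bastion.
set -u

readonly allow_file=/etc/hosts.allow
readonly deny_file=/etc/hosts.deny

# append_rule FILE RULE — add RULE to FILE unless an identical line exists;
# abort if FILE cannot be written (a partial policy is worse than none)
append_rule() {
  local file=$1 rule=$2
  grep -qxF -- "$rule" "$file" 2>/dev/null || printf '%s\n' "$rule" >>"$file" || {
    printf 'error: cannot write %s\n' "$file" >&2
    exit 1
  }
}

# Only the bastion may reach sshd
append_rule "$allow_file" 'sshd:192.168.110.178'
# Additionally allow my Windows workstation
append_rule "$allow_file" 'sshd:192.168.110.1'
# Deny sshd to every other source (the exceptions above already matched)
append_rule "$deny_file" 'sshd:ALL'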
[root@all-service ~]# vim /etc/ansible/hosts
[web]
192.168.110.174
192.168.110.175
[lb]
192.168.110.176
192.168.110.177
[service]
192.168.110.178
[firewalld]
192.168.110.2
[mysql]
192.168.110.180
[al]
192.168.110.174
192.168.110.175
192.168.110.176
192.168.110.177
192.168.110.2
192.168.110.180
[root@all-service ~]# ansible all -m script -a"set_tcp_wrappers.sh"
192.168.110.175 | CHANGED => {
"changed": true,
"rc": 0,
"stderr": "Shared connection to 192.168.110.175 closed.\r\n",
"stderr_lines": [
"Shared connection to 192.168.110.175 closed."
],
"stdout": "",
"stdout_lines": []
}
192.168.110.177 | CHANGED => {
"changed": true,
"rc": 0,
"stderr": "Shared connection to 192.168.110.177 closed.\r\n",
"stderr_lines": [
"Shared connection to 192.168.110.177 closed."
],
"stdout": "",
"stdout_lines": []
}
测试tcp wrappers
[root@mysql ~]# ssh root@192.168.110.174
ssh_exchange_identification: read: Connection reset by peer
[root@all-service ~]# ssh root@192.168.110.174
Last login: Sun Apr 14 15:06:44 2024 from 192.168.110.178
[root@web-1 ~]#
通过以上测试验证,DMZ区里的服务器只有堡垒机(跳板机)可以ssh到其他的服务器,其他服务器之间不能互相ssh连接,提高了服务器的安全性。
14、配置2台LB负载均衡器
安装keepalived和nginx
[root@lb-1 ~]# yum install keepalived -y
[root@lb-1 ~]# service keepalived start
Redirecting to /bin/systemctl start keepalived.service
[root@lb-1 ~]# systemctl enable keepalived
Created symlink from /etc/systemd/system/multi-user.target.wants/keepalived.service to /usr/lib/systemd/system/keepalived.service.
[root@lb-1 ~]# systemctl enable ipvsadm
Created symlink from /etc/systemd/system/multi-user.target.wants/ipvsadm.service to /usr/lib/systemd/system/ipvsadm.service.
[root@lb-1 ~]# bash onekey_install_yingboshuyuan.sh
[root@lb-1 ~]# bash onekey_install_yingboshuyuan_nginx_vts.sh
[root@lb-1 ~]# ps -aux|egrep nginx
root 5383 0.0 0.1 46240 1164 ? Ss 16:49 0:00 nginx: master process /usr/local/wangguang/sbin/nginx
wanggua+ 5384 0.0 0.1 46700 1916 ? S 16:49 0:00 nginx: worker process
root 6652 75.3 0.0 112824 984 pts/1 S+ 16:56 0:07 grep -E --color=auto nginx
配置双vip
[root@mysql ~]# ping 192.168.110.200
PING 192.168.110.200 (192.168.110.200) 56(84) bytes of data.
From 192.168.110.180 icmp_seq=1 Destination Host Unreachable
From 192.168.110.180 icmp_seq=2 Destination Host Unreachable
From 192.168.110.180 icmp_seq=3 Destination Host Unreachable
^C
--- 192.168.110.200 ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4031ms
pipe 4
[root@mysql ~]# ping 192.168.110.201
PING 192.168.110.201 (192.168.110.201) 56(84) bytes of data.
From 192.168.110.180 icmp_seq=1 Destination Host Unreachable
From 192.168.110.180 icmp_seq=2 Destination Host Unreachable
From 192.168.110.180 icmp_seq=3 Destination Host Unreachable
From 192.168.110.180 icmp_seq=4 Destination Host Unreachable
^C
--- 192.168.110.201 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3003ms
pipe 4
[root@lb-1 ~]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
! lb-1 side of the dual-VIP setup: this node is MASTER for 192.168.110.200 and
! BACKUP for 192.168.110.201, so both LBs carry traffic and each VIP has a
! standby. lb-2 presumably carries the mirror image (VI_1 BACKUP/priority 100,
! VI_2 MASTER/priority 200); the later "ip add" output shows .201 on lb-2.
global_defs {
# The notification/smtp entries below are the values shipped with the sample
# config; no mail goes out unless smtp_server is actually reachable.
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 192.168.200.1
smtp_connect_timeout 30
router_id LVS_DEVEL
vrrp_skip_check_adv_addr
# vrrp_strict stays disabled: strict mode rejects several settings used here
# (VRRP authentication among them) — confirm against the installed keepalived.
#vrrp_strict
vrrp_garp_interval 0
vrrp_gna_interval 0
}
# VI_1 owns the .200 VIP. virtual_router_id must be unique per VRRP instance on
# this LAN segment, and priority must differ between the two peers of the same
# instance (the higher one becomes MASTER).
vrrp_instance VI_1 {
state MASTER
interface ens33
virtual_router_id 51 # must not collide with another instance on this segment
priority 200 # higher than the peer's value for this instance
advert_int 1
# PASS authentication travels in clear text in every advertisement and, per the
# keepalived documentation, only the first 8 characters are used; it guards
# against a misconfigured peer joining, not against a spoofed advertisement.
# Both LBs must carry the same value.
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.110.200
}
}
# No vrrp_script/track_script is defined, so a VIP follows keepalived rather
# than nginx: if nginx on this node dies while keepalived stays up, the VIP
# stays here and the site is down. A tracked health check on the nginx process
# (or on http://127.0.0.1/) would close that gap.
vrrp_instance VI_2 {
state BACKUP
interface ens33
virtual_router_id 61 # distinct from VI_1's id
priority 100 # lower than the peer's value for this instance (lb-2 holds .201)
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.110.201
}
}
查看双vip效果
[root@lb-1 ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:ac:9e:18 brd ff:ff:ff:ff:ff:ff
inet 192.168.110.176/24 brd 192.168.110.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.110.200/32 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:feac:9e18/64 scope link
valid_lft forever preferred_lft forever
[root@lb-2 ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:c2:e7:7f brd ff:ff:ff:ff:ff:ff
inet 192.168.110.177/24 brd 192.168.110.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.110.201/32 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fec2:e77f/64 scope link
valid_lft forever preferred_lft forever
配置负载均衡策略
[root@lb-1 conf]# pwd
/usr/local/wangguang/conf
[root@lb-1 conf]# vim nginx.conf
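worker_processes 2;
events {
    worker_connections 2048;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # Do not advertise the exact nginx version in the Server header and error pages.
    server_tokens off;
    # Upstream pool "scapp": both web servers, round-robin by default.
    upstream scapp {
        server 192.168.110.174;
        server 192.168.110.175;
    }
    server {
        listen 80;
        server_name localhost;
        location / {
            # Requests for the site root are handed to the upstream pool.
            proxy_pass http://scapp;
            # Pass the client's Host header through: the web servers pick their
            # vhost (www.sc.com vs software.sc.com) by name, and without this
            # line they receive "Host: scapp" and always answer from the
            # default server block.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # The web servers' log_format records $http_x_forwarded_for;
            # X-Real-IP alone leaves that field empty.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}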
[root@lb-1 ~]# sudo nginx -c /usr/local/wangguang/conf/nginx.conf
[root@lb-1 conf]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@lb-1 ~]# nginx -s reload
[root@lb-1 ~]# ps -aux|egrep nginx
root 8156 0.0 0.1 39456 1944 ? Ss 18:49 0:00 nginx: master process nginx -c /usr/local/wangguang/conf/nginx.conf
nginx 8160 0.0 0.1 40336 2484 ? S 18:50 0:00 nginx: worker process
nginx 8161 0.0 0.1 40336 2472 ? S 18:50 0:00 nginx: worker process
root 8163 0.0 0.0 112824 988 pts/0 S+ 18:50 0:00 grep -E --color=auto nginx
测试
[root@web-1 conf]# curl 192.168.110.176
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Web-1和Web-2上修改nginx.conf配置文件
[root@web-1 conf]# vim nginx.conf
worker_processes 2;
events {
worker_connections 2048;
}
http {
include mime.types;
default_type application/octet-stream;
# "main" log format. $http_x_forwarded_for is only populated when the proxy in
# front sets X-Forwarded-For (X-Real-IP alone does not fill it), so check the
# LB's proxy_set_header lines if this column stays empty in the logs.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
sendfile on;
keepalive_timeout 65;
gzip on;
# NOTE(review): no "server_tokens off;" here, so the exact nginx version is
# sent in every Server header and error page.
# Two name-based virtual hosts on one port. nginx routes by the Host header; a
# request whose Host matches neither name (or a proxy that does not pass Host
# through) lands on the first server block below, i.e. www.sc.com.
# Relative paths (html/..., logs/...) resolve under the nginx prefix
# /usr/local/wangguang.
server {
listen 80;
server_name www.sc.com;
access_log logs/www.access.log main;
location / {
root html/www;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
server {
listen 80;
server_name software.sc.com;
access_log logs/software.access.log main;
location / {
root html/software;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
[root@web-1 conf]# nginx -s reload
[root@web-1 conf]# ps -aux|egrep nginx
root 7069 0.0 0.2 46376 2056 ? Ss 14:42 0:01 nginx: master process /usr/local/wangguang/sbin/nginx
wanggua+ 17521 2.0 0.2 47280 2592 ? S 20:49 0:00 nginx: worker process
wanggua+ 17522 1.5 0.2 47280 2592 ? S 20:49 0:00 nginx: worker process
root 17524 28.0 0.0 112824 988 pts/0 S+ 20:49 0:00 grep -E --color=auto nginx
创建网页内容
[root@web-1 conf]# cd /usr/local/wangguang/
[root@web-1 wangguang]# ls
client_body_temp conf fastcgi_temp html logs proxy_temp sbin scgi_temp uwsgi_temp
[root@web-1 wangguang]# cd html/
[root@web-1 html]# ls
50x.html index.html
[root@web-1 html]# mkdir software
[root@web-2 html]# mkdir www
[root@web-1 html]# cp index.html software/
[root@web-2 html]# cp index.html www/
[root@web-1 html]# cd software/
[root@web-1 software]# ls
index.html
[root@web-1 software]# vim index.html
<!DOCTYPE html>
<html>
<head>
<title>Welcome to software!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to software!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@web-2 html]# cd www
[root@web-2 www]# ls
index.html
[root@web-2 www]# vim index.html
<!DOCTYPE html>
<html>
<head>
<title>Welcome to www!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to www!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
修改windows机器里的hosts文件,添加域名解析记录(C:\Windows\System32\drivers\etc\hosts)
192.168.1.125 www.sc.com
192.168.1.125 software.sc.com
访问测试,属于http,不是https
测试负载均衡
[root@web-2 html]# curl 192.168.110.176
<!DOCTYPE html>
<html>
<head>
<title>Welcome to software!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to software!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@web-2 html]# curl 192.168.110.176
<!DOCTYPE html>
<html>
<head>
<title>Welcome to www!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to www!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using www.</em></p>
</body>
</html>
#修改防火墙的配置,设置SNAT和DNAT功能
[root@firewalld SNAT_DNAT]# vim set_snat_dnat.sh
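#!/bin/bash
# NAT and forwarding policy for the lab edge firewall. ens33 is the WAN side
# (192.168.1.125); the DMZ 192.168.110.0/24 sits behind it. Every address can be
# overridden from the environment; the defaults are the lab values, so running
# the script with nothing set publishes the same services as before.
set -u

wan_if=${WAN_IF:-ens33}
wan_ip=${WAN_IP:-192.168.1.125}
dmz_net=${DMZ_NET:-192.168.110.0/24}
lb_ip=${LB_IP:-192.168.110.176}
bastion_ip=${BASTION_IP:-192.168.110.178}
bastion_port=${BASTION_PORT:-2233}
iptables=${IPTABLES:-/usr/sbin/iptables}

# die MSG... — print MSG to stderr and stop with a non-zero status
die() { printf 'error: %s\n' "$*" >&2; exit 1; }
# ipt ARGS... — run iptables and abort on the first rule that fails to load,
# so a typo cannot leave a half-applied policy behind unnoticed
ipt() { "$iptables" "$@" || die "iptables $* failed"; }

[[ -x "$iptables" ]] || die "$iptables is not executable"

# Enable routing now and persist it; the original set only the live value and
# left /etc/sysctl.conf to be edited by hand.
sysctl -w net.ipv4.ip_forward=1 >/dev/null || die "cannot enable ip_forward"
grep -qE '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' /etc/sysctl.conf 2>/dev/null \
  || printf 'net.ipv4.ip_forward = 1\n' >>/etc/sysctl.conf

# Start from empty filter and nat tables
ipt -F
ipt -t nat -F

# SNAT: the DMZ reaches the outside through the WAN address
ipt -t nat -A POSTROUTING -s "$dmz_net" -o "$wan_if" -j MASQUERADE
# DNAT: publish the web service on WAN port 80.
# NOTE: this targets lb-1's interface address, not one of the keepalived VIPs
# (.200/.201); a VIP failover to lb-2 therefore does not move published
# traffic. Set LB_IP to the VIP if that is the intent.
ipt -t nat -A PREROUTING -d "$wan_ip" -i "$wan_if" -p tcp --dport 80 -j DNAT --to-destination "$lb_ip"
# DNAT: publish the bastion — WAN port 2233 goes to the bastion's sshd on 22
ipt -t nat -A PREROUTING -d "$wan_ip" -i "$wan_if" -p tcp --dport "$bastion_port" -j DNAT --to-destination "${bastion_ip}:22"

# Forwarding is default-deny. The original left FORWARD at its ACCEPT policy,
# which let any WAN source reach any DMZ port, not only the two services
# published above. FORWARD sees the post-DNAT destination, hence ports 80/22.
ipt -P FORWARD DROP
ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ipt -A FORWARD -s "$dmz_net" -o "$wan_if" -j ACCEPT
ipt -A FORWARD -i "$wan_if" -d "$lb_ip" -p tcp --dport 80 -j ACCEPT
ipt -A FORWARD -i "$wan_if" -d "$bastion_ip" -p tcp --dport 22 -j ACCEPT

# The rules live only in the kernel; export them with iptables-save if they
# have to survive a reboot.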
[root@firewalld SNAT_DNAT]# bash set_snat_dnat.sh
15、压力测试
安装压力测试工具
[root@ab ~]# yum install httpd-tools -y
对网址进行检测
[root@ab ~]# ab -n 1000 -c 100 http://192.168.1.125/index.html
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 192.168.1.125 (be patient)
Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests
Server Software: nginx/1.20.1
Server Hostname: 192.168.1.125
Server Port: 80
Document Path: /index.html
Document Length: 621 bytes
Concurrency Level: 100
Time taken for tests: 1.065 seconds
Complete requests: 1000
Failed requests: 0
Write errors: 0
Total transferred: 854000 bytes
HTML transferred: 621000 bytes
Requests per second: 938.59 [#/sec] (mean)
Time per request: 106.543 [ms] (mean)
Time per request: 1.065 [ms] (mean, across all concurrent requests)
Transfer rate: 782.77 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 2 19 13.6 15 66
Processing: 5 81 149.2 50 1034
Waiting: 4 78 149.7 47 1033
Total: 12 100 148.0 74 1040
Percentage of the requests served within a certain time (ms)
50% 74
66% 86
75% 96
80% 101
90% 110
95% 283
98% 1023
99% 1037
100% 1040 (longest request)
在防火墙上和web1服务器上都安装glances软件
[root@firewalld ~]# yum install epel-release -y
[root@firewalld ~]# yum install glances -y
[root@ab ~]# ab -n 100000 -c 1000 http://192.168.1.125/index.html
[root@firewalld SNAT_DNAT]# glances
[root@web-1 html]# glances
总结
1、实验中需注意配置文件的正确编写
2、防火墙和selinux要关闭
3、网关配置问题要多注意
4、本次实验中nginx还缺少监控流量的插件vts,http可以改为https,可以自行补上