For LVS I used LVS + keepalived; this article does not cover the LVS configuration. The LVS real server IP is HAProxy's actual IP. HAProxy itself of course still needs the virtual IP configured as well.
I. Installation
http://blog.sina.com.cn/s/blog_704836f401011u3x.html
IP: 192.168.1.61
[root@haproxy_node1 ~]# wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.20.tar.gz
[root@haproxy_node1 ~]# tar xvzf haproxy-1.4.20.tar.gz
[root@haproxy_node1 ~]# yum install pcre-devel.x86_64 pcre-static.x86_64
[root@haproxy_node1 ~]# cd haproxy-1.4.20
[root@haproxy_node1 haproxy-1.4.20]# make TARGET=linux26 USE_LINUX_TPROXY=1 USE_STATIC_PCRE=1 ARCH=x86_64
(I changed PREFIX in the Makefile to /usr.)
[root@haproxy_node1 haproxy-1.4.20]# make install
[root@haproxy_node1 haproxy-1.4.20]# cp examples/haproxy.init /etc/init.d/haproxy
[root@haproxy_node1 haproxy-1.4.20]# chmod +x /etc/init.d/haproxy
[root@haproxy_node1 haproxy-1.4.20]# chkconfig --add haproxy
[root@haproxy_node1 haproxy-1.4.20]# chkconfig haproxy on
Add the group and user: groupadd haproxy ; useradd -g haproxy haproxy (if you use the full transparent proxy, just run as the root user and root group)
II. Configuration
1. Edit the configuration file /etc/haproxy/haproxy.cfg
global
    maxconn 32768
    #chroot /usr/share/haproxy
    user root
    group root
    daemon
    nbproc 1
    #debug
    #quiet
defaults
    log global
    log 127.0.0.1:514 local3 info    # my log configuration still seems to have some problems.
    retries 3
    option redispatch
    maxconn 32768
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000
listen demo_site1
    bind *:80
    mode http
    option httplog
    balance source
    source 0.0.0.0 usesrc clientip    # full transparent proxy
    server web_node1 192.168.1.21:80 weight 3 check
    server web_node2 192.168.1.22:80 weight 3 check
    option httpchk GET /robots.txt
    option forwardfor
listen demo_site2
    bind *:5080
    mode tcp    # note: this must NOT be mode http
    option tcplog
    balance source    # one way of keeping sessions sticky
    source 0.0.0.0 usesrc clientip
    server vod_node1 192.168.1.21:5080 weight 3 check
    server vod_node2 192.168.1.22:5080 weight 3 check
2. Configure the VIP address on the lo interface and hide it from ARP.
http://fengzhilinux.blog.51cto.com/1343279/373716/ (explains arp_ignore fairly clearly)
arp_announce:
Assume that a linux box X has three interfaces - eth0, eth1 and eth2. Each interface has an IP address IP0, IP1 and IP2. When a local application tries to send an IP packet with IP0 through the eth2. Unfortunately, the target node's mac address is not resolved. The linux box X will send the ARP request to know the mac address of the target (or the gateway). In this case what is the IP source address of the "ARP request message"? The IP0 - the IP source address of the transmitting IP or IP2 - the outgoing interface? Until now (actually just 3 hours before) ARP request uses the IP address assigned to the outgoing interface (IP2 in the above example). However the linux's behavior is a little bit different. Actually the selection of source address in ARP request is totally configurable by the proc variable "arp_announce".
http://jackyan.blog.51cto.com/2589874/1303760
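The post says the VIP goes on lo with ARP hidden but gives no commands. The script below is an added example, not from the original post: it applies the two kernel knobs (arp_ignore=1, arp_announce=2 on "lo" and "all", the standard LVS-DR real-server settings) and binds the VIP on a lo:0 alias with a /32 mask, and it can verify the knobs afterwards. The VIP value is a placeholder (the post does not state the VIP), the function names are the example's own, and the check takes the sysctl directory as a parameter so it can be run against a copy of the /proc tree.

```shell
#!/bin/sh
# Added example, not part of the original post: apply and verify the ARP
# hiding a real server needs when it carries the LVS VIP on its lo interface.
# VIP below is a placeholder (the post does not give the VIP); arp_ignore=1
# and arp_announce=2 on "lo" and "all" are the standard LVS-DR real-server
# settings, and the lo:0 / 255.255.255.255 alias is the usual way to bind the
# VIP without answering ARP for it (both are assumptions about this setup).
VIP="${VIP:-192.168.1.100}"

# read_knob DIR IFACE NAME: print the knob's value, or "missing" if absent.
read_knob() {
    f="$1/$2/$3"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'missing'
    fi
}

# check_arp_hiding [DIR]: report each knob as OK/BAD; return 1 if any is wrong.
# DIR defaults to the live /proc tree; pass a copy to test offline.
check_arp_hiding() {
    dir="${1:-/proc/sys/net/ipv4/conf}"
    rc=0
    for iface in lo all; do
        for pair in arp_ignore:1 arp_announce:2; do
            name="${pair%%:*}"
            want="${pair##*:}"
            got="$(read_knob "$dir" "$iface" "$name")"
            if [ "$got" = "$want" ]; then
                printf 'OK  %s/%s=%s\n' "$iface" "$name" "$got"
            else
                printf 'BAD %s/%s=%s (want %s)\n' "$iface" "$name" "$got" "$want"
                rc=1
            fi
        done
    done
    return "$rc"
}

# apply_arp_hiding: set the knobs and bind the VIP (root only). Setting the
# knobs before adding the address avoids a window in which this server answers
# ARP for the VIP and steals traffic from the LVS director.
apply_arp_hiding() {
    for iface in lo all; do
        echo 1 > "/proc/sys/net/ipv4/conf/$iface/arp_ignore"
        echo 2 > "/proc/sys/net/ipv4/conf/$iface/arp_announce"
    done
    ifconfig lo:0 "$VIP" netmask 255.255.255.255 broadcast "$VIP" up
    route add -host "$VIP" dev lo:0
}

# Usage: "sh arp_hide.sh --apply" as root, then "sh arp_hide.sh --check".
case "${1:-}" in
    --apply) apply_arp_hiding ;;
    --check) check_arp_hiding ;;
esac
```

Running the check from a cron job or a keepalived notify script catches the common failure where a reboot restores arp_ignore=0 and the real server starts answering ARP for the VIP.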
4. Stop or start the firewall (HAProxy as a full transparent proxy needs iptables, but my database use requires the firewall to be off)
/etc/init.d/iptables stop
chkconfig iptables off (disable permanently)
III. Session persistence
http://lxsym.blog.51cto.com/1364623/852400: set balance source
IV. Full transparent proxy: obtaining the user's real IP
http://www.it165.net/admin/html/201405/3187.html
http://blog.sina.com.cn/s/blog_704836f401011e17.html (more detailed)
During the rollout some problems were found as well. The most obvious was that after users reached the mail system through HAProxy, the address that actually arrived at the mail system was always HAProxy's own address. This caused a problem: spam filtering could not filter by IP, and the IP address information could not be logged either.
Note:
1. Be sure to follow http://blog.sina.com.cn/s/blog_704836f401011e17.html and configure HAProxy like a NAT gateway: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
2. The backend servers' default gateway must point to HAProxy.
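The transparent proxy only works when three things line up: HAProxy was built with TPROXY support, the HAProxy host forwards and masquerades the backends' traffic, and each backend routes its default traffic back through HAProxy (otherwise replies to the spoofed client source address leave by another path and the connection never completes). The script below is an added example, not from the original post, that turns those three requirements into checks and an apply step. It uses the addresses from the post (HAProxy at 192.168.1.61, backends in 192.168.1.0/24, eth0 facing outward); the function names are the example's own, and the strings matched in "haproxy -vv" output are an assumption about the binary's output format.

```shell
#!/bin/sh
# Added example, not part of the original post: the pieces that make HAProxy's
# "source 0.0.0.0 usesrc clientip" work end to end, as checks that can be run
# on the HAProxy host and on a backend. Addresses are the post's (HAProxy at
# 192.168.1.61, backends in 192.168.1.0/24, eth0 facing the outside); the
# function names are this example's own. The haproxy -vv text matched below
# ("OPTIONS = USE_LINUX_TPROXY=1 ..." in 1.4, "transparent proxy support" in
# later releases) is an assumption about the binary's output format.
HAPROXY_IP="${HAPROXY_IP:-192.168.1.61}"
BACKEND_NET="${BACKEND_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# tproxy_built: reads "haproxy -vv" output on stdin; succeeds if the binary
# was built with transparent-proxy support (the post builds it that way).
tproxy_built() {
    grep -Eq 'USE_LINUX_TPROXY=1|transparent proxy support'
}

# forwarding_enabled [FILE]: the HAProxy host must route the backends'
# outbound traffic, so ip_forward has to be 1. FILE defaults to the live knob.
forwarding_enabled() {
    [ "$(tr -d '[:space:]' < "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# has_masquerade_rule: reads "iptables -t nat -S POSTROUTING" on stdin;
# succeeds if the NAT rule from the post is present.
has_masquerade_rule() {
    grep -Fq -- "-A POSTROUTING -s $BACKEND_NET -o $WAN_IF -j MASQUERADE"
}

# backend_gateway_ok: reads "ip route" output taken on a backend on stdin;
# succeeds if its default route goes via the HAProxy box, which is what lets
# replies to the spoofed client source address come back through HAProxy.
backend_gateway_ok() {
    grep -Fq "default via $HAPROXY_IP "
}

# apply_nat: root-only commands for the HAProxy host; adds the rule only once.
apply_nat() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -S POSTROUTING | has_masquerade_rule \
        || iptables -t nat -A POSTROUTING -s "$BACKEND_NET" -o "$WAN_IF" -j MASQUERADE
}

# check_proxy_host: run the three HAProxy-side checks; return 1 on any failure.
check_proxy_host() {
    rc=0
    if haproxy -vv 2>/dev/null | tproxy_built; then echo "OK  haproxy built with TPROXY"
    else echo "BAD haproxy lacks TPROXY support (rebuild with USE_LINUX_TPROXY=1)"; rc=1; fi
    if forwarding_enabled; then echo "OK  ip_forward=1"
    else echo "BAD ip_forward is 0"; rc=1; fi
    if iptables -t nat -S POSTROUTING 2>/dev/null | has_masquerade_rule; then echo "OK  MASQUERADE rule present"
    else echo "BAD MASQUERADE rule for $BACKEND_NET missing"; rc=1; fi
    return "$rc"
}

# check_backend: run on a backend server.
check_backend() {
    if ip route | backend_gateway_ok; then echo "OK  default gateway is $HAPROXY_IP"
    else echo "BAD default gateway is not $HAPROXY_IP"; return 1; fi
}

# Usage: "--apply" and "--check" on the HAProxy host, "--check-backend" on a backend.
case "${1:-}" in
    --apply) apply_nat ;;
    --check) check_proxy_host ;;
    --check-backend) check_backend ;;
esac
```

The checks read command output on stdin rather than calling iptables or ip themselves, so the same functions can be exercised against captured output from another host or in a test without root.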
V. Aside
1. To get internet access, set the DNS server: vi /etc/resolv.conf and add nameserver 8.8.8.8 # Google DNS