环境要求:
kernel大于2.6.25
iptables大于1.4.0
系统:rhel 6.3 x86_64
Linux puppetmaster.info.com 2.6.32-279.el6.x86_64
iptables v1.4.7
拓扑:
客户端:192.168.1.101---------haproxy节点:192.168.1.102-------------后端服务器节点:192.168.1.103
1.安装支持透明代理的haproxy
版本:HA-Proxy version 1.4.21
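# Build haproxy 1.4.21 with Linux TPROXY support (required for the
# "source ... usesrc clientip" directive used in the config) and install it
# under /usr/local/haproxy.
# Before unpacking, verify the tarball against the upstream-published
# checksum/signature; the build runs as root on the proxy node.
tar -xvf haproxy-1.4.21.tar.gz
cd haproxy-1.4.21 || exit 1
make TARGET=linux26 USE_LINUX_TPROXY=1
# Make variables are case-sensitive: TARGET/PREFIX must be upper-case, the
# lower-case spelling is silently ignored and the install lands in /usr/local.
make install TARGET=linux26 PREFIX=/usr/local/haproxy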
2.添加haproxy节点防火墙条目
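#!/bin/bash
# Firewall/policy-routing setup on the haproxy node for transparent proxying.
# TCP packets that belong to an existing local socket (-m socket, i.e. a
# connection owned by haproxy) are marked, and the policy rule sends marked
# packets to table 100, whose only route delivers everything locally on lo
# instead of forwarding it. Must run as root. Safe to re-run: existing
# entries are removed/flushed before being re-added, so rules do not stack.
set -euo pipefail

readonly MARK=222    # fwmark shared by the MARK target and the ip rule below
readonly TABLE=100   # policy-routing table holding the local-delivery route

(( EUID == 0 )) || { printf 'must be run as root\n' >&2; exit 1; }

# Create the DIVERT chain if missing, otherwise start from an empty chain.
iptables -t mangle -N DIVERT 2>/dev/null || iptables -t mangle -F DIVERT

# Drop a previous copy of the PREROUTING hook so repeated runs do not
# duplicate it (no -C on this iptables version, so delete-then-add).
iptables -t mangle -D PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null || true
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
iptables -t mangle -A DIVERT -j ACCEPT

# Marked packets are looked up in TABLE, which routes 0.0.0.0/0 to local
# delivery on lo; "replace" keeps the route idempotent.
ip rule del fwmark "$MARK" lookup "$TABLE" 2>/dev/null || true
ip rule add fwmark "$MARK" lookup "$TABLE"
ip route replace local 0.0.0.0/0 dev lo table "$TABLE"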
3.haproxy配置文件
我这里设置了一个七层代理和一个四层代理
# HAProxy configuration file
# Transparent-proxy setup (haproxy 1.4 built with USE_LINUX_TPROXY=1): both
# listeners connect to the backend using the client's own address as source
# ("usesrc clientip"), so the backend sees 192.168.1.101 instead of the
# proxy's 192.168.1.102. This only works together with the mangle/DIVERT
# iptables rules on this node and the client's default route pointing here,
# so that reply traffic returns through haproxy — confirm both are in place.
global
# uid 99
# gid 99
# NOTE(review): uid/gid are left commented out. "usesrc clientip" needs root
# (CAP_NET_ADMIN) to bind a non-local source address, so dropping privileges
# here would break transparent mode; the trade-off is that haproxy keeps
# running as root. Verify this is intended.
daemon
# Admin socket restricted to the owner (mode 600); keep it that way, it
# exposes (and, at admin level, controls) proxy state at runtime.
stats socket /var/run/haproxy.stat mode 600
log 127.0.0.1 local4
# Global cap on concurrent connections across all listeners; 40 is very low
# for a proxy in front of a web and a MySQL service — presumably a lab value,
# confirm before wider use.
maxconn 40
ulimit-n 80013
pidfile /var/run/haproxy.pid
defaults
log global
mode http
# 1.4-era timeout keywords (milliseconds); later releases spell these
# "timeout connect/client/server".
contimeout 4000
clitimeout 42000
srvtimeout 43000
balance roundrobin
# Layer-7 (HTTP) listener on the VIP.
listen VIP_Name 192.168.1.102:80
mode http
# Also carry the client address in X-Forwarded-For for backends that log it.
option forwardfor
# Transparent mode: connect to the backend with the client's IP as source.
source 0.0.0.0 usesrc clientip
# Session persistence via an inserted SERVERID cookie; "indirect" keeps the
# cookie from being forwarded to the server, "nocache" marks responses in
# which the cookie is inserted as non-cacheable.
cookie SERVERID insert nocache indirect
server server1 192.168.1.103:80 weight 1 cookie server1 check
# Local fallback, used only while server1 is down (health-checked above).
server backup 127.0.0.1:80 backup
option redispatch
# Layer-4 (TCP) listener for MySQL, same transparent-source setup.
listen VIP_mysql 192.168.1.102:3306
mode tcp
source 0.0.0.0 usesrc clientip
# NOTE(review): unlike the HTTP listener, server1 has no "check" here, so it
# is never marked down by health checks; the backup is only reached via
# redispatch after a failed connection attempt — confirm that is intended.
server server1 192.168.1.103:3306
server backup 127.0.0.1:3306 backup
option redispatch
在客户机上需要把默认路由和网关都指向haproxy节点
[root@client1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 192.168.1.102 255.255.255.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
0.0.0.0 192.168.1.102 0.0.0.0 UG 0 0 0 eth0
[root@client1 ~]# route add default gw 192.168.1.102
[root@client1 ~]# route add -net 192.168.1.0/24 gw 192.168.1.102
[root@client1 ~]# route del default gw 192.168.1.1
4.添加转发和重定向
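# Enable IPv4 forwarding and ICMP redirects on the haproxy node so it can act
# as the client's gateway. Runtime-only: values written to /proc are lost on
# reboot — persist them through sysctl.conf if the setup must survive one.
# send_redirects is normally turned off by hardening baselines; it is enabled
# here deliberately by the author, so confirm it is required for this
# topology and accepted by the node's security policy before applying.
# Each write is checked: without root the redirection fails silently otherwise.
for key in /proc/sys/net/ipv4/conf/all/forwarding \
           /proc/sys/net/ipv4/conf/all/send_redirects \
           /proc/sys/net/ipv4/conf/eth0/send_redirects; do
  printf '1\n' > "$key" || { printf 'failed to write %s (run as root?)\n' "$key" >&2; exit 1; }
done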
5.验证
访问
[root@client1 ~]# netstat -anutlp|grep :80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1231/nginx
tcp 0 0 192.168.1.103:80 192.168.1.101:39349 ESTABLISHED 1245/nginx
我们看到获取到的是客户端ip地址
访问 192.168.1.102:3306端口
[root@client1 ~]# netstat -anutlp|grep :3306
tcp 0 0 :::3306 :::* LISTEN 1584/mysqld
tcp 0 0 ::ffff:192.168.1.103:3306 ::ffff:192.168.1.101:47909 ESTABLISHED 1584/mysqld
也是获取到客户端ip地址
转载于:https://my.oschina.net/eddylinux/blog/535043