1.环境需求所需软件
--------------------------------------
OS:Cent OS 6.4
Haproxy-1.4.24.tar.gz
Keepalived-1.1.15.tar.gz
HA01:192.168.1.11
HA02:192.168.1.12
VIP: 192.168.1.150
RealServer01: 192.168.1.12
RealServer02: 192.168.1.13
RealServer03: 192.168.1.14
2.修改日志文件
--------------------------------------
vim /etc/rsyslog.conf
#将以下参数开启
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
#加入参数:
*.info;mail.none;authpriv.none;cron.none;local2.none /var/log/messages local2.* /var/log/haproxy.log
#重启rsyslog
/etc/init.d/rsyslog restart
#开启转发功能
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
3.安装HA
-------------------------------
wget http://soft.local.com/haproxy-1.4.24.tar.gz tar zxvf haproxy-1.4.24.tar.gz cd haproxy-1.4.24 make install mkdir -p /usr/local/haproxy/etc mkdir -p /usr/local/haproxy/sbin cp examples/haproxy.cfg /usr/local/haproxy/etc ln -s /usr/local/sbin/haproxy /usr/local/haproxy/sbin/haproxy
4. HAproxy的配置
---------------------------------------
useradd haproxy -M -s /sbin/nologin mkdir -p /usr/local/haproxy/html echo "502 503 504" > /usr/local/haproxy/html/maintain.html cat > /usr/local/haproxy/etc/haproxy.cfg <<EOF global log 127.0.0.1 local2 maxconn 65535 chroot /usr/local/haproxy user haproxy group haproxy daemon nbproc 1 pidfile /usr/local/haproxy/haproxy.piddefaults log global option nolinger mode http option httplog option httpclose option dontlognull option forwardfor option redispatch retries 3 maxconn 32768 balance source contimeout 5000 clitimeout 50000 srvtimeout 50000 timeout check 2000 errorfile 403 /usr/local/haproxy/html/maintain.html errorfile 500 /usr/local/haproxy/html/maintain.html errorfile 502 /usr/local/haproxy/html/maintain.html errorfile 503 /usr/local/haproxy/html/maintain.html errorfile 504 /usr/local/haproxy/html/maintain.html listen status bind *:88 stats enable stats hide-version stats realm HAProxy\ Status stats auth admin:123456 stats admin if TRUE stats uri /hastatus stats refresh 30s frontend front_web01 bind *:80 ####judge hdr()#### acl www hdr_reg(host) -i ^www.local.com acl bbs hdr_reg(host) -i ^bbs.local.com acl blog hdr_reg(host) -i ^blog.local.com acl img01 hdr_reg(host) -i ^img01.local.com # acl web hdr_reg(host) -i ^(bbs.local.com|www.local.com|blog.local.com) # acl www hdr_dom(host) -i www.local.com # acl bbs hdr_dom(host) -i bbs.local.com # acl blog hdr_dom(host) -i blog.local.com # acl lvs2 hdr_end(host) -i lvs2.test.net:8080 # acl lvs3 hdr_beg(host) -i lvs3.test.net:8080 ####judge path || url#### acl php_web url_reg -i /*.php$ acl static_web url_reg -i /*.(css|jpg|png|jpeg|js|gif|html|htm)$ # acl 301 hdr_reg(host) -i www.local.com # redirect prefix http://www.tujia.com if 301 # acl php_web path_end -i .php # acl static_web path_end -i .gif .png .jpg .css .js .jpeg .html .htm # acl static_web path_beg -i /static /p_w_picpaths /javascript /stylesheets /vedios ####judge other#### # acl missing_cl hdr_cnt(Content-length) eq 0 # acl static_down nbsrv(static_server) lt 1 # acl invalid_req url_sub -i sip_apiname= # acl timetask_req url_dir -i timetask # acl spider_src src 10.0.28.0/24 # acl spider_src src 10.0.29.0/24 ####judge if#### use_backend web_server if www use_backend web_server if bbs use_backend web_server if blog use_backend img01_server if img01 use_backend php_server if php_web use_backend static_server if static_web # use_backend static_server if spider_src # block if missing_cl # block if !invalid_req || timetask_req # use_backend bbs_pool if bbs or bbs_path # use_backend php_server if static_down default_backend webservers backend web_server balance source cookie SERVERID option httpchk GET /check.html server web_server01 192.168.1.12:80 cookie web_server01 check inter 2000 rise 3 fall 1 server web_server02 192.168.1.13:80 cookie web_server02 check inter 2000 rise 3 fall 1 server web_server03 192.168.1.14:80 cookie web_server03 check inter 2000 rise 3 fall 1 backend img01_server balance source cookie SERVERID option httpchk GET /check.html server img01_server01 192.168.1.151:80 cookie img01_server01 check inter 2000 rise 3 fall 1 server img01_server02 192.168.1.152:80 cookie img01_server02 check inter 2000 rise 3 fall 1 backend php_server balance source cookie SERVERID option httpchk GET /check.html server php_server01 192.168.1.12:80 cookie php_server01 check inter 2000 rise 3 fall 1 weight 1 maxconn 1000 backup server php_server02 192.168.1.13:80 cookie php_server02 check inter 2000 rise 3 fall 1 weight 1 maxconn 1000 server php_server03 192.168.1.14:80 cookie php_server03 check inter 1500 rise 3 fall 1 maxconn 1000 backup backend static_server balance source cookie SERVERID server static_server01 192.168.1.12:80 cookie static_server01 check port 80 inter 2000 rise 3 fall 3 server static_server02 192.168.1.13:80 cookie static_server02 check port 80 inter 2000 rise 3 fall 3 backup server static_server03 192.168.1.14:80 cookie static_server03 check port 80 inter 2000 rise 3 fall 3 backup backend webservers mode http option forwardfor header ORIG_CLIENT_IP balance roundrobin server webservers01 192.168.1.14:80 redir http://www.163.com check port 80 inter 2000 rise 3 fall 3 weight 1 EOF
haproxy.cfg详解
=======================================
vim /usr/local/haproxy/etc/haproxy.cfg
global
log 127.0.0.1 local2
#通过syslog服务的local0输出日志信息
maxconn 65535
#单个进程的最大连接数
chroot /usr/local/haproxy
user haproxy
group haproxy
daemon
#后台运行
nbproc 1
#工作进程数量
pidfile /usr/local/haproxy/haproxy.pid
defaults
log global
#继承global参数
mode http
#工作模式在7层,tcp是4层
option nolinger
#在连接关闭时立即清理连接,减少处于FIN_WAIT1状态的连接
option httplog
#使用http日志类别,默认是不记录http请求的
option httpclose
#每次请求完毕后主动关闭http通道式,非常重要,不启用会直接影响acl是否生效
option dontlognull
# 启用该项,日志中将不会记录空连接
option forwardfor
#如果后端服务器需要获得客户端的真实IP需要配置次参数,将可以从Http Header中获得客户端IP
option redispatch
#当serverId对应的服务器挂掉后,强制定向到其他健康的服务器
retries 3
#设置尝试次数,3次连接失败则认为服务器不可用
maxconn 32768
#最大连接数
balance source
contimeout 5000
#haproxy向后端服务器请求建立连接的超时时间
clitimeout 50000
#发起连接请求的前端客户端连接处于非活动态的最大超时时间,过时断开,相当于Apache的timeout keepalive
srvtimeout 50000
#服务器端连接处于非活动态的最大超时时间
timeout check 2000
#心跳检测超时
#errorfile 502 /usr/local/haproxy/html/maintain.html
#errorfile 503 /usr/local/haproxy/html/maintain.html
#errorfile 504 /usr/local/haproxy/html/maintain.html
listen status
bind *:88
stats enable
#启用状态管理
stats hide-version
#隐藏版本
stats realm HAProxy\ Status
#标题
stats auth admin:123456
#密码
stats admin if TRUE
#开启页面管理
stats uri /hastatus
#定义管理页面的访问地址
stats refresh 30s
#每30秒刷新一次状态页面
frontend web_server
bind *:80
acl static_down nbsrv(static_server) lt 1
#static_server指的是backend组,后面会定义
acl php_web url_reg /*.php$
#如果url以/*.php结尾,就匹配php_web,正则表达式
acl php_web path_end -i .php
#如果url以/*.php结尾,就匹配php_web
acl static_web url_reg /*.(css|jpg|png|jpeg|js|gif)$
acl static_web path_end -i .gif .png .jpg .css .js .jpeg
acl url_static path_beg -i /static /p_w_picpaths /javascript /stylesheets
acl url_static path_beg -i /p_w_picpaths /stylesheets /vedios /javascript
acl url_static path_end -i .jpg .html .css .js .png .gif
use_backend statics if url_static
acl is_lvs2 hdr_end(host) -i lvs2.test.net:8080
#使用hdr_end指令取request header中的host,如果host后缀部分匹配lvs2.test.net:8080,则匹配请求,
#然后把请求打到对应use_backend指定的后端server上
acl is_lvs3 hdr_beg(host) -i lvs3.test.net:8080
#用于测试request header中的host前缀部分是否匹配到lvs3.test.net:8080
acl denali_policy hdr_reg(host) -i ^(www.51ou.com|p_w_picpath.51ou.com)
#如果请求的域名满足正则表达式返回true -i是忽略大小写
acl tm_policy hdr_dom(host) -i www.51ou.com
#如果请求域名满足www.51ou.com 返回 true -i是忽略大小写
acl invalid_req url_sub -i sip_apiname=
#在请求url中包含sip_apiname=,则此控制策略返回true,否则为false
acl timetask_req url_dir -i timetask
#在请求url中存在timetask作为部分地址路径,则此控制策略返回true,否则返回false
acl missing_cl hdr_cnt(Content-length) eq 0
#当请求的header中Content-length等于0时返回 true
acl spider_src src 10.0.28.0/24
acl spider_src src 10.0.29.0/24
#定义蜘蛛的源IP地址
acl clear dst_port 80
acl secure dst_port 8080
acl login_page url_beg /login
acl logout url_beg /logout
acl uid_given url_reg /login?userid=[^&]+
acl cookie_set hdr_sub(cookie) SEEN=1
redirect prefix https://mysite.com set-cookie SEEN=1 if !cookie_set
redirect prefix https://mysite.com if login_page !secure
redirect prefix http://mysite.com drop-query if login_page !uid_given
redirect location http://mysite.com/ if !login_page secure
redirect location / clear-cookie USERID= if logout
#重定向相关
block if missing_cl
#当请求中header中Content-length等于0 阻止请求返回403
block if !invalid_req || timetask_req
use_backend bbs_pool if bbs or bbs_path
#block表示阻止请求,返回403错误,
#当前表示如果不满足策略invalid_req,或者满足策略timetask_req,则阻止请求。
use_backend php_server if static_down
#如果static_server静态文件服务器数量小于1,则转发数据到php_server
use_backend php_server if php_web
use_backend static_server if static_web
default_backend webservers
backend webservers
balance source
server web1 10.0.10.82:80 check
server web2 10.0.10.83:80 check
backend php_server
balance source
#负载均衡算法
cookie SERVERID
#允许向cookie插入SERVERID,每台服务器的SERVERID可在下面使用cookie关键字定义
option httpchk GET test/index.html
#健康检测,get方式
server php_server_1 192.168.14:80 cookie 1 check inter 2000 rise 3 fall 1 weight 2 maxconn 1000
server php_server_2 192.168.15:80 cookie 2 check inter 2000 rise 3 fall 1 weight 1 maxconn 1000
server php_server_2 192.168.16:80 cookie 3 check inter 1500 rise 3 fall 1 backup
backend static_server
balance source
cookie SERVERID
server static_server_1 192.168.2:80 cookie 1 check port 80 inter 2000 rise 3 fall 3
server static_server_2 192.168.3:80 cookie 2 check port 80 inter 2000 rise 3 fall 3
acl web-client path_beg -i /vsphere-client
#haproxy 重定向url (301)
use_backend vsphere-client if web-client
backend vsphere-client
mode http
option forwardfor header ORIG_CLIENT_IP
balance roundrobin
option httpchk HEAD /check.html
##健康检测,HEAD方式,更高效,建议使用
server server1 10.0.100.81:80 redir https://192.168.57.81:443 check inter 2000 rise 3 fall 3 weight 3
============================
使用[server]关键字来设置后端服务器
为后端服务器所设置的内部名称[php_server_1],该名称将会呈现在日志或警报中
后端服务器的IP地址,支持端口映射[192.168.14:80]
指定该服务器的SERVERID为1[cookie 1]
接受健康监测[check]
监测的间隔时长,单位毫秒[inter 2000]
监测正常多少次后被认为后端服务器是可用的[rise 3]
监测失败多少次后被认为后端服务器是不可用的[fall 1]
分发的权重[weight 2]
最后为备份用的后端服务器,当正常的服务器全部都宕机后,才会启用备份服务器[backup]
============================
haproxy实现持久连接
可以根据balance source,也可以根据cookie(name),hdr(name),都可以实现
============================
haproxy官方手册:http://cbonte.github.io/haproxy-dconv/configuration-1.4.html
6.web服务器日志格式修改,显示实际用户IP
-----------------------------------------------------------
vim /etc/httpd/conf/httpd.conf
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
7.haproxy服务脚本
------------------------------------
cat > /etc/init.d/haproxy << EOF
#!/bin/bash
. /etc/init.d/functions
DIR=/usr/local/haproxy
PIDFILE=/usr/local/haproxy/haproxy.pid
start()
{
$DIR/sbin/haproxy -f $DIR/etc/haproxy.cfg
action "Starting Haproxy ..." /bin/true
}
stop()
{
kill $(cat $PIDFILE)
action "Stopping Haproxy ..." /bin/true
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo "Usage: start|stop|restart"
;;
esac
EOF
chmod 755 /etc/init.d/haproxy
echo "/usr/local/haproxy/sbin/haproxy -f /usr/local/haproxy/etc/haproxy.cfg" >> /etc/rc.local
/etc/init.d/haproxy start
4.Keeplived的安装与配置
----------------------------------------------------------------
cd /soft wget http://soft.local.com/keepalived-1.2.7.tar.gz tar -zxf keepalived-1.2.7.tar.gzcd keepalived-1.2.7./configure --prefix=/usr/local/keepalivedmakemake installcp /usr/local/keepalived/etc/rc.d/init.d/keepalived /etc/init.d/chmod +x /etc/init.d/keepalivedcp /usr/local/keepalived/etc/sysconfig/keepalived /etc/sysconfig/mkdir /etc/keepalivedcp /usr/local/keepalived/etc/keepalived/keepalived.conf /etc/keepalived/cp /usr/local/keepalived/sbin/keepalived /usr/sbin/service keepalived start
-----------------------------
HA01(主服务器的配置)
cat > /etc/keepalived/keepalived.conf << EOF!Configuration File for keepalivedglobal_defs{router_id HA_01}vrrp_instance VI_1 {state MASTERinterface eth0lvs_sync_daemon_interface eth0virtual_router_id 51priority 150advert_int 1authentication {auth_type PASSauth_pass 1111}virtual_ipaddress {
192.168.1.150
}}
EOF
-----------------------------
LVS02(备份服务器的配置)
cat > /etc/keepalived/keepalived.conf << EOF
!Configuration File for keepalived
global_defs{
router_id HA_02
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
lvs_sync_daemon_interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.1.150
}
}
EOF
5.启动keeplived服务
------------------------------------------------------
/etc/init.d/keepalived restart
cat >> /etc/rc.local << EOF
/etc/init.d/keepalived restart
EOF
二、HAProxy的监控脚本我没有做,因为生产环境下HAProxy宕机的可能性微乎其乎,这个实施起来也简单,我们可以用如下命令来监控,判断是否返回了正常的200代码,命令下所示:
curl -s --head http://status.local.com/check.html | awk '/HTTP/ {print $2}'
#取状态码来验证
四、大家需要注意的几个地方是:
1)HAProyx采用的是balance source机制,它跟Nginx的ip_hash机制原理类似,是让客户机访问时始终访问后端的某一台真实的web服务器,这样让session就固定下来了;
2)option httpchk HEAD /index.jsp HTTP/1.0 是网页监控,如果HAProxy检测不到Web的根目录下没有index.jsp,就会产生503报错。
3)有网友说HAProxy必须采用listen 203.93.236.141:80这样类似的格式,这样其实不好,做集群时会导致从机启动不了,我们可以用bind *:80的方式代替。
4)HAProxy的并发监控和日志收集分析是下一步考虑的事情
网卡冗余配置
设定网卡绑定类型方法:
-----------------------------------------
vi /etc/modprobe.conf
alias bond0 bonding
alias bond1 bonding
options bond0 miimon=100 mode=1 max_bonds=2
-------------------------------------
vi /etc/rc.local
modprobe bonding miimon=100 mode=1
查看bond工作状况
netstat -i #@ Receive 查看收到的流量有无丢包现象等
cat /proc/net/bonding/bond0 查看bond0的工作状态
tcpdump
Lvs01:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
USERCLI=no
MASTER=bond1
SLAVE=yes
TYPE=Ethernet
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
USERCLI=no
MASTER=bond0
SLAVE=yes
TYPE=Ethernet
DEVICE=eth2
BOOTPROTO=none
ONBOOT=yes
USERCLI=no
MASTER=bond0
SLAVE=yes
TYPE=Ethernet
DEVICE=eth3
BOOTPROTO=none
ONBOOT=yes
USERCLI=no
MASTER=bond1
SLAVE=yes
TYPE=Ethernet
DEVICE=bond0
BOOTPROTO=static
BROADCAST=172.16.200.255
IPADDR=172.16.200.31
NETMASK=255.255.255.0
NETWORK=172.16.200.0
ONBOOT=yes
GATEWAY=172.16.200.1
TYPE=Ethernet
DEVICE=bond1
BOOTPROTO=static
BROADCAST=192.168.1.255
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
TYPE=Ethernet
Lvs02:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
USERCLI=no
MASTER=bond1
SLAVE=yes
TYPE=Ethernet
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
USERCLI=no
MASTER=bond0
SLAVE=yes
TYPE=Ethernet
DEVICE=eth2
BOOTPROTO=none
ONBOOT=yes
USERCLI=no
MASTER=bond0
SLAVE=yes
TYPE=Ethernet
DEVICE=eth3
BOOTPROTO=none
ONBOOT=yes
USERCLI=no
MASTER=bond1
SLAVE=yes
TYPE=Ethernet
DEVICE=bond0
BOOTPROTO=static
BROADCAST=172.16.200.255
IPADDR=172.16.200.32
NETMASK=255.255.255.0
NETWORK=172.16.200.0
ONBOOT=yes
GATEWAY=172.16.200.1
TYPE=Ethernet
DEVICE=bond1
BOOTPROTO=static
BROADCAST=192.168.1.255
IPADDR=192.168.1.2
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
TYPE=Ethernet
转载于:https://blog.51cto.com/yjb007/1563858
1837
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
