Nginx Reverse Proxy 5: Hot Standby for the Front-End Servers with Keepalived


Special note: the content comes from the book 《跟老男孩学Linux:Web集群实战》 (Learning Linux with Oldboy: Web Clusters in Practice).

Logical diagram of Nginx load balancer high availability


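Hardware and software preparation

1. Hardware preparation

  Prepare 4 VM virtual machines: two as load balancers (Keepalived servers) and two as RS (real servers).

HOSTNAME  IP             Description
lb01      192.168.55.7   Nginx primary load balancer (Keepalived master server)
lb02      192.168.55.8   Nginx secondary load balancer (Keepalived backup server)
web01     192.168.55.9   web01 server
web02     192.168.55.10  web02 server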

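2. Software preparation

OS: CentOS 7
Nginx: Nginx-1.13.1, installed from source, /application/nginx
Keepalived: 1.3.5, installed with yum

3. Nginx configuration
The Nginx load-balancing environment on the primary load balancer lb01 and the backup load balancer lb02 is exactly the same.
Reference: Nginx Reverse Proxy 1: A Simple Load-Balancing Setup [DB|OL]. https://blog.csdn.net/zhou16333/article/details/98094467

Configure Nginx load balancing on lb01 and lb02

Nginx configuration for lb01 and lb02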
vim /application/nginx/conf/nginx.conf

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include            mime.types;
    default_type       application/octet-stream;
    sendfile           off;
    keepalive_timeout  65;

    upstream www_server_pools {
        server  192.168.55.9:80     weight=1;
        server  192.168.55.10:80    weight=1;
    }

    server {
        listen          192.168.55.12:80;
        server_name     www.etiantian.org;
        location / {
            proxy_pass       http://www_server_pools;
            include          proxy.conf;
        }
    }
}

vim /application/nginx/conf/proxy.conf

proxy_set_header           Host            $host;
proxy_set_header           X-Forwarded-For $remote_addr;
proxy_connect_timeout      60;
proxy_send_timeout         60; 
proxy_read_timeout         60; 
proxy_buffer_size          4k;
proxy_buffers              4               32k;
proxy_busy_buffers_size    64k;
proxy_temp_file_write_size 64k;

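Note: this configuration proxies only the www.etiantian.org domain.

Configure the Keepalived service on lb01 and lb02

Keepalived is installed with yum. For the installation and related configuration,
see: Keepalived High-Availability Service Examples [DB|OL]. https://blog.csdn.net/zhou16333/article/details/98179341

Note: a single-instance setup is used here as the example.

The single-instance master node configuration of the Keepalived service on lb01 is as follows: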

[root@lb01 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   notification_email {
     123@qq.com
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id lb01
   vrrp_skip_check_adv_addr
   vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state MASTER
    interface eth1
    virtual_router_id 55
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.55.12/24 dev eth1 label eth1:1
    }
}

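Note: the VIP is 192.168.55.12, so in operation www.etiantian.org, the domain proxied by the Nginx load balancer, must resolve to this VIP.

The single-instance backup node configuration of the Keepalived service on lb02 is as follows: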

[root@lb02 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   notification_email {
     1633307645@qq.com
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id lb02
   vrrp_skip_check_adv_addr
   vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth1
    virtual_router_id 55
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.55.12/24 dev eth1 label eth1:1
    }
}

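User access preparation and simulating real access

1) In the client's hosts file, resolve the www.etiantian.org domain to the VIP 192.168.55.12; in production this must be done through DNS.
2) Configure the Nginx load-balancing service on both servers and make sure the proxied Web nodes behind them can be reached in a test.

IP failover when the Nginx reverse proxy service goes down

By default, Keepalived takes over only when the peer machine goes down or Keepalived on it is stopped. In practice, however, the business service can stop while the Keepalived service keeps running, which leaves users reaching a VIP with no service behind it. So how can the IP be moved to the backup node, so that it takes over, when the business service goes down?

Method one: handle it with a daemon script

When Nginx has a problem, stop the local Keepalived service so that the IP floats to the peer, which continues to provide service. An example script as deployed and developed in real work: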

[root@lb01 script]# cat /server/script/check_nginx.sh

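#!/bin/bash
# Poll every 5 seconds. "Healthy" means exactly one nginx line in the
# netstat listener table; otherwise stop Keepalived so the VIP is released.
while true
do
	if [ `netstat -lntup|grep nginx|wc -l` -ne 1 ]; then
		systemctl stop keepalived
	fi
	sleep 5
done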

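The basic idea of this script: if port 80 is not present, stop the Keepalived service to release the local VIP.

Run the script above in the background and check: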

[root@lb01 script]# /bin/bash /server/script/check_nginx.sh &
[1] 7536
[root@lb01 script]# ps -ef|grep check_nginx|grep -v grep
root      7536  3527  0 16:48 pts/0    00:00:00 /bin/bash /server/script/check_nginx.sh

Confirm that the Nginx and Keepalived services are healthy:

[root@lb01 script]# netstat -lntup|grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3326/nginx: master  
[root@lb01 script]# systemctl status keepalived


Then simulate an Nginx failure and see whether the IP switches over:

[root@lb01 script]# /application/nginx/sbin/nginx -s stop
[root@lb01 script]# netstat -lntup|grep nginx
[root@lb01 script]# systemctl status keepalived


[root@lb01 ~]# jobs
[1]+  Running                 /bin/bash /server/script/check_nginx.sh &  (wd: /server/script)
[root@lb01 ~]# ps -ef|grep check_nginx|grep -v grep
root      7536  3527  0 16:48 pts/0    00:00:00 /bin/bash /server/script/check_nginx.sh
[root@lb01 ~]# kill -9 7536
[root@lb01 ~]# ps -ef|grep check_nginx|grep -v grep
[1]+  Killed                  /bin/bash /server/script/check_nginx.sh  (wd: /server/script)
(wd now: ~)

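Note: the jobs command only shows jobs of the current terminal. After that terminal is closed, programs running in the background can no longer be seen with jobs from another terminal; use ps (the process listing command) in that case.

Method two: have a Keepalived configuration parameter trigger a prepared monitoring script

Note: method two only needs to be configured on the Keepalived master server.

First, write the service monitoring script: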
[root@lb01 ~]# vim /server/script/chk_nginx_proxy.sh

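#!/bin/bash
# Run by Keepalived's vrrp_script: stop Keepalived unless exactly one
# nginx line appears in the netstat listener table.
if [ `netstat -lntup|grep nginx|wc -l` -ne 1 ]; then
	systemctl stop keepalived
fi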

Modify the configuration on the Keepalived master server:
[root@lb01 ~]# cat /etc/keepalived/keepalived.conf

! Configuration File for keepalived

global_defs {
   notification_email {
     123@qq.com
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id lb01
   vrrp_skip_check_adv_addr
   vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}

vrrp_script chk_nginx_proxy {
    script "/server/script/chk_nginx_proxy.sh"
    interval 2
    weight 2
}

vrrp_instance VI_1 {
    state MASTER
    interface eth1
    virtual_router_id 55
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.55.12/24 dev eth1 label eth1:1
    }
    track_script {
        chk_nginx_proxy
    }
}
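
Both check scripts above count netstat lines that mention nginx and treat anything other than exactly one as a failure. The following is an added example, not code from the original post or the book, that matches the listener by port and process name instead; the function names and sample listings are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post: a stricter listener check that
# reads `netstat -lntup` output on stdin. Function names are hypothetical.

# Print how many LISTEN sockets on PORT belong to a process named "nginx".
count_nginx_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, addr, ":")      # local address; last piece is the port
            if (addr[n] == port && $7 ~ /^[0-9]+\/nginx(:|$)/) count++
        }
        END { print count + 0 }'
}

# Exit status 0 when at least one nginx listener exists on PORT.
nginx_healthy() {
    [ "$(count_nginx_listeners "$1")" -ge 1 ]
}

# The test used in the post: healthy only when exactly one line mentions nginx.
post_check_healthy() {
    [ "$(grep -c nginx)" -eq 1 ]
}

# Constructed samples in netstat layout (not captured from a real host).
SAMPLE_DUAL_STACK='tcp   0  0 0.0.0.0:80     0.0.0.0:*  LISTEN  3326/nginx: master
tcp6  0  0 :::80          :::*       LISTEN  3326/nginx: master'
SAMPLE_EXPORTER_ONLY='tcp   0  0 0.0.0.0:9113   0.0.0.0:*  LISTEN  4100/nginx-exporter'
SAMPLE_WRONG_PORT='tcp   0  0 127.0.0.1:8080 0.0.0.0:*  LISTEN  3326/nginx: master'

report() {   # report LABEL NETSTAT_TEXT
    if printf '%s\n' "$2" | nginx_healthy 80; then strict=up; else strict=down; fi
    if printf '%s\n' "$2" | post_check_healthy; then post=up; else post=down; fi
    echo "$1: strict=$strict post=$post"
}
report "IPv4+IPv6 listeners" "$SAMPLE_DUAL_STACK"
report "only an exporter"    "$SAMPLE_EXPORTER_ONLY"
report "nginx on 8080 only"  "$SAMPLE_WRONG_PORT"

# On a live node: netstat -lntup | nginx_healthy 80 || systemctl stop keepalived
```

With a dual-stack listener the line count is 2, so the count-based test would release the VIP on a healthy node; with only a similarly named process listening, it would keep the VIP on a node that serves nothing on port 80.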

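The vrrp_script check script is not executed

Check one
Is there a problem with the script itself?

Check two
There must be a space between the vrrp_script name and {, or the { must be placed at the start of the next line;
vrrp_script must be placed before vrrp_instance;
There must be a space between the track_script keyword and {;
track_script must be placed after virtual_ipaddress;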
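
The four layout rules of check two can be checked mechanically. The linter below is an added example, not code from the original post or from the Keepalived project; lint_keepalived_conf and both sample configurations are constructed, and the rules it encodes are exactly the ones listed above.

```shell
#!/bin/bash
# Added example, not from the original post: lint a keepalived.conf (stdin)
# against the four layout rules of check two. lint_keepalived_conf is a
# hypothetical helper; it prints "LINE: finding" and fails if any rule breaks.
lint_keepalived_conf() {
    awk '
        /^[ \t]*[!#]/ { next }                           # comment lines
        /^[ \t]*vrrp_script[ \t]+[^ \t{]+\{/ { bad++; print NR ": no space before { in vrrp_script" }
        /^[ \t]*track_script\{/              { bad++; print NR ": no space before { in track_script" }
        /^[ \t]*vrrp_script[ \t]/ && inst    { bad++; print NR ": vrrp_script after a vrrp_instance" }
        /^[ \t]*vrrp_instance[ \t]/          { inst = 1; vip = 0 }
        /^[ \t]*virtual_ipaddress([ \t{]|$)/ { vip = 1 }
        /^[ \t]*track_script([ \t{]|$)/ && inst && !vip {
            bad++; print NR ": track_script before virtual_ipaddress"
        }
        END { exit (bad > 0) }'
}

# Constructed sample following the layout used in this post.
GOOD_CONF='vrrp_script chk_nginx_proxy {
    script "/server/script/chk_nginx_proxy.sh"
    interval 2
}
vrrp_instance VI_1 {
    virtual_ipaddress {
        192.168.55.12/24 dev eth1 label eth1:1
    }
    track_script {
        chk_nginx_proxy
    }
}'
# Constructed sample that breaks all four rules.
BAD_CONF='vrrp_instance VI_1 {
    track_script{
        chk_nginx_proxy
    }
    virtual_ipaddress {
        192.168.55.12/24 dev eth1 label eth1:1
    }
}
vrrp_script chk_nginx_proxy{
    script "/server/script/chk_nginx_proxy.sh"
}'

printf '%s\n' "$BAD_CONF" | lint_keepalived_conf || echo "layout rules broken"
# On a live node: lint_keepalived_conf < /etc/keepalived/keepalived.conf
```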

Check three
SELinux must be disabled

Check the SELinux status

[root@lb01 ~]# getenforce 
Enforcing
[root@lb01 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Disable temporarily
setenforce 0

Disable permanently
sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Check the status

[root@lb01 ~]# getenforce 
Permissive
[root@lb01 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          disabled
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
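
Whether SELinux is what stops the check script can be read from the audit log: denials are recorded with permissive=0 while enforcing, and still recorded with permissive=1 in the Permissive state shown above. The filter below is an added example, not code from the original post; keepalived_denials and the sample records are constructed, and /var/log/audit/audit.log is assumed as the audit log location.

```shell
#!/bin/bash
# Added example, not from the original post: list SELinux denials raised by
# the keepalived domain. keepalived_denials is a hypothetical helper that
# reads audit-log text on stdin and prints: permission, file, target type, effect.
keepalived_denials() {
    awk '
        /type=AVC/ && /denied/ && /scontext=[^ ]*:keepalived_t:/ {
            perm = $0
            sub(/.*\{ */, "", perm); sub(/ *\}.*/, "", perm)   # text inside { }
            name = ttype = effect = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name=/)       { name = $i; gsub(/^name=|"/, "", name) }
                if ($i ~ /^tcontext=/)   { split($i, ctx, ":"); ttype = ctx[3] }
                if ($i ~ /^permissive=/) { effect = ($i == "permissive=1") ? "logged-only" : "blocked" }
            }
            print perm, name, ttype, effect
        }'
}

# Constructed audit records (not captured from a real host).
SAMPLE_AUDIT='type=AVC msg=audit(1565772001.101:411): avc:  denied  { execute } for  pid=7702 comm="keepalived" name="chk_nginx_proxy.sh" dev="dm-0" ino=1049 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1565772003.250:412): avc:  denied  { read } for  pid=7710 comm="httpd" name="index.html" dev="dm-0" ino=2201 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1565772090.007:420): avc:  denied  { execute } for  pid=7811 comm="keepalived" name="chk_nginx_proxy.sh" dev="dm-0" ino=1049 scontext=system_u:system_r:keepalived_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=1'

printf '%s\n' "$SAMPLE_AUDIT" | keepalived_denials
# On a live node: keepalived_denials < /var/log/audit/audit.log
```

No output for the keepalived domain means SELinux is not what keeps the script from running, and checks one and two deserve another look.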

References

[1] 老男孩. 跟老男孩学Linux:Web集群实战 [M]. China Machine Press, 2016-03-01.
[2] [DB|OL]. http://nginx.org/en/docs/http/ngx_http_proxy_module.html
[3] A first look at CentOS 7: turning off the clingy SELinux [DB|OL]. https://blog.51cto.com/hongdouzi555/2073445
