keepalived + haproxy (SSL) for web high availability (dual-master mode)
Compile and install pcre

    # tar xvf pcre-8.33.tar.gz
    # cd pcre-8.33
    # ./configure
    # make && make install

Compile and install haproxy

    # tar xvf haproxy-ss-20130912.tar.gz
    # cd haproxy-ss-20130912
    # make TARGET=linux2628 ARCH=i686 USE_STATIC_PCRE=1 USE_OPENSSL=1
    # make PREFIX=/usr/local install
Add the user and group

    # groupadd -r haproxy
    # useradd -r -g haproxy haproxy

Copy the sample configuration file

    # mkdir /etc/haproxy
    # cp examples/haproxy.cfg /etc/haproxy
Copy the init script and manage it with chkconfig

    # cp examples/haproxy.init /etc/init.d/haproxy
    # chmod +x /etc/init.d/haproxy
    # ln -sv /usr/local/sbin/haproxy /usr/sbin/haproxy
    `/usr/sbin/haproxy' -> `/usr/local/sbin/haproxy'
    # chkconfig --add haproxy
    # chkconfig haproxy on
    # vim /etc/sysconfig/rsyslog
    #SYSLOGD_OPTIONS="-c4"
    SYSLOGD_OPTIONS="-c2 -r"
    # vim /etc/rsyslog.conf
    local2.* /var/log/haproxy.log
    # service rsyslog restart
    Shutting down system logger:
    Starting system logger:
Edit the configuration file

    # cat /etc/haproxy/haproxy.cfg
    #this config needs haproxy-1.1.28 or haproxy-1.2.1
    global
        log 127.0.0.1 local2
        maxconn 4096
        chroot /usr/local
        user haproxy
        group haproxy
        daemon

    defaults
        mode http
        log global
        option redispatch
        retries 3
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout client 1m
        timeout server 1m
        timeout http-keep-alive 10s
        timeout check 10s
        maxconn 30000

    # Statistics page: listens on every interface, port 1080.
    # admin:admin is a sample credential, and "stats admin if TRUE" lets any
    # authenticated user change server state from this page.
    listen stats
        mode http
        bind 0.0.0.0:1080
        stats enable
        stats hide-version
        stats uri /haproxyadmin?stats
        stats realm Haproxy\ Statistics
        stats auth admin:admin
        stats admin if TRUE

    frontend http-in
        bind *:80
        mode http
        log global
        option httpclose
        option logasap
        option dontlognull
        option httplog
        option http-server-close
        option forwardfor except 127.0.0.0/8
        capture request header Host len 20
        capture request header Referer len 60
        default_backend http-servers

    backend http-servers
        balance roundrobin
        server web3 172.16.100.42:80 check port 80 inter 1500 rise 3 fall 3 maxconn 2000
        server web4 172.16.100.44:80 check port 80 inter 1500 rise 3 fall 3 maxconn 2000

    # TLS terminates here; server.pem holds the certificate and its private key.
    frontend https-in
        bind *:443 ssl crt /etc/haproxy/server.pem
        mode http
        log global
        default_backend https-servers

    # Only web4 is defined for HTTPS traffic; it is reached over plain HTTP on port 80.
    backend https-servers
        balance source
        server web4 172.16.100.44:80 check port 80 inter 1500 rise 3 fall 3 maxconn 2000
Prepare the certificate in PEM format (a certificate in crt format causes an error). The file referenced by crt on the bind line holds the certificate followed by its private key:

    # cat /etc/haproxy/server.pem
    -----BEGIN CERTIFICATE-----
    [certificate body omitted]
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    [private key body omitted]
    -----END RSA PRIVATE KEY-----
    # service haproxy start
    Starting haproxy:
Stop the httpd service on web4:

    # service httpd stop
    Stopping httpd:

https can no longer be reached (backend https-servers defines only web4), but http is still served normally.
After haproxy has been installed on ha2:

    # scp /etc/haproxy/{haproxy.cfg,server.pem} 172.16.100.72:/etc/haproxy/
    # service haproxy start
    Starting haproxy:

Test
keepalived provides high availability for haproxy

    # cat keepalived.conf
    ! Configuration File for keepalived

    global_defs {
        notification_email {
            root@sanyu.com
        }
        notification_email_from kanotify@sanyu.com
        smtp_connect_timeout 3
        smtp_server 127.0.0.1
        router_id LVS_DEVEL
    }

    # Exits 0 while a haproxy process exists.
    vrrp_script chk_haproxy {
        script "killall -0 haproxy"
        interval 1
        weight 2
    }

    # Fails while /etc/keepalived/down exists (manual maintenance switch).
    vrrp_script chk_mantaince_down {
        script "[[ -f /etc/keepalived/down ]] && exit 1 || exit 0"
        interval 1
        weight 2
    }

    vrrp_instance VI_1 {
        interface eth0
        state MASTER #BACKUP for slave routers
        priority 101 #100 for BACKUP
        virtual_router_id 70
        garp_master_delay 1
        authentication {
            auth_type PASS
            auth_pass password
        }
        track_interface {
            eth0
        }
        virtual_ipaddress {
            172.16.100.70/16 dev eth0 label eth0:0
        }
        track_script {
            chk_haproxy
            chk_mantaince_down
        }
    }

    vrrp_instance VI_2 {
        interface eth0
        state BACKUP #BACKUP for slave routers
        priority 100 #100 for BACKUP
        virtual_router_id 79
        garp_master_delay 1
        authentication {
            auth_type PASS
            auth_pass password
        }
        track_interface {
            eth0
        }
        virtual_ipaddress {
            172.16.100.79/16 dev eth0 label eth0:1
        }
        track_script {
            chk_haproxy
            chk_mantaince_down
        }
    }

The configuration for ha2 swaps the MASTER and BACKUP roles of the two instances:

    # diff keepalived.conf keepalived.conf.ha2
    25,26c25,26
    < state MASTER #BACKUP for slave routers
    < priority 101 #100 for BACKUP
    ---
    > state BACKUP #BACKUP for slave routers
    > priority 100 #100 for BACKUP
    48,49c48,49
    < state BACKUP #BACKUP for slave routers
    < priority 100 #100 for BACKUP
    ---
    > state MASTER #BACKUP for slave routers
    > priority 101 #100 for BACKUP
    # scp /etc/keepalived/keepalived.conf.ha2 172.16.100.72:/etc/keepalived/keepalived.conf
    # service keepalived start
    Starting keepalived:
    # service keepalived start
    Starting keepalived:
Failover:

    # service haproxy stop
    Shutting down haproxy:

The VIP moved to ha1.
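The following added example (not part of the original post) models why that failover happens: it computes each node's effective VRRP priority from the base priorities and script weights in the keepalived.conf above and reports which node holds each VIP. The function names and node-state keys are hypothetical; it assumes default preemption and that both nodes can exchange VRRP adverts.

```python
# Added example: which node holds each VIP under the keepalived.conf shown above.
# Names such as vip_owners and the node-state keys are hypothetical.

WEIGHT = 2  # "weight 2" on both chk_haproxy and chk_mantaince_down

# Base priorities: keepalived.conf on ha1, keepalived.conf.ha2 on ha2.
BASE_PRIORITY = {
    "VI_1": {"ha1": 101, "ha2": 100},  # VIP 172.16.100.70
    "VI_2": {"ha1": 100, "ha2": 101},  # VIP 172.16.100.79
}


def effective_priority(base, haproxy_running, down_file_present):
    """keepalived adds a positive script weight while the script exits 0."""
    prio = base
    if haproxy_running:        # chk_haproxy: "killall -0 haproxy" succeeds
        prio += WEIGHT
    if not down_file_present:  # chk_mantaince_down: /etc/keepalived/down is absent
        prio += WEIGHT
    return prio


def vip_owners(nodes):
    """Return {instance: node holding its VIP}, or None if no keepalived runs.

    Assumes default preemption (no nopreempt in the config), so the node
    with the highest effective priority becomes master.
    """
    owners = {}
    for inst, bases in BASE_PRIORITY.items():
        prio = {
            name: effective_priority(bases[name], s["haproxy"], s["down_file"])
            for name, s in nodes.items() if s["keepalived"]
        }
        owners[inst] = max(prio, key=prio.get) if prio else None
    return owners


def node(keepalived=True, haproxy=True, down_file=False):
    """Constructed node state for the scenarios below."""
    return {"keepalived": keepalived, "haproxy": haproxy, "down_file": down_file}


if __name__ == "__main__":
    scenarios = {
        "healthy": {"ha1": node(), "ha2": node()},
        "haproxy stopped on ha2": {"ha1": node(), "ha2": node(haproxy=False)},
        "down file on ha1": {"ha1": node(down_file=True), "ha2": node()},
        "haproxy stopped on both": {"ha1": node(haproxy=False), "ha2": node(haproxy=False)},
    }
    for label, state in scenarios.items():
        print(f"{label:26} {vip_owners(state)}")
```

With haproxy stopped on both nodes, each VIP stays on its original master: the track scripts only shift relative priority, so they do not take a VIP down when no proxy is left to serve it.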
This article is reprinted from http://sanyu.blog.iyunv.com/7339300/1306479