keepalived+haproxy(SSL)实现web高可用(双主模式)
编译安装pcre
# tar xvf pcre-8.33.tar.gz
# cd pcre-8.33
# ./configure
# make && make install
编译安装haproxy
# tar xvf haproxy-ss-20130912.tar.gz
# cd haproxy-ss-20130912
# make TARGET=linux2628 ARCH=i686 USE_STATIC_PCRE=1 USE_OPENSSL=1
# make PREFIX=/usr/local install
添加用户和组
# groupadd -r haproxy
# useradd -r -g haproxy haproxy
复制配置文件样例
# mkdir /etc/haproxy
# cp examples/haproxy.cfg /etc/haproxy
复制启动脚本使用chkconfig管理
# cp examples/haproxy.init /etc/init.d/haproxy
# chmod +x /etc/init.d/haproxy
# ln -sv /usr/local/sbin/haproxy /usr/sbin/haproxy
`/usr/sbin/haproxy' -> `/usr/local/sbin/haproxy'
# chkconfig --add haproxy
# chkconfig haproxy on
配置rsyslog接收haproxy日志(haproxy通过UDP向127.0.0.1发送日志;-r 会让rsyslog在所有网卡上监听UDP 514,建议用防火墙限制为仅本机可访问)
# vim /etc/sysconfig/rsyslog
#SYSLOGD_OPTIONS="-c 4"
SYSLOGD_OPTIONS="-c 2 -r"
# vim /etc/rsyslog.conf
local2.* /var/log/haproxy.log
# service rsyslog restart
Shutting down system logger:
Starting system logger:
编辑配置文件
# cat /etc/haproxy/haproxy.cfg
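# this config needs haproxy-1.1.28 or haproxy-1.2.1
# NOTE(review): the line above is inherited from the example file; the
# "bind ... ssl crt" line further down needs a build made with USE_OPENSSL=1.

global
    # Logs go to the local syslog daemon over UDP, facility local2.
    log 127.0.0.1 local2
    maxconn 4096
    # NOTE(review): /usr/local holds binaries and libraries. An empty,
    # root-owned directory that the haproxy user cannot write to is a
    # tighter chroot target.
    chroot /usr/local
    # Drop privileges to the unprivileged haproxy account after start-up.
    user haproxy
    group haproxy
    daemon

defaults
    mode http
    log global
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    # Per-proxy limit; the process-wide cap is still "maxconn 4096" in global.
    maxconn 30000

listen stats
    mode http
    # NOTE(review): this listens on every interface. Binding to a management
    # address, or filtering port 1080 at the firewall, limits who can reach
    # the statistics page.
    bind 0.0.0.0:1080
    stats enable
    stats hide-version
    stats uri /haproxyadmin?stats
    stats realm Haproxy\ Statistics
    # NOTE(review): admin:admin is a sample credential, and this listener is
    # plain HTTP, so Basic auth crosses the network unencrypted. Replace the
    # credential before any real deployment.
    stats auth admin:admin
    # "if TRUE" gives every authenticated user the admin actions
    # (enable/disable servers) on the statistics page.
    stats admin if TRUE

frontend http-in
    bind *:80
    mode http
    log global
    option httpclose
    option logasap
    option dontlognull
    option httplog
    option http-server-close
    # Adds X-Forwarded-For for the backends, except for requests from loopback.
    option forwardfor except 127.0.0.0/8
    # Fixed: the keyword is "capture request header" (three words); the
    # original listing had "requestheader" run together.
    capture request header Host len 20
    capture request header Referer len 60
    default_backend http-servers

backend http-servers
    balance roundrobin
    # Fixed: "port 80inter" was missing a space; it now matches the
    # "check port 80 inter 1500" form used in backend https-servers.
    server web3 172.16.100.42:80 check port 80 inter 1500 rise 3 fall 3 maxconn 2000
    server web4 172.16.100.44:80 check port 80 inter 1500 rise 3 fall 3 maxconn 2000

frontend https-in
    # TLS is terminated here. server.pem holds the certificate AND the private
    # key, so it should be readable by root only.
    # NOTE(review): no protocol or cipher restrictions are set on this bind
    # line, so the defaults of the linked OpenSSL build apply.
    bind *:443 ssl crt /etc/haproxy/server.pem
    mode http
    log global
    default_backend https-servers

backend https-servers
    balance source
    # Traffic to the backend is plain HTTP on port 80 (TLS ends at the proxy).
    # Only web4 is listed, so HTTPS has no second server to fall back on.
    server web4 172.16.100.44:80 check port 80 inter 1500 rise 3 fall 3 maxconn 2000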
准备好pem格式的证书(crt格式的证书会报错):haproxy的crt参数要求证书和私钥合并在同一个pem文件中,如下所示。该文件包含私钥,应设置为仅root可读(例如chmod 600),私钥内容不应对外公开。
# cat /etc/haproxy/server.pem
-----BEGIN CERTIFICATE-----
MIIDdDCCAlygAwIBAgIBATANBgkqhkiG9w0BAQUFADCBiTELMAkGA1UEBhMCQ04x
ETAPBgNVBAgMCHNoYW5naGFpMREwDwYDVQQHDAhzaGFuZ2hhaTEOMAwGA1UECgwF
U2FuWXUxDTALBgNVBAsMBFRlY2gxFTATBgNVBAMMDGNhLnNhbnl1LmNvbTEeMBwG
CSqGSIb3DQEJARYPYWRtaW5Ac2FueXUuY29tMB4XDTEzMDgyMjE0MDEyOVoXDTE0
MDgyMjE0MDEyOVoweDELMAkGA1UEBhMCQ04xETAPBgNVBAgMCHNoYW5naGFpMQ4w
DAYDVQQKDAVTYW5ZdTENMAsGA1UECwwEVGVjaDEXMBUGA1UEAwwOc2hvcC5zYW55
dS5jb20xHjAcBgkqhkiG9w0BCQEWD2FkbWluQHNhbnl1LmNvbTCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAwih83eAjuU25k3VRv***HBWy6H1R8pQUyLOWURM2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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
# service haproxy start
Starting haproxy:
测试:
http://blog.运维网.com/attachment/201310/205650767.png
web4上停止httpd服务:
# service httpd stop
Stopping httpd:
https已不能访问(backend https-servers只定义了web4),但http仍能正常访问
http://blog.运维网.com/attachment/201310/205650205.png
http://blog.运维网.com/attachment/201310/205651916.png
ha2上haproxy安装完毕后
# scp /etc/haproxy/{haproxy.cfg,server.pem} 172.16.100.72:/etc/haproxy/
# service haproxy start
Starting haproxy:
测试:
http://blog.运维网.com/attachment/201310/205652293.png
keepalived提供haproxy高可用
# cat keepalived.conf
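! Configuration File for keepalived
# Dual-master layout: this node is MASTER for VI_1 (172.16.100.70) and BACKUP
# for VI_2 (172.16.100.79); the peer uses the mirrored state/priority values.

global_defs {
    notification_email {
        root@sanyu.com
    }
    notification_email_from kanotify@sanyu.com
    smtp_connect_timeout 3
    smtp_server 127.0.0.1
    router_id LVS_DEVEL
}

# Health check: "killall -0" sends signal 0, which only tests that a process
# named haproxy exists. It does not prove haproxy is answering requests.
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 1
    # A passing check adds 2 to the instance priority.
    weight 2
}

# Manual maintenance switch: the check fails while /etc/keepalived/down exists.
# NOTE(review): "[[ ]]" is bash syntax, so this relies on the shell that runs
# the script being bash-compatible. keepalived normally runs check scripts as
# root, so /etc/keepalived should be writable by root only; anyone who can
# create the "down" file can move the VIP.
vrrp_script chk_mantaince_down {
    script "[[ -f /etc/keepalived/down ]] && exit 1 || exit 0"
    interval 1
    weight 2
}

vrrp_instance VI_1 {
    interface eth0
    # Fixed: a space now separates the value from the trailing comment
    # (the listing had "MASTER#" / "101#" run together).
    state MASTER # BACKUP for slave routers
    priority 101 # 100 for BACKUP
    virtual_router_id 70
    garp_master_delay 1
    # NOTE(review): auth_type PASS puts the secret in clear text in every VRRP
    # advertisement, keepalived uses only its first 8 characters, and
    # "password" is a sample value. Use a site-specific secret and restrict
    # VRRP traffic (IP protocol 112) to the two peers at the firewall.
    authentication {
        auth_type PASS
        auth_pass password
    }
    track_interface {
        eth0
    }
    virtual_ipaddress {
        172.16.100.70/16 dev eth0 label eth0:0
    }
    track_script {
        chk_haproxy
        chk_mantaince_down
    }
}

vrrp_instance VI_2 {
    interface eth0
    state BACKUP # BACKUP for slave routers
    priority 100 # 100 for BACKUP
    virtual_router_id 79
    garp_master_delay 1
    # NOTE(review): same sample clear-text secret as VI_1; see the note there.
    authentication {
        auth_type PASS
        auth_pass password
    }
    track_interface {
        eth0
    }
    virtual_ipaddress {
        172.16.100.79/16 dev eth0 label eth0:1
    }
    track_script {
        chk_haproxy
        chk_mantaince_down
    }
}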
# diff keepalived.conf keepalived.conf.ha2
25,26c25,26
< state MASTER# BACKUP for slave routers
< priority 101# 100 for BACKUP
---
> state BACKUP# BACKUP for slave routers
> priority 100# 100 for BACKUP
48,49c48,49
< state BACKUP# BACKUP for slave routers
< priority 100# 100 for BACKUP
---
> state MASTER# BACKUP for slave routers
> priority 101# 100 for BACKUP
# scp /etc/keepalived/keepalived.conf.ha2 172.16.100.72:/etc/keepalived/keepalived.conf
# service keepalived start
Starting keepalived:
# service keepalived start
Starting keepalived:
http://blog.运维网.com/attachment/201310/205654179.png
http://blog.运维网.com/attachment/201310/205654561.png
故障转移:
# service haproxy stop
Shutting down haproxy:
vip漂到了ha1上
http://blog.运维网.com/attachment/201310/205655263.png