frtd 发表于 2013-10-10 09:07:39

keepalived+haproxy(SSL)实现web高可用(双主模式)

编译安装pcre


# tar xvf pcre-8.33.tar.gz
# cd pcre-8.33
# ./configure
# make && make install
编译安装haproxy


# tar xvf haproxy-ss-20130912.tar.gz
# cd haproxy-ss-20130912
# make TARGET=linux2628 ARCH=i686 USE_STATIC_PCRE=1 USE_OPENSSL=1
# make PREFIX=/usr/local install
添加用户和组


# groupadd -r haproxy
# useradd -r -g haproxy haproxy
复制配置文件样例


# mkdir /etc/haproxy
# cp examples/haproxy.cfg /etc/haproxy
复制启动脚本使用chkconfig管理


# cp examples/haproxy.init /etc/init.d/haproxy
# chmod +x /etc/init.d/haproxy
# ln -sv /usr/local/sbin/haproxy /usr/sbin/haproxy
`/usr/sbin/haproxy' -> `/usr/local/sbin/haproxy'
# chkconfig --add haproxy
# chkconfig haproxy on
配置rsyslog接收haproxy日志(-r 会在所有地址上开启UDP 514接收;haproxy的日志只发往本机127.0.0.1,应以防火墙限制该端口的来源)
# vim /etc/sysconfig/rsyslog
#SYSLOGD_OPTIONS="-c 4"
SYSLOGD_OPTIONS="-c 2 -r"
# vim /etc/rsyslog.conf
local2.*                                                /var/log/haproxy.log
# service rsyslog restart
Shutting down system logger:                              
Starting system logger:                                    
编辑配置文件


# cat /etc/haproxy/haproxy.cfg
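# HAProxy configuration for this setup. The "ssl crt" bind option used in
# frontend https-in needs a 1.5 development snapshot or later built with
# USE_OPENSSL=1.
global
    log 127.0.0.1   local2
    maxconn 4096
    # NOTE(review): /usr/local holds installed binaries; a chroot is normally
    # an empty directory that the haproxy user cannot write to.
    chroot /usr/local
    user    haproxy
    group   haproxy
    daemon

defaults
    mode                    http
    log                     global
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    # NOTE(review): higher than the global maxconn (4096), which still caps
    # the whole process.
    maxconn                 30000

# Statistics page.
# NOTE(review): this listener is reachable on every address, over plain HTTP,
# with the placeholder credentials admin:admin, and "stats admin if TRUE" lets
# any authenticated client change server state. Before using this outside a
# lab: set a real password, bind to a management address, and narrow the
# "stats admin" condition (or drop the line for a read-only page).
listen stats
    mode http
    bind 0.0.0.0:1080
    stats enable
    stats hide-version
    stats uri     /haproxyadmin?stats
    stats realm   Haproxy Statistics
    stats auth    admin:admin
    stats admin if TRUE

frontend http-in
    bind *:80
    mode http
    log global
    # NOTE(review): httpclose and http-server-close are both set; confirm
    # which connection mode is intended.
    option httpclose
    option logasap
    option dontlognull
    option httplog
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    capture request header Host len 20
    capture request header Referer len 60
    default_backend http-servers

backend http-servers
    balance roundrobin
    # "port 80" and "inter" are separate keywords and need a space between them.
    server web3 172.16.100.42:80 check port 80 inter 1500 rise 3 fall 3 maxconn 2000
    server web4 172.16.100.44:80 check port 80 inter 1500 rise 3 fall 3 maxconn 2000

# TLS is terminated here; server.pem holds the certificate and its private key.
frontend https-in
    bind *:443 ssl crt /etc/haproxy/server.pem
    mode http
    log global
    default_backend https-servers

# Traffic to the backend is plain HTTP on port 80. Only web4 is listed, so
# HTTPS has no second server to fail over to.
backend https-servers
    balance source
    server web4 172.16.100.44:80 check port 80 inter 1500 rise 3 fall 3 maxconn 2000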
准备好pem格式的证书(crt格式的证书会报错)。如下所示,证书和私钥要合并在同一个pem文件中;该文件包含私钥,应只允许root读取(如 chmod 600 /etc/haproxy/server.pem)


# cat /etc/haproxy/server.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
# service haproxy start
Starting haproxy:                                          
测试:

web4上停止httpd服务:


# service httpd stop
Stopping httpd:                                          

https已不能访问(backend https-servers只定义了web4),但http仍能正常访问




ha2上haproxy安装完毕后


# scp /etc/haproxy/{haproxy.cfg,server.pem} 172.16.100.72:/etc/haproxy/
# service haproxy start
Starting haproxy:                                          
测试,

keepalived提供haproxy高可用


# cat keepalived.conf
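! Configuration File for keepalived
# This is the copy used on ha1. ha2 runs the same file with the state and
# priority of VI_1 and VI_2 swapped, so each node is MASTER for one VIP.

global_defs {
   notification_email {
         root@sanyu.com
   }
   notification_email_from kanotify@sanyu.com
   smtp_connect_timeout 3
   smtp_server 127.0.0.1
   router_id LVS_DEVEL
}

# Succeeds while a haproxy process exists (signal 0 only tests for existence).
# A positive weight is added to the instance priority while the check passes.
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 1
    weight 2
}

# Fails while /etc/keepalived/down exists; creating that file lowers this
# node's priority so that the peer takes over the VIPs for maintenance.
vrrp_script chk_mantaince_down {
   script "[[ -f /etc/keepalived/down ]] && exit 1 || exit 0"
   interval 1
   weight 2
}

# With both checks passing the effective priority is base + 4. One failed
# check on the MASTER gives 101 + 2 = 103, below the peer's 100 + 4 = 104,
# so the VIP moves to the peer.
vrrp_instance VI_1 {
    interface eth0
    state MASTER # BACKUP for slave routers
    priority 101 # 100 for BACKUP
    virtual_router_id 70
    garp_master_delay 1

    # NOTE(review): auth_type PASS puts the password in clear text in every
    # VRRP advertisement, and "password" is a placeholder. Set a site-specific
    # value; it guards against misconfigured peers, not against a host that
    # can read traffic on this segment.
    authentication {
      auth_type PASS
      auth_pass password
    }
    track_interface {
       eth0
    }
    virtual_ipaddress {
      172.16.100.70/16 dev eth0 label eth0:0
    }
    track_script {
      chk_haproxy
      chk_mantaince_down
    }
}

vrrp_instance VI_2 {
    interface eth0
    state BACKUP # BACKUP for slave routers
    priority 100 # 100 for BACKUP
    virtual_router_id 79
    garp_master_delay 1

    # NOTE(review): same clear-text placeholder password as in VI_1; replace it.
    authentication {
      auth_type PASS
      auth_pass password
    }
    track_interface {
       eth0
    }
    virtual_ipaddress {
      172.16.100.79/16 dev eth0 label eth0:1
    }
    track_script {
      chk_haproxy
      chk_mantaince_down
    }
}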


# diff keepalived.conf keepalived.conf.ha2
25,26c25,26
<   state MASTER# BACKUP for slave routers
<   priority 101# 100 for BACKUP
---
>   state BACKUP# BACKUP for slave routers
>   priority 100# 100 for BACKUP
48,49c48,49
<   state BACKUP# BACKUP for slave routers
<   priority 100# 100 for BACKUP
---
>   state MASTER# BACKUP for slave routers
>   priority 101# 100 for BACKUP
# scp /etc/keepalived/keepalived.conf.ha2 172.16.100.72:/etc/keepalived/keepalived.conf
# service keepalived start
Starting keepalived:                                       
# service keepalived start
Starting keepalived:                                       



故障转移:


# service haproxy stop
Shutting down haproxy:                                    
vip漂到了ha1上



gaohan 发表于 2013-10-18 11:56:50

我喜欢孩子,更喜欢造孩子的过程!

cnq 发表于 2013-10-26 19:35:44

我本非随便的人,但如果你想随便,那我就随你的便好啦!

chunjihong 发表于 2013-11-5 20:23:03

男人偷腥时的智商仅次于爱因斯坦!

gaojinguan 发表于 2013-11-24 12:14:56

微机原理闹危机,随机过程随机过,实变函数学十遍,汇编语言不会编!

linuxx 发表于 2013-12-10 10:00:16

我不怕生命有挫折,就怕回忆会有皱褶。

qmya00 发表于 2013-12-20 18:06:10

〆.﹏微小的幸福就在身边,容易满足就是天堂...