
[Experience sharing] keepalived + haproxy (SSL) for highly available web service (dual-master mode)


Posted on 2015-11-19 14:24:32
Compile and install pcre
[iyunv@ha1 ha]# tar xvf pcre-8.33.tar.gz
[iyunv@ha1 ha]# cd pcre-8.33
[iyunv@ha1 pcre-8.33]# ./configure
[iyunv@ha2 pcre-8.33]# make && make install
Compile and install haproxy
[iyunv@ha1 ha]# tar xvf haproxy-ss-20130912.tar.gz
[iyunv@ha1 ha]# cd haproxy-ss-20130912
[iyunv@ha1 haproxy-ss-20130912]# make TARGET=linux2628 ARCH=i686 USE_STATIC_PCRE=1 USE_OPENSSL=1
[iyunv@ha1 haproxy-ss-20130912]# make PREFIX=/usr/local install
Add the user and group
[iyunv@ha1 ha]# groupadd -r haproxy
[iyunv@ha1 ha]# useradd -r -g haproxy haproxy
Copy the sample configuration file
[iyunv@ha1 ha]# mkdir /etc/haproxy
[iyunv@ha1 haproxy-ss-20130912]# cp examples/haproxy.cfg /etc/haproxy
Copy the init script, manage the service with chkconfig, and send the local2 log facility to /var/log/haproxy.log
[iyunv@ha1 haproxy-ss-20130912]# cp examples/haproxy.init /etc/init.d/haproxy
[iyunv@ha1 ~]# chmod +x /etc/init.d/haproxy
[iyunv@ha1 ~]# ln -sv /usr/local/sbin/haproxy /usr/sbin/haproxy
`/usr/sbin/haproxy' -> `/usr/local/sbin/haproxy'
[iyunv@ha1 haproxy-ss-20130912]# chkconfig --add haproxy
[iyunv@ha1 haproxy-ss-20130912]# chkconfig haproxy on
[iyunv@ha1 ~]# vim /etc/sysconfig/rsyslog
#SYSLOGD_OPTIONS="-c4"
SYSLOGD_OPTIONS="-c2 -r"
[iyunv@ha1 ~]# vim /etc/rsyslog.conf
local2.*                                                /var/log/haproxy.log
[iyunv@ha1 ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Edit the configuration file
[iyunv@ha1 ~]# cat /etc/haproxy/haproxy.cfg
#this config needs haproxy-1.1.28 or haproxy-1.2.1
global
    log 127.0.0.1   local2
    maxconn 4096
    chroot /usr/local
    user       haproxy
    group      haproxy
    daemon
defaults
    mode                    http
    log                     global
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 30000
listen stats
    mode http
    bind 0.0.0.0:1080
    stats enable
    stats hide-version
    stats uri     /haproxyadmin?stats
    stats realm   Haproxy\ Statistics
    stats auth    admin:admin
    stats admin if TRUE
frontend http-in
    bind *:80
    mode http
    log global
    option httpclose
    option logasap
    option dontlognull
    option httplog
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    capture request  header Host len 20
    capture request  header Referer len 60
    default_backend http-servers
backend http-servers
    balance roundrobin
        server web3 172.16.100.42:80 check port 80  inter 1500 rise 3 fall 3 maxconn 2000
        server web4 172.16.100.44:80 check port 80  inter 1500 rise 3 fall 3 maxconn 2000
frontend https-in
    bind *:443 ssl crt /etc/haproxy/server.pem
    mode http
    log global
    default_backend https-servers
backend https-servers
    balance source
        server web4 172.16.100.44:80 check port 80 inter 1500 rise 3 fall 3 maxconn 2000
Prepare the certificate in PEM format (a certificate in crt format causes an error). The file holds the certificate followed by its RSA private key:
[iyunv@ha1 ~]# cat /etc/haproxy/server.pem
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(private key body omitted)
-----END RSA PRIVATE KEY-----
[iyunv@ha1 ~]# service haproxy start
Starting haproxy:                                          [  OK  ]

Stop the httpd service on web4:

[iyunv@web4 ~]# service httpd stop
Stopping httpd:

HTTPS can no longer be reached (backend https-servers defines only web4), but HTTP still works normally.


After haproxy has been installed on ha2:

[iyunv@ha1 ~]# scp /etc/haproxy/{haproxy.cfg,server.pem} 172.16.100.72:/etc/haproxy/
[iyunv@ha2 ~]# service haproxy start
Starting haproxy:                                          [  OK  ]

Test: [screenshot DSC0003.png]


keepalived provides high availability for haproxy

[iyunv@ha1 keepalived]# cat keepalived.conf
! Configuration File for keepalived

global_defs {
   notification_email {
         root@sanyu.com
   }
   notification_email_from kanotify@sanyu.com
   smtp_connect_timeout 3
   smtp_server 127.0.0.1
   router_id LVS_DEVEL
}
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 1
    weight 2
}
vrrp_script chk_mantaince_down {
   script "[[ -f /etc/keepalived/down ]] && exit 1 || exit 0"
   interval 1
   weight 2
}
vrrp_instance VI_1 {
    interface eth0
    state MASTER  #BACKUP for slave routers
    priority 101  #100 for BACKUP
    virtual_router_id 70
    garp_master_delay 1

    authentication {
        auth_type PASS
        auth_pass password
    }
    track_interface {
       eth0
    }
    virtual_ipaddress {
        172.16.100.70/16 dev eth0 label eth0:0
    }
    track_script {
        chk_haproxy
        chk_mantaince_down
    }
}
vrrp_instance VI_2 {
    interface eth0
    state BACKUP  #BACKUP for slave routers
    priority 100  #100 for BACKUP
    virtual_router_id 79
    garp_master_delay 1

    authentication {
        auth_type PASS
        auth_pass password
    }
    track_interface {
       eth0
    }
    virtual_ipaddress {
        172.16.100.79/16 dev eth0 label eth0:1
    }
    track_script {
        chk_haproxy
        chk_mantaince_down
    }
}

The copy for ha2 swaps the state and priority of the two instances, so each node is MASTER for one VIP and BACKUP for the other:

[iyunv@ha1 keepalived]# diff keepalived.conf keepalived.conf.ha2
25,26c25,26
<    state MASTER  #BACKUP for slave routers
<    priority 101  #100 for BACKUP
---
>    state BACKUP  #BACKUP for slave routers
>    priority 100  #100 for BACKUP
48,49c48,49
<    state BACKUP  #BACKUP for slave routers
<    priority 100  #100 for BACKUP
---
>    state MASTER  #BACKUP for slave routers
>    priority 101  #100 for BACKUP
[iyunv@ha1 ~]# scp /etc/keepalived/keepalived.conf.ha2 172.16.100.72:/etc/keepalived/keepalived.conf
[iyunv@ha1 ~]# service keepalived start
Starting keepalived:                                       [  OK  ]
[iyunv@ha2 ~]# service keepalived start
Starting keepalived:                                       [  OK  ]


Failover:

[iyunv@ha2 ~]# service haproxy stop
Shutting down haproxy:                                     [  OK  ]

The VIP has moved to ha1.


This article is reposted from http://sanyu.blog.iyunv.com/7339300/1306479
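The stats listener in haproxy.cfg and the authentication blocks in keepalived.conf above are the settings most worth reviewing before this setup leaves a lab. The following is an added example, not part of the original post: a small audit over constructed excerpts of those two files. The function names, the finding labels and the WEAK denylist are assumptions made for illustration.

```python
HAPROXY_CFG = """\
listen stats
    bind 0.0.0.0:1080
    stats enable
    stats auth admin:admin
    stats admin if TRUE
frontend https-in
    bind *:443 ssl crt /etc/haproxy/server.pem
"""  # constructed excerpt: the directives the checks read, from the listing above
KEEPALIVED_CONF = """\
vrrp_instance VI_1 {
    authentication {
        auth_type PASS
        auth_pass password
    }
}
"""  # constructed excerpt of keepalived.conf as shown above
SECTIONS = {"global", "defaults", "listen", "frontend", "backend"}
WEAK = {"admin", "password", "haproxy", "123456"}  # assumed denylist, extend locally

def audit_haproxy(text):
    """Return (section, finding) pairs for every section with 'stats enable'."""
    body, name, out = {}, None, []
    for t in (line.split() for line in text.splitlines()):
        if t and t[0] in SECTIONS:
            name = " ".join(t[:2])
        elif t and name and not t[0].startswith("#"):
            body.setdefault(name, []).append(t)
    for name, rows in body.items():
        if ["stats", "enable"] not in rows:
            continue
        for t in rows:
            if t[0] == "bind" and len(t) > 1 and t[1].rsplit(":", 1)[0] in ("", "*", "0.0.0.0"):
                out.append((name, "stats-wildcard-bind"))
            elif t[:2] == ["stats", "auth"] and len(t) > 2:
                user, _, pw = t[2].partition(":")
                if pw == user or pw.lower() in WEAK:
                    out.append((name, "stats-weak-credentials"))
            elif t == ["stats", "admin", "if", "TRUE"]:
                out.append((name, "stats-admin-unconditional"))
    return out

def audit_keepalived(text):
    out, inst = [], None  # inst: name of the vrrp_instance currently being read
    for t in (line.split() for line in text.splitlines()):
        if t[:1] == ["vrrp_instance"] and len(t) > 1:
            inst = t[1]
        elif t[:1] == ["auth_pass"] and len(t) > 1 and t[1].lower() in WEAK:
            out.append((inst, "vrrp-weak-auth_pass"))
    return out
```

With `auth_type PASS` the password travels in cleartext in VRRP advertisements, so a strong value mainly guards against misconfigured peers; the stats findings are cleared by binding the listener to a management address, choosing real credentials and restricting `stats admin` with an ACL.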
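Why stopping haproxy on ha2 moves its VIP to ha1: an added example (not part of the original post) that computes each node's effective VRRP priority from the values in keepalived.conf and the ha2 diff above. It assumes keepalived's rule that a positive `weight` is added to the base priority while the tracked script exits 0, with default preemption; function and variable names are hypothetical and tie-breaking is not modelled.

```python
# Base priorities from keepalived.conf on ha1 and the diff applied for ha2.
BASE = {"ha1": {"VI_1": 101, "VI_2": 100}, "ha2": {"VI_1": 100, "VI_2": 101}}
VIPS = {"VI_1": "172.16.100.70", "VI_2": "172.16.100.79"}
WEIGHTS = {"chk_haproxy": 2, "chk_mantaince_down": 2}
ALL_OK = set(WEIGHTS)

def effective_priority(base, passing, weights=WEIGHTS):
    """Positive weight: added to the base priority while the tracked script exits 0."""
    return base + sum(w for name, w in weights.items() if name in passing)

def vip_owners(passing_by_node, base=BASE, weights=WEIGHTS):
    """Map each VIP to the node with the highest effective priority."""
    owners = {}
    for inst, vip in VIPS.items():
        scores = {n: effective_priority(base[n][inst], passing_by_node[n], weights)
                  for n in base}
        owners[vip] = max(scores, key=scores.get)
    return owners

# Constructed scenarios: the set of tracked scripts currently succeeding on each node.
healthy = {"ha1": ALL_OK, "ha2": ALL_OK}
ha2_haproxy_stopped = {"ha1": ALL_OK, "ha2": {"chk_mantaince_down"}}
ha1_in_maintenance = {"ha1": {"chk_haproxy"}, "ha2": ALL_OK}  # /etc/keepalived/down exists
ha1_haproxy_stopped = {"ha1": {"chk_mantaince_down"}, "ha2": ALL_OK}

# Failure mode: a base-priority gap of 3 cannot be closed by one weight-2 script,
# so the VIP would stay on a node whose haproxy is down.
WIDE_GAP = {"ha1": {"VI_1": 103, "VI_2": 100}, "ha2": {"VI_1": 100, "VI_2": 103}}

if __name__ == "__main__":
    for label, state in [("healthy", healthy),
                         ("ha2 haproxy stopped", ha2_haproxy_stopped),
                         ("ha1 in maintenance", ha1_in_maintenance)]:
        print(label, vip_owners(state))
    print("wide gap, ha1 haproxy stopped", vip_owners(ha1_haproxy_stopped, base=WIDE_GAP))
```

The page's values work because the base priorities differ by 1, which is less than the script weight of 2.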
