本文以LVS的DR模型做讲解,关于DR模型搭建请参考LVS集群之DR模型
使用持久连接要求:
首先在每台realserver启用ssl功能安装mod_ssl模块
需要在DIP上安装CA证书服务,然后为RIP颁发证书,然后在DIP上对防火墙打标,最后定义集群服务
实验环境:
DIP 172.18.20.126 VIP 172.18.20.128 主机名: node1.com
RIP1 172.18.20.125 主机名: node2.com RIP2 172.18.20.124 主机名: node3.com
DIP配置成CA服务器:
[root@node1 ~]# cd /etc/pki/CA 切换到CA证书目录
[root@node1 CA]# less /etc/pki/tls/openssl.cnf 阅读模板文件,里面详细讲解配置参数及格式
[root@node1 CA]# (umask 077;openssl genrsa 2048 > private/cakey.pem) 生成私钥
Generating RSA private key,2048 bit long modulus
....................+++
..................................................................................+++
e is 65537 (0x10001)
[root@node1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
生成请求新证书类型为x509,指定key文件,输出为证书信息文件,指定证书有效天数
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN 填写国家
State or Province Name (full name) []:GD 填写省份
Locality Name (eg, city) [Default City]:SZ 填写市县
Organization Name (eg, company) [Default Company Ltd]:Test 填写机构名称
Organizational Unit Name (eg, section) []:Tech 填写部门
Common Name (eg, your name or your server's hostname) []:node.com 填写CA主机名称
Email Address []:admin@node.com 填写邮箱
[root@node1 CA]# touch index.txt 创建数据索引文件
[root@node1 CA]# echo 01 > serial 创建序列号 RIP1配置:
[root@node2 ~]# mkdir /etc/httpd/conf/ssl 在RIP1上创建ssl目录
[root@node2 ~]# cd /etc/httpd/conf/ssl 切换到ssl目录
[root@node2 ssl]# (umask 077;openssl genrsa 2048 > httpd.key) 生成私钥
Generating RSA private key, 2048 bit long modulus
..........................+++
......................................................+++
e is 65537 (0x10001)
[root@node2 ssl]# openssl req -new -key httpd.key -out httpd.csr
生成证书请求,指定key文件,输出请求文件格式为csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN 填写国家
State or Province Name (full name) []:GD 填写省份
Locality Name (eg, city) [Default City]:SZ 填写市县
Organization Name (eg, company) [Default Company Ltd]:Test 填写机构名称,需与CA一致
Organizational Unit Name (eg, section) []:Tech 填写部门
Common Name (eg, your name or your server's hostname) []:node2.com
填写主机名或IP,必须与使用证书主机一致.
如使用IP则SSL只能使用IP,如使用主机名则SSL只能使用主机名,使用其它均不能使用SSL
Email Address []:admin@node2.com 填写邮箱
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:linux 填写证书密码
An optional company name []:node2 填写公司名称
CA为RIP签署证书:
[root@node1CA]#scp 172.18.20.125:/etc/httpd/conf/ssl/httpd.csr /tmp 复制RIP1证书请求至本地
[root@node1 CA]# openssl ca -in /tmp/httpd.csr -out httpd.crt -days 365
指定请求文件,签署证书,格式为crt,指定签署证书有效天数
[root@node1 CA]# scp httpd.crt 172.18.20.125:/etc/httpd/conf/ssl/ 复制证书至RIP1
[root@node1 CA]# scp -rp 172.18.20.125:/etc/httpd/conf/ssl/ /tmp/ 复制RIP1SSL目录至本地
[root@node1 CA]# scp -rp /tmp/ssl/ 172.18.20.124:/etc/httpd/conf/ 复制SSL目录至RIP2
[root@node2 ssl]# vim /etc/httpd/conf.d/ssl.conf 修改RIP1SSL配置
SSLCertificateFile /etc/httpd/conf/ssl/httpd.crt 指定证书路径
SSLCertificateKeyFile /etc/httpd/conf/ssl/httpd.key 指定密钥路径
[root@node2 ssl]# httpd -t 使用httpd测试配置文件是否有错
[root@node2 ssl]# service httpd restart 重启httpd服务
[root@node2 ssl]# netstat -tuanlp | grep -E "80|443" 查看80、443端口是否启用
[root@node3 ssl]# vim /etc/httpd/conf.d/ssl.conf 修改RIP2SSL配置
SSLCertificateFile /etc/httpd/conf/ssl/httpd.crt 指定证书路径
SSLCertificateKeyFile /etc/httpd/conf/ssl/httpd.key 指定密钥路径
[root@node3 ssl]# httpd -t 使用httpd测试配置文件是否有错
[root@node3 ssl]# service httpd restart 重启httpd服务
[root@node3 ssl]# netstat -tuanlp | grep -E "80|443" 查看80、443端口是否启用
DIP配置集群服务:
[root@node1 CA]# iptables -t mangle -A PREROUTING -d 172.18.20.128 -p tcp --dport 80 -j MARK --set-mark 10
[root@node1 CA]# iptables -t mangle -A PREROUTING -d 172.18.20.128 -p tcp --dport 443 -j MARK --set-mark 10
使用iptables将80、443端口进行标记
[root@node1 CA]# ipvsadm -A -f 10 -s wlc -p 创建集群,-f指定标记,-s指定集群算法,-p使用标记
[root@node1 CA]# ipvsadm -a -f 10 -r 172.18.20.124 -g -w 1 为集群添加RIP,指定DR模型,指定权重
[root@node1 CA]# ipvsadm -a -f 10 -r 172.18.20.125 -g -w 2
[root@node1 CA]# ipvsadm -L -n 查看集群情况
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
FWM 10 wlc persistent 360 标记为10,算法为wlc,标记时长默认360秒
-> 172.18.20.124:0 Route 1 0 0
-> 172.18.20.125:0 Route 2 1 217
[root@node1 CA]# ipvsadm -L -n --rate --stats 查看集群情况,具体显示速率、统计信息
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Conns InPkts OutPkts InBytes OutBytes
-> RemoteAddress:Port 结果显示所有80、443服务均定向至同一RIP
FWM 10 218 1470 0 208963 0
-> 172.18.20.124:0 0 0 0 0 0
-> 172.18.20.125:0 218 1470 0 208963 0
QQ群⑧:
窥视卡
雷达卡
发表于 2019-1-4 10:32:50
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡