keepalived+haproxy(SSL)实现web高可用(双主模式)

frtd

编译安装pcre


[iyunv@ha1 ha]# tar xvf pcre-8.33.tar.gz
[iyunv@ha1 ha]# cd pcre-8.33
[iyunv@ha1 pcre-8.33]# ./configure
[iyunv@ha2 pcre-8.33]# make && make install
编译安装haproxy


[iyunv@ha1 ha]# tar xvf haproxy-ss-20130912.tar.gz
[iyunv@ha1 ha]# cd haproxy-ss-20130912
[iyunv@ha1 haproxy-ss-20130912]#  make TARGET=linux2628 ARCH=i686 USE_STATIC_PCRE=1 USE_OPENSSL=1
[iyunv@ha1 haproxy-ss-20130912]# make PREFIX=/usr/local install
添加用户和组


[iyunv@ha1 ha]# groupadd -r haproxy
[iyunv@ha1 ha]# useradd -r -g haproxy haproxy
复制配置文件样例


[iyunv@ha1 ha]# mkdir /etc/haproxy
[iyunv@ha1  haproxy-ss-20130912]# cp examples/haproxy.cfg /etc/haproxy
复制启动脚本使用chkconfig管理


[iyunv@ha1 haproxy-ss-20130912]# cp examples/haproxy.init /etc/init.d/haproxy
[iyunv@ha1 ~]# chmod +x /etc/init.d/haproxy
[iyunv@ha1 ~]# ln -sv /usr/local/sbin/haproxy /usr/sbin/haproxy
`/usr/sbin/haproxy' -> `/usr/local/sbin/haproxy'
[iyunv@ha1 haproxy-ss-20130912]# chkconfig --add haproxy
[iyunv@ha1 haproxy-ss-20130912]# chkconfig haproxy on
[iyunv@ha1 ~]# vim /etc/sysconfig/rsyslog
#SYSLOGD_OPTIONS="-c 4"
SYSLOGD_OPTIONS="-c 2 -r"
[iyunv@ha1 ~]# vim /etc/rsyslog.conf
local2.*                                                /var/log/haproxy.log
[iyunv@ha1 ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
编辑配置文件


[iyunv@ha1 ~]# cat /etc/haproxy/haproxy.cfg
# this config needs haproxy-1.1.28 or haproxy-1.2.1
global
    log 127.0.0.1   local2
    maxconn 4096
    chroot /usr/local
    user        haproxy
        group       haproxy
    daemon
defaults
    mode                    http
    log                     global
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 30000
listen stats
    mode http
    bind 0.0.0.0:1080
    stats enable
    stats hide-version
    stats uri     /haproxyadmin?stats
    stats realm   Haproxy Statistics
    stats auth    admin:admin
    stats admin if TRUE
frontend http-in
    bind *:80
    mode http
    log global
    option httpclose
    option logasap
    option dontlognull
    option httplog
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    capture request  header Host len 20
    capture request  header Referer len 60
    default_backend http-servers
backend http-servers
    balance roundrobin
        server web3 172.16.100.42:80 check port 80  inter 1500 rise 3 fall 3 maxconn 2000
        server web4 172.16.100.44:80 check port 80  inter 1500 rise 3 fall 3 maxconn 2000
frontend https-in
    bind *:443 ssl crt /etc/haproxy/server.pem
    mode http
    log global
    default_backend https-servers
backend https-servers
    balance source
        server web4 172.16.100.44:80 check port 80 inter 1500 rise 3 fall 3 maxconn 2000
准备好pem格式的证书（crt格式的证书会报错）


[iyunv@ha1 ~]# cat /etc/haproxy/server.pem
-----BEGIN CERTIFICATE-----
MIIDdDCCAlygAwIBAgIBATANBgkqhkiG9w0BAQUFADCBiTELMAkGA1UEBhMCQ04x
ETAPBgNVBAgMCHNoYW5naGFpMREwDwYDVQQHDAhzaGFuZ2hhaTEOMAwGA1UECgwF
U2FuWXUxDTALBgNVBAsMBFRlY2gxFTATBgNVBAMMDGNhLnNhbnl1LmNvbTEeMBwG
CSqGSIb3DQEJARYPYWRtaW5Ac2FueXUuY29tMB4XDTEzMDgyMjE0MDEyOVoXDTE0
MDgyMjE0MDEyOVoweDELMAkGA1UEBhMCQ04xETAPBgNVBAgMCHNoYW5naGFpMQ4w
DAYDVQQKDAVTYW5ZdTENMAsGA1UECwwEVGVjaDEXMBUGA1UEAwwOc2hvcC5zYW55
dS5jb20xHjAcBgkqhkiG9w0BCQEWD2FkbWluQHNhbnl1LmNvbTCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAwih83eAjuU25k3VRvvPnHBWy6H1R8pQUyLOWURM2
QxDLaoQg2iZIsVgsRYszYnCqY9gqes+yI2lZ4b7dnF7x6Ds2feFPYNibC3kwZNAF
GXdtoEFdhSPY65YBezVAbatrA4Y6vdxrNhjTpr2xKKuk4LKjEjYjUNgUwMGP7cz8
32UCAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH
ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHAP9yGUn3hmFIoryyBx1D3T
qhu2MB8GA1UdIwQYMBaAFJ+67OvJ4fT00IH9aL7tYOKcoIr1MA0GCSqGSIb3DQEB
BQUAA4IBAQCXSWPWrYmU4fAk8neVVcHj17HiN4IGzOuGPk4aa0sMrNSMaYJ4LtAQ
muaPpChWlfMv+hVVCjaGbeRSiuGRwjYxh+FfsQK7uYKps6266jPfexYbY2jZFcdg
Wuppqm6UsfrzDRJfYzGJfY5PcRGlzmCnjibhfzcBZb6NL1bYAoCWzXdsxfiXU6Be
rgnzjpsJ4uOdBBikSlgwHHLOAEd6OKS78V6pldJEjMJjUWSfXEeQpJtO2W+rJvuG
vY467CWYpAzCgeeLWYuo+TBxW5ke/PMkBNRZ/uE7aPhVDtlMvg9wTtXG2NMg22ym
ka7872zADQQ1V03Ip6WVCmp7l7zfAaQQ
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDCKHzd4CO5TbmTdVG+8+ccFbLofVHylBTIs5ZREzZDEMtqhCDa
JkixWCxFizNicKpj2Cp6z7IjaVnhvt2cXvHoOzZ94U9g2JsLeTBk0AUZd22gQV2F
I9jrlgF7NUBtq2sDhjq93Gs2GNOmvbEoq6TgsqMSNiNQ2BTAwY/tzPzfZQIDAQAB
AoGAcehxAXbLXp6j/kf5Eo9jik2MretAFZIc83aw/JXJ4uTKgo5L+9A0G5+AMbiu
B9XTkUoz+eM6Pp5DNjbVKzVks/WrK//LxRFLveKkj7wG3p2CMxckRqQDwFI6aAWy
fztzOBYDcTZ8mTDgJRPPsHVMB0HHioT29RctrcQ318a63cECQQDnS4rav/5LjFE3
Tbqw/Pv0evdfWMQMcstdv82lsbZcvXEesq/hZgicTgJFPkVwJoAOFQRg2YTz4/QK
190qSIR1AkEA1uV8NEG0erctlm8+HXg8DoLTOEyjJ4JT37zs+qn9BoAc7RWNc6Jd
rNMoPh473bXIem4UWtP5HN3TbroP/hjRMQJAEStxblWsSe1rpgBWKIdPKNHsBR7w
xr/KyvXPDUrI7898UzwOhFvvrbK4xm0d+HpTLThwL8RV80jrt9ZYa6ggdQJAGh+1
tKiUJyLjkNkfJPf73Qu8X6i5YNEwHw/ZgzNtBgBHA+9NzdPcLWlSCBMm1fIGWBPP
t6bzLrYswNYvoYUk0QJBANXdSSLPNV9lxK7qfv24xlQWbhzTQ/J0uHwqz8Qkge1U
0zcowzJstqTclr7LWd0ePm79GfJcP/fzxo+s3uLqxQM=
-----END RSA PRIVATE KEY-----
[iyunv@ha1 ~]# service haproxy start
Starting haproxy:                                          [  OK  ]
测试：

web4上停止httpd服务：


[iyunv@web4 ~]# service httpd stop
Stopping httpd:                                            [  OK  ]

https已不能访问（backend https-servers只定义了web4），但http仍能正常访问




ha2上haproxy安装完毕后


[iyunv@ha1 ~]# scp /etc/haproxy/{haproxy.cfg,server.pem} 172.16.100.72:/etc/haproxy/
[iyunv@ha2 ~]# service haproxy start
Starting haproxy:                                          [  OK  ]
测试,

keepalived提供haproxy高可用


[iyunv@ha1 keepalived]# cat keepalived.conf
! Configuration File for keepalived

global_defs {
   notification_email {
         root@sanyu.com
   }
   notification_email_from kanotify@sanyu.com
   smtp_connect_timeout 3
   smtp_server 127.0.0.1
   router_id LVS_DEVEL
}
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 1
    weight 2
}
vrrp_script chk_mantaince_down {
   script "[[ -f /etc/keepalived/down ]] && exit 1 || exit 0"
   interval 1
   weight 2
}
vrrp_instance VI_1 {
    interface eth0
    state MASTER  # BACKUP for slave routers
    priority 101  # 100 for BACKUP
    virtual_router_id 70
    garp_master_delay 1

    authentication {
        auth_type PASS
        auth_pass password
    }
    track_interface {
       eth0  
    }
    virtual_ipaddress {
        172.16.100.70/16 dev eth0 label eth0:0
    }
    track_script {
        chk_haproxy
        chk_mantaince_down
    }
}
vrrp_instance VI_2 {
    interface eth0
    state BACKUP  # BACKUP for slave routers
    priority 100  # 100 for BACKUP
    virtual_router_id 79
    garp_master_delay 1

    authentication {
        auth_type PASS
        auth_pass password
    }
    track_interface {
       eth0  
    }
    virtual_ipaddress {
        172.16.100.79/16 dev eth0 label eth0:1
    }
    track_script {
        chk_haproxy
        chk_mantaince_down
    }  
}


[iyunv@ha1 keepalived]# diff keepalived.conf keepalived.conf.ha2
25,26c25,26
<     state MASTER  # BACKUP for slave routers
<     priority 101  # 100 for BACKUP
---
>     state BACKUP  # BACKUP for slave routers
>     priority 100  # 100 for BACKUP
48,49c48,49
<     state BACKUP  # BACKUP for slave routers
<     priority 100  # 100 for BACKUP
---
>     state MASTER  # BACKUP for slave routers
>     priority 101  # 100 for BACKUP
[iyunv@ha1 ~]# scp /etc/keepalived/keepalived.conf.ha2 172.16.100.72:/etc/keepalived/keepalived.conf
[iyunv@ha1 ~]# service keepalived start
Starting keepalived:                                       [  OK  ]
[iyunv@ha2 ~]# service keepalived start
Starting keepalived:                                       [  OK  ]



故障转移：


[iyunv@ha2 ~]# service haproxy stop
Shutting down haproxy:                                     [  OK  ]
vip漂到了ha1上

gaohan

我喜欢孩子，更喜欢造孩子的过程!

cnq

我本非随便的人，但如果你想随便，那我就随你的便好啦！

chunjihong

男人偷腥时的智商仅次于爱因斯坦!

gaojinguan

微机原理闹危机，随机过程随机过，实变函数学十遍，汇编语言不会编！

linuxx

我不怕生命有挫折，就怕回忆会有皱褶。

qmya00

〆.﹏微小的幸福就在身边，容易满足就是天堂...