# Configuring load balancing in NAT and DR modes

## Environment
| Host | DIP | VIP | Packages to install | OS version |
|---|---|---|---|---|
| client | 192.168.100.140 | | | RedHat 8 |
| DR | 192.168.100.141 | 192.168.10.250 | ipvsadm | RedHat 8 |
| RS1 | 192.168.100.142 | | httpd | RedHat 8 |
| RS2 | 192.168.100.143 | | httpd | RedHat 8 |
Preparation:

DR:

```console
[root@DR ~]# systemctl disable --now firewalld
[root@DR ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
[root@DR ~]# setenforce 0
[root@DR ~]# yum -y install ipvsadm
```

RS1:

```console
[root@RS1 ~]# systemctl disable --now firewalld
[root@RS1 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
[root@RS1 ~]# setenforce 0
[root@RS1 ~]# yum -y install httpd net-tools
[root@RS1 ~]# systemctl enable --now httpd
[root@RS1 ~]# echo lvs-web1 > /var/www/html/index.html
```

RS2:

```console
[root@RS2 ~]# systemctl disable --now firewalld
[root@RS2 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
[root@RS2 ~]# setenforce 0
[root@RS2 ~]# yum -y install httpd net-tools
[root@RS2 ~]# systemctl enable --now httpd
[root@RS2 ~]# echo lvs-web2 > /var/www/html/index.html
```
## Enable IP forwarding

```console
[root@DR ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@DR ~]# sysctl -p
net.ipv4.ip_forward = 1
```
## Add and save rules

```console
[root@DR network-scripts]# ipvsadm -A -t 192.168.100.100:80 -s wrr
[root@DR network-scripts]# ipvsadm -a -t 192.168.100.100:80 -r 192.168.100.142 -g
[root@DR network-scripts]# ipvsadm -a -t 192.168.100.100:80 -r 192.168.100.143 -g
[root@DR network-scripts]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.100.100:80 wrr
  -> 192.168.100.142:80           Route   1      0          0
  -> 192.168.100.143:80           Route   1      0          0
[root@DR network-scripts]# ipvsadm -S > /etc/sysconfig/ipvsadm
[root@DR network-scripts]# systemctl enable --now ipvsadm
```
## Access test

```console
[root@client ~]# curl 192.168.10.100
lvs-web2
[root@client ~]# curl 192.168.10.100
lvs-web1
[root@client ~]# curl 192.168.10.100
lvs-web2
[root@client ~]# curl 192.168.10.100
lvs-web1
```
# Building an HTTPS load-balanced cluster in NAT mode

Build HTTPS on top of the configuration above.

## Set up the CA on the LVS server

### Generate a key pair

DR:

```console
[root@DR ~]# mkdir -p /etc/pki/CA/private
[root@DR ~]# cd /etc/pki/CA
[root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
[root@DR CA]# openssl rsa -in private/cakey.pem -pubout
```
### Generate a self-signed certificate

```console
[root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:HW
Organization Name (eg, company) [Default Company Ltd]:baozi
Organizational Unit Name (eg, section) []:baozi
Common Name (eg, your name or your server's hostname) []:baozi
Email Address []:1@2.com
[root@DR CA]# touch index.txt && echo 01 > serial
```
### RS1 generates a certificate signing request and sends it to the CA

RS1:

```console
[root@RS1 ~]# yum -y install mod_ssl
[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]# cd /etc/httpd/ssl
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
[root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:baozi
Organizational Unit Name (eg, section) []:baozi
Common Name (eg, your name or your server's hostname) []:baozi
Email Address []:1@2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@RS1 ssl]# ls
httpd.csr  httpd.key
# send the certificate signing request file to the CA
[root@RS1 ssl]# scp httpd.csr root@192.168.100.141:/root/
```
### The CA signs the certificate and sends it to RS1

DR:

```console
[root@DR ~]# mkdir /etc/pki/CA/newcerts
# index.txt is the database of issued certificates; serial tracks the serial number of the last certificate issued
[root@DR ~]# touch /etc/pki/CA/index.txt
[root@DR ~]# echo "01" > /etc/pki/CA/serial
[root@DR ~]# ls
anaconda-ks.cfg  httpd.csr
[root@DR ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May  7 15:34:00 2021 GMT
            Not After : Feb 24 15:34:00 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = cb
            organizationalUnitName    = cb
            commonName                = cb
            emailAddress              = 1@2.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C7:3B:A3:CD:87:98:12:12:CC:88:1A:ED:23:66:97:8A:66:EB:65:29
            X509v3 Authority Key Identifier:
                keyid:CD:31:DC:BD:F4:70:26:6A:EA:AA:B1:83:08:8E:E6:FB:AD:F7:0B:BA

Certificate is to be certified until Feb 24 15:34:00 2024 GMT (1024 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@DR ~]# ls
anaconda-ks.cfg  httpd.crt  httpd.csr
# the CA sends the signed certificate httpd.crt and its own certificate cacert.pem to RS1
[root@DR ~]# scp httpd.crt root@192.168.100.142:/etc/httpd/ssl
[root@DR ~]# scp /etc/pki/CA/cacert.pem root@192.168.100.142:/etc/httpd/ssl
```
## Configure HTTPS

### Send RS1's certificate and key to RS2

RS2:

```console
[root@RS2 ~]# yum -y install mod_ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl
```

RS1:

```console
[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]# scp cacert.pem httpd.crt httpd.key root@192.168.100.143:/etc/httpd/ssl
```

RS2:

```console
[root@RS2 ~]# ls /etc/httpd/ssl/
cacert.pem  httpd.crt  httpd.key
```
### Edit the HTTPS configuration file

```console
[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
...
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
...
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
# restart the service
[root@RS1 ~]# systemctl restart httpd
[root@RS1 ~]# ss -antl
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       128     *:443               *:*
LISTEN  0       128     *:80                *:*
```

```console
[root@RS2 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
...
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
...
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
# restart the service
[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# ss -antl
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       128     *:443               *:*
LISTEN  0       128     *:80                *:*
```
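An added pre-restart check, not part of the original post, for the files placed under `/etc/httpd/ssl` on RS1 and again on RS2 after the copy: it confirms that httpd.crt chains to cacert.pem, that httpd.key is the private key belonging to httpd.crt, and that the certificate is not close to expiry, so a mismatched or stale file is caught before httpd is restarted. The demo material it generates is a constructed throwaway CA and server certificate signed with one-shot `openssl x509 -req` (not the post's `openssl ca` database setup); the file names are assumed to mirror the post's.

```shell
#!/bin/sh
# check_tls_material CA_CERT SERVER_CERT SERVER_KEY
# Returns 0 only if: SERVER_CERT chains to CA_CERT, SERVER_KEY is the private
# key for SERVER_CERT, and SERVER_CERT stays valid for at least 30 more days.
check_tls_material() {
    ca=$1; crt=$2; key=$3
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt does not chain to $ca"; return 1; }
    # Compare the SubjectPublicKeyInfo from both files: a key copied from the
    # wrong host (or the wrong file) fails here even though both are valid PEM.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
        || { echo "FAIL: $key is not the private key for $crt"; return 1; }
    # -checkend N exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null \
        || { echo "FAIL: $crt expires within 30 days"; return 1; }
    echo "OK: $crt chains to $ca, matches $key, valid for more than 30 days"
}

# Constructed demo material (throwaway CA + one server certificate) in a
# temporary directory; names mirror the post's files but are assumptions.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
    -keyout "$demo_dir/cakey.pem" -out "$demo_dir/cacert.pem" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rs1" \
    -keyout "$demo_dir/httpd.key" -out "$demo_dir/httpd.csr" >/dev/null 2>&1
openssl x509 -req -days 365 -in "$demo_dir/httpd.csr" -CA "$demo_dir/cacert.pem" \
    -CAkey "$demo_dir/cakey.pem" -CAcreateserial -out "$demo_dir/httpd.crt" >/dev/null 2>&1
# An unrelated key, standing in for a key that was copied from the wrong host.
openssl genrsa -out "$demo_dir/wrong.key" 2048 >/dev/null 2>&1

check_tls_material "$demo_dir/cacert.pem" "$demo_dir/httpd.crt" "$demo_dir/httpd.key"
check_tls_material "$demo_dir/cacert.pem" "$demo_dir/httpd.crt" "$demo_dir/wrong.key" \
    || echo "(mismatch detected as expected)"
```

On a real server, run `check_tls_material /etc/httpd/ssl/cacert.pem /etc/httpd/ssl/httpd.crt /etc/httpd/ssl/httpd.key` on each RS before `systemctl restart httpd`.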
### Add and save rules

```console
# add the virtual service and its scheduler
[root@DR ~]# ipvsadm -A -t 192.168.10.250:443 -s rr
# add the real server addresses that traffic is forwarded to
[root@DR ~]# ipvsadm -a -t 192.168.10.250:443 -r 192.168.100.142 -m
[root@DR ~]# ipvsadm -a -t 192.168.10.250:443 -r 192.168.100.143 -m
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.10.250:80 rr
  -> 192.168.100.142:80           Masq    1      0          0
  -> 192.168.100.143:80           Masq    1      0          0
TCP  192.168.10.250:443 rr
  -> 192.168.100.142:443          Masq    1      0          0
  -> 192.168.100.143:443          Masq    1      0          0
# save the rules
[root@DR ~]# ipvsadm -S > /etc/sysconfig/ipvsadm
```
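An added consistency check, not from the original post, covering the rule sets saved in both the DR section (real servers added with `-g`, shown as `Route`) and this NAT section (added with `-m`, shown as `Masq`): a real server added with the wrong flag is accepted silently by ipvsadm and only shows up in the Forward column, so the script below parses `ipvsadm -Ln` output and reports any real server whose forwarding method is not the one intended for its service, and checks the ip_forward sysctl that NAT mode depends on. The `ipvsadm -Ln` text is constructed sample input with one deliberately wrong entry; `ip_forward_ok` takes a file path so it can be pointed at `/proc/sys/net/ipv4/ip_forward`.

```shell
#!/bin/sh
# Constructed sample of `ipvsadm -Ln` output, modelled on the post's services:
# VIP:80 is meant to be DR (Route) but one real server was added with -m.
SAMPLE_IPVS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.10.250:80 rr
  -> 192.168.100.142:80           Route   1      0          0
  -> 192.168.100.143:80           Masq    1      0          0
TCP  192.168.10.250:443 rr
  -> 192.168.100.142:443          Masq    1      0          0
  -> 192.168.100.143:443          Masq    1      0          0'

# check_forward_mode VIP:PORT EXPECTED  (EXPECTED is Route, Masq or Tunnel)
# Reads `ipvsadm -Ln` text on stdin, prints one line per real server of the
# given service, and returns 1 if any real server uses another method.
check_forward_mode() {
    awk -v svc="$1" -v want="$2" '
        # a TCP/UDP line opens a new virtual service; "->" lines belong to it
        $1 == "TCP" || $1 == "UDP" { cur = $2; next }
        $1 == "->" && cur == svc {
            status = ($3 == want) ? "ok" : "MISMATCH"
            printf "%s -> %s %s (%s)\n", svc, $2, $3, status
            if ($3 != want) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# ip_forward_ok PATH: true when the file holds "1" (NAT mode needs
# net.ipv4.ip_forward = 1, read here from /proc/sys/net/ipv4/ip_forward).
ip_forward_ok() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Demo run against the constructed sample: port 80 should report a mismatch.
printf '%s\n' "$SAMPLE_IPVS" | check_forward_mode 192.168.10.250:80 Route \
    || echo "port 80: at least one real server is not in DR (Route) mode"
printf '%s\n' "$SAMPLE_IPVS" | check_forward_mode 192.168.10.250:443 Masq \
    && echo "port 443: all real servers use NAT (Masq)"
```

On the director itself, pipe the live output in with `ipvsadm -Ln | check_forward_mode 192.168.10.250:443 Masq`.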
### Access test

```console
[root@client ~]# curl -k https://192.168.10.250
lvs-web2
[root@client ~]# curl -k https://192.168.10.250
lvs-web1
[root@client ~]# curl -k https://192.168.10.250
lvs-web2
[root@client ~]# curl -k https://192.168.10.250
lvs-web1
```