LVS configuration methods
Posted by 卑微小胡
Preface: this article was compiled by the editors of 小常识网 (cha138.com); it walks through LVS configuration in NAT and DR mode and is offered for reference.
NAT mode
Requirements:
Use the NAT model to build both an HTTP and an HTTPS load-balanced cluster; every real server (RS) must serve the same private key and the same certificate.
Lab environment (note: do not give the real servers two NICs; in NAT mode each RS has a single interface whose default gateway is the director's DIP, so that replies flow back through the director and get rewritten)

| | Director | Real server 1 | Real server 2 |
|---|---|---|---|
| IP | VIP: 192.168.32.128, DIP: 192.168.96.129 | 192.168.96.133 | 192.168.96.134 |
| Hostname | lvs | R1 | R2 |
Disable the firewall and put SELinux in permissive mode (a lab shortcut; on a production director you would open the VIP ports instead and keep SELinux enforcing)
#lvs
[root@lvs ~]# setenforce 0
[root@lvs ~]# systemctl disable --now firewalld
#R1
[root@R1 ~]# setenforce 0
[root@R1 ~]# systemctl disable --now firewalld
#R2
[root@R2 ~]# setenforce 0
[root@R2 ~]# systemctl disable --now firewalld
Install Apache and generate the certificate
#R1
[root@R1 ~]# dnf -y install httpd
# installation output omitted
[root@R1 ~]# systemctl start httpd
[root@R1 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 64 0.0.0.0:2049 0.0.0.0:*
LISTEN 0 128 0.0.0.0:33921 0.0.0.0:*
LISTEN 0 64 0.0.0.0:43789 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:20048 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 64 [::]:2049 [::]:*
LISTEN 0 64 [::]:34469 [::]:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:20048 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::]:49047 [::]:*
# Create the certificate. The private CA lives under /etc/pki/CA, which is the default `dir` in /etc/pki/tls/openssl.cnf on RHEL-family systems, so `openssl ca` below finds it without extra options
[root@R1 ~]# mkdir /etc/pki/CA
[root@R1 ~]# cd /etc/pki/CA
[root@R1 CA]# mkdir private
[root@R1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
......................+++++
..............................................................+++++
e is 65537 (0x010001)
[root@R1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:BWXH
Organizational Unit Name (eg, section) []:BWXH
Common Name (eg, your name or your server's hostname) []:BWXH.com
Email Address []:123@456.com
[root@R1 CA]# mkdir certs newcerts crl
[root@R1 CA]# touch index.txt && echo 01 > serial
[root@R1 CA]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
...................+++++
e is 65537 (0x010001)
[root@R1 CA]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:BWXH
Organizational Unit Name (eg, section) []:BWXH
Common Name (eg, your name or your server's hostname) []:BWXH.com
Email Address []:123@456.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:bwxh123
An optional company name []:BWXH
[root@R1 CA]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 14 15:18:22 2021 GMT
Not After : Jun 14 15:18:22 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = BWXH
organizationalUnitName = BWXH
commonName = BWXH.com
emailAddress = 123@456.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6B:2A:40:97:D3:1F:C0:03:3D:1F:68:1F:1D:38:40:75:D9:90:65:DD
X509v3 Authority Key Identifier:
keyid:AF:B5:C1:CB:3F:15:BB:04:47:FD:B9:5E:55:12:19:7C:85:12:19:04
Certificate is to be certified until Jun 14 15:18:22 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@R1 CA]# mv httpd.key httpd.crt /etc/httpd/
[root@R1 CA]# scp /etc/httpd/httpd.key 192.168.96.134:/etc/httpd/
httpd.key 100% 1675 1.3MB/s 00:00
[root@R1 CA]# scp /etc/httpd/httpd.crt 192.168.96.134:/etc/httpd/
httpd.crt 100% 4525 3.4MB/s 00:00
#R2:
[root@R2 ~]# dnf -y install httpd
# installation output omitted
[root@R2 ~]# systemctl start httpd
[root@R2 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
[root@R2 html]# ls /etc/httpd/
conf conf.d conf.modules.d httpd.crt httpd.key logs modules run state
Note: the transcript never installs mod_ssl, so neither RS listens on :443 (R2's ss output above shows only :80). Before the :443 virtual service below can serve anything, run `dnf -y install mod_ssl` on both RS, point SSLCertificateFile and SSLCertificateKeyFile in /etc/httpd/conf.d/ssl.conf at /etc/httpd/httpd.crt and /etc/httpd/httpd.key, and restart httpd.
LVS configuration
[root@lvs ~]# dnf -y install ipvsadm
# installation output omitted
# Enable IP forwarding (the director must route between the VIP and RIP networks)
[root@lvs ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@lvs ~]# sysctl -p
net.ipv4.ip_forward = 1
# Add the rules on the director and save them (-m selects NAT/masquerading for each real server)
[root@lvs ~]# ipvsadm -A -t 192.168.32.128:80 -s rr
[root@lvs ~]# ipvsadm -a -t 192.168.32.128:80 -r 192.168.96.133:80 -m
[root@lvs ~]# ipvsadm -a -t 192.168.32.128:80 -r 192.168.96.134:80 -m
[root@lvs ~]# ipvsadm -A -t 192.168.32.128:443 -s rr
[root@lvs ~]# ipvsadm -a -t 192.168.32.128:443 -r 192.168.96.134:443 -m
[root@lvs ~]# ipvsadm -a -t 192.168.32.128:443 -r 192.168.96.133:443 -m
[root@lvs ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@lvs ~]# cat /etc/sysconfig/ipvsadm
-A -t 192.168.32.128:80 -s rr
-a -t 192.168.32.128:80 -r 192.168.96.133:80 -m -w 1
-a -t 192.168.32.128:80 -r 192.168.96.134:80 -m -w 1
-A -t 192.168.32.128:443 -s rr
-a -t 192.168.32.128:443 -r 192.168.96.133:443 -m -w 1
-a -t 192.168.32.128:443 -r 192.168.96.134:443 -m -w 1
# Enable at boot. ipvsadm.service restores /etc/sysconfig/ipvsadm by itself; the rc.local line is only a fallback, and rc.local runs only if /etc/rc.d/rc.local is executable
[root@lvs ~]# systemctl enable ipvsadm
Created symlink /etc/systemd/system/multi-user.target.wants/ipvsadm.service → /usr/lib/systemd/system/ipvsadm.service.
[root@lvs ~]# echo "ipvsadm -R < /etc/sysconfig/ipvsadm" >>/etc/rc.d/rc.local
Point every RIP's default gateway at the DIP
[root@R1 CA]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.96.133
PREFIX=24
GATEWAY=192.168.96.129
DNS1=114.114.114.114
#R2
[root@R2 html]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.96.134
PREFIX=24
GATEWAY=192.168.96.129
DNS1=114.114.114.114
Test (note: the virtual services are bound to the VIP 192.168.32.128, and ipvs only intercepts packets addressed to VIP:port, so a client should request the VIP rather than the DIP used below)
[root@c1 ~]# curl 192.168.96.129
R1 # the scheduler is round-robin, so consecutive requests alternate between R1 and R2
[root@c1 ~]# curl 192.168.96.129
R2
[root@c1 ~]# curl 192.168.96.129
R1
[root@c1 ~]# curl 192.168.96.129
R2
DR mode
Install and configure httpd and generate the certificate exactly as above, and use that same certificate on both RS.
Configure the VIP and DIP on the director (here both on one interface)
[root@lb ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR0=192.168.96.129
PREFIX0=24
IPADDR1=192.168.96.128
PREFIX1=24
GATEWAY=192.168.96.2
DNS1=114.114.114.114
On each RS, first suppress ARP announcement and response for the VIP (so only the director answers ARP for it), then configure the RIP and put the VIP on the loopback. The sysctl settings must be in place before the VIP is added, otherwise the RS announces the VIP and hijacks it from the director
[root@R1 ~]# cat >> /etc/sysctl.conf <<EOF
> net.ipv4.conf.all.arp_ignore=1
> net.ipv4.conf.all.arp_announce=2
> EOF
[root@R1 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@R2 ~]# cat >> /etc/sysctl.conf <<EOF
> net.ipv4.conf.all.arp_ignore=1
> net.ipv4.conf.all.arp_announce=2
> EOF
[root@R2 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@R1 ~]# ifconfig lo:0 192.168.96.128/32 broadcast 192.168.96.128 up
[root@R1 ~]# route add -host 192.168.96.128 dev lo:0
[root@R1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.96.133
PREFIX=24
GATEWAY=192.168.96.2
DNS1=114.114.114.114
[root@R2 ~]# ifconfig lo:0 192.168.96.128/32 broadcast 192.168.96.128 up
[root@R2 ~]# route add -host 192.168.96.128 dev lo:0
[root@R2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.96.134
PREFIX=24
GATEWAY=192.168.96.2
DNS1=114.114.114.114
Add and save the rules on the director and have them loaded automatically at boot (-g selects direct routing for each real server)
[root@lb ~]# ipvsadm -A -t 192.168.96.128:80 -s rr
[root@lb ~]# ipvsadm -a -t 192.168.96.128:80 -r 192.168.96.133:80 -g
[root@lb ~]# ipvsadm -a -t 192.168.96.128:80 -r 192.168.96.134:80 -g
[root@lb ~]# ipvsadm -A -t 192.168.96.128:443 -s rr
[root@lb ~]# ipvsadm -a -t 192.168.96.128:443 -r 192.168.96.133:443 -g
[root@lb ~]# ipvsadm -a -t 192.168.96.128:443 -r 192.168.96.134:443 -g
[root@lb ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.96.128:80 rr
-> 192.168.96.134:80 Route 1 0 0
-> 192.168.96.133:80 Route 1 0 0
TCP 192.168.96.128:443 rr
-> 192.168.96.134:443 Route 1 0 0
-> 192.168.96.133:443 Route 1 0 0
[root@lb ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
# Load the saved rules at boot with -R (restore); writing "-Sn >" here would overwrite the file with the empty table present at startup
[root@lb ~]# echo "ipvsadm -R < /etc/sysconfig/ipvsadm" >>/etc/rc.d/rc.local
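Both sections save the rules with `ipvsadm -Sn` and rely on `ipvsadm -R` to load them at boot, and in both the rule lists were typed by hand. As an added example that is not from the original post, and that serves the NAT rules earlier as well as the DR rules here, the script below lints a saved rule file offline before it is restored. It uses the NAT rule set saved on this page as a clean sample and a constructed DR rule set with deliberate mistakes as a failing one; the function names and the check list are this example's own, and it assumes IPv4 services.

```shell
#!/bin/sh
# Added example, not from the original post: lint a saved ipvsadm rule file
# (the "ipvsadm -Sn" format used by /etc/sysconfig/ipvsadm) before loading it
# with "ipvsadm -R". Text-only, so it runs without ip_vs or root. IPv4 only.
set -u

# lint_ipvs_rules FILE: one finding per line, exit 0 when clean, 1 otherwise.
# Checks: every -a refers to a declared -A service; every -a carries a
# forwarding flag (-m NAT, -g DR, -i TUN); a service does not mix forwarding
# methods; a DR (-g) real server uses the VIP's port, because DR cannot
# rewrite ports; every service has at least one real server.
lint_ipvs_rules() {
    awk '
    BEGIN { bad = 0 }
    $1 == "-A" { svc[$3] = 1; count[$3] = 0; next }
    $1 == "-a" {
        vip = $3; rs = $5; fwd = ""
        for (i = 6; i <= NF; i++)
            if ($i == "-m" || $i == "-g" || $i == "-i") fwd = $i
        if (!(vip in svc)) { print "no -A service for real server " rs " on " vip; bad = 1 } else count[vip]++
        if (fwd == "") { print "no forwarding method (-m/-g/-i) for " rs; bad = 1 }
        if ((vip in method) && method[vip] != fwd) { print "mixed forwarding methods on " vip; bad = 1 }
        method[vip] = fwd
        split(vip, v, ":"); split(rs, r, ":")
        if (fwd == "-g" && v[2] != r[2]) { print "DR real server " rs " uses a port other than the VIP port " v[2]; bad = 1 }
        next
    }
    END {
        for (s in svc) if (count[s] == 0) { print "service " s " has no real server"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample: the NAT rule set saved on this page (expected clean).
write_nat_sample() {
    cat > "$1" <<'EOF'
-A -t 192.168.32.128:80 -s rr
-a -t 192.168.32.128:80 -r 192.168.96.133:80 -m -w 1
-a -t 192.168.32.128:80 -r 192.168.96.134:80 -m -w 1
-A -t 192.168.32.128:443 -s rr
-a -t 192.168.32.128:443 -r 192.168.96.133:443 -m -w 1
-a -t 192.168.32.128:443 -r 192.168.96.134:443 -m -w 1
EOF
}

# Constructed sample: a hand-edited DR rule set with three mistakes: a DR
# real server on port 8080 behind VIP port 80, a service mixing -m and -g,
# and a real server for a :8443 service that was never declared.
write_bad_dr_sample() {
    cat > "$1" <<'EOF'
-A -t 192.168.96.128:80 -s rr
-a -t 192.168.96.128:80 -r 192.168.96.133:80 -g -w 1
-a -t 192.168.96.128:80 -r 192.168.96.134:8080 -g -w 1
-A -t 192.168.96.128:443 -s rr
-a -t 192.168.96.128:443 -r 192.168.96.133:443 -m -w 1
-a -t 192.168.96.128:443 -r 192.168.96.134:443 -g -w 1
-a -t 192.168.96.128:8443 -r 192.168.96.133:8443 -g -w 1
EOF
}

# Usage: sh lint_ipvs.sh /etc/sysconfig/ipvsadm && ipvsadm -R < /etc/sysconfig/ipvsadm
if [ "${1:-}" ]; then
    lint_ipvs_rules "$1" && echo "$1: ok"
fi
```

Run it on the director against /etc/sysconfig/ipvsadm; a clean exit is the precondition for `ipvsadm -R`, and each finding names the real server or service that needs fixing.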
Test (the same caveat as in NAT mode: the services are bound to the VIP 192.168.96.128, so a client should request the VIP rather than the 192.168.96.129 address used below)
[root@c1 ~]# curl 192.168.96.129
R1
[root@c1 ~]# curl 192.168.96.129
R2
[root@c1 ~]# curl 192.168.96.129
R2
[root@c1 ~]# curl 192.168.96.129
R1
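Both tests above request the director's other address rather than the VIP the virtual services are bound to (192.168.32.128 in NAT mode, 192.168.96.128 in DR mode), and neither touches the HTTPS service that was the point of the exercise. As an added example (not part of the original post, serving the NAT test earlier as well as this one), the script below probes the VIP over HTTP and HTTPS, validates the TLS connection against the lab CA, tallies which RS answered, and confirms that every connection sees the same certificate. Assumptions: each RS's index page returns its hostname (R1 or R2, as in the transcripts), cacert.pem from the CA step is in the current directory, BWXH.com is the certificate's name, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Hit the cluster through the VIP
# (the only address the ipvs rules match), over HTTP and HTTPS, and check that
# every RS answers and that they all present the same certificate.
# Assumptions: each RS's index page returns its hostname (R1/R2 as on this
# page), cacert.pem is in the current directory, BWXH.com is the cert's name.
set -u

HOST=BWXH.com          # certificate name, resolved to the VIP via --resolve
CA=${CA:-./cacert.pem} # the lab CA that signed httpd.crt

# probe_vip VIP COUNT [https]: print the body (backend name) of COUNT
# requests, "ERR" for a failed or timed-out request.
probe_vip() {
    vip=$1; n=$2; i=0
    while [ "$i" -lt "$n" ]; do
        if [ "${3:-}" = https ]; then
            body=$(curl -s --max-time 3 --cacert "$CA" \
                   --resolve "$HOST:443:$vip" "https://$HOST/") || body=ERR
        else
            body=$(curl -s --max-time 3 "http://$vip/") || body=ERR
        fi
        printf '%s\n' "${body:-ERR}"
        i=$((i + 1))
    done
}

# probe_tls_fingerprints VIP COUNT: one SHA-256 certificate fingerprint per
# TLS connection. With the same key and certificate on every RS, all lines match.
probe_tls_fingerprints() {
    i=0
    while [ "$i" -lt "$2" ]; do
        openssl s_client -connect "$1:443" -servername "$HOST" </dev/null 2>/dev/null \
            | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
        i=$((i + 1))
    done
}

# tally_backends: read one backend name per line on stdin, print "name count"
# per backend, return 1 if any request failed or fewer than two distinct
# backends answered (round-robin across two RS must reach both).
tally_backends() {
    sort | uniq -c | awk '
        { printf "%s %d\n", $2, $1; if ($2 == "ERR") err = 1; else distinct++ }
        END { if (err || distinct < 2) exit 1 }'
}

# Usage: sh lvs_check.sh <VIP> [requests]
if [ "${1:-}" ]; then
    vip=$1; n=${2:-10}
    echo "HTTP via $vip:";  probe_vip "$vip" "$n" | tally_backends || echo "HTTP: failing or not balanced"
    echo "HTTPS via $vip:"; probe_vip "$vip" "$n" https | tally_backends || echo "HTTPS: failing or not balanced"
    if [ "$(probe_tls_fingerprints "$vip" "$n" | sort -u | wc -l)" -eq 1 ]; then
        echo "every connection presented the same certificate"
    else
        echo "certificate differs between connections: the RS do not share a certificate"
    fi
fi
```

Run it from a client outside the RS network, e.g. `sh lvs_check.sh 192.168.32.128 20` for the NAT setup; an "ERR" entry in the tally means a request never came back through the director, which in NAT mode usually means an RS whose gateway is not the DIP, and in DR mode an RS still answering ARP for the VIP.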