keepalived high availability + nginx TLS certificate reverse proxy
Posted by 小武初名
Installing nginx
yum -y install gcc pcre-devel openssl-devel   # install the build dependencies
wget http://nginx.org/download/nginx-1.12.2.tar.gz   # (alternatively, configure the Aliyun yum repo and install with yum)
tar -xf nginx-1.12.2.tar.gz
cd nginx-1.12.2
# --prefix: install path; --user/--group: the account nginx workers run as
# (create it first if it does not exist: useradd -r -s /sbin/nologin nginx);
# --with-http_ssl_module: enable SSL/TLS support.
# A comment cannot follow the trailing backslash on a continued line, so the
# options are explained here instead.
./configure \
    --prefix=/usr/local/nginx \
    --user=nginx \
    --group=nginx \
    --with-http_ssl_module
make && make install   # build and install (install make first if it is missing)
nginx configuration and usage
cat /etc/nginx/conf.d/default.conf   # this is the path on production host 156; files in conf.d/ are included by the main config and take effect exactly as if written there
server {
    listen 80;                                       # plain HTTP on port 80
    server_name www.chengshizhichuang.com cszc.top;  # domain names
    client_max_body_size 100M;
    location / {
        proxy_pass http://192.168.1.134/;            # www.chengshizhichuang.com / cszc.top are forwarded to this host
    }
    # Set at server level, so every location in this server inherits them:
    # the backend sees the original Host and the real client address.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location /pay/ {
        proxy_pass http://192.168.1.212:21612/pay/;          # .../pay is forwarded to this host
    }
    location /publicgood/ {
        proxy_pass http://192.168.1.212:21612/publicgood/;   # same as above
    }
    location /shared/ {
        proxy_pass http://192.168.1.212:21612/shared/;       # same as above
    }
    location /zhyl/ {
        proxy_pass http://192.168.1.121:12102/zhyl/;         # same as above
    }
    # location /pay/static/ {
    #     proxy_pass http://192.168.1.212:21612/pay/static/;   # same as above
    # }
}
server {
    # Port 443 serves the site with the certificate (encrypted). Visiting the
    # bare domain does NOT redirect to https automatically; you have to type
    # https:// by hand. The forwarding done earlier was not repeated here
    # because some of the port 80 forwards could not be carried over.
    listen 443;
    server_name www.chengshizhichuang.com cszc.top;
    client_max_body_size 100M;
    ssl on;   # newer nginx versions replace this with "listen 443 ssl;"
    ssl_certificate /etc/nginx/ssl/www.chengshizhichuang.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www.chengshizhichuang.com.rsa;
    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are broken and are not built into modern OpenSSL, so in
    # practice only TLSv1 is negotiated here; TLSv1.2/1.3 should be used instead.
    ssl_protocols SSLv2 SSLv3 TLSv1;
    # nginx's old default cipher string; it still allows RC4, LOW and EXPORT ciphers.
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://192.168.1.134/;
    }
    location /pay/ {
        proxy_pass http://192.168.1.212:21612/pay/;
    }
    location /zhyl/ {
        proxy_pass http://192.168.1.121:12102/zhyl/;
    }
    location /shared/ {
        proxy_pass http://192.168.1.212:21612/shared/;
    }
}
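The port 443 block above enables SSLv2/SSLv3 with a cipher list that still includes RC4 and LOW-strength suites, omits the proxy headers that the port 80 block sets, and leaves port 80 serving in the clear. The following is an added hardened counterpart (example config written for this edit, not from the original post): it keeps the page's domains, backends and certificate paths, redirects HTTP to HTTPS, restricts protocols to TLS 1.2/1.3 with AEAD ciphers only, and passes the client headers to every backend. It assumes a newer nginx (1.13+) built against OpenSSL 1.1.1+; on the 1.12.2 build from this page, drop TLSv1.3 from ssl_protocols.

```nginx
# Hardened replacement for the two server blocks above (added example).
server {
    listen 80;
    server_name www.chengshizhichuang.com cszc.top;
    # Never serve the application in clear text: send every plain-HTTP
    # request to the HTTPS site, preserving host and path.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;                     # replaces the older "ssl on;"
    server_name www.chengshizhichuang.com cszc.top;
    client_max_body_size 100M;

    ssl_certificate     /etc/nginx/ssl/www.chengshizhichuang.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www.chengshizhichuang.com.rsa;

    # SSLv2/SSLv3/TLSv1.0/1.1 are broken or deprecated: allow TLS 1.2 and 1.3 only.
    # (Remove TLSv1.3 when running nginx 1.12.2 / OpenSSL 1.0.x.)
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only; no RC4, no CBC, no EXPORT/LOW grades.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;      # every listed suite is acceptable; let the client choose
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;            # avoid long-lived ticket keys that weaken forward secrecy

    # Tell browsers to use HTTPS for this host for the next year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # The port 80 block set these but the original 443 block did not; backends
    # need them to see the real client address, original host and scheme.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Same backends as the page; /publicgood/ was on port 80 but missing from 443.
    location /            { proxy_pass http://192.168.1.134/; }
    location /pay/        { proxy_pass http://192.168.1.212:21612/pay/; }
    location /publicgood/ { proxy_pass http://192.168.1.212:21612/publicgood/; }
    location /shared/     { proxy_pass http://192.168.1.212:21612/shared/; }
    location /zhyl/       { proxy_pass http://192.168.1.121:12102/zhyl/; }
}
```

Run `nginx -t` before reloading, and only add the Strict-Transport-Security header once every name on the certificate is meant to be HTTPS-only, because browsers will refuse plain HTTP for those hosts until max-age expires.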
Installing and configuring Keepalived
yum -y install keepalived
vim /etc/keepalived/keepalived.conf
global_defs {
    notification_email {
        acassen@firewall.loc
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 192.168.200.1
    smtp_connect_timeout 30
    router_id 112
    vrrp_skip_check_adv_addr
    # Strict RFC compliance. With a priority below 255 this also makes keepalived
    # refuse (via iptables rules) packets addressed to the VIP on the master, a
    # frequent cause of "the VIP does not answer"; if that happens, remove this
    # line or add "accept" to the vrrp_instance.
    vrrp_strict
    vrrp_garp_interval 0
    vrrp_gna_interval 0
}
vrrp_script chk_http_port {
    script "/opt/chk_nginx.sh"   # the script that monitors nginx (defined below)
    interval 2                    # run every 2 seconds
    weight -5                     # subtract 5 from the priority while the check fails
    fall 2                        # 2 consecutive failures mark the check as failed
    rise 1                        # 1 success marks it healthy again
}
vrrp_instance VI_1 {
    state MASTER                  # set this to BACKUP on the standby server
    interface eth0                # use "ip a" to find your interface name
    virtual_router_id 51
    priority 100                  # priority; the standby must not be higher than the master
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.157/24          # the virtual IP (VIP)
    }
    track_script {
        chk_http_port
    }
}
On both the master and the backup server, create the nginx_check.sh script (the keepalived config above references it as /opt/chk_nginx.sh, so the file name and path must match that script line) and make it executable with chmod +x /opt/chk_nginx.sh.
keepalived runs it periodically to check the state of the nginx service: if nginx has stopped, the script tries to start it again; if the restart fails, it kills the keepalived process so that the VIP fails over to the backup machine.
vim /opt/chk_nginx.sh
#!/bin/bash
# Count running nginx processes; 0 means nginx is down.
counter=$(ps -C nginx --no-heading | wc -l)
if [ "${counter}" = "0" ]; then
    /usr/sbin/nginx      # try to restart nginx (use /usr/local/nginx/sbin/nginx for the source build above)
    sleep 2              # wait 2 seconds for it to come up
    counter=$(ps -C nginx --no-heading | wc -l)
    if [ "${counter}" = "0" ]; then
        killall keepalived   # restart failed: kill keepalived so the VIP fails over to the backup node
    fi
fi
chmod +x /opt/chk_nginx.sh
systemctl start keepalived.service   # start keepalived
ip a                                 # check whether the VIP is bound alongside the local IP
If keepalived is stopped, the VIP moves over to the other server.