LVS的NAT和DR模式下http负载均衡

环境说明:

主机名  IP  职责
localhost DIP:192.168.44.128   VIP:192.168.163.250 调度器
node2 192.168.44.129 服务器(RS)
node3 192.168.44.130 服务器(RS)

LVS的NAT模式实现http负载均衡

(NAT模式下调度器要有两块位于不同网段的网卡,且RS的网关要指向调度器的DIP)

//配置作为调度器的localhost
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:b5:30:0b brd ff:ff:ff:ff:ff:ff
    inet 192.168.44.128/24 brd 192.168.44.255 scope global dynamic noprefixroute eth0
       valid_lft 954sec preferred_lft 954sec
    inet6 fe80::3abf:3271:9b0e:fc06/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:b5:30:15 brd ff:ff:ff:ff:ff:ff
    inet 192.168.163.129/24 brd 192.168.163.255 scope global dynamic noprefixroute eth1
       valid_lft 954sec preferred_lft 954sec
    inet6 fe80::4801:eaae:c044:e6a4/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

//配置调度器的dip
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE="Ethernet"
BOOTPROTO="static"
NAME="eth0"
UUID="0a3ca56e-efb2-4610-9095-1b1942f240c0"
DEVICE="eth0"
ONBOOT="yes"
IPADDR=192.168.44.128
NETMASK=255.255.255.0

//配置调度器(DR)的VIP(此时实验环境并不需要配置网关)
[root@localhost ~]# cp /etc/sysconfig/network-scripts/ifcfg-ens160 /etc/sysconfig/network-scripts/ifcfg-ens161
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens161
TYPE="Ethernet"
BOOTPROTO="static"
NAME="eth1"
DEVICE="eth1"
ONBOOT="yes"
IPADDR=192.168.163.250
NETMASK=255.255.255.0
[root@localhost ~]# systemctl restart NetworkManager
[root@localhost ~]# ifdown ens160;ifup ens160
[root@localhost ~]# ifdown ens161;ifup ens161
[root@localhost ~]# yum -y install ipvsadm


//配置作为RS的node2
[root@node2 ~]# systemctl stop firewalld
[root@node2 ~]# setenforce 0
[root@node2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE="Ethernet"
BOOTPROTO=none
NAME="ens160"
UUID="c54bed09-7878-4374-b05f-d1e60c00f45a"
DEVICE="ens160"
ONBOOT="yes"
IPADDR=192.168.44.129
NETMASK=255.255.255.0
GATEWAY=192.168.44.128
DNS1=114.114.114.114
[root@node2 ~]# systemctl restart NetworkManager
[root@node2 ~]# ifdown ens160;ifup ens160
[root@node2 ~]# yum -y install httpd
[root@node2 ~]# systemctl start httpd

//配置作为RS的node3
[root@node3 ~]# systemctl stop firewalld
[root@node3 ~]# setenforce 0
[root@node3 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE="Ethernet"
BOOTPROTO=none
NAME="ens160"
UUID="6e78e498-f57d-41f9-bc2e-2de83d77b4ec"
DEVICE="ens160"
ONBOOT="yes"
IPADDR=192.168.44.130
NETMASK=255.255.255.0
GATEWAY=192.168.44.128
DNS1=114.114.114.114
[root@node3 ~]# systemctl restart NetworkManager
[root@node3 ~]# ifdown ens160;ifup ens160
[root@node3 ~]# yum -y install httpd
[root@node3 ~]# systemctl start httpd


//在调度器上开启IP转发功能
[root@localhost ~]# vim /etc/sysctl.conf

//在文件最后面加入下面这行
net.ipv4.ip_forward = 1

[root@localhost ~]# sysctl -p
//在调度器上添加并保存规则
[root@localhost ~]# ipvsadm -A -t 192.168.163.250:80 -s rr
[root@localhost ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.163.250:80 rr
[root@localhost ~]# ipvsadm -a -t 192.168.163.250:80 -r 192.168.44.129:80 -m
[root@localhost ~]# ipvsadm -a -t 192.168.163.250:80 -r 192.168.44.130:80 -m
[root@localhost ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@localhost ~]# systemctl enable ipvsadm
[root@localhost ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.163.250:80 rr
  -> 192.168.44.129:80            Masq    1      1          0         
  -> 192.168.44.130:80            Masq    1      0          1 


//验证,为了实验效果故意使两个服务器的网页不一样
[root@node2 ~]# echo 'RS1' > /var/www/html/index.html
[root@node3 ~]# echo 'RS2' > /var/www/html/index.html
[root@localhost ~]# curl http://192.168.163.250
RS1
[root@localhost ~]# curl http://192.168.163.250
RS2

LVS的NAT模式实现https负载均衡

//在调度器上生成一对密钥
[root@localhost ~]# mkdir -p /etc/pki/CA/private
[root@localhost ~]# yum -y install expect
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)

[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout

//生成自签名的CA证书
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:csl
Organizational Unit Name (eg, section) []:csl
Common Name (eg, your name or your server's hostname) []:csl
Email Address []:1@2.com

//在node2上配置
[root@node2 ~]# yum -y install mod_ssl
[root@node2 ~]# mkdir /etc/httpd/ssl
[root@node2 ~]# cd /etc/httpd/ssl
[root@node2 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)

//在node2上生成证书签署请求(要和之前调度器上生成CA证书时填的内容一样,否则 openssl ca 的默认策略会拒绝签署)
[root@node2 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:csl
Organizational Unit Name (eg, section) []:csl
Common Name (eg, your name or your server's hostname) []:csl
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node2 ssl]# ls
httpd.csr  httpd.key

//把证书签署请求文件发送给CA
[root@node2 ssl]# scp httpd.csr root@192.168.44.128:/root

//调度器(CA)签署证书并发给RS
[root@localhost ~]# mkdir /etc/pki/CA/newcerts
[root@localhost ~]# touch /etc/pki/CA/index.txt
[root@localhost ~]# echo "01" > /etc/pki/CA/serial
[root@localhost ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 1024

[root@localhost ~]# ls
anaconda-ks.cfg  httpd.crt  httpd.csr

//调度器把签署好的证书httpd.crt和CA证书cacert.pem发给RS(node2)
[root@localhost ~]# scp httpd.crt root@192.168.44.129:/etc/httpd/ssl
[root@localhost ~]# scp /etc/pki/CA/cacert.pem root@192.168.44.129:/etc/httpd/ssl

//配置node3的https(直接从node2复制证书和私钥)
[root@node3 ~]# yum -y install mod_ssl
[root@node3 ~]# mkdir /etc/httpd/ssl 
[root@node2 ssl]# scp cacert.pem httpd.crt httpd.key root@192.168.44.130:/etc/httpd/ssl


//在node3上查看
[root@node3 ~]# ls /etc/httpd/ssl/
cacert.pem  httpd.crt  httpd.key

//在node2上修改https配置文件
[root@node2 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt

SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

SSLCACertificateFile /etc/httpd/ssl/cacert.pem

//重启服务
[root@node2 ~]# systemctl restart httpd

//在node3上修改https配置文件
[root@node3 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt

SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

SSLCACertificateFile /etc/httpd/ssl/cacert.pem

//重启服务
[root@node3 ~]# systemctl restart httpd

//在DR上配置规则并保存     
[root@localhost ~]# ipvsadm -A -t 192.168.163.250:443 -s rr
[root@localhost ~]# ipvsadm -a -t 192.168.163.250:443 -r 192.168.44.129 -m
[root@localhost ~]# ipvsadm -a -t 192.168.163.250:443 -r 192.168.44.130 -m
[root@localhost ~]# ipvsadm -S > /etc/sysconfig/ipvsadm

//测试
[root@localhost ~]# curl -k https://192.168.163.250
RS1
[root@localhost ~]# curl -k https://192.168.163.250
RS2

LVS的DR模式实现http负载均衡

环境说明

 

主机名  IP  职责
localhost DIP:192.168.44.128   VIP:192.168.44.250 调度器
node2 192.168.44.129    VIP:192.168.44.250 服务器(RS)
node3 192.168.44.130    VIP:192.168.44.250 服务器(RS)

 

//配置作为调度器的localhost
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# ip a
..
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:b5:30:0b brd ff:ff:ff:ff:ff:ff
    inet 192.168.44.128/24 brd 192.168.44.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb5:300b/64 scope link 
       valid_lft forever preferred_lft forever
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE="Ethernet"
BOOTPROTO=none
NAME="eth0"
UUID="0a3ca56e-efb2-4610-9095-1b1942f240c0"
DEVICE="eth0"
ONBOOT="yes"
IPADDR=192.168.44.128
NETMASK=255.255.255.0
GATEWAY=192.168.44.2
DNS1=114.114.114.114
[root@localhost ~]# systemctl restart NetworkManager
[root@localhost ~]# ip addr add 192.168.44.250/24 dev eth0
[root@localhost ~]# ls /etc/sysconfig/network-scripts/
ifcfg-ens160
[root@localhost ~]# vim /etc/sysconfig/network-scripts/route-ens160
192.168.44.250/32 via 192.168.44.128
[root@localhost ~]# systemctl restart NetworkManager
[root@localhost ~]# ifdown ens160;ifup ens160
[root@localhost ~]# yum -y install net-tools
[root@localhost ~]# yum -y install ipvsadm
[root@localhost ~]# ipvsadm -A -t 192.168.44.250:80 -s rr
[root@localhost ~]# ipvsadm -a -t 192.168.44.250:80 -r 192.168.44.129:80 -g
[root@localhost ~]# ipvsadm -a -t 192.168.44.250:80 -r 192.168.44.130:80 -g
[root@localhost ~]# systemctl enable ipvsadm
[root@localhost ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@localhost ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.44.250:80 rr
  -> 192.168.44.129:80            Route   1      0          0         
  -> 192.168.44.130:80            Route   1      0          0

//配置作为RS的node2(下面提示符写成 localhost 的几条命令同样是在 node2 上执行)
[root@node2 ~]# systemctl stop firewalld
[root@node2 ~]# setenforce 0
[root@node2 ~]# ip a
..
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:a5:b0:d2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.44.129/24 brd 192.168.44.255 scope global dynamic noprefixroute ens160
       valid_lft 890sec preferred_lft 890sec
    inet6 fe80::384c:3bc6:9a9f:58ce/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[root@node2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE="Ethernet"
BOOTPROTO=none
NAME="ens160"
DEVICE="ens160"
ONBOOT="yes"
IPADDR=192.168.44.129
NETMASK=255.255.255.0
GATEWAY=192.168.44.2
DNS1=114.114.114.114
[root@node2 ~]# systemctl restart NetworkManager
[root@node2 ~]# ifdown ens160;ifup ens160
[root@node2 ~]# vim /etc/sysctl.conf
//在文件最下方加入两行(让RS不对VIP的ARP请求作出应答,避免与调度器争抢VIP)
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@node2 ~]# sysctl -p
[root@node2 ~]# ip addr add 192.168.44.250/24 dev ens160
[root@localhost ~]# ls /etc/sysconfig/network-scripts/
ifcfg-ens160
[root@localhost ~]# vim /etc/sysconfig/network-scripts/route-ens160
192.168.44.250/32 via 192.168.44.129
[root@localhost ~]# systemctl restart NetworkManager
[root@localhost ~]# ifdown ens160;ifup ens160
[root@localhost ~]# yum -y install net-tools
[root@node2 ~]# yum -y install httpd
[root@node2 ~]# systemctl start httpd


//配置作为RS的node3(下面提示符写成 localhost 的几条命令同样是在 node3 上执行)
[root@node3 ~]# systemctl stop firewalld
[root@node3 ~]# setenforce 0
[root@node3 ~]# ip a
..
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:73:b3:0c brd ff:ff:ff:ff:ff:ff
    inet 192.168.44.130/24 brd 192.168.44.255 scope global dynamic noprefixroute ens160
       valid_lft 1399sec preferred_lft 1399sec
    inet6 fe80::757b:3307:cfa2:f23f/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[root@node3 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE="Ethernet"
BOOTPROTO=none
NAME="ens160"
DEVICE="ens160"
ONBOOT="yes"
IPADDR=192.168.44.130
NETMASK=255.255.255.0
GATEWAY=192.168.44.2
DNS1=114.114.114.114
[root@node3 ~]# systemctl restart NetworkManager
[root@node3 ~]# ifdown ens160;ifup ens160
[root@node3 ~]# vim /etc/sysctl.conf
//在文件最下方加入两行(让RS不对VIP的ARP请求作出应答,避免与调度器争抢VIP)
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
[root@node3 ~]# sysctl -p
[root@node3 ~]# ip addr add 192.168.44.250/24 dev ens160
[root@localhost ~]# ls /etc/sysconfig/network-scripts/
ifcfg-ens160
[root@localhost ~]# vim /etc/sysconfig/network-scripts/route-ens160
192.168.44.250/32 via 192.168.44.130
[root@localhost ~]# systemctl restart NetworkManager
[root@localhost ~]# ifdown ens160;ifup ens160
[root@localhost ~]# yum -y install net-tools
[root@node3 ~]# yum -y install httpd
[root@node3 ~]# systemctl start httpd


//验证,为了实验效果故意使两个服务器的网页不一样
[root@node2 ~]# echo 'RS1' > /var/www/html/index.html
[root@node3 ~]# echo 'RS2' > /var/www/html/index.html
[root@localhost ~]# curl http://192.168.44.250
RS1
[root@localhost ~]# curl http://192.168.44.250
RS2

LVS的DR模式实现https负载均衡

//在两个RS上安装mod_ssl
[root@node2 ~]# yum -y install mod_ssl
[root@node3 ~]# yum -y install mod_ssl

//这里不再签发证书,直接使用mod_ssl自带的默认证书,重启服务后查看443端口是否监听
[root@node2 ~]# systemctl restart httpd
[root@node3 ~]# systemctl restart httpd

//查看443端口是否启动
[root@node2 ~]# ss -antl
State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port 
LISTEN      0           128                    0.0.0.0:22                    0.0.0.0:*   
LISTEN      0           128                          *:80                          *:*   
LISTEN      0           128                       [::]:22                       [::]:*   
LISTEN      0           128                          *:443                         *:*  

[root@node3 ~]# ss -antl
State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port 
LISTEN      0           128                    0.0.0.0:22                    0.0.0.0:*   
LISTEN      0           128                          *:80                          *:*   
LISTEN      0           128                       [::]:22                       [::]:*   
LISTEN      0           128                          *:443                         *:*  

//在调度器上配置(ipvsadm -C 会先清空前面配置的80端口规则)
[root@localhost ~]# ipvsadm -C
[root@localhost ~]# ipvsadm -A -t 192.168.44.250:443 -s wrr
[root@localhost ~]# ipvsadm -a -t 192.168.44.250:443 -r 192.168.44.129 -g
[root@localhost ~]# ipvsadm -a -t 192.168.44.250:443 -r 192.168.44.130 -g
[root@localhost ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.44.250:443 wrr
  -> 192.168.44.129:443            Route   1      0          0         
  -> 192.168.44.130:443            Route   1      0          0 
  
[root@localhost ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm


//测试
[root@localhost ~]# curl -k https://192.168.44.250
RS1 
[root@localhost ~]# curl -k https://192.168.44.250
RS2

 
