lvs之搭建NAT模式的HTTPS负载集群
在lvs配置之NAT模式这篇文章配置的基础上搭建https
环境
| 系统 | ip |
| redhat8 test | 192.168.100.130 |
| redhat8 DR | 192.168.100.131 vip:192.168.18.250 |
| redhat8 RS1 | 192.168.100.132 |
| redhat8 RS2 | 192.168.100.133 |
LVS服务器搭建CA服务端
//RS1 echo test1 > /var/www/html/index.html //RS2 echo test2 > /var/www/html/index.html
生成一对密钥
//DR [root@DR ~]# mkdir -p /etc/pki/CA/private [root@DR ~]# cd /etc/pki/CA [root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) [root@DR CA]# openssl rsa -in private/cakey.pem -pubout
生成自签署证书
//DR [root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HB Locality Name (eg, city) [Default City]:WH Organization Name (eg, company) [Default Company Ltd]:thl Organizational Unit Name (eg, section) []:thl Common Name (eg, your name or your server's hostname) []:thl Email Address []:1@2.com [root@DR CA]# touch index.txt && echo 01 > serial
RS1生成证书签署请求,并发送给CA
//RS1 [root@RS1 ~]# yum -y install mod_ssl [root@RS1 ~]# mkdir /etc/httpd/ssl [root@RS1 ~]# cd /etc/httpd/ssl [root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048) [root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr Ignoring -days; not generating a certificate You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HB Locality Name (eg, city) [Default City]:WH Organization Name (eg, company) [Default Company Ltd]:thl Organizational Unit Name (eg, section) []:thl Common Name (eg, your name or your server's hostname) []:thl Email Address []:1@2.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@RS1 ssl]# ls httpd.csr httpd.key //把证书签署请求文件发送给CA [root@RS1 ssl]# scp httpd.csr root@192.168.100.131:/root/
CA签署证书并发给RS1
//DR [root@DR ~]# mkdir /etc/pki/CA/newcerts [root@DR ~]# touch /etc/pki/CA/index.txt //跟踪最后一次颁发证书的序列号 [root@DR ~]# echo "01" > /etc/pki/CA/serial [root@DR ~]# ls anaconda-ks.cfg httpd.csr [root@DR ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: May 6 08:10:00 2021 GMT Not After : Feb 24 08:10:00 2024 GMT Subject: countryName = CN stateOrProvinceName = HB organizationName = thl organizationalUnitName = thl commonName = thl emailAddress = 1@2.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: C5:3B:A3:CD:89:65:21:12:CC:88:1A:AD:67:21:58:8A:66:DE:76:55 X509v3 Authority Key Identifier: keyid:CA:22:DC:EF:D3:15:26:6A:EA:AA:B1:83:66:8E:E6:FB:AD:G4:0B:DF Certificate is to be certified until Feb 24 08:10:00 2024 GMT (1024 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@DR ~]# ls anaconda-ks.cfg httpd.crt httpd.csr //CA把签署好的证书httpd.crt和服务端的证书cacert.pem发给RS1 [root@DR ~]# scp httpd.crt root@192.168.100.132:/etc/httpd/ssl [root@DR ~]# scp /etc/pki/CA/cacert.pem root@192.168.100.132:/etc/httpd/ssl
配置https
将RS1的证书和密钥发给RS2
//RS2 [root@RS2 ~]# yum -y install mod_ssl [root@RS2 ~]# mkdir /etc/httpd/ssl //RS1 [root@RS1 ~]# cd /etc/httpd/ssl/ [root@RS1 ssl]# scp cacert.pem httpd.crt httpd.key root@192.168.100.133:/etc/httpd/ssl //RS2 [root@RS2 ~]# ls /etc/httpd/ssl/ cacert.pem httpd.crt httpd.key
修改https配置文件
//RS1 [root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf //修改后如下所示 SSLCertificateFile /etc/httpd/ssl/httpd.crt ······ SSLCertificateKeyFile /etc/httpd/ssl/httpd.key ······ SSLCACertificateFile /etc/httpd/ssl/cacert.pem ······ //重启服务 [root@RS1 ~]# systemctl restart httpd [root@RS1 ~]# ss -antl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 128 [::]:22 [::]:* LISTEN 0 128 *:443 *:* LISTEN 0 128 *:80 *:* //RS2 [root@RS2 ~]# vim /etc/httpd/conf.d/ssl.conf //修改后如下所示 SSLCertificateFile /etc/httpd/ssl/httpd.crt ······ SSLCertificateKeyFile /etc/httpd/ssl/httpd.key ······ SSLCACertificateFile /etc/httpd/ssl/cacert.pem ······ //重启服务 [root@RS2 ~]# systemctl restart httpd [root@RS2 ~]# ss -antl State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 128 [::]:22 [::]:* LISTEN 0 128 *:443 *:* LISTEN 0 128 *:80 *:*
添加并保存规则
//DR //添加调度器 [root@DR ~]# ipvsadm -A -t 192.168.18.250:443 -s rr //添加跳转的IP地址 [root@DR ~]# ipvsadm -a -t 192.168.18.250:443 -r 192.168.100.132 -m [root@DR ~]# ipvsadm -a -t 192.168.18.250:443 -r 192.168.100.133 -m [root@DR ~]# ipvsadm -Ln IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 192.168.18.250:80 rr -> 192.168.100.132:80 Masq 1 0 0 -> 192.168.100.133:80 Masq 1 0 0 TCP 192.168.18.250:443 rr -> 192.168.100.132:443 Masq 1 0 0 -> 192.168.100.133:443 Masq 1 0 0 //保存规则 [root@DR ~]# ipvsadm -S > /etc/sysconfig/ipvsadm
访问测试
//test [root@client ~]# curl -k https://192.168.18.250 test1 [root@client ~]# curl -k https://192.168.18.250 test2 [root@client ~]# curl -k https://192.168.18.250 test1 [root@client ~]# curl -k https://192.168.18.250 test2
