作业 – 05.8
实现整站https 部署discuz 实现lb01和lb02故障转移
实现整站https
一、多台HTTPS配置 — 假证书
1.检查nginx
[root@web01 ~]# nginx -V
--with-http_ssl_module ---有这个模块是支持
2.创建证书存放目录
[root@web01 ~]# mkdir /etc/nginx/ssl_key
[root@web01 ~]# cd /etc/nginx/ssl_key/
3.造假证书
# 1、生成私钥
#使用openssl命令充当CA权威机构创建证书(生产不使用此方式生成证书,不被互联网认可的黑户证书)
[root@web01 ssl_key]# openssl genrsa -idea -out server.key 2048 # 最少密码4位
Generating RSA private key, 2048 bit long modulus
...............................+++
........+++
e is 65537 (0x10001)
Enter pass phrase for server.key: 123456 # 密码6位
Verifying - Enter pass phrase for server.key: 123456
[root@web01 ssl_key]# ll
total 4
-rw-r--r--. 1 root root 1739 Dec 9 11:27 server.key
# 2、生成公钥
#生成自签证书(公钥),同时去掉私钥的密码
[root@web01 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
........................+++
...............................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:riben
Locality Name (eg, city) [Default City]:sh
Organization Name (eg, company) [Default Company Ltd]:skz
Organizational Unit Name (eg, section) []:mm
Common Name (eg, your name or your server's hostname) []:mm
Email Address []:1234@qq.com
# req --> 用于创建新的证书
# new --> 表示创建的是新证书
# x509 --> 表示定义证书的格式为标准格式
# key --> 表示调用的私钥文件信息
# out --> 表示输出证书文件信息
# days --> 表示证书的有效期
# sha256 --> 加密方式
# 3、查看生成的证书
[root@web01 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1342 Apr 8 15:00 server.crt
-rw-r--r-- 1 root root 1708 Apr 8 15:00 server.key
全站HTTPS
1、环境准备
主机 内网IP 外网IP 身份 web01 172.16.1.7 web服务器 web02 172.16.1.8 web服务器 lb01 172.16.1.5 192.168.15.5 负载均衡 lb02 172.16.1.6 192.168.15.6 负载均衡
2.配置web服务器
# web01与web02都提前安装好nginx官方源与php
二、部署discuz
1、web01搭建discuz论坛
1、创建站点目录
[root@web01 ~]# mkdir /mm/discuz
2、上传并解压代码包
[root@web01 ~]# rz
-rw-r--r--. 1 root root 10829853 Dec 7 12:04 Discuz_X3.3_SC_GBK.zip
[root@web01 ~]# unzip Discuz_X3.3_SC_GBK.zip -d /mm/discuz/
[root@web01 ~]# chown -R www.www /mm/discuz/
2、配置discuz论坛的nginx配置文件
## HTTPS访问的话以下这2个文件必须有
[root@pingweb01 nginx]# cd ssl_key/
[root@pingweb01 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1249 May 8 19:18 server.crt
-rw-r--r-- 1 root root 1704 May 8 19:18 server.key
1、配置nginx
[root@pingweb01 conf.d]# cat linux12mm.discuz.https.com.conf
server {
listen 80;
server_name linux12mm.discuz.com;
root /mm/discuz/upload;
location / {
index index.php;
}
location ~* \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on; #开启https模式
include fastcgi_params;
}
}
## nginx -t检查并重启
[root@web01 ~]# systemctl restart nginx php-fpm
3.必须保证web01单台HTTPS可以访问 —了解
[root@pingweb01 conf.d]# cat linux12mm.discuz.https.com.conf
server {
listen 80;
server_name linux12mm.discuz.com;
root /mm/discuz/upload;
location / {
index index.php;
}
location ~* \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on; #开启https模式
include fastcgi_params;
}
}
# 必须保证web01单台HTTPS可以访问,否则负载均衡就不能实现
4、web02机器与web01机器相同
## web01服务端推送都web02
# 1、上传配置证书
[root@web01 ~]# scp -r /etc/nginx/ssl_key 172.16.1.8:/etc/nginx/
# 2.web02查看证书
[root@pingweb02 mm]# cd /etc/nginx/ssl_key/
[root@pingweb02 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1249 May 8 19:25 server.crt
-rw-r--r-- 1 root root 1704 May 8 19:25 server.key
# 2、上传配置文件
[root@pingweb01 conf.d]# scp -r /mm/discuz/ 172.16.1.8:/mm
[root@pingweb01 conf.d]# scp -r linux12mm.discuz.https.com.conf 172.16.1.8:/etc/nginx/conf.d/
## web02服务端
[root@pingweb02 conf.d]# cd /mm/
[root@pingweb02 mm]# ll
drwxr-xr-x 5 www www 100 May 8 18:22 discuz
[root@pingweb02 conf.d]# ll
total 4
drwxr-xr-x 2 root root 182 May 8 19:27 backup
-rw-r--r-- 1 root root 348 May 8 19:55 linux12mm.discuz.https.com.conf
## nginx -t检查并重启
[root@web02 ~]# systemctl restart nginx php-fpm
# 必须保证web02单台HTTPS可以访问,否则负载均衡就不能实现
# 或者也可以提前挂载好,这样的话就不需要推送了!
3、配置负载均衡 lb01
# 1、配置证书
[root@web01 ~]# scp -r /etc/nginx/ssl_key 172.16.1.5:/etc/nginx/
# 2.lb01查看证书
[root@pinglb01 nginx]# cd ssl_key/
[root@pinglb01 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1249 May 8 19:25 server.crt
-rw-r--r-- 1 root root 1704 May 8 19:25 server.key
# 2、配置nginx优化文件
[root@pinglb01 ssl_key]# cat /etc/nginx/proxy_params
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 20s;
proxy_read_timeout 20s;
proxy_send_timeout 20s;
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 8 8k;
proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
# 3、配置nginx文件
[root@pinglb01 conf.d]# cat linux12mm.discuz.https.com.conf
upstream blog {
server 172.16.1.7;
server 172.16.1.8;
}
server {
listen 80;
server_name linux12mm.discuz.com;
rewrite (.*) https://$server_name$1;
}
server {
listen 443 ssl;
server_name linux12mm.discuz.com;
ssl_certificate /etc/nginx/ssl_key/server.crt;
ssl_certificate_key /etc/nginx/ssl_key/server.key;
location / {
proxy_pass http://blog;
include proxy_params;
}
}
## nginx -t检查并重启
[root@web01 ~]# systemctl restart nginx
3.配置本地hosts
192.168.15.5 linux12mm.discuz.com
4、配置负载均衡 lb02
# 1、推送配置证书
[root@web01 ~]# scp -r /etc/nginx/ssl_key 172.16.1.6:/etc/nginx/
# 2.lb02查看证书
[root@pinglb02 nginx]# cd ssl_key/
[root@pinglb02 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1249 May 8 19:25 server.crt
-rw-r--r-- 1 root root 1704 May 8 19:25 server.key
# 3、推送配置文件
[root@pinglb01 conf.d]# scp linux12mm.discuz.https.com.conf 172.16.1.6:/etc/nginx/conf.d/
[root@pinglb02 ssl_key]# cat /etc/nginx/proxy_params
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 20s;
proxy_read_timeout 20s;
proxy_send_timeout 20s;
proxy_buffering on;
proxy_buffer_size 8k;
proxy_buffers 8 8k;
proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
# 4、配置nginx文件
[root@pinglb02 conf.d]# cat linux12mm.discuz.https.com.conf
upstream blog {
server 172.16.1.7;
server 172.16.1.8;
}
server {
listen 80;
server_name linux12mm.discuz.com;
rewrite (.*) https://$server_name$1;
}
server {
listen 443 ssl;
server_name linux12mm.discuz.com;
ssl_certificate /etc/nginx/ssl_key/server.crt;
ssl_certificate_key /etc/nginx/ssl_key/server.key;
location / {
proxy_pass http://blog;
include proxy_params;
}
}
## nginx -t检查并重启
[root@web01 ~]# systemctl restart nginx
3.配置本地hosts
192.168.15.5 linux12mm.discuz.com
# lb01和lb02相同.所以都可以访问,切记,切记 lb01,lb02相同才可以做keepalived 高可用
实现lb01和lb02故障转移
1.lb01和lb02负载均衡端安装keepalived
[root@pinglb01 conf.d]# yum -y install keepalived
[root@pinglb02 conf.d]# yum -y install keepalived
2.配置keepalived
# 1、查找配置文件
[root@lb01 conf.d]# rpm -qc keepalived
/etc/keepalived/keepalived.conf
/etc/sysconfig/keepalived
# 2、配置主节点的配置文件
[root@pinglb01 conf.d]# cat /etc/keepalived/keepalived.conf
global_defs {
router_id lb01
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
nopreempt
virtual_router_id 50
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.15.102
}
}
# 3、配置从节点
[root@pinglb02 conf.d]# cat /etc/keepalived/keepalived.conf
global_defs {
router_id lb02
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
nopreempt
virtual_router_id 50
priority 80
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.15.102
}
}
# 配置的是keepalived非抢占式说明
1.两个节点的state都必须配置为BACKUP
2.两个节点都必须加上配置 nopreempt
3.其中一个节点的优先级必须要高于另外一个节点的优先级。
两台服务器都角色状态启用nopreempt后,必须修改角色状态统一为BACKUP,唯一的区分就是优先级。
3. 启动服务
[root@lb01 ~]# tail -f /var/log/messages
[root@lb01 ~]# systemctl restart keepalived
[root@lb02 ~]# tail -f /var/log/messages
[root@lb02 ~]# systemctl restart keepalived
4、keepalived的抢占式与非抢占式
1.两个节点都启动的情况
#两个节点都启动时,由于节点1优先级高于节点2,所以只有节点1上有VIP,节点2为空
[root@lb01 ~]# ip addr | grep 10.10.0.102
inet 10.10.0.3/32 scope global eth0
[root@lb02 ~]# ip addr | grep 10.10.0.102
2.停止主节点
[root@lb01 ~]# systemctl stop keepalived.service
[root@lb01 ~]# ip addr | grep 10.10.0.102
#由于节点1keepalived down掉,节点2会自动接管节点1的工作,即VIP
[root@lb02 ~]# ip addr | grep 10.10.0.102
inet 10.10.0.102/32 scope global eth0
3.重新启动主节点
#启动主节点
[root@lb01 ~]# systemctl start keepalived
[root@lb01 ~]# ip addr | grep 10.10.0.102
inet 10.10.0.102/32 scope global eth0
#由于节点1优先级高于节点2,所以当节点1恢复时,会将VIP抢占回来