Haproxy+keepalived+apache
一、Topology diagram:
(topology diagram image: http://s1.51cto.com/wyfs02/M02/7F/1A/wKiom1cTiQyzwQ6xAAFY-jQlWtw236.jpg)
二、Compile and install HAProxy (install it the same way on both machines)
Extract: tar zxvf haproxy-1.6.4.tar.gz
Compile (note: the parameter names before the equals signs below must be upper case):
cd haproxy-1.6.4
make TARGET=linux26 ARCH=x86_64 PREFIX=/usr/local/haproxy
make install PREFIX=/usr/local/haproxy
After installation, create the configuration file and the init script:
mkdir -p /usr/local/haproxy/etc/haproxy
cp examples/acl-content-sw.cfg /usr/local/haproxy/etc/haproxy/haproxy.cfg
cp examples/haproxy.init /etc/init.d/haproxy
chmod +x /etc/init.d/haproxy
Edit the init script:
vi /etc/init.d/haproxy
Change the BIN and CFG paths so that they point at the install prefix used above (CFG must resolve to the directory the configuration file was copied into, otherwise the service cannot start):
BIN=/usr/local/haproxy/sbin/$BASENAME
CFG=/usr/local/haproxy/etc/$BASENAME/$BASENAME.cfg
三、Edit the configuration file (same on both machines)
cd /usr/local/haproxy/etc/haproxy
cp haproxy.cfg haproxy.cfg.bak
vi haproxy.cfg
# This sample configuration makes extensive use of the ACLs. It requires
# HAProxy version 1.3.12 minimum.
global
    log localhost local3
    maxconn 250
    uid 71
    gid 71
    chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    daemon
    quiet

frontend http-in
    bind :80
    mode http
    log global
    clitimeout 30000
    option httplog
    option dontlognull
    #option logasap
    option httpclose
    maxconn 100
    stats refresh 30s
    stats uri /stats
    stats realm linuxidc-test-Haproxy
    stats auth admin:admin123
    stats hide-version
    capture request header Host len 20
    capture request header User-Agent len 16
    capture request header Content-Length len 10
    capture request header Referer len 20
    capture response header Content-Length len 10

    # block any unwanted source IP addresses or networks
    acl forbidden_src src 0.0.0.0/7 224.0.0.0/3
    acl forbidden_src src_port 0:1023
    block if forbidden_src

    # block requests beginning with http:// on wrong domains
    acl dangerous_pfx url_beg -i http://
    acl valid_pfx url_reg -i ^http://[^/]*1wt\.eu/
    block if dangerous_pfx !valid_pfx

    # block apache chunk exploit, ...
    acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
    acl forbidden_hdrs hdr_beg(host) -i apache- localhost
    # ... some HTTP content smuggling and other various things
    acl forbidden_hdrs hdr_cnt(host) gt 1
    acl forbidden_hdrs hdr_cnt(content-length) gt 1
    acl forbidden_hdrs hdr_val(content-length) lt 0
    acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
    block if forbidden_hdrs

    # block annoying worms that fill the logs...
    acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
    acl forbidden_uris url_sub -i %00<script xmlrpc.php
    acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll

    # block other common attacks (awstats, manual discovery...)
    acl forbidden_uris path_dir -i chatmain.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice
    acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
    block if forbidden_uris

    # we rewrite the "options" request so that it only tries '*', and we
    # only report GET, HEAD, POST and OPTIONS as valid methods
    reqirep ^OPTIONS\ /.*HTTP/1\.[01]$ OPTIONS\ \*\ HTTP/1.0
    rspirep ^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS

    acl web hdr_beg(host) -i www.abc.com
    use_backend www if web

backend www
    mode http
    #source 192.168.11.13:0
    balance roundrobin
    cookie SERVERID
    server web01 192.168.1.13:80 check inter 30000 fall 3 weight 10
    server web02 192.168.1.14:80 check inter 30000 fall 3 weight 10

    # long timeout to support connection queueing
    contimeout 20000
    srvtimeout 20000
    fullconn 100
    redispatch
    retries 3

    option httpchk HEAD /
    option forwardfor
    option checkcache
    option httpclose

    # allow other syntactically valid requests, and block any other method
    acl valid_method method GET HEAD POST OPTIONS
    block if !valid_method
    block if HTTP_URL_STAR !METH_OPTIONS
    block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS

    # remove unnecessary precisions on the server version. Let's say
    # it's an apache under Unix on the Formilux Distro.
    rspidel ^Server:
    rspadd Server:\ Apache\ (Unix;\ Formilux/0.1.8)
# end of defaults
Logging configuration steps
Already set in haproxy.cfg above:
log localhost local3
vi /etc/rsyslog.conf
Remove the # in front of these two lines:
$ModLoad imudp
$UDPServerRun 514
Add the following below the local7.* line:
local3.* /var/log/haproxy/haproxy.log
vi /etc/sysconfig/rsyslog
Change to:
SYSLOGD_OPTIONS="-r -m 0"
Restart the rsyslog and haproxy services:
service rsyslog restart
service haproxy restart
Log file: /var/log/haproxy/haproxy.log
View HAProxy status at http://ip/stats (username:password admin:admin123)
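The log file set up above records every request the ACLs in haproxy.cfg refuse (status 403, termination state PR--) and every request passed to web01 or web02. The following is an added example, not part of the original post: three small triage functions over the httplog format that the configuration produces (5-field syslog prefix, then client, frontend, backend/server, timers, status and termination state), fed with constructed sample lines so it runs offline. The client addresses, request lines and timestamps in SAMPLE_LOG are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: triage functions for the
# HAProxy log produced by the "option httplog" and "capture request header"
# lines in the configuration above (/var/log/haproxy/haproxy.log after the
# rsyslog steps). Field positions follow the httplog format with the
# 5-field syslog prefix; the log lines below are constructed samples.

SAMPLE_LOG=$(cat <<'EOF'
Apr 17 16:32:10 localhost haproxy[2034]: 192.168.0.50:51234 [17/Apr/2016:16:32:10.412] http-in www/web01 0/0/0/1/1 200 312 - - ---- 1/1/0/0/0 0/0 {www.abc.com|curl/7.29.0||} {312} "GET / HTTP/1.1"
Apr 17 16:32:11 localhost haproxy[2034]: 192.168.0.50:51235 [17/Apr/2016:16:32:11.020] http-in www/web02 0/0/0/1/1 200 312 - - ---- 1/1/0/0/0 0/0 {www.abc.com|curl/7.29.0||} {312} "GET / HTTP/1.1"
Apr 17 16:32:12 localhost haproxy[2034]: 10.9.8.7:40001 [17/Apr/2016:16:32:12.001] http-in http-in/<NOSRV> 0/-1/-1/-1/0 403 212 - - PR-- 1/1/0/0/0 0/0 {www.abc.com|Mozilla/5.0 (X11||} {} "GET /cmd.exe HTTP/1.1"
Apr 17 16:32:13 localhost haproxy[2034]: 10.9.8.7:40002 [17/Apr/2016:16:32:13.377] http-in http-in/<NOSRV> 0/-1/-1/-1/0 403 212 - - PR-- 1/1/0/0/0 0/0 {www.abc.com|Mozilla/5.0 (X11||} {} "GET /awstats.pl HTTP/1.1"
Apr 17 16:32:14 localhost haproxy[2034]: 10.9.8.8:40003 [17/Apr/2016:16:32:14.900] http-in http-in/<NOSRV> 0/-1/-1/-1/0 403 212 - - PR-- 1/1/0/0/0 0/0 {www.abc.com|python-requests||} {} "POST /xmlrpc.php HTTP/1.1"
Apr 17 16:32:15 localhost haproxy[2034]: 192.168.0.51:51300 [17/Apr/2016:16:32:15.101] http-in www/web01 0/0/0/2/2 200 312 - - ---- 1/1/0/0/0 0/0 {www.abc.com|curl/7.29.0||} {312} "GET / HTTP/1.1"
EOF
)

# blocked_by_client: requests HAProxy itself refused (403 with termination
# state PR--, i.e. a "block" rule matched), counted per client IP, most
# frequent first. $6 is client:port, $11 the status, $15 the termination state.
blocked_by_client() {
    awk '$11 == 403 && substr($15, 1, 2) == "PR" { split($6, a, ":"); n[a[1]]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# blocked_uris: the request line of each blocked request, which shows which
# ACL class (forbidden_uris, forbidden_hdrs, ...) is actually firing.
blocked_uris() {
    awk '$11 == 403 && substr($15, 1, 2) == "PR" && match($0, /"[^"]*"$/) {
             print substr($0, RSTART + 1, RLENGTH - 2) }'
}

# served_by_server: 2xx responses counted per backend/server ($9), which
# confirms that roundrobin really spreads requests over web01 and web02.
served_by_server() {
    awk '$9 !~ /<NOSRV>/ && $11 ~ /^2/ { n[$9]++ }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Stand-alone run over the constructed sample; on a live node replace the
# printf with: cat /var/log/haproxy/haproxy.log
printf '%s\n' "$SAMPLE_LOG" | blocked_by_client
printf '%s\n' "$SAMPLE_LOG" | blocked_uris
printf '%s\n' "$SAMPLE_LOG" | served_by_server
```

Only the fields before the captured headers are used positionally, because the captured User-Agent can contain spaces; the request line is taken from the quoted string at the end of the line instead.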
四、Install httpd on web01 and web02
yum -y install httpd
Create the test page on each server:
Web01: vi /var/www/html/index.html
Wo shi 13.
Web02: vi /var/www/html/index.html
Wo shi 14.
Do the following on both machines:
Disable SELinux:
vi /etc/sysconfig/selinux
SELINUX=disabled
Reboot, then:
service iptables stop
chkconfig iptables off
chkconfig httpd on
service httpd start
Test in a browser that both web01 and web02 can be opened.
五、Compile and install keepalived
Install the required packages:
yum -y install openssl openssl-devel
Extract:
tar zxvf keepalived-1.2.20.tar.gz
Compile:
cd keepalived-1.2.20
./configure --prefix=/usr/local/keepalived1.2.20
make
make install
Set up the init script:
cd /usr/local/keepalived1.2.20/
cp etc/rc.d/init.d/keepalived /etc/init.d/
vi /etc/init.d/keepalived
Change these three lines:
. /usr/local/keepalived1.2.20/etc/sysconfig/keepalived
config="/usr/local/keepalived1.2.20/etc/keepalived/keepalived.conf"
daemon keepalived -D -f $config
Configure the keepalived.conf file
cd etc/keepalived/
Back up: cp keepalived.conf keepalived.conf.bak
vi keepalived.conf (note that the two nodes' configuration files differ)
keepalived.conf on 192.168.0.11:
! Configuration File for keepalived
global_defs {
    notification_email {
    }
    notification_email_from [email protected]
    smtp_server mail.it.com
    smtp_connect_timeout 30
    router_id LVS_01
}
vrrp_script chk_haproxy {
    script "/usr/local/keepalived1.2.20/check_haproxy.sh"
    interval 2
    weight 2
}
vrrp_instance VI_1 {
    state MASTER
    interface eth2
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.0.222/24
    }
    ! the vrrp_script above is only executed for instances that track it
    track_script {
        chk_haproxy
    }
}
keepalived.conf on 192.168.0.12 (identical except for these two lines):
state BACKUP
priority 99
ln -s /usr/local/keepalived1.2.20/sbin/keepalived /usr/sbin/
Enable routing, i.e. IP forwarding (kernel parameters, sysctl.conf syntax):
net.ipv4.ip_forward = 1
Allow binding to an IP address that is not present on this host:
net.ipv4.ip_nonlocal_bind = 1
If LVS DR or TUN mode is used together with keepalived, two ARP-related parameters must additionally be set on the backend real servers. They are set here as well:
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
Create the script that prevents the case where the haproxy service stops but keepalived does not fail over automatically:
cat /usr/local/keepalived1.2.20/check_haproxy.sh
#!/bin/bash
# if haproxy is not running, try to start it once
if [ $(ps -C haproxy --no-header | wc -l) -eq 0 ]; then
    /etc/init.d/haproxy start
    sleep 2
    # still not running after the restart attempt: stop keepalived so that
    # the backup node takes over the VIP
    if [ $(ps -C haproxy --no-header | wc -l) -eq 0 ]; then
        /etc/init.d/keepalived stop
    fi
fi
chmod +x /usr/local/keepalived1.2.20/check_haproxy.sh
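Before a watchdog like check_haproxy.sh is wired into keepalived it is worth exercising its three outcomes (haproxy alive, haproxy restarted, restart failed) without stopping real services. The following is an added example, not the script from the post: the same decision written so that the process probe and the two init-script calls are shell functions a test can replace. The branch names "running", "recovered" and "failover" are labels chosen here, not anything keepalived uses.

```shell
#!/bin/sh
# Added example, not the script from the post: the check_haproxy.sh decision
# written so it can be exercised without real services. The three things
# the page's script touches (ps, the haproxy init script, the keepalived init
# script) are wrapped in functions that a test redefines. The printed words
# "running", "recovered" and "failover" are labels chosen for this example.

# Number of live haproxy processes (same probe as the page's script).
haproxy_procs() { ps -C haproxy --no-header | wc -l | tr -d ' '; }

# Side effects, kept separate so they can be stubbed out.
start_haproxy()   { /etc/init.d/haproxy start; }
stop_keepalived() { /etc/init.d/keepalived stop; }
settle()          { sleep 2; }

# Prints which branch was taken and returns 0 unless this node had to give
# up the VIP. keepalived runs it every 2 s ("interval 2") and, with
# "weight 2", adds 2 to the VRRP priority only while it exits 0.
check_haproxy() {
    if [ "$(haproxy_procs)" -eq 0 ]; then
        start_haproxy
        settle
        if [ "$(haproxy_procs)" -eq 0 ]; then
            # restart did not help: leave the VRRP group so the backup
            # (priority 99) takes 192.168.0.222
            stop_keepalived
            echo failover
            return 1
        fi
        echo recovered
        return 0
    fi
    echo running
    return 0
}

# On a real node the script would end with a single call:
# check_haproxy
```

Keeping the side effects in their own functions is what makes the failure branch testable: the test below substitutes a counter for the process probe and a no-op for the restart, and checks that only the "restart failed" case stops keepalived and returns non-zero.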
Start the service:
service keepalived restart
Use ip addr to check whether the VIP has been created:
(image: http://s3.51cto.com/wyfs02/M02/7F/18/wKioL1cTjxLT-zzqAABc93eoi1Y371.png)
At this point the backup keepalived does not have the VIP address:
(image: http://s1.51cto.com/wyfs02/M02/7F/1B/wKiom1cTjo7QW5-TAABZ9RzsaP0950.png)
When the master keepalived goes down, the backup keepalived takes over the VIP (simulated here by stopping the service):
(image: http://s1.51cto.com/wyfs02/M00/7F/18/wKioL1cTj3PCEXTQAAB6X__xaQg265.png)
(image: http://s1.51cto.com/wyfs02/M00/7F/1B/wKiom1cTjrejWOqrAAB-X-lh67Y036.png)
When keepalived fails over, ping loses one packet:
Packet loss when the master keepalived is shut down:
(image: http://s1.51cto.com/wyfs02/M01/7F/18/wKioL1cTkn_CNfeEAACPg0ogb0I917.png)
Packet loss when the master keepalived comes back:
(image: http://s4.51cto.com/wyfs02/M02/7F/18/wKioL1cTkhuxiGaqAACUdQ6eDnM321.png)
六、Test access to www.abc.com locally on the HAProxy host
Since this is a test without DNS resolution, add a temporary hosts entry:
(image: http://s1.51cto.com/wyfs02/M02/7F/18/wKioL1cTkFeBsVglAAAdM8dKNRU191.png)
Test: run curl www.abc.com twice; the two requests are served round-robin:
(image: http://s3.51cto.com/wyfs02/M02/7F/18/wKioL1cTkJWD9S1pAAAWTauoC_w348.png)
Test from a Windows client: add a hosts entry:
(image: http://s4.51cto.com/wyfs02/M01/7F/1B/wKiom1cTkCWCItlLAAAyrkQNgtM190.png)
Open www.abc.com in the browser twice; round-robin works here as well:
(image: http://s3.51cto.com/wyfs02/M01/7F/18/wKioL1cTkQOz6ub_AAA06vBTBrU988.png)
(image: http://s1.51cto.com/wyfs02/M01/7F/1B/wKiom1cTkEexkdacAAAvdrx8QYY658.png)
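The screenshots in sections 五 and 六 are read by eye: does ip addr show 192.168.0.222 on the expected node, and do repeated requests to www.abc.com alternate between "Wo shi 13." and "Wo shi 14."? The following is an added example, not part of the original post, that turns both checks into functions over text so they can be piped from the live commands or run against captured output. The VIP and the two page bodies are the post's values; the ip addr output and the curl responses embedded below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: the two checks the screenshots
# in sections 五 and 六 show (which node holds the VIP, and that every web
# server answers) as functions over text. VIP 192.168.0.222 and the bodies
# "Wo shi 13." / "Wo shi 14." are this post's values; the command outputs
# below are constructed samples.

VIP=192.168.0.222

# Constructed "ip -4 addr show dev eth2" output on the node holding the VIP
# (keepalived adds it as a secondary address) and on the idle backup.
SAMPLE_IP_ADDR_MASTER='3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.0.11/24 brd 192.168.0.255 scope global eth2
    inet 192.168.0.222/24 scope global secondary eth2'
SAMPLE_IP_ADDR_BACKUP='3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.0.12/24 brd 192.168.0.255 scope global eth2'

# Constructed bodies returned by four consecutive "curl www.abc.com" calls.
SAMPLE_RESPONSES='Wo shi 13.
Wo shi 14.
Wo shi 13.
Wo shi 14.'

# holds_vip VIP: reads "ip addr" text on stdin, exit 0 if VIP is configured.
# Live use:  ip -4 addr show dev eth2 | holds_vip "$VIP"
holds_vip() {
    awk -v vip="$1" '$1 == "inet" { split($2, a, "/"); if (a[1] == vip) found = 1 }
                     END { exit found ? 0 : 1 }'
}

# rr_spread: one response body per line on stdin; prints "<body>=<count>"
# for each distinct body, in sorted order.
rr_spread() {
    sort | uniq -c | awk '{ c = $1; $1 = ""; sub(/^ /, ""); print $0 "=" c }'
}

# balanced N: succeeds only if N distinct bodies were seen, i.e. each of the
# N backends served at least one request. One body after several requests
# means a single server got everything, which the page's two-curl test is
# meant to rule out.
# Live use:  for i in 1 2 3 4; do curl -s http://www.abc.com/; done | balanced 2
balanced() {
    [ "$(rr_spread | wc -l | tr -d ' ')" -eq "$1" ]
}

# Stand-alone run over the constructed samples
printf '%s\n' "$SAMPLE_IP_ADDR_MASTER" | holds_vip "$VIP" && echo "master holds $VIP"
printf '%s\n' "$SAMPLE_IP_ADDR_BACKUP" | holds_vip "$VIP" || echo "backup does not hold $VIP"
printf '%s\n' "$SAMPLE_RESPONSES" | rr_spread
printf '%s\n' "$SAMPLE_RESPONSES" | balanced 2 && echo "round-robin confirmed"
```

Run holds_vip on both nodes before and after stopping keepalived on the master to confirm the VIP moves exactly once; balanced with more than two requests gives a stronger signal than the two curl calls in the screenshot, since two requests can land on two servers by chance even with a broken weight.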
This article is reposted from the 51CTO blog of 506554897; original link: http://blog.51cto.com/506554897/1764842. For reprints please contact the original author.