haproxy和keepalived配置方法
haproxy和keepalived
# 架构一 两台服务器,不能使用与业务相同端口,不能代理原有业务的ssl
websrv1:8080/8443 haproxy1:80/443 keepalived1-master
websrv2:8080/8443 haproxy1:80/443 keepalived1-backup
# 架构二 四台服务器,可以使用与业务相同端口,不能代理原有业务的ssl
websrv1:8080/8443
websrv2:8080/8443
haproxy1:8080/8443 keepalived1-master
haproxy2:8080/8443 keepalived1-backup
实验按架构一部署,架构二基本类似
1. soft install
yum install -y haproxy keepalived openssl
systemctl enable haproxy keepalived && systemctl restart haproxy keepalived
2. keepalived (只做HA Keepalived可以单独配置)
vi /etc/keepalived/keepalived.conf
创新互联公司长期为上千余家客户提供的网站建设服务,团队从业经验10年,关注不同地域、不同群体,并针对不同对象提供差异化的产品和服务;打造开放共赢平台,与合作伙伴共同营造健康的互联网生态环境。为洛南企业提供专业的网站设计、成都网站建设,洛南网站改版等技术服务。拥有10多年丰富建站经验和众多成功案例,为您定制开发。
- MASTER (keepalived1-master)
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
router_id LVS_DEVEL
# vrrp_strict
}
vrrp_instance VI_1 {
state MASTER
# config with right interface name
interface eth0
virtual_router_id 51
priority 110
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.10.80.50/24
}
}
- BACKUP (keepalived2-slave)
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
router_id LVS_DEVEL
# vrrp_strict
}
vrrp_instance VI_1 {
state BACKUP
# config with right interface name
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.10.80.50/24
}
}
# check config
systemctl restart keepalived
3. haproxy config (haproxy1 / haproxy2)
vi /etc/haproxy/haproxy.cfg
external-check need haproxy >1.6
global
log /dev/log local0
log /dev/log local1 notice
stats timeout 30s
# external-check
user haproxy
group haproxy
tune.ssl.default-dh-param 4096
daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
stats uri /haproxy?stats
frontend http_front
bind :80
bind :443 ssl crt /etc/ssl/server.pem
default_backend http_back
backend http_back
balance roundrobin
cookie SERVERID maxidle 30m maxlife 12h insert indirect nocache
# option external-check
# external-check command /bin/haproxy/etxstat.sh
# external-check path "/usr/bin:/bin"
server etx1 10.10.80.51:8080 check cookie etx1
server etx2 10.10.80.52:8080 check cookie etx2
4. ssl pam 配置
cd /etc/ssl
openssl req -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 365
cat server.crt server.key | tee server.pem
# sync pem srv1 -> srv2
scp haproxy1:/etc/ssl/server.pem haprox2:/etc/ssl/
5. haproxy check config
vi /bin/haproxy/etxstat.sh
#!/bin/bash
status=$(curl -s --user etxadmin:password http://$3:$4/etx/state)
if [ "$status" = "RUNNING" ]; then
exit 0
else
exit 1
fi
- check config
chmod a+x /bin/haproxy/etxstat.sh
sudo -u haproxy /bin/haproxy/etxstat.sh
haproxy -c -V -f /etc/haproxy/haproxy.cfg
systemctl restart haproxy
http://ip:port/haproxy?stats
网页题目:haproxy和keepalived配置方法
URL链接:http://scjbc.cn/article/jijiee.html