Nginx+Keepalived实现四层及七层负载均衡
一.Nginx及Openssl编译安装
3.卸载旧版本Nginx及Openssl
[root@localhost ~]# yum remove nginx
[root@localhost ~]# yum remove openssl
2.安装编译环境依赖
[root@localhost ~]# yum -y install gcc gcc-c++ autoconf automake make
[root@localhost ~]# yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel psmisc
3.下载最新版Nginx及openssl(http://nginx.org/en/download.html)
[root@localhost ~]# mkdir /opt/nginx
[root@localhost ~]# cd /opt/nginx/
[root@localhost nginx]# wget http://nginx.org/download/nginx-1.21.1.tar.gz
[root@localhost nginx]# wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
4.编译安装Openssl
[root@localhost nginx]# tar xzvf openssl-1.1.1k.tar.gz
[root@localhost nginx]# cd openssl-1.1.1k
[root@localhost openssl-1.1.1k]# ./config
[root@localhost openssl-1.1.1k]# make && make install
5.编译安装Nginx
[root@localhost nginx]# tar xzvf nginx-1.21.1.tar.gz
[root@localhost nginx]# cd nginx-1.21.1
[root@localhost nginx-1.21.1]# ./configure --with-stream --with-openssl=/opt/nginx/openssl-1.1.1k --with-http_ssl_module
[root@localhost nginx-1.21.1]# make && make install
6.添加systemd服务单元
[root@localhost /]# vi /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
# Start only once networking, remote mounts and name resolution are available.
After=network.target remote-fs.target nss-lookup.target
[Service]
# nginx daemonizes itself; systemd tracks the master process through the pid file.
Type=forking
# Default pid location for a /usr/local/nginx prefix build (nginx.conf does not set a pid directive).
PIDFile=/usr/local/nginx/logs/nginx.pid
# Validate the configuration first so a broken edit fails here instead of leaving nginx down.
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# nginx's own signals: HUP reloads the configuration gracefully, QUIT shuts down gracefully.
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
# Give the service a private /tmp and /var/tmp.
PrivateTmp=true
[Install]
WantedBy=multi-user.target
7.[root@localhost /]# systemctl start nginx
二.keepalived安装
[root@localhost /]# yum install -y keepalived
[root@localhost /]# mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
[root@localhost /]# vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
! Node-level settings. Mail notification is left disabled below, so a
! failover produces no alert; watch the VIP / VRRP state by other means.
global_defs {
  # notification_email {
  # cuimingkun@yinwuweiye.com
  # }
  # notification_email_from liuqingliang@domain.com
  # smtp_server 127.0.0.1
  # smtp_connect_timeout 30
  # Identifier for this node in logs.
  # NOTE(review): "NGINX_BACK" on a node configured as MASTER below looks
  # swapped - confirm which node this file is meant for.
  router_id NGINX_BACK
}
# Health check, run every 2 seconds. With a positive weight the node's
# priority is raised by 2 while the script exits 0.
# NOTE(review): nginx_pid.sh (section 3) reacts to a dead nginx by stopping
# keepalived itself rather than by exiting non-zero, so failover happens via
# process exit, not via this weight.
vrrp_script chk_http_port {
  # path of the health-check script
  script "/usr/local/sbin/nginx_pid.sh"
  interval 2
  weight 2
}
vrrp_instance VI_1 {
  # the standby node uses BACKUP
  state MASTER
  # interface the VIP is added to and VRRP advertisements are sent on
  interface ens33
  # must be identical on master and backup and unique per network segment
  virtual_router_id 51
  # the backup node must use a lower value
  priority 100
  # seconds between VRRP advertisements
  advert_int 1
  track_script {
    chk_http_port
  }
  # PASS authentication is a cleartext shared secret (keepalived uses at most
  # 8 characters). It only keeps unrelated VRRP groups apart; it is visible to
  # every host on the segment and is not an access control.
  authentication {
    auth_type PASS
    auth_pass 1111
  }
  # the virtual IP clients connect to
  virtual_ipaddress {
    172.16.16.15
  }
}
[root@localhost /]# service keepalived start
[root@localhost /]# chkconfig keepalived on
三.配置Nginx监测脚本
[root@localhost /]# vi /usr/local/sbin/nginx_pid.sh
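#!/bin/bash
# Keepalived health check for nginx (referenced by vrrp_script chk_http_port
# and run every `interval` seconds). If no nginx process exists, try to start
# nginx once; if it is still absent 3 seconds later, stop keepalived so the
# VIP moves to the backup node. Failure is reported by stopping keepalived,
# not by the exit status of this script.
#
# NOTE(review): `ps -C` counts every process named nginx, so while a second
# instance (e.g. the nginx_4.conf stream proxy started by hand in section 4)
# is running, the death of only one of them is not detected.
set -u

# Print the number of running processes whose command name is nginx
# (0 when none; `ps --no-header` prints nothing in that case).
nginx_count() {
  ps -C nginx --no-header | wc -l
}

if [ "$(nginx_count)" -eq 0 ]; then
  # Same binary and configuration the systemd unit uses.
  /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
  sleep 3
  if [ "$(nginx_count)" -eq 0 ]; then
    # Stopping keepalived releases the VIP on this node.
    killall keepalived
  fi
fi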
[root@localhost /]# service keepalived restart
四.配置nginx四层负载均衡
[root@localhost /]# vi /usr/local/nginx/conf/nginx_4.conf
# Layer-4 (TCP) proxy configuration. It is started by hand in section 4 with
# -c, i.e. as a second nginx master next to the systemd-managed nginx.conf
# instance.
#user nobody;
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
# NOTE(review): pid is left at its default (logs/nginx.pid), the same file
# the systemd-managed instance uses, so the two masters overwrite each
# other's pid file - set a distinct pid path here if both are meant to run.
#pid logs/nginx.pid;
events {
  worker_connections 1024;
}
stream {
  # One line per connection: client, upstream chosen, bytes and connect time.
  log_format proxy '$remote_addr $remote_port - [$time_local] $status $protocol '
  '"$upstream_addr" "$upstream_bytes_sent" "$upstream_connect_time"' ;
  # NOTE(review): while this stays commented out no stream connections are
  # logged, so there is no record of who reached ssh or mysql via the proxy.
  #access_log /var/log/nginx/proxy.log proxy;
  # Upstream forwarding ssh (port 22); consistent hashing on the client
  # address pins a client to one backend.
  upstream ssh {
    hash $remote_addr consistent;
    server 172.16.16.16:22;
    server 172.16.16.17:22;
  }
  # Upstream forwarding mysql (port 3306)
  upstream mysql {
    hash $remote_addr consistent;
    server 172.16.16.16:3306;
    server 172.16.16.17:3306;
  }
  server {
    listen 2021;               # externally exposed port for ssh
    proxy_connect_timeout 3s;  # TCP connect timeout towards the backend
    proxy_timeout 300s;        # idle limit between two successive reads/writes
    proxy_pass ssh;
  }
  server {
    listen 2022;               # externally exposed port for mysql
    proxy_connect_timeout 3s;
    # NOTE(review): proxy_timeout is the idle limit between successive reads
    # or writes, so a MySQL client that pauses more than 3s between queries
    # is disconnected; ssh above uses 300s - confirm 3s is intended here.
    proxy_timeout 3s;
    proxy_pass mysql;
  }
}
[root@localhost nginx]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx_4.conf
五.配置nginx七层负载均衡
5.1nginx七层负载均衡—HTTP
[root@localhost /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
[root@localhost /]# vi /usr/local/nginx/conf/nginx.conf
# Layer-7 HTTP load balancer. Replaces the stock nginx.conf (kept as
# nginx.conf.bak) and is the configuration the systemd unit starts.
#user nobody;
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
events {
  use epoll;
  worker_connections 65535;
}
http
{
  include mime.types;
  default_type application/octet-stream;
  server_tokens off;   # hide the nginx version in headers and error pages
  # Backend pool; ip_hash keeps a client IP on the same backend.
  upstream R-Server {
    ip_hash;
    server 172.16.16.16:80;
    server 172.16.16.17:80;
  }
  # HTTP server
  server {
    listen 80;
    server_name localhost;
    # Only this prefix is proxied; other URIs are served from the default root.
    location /imedical/web {
      # NOTE(review): no proxy_set_header Host / X-Forwarded-For, so the
      # backends see Host "R-Server" (nginx's $proxy_host default) and the
      # proxy's address as the client - confirm this is acceptable for their
      # logs and virtual-host routing.
      proxy_pass http://R-Server;
      # WebSocket pass-through; note that "Connection: upgrade" is sent on
      # every request, not only on actual upgrades.
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
      root html;
    }
  }
}
5.2nginx七层负载均衡—HTTPS
5.2.1自签发SSL证书
[root@localhost /]# mkdir CA-Server
[root@localhost /]# cd CA-Server/
[root@localhost CA-Server]# openssl genrsa -des3 -out server.key 2048
#会有两次要求输入密码,输入同一个即可,然后你就获得了一个server.key文件
#以后使用此文件(通过openssl提供的命令或API)可能经常会要求输入密码,如果想去除输入密码的步骤可以使用以下命令:
[root@localhost CA-Server]# openssl rsa -in server.key -out server.key
#创建服务器证书的申请文件server.csr,运行:
[root@localhost CA-Server]# openssl req -new -key server.key -out server.csr
#其中Country Name填CN,Common Name填主机名也可以不填,如果不填浏览器会认为不安全.(例如你以后的url为https://abcd/xxxx….这里就可以填abcd),其他的都可以不填.
#创建CA证书:
[root@localhost CA-Server]# openssl req -new -x509 -key server.key -out ca.crt -days 3650
#此时,你可以得到一个ca.crt的证书,这个证书用来给自己的证书签名.
#创建自当前日期起有效期为期十年的服务器证书server.crt:
[root@localhost CA-Server]# openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
#ls你的文件夹,可以看到一共生成了5个文件:
ca.crt ca.srl server.crt server.csr server.key
#其中,server.crt和server.key就是你的nginx需要的证书文件.
5.2.2配置Nginx
[root@localhost /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
[root@localhost /]# vi /usr/local/nginx/conf/nginx.conf
# Layer-7 HTTP + HTTPS load balancer; again replaces nginx.conf.
#user nobody;
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
events {
  use epoll;
  worker_connections 65535;
}
http
{
  include mime.types;
  default_type application/octet-stream;
  server_tokens off;   # hide the nginx version in headers and error pages
  # Backend pool, plain HTTP on port 80; ip_hash keeps a client IP on the
  # same backend.
  upstream R-Server {
    ip_hash;
    server 172.16.16.16:80;
    server 172.16.16.17:80;
    server 172.16.16.18:80;
  }
  # HTTP server
  server {
    listen 80;
    server_name localhost;
    location /imedical/web {
      # NOTE(review): no proxy_set_header Host / X-Forwarded-For, so the
      # backends see Host "R-Server" and the proxy's address as the client.
      proxy_pass http://R-Server;
      # WebSocket pass-through; "Connection: upgrade" is sent on every request.
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
      root html;
    }
  }
  # HTTPS server
  server {
    listen 443 ssl;
    server_name localhost;
    # Certificate and key from section 5.2.1. They were generated in the
    # CA-Server directory and have to be copied to this path. server.crt is
    # self-signed (ca.crt and server.crt were both made with server.key), so
    # clients only trust it if ca.crt is installed on their side.
    ssl_certificate /usr/local/nginx/ssl/server.crt;
    ssl_certificate_key /usr/local/nginx/ssl/server.key;
    # 1 MB shared session cache (about 4000 sessions) with a 5 minute lifetime.
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # NOTE(review): ssl_protocols is not set, so nginx's built-in default
    # applies; for the 1.21.x series that still includes TLSv1 and TLSv1.1.
    # `ssl_protocols TLSv1.2 TLSv1.3;` would restrict it to current versions.
    # HIGH:!aNULL:!MD5 below is nginx's default cipher string.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
      # NOTE(review): R-Server's members listen on port 80 but are addressed
      # with https://, so nginx will attempt a TLS handshake against a
      # plaintext port. Use http://R-Server, or a separate upstream on the
      # backends' TLS port. If the backends do speak TLS, proxy_ssl_verify
      # defaults to off, so their certificates are not checked.
      proxy_pass https://R-Server;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
  }
}