Nginx+Keepalived实现四层及七层负载均衡



一.Nginx及Openssl编译安装

1.卸载旧版本Nginx及Openssl
[root@localhost ~]# yum remove nginx
[root@localhost ~]# yum remove openssl

2.安装编译环境依赖
[root@localhost ~]# yum -y install gcc gcc-c++ autoconf automake make
[root@localhost ~]# yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel psmisc

3.下载最新版Nginx及openssl(http://nginx.org/en/download.html)
[root@localhost ~]# mkdir /opt/nginx
[root@localhost ~]# cd /opt/nginx/
[root@localhost nginx]# wget http://nginx.org/download/nginx-1.21.1.tar.gz
[root@localhost nginx]# wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz

4.编译安装Openssl
[root@localhost nginx]# tar xzvf openssl-1.1.1k.tar.gz
[root@localhost nginx]# cd openssl-1.1.1k
[root@localhost openssl-1.1.1k]# ./config
[root@localhost openssl-1.1.1k]# make && make install

5.编译安装Nginx
[root@localhost nginx]# tar xzvf nginx-1.21.1.tar.gz
[root@localhost nginx]# cd nginx-1.21.1
[root@localhost nginx-1.21.1]# ./configure --with-stream --with-openssl=/opt/nginx/openssl-1.1.1k --with-http_ssl_module
[root@localhost nginx-1.21.1]# make && make install

6.添加systemd服务单元
[root@localhost /]# vi /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
# All paths below assume nginx's default install prefix (/usr/local/nginx);
# the ./configure call in step 5 passes no --prefix, so that default applies.
PIDFile=/usr/local/nginx/logs/nginx.pid
# Validate the configuration first so a broken edit fails the unit start
# instead of killing a running instance.
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# HUP asks the nginx master to reload its config; QUIT is a graceful shutdown
# that lets in-flight requests finish.
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target

7.[root@localhost /]# systemctl start nginx

二.keepalived安装

[root@localhost /]# yum install -y keepalived
[root@localhost /]# mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
[root@localhost /]# vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
#   notification_email {   # optional: addresses mailed on a VRRP state change
#     cuimingkun@yinwuweiye.com
#   }
#   notification_email_from liuqingliang@domain.com
#   smtp_server 127.0.0.1
#   smtp_connect_timeout 30
  router_id NGINX_BACK
}
# Health check for the local nginx; the script is defined in section 三 below.
# With a positive weight, a passing check raises this node's effective priority by 2.
vrrp_script chk_http_port {
              script "/usr/local/sbin/nginx_pid.sh" # location of the check script
              interval 2
              weight 2
}
vrrp_instance VI_1 {
  state MASTER        # the standby node uses BACKUP
  interface ens33
  virtual_router_id 51
  priority 100        # the standby node must use a lower value
  advert_int 1
  track_script {
      chk_http_port
  }
  authentication {
      auth_type PASS
      auth_pass 1111    # NOTE(review): sample value; set a site-specific secret, identical on both nodes
  }
  virtual_ipaddress {    
172.16.16.15 # virtual IP (VIP) that follows the MASTER
  }
}

[root@localhost /]# service keepalived start
[root@localhost /]# chkconfig keepalived on

三.配置Nginx监测脚本

[root@localhost /]# vi /usr/local/sbin/nginx_pid.sh
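#!/bin/bash
# keepalived track script for nginx.
#
# If no nginx process is running, try to start it once; if it is still not
# running three seconds later, stop keepalived so the VIP fails over to the
# BACKUP node. The script's exit status is what keepalived evaluates
# (0 = healthy): the last command's status is returned, so a healthy nginx
# yields 0 exactly as before.
#
# Fix: the original put `if` on the same line as the assignment with no
# separator, which is a bash syntax error; expansions are now quoted.

# Number of running nginx processes (master + workers); 0 means nginx is down.
nginx_count=$(ps -C nginx --no-header | wc -l)

if [ "$nginx_count" -eq 0 ]; then
  /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
  # Give the master time to fork its workers before re-checking.
  sleep 3
  if [ "$(ps -C nginx --no-header | wc -l)" -eq 0 ]; then
    # nginx could not be recovered locally: drop keepalived so the peer takes the VIP.
    killall keepalived
  fi
fi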

[root@localhost /]# service keepalived restart

四.配置nginx四层负载均衡

[root@localhost /]# vi /usr/local/nginx/conf/nginx_4.conf
#user nobody;
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
# pid is left at the default (logs/nginx.pid under the prefix), i.e. the same
# file the systemd-managed nginx.conf instance uses. NOTE(review): starting this
# config next to that instance from the same prefix will clash on the pid file;
# confirm only one of them runs at a time, or set a distinct pid/prefix.
#pid       logs/nginx.pid;
events {
  worker_connections  1024;
}
stream {
  log_format proxy '$remote_addr $remote_port - [$time_local] $status $protocol '
                     '"$upstream_addr" "$upstream_bytes_sent" "$upstream_connect_time"' ;
   #access_log /var/log/nginx/proxy.log proxy;

# TCP pass-through for SSH (port 22); consistent hashing on the client address
# keeps a given client on the same backend while the server set is unchanged.
  upstream ssh {
          hash $remote_addr consistent;
          server 172.16.16.16:22;
          server 172.16.16.17:22;
  }
# TCP pass-through for MySQL (port 3306), same stickiness rule.
  upstream mysql {
          hash $remote_addr consistent;
          server 172.16.16.16:3306;
          server 172.16.16.17:3306;
  }
  server {
          listen 2021;
          proxy_connect_timeout 3s;
          # Idle limit between two successive reads/writes on the session.
          proxy_timeout 300s;
          proxy_pass ssh;
  }

  server {
          listen 2022;
          proxy_connect_timeout 3s;
          # NOTE(review): proxy_timeout is an idle timeout, not a connect timeout;
          # 3s closes any MySQL session that is quiet for 3s — confirm this is intended.
          proxy_timeout 3s;
          proxy_pass mysql;
  }
}

[root@localhost nginx]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx_4.conf

五.配置nginx七层负载均衡

5.1nginx七层负载均衡—HTTP

[root@localhost /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
[root@localhost /]# vi /usr/local/nginx/conf/nginx.conf
#user nobody;
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
events {
  use epoll;
  worker_connections  65535;
}
http
{
include       mime.types;
default_type application/octet-stream;
# Do not reveal the nginx version in the Server header or error pages.
server_tokens off;

# Backend pool; ip_hash pins each client IP to one backend (session stickiness).
  upstream R-Server {
  ip_hash;
  server 172.16.16.16:80;
  server 172.16.16.17:80;
  }
# HTTP server
  server {
      listen       80;
      server_name localhost;
      location /imedical/web {
          proxy_pass   http://R-Server;
          # HTTP/1.1 plus the Upgrade/Connection headers lets WebSocket upgrades pass.
          # NOTE(review): Connection is forced to "upgrade" for every request; the
          # pattern in the nginx docs derives it from $http_upgrade via a map — confirm.
          # No Host / X-Forwarded-For headers are set, so the backend sees the upstream
          # name as Host and the proxy's address as the client — confirm that is wanted.
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
      }
      error_page   500 502 503 504 /50x.html;
      location = /50x.html {
          root   html;
          }    
  }
}

5.2nginx七层负载均衡—HTTPS

5.2.1自签发SSL证书

[root@localhost /]# mkdir CA-Server
[root@localhost /]# cd CA-Server/
[root@localhost CA-Server]# openssl genrsa -des3 -out server.key 2048
#会有两次要求输入密码,输入同一个即可,然后你就获得了一个server.key文件
#以后使用此文件(通过openssl提供的命令或API)可能经常会要求输入密码,如果想去除输入密码的步骤可以使用以下命令:
[root@localhost CA-Server]# openssl rsa -in server.key -out server.key

#创建服务器证书的申请文件server.csr,运行:
[root@localhost CA-Server]# openssl req -new -key server.key -out server.csr
#其中Country Name填CN,Common Name填主机名也可以不填,如果不填浏览器会认为不安全.(例如你以后的url为https://abcd/xxxx….这里就可以填abcd),其他的都可以不填.

#创建CA证书:
[root@localhost CA-Server]# openssl req -new -x509 -key server.key -out ca.crt -days 3650
#此时,你可以得到一个ca.crt的证书,这个证书用来给自己的证书签名.

#创建自当前日期起有效期为期十年的服务器证书server.crt:
[root@localhost CA-Server]# openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt

#ls你的文件夹,可以看到一共生成了5个文件:
ca.crt   ca.srl   server.crt   server.csr   server.key
#其中,server.crt和server.key就是你的nginx需要的证书文件.

5.2.2配置Nginx

[root@localhost /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
[root@localhost /]# vi /usr/local/nginx/conf/nginx.conf
#user nobody;
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
events {
  use epoll;
  worker_connections  65535;
}
http
{
include       mime.types;
default_type application/octet-stream;
# Do not reveal the nginx version in the Server header or error pages.
server_tokens off;

# Backend pool; ip_hash pins each client IP to one backend (session stickiness).
# All members listen on plain port 80 — see the HTTPS location note below.
  upstream R-Server {
  ip_hash;
  server 172.16.16.16:80;
  server 172.16.16.17:80;
  server 172.16.16.18:80;
  }
# HTTP server
  server {
      listen       80;
      server_name localhost;
      location /imedical/web {
          proxy_pass   http://R-Server;
          # HTTP/1.1 plus the Upgrade/Connection headers lets WebSocket upgrades pass.
          # NOTE(review): Connection is forced to "upgrade" for every request; the
          # pattern in the nginx docs derives it from $http_upgrade via a map — confirm.
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
      }
      error_page   500 502 503 504 /50x.html;
      location = /50x.html {
          root   html;
          }    
  }

# HTTPS server
  server {
      listen       443 ssl;
      server_name localhost;

      # server.crt/server.key are the files produced in CA-Server/ (section 5.2.1)
      # and must be copied here. The passphrase was stripped from server.key, so
      # keep it readable by root only. Note that in those steps ca.crt and
      # server.crt are both derived from the same server.key.
      ssl_certificate     /usr/local/nginx/ssl/server.crt;
      ssl_certificate_key /usr/local/nginx/ssl/server.key;

      ssl_session_cache   shared:SSL:1m;
      ssl_session_timeout 5m;

      # NOTE(review): no ssl_protocols directive, so this build's default applies
      # (which may still admit TLSv1/TLSv1.1); consider `ssl_protocols TLSv1.2 TLSv1.3;`.
      ssl_ciphers HIGH:!aNULL:!MD5;
      ssl_prefer_server_ciphers on;
      location / {
            # NOTE(review): R-Server lists backends on port 80, yet this proxies with
            # https://, i.e. TLS handshakes to port 80 — confirm the backends speak TLS
            # there, otherwise use http://R-Server or a separate upstream on 443.
            # proxy_ssl_verify is off by default, so the backend certificate is not
            # validated in the https:// case.
            proxy_pass   https://R-Server;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
      }
  }
}

