Nginx+Keepalived实现四层及七层负载均衡

 

 

 

一.Nginx及Openssl编译安装

1.卸载就版本Nginx及Openssl
[root@localhost ~]# yum remove nginx
[root@localhost ~]# yum remove openssl
​
2.安装编译环境依赖
[root@localhost ~]# yum -y install gcc gcc-c++ autoconf automake make
[root@localhost ~]# yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel psmisc
​
3.下载最新版Nginx及openssl(http://nginx.org/en/download.html)
[root@localhost ~]# mkdir /opt/nginx
[root@localhost ~]# cd /opt/nginx/
[root@localhost nginx]# wget http://nginx.org/download/nginx-1.21.1.tar.gz
[root@localhost nginx]# wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
​
4.编译安装Openssl
[root@localhost nginx]# tar xzvf openssl-1.1.1k.tar.gz
[root@localhost nginx]# cd openssl-1.1.1k
[root@localhost openssl-1.1.1k]# ./config
[root@localhost openssl-1.1.1k]# make && make install
​
5.编译安装Nginx
[root@localhost nginx]# tar xzvf nginx-1.21.1.tar.gz
[root@localhost nginx]# cd nginx-1.21.1
[root@localhost nginx-1.21.1]# ./configure --with-stream  --with-openssl=/opt/nginx/openssl-1.1.1k --with-http_ssl_module
[root@localhost nginx-1.21.1]# make && make install
​
6.添加系统变量
[root@localhost /]# vi /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
​
7.[root@localhost /]# systemctl start nginx

二.keepalived安装

[root@localhost /]# yum install -y keepalived
[root@localhost /]# mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
[root@localhost /]# vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
#   notification_email {    ####此处定义发生替换会邮件通知
#     cuimingkun@yinwuweiye.com
#   }
#   notification_email_from liuqingliang@domain.com
#   smtp_server 127.0.0.1
#   smtp_connect_timeout 30
   router_id NGINX_BACK
}
vrrp_script chk_http_port {
                script "/usr/local/sbin/nginx_pid.sh" ##监控脚本位置
                interval 2
                weight 2
}
vrrp_instance VI_1 {
    state MASTER        #####备机为BACKUP
    interface ens33
    virtual_router_id 51
    priority 100        #####备机要小于主
    advert_int 1
    track_script {
       chk_http_port
    }
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {     
        172.16.16.15 ####虚拟IP
    }
}
​
[root@localhost /]# service keepalived start
[root@localhost /]# chkconfig keepalived on

三.配置Nginx监测脚本

[root@localhost /]# vi /usr/local/sbin/nginx_pid.sh
#!/bin/bash
A=`ps -C nginx --no-header |wc -l` if [ $A -eq 0 ];then
        /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
        sleep 3
        if [ `ps -C nginx --no-header |wc -l` -eq 0 ];then
                killall keepalived
        fi
fi
​
[root@localhost /]# service keepalived restart

四.配置nginx四层负载均衡

[root@localhost /]# vi /usr/local/nginx/conf/nginx_4.conf
#user  nobody;
worker_processes  auto;
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
#pid        logs/nginx.pid;
events {
    worker_connections  1024;
}
stream {
    log_format  proxy '$remote_addr $remote_port - [$time_local] $status $protocol '
                      '"$upstream_addr" "$upstream_bytes_sent" "$upstream_connect_time"' ;
    #access_log /var/log/nginx/proxy.log proxy;
​
#定义转发ssh的22端口
    upstream ssh {
            hash $remote_addr consistent;
            server 172.16.16.16:22;
            server 172.16.16.17:22;
    }
#定义转发mysql的3306端口
    upstream mysql {
            hash $remote_addr consistent;
            server 172.16.16.16:3306;
            server 172.16.16.17:3306;
    }
    server {
            listen 2021;
            proxy_connect_timeout 3s;
            proxy_timeout 300s;
            proxy_pass ssh;
    }
​
    server {
            listen 2022;
            proxy_connect_timeout 3s;
            proxy_timeout 3s;
            proxy_pass mysql;
    }
}
​
root@localhost nginx]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx_4.conf

五.配置nginx七层负载均衡

5.1nginx七层负载均衡—HTTP

[root@localhost /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
[root@localhost /]# vi /usr/local/nginx/conf/nginx.conf
#user  nobody;
worker_processes  auto;
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
events {
    use epoll;
    worker_connections  65535;
}
http 
{
  include       mime.types;
  default_type  application/octet-stream;
  server_tokens off;
​
    upstream R-Server {
    ip_hash;
    server 172.16.16.16:80;
    server 172.16.16.17:80;
    }
#HTTP-server    
    server {
        listen       80;
        server_name  localhost;
        location /imedical/web {
            proxy_pass   http://R-Server;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
            }     
    }
}

5.2nginx七层负载均衡—HTTPS

5.2.1自签发SSL证书

[root@localhost /]# mkdir CA-Server
[root@localhost /]# cd CA-Server/
[root@localhost CA-Server]# openssl genrsa -des3 -out server.key 2048
#会有两次要求输入密码,输入同一个即可,然后你就获得了一个server.key文件
#以后使用此文件(通过openssl提供的命令或API)可能经常回要求输入密码,如果想去除输入密码的步骤可以使用以下命令:
[root@localhost CA-Server]# openssl rsa -in server.key -out server.key
​
#创建服务器证书的申请文件server.csr,运行:
[root@localhost CA-Server]# openssl req -new -key server.key -out server.csr
#其中Country Name填CN,Common Name填主机名也可以不填,如果不填浏览器会认为不安全.(例如你以后的url为https://abcd/xxxx….这里就可以填abcd),其他的都可以不填. 
​
#创建CA证书:
[root@localhost CA-Server]# openssl req -new -x509 -key server.key -out ca.crt -days 3650
#此时,你可以得到一个ca.crt的证书,这个证书用来给自己的证书签名. 
​
#创建自当前日期起有效期为期十年的服务器证书server.crt：
[root@localhost CA-Server]# openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
​
#ls你的文件夹,可以看到一共生成了5个文件:
ca.crt   ca.srl    server.crt   server.csr   server.key
#其中,server.crt和server.key就是你的nginx需要的证书文件.

5.2.2配置Nginx

[root@localhost /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
[root@localhost /]# vi /usr/local/nginx/conf/nginx.conf
#user  nobody;
worker_processes  auto;
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
events {
    use epoll;
    worker_connections  65535;
}
http 
{
  include       mime.types;
  default_type  application/octet-stream;
  server_tokens off;
​
    upstream R-Server {
    ip_hash;
    server 172.16.16.16:80;
    server 172.16.16.17:80;
    server 172.16.16.18:80;
    }
#HTTP-server    
    server {
        listen       80;
        server_name  localhost;
        location /imedical/web {
            proxy_pass   http://R-Server;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
            }     
    }
​
#HTTPS-server
    server {
        listen       443 ssl;
        server_name  localhost;
​
        ssl_certificate      /usr/local/nginx/ssl/server.crt;
        ssl_certificate_key  /usr/local/nginx/ssl/server.key;
​
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
​
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        location / {
             proxy_pass   https://R-Server;
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "upgrade";
        }
    }
}