Centos7+Nginx+keepalived 双机 主从模式

基础介绍

负载均衡技术对于一个网站尤其是大型网站的web服务器集群来说是至关重要的!做好负载均衡架构,可以实现故障转移和高可用环境,避免单点故障,保证网站健康持续运行。

由于业务扩展,网站的访问量不断加大,负载越来越高。现需要在web前端放置nginx负载均衡,同时结合keepalived对前端nginx实现HA高可用。

一:Centos7+Nginx+keepalived 双机 主从模式

1、环境介绍

Centos7+Nginx+keepalived 双机 主从模式

2、环境安装

1、关闭selinux

临时关闭:
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive
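永久关闭(修改后需重启系统才生效):
[root@localhost ~]# vim /etc/sysconfig/selinux
SELINUX=enforcing 改为 SELINUX=disabled
说明:关闭后系统不再有SELinux的强制访问控制;若只是为了排查问题,用上面的setenforce 0临时切换即可,生产环境可保持enforcing并按需放行nginx、keepalived所需的访问。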

2、安装依赖包

[root@nginx-test01 ~]# yum -y install make zlib zlib-devel gcc-c++ libtool  openssl openssl-devel
[root@nginx-test01 ~]# yum -y install wget
[root@nginx-test01 ~]# wget http://downloads.sourceforge.net/project/pcre/pcre/8.35/pcre-8.35.tar.gz
[root@nginx-test01 ~]# tar -zxf pcre-8.35.tar.gz
[root@nginx-test01 ~]# cd pcre-8.35
[root@nginx-test01 ~]# ./configure
[root@nginx-test01 ~]# make
[root@nginx-test01 ~]# make install

3、查看pcre版本验证是否安装成功

[root@nginx-test01 ~]# pcre-config --version
8.35

4、安装Nginx-1.19.8

说明:本步骤与上一步的源码包都是通过HTTP明文下载的,解压编译前应与官方发布的校验值或PGP签名核对,确认文件未被篡改。

[root@nginx-test01 ~]# wget http://nginx.org/download/nginx-1.19.8.tar.gz
[root@nginx-test01 ~]# tar -zxf nginx-1.19.8.tar.gz
[root@nginx-test01 ~]# cd nginx-1.19.8
[root@nginx-test01 ~]# ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module #此参数为加载SSL模块。配置https必须安装此模块。
[root@nginx-test01 ~]# make&& make install

5、测试Nginx

[root@nginx-test01 ~]# cd /usr/local/nginx/sbin/
[root@nginx-test01 sbin]# ./nginx  #启动nginx
[root@nginx-test01 sbin]# ps -aux | grep nginx  #查看nginx进程
nobody    5648  0.0  0.1  52864  8484 ?        S    5月14   0:00 nginx: worker process
nobody    5649  0.0  0.1  52864  8724 ?        S    5月14   0:00 nginx: worker process
nobody    5650  0.0  0.1  52864  8540 ?        S    5月14   0:00 nginx: worker process
nobody    5651  0.0  0.1  52864  8592 ?        S    5月14   0:00 nginx: worker process
nobody    5652  0.0  0.1  52864  8604 ?        S    5月14   0:00 nginx: worker process
nobody    5653  0.0  0.1  52864  8544 ?        S    5月14   0:00 nginx: worker process
nobody    5654  0.0  0.1  52864  8504 ?        S    5月14   0:00 nginx: worker process
nobody    5655  0.0  0.1  52864  8540 ?        S    5月14   0:00 nginx: worker process
root      7773  0.0  0.0  48692  3748 ?        Ss   4月05   0:00 nginx: master process /usr/local/nginx/sbin/nginx
root     29918  0.0  0.0 112824   980 pts/0    S+   10:31   0:00 grep --color=auto nginx

通过网页访问http://10.12.243.1也可以进行验证

6、安装keepalived

[root@nginx-test01 sbin]# yum -y install keepalived
[root@nginx-test01 sbin]# systemctl start  keepalived.service #启动服务
[root@nginx-test01 keepalived]# ps -aux | grep keepalived  #验证
root      7509  0.0  0.0 118712  1380 ?        Ss   4月05   2:39 /usr/sbin/keepalived -D
root      7510  0.0  0.0 118712  2600 ?        S    4月05   2:35 /usr/sbin/keepalived -D
root      7511  0.0  0.0 120836  2504 ?        S    4月05  32:06 /usr/sbin/keepalived -D
root     31508  0.0  0.0 112824   988 pts/0    S+   10:41   0:00 grep --color=auto keepalived

7、配置防火墙策略

firewall-cmd --permanent --add-port=80/tcp  #添加端口
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface ens192 --destination 224.0.0.18 --protocol vrrp -j ACCEPT  #防止keepalived发生脑裂现象
firewall-cmd --reload  #重新加载防火墙策略
firewall-cmd --list-all  #查看策略

8、根据上述1-7的操作步骤配置nginx-2服务器

3、Keepalived主从配置

1、配置两台主机keepalived

[root@nginx-test01 ~]# vi /etc/keepalived/keepalived.conf 

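! Configuration File for keepalived (MASTER node, edited on nginx-test01)

global_defs {
    router_id LVS_01            # identifier of this machine
}

# Health check executed by keepalived and tracked by VI_1 below.
vrrp_script nginx {
    script "/etc/keepalived/nginx.sh"   # path of the check script
    interval 2                  # run the check every 2 seconds
    weight -20                  # lower this node's priority by 20 while the check fails
    # NOTE(review): 150 - 20 = 130 is still higher than the backup's 100, so the
    # weight alone never moves the VIP; failover in this setup relies on
    # nginx.sh stopping keepalived when nginx cannot be restarted.
}

vrrp_instance VI_1 {
    state MASTER                # this node starts as the master
    interface ens192            # NIC name, must match the local interface
    virtual_router_id 52        # must be identical on both nodes
    priority 150                # higher value wins the election
    advert_int 1                # advertisement interval in seconds
    authentication {
        auth_type PASS
        # Sample value; must match on both nodes. PASS authentication is
        # carried unencrypted in the VRRP advertisements, so replace it and
        # also restrict VRRP traffic to the peer at the firewall.
        auth_pass 1111
    }
    virtual_ipaddress {
        10.12.243.3/24          # the VIP that clients connect to
    }
    track_script {
        nginx                   # nginx liveness check defined above
    }
}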
[root@nginx-test02 ~]# vi /etc/keepalived/keepalived.conf 

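! Configuration File for keepalived (BACKUP node, edited on nginx-test02)

global_defs {
    router_id LVS_02            # identifier of this machine
}

# Health check executed by keepalived and tracked by VI_1 below.
vrrp_script nginx {
    script "/etc/keepalived/nginx.sh"   # path of the check script
    interval 2                  # run the check every 2 seconds
    weight -20                  # lower this node's priority by 20 while the check fails
}

vrrp_instance VI_1 {
    state BACKUP                # this node starts as the backup
    interface ens192            # NIC name, must match the local interface
    virtual_router_id 52        # must be identical on both nodes
    priority 100                # lower than the master's 150
    advert_int 1                # advertisement interval in seconds
    authentication {
        auth_type PASS
        # Sample value; must match the master. PASS authentication is carried
        # unencrypted in the VRRP advertisements, so replace it and also
        # restrict VRRP traffic to the peer at the firewall.
        auth_pass 1111
    }
    virtual_ipaddress {
        10.12.243.3/24          # the VIP that clients connect to
    }
    track_script {
        nginx                   # nginx liveness check defined above
    }
}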

2、重启服务验证

#两台设备重启keepalived服务 
systemctl restart  keepalived.service
#验证keepalived服务 
[root@nginx-test01 keepalived]# ps -aux | grep keepalived 
#验证主备功能
[root@nginx-test01 ~]# ip add | grep 10.12.243.3
    inet 10.12.243.3/24 scope global secondary ens192

[root@nginx-test02 ~]# ip add | grep 10.12.243.3
[root@nginx-test02 ~]# 
关闭nginx1服务器中Keepalived再次执行命令查看
[root@nginx-test01 ~]# ip add | grep 10.12.243.3
[root@nginx-test01 ~]# 

[root@nginx-test02 ~]# ip add | grep 10.12.243.3
    inet 10.12.243.3/24 scope global secondary ens192
#VIP 10.12.243.3 同一时刻只出现在一台设备上,并在主机keepalived停止后漂移到备机,则表明keepalived主备配置成功

3、配置nginx检测脚本,实现主nginx挂掉后自动关闭keepalived实现切换功能

[root@nginx-test01 ~]# vi /etc/keepalived/nginx.sh 

#!/bin/bash
# nginx liveness check, referenced as the vrrp_script in keepalived.conf.
# If no nginx process exists, start nginx once; if it is still absent two
# seconds later, terminate keepalived so this node gives up the VIP.
#
# NOTE: the "nginx is down" case is signalled only by killing keepalived;
# the script does not return a failure status of its own for it.

# Print the number of processes whose command name is nginx.
nginx_process_count() {
    ps -C nginx --no-heading | wc -l
}

if [ "$(nginx_process_count)" = "0" ]; then
    # nginx is not running: attempt a single restart and let it settle.
    /usr/local/nginx/sbin/nginx
    sleep 2
    if [ "$(nginx_process_count)" = "0" ]; then
        # Restart failed: stop keepalived so the peer takes over.
        killall keepalived
    fi
fi
[root@nginx-test01 ~]# chmod a+x /etc/keepalived/nginx.sh  #添加执行权限;该脚本由以root运行的keepalived调用,应保持属主为root且其他用户不可写

4、配置Nginx负载均衡

1、配置负载均衡

[root@nginx-test01 ~]# vi /usr/local/nginx/conf/nginx.conf

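# nginx.conf: HTTP->HTTPS redirect plus TLS-terminating load balancer in
# front of the two backends in the "ceshi80" upstream.

#user  nobody;
worker_processes  8;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

pid        logs/nginx.pid;


events {
    use epoll;
    worker_connections  10240;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;
    server_names_hash_bucket_size 128;
    client_max_body_size 300m;
    sendfile        on;
    keepalive_timeout  65;

    gzip  on;
    # Do not disclose the nginx version in the Server header and error pages.
    server_tokens off;

    # Backend pool. No balancing method is set, so nginx uses round-robin.
    upstream ceshi80 {
        server 10.12.243.5:80;
        server 10.12.243.6:80;
    }

    # Port 80 serves no content; every request is redirected to HTTPS.
    server {
        listen       80;
        server_name  ceshi.com;
        access_log  /var/log/nginx/ceshi.access.log   main;

        # Redirect to the configured server name instead of echoing the
        # client-supplied Host header back into the Location header.
        # No location block is needed here: the redirect answers every request.
        return 301 https://$server_name$request_uri;
    }

    server {
        listen       443 ssl;
        server_name  ceshi.com;
        access_log  /var/log/nginx/ceshi.443.log   main;

        ssl_certificate      /usr/local/nginx/ssl/XXX.pem;  # path to the TLS certificate
        ssl_certificate_key  /usr/local/nginx/ssl/XXX.key;  # path to the private key; keep it readable by root only

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        # Set explicitly so TLSv1 / TLSv1.1 are not offered. TLSv1.3 only
        # takes effect when nginx is built against OpenSSL 1.1.1 or newer.
        ssl_protocols  TLSv1.2 TLSv1.3;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            proxy_pass  http://ceshi80;   # traffic to the backends is plain HTTP
            index  index.html index.htm;
        }
    }

}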

2、验证配置重启nginx服务

[root@nginx-test01 ~]# cd /usr/local/nginx/sbin/
[root@nginx-test01 sbin]# ./nginx -t #验证配置文件语法
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx-test01 sbin]# ./nginx -s reload #重新加载配置

3、验证负载均衡

  1. 修改DNS服务器,将ceshi.com解析至10.12.243.3 
  2. 在每台tomcat的首页中加入本机IP,便于区分是哪台后端响应
  3. 浏览器多次访问ceshi.com,查看页面显示的IP是否在后端服务器之间轮换

5、nginx2配置

[root@nginx-test01 ~]# cd /usr/local/nginx/conf/            
[root@nginx-test01 conf]# scp nginx.conf root@10.12.243.2:/usr/local/nginx/conf/
[root@nginx-test02 sbin]# ./nginx -s reload #重新加载配置

6、操作完成

 
