Setting up HTTPS on top of the configuration from the article "LVS configuration: NAT mode"
Environment

| System | IP |
| --- | --- |
| redhat8 test | 192.168.100.130 |
| redhat8 DR | 192.168.100.131 vip:192.168.18.250 |
| redhat8 RS1 | 192.168.100.132 |
| redhat8 RS2 | 192.168.100.133 |

Set up the CA on the LVS server
```
//RS1
echo test1 > /var/www/html/index.html

//RS2
echo test2 > /var/www/html/index.html
```
Generate a key pair
```
//DR
[root@DR ~]# mkdir -p /etc/pki/CA/private
[root@DR ~]# cd /etc/pki/CA
[root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
[root@DR CA]# openssl rsa -in private/cakey.pem -pubout
```
Generate the self-signed certificate
```
//DR
[root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 1024
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:thl
Organizational Unit Name (eg, section) []:thl
Common Name (eg, your name or your server's hostname) []:thl
Email Address []:1@2.com
[root@DR CA]# touch index.txt && echo 01 > serial
```
RS1 generates a certificate signing request and sends it to the CA
```
//RS1
[root@RS1 ~]# yum -y install mod_ssl
[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]# cd /etc/httpd/ssl
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
[root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:thl
Organizational Unit Name (eg, section) []:thl
Common Name (eg, your name or your server's hostname) []:thl
Email Address []:1@2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@RS1 ssl]# ls
httpd.csr  httpd.key

//Send the certificate signing request file to the CA
[root@RS1 ssl]# scp httpd.csr root@192.168.100.131:/root/
```
The CA signs the certificate and sends it to RS1
```
//DR
[root@DR ~]# mkdir /etc/pki/CA/newcerts
[root@DR ~]# touch /etc/pki/CA/index.txt
//Tracks the serial number of the last issued certificate
[root@DR ~]# echo "01" > /etc/pki/CA/serial
[root@DR ~]# ls
anaconda-ks.cfg  httpd.csr
[root@DR ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 6 08:10:00 2021 GMT
            Not After : Feb 24 08:10:00 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = thl
            organizationalUnitName    = thl
            commonName                = thl
            emailAddress              = 1@2.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C5:3B:A3:CD:89:65:21:12:CC:88:1A:AD:67:21:58:8A:66:DE:76:55
            X509v3 Authority Key Identifier:
                keyid:CA:22:DC:EF:D3:15:26:6A:EA:AA:B1:83:66:8E:E6:FB:AD:G4:0B:DF

Certificate is to be certified until Feb 24 08:10:00 2024 GMT (1024 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@DR ~]# ls
anaconda-ks.cfg  httpd.crt  httpd.csr

//The CA sends the signed certificate httpd.crt and the CA server's certificate cacert.pem to RS1
[root@DR ~]# scp httpd.crt root@192.168.100.132:/etc/httpd/ssl
[root@DR ~]# scp /etc/pki/CA/cacert.pem root@192.168.100.132:/etc/httpd/ssl
```
Configure HTTPS
Send RS1's certificate and key to RS2
```
//RS2
[root@RS2 ~]# yum -y install mod_ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl

//RS1
[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]# scp cacert.pem httpd.crt httpd.key root@192.168.100.133:/etc/httpd/ssl

//RS2
[root@RS2 ~]# ls /etc/httpd/ssl/
cacert.pem  httpd.crt  httpd.key
```
Edit the HTTPS configuration file
```
//RS1
[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
//After editing, it looks like this
SSLCertificateFile /etc/httpd/ssl/httpd.crt
······
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
······
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
······

//Restart the service
[root@RS1 ~]# systemctl restart httpd
[root@RS1 ~]# ss -antl
State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port
LISTEN   0        128      0.0.0.0:22           0.0.0.0:*
LISTEN   0        128      [::]:22              [::]:*
LISTEN   0        128      *:443                *:*
LISTEN   0        128      *:80                 *:*

//RS2
[root@RS2 ~]# vim /etc/httpd/conf.d/ssl.conf
//After editing, it looks like this
SSLCertificateFile /etc/httpd/ssl/httpd.crt
······
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
······
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
······

//Restart the service
[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# ss -antl
State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port
LISTEN   0        128      0.0.0.0:22           0.0.0.0:*
LISTEN   0        128      [::]:22              [::]:*
LISTEN   0        128      *:443                *:*
LISTEN   0        128      *:80                 *:*
```
Add and save the rules
```
//DR
//Add the virtual service and its scheduler
[root@DR ~]# ipvsadm -A -t 192.168.18.250:443 -s rr
//Add the real-server IP addresses to forward to
[root@DR ~]# ipvsadm -a -t 192.168.18.250:443 -r 192.168.100.132 -m
[root@DR ~]# ipvsadm -a -t 192.168.18.250:443 -r 192.168.100.133 -m
[root@DR ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.18.250:80 rr
  -> 192.168.100.132:80           Masq    1      0          0
  -> 192.168.100.133:80           Masq    1      0          0
TCP  192.168.18.250:443 rr
  -> 192.168.100.132:443          Masq    1      0          0
  -> 192.168.100.133:443          Masq    1      0          0

//Save the rules
[root@DR ~]# ipvsadm -S > /etc/sysconfig/ipvsadm
```
Access test
```
//test
[root@client ~]# curl -k https://192.168.18.250
test1
[root@client ~]# curl -k https://192.168.18.250
test2
[root@client ~]# curl -k https://192.168.18.250
test1
[root@client ~]# curl -k https://192.168.18.250
test2
```
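The access test uses `curl -k`, which skips certificate verification, and the certificate signed earlier has CN=thl with no subjectAltName. The script below is an added example, not part of the original post: it builds a throwaway CA in a temp directory, issues one certificate without a SAN and one with the VIP as an IP SAN, then runs two checks: that a key matches its certificate (useful after the scp to RS2) and that the certificate chains to the CA and is valid for the VIP. Function names, file names and the `demo-ca` subject are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway CA in a temp dir.
VIP=192.168.18.250   # VIP from the environment table

# make_ca DIR: self-signed CA, same role as cakey.pem / cacert.pem above
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=CN/O=thl/CN=demo-ca" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# issue DIR NAME [SAN]: key, CSR and CA-signed certificate; SAN is optional
issue() {
    dir=$1; name=$2; san=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=CN/O=thl/CN=thl" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
    set --                   # extra signing options, empty unless a SAN is given
    if [ -n "$san" ]; then
        echo "subjectAltName=$san" > "$dir/$name.ext"
        set -- -extfile "$dir/$name.ext"
    fi
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 30 "$@" \
        -out "$dir/$name.crt" 2>/dev/null
}

# key_matches_cert KEY CRT: true when both hold the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# verifies_for_ip CA CRT IP: chain builds to CA and IP is in subjectAltName
verifies_for_ip() {
    openssl verify -CAfile "$1" -verify_ip "$3" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" && issue "$d" nosan && issue "$d" vip "IP:$VIP" || return 1
    key_matches_cert "$d/vip.key" "$d/vip.crt" && echo "vip.key matches vip.crt"
    key_matches_cert "$d/nosan.key" "$d/vip.crt" || echo "nosan.key does not match vip.crt"
    verifies_for_ip "$d/cacert.pem" "$d/vip.crt" "$VIP" && echo "vip.crt accepted for $VIP"
    verifies_for_ip "$d/cacert.pem" "$d/nosan.crt" "$VIP" || echo "nosan.crt rejected for $VIP"
    rm -rf "$d"
}
demo
```

On the setup above the matching client check is `curl --cacert cacert.pem https://192.168.18.250`; with the certificate as issued (CN=thl, no subjectAltName) it fails, and a certificate carrying the VIP as an IP subjectAltName lets it pass.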