lvs-nat 模式配置

环境	IP	服务
centos8	eth1 仅主机模式   VIP 192.168.17.132/24 eth0  NAT   DIP  192.168.248.202/24	LVS
centos8	eth0 NAT 192.168.248.200/24     gw 192.1682.48.202	RS1 httpd
centos8	eth0 NAT  192.168.248.201/24     gw 192.168.248.202	RS2 httpd

 

1) 配置网络环境

配置lvs

# 配置DIP
[root@LVS ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
NAME=eth0
DEVICE=eth0
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.248.202
NETMASK=255.255.255.0

#配置VIP
[root@LVS ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
NAME=eth1
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.17.132
NETMASK=255.255.255.0

[root@LVS ~]# nmcli c reload
[root@LVS ~]#nmcil c up eth0
[root@LVS ~]#nmcil c up eth1


#开启IP转发功能
[root@LVS ~]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
[root@LVS ~]# sysctl -p
net.ipv4.ip_forward = 1

 

RS上的配置

#RS1
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]#  echo RS1 > /var/www/html/index.html
[root@RS1 ~]# systemctl  start httpd

#RS2
[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]#  echo RS2 > /var/www/html/index.html
[root@RS2 ~]# systemctl  start httpd


# RS1网络配置
[root@RS1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 
TYPE=Ethernet
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=192.168.248.200
NATEMASK=255.255.255.0
GATEWAY=192.168.248.202

[root@RS1 ~]# nmcli c reload
[root@RS1 ~]# nmcli c up eth0

#RS2网络配置
[root@RS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 
TYPE=Ethernet
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=192.168.248.201
NATEMASK=255.255.255.0
GATEWAY=192.168.248.202

[root@RS2 ~]# nmcli c reload
[root@RS2 ~]# nmcli c up eth0

 

 

2) 配置LVS服务器

[root@LVS ~]# yum -y install ipvsadm
[root@LVS ~]# ipvsadm -A -t 192.168.17.132:80 -s rr
[root@LVS ~]# ipvsadm -a -t 192.168.17.132:80 -r 192.168.248.200 -m
[root@LVS ~]# ipvsadm -a -t 192.168.17.132:80 -r 192.168.248.201 -m

 

 2) 测试访问

[root@LVS ~]# curl 192.168.17.132:80
RS2
[root@LVS ~]# curl 192.168.17.132:80
RS1
[root@LVS ~]# curl 192.168.17.132:80
RS2
[root@LVS ~]# curl 192.168.17.132:80
RS1

 

开启https，在后端服务器安装mod_ssl

 LVS服务器上搭建CA服务端

#生成一对密钥
[root@LVS ~]# mkdir -p /etc/pki/CA/private
[root@LVS ~]# cd /etc/pki/CA
[root@LVS CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
[root@LVS CA]# openssl rsa -in private/cakey.pem -pubout

#生成自签署证书
[root@LVS CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:xx
Organizational Unit Name (eg, section) []:xxx
Common Name (eg, your name or your server's hostname) []:xxx
Email Address []:1@1.com

[root@LVS CA]# touch index.txt && echo 01 > serial

 

 RS1生成证书请求并发送给CA

[root@RS1 ~]# yum -y install mod_ssl
[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]# cd /etc/httpd/ssl
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)

[root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.cs
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:xx
Organizational Unit Name (eg, section) []:xxx
Common Name (eg, your name or your server's hostname) []:xxx
Email Address []:1@1.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@RS1 ssl]# ls
httpd.csr  httpd.key

#把证书签署请求文件发送给CA
[root@RS1 ssl]# scp httpd.csr root@192.168.248.202:/root/

 

CA签署证书并发给RS1

[root@LVS ~]#  mkdir /etc/pki/CA/newcerts
[root@LVS ~]# touch /etc/pki/CA/index.txt

#跟踪最后一次颁发证书的序列号
[root@LVS ~]# echo "01" > /etc/pki/CA/serial

[root@LVS ~]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May  7 12:35:37 2021 GMT
            Not After : May  7 12:35:37 2022 GMT
        Subject:
            countryName               = ch
            stateOrProvinceName       = hb
            organizationName          = xx
            organizationalUnitName    = xxx
            commonName                = xxx
            emailAddress              = 1@1.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                BF:C5:50:36:FE:1A:65:D6:6F:32:92:5C:F9:C2:B5:B0:31:66:D7:9D
            X509v3 Authority Key Identifier: 
                keyid:BE:17:D2:7A:54:3A:83:A6:F1:0D:AA:AD:BF:70:39:80:05:A6:58:E0

Certificate is to be certified until May  7 12:35:37 2022 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries

#CA把签署好的证书httpd.crt和服务端的证书cacert.pem发给RS1
[root@LVS ~]# scp  httpd.crt  192.168.248.200:/etc/httpd/ssl
[root@LVS ~]# scp /etc/pki/CA/cacert.pem 192.168.248.200:/etc/httpd/ssl

 

 将RS1的证书和密钥发给RS2

#RS2
[root@RS2 ~]# yum -y install mod_ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl

#在RS1上将签署好的证书httpd.crt和服务端的证书cacert.pem及httpd.key发给RS2
[root@RS1 ssl]# scp cacert.pem  httpd.crt httpd.key  192.168.248.201:/etc/httpd/ssl

 

 修改RS中的httpd配置文件，都需要修改

[root@RS1 ssl]# sed -n '85p;93p;109p' /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
SSLCACertificateFile /etc/httpd/ssl/cacert.pem

#重启服务
[root@RS1 ssl]# systemctl  restart httpd

 

 LVS上添加集群

[root@LVS ~]# ipvsadm -At 192.168.17.132:443 -s rr
[root@LVS ~]# ipvsadm -at 192.168.17.132:443 -r 192.168.248.200 -m
[root@LVS ~]# ipvsadm -at 192.168.17.132:443 -r 192.168.248.201 -m

 

测试访问，会发现它会认为https和http是两个不同的服务，当一个访问https一个访问http时可能会调度到一个RS上,它会认为https和http是两个不同的服务

[root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
RS2
RS2
[root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
RS1
RS1

 

在LVS上使用防火墙标签只要使用80或443便认为是同一个服务

#标识可以是任意整数这里使用100
[root@LVS ~]# iptables -t mangle -A PREROUTING -d 192.168.17.132 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 100

#清空规则
[root@LVS ~]# ipvsadm -C

[root@LVS ~]# ipvsadm  -Af 100 -s rr

[root@LVS ~]# ipvsadm  -af 100 -r 192.168.248.200 -m

#测试访问
[root@LVS ~]# ipvsadm  -af 100 -r 192.168.248.201 -m
[root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
RS2
RS1
[root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
RS2
RS1
[root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
RS2
RS1
[root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
RS2
RS1
[root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
RS2
RS1