溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊(cè)×
其他方式登錄
點(diǎn)擊 登錄注冊(cè) 即表示同意《億速云用戶服務(wù)條款》

haproxy和keepalived配置方法

發(fā)布時(shí)間:2020-05-29 17:10:21 來源:億速云 閱讀:603 作者:鴿子 欄目:系統(tǒng)運(yùn)維

haproxy和keepalived

# 架構(gòu)一 兩臺(tái)服務(wù)器,不能使用與業(yè)務(wù)相同端口,不能代理原有業(yè)務(wù)的ssl
websrv1:8080/8443  haproxy1:80/443    keepalived1-master
websrv2:8080/8443  haproxy1:80/443    keepalived1-backup

# 架構(gòu)二 四臺(tái)服務(wù)器,可以使用與業(yè)務(wù)相同端口,不能代理原有業(yè)務(wù)的ssl
websrv1:8080/8443
websrv2:8080/8443
haproxy1:8080/8443    keepalived1-master
haproxy2:8080/8443    keepalived1-backup

實(shí)驗(yàn)按架構(gòu)一部署,架構(gòu)二基本類似

1. soft install

yum install -y haproxy keepalived openssl
systemctl enable haproxy keepalived && systemctl restart haproxy keepalived

2. keepalived (只做HA Keepalived可以單獨(dú)配置)

vi /etc/keepalived/keepalived.conf

  • MASTER (keepalived1-master)
! Configuration File for keepalived

global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   router_id LVS_DEVEL
#   vrrp_strict

}

vrrp_instance VI_1 {
    state MASTER
#   config with right interface name
    interface eth0
    virtual_router_id 51
    priority 110
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.10.80.50/24
    }
}
  • BACKUP (keepalived2-slave)
! Configuration File for keepalived

global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   router_id LVS_DEVEL
#   vrrp_strict
}

vrrp_instance VI_1 {
    state BACKUP
#   config with right interface name
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.10.80.50/24
    }
}

# check config

systemctl restart keepalived

3. haproxy config (haproxy1 / haproxy2)

vi /etc/haproxy/haproxy.cfg

external-check need haproxy >1.6

global 
   log /dev/log local0 
   log /dev/log local1 notice 
   stats timeout 30s 
#   external-check 
   user haproxy 
   group haproxy 
   tune.ssl.default-dh-param 4096 
   daemon 

defaults 
   log global 
   mode http 
   option httplog 
   option dontlognull 
   timeout connect 5000 
   timeout client 50000 
   timeout server 50000 
   stats uri /haproxy?stats 

frontend http_front 
   bind :80 
   bind :443 ssl crt /etc/ssl/server.pem 
   default_backend http_back 

backend http_back 
   balance roundrobin 
   cookie SERVERID maxidle 30m maxlife 12h insert indirect nocache 
#   option external-check 
#   external-check command /bin/haproxy/etxstat.sh 
#   external-check path "/usr/bin:/bin" 
   server etx1 10.10.80.51:8080 check cookie etx1
   server etx2 10.10.80.52:8080 check cookie etx2

4. ssl pam 配置

cd /etc/ssl
openssl req -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 365
cat server.crt server.key | tee server.pem 

# sync pem srv1 -> srv2
scp haproxy1:/etc/ssl/server.pem haprox2:/etc/ssl/

5. haproxy check config

vi /bin/haproxy/etxstat.sh

#!/bin/bash 
status=$(curl -s --user etxadmin:password http://$3:$4/etx/state) 
if [ "$status" = "RUNNING" ]; then 
   exit 0 
else 
   exit 1 
fi
  • check config
chmod a+x /bin/haproxy/etxstat.sh 
sudo -u haproxy /bin/haproxy/etxstat.sh
haproxy -c -V -f /etc/haproxy/haproxy.cfg
systemctl restart haproxy
http://ip:port/haproxy?stats

向AI問一下細(xì)節(jié)

免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。

AI