Business requirements:
Use 13 virtual machines to build a highly available, load-balanced cluster and run three sites on it. The detailed requirements are as follows.
1 Design an architecture you consider reasonable and draw the diagram in Visio
2 Set up the LNMP and Tomcat+JDK environments
3 The three sites are: a Discuz forum, a DedeCMS corporate website and a ZrLog blog
4 Because machines are limited, put the three sites on the same server as far as possible and then build a load-balanced cluster; all site domain names must resolve to one IP, i.e. there is only one egress IP
5 Static files must be shared; for example the directory Discuz needs shared is data/attachment, and DedeCMS needs upload shared (to find the exact directory, upload an image first and see where it lands)
6 Design sensible directory and file permissions; for example Discuz's data directory must be writable by the php-fpm process user, while directories that need no writing get no write permission (directories 755, files 644, owner and group root)
7 All servers must allow only ordinary-user logins, and only key-based logins; root is reached only through sudo from an ordinary user
8 Add a simple command-audit facility on all servers
9 Configure the php-fpm slow-execution log with a 2 s timeout, rotate the log, and keep one month of logs
10 Configure access logs for all sites with rotation; requests for static files must not be logged; keep one month of logs
11 Draw up a sensible MySQL data backup plan and write the backup script; the backup data must be transferred to the backup server
12 Draw up a backup plan for code and static files and write the backup script; the backup data must be transferred to the backup server
12 Write a data-recovery document that guarantees all data can be restored within 2 hours of a loss
13 Set up a Zabbix monitoring and alerting system; monitor the basic metrics (CPU, memory, disk), graph NIC traffic, and also monitor the availability of the web sites
14 Write a custom monitoring script for the web servers' concurrent connection count, feed it into Zabbix, graph it, and set a trigger that alerts above 100
15 Write a custom monitoring script for the MySQL queue, feed it into Zabbix, graph it, and set a trigger that alerts when the queue exceeds 300
16 Write a custom monitoring script for the MySQL slow-query log, feed it into Zabbix, graph it, and set a trigger that alerts above 60 entries per minute; study the pattern of the slow-query log carefully to settle on the entry count
17 Monitor Tomcat in Zabbix via JMX
18 Add a second authentication layer in front of the admin area of all three sites for extra security
19 Implement file and code synchronization for releases with a shell script (see the distribution system)
The requirements can be roughly divided into the following parts:
• Part 1: basics
1. Design an architecture you consider reasonable and draw the diagram in Visio
7. All servers must allow only ordinary-user logins, and only key-based logins; root is reached only through sudo from an ordinary user
8. Add a simple command-audit facility on all servers
18. Implement file and code synchronization for releases with a shell script (see the distribution system)
• Part 2: web servers
2 Set up the LNMP and Tomcat+JDK environments
3 The three sites are: a Discuz forum, a DedeCMS corporate website and a ZrLog blog
4 Because machines are limited, put the three sites on the same server as far as possible and then build a load-balanced cluster; all site domain names must resolve to one IP, i.e. there is only one egress IP
5 Static files must be shared; for example the directory Discuz needs shared is data/attachment, and DedeCMS needs upload shared (to find the exact directory, upload an image first and see where it lands)
6 Design sensible directory and file permissions; for example Discuz's data directory must be writable by the php-fpm process user, while directories that need no writing get no write permission (directories 755, files 644, owner and group root)
9 Configure the php-fpm slow-execution log with a 2 s timeout, rotate the log, and keep one month of logs
10 Configure access logs for all sites with rotation; requests for static files must not be logged; keep one month of logs
17 Add a second authentication layer in front of the admin area of all three sites for extra security
• Part 3:
11 Draw up a sensible MySQL data backup plan and write the backup script; the backup data must be transferred to the backup server
12 Draw up a backup plan for code and static files and write the backup script; the backup data must be transferred to the backup server
12 Write a data-recovery document that guarantees all data can be restored within 2 hours of a loss
• Part 4: Zabbix monitoring
13 Set up a Zabbix monitoring and alerting system; monitor the basic metrics (CPU, memory, disk), graph NIC traffic, and also monitor the availability of the web sites
14 Write a custom monitoring script for the web servers' concurrent connection count; alert above 100
15 Write a custom monitoring script for the MySQL queue; alert when the queue exceeds 300
16 Write a custom monitoring script for the MySQL slow-query log; alert above 60 entries per minute; study the pattern of the slow-query log carefully to settle on the entry count
Part 1 requirements:
1. Architecture diagram
2. Assign machine roles according to the architecture diagram:
192.168.66.100 VIP
192.168.66.130 front-end nginx load balancer, primary + keepalived
192.168.66.131 front-end nginx load balancer, backup + keepalived
192.168.66.132 web server (LNMP + Tomcat)
192.168.66.133 web server (LNMP + Tomcat)
192.168.66.134 web server (LNMP + Tomcat)
192.168.66.135 web server (LNMP + Tomcat)
192.168.66.136 web server (LNMP + Tomcat)
192.168.66.137 web server (LNMP + Tomcat)
192.168.66.138 MySQL read/write-splitting proxy (Mycat) + backup server
192.168.66.139 MySQL master
192.168.66.140 MySQL slave
192.168.66.141 MySQL slave
192.168.66.142 Zabbix server
3. Create the ordinary user linux on all hosts with an expect script and grant it sudo rights
The user linux, with a password and sudo rights, must be created on all 13 machines, 192.168.66.130-142
• First log in to 192.168.66.130 and install expect
[root@localhost ~]# yum install -y expect vim
[root@localhost ~]# cd /usr/local/sbin
[root@localhost sbin]# vim useradd.expect # contents as follows
#!/usr/bin/expect
set user [ lindex $argv 0 ]
set passwd "123456"
set host [ lindex $argv 1 ]
set cm [ lindex $argv 2 ]
spawn ssh $user@$host
expect {
"yes/no" { send "yes\r"; exp_continue}
"assword:" { send "$passwd\r" }
}
expect "]*"
send "$cm\r"
expect "]*"
send "exit\r"
interact
[root@localhost sbin]# chmod +x useradd.expect # make it executable
• Create useradd.sh to call useradd.expect
[root@localhost sbin]# vim ip.txt # add the IP list, contents as follows
192.168.66.130
192.168.66.131
192.168.66.132
192.168.66.133
192.168.66.134
192.168.66.135
192.168.66.136
192.168.66.137
192.168.66.138
192.168.66.139
192.168.66.140
192.168.66.141
192.168.66.142
[root@localhost sbin]# vim useradd.sh # create the user and password, grant sudo rights, and create the .ssh directory ready for the key
#!/bin/bash
# Run the user-creation command on every host in ip.txt via useradd.expect (as root).
# The command string is one double-quoted argument, so the password is left unquoted
# inside it; the .ssh directory is handed to the linux user so it can receive the key later.
for i in `cat ip.txt`
do
./useradd.expect "root" "$i" "useradd linux && echo linux123 | passwd --stdin linux && echo 'linux ALL=(ALL) NOPASSWD:ALL' >>/etc/sudoers && mkdir /home/linux/.ssh && chmod 700 /home/linux/.ssh && chown -R linux:linux /home/linux/.ssh"
done
[root@localhost sbin]# sh useradd.sh
Note: perform step 4 only after all the services have been set up, because building the web servers, MySQL and the other services needs root to start them
4. All servers must allow only ordinary-user logins, and only key-based logins
First generate a key pair; here Xshell is used
Tools - New User Key Generation Wizard - set the key length - generate the key pair - generate the public key - set the private key - copy the public key content
Configure the public key on Linux: log in to host 130 as the linux user first; the .ssh directory was already created and its permissions set when the user was created
① Create the public key file
vim /home/linux/.ssh/authorized_keys
# paste the public key content copied above, then save and exit
chmod 644 /home/linux/.ssh/authorized_keys
② Sync authorized_keys to all machines with an expect script
cd /usr/local/sbin
sudo vim rsync-pub.expect
#!/usr/bin/expect
# Sync the public key file to the other servers; used together with rsync-pub.sh
set user "linux"
set passwd "linux123"
set host [ lindex $argv 0 ]
spawn rsync -av /home/linux/.ssh/authorized_keys $user@$host:/home/linux/.ssh/
expect {
"yes/no" { send "yes\r";exp_continue }
"password:" { send "$passwd\r" }
}
expect eof
• Remember to make it executable after saving, then create rsync-pub.sh:
sudo vim rsync-pub.sh
#!/bin/bash
# Sync the public key file to the other machines; used together with rsync-pub.expect
for ip in `cat ip.txt`
do
if [ $ip == "192.168.66.130" ]
then
continue
else
./rsync-pub.expect "$ip"
fi
done
Running rsync-pub.sh syncs the file to all machines
③ Disable remote root login and allow users to log in with keys only
Edit /etc/ssh/sshd_config: change "#PermitRootLogin yes" to "PermitRootLogin no"
change "#PasswordAuthentication yes" to "PasswordAuthentication no"
change "#PubkeyAuthentication yes" to "PubkeyAuthentication yes"
Restart the sshd service
④ Apply the change to all machines in bulk
cd /usr/local/sbin
vim nologin.expect
#!/usr/bin/expect
set user "linux"
set passwd "linux123"
set host [ lindex $argv 0 ]
spawn ssh $user@$host
expect {
"yes/no" { send "yes\r";exp_continue }
"password" { send "$passwd\r" }
}
expect "]*"
send "sudo sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config \r"
expect "]*"
send "sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config \r"
expect "]*"
send "sudo sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config \r"
expect "]*"
send "sudo systemctl restart sshd \r"
expect "]*"
send "exit \r"
• Make it executable after saving
⑤ Create nologin.sh
vim nologin.sh
#!/bin/bash
# Run nologin.expect against every host in ip.txt and report the result per host.
for ip in `cat ip.txt`
do
./nologin.expect $ip &>>nologin.log
if [ $? -eq 0 ]
then
echo "$ip.....[ ok ]"
else
echo "$ip.....[ failed ]"
fi
done
Running nologin.sh leaves root unable to log in remotely and ordinary users able to log in only with keys. That completes Part 1.
2. Set up MySQL. Because the web servers need the MySQL database, the Part 3 work is done first
192.168.66.138 MySQL read/write-splitting proxy (Mycat) + backup server
192.168.66.139 MySQL master
192.168.66.140 MySQL slave
192.168.66.141 MySQL slave
Log in as root and write a generic expect script that runs a command remotely on many hosts
[root@localhost ~]# vim cmd.expect
#!/usr/bin/expect
# Tcl only treats # as a comment at the start of a command, so trailing comments need ;#
set user [lindex $argv 0]   ;# system user
set host [lindex $argv 1]   ;# server address
set passwd [lindex $argv 2] ;# password
set cm [lindex $argv 3]     ;# command to run
spawn ssh $user@$host
set timeout -1
expect {
"yes/no" { send "yes\r"; exp_continue }
"password:" { send "$passwd\r" }
}
expect "]#"
send "$cm\r"
expect "]#"
send "exit\r"
interact
[root@localhost ~]# chmod a+x cmd.expect
[root@localhost ~]# vim cmd.sh # wrapper script
#!/bin/bash
user=$2
password=$3
cm=$4
for ip in `cat $1`
do
./cmd.expect "$user" "$ip" "$password" "$cm"
done
## argument 1 is the path of the file holding the IP list
## argument 2 is the user name
## argument 3 is the password
## argument 4 is the command to run
# Use this script to install some basic, common tools in bulk
[root@localhost ~]# sh ./cmd.sh "/root/ip.txt" "root" "123456" "yum -y install expect vim-enhanced epel-release libmcrypt-devel libmcrypt"
The contents of ip.txt are:
192.168.66.130
192.168.66.131
192.168.66.132
192.168.66.133
192.168.66.134
192.168.66.135
192.168.66.136
192.168.66.137
192.168.66.138
192.168.66.139
192.168.66.140
192.168.66.141
192.168.66.142
Install MySQL with the bulk command script written earlier:
[root@localhost ~]# sh ./cmd.sh "/root/dbip.txt" "root" "123456" "cd /usr/local/src/; yum install -y epel-release wget perl-Module-Install.noarch libaio*; wget http://mirrors.163.com/mysql/Downloads/MySQL-5.6/mysql-5.6.39-linux-glibc2.12-x86_64.tar.gz; tar -zxvf mysql-5.6.39-linux-glibc2.12-x86_64.tar.gz; mv mysql-5.6.39-linux-glibc2.12-x86_64 ../mysql; cd /usr/local/mysql; mkdir /data/; useradd mysql; ./scripts/mysql_install_db --user=mysql --datadir=/data/mysql; echo $? > /root/downloadMySQL.log"
The contents of dbip.txt are:
192.168.66.139
192.168.66.140
192.168.66.141
Write the config file on master 139 first, then rsync it to the slaves:
# copy the config file
[root@localhost ~]# cp /usr/local/mysql/support-files/my-default.cnf /etc/my.cnf
[root@localhost ~]# vim /etc/my.cnf
[mysqld]
datadir=/data/mysql
socket=/tmp/mysql.sock
# copy the startup script
[root@localhost ~]# cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
# then define the basedir and datadir paths
[root@localhost ~]# vim /etc/init.d/mysqld
basedir=/usr/local/mysql
datadir=/data/mysql
# add mysql to the service list and enable it at boot:
[root@localhost ~]# chkconfig --add mysqld
[root@localhost ~]# chkconfig mysqld on
Write the expect script that syncs files: sync.expect
[root@localhost ~]# vim sync.expect # with the following contents
#!/usr/bin/expect
# Push the files listed in $file (one path per line) to $host, keeping their full paths (-R).
set host [lindex $argv 0]
set passwd [lindex $argv 1]
set file [lindex $argv 2]
spawn rsync -avR --files-from=$file / root@$host:/
expect {
"yes/no" { send "yes\r"; exp_continue }
"password:" { send "$passwd\r" }
}
expect eof
Wrapper script: sync.sh
[root@localhost ~]# vim sync.sh # with the following contents
#!/bin/bash
passwd=$2
file=$3
for ip in `cat $1`
do
./sync.expect $ip $passwd $file
done
## Usage: ##
## sh sync.sh "<IP list file>" "<password>" "<file list path>" ##
[root@localhost ~]$ sh ./sync.sh "/root/slaveIP.txt" "123456" "/tmp/DBfile.txt" # sync the config files
[root@localhost ~]$ sh ./cmd.sh "/root/slaveIP.txt" "root" "123456" "/etc/init.d/mysqld start; chkconfig --add mysqld; chkconfig mysqld on" # start the service and add it to the service list
[root@localhost ~]$ sh ./cmd.sh "/root/slaveIP.txt" "root" "123456" "ln -s /usr/local/mysql/bin/mysql /usr/bin/mysql" # symlink the client into /usr/bin/
Start MySQL on the master and the slaves, log in and set the password
[root@localhost ~]$ mysql -uroot
mysql> set password=password('123456');
After changing the password and restarting the MySQL server, configure the master first:
1. Edit my.cnf:
[root@localhost ~]$ vim /etc/my.cnf
[mysqld]
# add the two lines below
server-id=139 # must differ from the slaves
log_bin=master-bin # the binlog must be enabled on the master
[root@localhost ~]$ service mysqld restart # restart mysqld after editing the config file
[root@localhost ~]$ ls /data/mysql # check that these two files have appeared
master-bin.000001 master-bin.index
2. Log in to mysql on the master and add a replication account for the two slaves:
mysql> grant replication slave on *.* to 'repl'@'192.168.66.140' identified by '123456';
mysql> grant replication slave on *.* to 'repl'@'192.168.66.141' identified by '123456';
3. Lock the tables on the master:
mysql> flush tables with read lock;
4. Check the master status and record it:
mysql> show master status;
+-------------------+----------+--------------+------------------+-------------------+
| File| Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set |
+-------------------+----------+--------------+------------------+-------------------+
| master-bin.000001 | 166 | | | |
+-------------------+----------+--------------+------------------+-------------------+
1 row in set (0.00 sec)
After the operations above on the master, configure the slaves:
1. Edit /etc/my.cnf on the slaves
# slave1
[root@localhost ~]$ vim /etc/my.cnf
[mysqld]
# add the line below; the binlog is not needed
server-id=140
[root@localhost ~]$ service mysqld restart
# slave2
[root@localhost ~]$ vim /etc/my.cnf
[mysqld]
# add the line below; the binlog is not needed
server-id=141
[root@localhost ~]$ service mysqld restart
2. Log in to mysql as root on both slaves and run the following (the log file and position are the ones recorded from show master status):
# slave1
[root@localhost ~]$ mysql -uroot -p'123456'
mysql> stop slave;
mysql> change master to master_host='192.168.66.139', master_user='repl', master_password='123456', master_log_file='master-bin.000001', master_log_pos=166;
mysql> start slave;
# slave2
[root@localhost ~]$ mysql -uroot -p'123456'
mysql> stop slave;
mysql> change master to master_host='192.168.66.139', master_user='repl', master_password='123456', master_log_file='master-bin.000001', master_log_pos=166;
mysql> start slave;
3. Check the replication status on both slaves; Slave_IO_Running and Slave_SQL_Running must both be Yes:
mysql> show slave status\G
# the two lines below must be Yes, which means replication is working
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
4. Back on master 139, unlock the tables and create database 111 to see whether it replicates (an all-digit identifier has to be quoted in MySQL)
# master
mysql> unlock tables;
mysql> create database `111`;
5. On the slaves, check that the create was replicated:
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| 111 |
| mysql |
| performance_schema |
| test |
+--------------------+
5 rows in set (0.00 sec)
Master/slave configuration is complete
Set up the Mycat server on 192.168.66.138
Once replication is running, Mycat can be set up to split reads from writes. Mycat is written in Java, so the JDK must be installed before Mycat.
1. Download and install the JDK:
Get the download link from the Oracle site: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
After downloading, upload it to /usr/local/src on the server with the Xftp tool bundled with Xshell; here it is already downloaded
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# ls
jdk-8u181-linux-x64.tar.gz
[root@localhost src]# tar zxf jdk-8u181-linux-x64.tar.gz
[root@localhost src]$ mv jdk1.8.0_181/ /usr/local/jdk1.8
Edit /etc/profile and add the following (the export line makes the variables visible to the Tomcat and Mycat startup scripts):
JAVA_HOME=/usr/local/jdk1.8/
JAVA_BIN=/usr/local/jdk1.8/bin
JRE_HOME=/usr/local/jdk1.8/jre
PATH=$PATH:/usr/local/jdk1.8/bin:/usr/local/jdk1.8/jre/bin
CLASSPATH=/usr/local/jdk1.8/jre/lib:/usr/local/jdk1.8/lib:/usr/local/jdk1.8/jre/lib/charsets.jar
export JAVA_HOME JAVA_BIN JRE_HOME PATH CLASSPATH
[root@localhost ~]# source /etc/profile # load the settings
Check that the Java environment works; the following output means success
[root@localhost ~]# java -version
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)
2. Download and install Mycat:
Download address: http://dl.mycat.io/1.6-RELEASE/
[root@localhost ~]$ cd /usr/local/src/
[root@localhost /usr/local/src]$ wget http://dl.mycat.io/1.6-RELEASE/Mycat-server-1.6-RELEASE-20161028204710-linux.tar.gz
[root@localhost /usr/local/src]$ tar -zxvf Mycat-server-1.6-RELEASE-20161028204710-linux.tar.gz
[root@localhost /usr/local/src]$ mv mycat/ /usr/local/
[root@localhost /usr/local/src]$ ls /usr/local/mycat/
bin catlet conf lib logs version.txt
3. Edit server.xml, the config file for Mycat's server parameters and user authorization. The main sections to change are:
[root@localhost ~]$ vim /usr/local/mycat/conf/server.xml
# the mycat user has full read/write rights on the logical databases ultrax, DedeCMS and zrlog
<user name="mycat">
<property name="password">123456</property>
<property name="schemas">ultrax,DedeCMS,zrlog</property>
</user>
# the discuz user has full read/write rights on the logical database ultrax
<user name="discuz">
<property name="password">123456</property>
<property name="schemas">ultrax</property>
</user>
# the dedecms user has full read/write rights on the logical database DedeCMS
<user name="dedecms">
<property name="password">123456</property>
<property name="schemas">DedeCMS</property>
</user>
# the zrlog user has full read/write rights on the logical database zrlog
<user name="zrlog">
<property name="password">123456</property>
<property name="schemas">zrlog</property>
</user>
# this user has read-only rights on the logical databases ultrax, DedeCMS and zrlog
<user name="user">
<property name="password">123456</property>
<property name="schemas">ultrax,DedeCMS,zrlog</property>
<property name="readOnly">true</property>
</user>
# these users are for connecting to the Mycat middleware.
4. Edit schema.xml, the config file that defines Mycat's logical databases, tables and shards:
# rename the bundled config file as a backup
[root@localhost ~]$ mv /usr/local/mycat/conf/schema.xml /usr/local/mycat/conf/schema.xml_bak
# create a new config file
[root@localhost ~]$ vim /usr/local/mycat/conf/schema.xml
# contents as follows:
<?xml version="1.0"?>
<!DOCTYPE mycat:schema SYSTEM "schema.dtd">
<mycat:schema xmlns:mycat="http://io.mycat/">
<schema name="ultrax" checkSQLschema="false" sqlMaxLimit="1000" dataNode="dn1" />
<schema name="DedeCMS" checkSQLschema="false" sqlMaxLimit="1000" dataNode="dn2" />
<schema name="zrlog" checkSQLschema="false" sqlMaxLimit="1000" dataNode="dn3" />
<dataNode name="dn1" dataHost="localhost1" database="ultrax" />
<dataNode name="dn2" dataHost="localhost1" database="DedeCMS" />
<dataNode name="dn3" dataHost="localhost1" database="zrlog" />
<dataHost name="localhost1" maxCon="2000" minCon="1" balance="3"
writeType="1" dbType="mysql" dbDriver="native" switchType="1" slaveThreshold="100">
<heartbeat>select user()</heartbeat>
<writeHost host="hostM1" url="192.168.66.139:3306" user="root" password="123456">
<!-- can have multi read hosts -->
<readHost host="hostS1" url="192.168.66.140:3306" user="root" password="123456" />
<readHost host="hostS2" url="192.168.66.141:3306" user="root" password="123456" />
</writeHost>
</dataHost>
</mycat:schema>
schema.xml explained:
<?xml version="1.0"?> XML file declaration;
<!DOCTYPE mycat:schema SYSTEM "schema.dtd"> document type declaration;
<mycat:schema xmlns:mycat="http://io.mycat/"> Mycat opening tag
Define a logical database, named as in server.xml, bound to data node dn1;
<schema name="testdb" checkSQLschema="false" sqlMaxLimit="1000" dataNode="dn1"></schema>
Add data node dn1, set its data host name, and set the real database behind the node to discuz;
<dataNode name="dn1" dataHost="localhost1" database="discuz" />
Data host: bind the data node and set the connection limits, balancing mode, switching method, driver and connection type;
<dataHost name="localhost1" maxCon="2000" minCon="1" balance="3" writeType="1" dbType="mysql" dbDriver="native" switchType="1" slaveThreshold="100">
Balance strategy (balance):
1) balance=0: read/write splitting is off; all reads go to the currently available writeHost;
2) balance=1: all readHosts and the standby writeHost take part in balancing select statements. In short, in dual-master dual-slave mode (M1->S1, M2->S2, with M1 and M2 as each other's standby), M2, S1 and S2 normally all serve selects
3) balance=2: all reads are distributed randomly across the readHosts and writeHosts;
4) balance=3: all reads are distributed randomly to the readHosts of the writeHost; the writeHost carries no read load.
Write strategy (writeType):
1) writeType=0: all writes go to the first configured writeHost;
2) writeType=1: all writes are sent randomly to the configured writeHosts;
3) writeType=2: no writes are performed.
Switching strategy (switchType):
1) switchType=-1: no automatic switching;
2) switchType=1: the default, automatic switching;
3) switchType=2: switch based on the state of MySQL replication;
4) switchType=3: the switching mechanism for MySQL Galera clusters (since 1.4.1); the heartbeat statement is show status like 'wsrep%'.
SQL statement used to probe the back-end MySQL instances;
<heartbeat>select user()</heartbeat>
Where read and write requests are forwarded, i.e. the real back-end MySQL servers, with the user name and password used to connect to them (these are MySQL database credentials);
<writeHost host="hostM1" url="192.168.66.139:3306" user="mycat" password="123456">
<readHost host="hostS1" url="192.168.66.140:3306" user="mycat" password="123456" />
<readHost host="hostS2" url="192.168.66.141:3306" user="mycat" password="123456" />
</writeHost>
</dataHost> data host closing tag;
</mycat:schema> Mycat closing tag;
• Authorize the mycat and site users on the master
mysql> grant all on *.* to 'mycat'@'192.168.66.138' identified by '123456';
mysql> grant all on ultrax.* to 'discuz'@'192.168.66.%' identified by '123456';
mysql> grant all on DedeCMS.* to 'dedecms'@'192.168.66.%' identified by '123456';
mysql> grant all on zrlog.* to 'zrlog'@'192.168.66.%' identified by '123456';
5. Mycat configuration is done. Start Mycat and check that ports 8066 and 9066 are listening:
[root@localhost ~]$ /usr/local/mycat/bin/mycat start
[root@localhost ~]$ netstat -lntp
tcp6 0 0 :::9066 :::* LISTEN 1413/java
tcp6 0 0 :::8066 :::* LISTEN 1413/java
# note: if these two ports are not listening, check whether the Java environment took effect.
# 8066 is the port web applications use to connect to Mycat.
# 9066 is the SA/DBA management port.
Back on master 139, connect to MySQL through the Mycat machine's IP and port 8066:
[root@localhost ~]$ mysql -h'192.168.66.138' -udiscuz -p'123456' -P'8066'
mysql> show databases;
+----------+
| DATABASE |
+----------+
| ultrax |
+----------+
1 row in set (0.01 sec)
Log in as root and check that all the databases are visible:
[root@localhost ~]$ mysql -h'192.168.66.138' -uroot -p'123456' -P'8066'
mysql> show databases;
+----------+
| DATABASE |
+----------+
| DedeCMS |
| ultrax |
| zrlog |
+----------+
3 rows in set (0.00 sec)
Then log in on port 9066 and look at the data sources:
[root@localhost ~]$ mysql -h'192.168.66.138' -uroot -p'123456' -P'9066'
mysql> show @@datasource;
+----------+--------+-------+-----------------+------+------+--------+------+------+---------+-----------+------------+
| DATANODE | NAME | TYPE | HOST | PORT | W/R | ACTIVE | IDLE | SIZE | EXECUTE | READ_LOAD | WRITE_LOAD |
+----------+--------+-------+-----------------+------+------+--------+------+------+---------+-----------+------------+
| dn1 | hostM1 | mysql | 192.168.66.139 | 3306 | W | 0 | 0 | 2000 | 0 | 0 | 0 |
| dn1 | hostS1 | mysql | 192.168.66.140 | 3306 | R | 0 | 0 | 2000 | 0 | 0 | 0 |
| dn1 | hostS2 | mysql | 192.168.66.141 | 3306 | R | 0 | 0 | 2000 | 0 | 0 | 0 |
| dn3 | hostM1 | mysql | 192.168.66.139 | 3306 | W | 0 | 0 | 2000 | 0 | 0 | 0 |
| dn3 | hostS1 | mysql | 192.168.66.140 | 3306 | R | 0 | 0 | 2000 | 0 | 0 | 0 |
| dn3 | hostS2 | mysql | 192.168.66.141 | 3306 | R | 0 | 0 | 2000 | 0 | 0 | 0 |
| dn2 | hostM1 | mysql | 192.168.66.139 | 3306 | W | 0 | 0 | 2000 | 0 | 0 | 0 |
| dn2 | hostS1 | mysql | 192.168.66.140 | 3306 | R | 0 | 0 | 2000 | 0 | 0 | 0 |
| dn2 | hostS2 | mysql | 192.168.66.141 | 3306 | R | 0 | 0 | 2000 | 0 | 0 | 0 |
+----------+--------+-------+-----------------+------+------+--------+------+------+---------+-----------+------------+
9 rows in set (0.00 sec)
6. Log in to mysql on master 139 and create the three databases:
[root@localhost ~]$ mysql -uroot -p'123456'
mysql> create database ultrax default character set utf8;
mysql> create database DedeCMS default character set utf8;
mysql> create database zrlog default character set utf8;
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| DedeCMS |
| mysql |
| performance_schema |
| test |
| ultrax |
| zrlog |
+--------------------+
7 rows in set (0.00 sec)
That completes replication and read/write splitting; next come the web servers
Set up the LNMP environment and Tomcat+Java first; by default port 80 goes to Nginx and Tomcat uses port 8080.
1. Deploy the complete environment on one machine first, then rsync the whole environment to the others:
① Download and install Nginx:
[root@localhost ~]$ yum -y install epel-release wget gcc gcc-c++ libmcrypt-devel libmcrypt libcurl-devel libxml2-devel openssl-devel bzip2-devel libjpeg-devel libpng-devel freetype-devel libmcrypt-devel; cd /usr/local/src/; wget http://nginx.org/download/nginx-1.12.1.tar.gz; tar -zxvf nginx-1.12.1.tar.gz; cd nginx-1.12.1; ./configure --prefix=/usr/local/nginx --with-http_ssl_module; echo $? > /root/downloadNginx.log; make && make install; echo $? >> /root/downloadNginx.log
Write the config files on one machine first:
Write the startup script /etc/init.d/nginx
vim /etc/init.d/nginx
#!/bin/bash
# chkconfig: - 30 21
# description: http service.
# Source Function Library
. /etc/init.d/functions
# Nginx Settings
NGINX_SBIN="/usr/local/nginx/sbin/nginx"
NGINX_CONF="/usr/local/nginx/conf/nginx.conf"
NGINX_PID="/usr/local/nginx/logs/nginx.pid"
RETVAL=0
prog="Nginx"
start()
{
echo -n $"Starting $prog: "
mkdir -p /dev/shm/nginx_temp
daemon $NGINX_SBIN -c $NGINX_CONF
RETVAL=$?
echo
return $RETVAL
}
stop()
{
echo -n $"Stopping $prog: "
killproc -p $NGINX_PID $NGINX_SBIN -TERM
rm -rf /dev/shm/nginx_temp
RETVAL=$?
echo
return $RETVAL
}
reload()
{
echo -n $"Reloading $prog: "
killproc -p $NGINX_PID $NGINX_SBIN -HUP
RETVAL=$?
echo
return $RETVAL
}
restart()
{
stop
start
}
configtest()
{
$NGINX_SBIN -c $NGINX_CONF -t
return 0
}
case "$1" in
start)
start
;;
stop)
stop
;;
reload)
reload
;;
restart)
restart
;;
configtest)
configtest
;;
*)
echo $"Usage: $0 {start|stop|reload|restart|configtest}"
RETVAL=1
esac
exit $RETVAL
After writing it, set mode 755 on the startup script:
chmod 755 /etc/init.d/nginx
Add the nginx service to the service list and enable it at boot:
chkconfig --add nginx
chkconfig nginx on
Enter nginx's conf directory:
cd /usr/local/nginx/conf
Then rename the config file:
mv nginx.conf nginx.conf.bak
Since the bundled nginx config is not used, write a new config file:
vim nginx.conf
user nobody nobody;
worker_processes 2;
error_log /usr/local/nginx/logs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 6000;
}
http
{
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 3526;
server_names_hash_max_size 4096;
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
' $host "$request_uri" $status'
' "$http_referer" "$http_user_agent"';
sendfile on;
tcp_nopush on;
keepalive_timeout 30;
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
connection_pool_size 256;
client_header_buffer_size 1k;
large_client_header_buffers 8 4k;
request_pool_size 4k;
output_buffers 4 32k;
postpone_output 1460;
client_max_body_size 10m;
client_body_buffer_size 256k;
client_body_temp_path /usr/local/nginx/client_body_temp;
proxy_temp_path /usr/local/nginx/proxy_temp;
fastcgi_temp_path /usr/local/nginx/fastcgi_temp;
fastcgi_intercept_errors on;
tcp_nodelay on;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 8k;
gzip_comp_level 5;
gzip_http_version 1.1;
gzip_types text/plain application/x-javascript text/css text/htm
application/xml;
server
{
listen 80;
server_name localhost;
index index.html index.htm index.php;
root /usr/local/nginx/html;
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
}
}
}
Check the config file for errors:
/usr/local/nginx/sbin/nginx -t
If there are no problems, start nginx:
service nginx start
② Install MySQL. PHP needs the MySQL client libraries, so MySQL only has to be installed here, not configured:
[root@localhost ~]$ cd /usr/local/src/; yum install -y epel-release wget perl-Module-Install.noarch libaio*;wget http://mirrors.163.com/mysql/Downloads/MySQL-5.6/mysql-5.6.39-linux-glibc2.12-x86_64.tar.gz; tar -zxvf mysql-5.6.39-linux-glibc2.12-x86_64.tar.gz; mv mysql-5.6.39-linux-glibc2.12-x86_64 ../mysql; cd /usr/local/mysql; mkdir /data/; useradd mysql; ./scripts/mysql_install_db --user=mysql --datadir=/data/mysql; echo $? > /root/downloadMySQL.log
③ Install PHP:
Run the command:
[root@localhost ~]$ cd /usr/local/src/; yum -y install epel-release wget gcc gcc-c++ libmcrypt-devel libmcrypt libcurl-devel libxml2-devel openssl-devel bzip2-devel libjpeg-devel libpng-devel freetype-devel libmcrypt-devel; wget http://cn2.php.net/distributions/php-5.6.30.tar.gz; tar -zxvf php-5.6.30.tar.gz; cd php-5.6.30/; ./configure --prefix=/usr/local/php-fpm --with-config-file-path=/usr/local/php-fpm/etc --enable-fpm --with-fpm-user=php-fpm --with-fpm-group=php-fpm --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-pdo-mysql=/usr/local/mysql --with-mysql-sock=/tmp/mysql.sock --with-libxml-dir --with-gd --with-jpeg-dir --with-png-dir --with-freetype-dir --with-iconv-dir --with-zlib-dir --with-mcrypt --enable-soap --enable-gd-native-ttf --enable-ftp --enable-mbstring --enable-exif --with-pear --with-curl --with-openssl; echo $? > /root/downloadPHP.log; make && make install; echo $? >> /root/downloadPHP.log
After installation, copy PHP's config file:
[root@localhost php-5.6.30]$ cp php.ini-production /usr/local/php-fpm/etc/php.ini
Create a php-fpm.conf file:
[root@localhost ~]$ vim /usr/local/php-fpm/etc/php-fpm.conf
# contents as follows:
[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
Copy the startup script, set its permissions, add it to the service list and enable it at boot:
[root@localhost php-5.6.30]# cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
[root@localhost php-5.6.30]# chmod 755 /etc/init.d/php-fpm
[root@localhost php-5.6.30]# chkconfig --add php-fpm
[root@localhost php-5.6.30]# chkconfig php-fpm on
Add the php-fpm service user:
useradd -s /sbin/nologin php-fpm
Check the config file with php-fpm -t:
[root@localhost ~]$ /usr/local/php-fpm/sbin/php-fpm -t
If it is fine, start the service and check the process:
[root@localhost ~]$ service php-fpm start
Starting php-fpm done
[root@localhost ~]$ ps aux |grep php-fpm
④ Install Tomcat
The JDK must be installed before Tomcat; see the Mycat section above for the JDK installation
Install Tomcat directly here
[root@localhost src]$ wget http://mirrors.shuosc.org/apache/tomcat/tomcat-8/v8.5.24/bin/apache-tomcat-8.5.24.tar.gz
[root@localhost src]$ tar -zxvf apache-tomcat-8.5.24.tar.gz
[root@localhost src]$ mv apache-tomcat-8.5.24 /usr/local/tomcat
Commands to start and stop the service:
/usr/local/tomcat/bin/startup.sh # start the service
/usr/local/tomcat/bin/shutdown.sh # stop the service
Check the process and ports:
netstat -lntp # three ports: 8080 8009 8005
ps aux |grep java
⑤ Set up the Discuz forum, the DedeCMS corporate site and the ZrLog blog
1. Set up the Discuz forum. First configure a virtual host for Discuz: delete the server block from the main nginx.conf
vim /usr/local/nginx/conf/nginx.conf
# delete this server block
server
{
listen 80;
server_name localhost;
index index.html index.htm index.php;
root /usr/local/nginx/html;
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/local/nginx/html$fastcgi_script_name;
}
}
After deleting it add this line, which includes the virtual host config files:
include vhost/*.conf;
Create the vhost directory:
mkdir /usr/local/nginx/conf/vhost
Enter the vhost directory and create a discuz.com.conf file:
cd /usr/local/nginx/conf/vhost
vim discuz.com.conf # add the following
server
{
listen 80;
server_name www.discuz.com;
index index.html index.htm index.php;
root /data/wwwroot/discuz.com;
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/discuz.com$fastcgi_script_name;
}
}
Create the site directory:
mkdir -p /data/wwwroot/discuz.com/
2. Install Discuz
Download the Discuz archive:
The version you need can be downloaded from the official site: http://www.discuz.net/forum.php
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# wget http://download.comsenz.com/DiscuzX/3.3/Discuz_X3.3_SC_UTF8.zip
Unpack:
[root@localhost src]# unzip Discuz_X3.3_SC_UTF8.zip
After unpacking there are these directories:
[root@localhost src]# ls
Discuz_X3.3_SC_UTF8.zip readme upload utility
Copy everything under the upload directory into the discuz.com site directory:
[root@localhost src]# cp -r upload/* /data/wwwroot/discuz.com/
Edit the hosts file on Windows; by default it is in this directory:
C:\Windows\System32\drivers\etc
Add this line to the hosts file:
192.168.66.132 www.discuz.com
After saving, open www.discuz.com in the browser to reach the Discuz installer
It then shows the directory and file permission check, where these directories and files are reported as not writable for lack of permissions:
Use a script to change the listed directories to 777,
[root@localhost ~]# cd /data/wwwroot/discuz.com/
[root@localhost discuz.com]# vim fileList.txt # first put the paths in a text file
./config
./data
./data/cache
./data/avatar
./data/plugindata
./data/download
./data/addonmd5
./data/template
./data/threadcache
./data/attachment
./data/attachment/album
./data/attachment/forum
./data/attachment/group
./data/log
./uc_client/data/cache
./uc_server/data/
./uc_server/data/cache
./uc_server/data/avatar
./uc_server/data/backup
./uc_server/data/logs
./uc_server/data/tmp
./uc_server/data/view
[root@localhost discuz.com]# vim filePermission.sh
#!/bin/bash
# Apply the mode the installer asks for to every path listed in fileList.txt.
for file in `cat ./fileList.txt`
do
chmod 777 $file
done
[root@localhost discuz.com]# sh ./filePermission.sh
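Requirement 6 asks for directories 755, files 644 and owner root, with write access for the php-fpm user only where the application needs it; the chmod 777 above gets the installer past its check but leaves those paths world-writable. As an added example (not the page's filePermission.sh), the script below resets a site tree to that model once installation has finished, gives php-fpm write access to the paths in fileList.txt by ownership rather than mode bits, and audits for anything still world-writable. The php-fpm user name, the site root and the SITE_BASE_OWNER override are assumptions.

```shell
#!/bin/bash
# Added example (not the page's filePermission.sh): apply the permission model
# of requirement 6 to a site tree (directories 755, files 644, owner root) and
# give the php-fpm user write access only to the paths listed in a file such
# as fileList.txt, by making php-fpm their owner instead of using chmod 777.
# Usage: harden_site_tree <site root> <writable-paths file> [php-fpm user]
set -u

# Owner of the read-only baseline: root in production. A test that does not
# run as root sets SITE_BASE_OWNER to the current user so chown succeeds.
: "${SITE_BASE_OWNER:=root}"

harden_site_tree() {
    local root=$1 list=$2 fpm_user=${3:-php-fpm}
    local line path full

    [ -d "$root" ] || { echo "no such site root: $root" >&2; return 1; }
    [ -f "$list" ] || { echo "no such list file: $list" >&2; return 1; }

    # 1. Baseline: everything owned by root, directories 755, files 644.
    chown -R "$SITE_BASE_OWNER" "$root" || return 1
    find "$root" -type d -exec chmod 755 {} + || return 1
    find "$root" -type f -exec chmod 644 {} + || return 1

    # 2. Writable paths: ownership goes to the php-fpm user. With 755/644 that
    #    user can write them while the nginx worker (nobody) and others cannot.
    while IFS= read -r line; do
        for path in $line; do           # tolerate several paths on one line
            path=${path#./}             # fileList.txt entries start with ./
            full="$root/${path%/}"
            if [ ! -e "$full" ]; then
                echo "skip (not present): $full" >&2
                continue
            fi
            chown -R "$fpm_user" "$full" || return 1
        done
    done < "$list"
}

# List anything still world-writable under the site root; returns 1 if any
# path is found, so a deploy step can stop on it.
audit_world_writable() {
    local root=$1 found
    found=$(find "$root" ! -type l -perm -002 -print)
    if [ -n "$found" ]; then
        printf 'world-writable paths remain:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Octal mode of a path, e.g. 755 (GNU stat).
mode_of() { stat -c %a "$1"; }

# Run against the Discuz docroot from the page when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    harden_site_tree /data/wwwroot/discuz.com /data/wwwroot/discuz.com/fileList.txt php-fpm \
        && audit_world_writable /data/wwwroot/discuz.com
fi
```

fileList.txt and filePermission.sh were created inside the docroot above; move them out before running so nginx does not serve them.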
After refreshing
Click Next:
Choose "Fresh install of Discuz! X" and click "Next" to reach the database setup page shown below. Note that the database host entered here is the master's IP; it is changed to the Mycat address in the config afterwards
Only the database root user's password has to be entered here, plus an admin password; the e-mail address for alert mail is optional. The rest installs automatically:
After installation, click through to visit the site
Visit:
Then go back to the web server and edit Discuz's config file. Change dbhost, dbuser, dbpw and dbname to match Mycat, which puts read/write splitting into effect:
[root@localhost discuz.com]$ vim /data/wwwroot/discuz.com/config/config_global.php
// ---------------------------- CONFIG DB ----------------------------- //
$_config['db']['1']['dbhost'] = '192.168.66.138:8066';
$_config['db']['1']['dbuser'] = 'discuz';
$_config['db']['1']['dbpw'] = '123456';
$_config['db']['1']['dbcharset'] = 'utf8';
$_config['db']['1']['pconnect'] = '0';
$_config['db']['1']['dbname'] = 'ultrax';
$_config['db']['1']['tablepre'] = 'pre_';
$_config['db']['slave'] = '';
$_config['db']['common']['slave_except_table'] = '';
## restart nginx after the change
[root@localhost discuz.com]$ service nginx restart
Restarting nginx (via systemctl): [ 確定 ]
Then log in to the Discuz forum as admin; a successful login means all is well:
⑥ Set up the DedeCMS corporate site; it also needs a virtual host first:
Enter the vhost directory and create a dedecms.com.conf file:
cd /usr/local/nginx/conf/vhost
vim dedecms.com.conf
Add the following:
server
{
listen 80;
server_name www.dedecms.com;
index index.html index.htm index.php;
root /data/wwwroot/dedecms.com;
location ~ \.php$
{
include fastcgi_params;
fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/dedecms.com$fastcgi_script_name;
}
}
Create the site directory:
mkdir -p /data/wwwroot/dedecms.com/
Download the DedeCMS archive from the official site:
http://www.dedecms.com/products/dedecms/downloads/
The 5.7 UTF8 version is used here:
[root@localhost ~]# cd /usr/local/src/
[root@localhost src]# wget http://updatenew.dedecms.com/base-v57/package/DedeCMS-V5.7-UTF8-SP2.tar.gz
After downloading, unpack it into the corresponding directory
[root@localhost src]# tar -zxvf DedeCMS-V5.7-UTF8-SP2.tar.gz
[root@localhost src]# ls
DedeCMS-V5.7-UTF8-SP2
[root@localhost src]# cd DedeCMS-V5.7-UTF8-SP2
[root@localhost DedeCMS-V5.7-UTF8-SP2]# ls
docs uploads
[root@localhost DedeCMS-V5.7-UTF8-SP2]# cp -r ./uploads/* /data/wwwroot/dedecms.com/
After that, configure the Windows hosts file the same way and open the site in a browser
The following page appears because of insufficient permissions:
Set the permissions on the directories concerned:
[root@localhost dedecms.com]$ chmod 777 ./plus
[root@localhost dedecms.com]$ chmod 777 ./dede
[root@localhost dedecms.com]$ chmod 777 ./data
[root@localhost dedecms.com]$ chmod 777 ./a
[root@localhost dedecms.com]$ chmod 777 ./install
[root@localhost dedecms.com]$ chmod 777 ./special
[root@localhost dedecms.com]$ chmod 777 ./uploads/
After granting the permissions, refresh the page:
Set the database details and the administrator password:
Installation complete:
Visit http://www.dedecms.com/dede/ and enter the admin user name and password to log in to the site's back end:
Login successful
⑦ Set up the ZrLog blog system:
1. Configure a Tomcat virtual host; Tomcat virtual hosts are configured in server.xml:
[root@localhost ~]$ vim /usr/local/tomcat/conf/server.xml
# add the following to the file (inside the Engine element):
<Host name="www.zrlog.com" appBase=""
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<Context path="" docBase="/data/wwwroot/zrlog.com/" debug="0" reloadable="true" crossContext="true"/>
</Host>
2. Create the site directory:
mkdir -p /data/wwwroot/zrlog.com
3. Download ZrLog and unpack it into the site directory:
[root@localhost ~]$ cd /usr/local/src/
[root@localhost src]$ wget http://dl.zrlog.com/release/zrlog-1.7.1-baaecb9-release.war
[root@localhost src]$ unzip zrlog-1.7.1-baaecb9-release.war -d /data/wwwroot/zrlog.com
4. To share port 80, nginx must also reverse-proxy Tomcat; edit the virtual host config:
[root@localhost ~]$ vim /usr/local/nginx/conf/vhost/zrlog.com.conf
## contents as follows
upstream zrlog_com
{
ip_hash;
server localhost:8080;
}
server
{
listen 80;
server_name www.zrlog.com;
location /
{
proxy_pass http://zrlog_com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
[root@localhost ~]$ service nginx restart # restart nginx
5. Restart Tomcat:
/usr/local/tomcat/bin/shutdown.sh
/usr/local/tomcat/bin/startup.sh
6. Configure the Windows hosts file, then open http://www.zrlog.com in a browser:
After Next, fill in the admin account; installation succeeds
⑧ Add a second authentication layer in front of the sites' back ends
First install httpd-tools:
yum install -y httpd-tools
Then generate a user/password file with the htpasswd command from httpd-tools:
[root@localhost ~]$ htpasswd -c /usr/local/nginx/conf/htpasswd admin
New password:
Re-type new password:
Adding password for user admin
Once generated, cat the htpasswd file; it contains the following:
[root@localhost ~]$ cat /usr/local/nginx/conf/htpasswd
admin:$apr1$73nmrAKd$7eSGO2h58BrAnUMekFt7P0
If you need to add another user later, leave out the -c option; -c would overwrite the existing htpasswd file.
Edit the discuz virtual host configuration file:
[root@localhost ~]$ vim /usr/local/nginx/conf/vhost/discuz.com.conf
## Add the following; remember to place it above the location ~ \.php$ block
location ~ admin.php
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
}
Check and reload the nginx configuration:
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
Then use curl to see whether authentication is required; a result like this means it works:
[root@localhost ~]$ curl -x127.0.0.1:80 http://www.discuz.com/admin.php -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.12.1
Date: Wed, 8 Aug 2018 11:01:40 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
Finally, access it with the username and password to confirm it succeeds; a result like this means it works:
[root@localhost ~]$ curl -x127.0.0.1:80 -u admin:"123456" http://www.discuz.com/admin.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Wed, 8 Aug 2018 11:02:30 GMT
Content-Type: application/octet-stream
Content-Length: 2739
Last-Modified: Wed, 8 Aug 2018 11:02:40 GMT
Connection: keep-alive
ETag: "5a334add-ab3"
Accept-Ranges: bytes
Configure dedecms; again edit its virtual host configuration file:
[root@localhost ~]$ vim /usr/local/nginx/conf/vhost/dedecms.com.conf
## The configuration is as follows:
location /dede/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd; # path to the password file
}
Then reload nginx and again use curl to check that authentication is required:
[root@localhost ~]$ curl -x127.0.0.1:80 http://www.dedecms.com/dede/ -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.12.1
Date:Wed, 8 Aug 2018 11:05:35 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
Finally zrlog; edit the nginx reverse-proxy configuration file:
[root@localhost ~]$ vim /usr/local/nginx/conf/vhost/zrlog.com.conf
## Add the following block above location /:
location /admin/
{
auth_basic "Auth";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
proxy_pass http://zrlog_com/admin/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Restart nginx:
[root@localhost ~]$ service nginx restart
Test whether authentication is required:
[root@localhost ~]$ curl -x127.0.0.1:80 http://www.zrlog.com/admin/ -I
HTTP/1.1 401 Unauthorized
Server: nginx/1.12.1
Date: Wed, 8 Aug 2018 11:10:25 GMT
Content-Type: text/html
Content-Length: 195
Connection: keep-alive
WWW-Authenticate: Basic realm="Auth"
If the home page loads but nginx returns 404 for the admin page, first confirm the configuration file is correct; if it is still wrong after restarting nginx, try killing the nginx processes with killall, which lets the processes flush their in-memory data to disk, and then start nginx again.
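An added check, not part of the original post, that classifies the curl -I responses used above instead of eyeballing them. Besides "401 or not", it inspects the Content-Type of the authenticated 200: php-fpm output is text/html, whereas application/octet-stream (as in the discuz result above) means nginx served admin.php as a static file and returned the raw PHP source, because "location ~ admin.php" matched before "location ~ \.php$" and has no fastcgi_pass of its own.

```shell
#!/bin/sh
# Added example (not from the original post): classify "curl -I" responses for
# the admin URLs protected with auth_basic above.

# classify_admin_headers HEADERS CREDS_SENT(0|1)
# prints one of: protected | authenticated | unprotected | source-leak | other
classify_admin_headers() {
  hdrs=$(printf '%s\n' "$1" | tr -d '\r')       # curl -I output uses CRLF
  creds=$2
  status=$(printf '%s\n' "$hdrs" | awk 'NR == 1 { print $2 }')
  ctype=$(printf '%s\n' "$hdrs" |
    awk -F': *' 'tolower($1) == "content-type" { print tolower($2); exit }')
  case $status in
    401)
      if printf '%s\n' "$hdrs" | grep -qi '^www-authenticate: basic'; then
        echo protected
      else
        echo other                                 # 401 without a Basic challenge
      fi ;;
    200)
      case $ctype in
        application/octet-stream*) echo source-leak ;;   # file served, not executed
        *) if [ "$creds" = 1 ]; then echo authenticated; else echo unprotected; fi ;;
      esac ;;
    *) echo other ;;
  esac
}

# check_admin_url URL [USER:PASS]: live check through the local nginx, as on the page
check_admin_url() {
  if [ -n "$2" ]; then
    classify_admin_headers "$(curl -s -x127.0.0.1:80 -u "$2" -I "$1")" 1
  else
    classify_admin_headers "$(curl -s -x127.0.0.1:80 -I "$1")" 0
  fi
}
```

For each site, run check_admin_url once without and once with credentials; the expected pair is protected then authenticated, and source-leak on the second call means the auth location needs the same fastcgi directives as the location ~ \.php$ block.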
⑨. Assign directory and file permissions
The discuz directory and file permissions were set during installation; now just delete the install directory:
[root@localhost ~]$ cd /data/wwwroot/discuz.com
[root@localhost /data/wwwroot/discuz.com]$ rm -rf install/
Next set the dedecms directory and file permissions. Below is the directory security guidance from the dedecms website:
1. Directory permissions
We do not recommend placing channel directories under the site root, because it makes security settings very cumbersome. By default, after installation the directories are set as follows:
(1) data, templets, uploads and a (html in 5.3): readable and writable, not executable;
(2) If you do not need topics, delete the special directory; if you do, after generating the HTML delete special/index.php, then set the directory readable and writable, not executable;
(3) include, member, plus and the backend admin directory: scripts executable, readable, but not writable (if add-on modules are installed, set book, ask, company and group the same way).
2. Other points to note
(1) Although the install directory has been handled strictly, for safety we still recommend deleting it;
(2) Do not run the site with the MySQL root account; give each site its own MySQL user with these privileges:
SELECT, INSERT , UPDATE , DELETE
CREATE , DROP , INDEX , ALTER , CREATE TEMPORARY TABLES
I tried changing the permissions as described and the site became inaccessible; after trying it out I found that only the following directories need changing:
[root@localhost /data/wwwroot]$ cd dedecms.com/
[root@localhost /data/wwwroot/dedecms.com]$ chmod 766 ./uploads
[root@localhost /data/wwwroot/dedecms.com]$ chmod 766 ./a
[root@localhost /data/wwwroot/dedecms.com]$ chmod 755 ./plus
[root@localhost /data/wwwroot/dedecms.com]$ chmod 644 data/common.inc.php
[root@localhost /data/wwwroot/dedecms.com]$ rm -rf install/
[root@localhost /data/wwwroot/dedecms.com]$ mv ./special/ /tmp/
zrlog can stay at its defaults, which are already 755 for directories and 644 for files.
Finally, use the earlier script to sync the configuration files and site directories to the other web servers; syncing /data/ and /usr/local/ is enough.
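Requirement 6 of the brief (directories 755, files 644, owner root, write access only where php-fpm needs it) as one reusable function. This is an added example, not the post's own commands: instead of the 766/777 used above it grants write access through the php-fpm user's group (775 on directories, 664 on files), and OWNER:GROUP and the write group are parameters so it can be tried as an unprivileged user on a scratch tree.

```shell
#!/bin/sh
# Added example (not from the original post): apply the brief's permission
# scheme to a site tree, then report anything still world-writable.

# harden_site_tree ROOT OWNER:GROUP WRITE_GROUP DIR...
#   DIR... are paths relative to ROOT that the application must write to
#   (discuz data/attachment, dedecms uploads, zrlog attached).
harden_site_tree() {
  root=$1 owner=$2 wgroup=$3
  shift 3
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  chown -R "$owner" "$root"                          # everything owned by root:root in production
  find "$root" -type d -exec chmod 755 {} +           # traversable, writable only by owner
  find "$root" -type f -exec chmod 644 {} +           # readable, writable only by owner
  for d in "$@"; do
    [ -d "$root/$d" ] || { echo "missing writable dir: $root/$d" >&2; return 1; }
    chgrp -R "$wgroup" "$root/$d"                     # php-fpm's group, not "others"
    find "$root/$d" -type d -exec chmod 775 {} +      # group may create/delete entries
    find "$root/$d" -type f -exec chmod 664 {} +      # group may rewrite uploads
  done
}

# mode_of PATH -> octal permission bits, e.g. 755 (GNU stat)
mode_of() { stat -c %a "$1"; }

# world_writable ROOT -> lists entries still writable by others; empty when hardened
world_writable() { find "$1" -perm -002; }
```

In production call it as harden_site_tree /data/wwwroot/discuz.com root:root php-fpm data/attachment, substituting the group php-fpm actually runs as on the web servers.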
⑩. Configure static file sharing between the web servers; this step uses NFS
1. The server needs the nfs-utils and rpcbind packages; install them with:
yum install -y nfs-utils rpcbind
2. The clients need the nfs-utils package; install it on all of them with the bulk script:
yum install -y nfs-utils
3. Decide which directories to share:
The directory discuz shares is: /data/wwwroot/discuz.com/data/attachment/
The directory dedecms shares is: /data/wwwroot/dedecms.com/uploads/
The directory zrlog shares is: /data/wwwroot/zrlog.com/attached/
Then give these directories 777 permissions.
4. For security the export must be restricted to specific client IPs, so write a simple loop script that appends the entries to /etc/exports on the server in bulk:
#!/bin/bash
# forIP.sh: append one export line per web server (192.168.66.133 to 192.168.66.137)
file=$1
for i in `seq 3 7`
do
  # one host per entry, without a prefix length: "192.168.66.13$i/24" would be
  # a network spec and match every host in 192.168.66.0/24
  echo "$file 192.168.66.13$i(rw,sync,no_root_squash)" >> /etc/exports
done
# Run the script; the argument is the directory path to share
[root@localhost ~]$ sh forIP.sh "/data/wwwroot/discuz.com/data/attachment/"
[root@localhost ~]$ sh forIP.sh "/data/wwwroot/dedecms.com/uploads/"
[root@localhost ~]$ sh forIP.sh "/data/wwwroot/zrlog.com/attached/"
After running the script, /etc/exports contains:
/data/wwwroot/discuz.com/data/attachment/ 192.168.66.133/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/discuz.com/data/attachment/ 192.168.66.134/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/discuz.com/data/attachment/ 192.168.66.135/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/discuz.com/data/attachment/ 192.168.66.136/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/discuz.com/data/attachment/ 192.168.66.137/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/dedecms.com/uploads/ 192.168.66.133/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/dedecms.com/uploads/ 192.168.66.134/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/dedecms.com/uploads/ 192.168.66.135/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/dedecms.com/uploads/ 192.168.66.136/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/dedecms.com/uploads/ 192.168.66.137/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/zrlog.com/attached/ 192.168.66.133/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/zrlog.com/attached/ 192.168.66.134/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/zrlog.com/attached/ 192.168.66.135/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/zrlog.com/attached/ 192.168.66.136/24(rw,sync,anonuid=1000,anongid=1000)
/data/wwwroot/zrlog.com/attached/ 192.168.66.137/24(rw,sync,anonuid=1000,anongid=1000)
5. Use the earlier bulk-command script to check whether the machines are listening on port 111. Normally the service starts and listens automatically once nfs is installed; if it has not started, start it manually:
systemctl start rpcbind
systemctl start nfs
6. Enable rpcbind and nfs at boot:
systemctl enable rpcbind
systemctl enable nfs
7. Mount the shared directories on each client
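An added audit, not part of the original post, for the /etc/exports produced above. The intent was to limit the shares to five hosts, but a client written as 192.168.66.133/24 is the network 192.168.66.0/24, not one host, so every entry in the listing above admits the whole subnet; the function flags that, along with wildcard or missing client specs and no_root_squash (client root becomes root on the exported tree).

```shell
#!/bin/sh
# Added example (not from the original post): audit an exports file for entries
# broader than "these web servers may write here".

# audit_exports FILE -> prints "<line>: <reason>" per finding; returns 1 if any
audit_exports() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
    NF < 2 { print NR ": no client spec, exported to every host"; bad = 1; next }
    {
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        p = index(client, "(")                    # split "host(opts)"
        if (p) {
          opts = substr(client, p + 1); sub(/\)$/, "", opts)
          client = substr(client, 1, p - 1)       # "(opts)" alone means every host
        }
        if (client == "" || client == "*")
          { print NR ": entry " (i - 1) " is exported to every host"; bad = 1 }
        else if (client ~ /\//)
          { print NR ": " client " is a network spec, not a single host"; bad = 1 }
        else if (client ~ /[*?]/)
          { print NR ": " client " is a wildcard pattern"; bad = 1 }
        if (("," opts ",") ~ /,no_root_squash,/)
          { print NR ": " client " has no_root_squash"; bad = 1 }
      }
    }
    END { exit (bad ? 1 : 0) }' "$1"
}
```

Run audit_exports /etc/exports on the NFS server after editing and again after exportfs -ra; a clean file prints nothing and exits 0.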
Use Keepalived together with the nginx load balancer
192.168.66.100 VIP
192.168.66.130 frontend nginx load balancer, master + keepalived
192.168.66.131 frontend nginx load balancer, backup + keepalived
Install keepalived and nginx on both 130 and 131:
yum install -y keepalived
For the nginx source build, follow the procedure above (both machines must be configured).
Once installed, add a new nginx virtual host configuration file:
vi /usr/local/nginx/conf/vhost/lb.conf
upstream lb
{
ip_hash;
server 192.168.66.132:80;
server 192.168.66.133:80;
server 192.168.66.134:80;
server 192.168.66.135:80;
server 192.168.66.136:80;
server 192.168.66.137:80;
}
server
{
listen 80;
server_name www.discuz.com www.dedecms.com www.zrlog.com;
location /
{
proxy_pass http://lb;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Change the keepalived configuration file on 130
The default configuration file path is /etc/keepalived/keepalived.conf
Empty the file:
> /etc/keepalived/keepalived.conf
Edit the configuration file:
vim /etc/keepalived/keepalived.conf
Add the following:
global_defs {
notification_email {
[email protected]
}
notification_email_from [email protected]
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_DEVEL
}
vrrp_script chk_nginx {
script "/usr/local/sbin/check_ng.sh"
interval 3
}
vrrp_instance VI_1 {
state MASTER
interface ens33
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass aminglinux>com
}
virtual_ipaddress {
192.168.66.100
}
track_script {
chk_nginx
}
}
Note that "virtual_ipaddress", i.e. the VIP, is set to 192.168.66.100.
2. Define the check script
The script path is defined in the keepalived configuration: /usr/local/sbin/check_ng.sh
Edit the file:
vim /usr/local/sbin/check_ng.sh
Add the following:
#!/bin/bash
# timestamp used for the log entries
d=`date --date today +%Y%m%d_%H:%M:%S`
# count the nginx processes
n=`ps -C nginx --no-heading|wc -l`
# if there are none, start nginx and count again;
# if there are still none, nginx cannot start, so stop keepalived to release the VIP
if [ "$n" -eq 0 ]; then
    /etc/init.d/nginx start
    n2=`ps -C nginx --no-heading|wc -l`
    if [ "$n2" -eq 0 ]; then
        echo "$d nginx down,keepalived will stop" >> /var/log/check_ng.log
        systemctl stop keepalived
    fi
fi
3. After creating the script, set its permissions:
chmod 755 /usr/local/sbin/check_ng.sh
4. Start the keepalived service; because the nginx check is defined above, it will bring nginx up automatically:
systemctl start keepalived
5. Check whether the VIP has been added:
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:a4:dd:e8 brd ff:ff:ff:ff:ff:ff
inet 192.168.66.130/24 brd 192.168.66.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.66.100/32 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::3116:74ed:1d0a:3851/64 scope link noprefixroute
valid_lft forever preferred_lft forever
keepalived configuration on machine 131
vim /etc/keepalived/keepalived.conf
Add the following:
global_defs {
notification_email {
[email protected]
}
notification_email_from [email protected]
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_DEVEL
}
vrrp_script chk_nginx {
script "/usr/local/sbin/check_ng.sh"
interval 3
}
vrrp_instance VI_1 {
# unlike the master, this one is BACKUP
state BACKUP
# must match this machine's NIC, otherwise keepalived will not start
interface eno33
# must be the same as on the master
virtual_router_id 51
# priority must be a lower value than the master's
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass aminglinux>com
}
virtual_ipaddress {
# same VIP as on the master
192.168.66.100
}
track_script {
chk_nginx
}
}
The nginx configuration and the check script are the same as on machine 130.
Finally, test that all three sites are reachable through the VIP.
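An added pre-flight check, not part of the original post, that compares the master and backup keepalived.conf files for exactly the points the comments above say must match (virtual_router_id, authentication, VIP) or differ (state, priority). It assumes one vrrp_instance per file, as here. It also warns when auth_pass is longer than 8 characters, since VRRP simple authentication only carries 8 bytes and keepalived truncates the value; on the two configurations above that is the only finding it reports.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a MASTER/BACKUP
# keepalived.conf pair before starting the service.

# kv_get FILE KEY -> value of the first "KEY value" line in FILE
kv_get() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# vip_get FILE -> first address inside the virtual_ipaddress { ... } block
vip_get() {
  awk '/^[ \t]*virtual_ipaddress[ \t]*\{/ { f = 1; next }
       f && /\}/ { exit }
       f { print $1; exit }' "$1"
}

# check_pair MASTER_CONF BACKUP_CONF -> prints each problem, returns 1 if any
check_pair() {
  m=$1 b=$2 rc=0
  [ "$(kv_get "$m" state)" = MASTER ] || { echo "master: state is not MASTER"; rc=1; }
  [ "$(kv_get "$b" state)" = BACKUP ] || { echo "backup: state is not BACKUP"; rc=1; }
  for k in virtual_router_id auth_type auth_pass; do        # must be identical
    [ "$(kv_get "$m" "$k")" = "$(kv_get "$b" "$k")" ] \
      || { echo "$k differs between master and backup"; rc=1; }
  done
  [ "$(vip_get "$m")" = "$(vip_get "$b")" ] \
    || { echo "virtual_ipaddress differs between master and backup"; rc=1; }
  mp=$(kv_get "$m" priority); bp=$(kv_get "$b" priority)  # backup must lose the election
  [ "${bp:-0}" -lt "${mp:-0}" ] \
    || { echo "backup priority ($bp) must be lower than master priority ($mp)"; rc=1; }
  pw=$(kv_get "$m" auth_pass)
  [ ${#pw} -le 8 ] \
    || { echo "auth_pass is ${#pw} chars; VRRP uses only the first 8"; rc=1; }
  return $rc
}
```

Copy the backup's file to the master (or the reverse) and run check_pair master.conf backup.conf before systemctl start keepalived on either node.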