LVS+KeepaLived+Nginx SSL驗證
keepalived安裝
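# Build dependencies plus ipvsadm. The glob is quoted so that yum expands it
# against package names instead of the shell expanding it against local files.
yum -y install kernel-devel 'openssl-*' ipvsadm
# NOTE(review): the tarball is fetched over plain HTTP with no integrity check.
# Compare its checksum with a value obtained from a trusted source before
# building and installing it as root.
wget http://www.keepalived.org/software/keepalived-1.2.2.tar.gz
tar zxf keepalived-1.2.2.tar.gz
cd keepalived-1.2.2
# In this header, move
#   #include <linux/types.h> /* For __beXX types in userland */
# below `#include <sys/types.h>` to fix the error reported by make.
vim keepalived/libipvs-2.6/ip_vs.h
# --with-kernel-dir is passed to add IPVS support. The original line repeated
# "./configure" as a stray positional argument; it is given once here.
./configure --with-kernel-dir=/usr/src/kernels/2.6.18-274.18.1.el5-x86_64/
make && make install
# -p keeps a re-run of these steps from failing when the directory exists.
mkdir -p /etc/keepalived/
# Add the content listed below to this file.
vim /etc/keepalived/keepalived.conf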
# VRRP instance that holds the virtual IP (VIP) on this director.
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 200
    advert_int 1
    # NOTE(review): auth_type PASS carries auth_pass in cleartext inside the
    # VRRP advertisements, and 1111 is a sample value. Replace it with a
    # site-specific secret shared by the routers of this virtual_router_id.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.5.230
    }
}

# HTTPS virtual service: round-robin, direct-routing mode, with 50 s of
# per-client persistence.
virtual_server 192.168.5.230 443 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    persistence_timeout 50
    protocol TCP

    real_server 192.168.5.202 443 {
        weight 3
        # On a failed check the server's weight is set to 0.
        inhibit_on_failure
        TCP_CHECK {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 443
        }
    }

    real_server 192.168.5.204 443 {
        weight 3
        inhibit_on_failure
        TCP_CHECK {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 443
        }
    }
}

# HTTP virtual service on the same VIP, with the same scheduling settings.
virtual_server 192.168.5.230 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    # NOTE(review): the original also places inhibit_on_failure here, at
    # virtual_server level; confirm that the keepalived version in use
    # accepts it outside a real_server block.
    inhibit_on_failure
    persistence_timeout 50
    protocol TCP

    real_server 192.168.5.202 80 {
        weight 3
        inhibit_on_failure
        TCP_CHECK {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }

    real_server 192.168.5.204 80 {
        weight 3
        inhibit_on_failure
        TCP_CHECK {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
}
- #然後用 keepalived 命令啓動keepalived程序
- state #keepalived的狀態,有MASTER和BACKUP(本文稱SLAVE)兩種
- interface #實例綁定的網卡
- virtual_router_id #VRID
- priority #優先級;即使state指定爲MASTER,如果priority較低,也有可能變成SLAVE(即BACKUP,受到nopreempt影響)
- advert_int #設定檢測間隔
- authentication #設定驗證方式:auth_type,以及驗證密碼:auth_pass;auth_type PASS的密碼在VRRP通告中以明文傳輸,範例中的1111僅爲示意,實際部署時應更換
- virtual_ipaddress #VIP,可以寫多個,每個佔一行
- virtual_server #指定virtual server 以及端口號
- delay_loop #對realserver的檢測間隔時間
- lb_algo #LVS的輪詢算法
- lb_kind #LVS的工作模式爲DR
- inhibit_on_failure #當檢測失效後將權重標記爲0
- persistence_timeout #將50s內來自同一ip的請求轉發到同一後端
- protocol TCP #使用的協議
- real_server #後端web配置字段
- weight #權重,權重越高接收到的請求越多
- TCP_CHECK #檢測方式
- connect_timeout #連接超時時間
- connect_port #健康檢測端口
- nb_get_retry #重連次數
- delay_before_retry #重連間隔時間
#啓動成功後可以通過ipvsadm命令來查看
realserver 啓動腳本:
- #這個IP添加到網卡配置文件中也可以,我犯懶就直接拷貝了LT論壇中的腳本, 作者名字下面有寫
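#!/bin/bash
# description: Config realserver lo and apply noarp
# Written by: NetSeek http://www.linuxtone.org
#
# Usage: <this script> {start|stop}
#   start  set the ARP sysctls, then bind the VIP to lo:0 and add a host route
#   stop   remove lo:0 and the host route, then reset the ARP sysctls to 0
# Writes under /proc/sys and calls ifconfig/route, so it presumably has to be
# run as root.

SNS_VIP="192.168.5.230"
. /etc/rc.d/init.d/functions

# Write arp_ignore ($1) and arp_announce ($2) for the "lo" and "all" entries,
# in the same order as the original script.
# Returns non-zero if any of the four writes fails.
set_arp_sysctls() {
  local ignore=$1 announce=$2 scope rc=0
  for scope in lo all; do
    echo "$ignore" >"/proc/sys/net/ipv4/conf/${scope}/arp_ignore" || rc=1
    echo "$announce" >"/proc/sys/net/ipv4/conf/${scope}/arp_announce" || rc=1
  done
  return "$rc"
}

case "$1" in
  start)
    # The ARP settings go first: binding the VIP before they are in place
    # leaves a window in which this host can answer ARP for the VIP. If they
    # cannot be written, the VIP is not bound at all.
    if ! set_arp_sysctls 1 2; then
      echo "RealServer Start FAILED: cannot set arp_ignore/arp_announce" >&2
      exit 1
    fi
    # Kept from the original. NOTE(review): sysctl -p re-applies
    # /etc/sysctl.conf and does not persist the values written above; if that
    # file sets these keys, its values replace them.
    sysctl -p >/dev/null 2>&1
    if ! ifconfig lo:0 "$SNS_VIP" netmask 255.255.255.255 broadcast "$SNS_VIP"; then
      echo "RealServer Start FAILED: cannot bind $SNS_VIP to lo:0" >&2
      exit 1
    fi
    # Left non-fatal so that running "start" again on a configured host, where
    # the route may already exist, still succeeds.
    /sbin/route add -host "$SNS_VIP" dev lo:0
    echo "RealServer Start OK"
    ;;
  stop)
    # The VIP is removed before the ARP sysctls are reset to 0.
    ifconfig lo:0 down
    route del "$SNS_VIP" >/dev/null 2>&1
    set_arp_sysctls 0 0
    echo "RealServer Stoped"
    ;;
  *)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac
exit 0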