部署Centos7下Haproxy實現Exchange反向代理負載並通過Keepalived主備負載

mini介質安裝Centos7

1.Centos環境準備

1.1 啓用root用戶ssh登錄

# 1.1 Allow root to log in over SSH (only needed if the box is administered as root).
vi /etc/ssh/sshd_config

   PermitRootLogin yes
   # NOTE(review): 'yes' also permits password logins for root, the account every
   # brute-force scanner tries first. 'prohibit-password' (key-only root login,
   # OpenSSH 7.0+, i.e. CentOS 7) or a dedicated sudo user with 'PermitRootLogin no'
   # keeps that surface smaller.
   

# apply the new setting; existing sessions stay open
systemctl restart sshd.service


1.2環境準備及安裝

# 1.2 Bring the base system up to date, then install the build toolchain and
# helpers used later: openssl/openssl-devel for the TLS build of HAProxy,
# net-tools for netstat, gcc/make/autoconf/libtool for the source builds,
# ntp* (ntp + ntpdate) for time sync, wget for the downloads.
yum -y update

yum install wget ftp ntp* mlocate openssl openssl-devel openssl-perl.x86_64 net-tools gcc automake autoconf libtool make -y


關閉SELINUX

# Disable SELinux.
# NOTE(review): HAProxy runs under enforcing mode on CentOS 7 — the targeted
# policy ships a haproxy module and 'setsebool -P haproxy_connect_any 1' is
# normally all that a reverse proxy to arbitrary backend ports needs — so this
# step removes a containment layer rather than working around a known
# incompatibility. If it is disabled anyway:
vi /etc/selinux/config

SELINUX=enforcing改成SELINUX=disabled

# /etc/selinux/config is only read at boot: getenforce keeps reporting the
# running state (Enforcing) until a reboot or 'setenforce 0'.
getenforce


創建系統賬號

# Create the unprivileged account HAProxy drops to ('user haproxy' / 'group
# haproxy' in haproxy.cfg): no home directory (-M), no interactive shell.
useradd -s /sbin/nologin -M haproxy

# verify the uid/gid exist
id haproxy


配置NTP服務

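# Configure NTP so both nodes agree on time (log correlation, certificate
# validity checks, VRRP timers).
# ntpd reads /etc/ntp.conf — the original page edited /etc/ntp.config, a file
# the daemon never reads, so the servers below would silently not be used.
vi /etc/ntp.conf

# add the following lines
# ('fudge' only takes effect together with a matching 'server 127.127.1.0'
#  local-clock entry; on its own it is ignored — leave it out unless the node
#  must keep serving time while all upstream servers are unreachable)
fudge 127.127.1.0 stratum 12

server ntp.api.bz iburst minpoll 6 maxpoll 7

server 0.cn.pool.ntp.org iburst minpoll 6 maxpoll 7

server 1.cn.pool.ntp.org iburst minpoll 6 maxpoll 7

server 2.cn.pool.ntp.org iburst minpoll 6 maxpoll 7


# start now and on boot (the leading '#' on the original lines was a root-prompt
# marker, which a shell would treat as a comment if pasted)
systemctl start ntpd.service

systemctl enable ntpd.service

# verify: 123/udp is bound and the peers answer (a '*' in the first column of
# ntpq -p marks the selected source)
netstat -ano |grep :123

ntpq -p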


1.2.1 Cert證書準備

1.2.2 根證書

1.2.2.1檢查根證書是否包含在主機內:

curl https://mail.alan.corp/owa


1.2.2.2 第三方根證書導入主機

root.cer(根證書) intermediate.cer 中間證書機構

Der格式證書轉Base64格式

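# 1.2.2.2 Convert the DER-encoded root and intermediate certificates to PEM.
openssl x509 -in root.cer -inform der -outform pem -out root.pem

openssl x509 -in intermediate.cer -inform der -outform pem -out intermediate.pem


# Add the issuing root to the system trust store through the ca-certificates
# tooling instead of appending to /etc/pki/tls/certs/ca-bundle.crt: that bundle
# is regenerated by update-ca-trust and by package updates, so a manual
# 'cat >>' (the original appended the c_rehash link 4b37341f.0) is silently
# lost later. Only the root has to be trusted — the intermediate is presented
# by the server during the handshake.
install -o root -g root -m 0644 root.pem /etc/pki/ca-trust/source/anchors/exchange-root.pem
update-ca-trust extract

# Confirm the chain validates against the regenerated bundle (prints 'OK').
openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt intermediate.pem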


1.2.2.3 將Exchange主機私有證書導入本機

mail.pfx(Exchange主機證書帶私有證書,導出保存Base64格式)


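# 1.2.2.3 Extract the Exchange certificate and private key from mail.pfx.
# The key ends up unencrypted on disk, so tighten the umask first: every file
# created below is then 0600 instead of the default 0644 (the original left the
# plaintext key world-readable in the working directory and in /etc/ssl/certs).
umask 077

# 1) private key, still protected by a PEM passphrase
#    (prompts: pfx password, then a new PEM password of 4+ characters)
openssl pkcs12 -in mail.pfx -nocerts -out exchange_private_key_passwordprotected.pem

# 2) strip the PEM passphrase so HAProxy can load the key unattended (prompts: PEM password)
openssl rsa -in exchange_private_key_passwordprotected.pem -out exchange_private_key_nopassword.pem

# 3) leaf certificate only, no key (prompts: pfx password)
openssl pkcs12 -in mail.pfx -clcerts -nokeys -out exchange_certificate.pem

# 4) HAProxy expects certificate + key (+ chain) in a single PEM. If clients
#    do not already hold the intermediate, append intermediate.pem from 1.2.2.2.
cat exchange_certificate.pem exchange_private_key_nopassword.pem > exchange_certificate_and_key_nopassword.pem

# Install root-only: /etc/ssl/certs is a directory of public certificates, but
# this file contains the private key. HAProxy reads it as root before chroot.
install -o root -g root -m 0600 exchange_certificate_and_key_nopassword.pem /etc/ssl/certs/exchange_certificate_and_key_nopassword.pem

# Remove the working copies of the key material and restore the default umask.
rm -f -- exchange_private_key_passwordprotected.pem exchange_private_key_nopassword.pem exchange_certificate_and_key_nopassword.pem
umask 022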




1.3 安裝haproxy

1.3.1軟件下載編譯及安裝

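# 1.3.1 Fetch the HAProxy source into /tmp.
cd /tmp

# Download over HTTPS and verify the archive before compiling it as root.
# haproxy.org publishes a .sha256 next to each tarball; if it is missing for
# this release, compare 'sha256sum haproxy-1.9.6.tar.gz' with the digest shown
# on the download page instead. The second method on the original page
# ('curl ... | tar xz') pipes an unverified archive straight into tar and is
# therefore dropped.
wget https://www.haproxy.org/download/1.9/src/haproxy-1.9.6.tar.gz

# must print 'haproxy-1.9.6.tar.gz: OK'; do not continue on FAILED
wget -qO- https://www.haproxy.org/download/1.9/src/haproxy-1.9.6.tar.gz.sha256 | sha256sum -c -

# extraction and 'cd' into the source tree are done in the build step below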


#安裝haproxy

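# Build and install HAProxy.
Hadir=/data/haproxy   # install prefix

mkdir -p "$Hadir"

# The tarball was downloaded to /tmp in 1.3.1: extract it there and enter the
# tree. (The original ran 'tar -axf haproxy-*' after already cd'ing into the
# extracted directory, where no tarball exists, so that step failed.)
cd /tmp
tar -axf haproxy-1.9.6.tar.gz
cd /tmp/haproxy-1.9.6

# TARGET: the 1.9 Makefile documents linux2628 for 2.6.28+/3.x kernels
# (CentOS 7 runs 3.10); it enables epoll/splice. 'linux310' from the original
# page is not among the 1.9 targets as far as can be told — if your tree does
# list it, keep it. USE_OPENSSL=1 is required for any 'ssl' bind/server option;
# USE_PCRE/USE_ZLIB add regex ACLs and compression.
make TARGET=linux2628 ARCH=x86_64 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_CRYPT_H=1 USE_LIBCRYPT=1 PREFIX="$Hadir"

make install PREFIX="$Hadir"

# confirm the binary and its build options (OpenSSL version, enabled features)
"$Hadir/sbin/haproxy" -v

"$Hadir/sbin/haproxy" -vv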



#內核優化

#NAT轉發

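# Kernel settings.
# net.ipv4.ip_forward is NOT needed by HAProxy (a userspace proxy) nor by the
# keepalived VIP; turning it on makes this node route any packet that reaches
# it. It is kept because the original page sets it — drop that line unless NAT
# through this host is really intended.
# The original sed pattern was mangled by the page's e-mail obfuscation; its
# intent was to replace 'net.ipv4.ip_forward = 0' with '= 1'. A substitution is
# a no-op when the key is absent (CentOS 7 ships an almost empty
# /etc/sysctl.conf), so set-or-append is used instead, and it is idempotent.
set_sysctl() {
  local key=$1 value=$2
  if grep -q "^${key}[[:space:]]*=" /etc/sysctl.conf; then
    sed -i "s|^${key}[[:space:]]*=.*|${key} = ${value}|" /etc/sysctl.conf
  else
    printf '%s = %s\n' "$key" "$value" >> /etc/sysctl.conf
  fi
}

set_sysctl net.ipv4.ip_forward 1

# let HAProxy/keepalived bind the VIP while it is not (yet) present on this node
set_sysctl net.ipv4.ip_nonlocal_bind 1

grep -E 'ip_forward|ip_nonlocal_bind' /etc/sysctl.conf

sysctl -p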


1.3.2啓動腳本配置

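# 1.3.2 Install the SysV init script shipped in the source tree (cwd is the
# extracted tree) and point it at this prefix. $BASENAME is expanded by the
# init script itself at runtime, so it stays inside single quotes; only $Hadir
# is expanded now.
cp ./examples/haproxy.init "$Hadir/haproxy"

chmod 755 "$Hadir/haproxy"

sed -i '/^BIN=/cBIN='"$Hadir"'/sbin/$BASENAME' "$Hadir/haproxy"

sed -i '/^CFG=/cCFG='"$Hadir"'/$BASENAME.cfg' "$Hadir/haproxy"

# sanity check: both variables now reference the install prefix
grep -E '^(BIN|CFG)=' "$Hadir/haproxy"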


1.3.3日誌配置

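# 1.3.3 HAProxy logs over UDP syslog (it runs chrooted, so /dev/log is out of
# reach); enable rsyslog's UDP input.
sed -i 's/^#$ModLoad imudp/$ModLoad imudp/g' /etc/rsyslog.conf

# Bind the listener to loopback: HAProxy only ever sends to 127.0.0.1, and an
# unbound 0.0.0.0:514 accepts unauthenticated log lines from the network.
# The directive must precede $UDPServerRun, hence the insert before the
# still-commented line; skipped if already present.
grep -q '^\$UDPServerAddress' /etc/rsyslog.conf || sed -i '/^#$UDPServerRun 514/i $UDPServerAddress 127.0.0.1' /etc/rsyslog.conf

sed -i 's/^#$UDPServerRun 514/$UDPServerRun 514/g' /etc/rsyslog.conf

# route facility local0 ('log 127.0.0.1 local0' in haproxy.cfg) to its own file; append only once
grep -qF 'local0.* /var/log/haproxy.log' /etc/rsyslog.conf || echo 'local0.* /var/log/haproxy.log'>>/etc/rsyslog.conf

systemctl restart rsyslog


# create the (empty) config file; 1.3.5 writes the real content
echo "">"$Hadir/haproxy.cfg"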


1.3.4 其他及防火牆配置

# 1.3.4 Runtime directory for the chroot, then firewall openings.
mkdir -p /var/lib/haproxy   # 'chroot /var/lib/haproxy' in haproxy.cfg; keep it empty and root-owned

# firewall configuration: one rule per proxied service port
firewall-cmd --permanent --add-port=443/tcp

firewall-cmd --permanent --add-port=80/tcp

firewall-cmd --permanent --add-port=25/tcp

firewall-cmd --permanent --add-port=110/tcp

firewall-cmd --permanent --add-port=143/tcp

firewall-cmd --permanent --add-port=465/tcp

firewall-cmd --permanent --add-port=587/tcp

firewall-cmd --permanent --add-port=993/tcp

firewall-cmd --permanent --add-port=995/tcp

# NOTE(review): 9000/tcp is the HAProxy stats page ('listen stats' in 1.3.5), a
# password-protected admin UI served in clear over HTTP on every interface.
# Prefer a rich rule limited to the management network, e.g.
#   firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<MGMT_CIDR>" port port="9000" protocol="tcp" accept'
# (placeholder <MGMT_CIDR>), or leave the port closed and reach it via SSH port forwarding.
firewall-cmd --permanent --add-port=9000/tcp


# load the permanent rules ('firewall-cmd --reload' does the same without a service restart)
systemctl restart firewalld


1.3.5 創建配置文件

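# 1.3.5 Write the HAProxy configuration.
# A quoted heredoc replaces echo "...": nothing inside it is subject to shell
# expansion, so '$', backslashes and quotes in the config are written verbatim.
# Changes from the original page (see the inline notes):
#  - the 443 frontend terminates TLS with the certificate from 1.2.2.3 and
#    re-encrypts to Exchange, validating the backend against the CA bundle
#    from 1.2.2.2; the original bound :443 in 'mode http' without 'ssl', which
#    cannot parse TLS traffic (and never used the certificate it prepared);
#  - 'timeout connect' is 5s instead of 5m (it is the TCP connect time to a backend).
cat > "$Hadir/haproxy.cfg" <<'EOF'
########### global ###########
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    daemon
    #nbproc 1                  # number of worker processes
    maxconn 4096               # process-wide connection limit
    user haproxy               # drop privileges to the account created in 1.2
    group haproxy
    chroot /var/lib/haproxy    # created in 1.3.4; keep it empty
    pidfile /var/run/haproxy.pid
    # Refuse SSLv3 / TLS 1.0 / TLS 1.1 on every 'bind ... ssl' — relax only if
    # legacy clients that cannot do TLS 1.2 still have to connect.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

########### defaults ###########
defaults
    log global
    mode http                  # default mode {tcp|http|health}; tcp sections override it
    option httplog             # HTTP-level log lines
    option dontlognull         # do not log health-check connections
    retries 2                  # give up on a server after 2 failed connection attempts
    option forwardfor          # client IP to Exchange via X-Forwarded-For
    option httpclose           # close the connection after each request
    option abortonclose        # drop queued requests whose client already left
    maxconn 4096
    timeout connect 5s         # TCP connect to a backend; the original 5m only delayed failover
    timeout client 1m
    timeout server 31m         # kept from the original (long-lived client connections)
    timeout check 10s
    balance roundrobin

########### stats page ###########
listen stats
    bind *:9000                # NOTE(review): reachable on every interface once 9000/tcp is
                               # opened in firewalld (1.3.4) — restrict it there to the management
                               # network, or bind a management address instead of '*'
    mode http
    stats enable
    stats hide-version
    stats realm HAProxy\ Stats
    stats auth admin:P@44w0rd  # NOTE(review): change before deployment; credentials travel in clear over HTTP
#   stats admin if TRUE        # would expose server enable/disable on the page; keep disabled
    stats uri /haproxy?stats

########### HTTP 80 ###########
frontend ft_exchange_HTTP
    bind *:80 name web
    maxconn 10000
    default_backend bk_exchange_HTTP

backend bk_exchange_HTTP
    server Node01 10.101.0.150:80 maxconn 10000 check
    server Node02 10.101.0.151:80 maxconn 10000 check backup

########### HTTPS 443 ###########
frontend ft_exchange_SSL
    # terminate TLS with the combined certificate+key installed in 1.2.2.3
    bind *:443 name ssl ssl crt /etc/ssl/certs/exchange_certificate_and_key_nopassword.pem
    maxconn 10000
    http-request set-header X-Forwarded-Proto https
    default_backend bk_exchange_SSL

backend bk_exchange_SSL
    # re-encrypt to Exchange and verify its certificate against the system CA
    # bundle (root imported in 1.2.2.2). 'verifyhost' must be a SAN/CN of the
    # Exchange certificate — mail.alan.corp is the name used in 1.2.2.1; adjust
    # if the internal service name differs.
    server Node01 10.101.0.150:443 maxconn 10000 check check-ssl ssl verify required ca-file /etc/pki/tls/certs/ca-bundle.crt verifyhost mail.alan.corp
    server Node02 10.101.0.151:443 maxconn 10000 check check-ssl backup ssl verify required ca-file /etc/pki/tls/certs/ca-bundle.crt verifyhost mail.alan.corp
EOF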


------------------------------------------------------------------------



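# Mail protocol front-ends.
# 'defaults' (1.3.5) sets 'mode http', which would make HAProxy wait for an
# HTTP request on these ports — SMTP/IMAP/POP3 servers send a banner first and
# the TLS variants are not HTTP at all — so every section below switches to
# 'mode tcp'. In tcp mode Exchange sees the proxy's address as the client:
# make sure no receive connector grants relay rights to the HAProxy/VIP
# addresses, or every Internet sender would inherit them.
# NOTE(review): on the original page these sections sit after the closing
# quote of the echo in 1.3.5; append them to $Hadir/haproxy.cfg before starting.

# SMTP 25
frontend ft_exchange_SMTP
    mode tcp
    option tcplog
    bind *:25 name smtp
    maxconn 10000
    default_backend bk_exchange_SMTP

backend bk_exchange_SMTP
    mode tcp
    server Node01 10.101.0.150:25 maxconn 10000 check
    server Node02 10.101.0.151:25 maxconn 10000 check backup


# SMTPS 465 (implicit TLS, passed through)
frontend ft_exchange_SMTP_Secure465
    mode tcp
    option tcplog
    bind *:465 name smtpssl465
    maxconn 10000
    default_backend bk_exchange_SMTP_Secure465

backend bk_exchange_SMTP_Secure465
    mode tcp
    server Node01 10.101.0.150:465 maxconn 10000 check
    server Node02 10.101.0.151:465 maxconn 10000 check backup


# Submission 587 (STARTTLS, passed through)
frontend ft_exchange_SMTP_Secure587
    mode tcp
    option tcplog
    bind *:587 name smtpssl587
    maxconn 10000
    default_backend bk_exchange_SMTP_Secure587

backend bk_exchange_SMTP_Secure587
    mode tcp
    server Node01 10.101.0.150:587 maxconn 10000 check
    server Node02 10.101.0.151:587 maxconn 10000 check backup


# IMAP 143
frontend ft_exchange_IMAP
    mode tcp
    option tcplog
    bind *:143 name imap
    maxconn 10000
    default_backend bk_exchange_IMAP

backend bk_exchange_IMAP
    mode tcp
    server Node01 10.101.0.150:143 maxconn 10000 check
    server Node02 10.101.0.151:143 maxconn 10000 check backup


# IMAPS 993 (implicit TLS, passed through)
frontend ft_exchange_IMAP_Secure
    mode tcp
    option tcplog
    bind *:993 name imapssl
    maxconn 10000
    default_backend bk_exchange_IMAP_Secure

backend bk_exchange_IMAP_Secure
    mode tcp
    server Node01 10.101.0.150:993 maxconn 10000 check
    server Node02 10.101.0.151:993 maxconn 10000 check backup


# POP3 110
frontend ft_exchange_POP3
    mode tcp
    option tcplog
    bind *:110 name pop3
    maxconn 10000
    default_backend bk_exchange_POP3

backend bk_exchange_POP3
    mode tcp
    server Node01 10.101.0.150:110 maxconn 10000 check
    server Node02 10.101.0.151:110 maxconn 10000 check backup


# POP3S 995 (implicit TLS, passed through)
frontend ft_exchange_POP3_Secure
    mode tcp
    option tcplog
    bind *:995 name pop3ssl
    maxconn 10000
    default_backend bk_exchange_POP3_Secure

backend bk_exchange_POP3_Secure
    mode tcp
    server Node01 10.101.0.150:995 maxconn 10000 check
    server Node02 10.101.0.151:995 maxconn 10000 check backup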

----------------------------------------------------------------------------


1.4 #啓動

# 1.4 Start HAProxy through the init script installed in 1.3.2 and confirm it listens.
/data/haproxy/haproxy start

# expect one LISTEN line per 'bind' in haproxy.cfg (80, 443, 9000 and the mail ports)
netstat -antp|grep haproxy

# the process should be running as the 'haproxy' user (see 'user haproxy' in the config)
ps -ef|grep haproxy


1.5 #添加自啓動

# 1.5 Register the init script with chkconfig so HAProxy starts on boot.
ln -sf /data/haproxy/haproxy /etc/init.d/haproxy

chkconfig --add haproxy

chkconfig haproxy on

# should show 'on' for runlevels 2-5
chkconfig --list haproxy

# restart through the service wrapper to prove the registration works
service haproxy restart


1.6 重啓檢查服務狀態:

# 1.6 Check the service and firewall state after a reboot.
systemctl status haproxy

ps -A |grep haproxy

firewall-cmd --query-port 443/tcp

# The four commands below are generic firewalld examples, not steps for this
# deployment: 3306 and 233 are not used by HAProxy and should stay closed, and
# without --permanent the changes are lost on the next reload anyway.
firewall-cmd --list-services            # list allowed services

firewall-cmd --add-port=3306/tcp        # example only: allow tcp/3306 (runtime rule)

firewall-cmd --remove-port=80tcp        # example only: the argument is malformed ('80/tcp'); the original note referred to 3306

firewall-cmd --add-port=233/udp         # example only: allow udp/233

firewall-cmd --list-ports               # list opened ports



1.7 keepalived配置

安裝前環境準備

yum -y install psmisc libnfnetlink-devel curl gcc openssl-devel libnl3-devel net-snmp-devel


1.7.1 下載與安裝

軟件目錄規劃

軟件安裝目錄:/data/keepalived


日誌文件單獨存放在/var/log/keepalived/keepalived.log下


# set the host name of the first node

hostnamectl set-hostname corp-haproxy-01


vi /etc/hosts

# add the host address

172.16.0.222    corp-haproxy-01.localdomain



# Allow VRRP advertisements (multicast 224.0.0.18, IP protocol 112) in through firewalld.
# NOTE(review): this rule accepts VRRP from any source on ens160. Adding
# '--source <PEER_IP>' (the backup node's address; placeholder) stops a third
# host on the segment from injecting advertisements and taking over the VIP.
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface ens160 --destination 224.0.0.18 --protocol vrrp -j ACCEPT

firewall-cmd --reload


1.7.3開始編譯

1.7.3.1下載源碼包

 下載站點:

 1、http://www.keepalived.org/download.html

 2、http://keepalived.org/software

 cd /tmp

 curl --progress http://keepalived.org/software/keepalived-2.0.13.tar.gz | tar xz

 

 cd /tmp

wget http://www.keepalived.org/software/keepalived-2.0.15.tar.gz

1.7.3.2 編譯

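# 1.7.3.2 Build and install keepalived under its own prefix.
kldir=/data/keepalived   # install prefix

mkdir -p "$kldir"

# extract the archive downloaded in 1.7.3.1 and enter the tree
cd /tmp
tar -axf keepalived-2.0.15.tar.gz
cd /tmp/keepalived-2.0.15

# --prefix places binaries and the sample config under $kldir; the systemd
# unit inspected in 1.7.3.3 is still written to /usr/lib/systemd/system by the build.
./configure --prefix="$kldir"

make && make install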



1.7.3.3自啓動腳本

檢查腳本信息是否正確

# cat /usr/lib/systemd/system/keepalived.service 
# Unit written by the keepalived build — note the /data/keepalived paths from
# the --prefix in 1.7.3.2; check them before enabling the service.

[Unit]

Description=LVS and VRRP High Availability Monitor

After= network-online.target syslog.target

Wants=network-online.target


[Service]

Type=forking

PIDFile=/var/run/keepalived.pid

KillMode=process

# leading '-': a missing environment file is not an error. KEEPALIVED_OPTIONS
# comes from here (e.g. '-D' for detailed logging, '--log-facility=3' to match
# the local3 rsyslog rule added in 1.7.3.3).
EnvironmentFile=-/data/keepalived/etc/sysconfig/keepalived

ExecStart=/data/keepalived/sbin/keepalived $KEEPALIVED_OPTIONS

ExecReload=/bin/kill -HUP $MAINPID


[Install]

WantedBy=multi-user.target



!!!!默認的日誌存放位置在/var/log/messages中。


echo 'local3.* /var/log/keepalived/keepalived.log' >>/etc/rsyslog.conf                             


然後需要修改keepalived.conf

創建默認啓動文件

# Default config and service files. keepalived reads /etc/keepalived/keepalived.conf
# unless told otherwise, so the sample installed under the prefix is copied there.
mkdir -p /etc/keepalived

cp /data/keepalived/etc/keepalived/keepalived.conf  /etc/keepalived/

# SysV script from the source tree (the path assumes the 2.0.15 tarball was
# extracted in 1.7.3.1); redundant next to the systemd unit from 1.7.3.3, but harmless.
cp /tmp/keepalived-2.0.15/keepalived/etc/init.d/keepalived  /etc/rc.d/init.d/

# only the init.d script reads /etc/sysconfig/keepalived; the systemd unit reads
# the copy under /data/keepalived/etc/sysconfig — keep both in sync if you edit KEEPALIVED_OPTIONS
cp /data/keepalived/etc/sysconfig/keepalived  /etc/sysconfig/



 

# vi /etc/keepalived/keepalived.conf


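! Configuration File for keepalived
! Fix from the original page: the keyword was spelled 'weighit', which keepalived
! does not recognise — the track_script would have carried no weight.

global_defs {
   notification_email {                   # recipients for state-change mail, one per line
     [email protected]                      # placeholder (the address was mangled on the page) — set a real mailbox
   }
   notification_email_from [email protected]   # placeholder — sender address
   smtp_server 192.168.200.1              # SMTP relay used for notifications
   smtp_connect_timeout 30                # seconds
   router_id Haproxy_MASTER               # identifier of this node; may differ between nodes
}

vrrp_script check_haproxy {               # 'killall' comes from psmisc (installed in 1.7)
   script "killall -0 haproxy"            # exit 0 while at least one haproxy process exists
   interval 2                             # seconds between checks
   weight 2                               # success: effective priority = priority + weight; failure: priority only
   # NOTE(review): keepalived 2.x runs scripts as root unless script_user is set
   # or a 'keepalived_script' account exists; an unprivileged runner cannot
   # signal root-owned haproxy processes (EPERM) and the check would fail permanently.
}

vrrp_instance Haproxy_01 {
    state MASTER                    # this node starts as master; the peer uses BACKUP
    interface ens160                # interface carrying the VIP
    mcast_src_ip 172.16.0.222       # this node's own address
    virtual_router_id 51            # VRRP group id — identical on both nodes
    priority 100                    # 1-254; the backup node is lower (99, see the second-host section).
                                    # With weight 2: master 102 vs backup 101 while haproxy runs on both;
                                    # master drops to 100 when its haproxy dies and the backup takes over.
    advert_int 1                    # seconds between advertisements
    # nopreempt                     # uncomment on both nodes (with 'state BACKUP') to avoid a second
                                    # failover when the old master returns — keepalived requires BACKUP for it
    authentication {                # must match on both nodes. VRRP 'PASS' travels in clear and only
        auth_type PASS              # prevents accidental grouping; the firewall rule in 1.7.1 is what
        auth_pass 1111              # keeps foreign advertisements off this node
    }
    virtual_ipaddress {             # VIP — identical on both nodes
        172.16.0.220/24 brd 172.16.0.255 dev ens160 label ens160:vip
    }
    track_script {
        check_haproxy
    }
    smtp_alert                      # mail on every state change
}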



 

重啓服務即可。

1.7.3.4 設置開機啓動


systemctl enable keepalived.service 





第二臺主機修改:

1.主機名:

# Second node: host name.
hostnamectl set-hostname SD-haproxy02


vi /etc/hosts

修改爲第二臺主機地址

# NOTE(review): this node is addressed as 10.101.0.154 while the first node and
# the VIP are in 172.16.0.0/24 (1.7.1 and keepalived.conf). VRRP peers must share
# the segment that carries the VIP — confirm which addressing is intended before
# starting the backup, otherwise the two nodes never see each other's
# advertisements and both end up MASTER with the VIP configured twice.
10.101.0.154    SD-haproxy02.localdomain


2.修改IP

vi  /etc/sysconfig/network-scripts/ifcfg-ens160

修改爲第二臺主機地址

IPADDR=10.101.0.154


# re-read the ifcfg files; expect the SSH session to drop if it runs over ens160
service network restart


3.修改keepalived配置


vi /etc/keepalived/keepalived.conf

# Lines that differ from the master's keepalived.conf; everything else
# (virtual_router_id, authentication, virtual_ipaddress, track_script) must be
# identical on both nodes. The closing brace of the instance is not shown here.
   smtp_server 10.101.0.151 # SMTP relay for notifications (this is also Exchange Node02 — it must accept mail from this node)

   router_id  Haproxy_BACKUP # identifier of this node; may differ from the master's


vrrp_instance Haproxy_BACKUP { # instance names are local to each node; the shared key is virtual_router_id

    state BACKUP # this node starts as backup (the original comment was copied from the master's 'state MASTER' line)

    priority 99 # lower than the master's 100; with weight 2 from check_haproxy this node reaches 101, above a master whose haproxy has died

       

