nginx+keepalived

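In an LNMP architecture, a single server running nginx usually acts as the reverse proxy and also as the router for the internal network. This server has one public IP and one internal IP bound to it. We resolve the domain name to the public IP and let nginx proxy to the back-end web servers so that the site is reachable; at the same time, the internal network must be able to reach the external network, so this reverse proxy server also has to route for the internal network. That makes this server critical to the whole application architecture. Below I describe how to make the nginx reverse proxy service highly available with two machines running nginx+keepalived, so that when one nginx goes down, neither the application nor the internal network's access to the external network is affected.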

I. Architecture diagram

II. Deployment

1. Install keepalived on 0.205 and 0.207 (omitted; see http://linux008.blog.51cto.com/2837805/665390)
2. keepalived configuration
      192.168.0.205

# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id yuangnag.com
}
vrrp_script check_run {
    script "/root/bin/nginx_check.sh"
    interval 5
}
vrrp_sync_group VG1 {
     group {
        VI_1
     }
}
vrrp_instance VI_1 {
     state MASTER
     interface eth0
     virtual_router_id 88
     priority 100
     advert_int 1
     nopreempt
     authentication {
         auth_type PASS
         auth_pass yuangang.net
     }
     track_script {
         check_run
     }
     virtual_ipaddress {
         192.168.0.206/24 dev eth0
         110.110.110.25/25 dev eth1
     }
}
Add the startup command to /etc/rc.local:
# echo "/etc/init.d/keepalived start" >> /etc/rc.local

     192.168.0.207

# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id yuangang.com
}
vrrp_script check_run {
    script "/root/bin/nginx_check.sh"
    interval 5
}
vrrp_sync_group VG1 {
     group {
       VI_1 
     }
}
vrrp_instance VI_1 {
     state BACKUP
     interface eth0
     virtual_router_id 88
     priority 80
     advert_int 1
     authentication {
         auth_type PASS
         auth_pass yuangang.com
     }
     track_script {
         check_run
     }
     virtual_ipaddress {
         192.168.0.206/24 dev eth0
         110.110.110.25/25 dev eth1
     }
}
Add the startup command to /etc/rc.local:
# echo "/etc/init.d/keepalived start" >> /etc/rc.local

On both 192.168.0.205 and 192.168.0.207, write a script that checks whether the nginx service is running normally. The script is as follows:

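# cat /root/bin/nginx_check.sh
#!/bin/bash
# Count the running nginx processes
A=$(ps -C nginx --no-header | wc -l)
if [ "$A" -eq 0 ]; then
        # nginx is down: try to start it once
        /usr/local/nginx/sbin/nginx
        sleep 1
        # Still down: stop keepalived so the VIP fails over to the peer
        if [ "$(ps -C nginx --no-header | wc -l)" -eq 0 ]; then
                killall keepalived
        fi
fi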

3. iptables configuration

Apply the following iptables settings on both 192.168.0.205 and 192.168.0.207:

# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8081 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [12001:793841]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 110.110.110.25
COMMIT
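
The filter table above leaves INPUT and FORWARD at policy ACCEPT, and RH-Firewall-1-INPUT has no closing REJECT or DROP, so traffic to ports that are not listed is still accepted. The following Python check is an added example, not part of the original post: it reports the verdict for a packet that matches no rule and whether VRRP (IP protocol 112) is explicitly allowed; the sample rules are an abbreviated, constructed copy of the page's, and the hardened variant is an assumption.

```python
import shlex

# Constructed sample: an abbreviated copy of the filter table shown above.
PAGE_RULES = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
COMMIT
"""
# Assumed hardening (not from the page): allow VRRP adverts, then reject the rest.
HARDENED = PAGE_RULES.replace("COMMIT", "-A RH-Firewall-1-INPUT -p 112 -j ACCEPT\n"
    "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited\nCOMMIT")

def parse_filter(text):
    """Return (policies, chains) for the *filter table of iptables-save text."""
    policies, chains, in_filter = {}, {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []  # "-" marks a user chain
        elif in_filter and line.startswith("-A "):
            tok = shlex.split(line)
            chains.setdefault(tok[1], []).append(tok[2:])
    return policies, chains

def terminal_verdict(chain, policies, chains, seen=()):
    """Verdict for a packet that matches none of the conditional rules."""
    for rule in chains.get(chain, []):
        if rule[0] != "-j":            # rule has match conditions, may not match
            continue
        target = rule[1]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains and target not in seen:
            if verdict := terminal_verdict(target, policies, chains, seen + (chain,)):
                return verdict
    policy = policies.get(chain, "-")
    return None if policy == "-" else policy   # user chain returns to its caller

def allows_vrrp(chains):
    """True if a rule explicitly accepts IP protocol 112 (VRRP adverts)."""
    return any("-p" in r[:-1] and r[r.index("-p") + 1] in ("112", "vrrp")
               and r[-2:] == ["-j", "ACCEPT"] for rs in chains.values() for r in rs)
```

`terminal_verdict("INPUT", *parse_filter(PAGE_RULES))` returns ACCEPT for the page's rules and REJECT for the hardened variant. If a closing REJECT is added without the protocol 112 rule, the VRRP adverts between the two nodes are dropped as well and both nodes claim the VIP.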

4. Verification
When the nginx service on 192.168.0.205 goes down or restarts, the VIP floats over to 192.168.0.207; once 192.168.0.205 is back to normal, the VIP is bound to 192.168.0.205 again.
