在lnmp架構中,通常一臺裝有nginx服務器做反向代理服務器,又做內網的路由。在這臺服務器上綁有一個公網ip和一個內網ip.我們把域名解析到這個公網ip上,讓nginx代理到後端的web服務器上,這樣我們就可以訪問到我們的站點,與此同時必須讓內網訪問外網。這臺反向代理服務器又需要做內網的路由。這臺服務器,在整個應用架構中相當重要。下面我來闡述一下nginx+keepalived雙機實現nginx反向代理服務的高可用。也就是說在當一臺nginx掛掉之後不影響應用也不影響內網訪問外網。
一、架構圖
二、部署
1、在0.205和0.207上安裝keepalived(略請參考http://linux008.blog.51cto.com/2837805/665390)
2、keepalived配置
192.168.0.205
# cat /etc/keepalived/keepalived.conf ! Configuration File for keepalived global_defs { router_id yuangnag.com } vrrp_script check_run { script "/root/bin/nginx_check.sh" interval 5 } vrrp_sync_group VG1 { group { VI_1 } } vrrp_instance VI_1 { state MASTER interface eth0 virtual_router_id 88 priority 100 advert_int 1 nopreempt authentication { auth_type PASS auth_pass yuangang.net } track_script { check_run } virtual_ipaddress { 192.168.0.206/24 dev eth0 110.110.110.25/25 dev eth1 } } 啓動腳本寫入到/etc/rc.local裏 #echo "/etc/init.d/keepalived start" >> /etc/rc.local
192.168.0.207
# cat /etc/keepalived/keepalived.conf ! Configuration File for keepalived global_defs { router_id yuangang.com } vrrp_script check_run { script "/root/bin/nginx_check.sh" interval 5 } vrrp_sync_group VG1 { group { VI_1 } } vrrp_instance VI_1 { state BACKUP interface eth0 virtual_router_id 88 priority 80 advert_int 1 authentication { auth_type PASS auth_pass yuangang.com } track_script { check_run } virtual_ipaddress { 192.168.0.206/24 dev eth0 110.110.110.25/25 dev eth1 } } 啓動腳本寫入到/etc/rc.local裏 #echo "/etc/init.d/keepalived start" >> /etc/rc.local
分別在192.168.0.205和192.168.0.207編寫檢測nginx服務是否正常。腳本如下:
# cat /root/bin/nginx_check.sh #!/bin/bash A=`ps -C nginx --no-header |wc -l` if [ $A -eq 0 ] then /usr/local/nginx/sbin/nginx sleep 1 if [ `ps -C nginx --no-header |wc -l` -eq 0 ] then killall keepalived fi fi
3、iptables配置
192.168.0.205和192.168.0.207iptables都做如下設置
# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8081 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [12001:793841]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 110.110.110.25
COMMIT
4、驗證
當192.168.0.205nginx服務宕機或重啓,vip會飄移到192.168.0.207上;當192.168.0.205,正常後vip會再次綁定到192.168.0.205上。