Haproxy+keepalived+apache

1. Topology diagram:

[Figure: topology diagram]

2. Build and install haproxy (identical steps on both machines)

  • Extract: tar zxvf haproxy-1.6.4.tar.gz

  • Build. Note: the variable names before the equals signs must be upper case. TARGET=linux26 builds fine; HAProxy's INSTALL recommends linux2628 on kernels 2.6.28 and later.

    cd haproxy-1.6.4
    make TARGET=linux26 ARCH=x86_64 PREFIX=/usr/local/haproxy
    make install PREFIX=/usr/local/haproxy

  • After installation, create the config file and the init script:

    mkdir -p /usr/local/haproxy/etc/haproxy
    cp examples/acl-content-sw.cfg /usr/local/haproxy/etc/haproxy/haproxy.cfg
    cp examples/haproxy.init /etc/init.d/haproxy
    chmod +x /etc/init.d/haproxy

  • Edit the init script:

    vi /etc/init.d/haproxy

    Change the BIN and CFG paths. CFG must match the location the config was copied to in the previous step, /usr/local/haproxy/etc/haproxy/haproxy.cfg; with any other path "service haproxy start" fails because the file is not found.

    BIN=/usr/local/haproxy/sbin/$BASENAME
    CFG=/usr/local/haproxy/etc/$BASENAME/$BASENAME.cfg

    The script runs $BIN -c -q -f $CFG before starting, so a configuration error is reported up front instead of leaving you without a running proxy.

3. Edit the configuration file (same on both machines)

  • cd /usr/local/haproxy/etc/haproxy
  • cp haproxy.cfg haproxy.cfg.bak
  • vi haproxy.cfg

# This sample configuration makes extensive use of the ACLs. It requires
# HAProxy version 1.3.12 minimum.

global
        log        localhost   local3
        maxconn    250
        uid        71
        gid        71
        chroot     /usr/local/haproxy
        pidfile    /var/run/haproxy.pid
        daemon
        quiet

frontend http-in
        bind       :80
        mode       http
        log        global
        clitimeout 30000
        option     httplog
        option     dontlognull
        #option    logasap
        option     httpclose
        maxconn    100

        stats refresh 30s
        stats uri  /stats
        stats realm linuxidc-test-Haproxy
        stats auth admin:admin123
        stats hide-version

        capture request  header Host           len 20
        capture request  header User-Agent     len 16
        capture request  header Content-Length len 10
        capture request  header Referer        len 20
        capture response header Content-Length len 10

        # block any unwanted source IP addresses or networks
        acl forbidden_src src      0.0.0.0/7 224.0.0.0/3
        acl forbidden_src src_port 0:1023
        block if forbidden_src

        # block requests beginning with http:// on wrong domains
        acl dangerous_pfx  url_beg -i http://
        acl valid_pfx      url_reg -i ^http://[^/]*1wt\.eu/
        block if dangerous_pfx !valid_pfx

        # block apache chunk exploit, ...
        acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
        acl forbidden_hdrs hdr_beg(host)              -i apache- localhost

        # ... some HTTP content smuggling and other various things
        acl forbidden_hdrs hdr_cnt(host) gt 1
        acl forbidden_hdrs hdr_cnt(content-length) gt 1
        acl forbidden_hdrs hdr_val(content-length) lt 0
        acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
        block if forbidden_hdrs

        # block annoying worms that fill the logs...
        acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
        acl forbidden_uris url_sub -i %00 <script xmlrpc.php
        acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll

        # block other common attacks (awstats, manual discovery...)
        acl forbidden_uris path_dir -i chatmain.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice
        acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
        block if forbidden_uris

        # we rewrite the "options" request so that it only tries '*', and we
        # only report GET, HEAD, POST and OPTIONS as valid methods
        reqirep         ^OPTIONS\ /.*HTTP/1\.[01]$ OPTIONS\ \*\ HTTP/1.0
        rspirep         ^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS

        acl web   hdr_beg(host) -i www.abc.com
        use_backend     www  if web

backend www
        mode   http
        #source 192.168.11.13:0
        balance roundrobin
        cookie SERVERID
        server web01 192.168.1.13:80 check inter 30000 fall 3 weight 10
        server web02 192.168.1.14:80 check inter 30000 fall 3 weight 10

        # long timeout to support connection queueing
        contimeout      20000
        srvtimeout      20000
        fullconn 100
        redispatch
        retries 3

        option httpchk HEAD /
        option forwardfor
        option checkcache
        option httpclose

        # allow other syntactically valid requests, and block any other method
        acl valid_method method GET HEAD POST OPTIONS
        block if !valid_method
        block if HTTP_URL_STAR !METH_OPTIONS
        block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS

        # remove unnecessary precisions on the server version. Let's say
        # it's an apache under Unix on the Formilux Distro.
        rspidel         ^Server:\
        rspadd          Server:\ Apache\ (Unix;\ Formilux/0.1.8)
# end of configuration

    Notes on this configuration:

    - The ACL section is copied from HAProxy's examples/acl-content-sw.cfg and still whitelists 1wt.eu in valid_pfx. Any request that uses an absolute URI (GET http://www.abc.com/ HTTP/1.1, as proxies and some clients send) is therefore answered with 403 for this site. Change 1wt\.eu to abc\.com, or drop the dangerous_pfx rule, before using this for real.
    - The transfer-encoding rule rejects every chunked request body, not only the old Apache chunk exploit. As a request-smuggling defence in front of plain HTTP/1.0-style backends that is the intended effect, but it also breaks clients that legitimately stream uploads.
    - clitimeout, contimeout, srvtimeout and redispatch are the old spellings and produce deprecation warnings in 1.6 (timeout client, timeout connect, timeout server, option redispatch). block and the reqirep/rspirep/rspidel/rspadd rules still work in 1.6 but were deprecated later in favour of http-request deny and http-request/http-response rules, and are gone in current releases.
    - The stats page is served on the public frontend at /stats with the password admin:admin123 and reveals backend addresses and health. Move it to its own listen section bound to a management address and use a real password.
    - chroot /usr/local/haproxy points at the directory that holds the binary and the configuration. A chroot directory should be empty and not writable by uid 71; something like /var/lib/haproxy is the usual choice.
    - Check the file before restarting: the init script runs haproxy -c -f on it and refuses to start on errors, and you can run the same check by hand after each edit.
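To see what the block rules above actually reject, here is an added Python re-implementation of them applied to a few constructed raw requests. It was written for this page and is not HAProxy's matcher; the rule order follows the config (frontend rules first, backend method check last), and it deliberately keeps the upstream example's 1wt.eu whitelist so the absolute-URI problem noted above is visible. parse_request, check_request and the sample requests are assumptions, not anything from the original post.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Added example: a Python approximation of the block rules in the haproxy.cfg above.
# Not HAProxy's own engine; the sample requests further down are constructed.

FORBIDDEN_SRC_NETS = [ipaddress.ip_network("0.0.0.0/7"), ipaddress.ip_network("224.0.0.0/3")]
VALID_ABS_URL_RE = re.compile(r"^http://[^/]*1wt\.eu/", re.I)   # kept as in the config
TRAVERSAL_RE = re.compile(r"(\.|%2e)(\.|%2e)(%2f|%5c|/|\\)", re.I)
URL_SUBSTRINGS = ("%00", "<script", "xmlrpc.php")
PATH_ENDINGS = ("/root.exe", "/cmd.exe", "/default.ida", "/awstats.pl", ".asp", ".dll")
PATH_DIRS = {"chatmain.php", "read_dump.php", "viewtopic.php", "phpbb", "sumthin",
             "horde", "_vti_bin", "msoffice"}
URL_PATTERN_RE = re.compile(r"(\.php\?temppath=|\.php\?setmodules=|[=:]http://)", re.I)
VALID_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}

Header = Tuple[str, str]


def parse_request(raw: str) -> Tuple[str, str, List[Header]]:
    """Split a raw HTTP/1.x request head into (method, url, [(name, value), ...]).

    Header names are lower-cased; duplicates are kept so hdr_cnt-style rules can see them.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, url, headers


def check_request(raw: str, src_ip: str = "203.0.113.5", src_port: int = 40000) -> Optional[str]:
    """Return the name of the first block rule that matches, or None if the request passes."""
    # acl forbidden_src: src 0.0.0.0/7 224.0.0.0/3, src_port 0:1023
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in FORBIDDEN_SRC_NETS) or src_port <= 1023:
        return "forbidden_src"

    method, url, headers = parse_request(raw)

    def values(name: str) -> List[str]:
        return [v for n, v in headers if n == name]

    # block if dangerous_pfx !valid_pfx: absolute URIs are only allowed for 1wt.eu
    if url.lower().startswith("http://") and not VALID_ABS_URL_RE.search(url):
        return "dangerous_pfx"

    # forbidden_hdrs: chunked bodies, odd Host values, duplicate/negative lengths, proxy auth
    if any("chunked" in v.lower() for v in values("transfer-encoding")):
        return "forbidden_hdrs"
    if any(v.lower().startswith(("apache-", "localhost")) for v in values("host")):
        return "forbidden_hdrs"
    if len(values("host")) > 1 or len(values("content-length")) > 1:
        return "forbidden_hdrs"
    for v in values("content-length"):
        try:
            if int(v) < 0:
                return "forbidden_hdrs"
        except ValueError:
            pass  # assumption: a non-numeric length is not treated as negative here
    if values("proxy-authorization"):
        return "forbidden_hdrs"

    # forbidden_uris: traversal, null-byte/script probes, worm targets, known attack paths
    path = url.split("?", 1)[0]
    segments = {s.lower() for s in path.split("/") if s}     # path_dir works per segment
    lowered = url.lower()
    if (TRAVERSAL_RE.search(url)
            or any(s in lowered for s in URL_SUBSTRINGS)
            or path.lower().endswith(PATH_ENDINGS)
            or segments & PATH_DIRS
            or URL_PATTERN_RE.search(url)):
        return "forbidden_uris"

    # backend www: block if !valid_method
    if method not in VALID_METHODS:
        return "invalid_method"
    return None


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": "GET /index.html HTTP/1.1\r\nHost: www.abc.com\r\nUser-Agent: curl/7.29.0\r\n\r\n",
    "dup_content_length": ("POST /upload HTTP/1.1\r\nHost: www.abc.com\r\n"
                           "Content-Length: 5\r\nContent-Length: 9\r\n\r\nhello"),
    "chunked": ("POST /upload HTTP/1.1\r\nHost: www.abc.com\r\n"
                "Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "traversal": "GET /images/../../etc/passwd HTTP/1.1\r\nHost: www.abc.com\r\n\r\n",
    "rfi": "GET /index.php?temppath=http://203.0.113.9/x.txt HTTP/1.1\r\nHost: www.abc.com\r\n\r\n",
    "bad_method": "DELETE /index.html HTTP/1.1\r\nHost: www.abc.com\r\n\r\n",
    "absolute_uri": "GET http://www.abc.com/ HTTP/1.1\r\nHost: www.abc.com\r\n\r\n",
}


def evaluate_samples() -> dict:
    """Run every sample through check_request and return {name: verdict}."""
    return {name: check_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:20s} -> {verdict or 'allowed'}")
```

The "absolute_uri" sample is the one to watch: it is a perfectly normal request for www.abc.com and is still rejected, which is exactly what the unchanged 1wt.eu whitelist does on a live HAProxy.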


  • Log configuration

    haproxy.cfg already carries the log directive shown above:

    log        localhost   local3

    Because haproxy runs chrooted it cannot reach /dev/log, so this sends syslog over UDP to 127.0.0.1:514 and rsyslog has to listen on UDP.

    vi /etc/rsyslog.conf

    Uncomment:

$ModLoad imudp
$UDPServerRun 514

    Without an address restriction this listener accepts syslog from any host, so add $UDPServerAddress 127.0.0.1 before it unless you want to collect remote logs.

    Below the local7.* line add:

    local3.*                            /var/log/haproxy/haproxy.log

    The /var/log/haproxy directory must exist before rsyslog is restarted, otherwise it cannot open the file.

    vi /etc/sysconfig/rsyslog

    Change to:

    SYSLOGD_OPTIONS="-r -m 0"

    (-r and -m 0 are legacy sysklogd-style flags that rsyslog honours in compatibility mode; with imudp loaded above they are redundant, but harmless.)

    Restart rsyslog and haproxy:

    service rsyslog restart
    service haproxy restart

    Log file: /var/log/haproxy/haproxy.log

    View the haproxy status page at http://ip/stats, user/password admin:admin123
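Once the log is flowing, the capture lines in haproxy.cfg put Host, User-Agent, Content-Length and Referer into every httplog entry, and requests rejected by a block rule show up with status 403, server <NOSRV> and termination state PR--. The following added Python script (written for this page; not part of haproxy or of the original post) parses lines in HAProxy's httplog format and summarizes the blocked requests per source address. The log lines are constructed for the example, the parser only handles IPv4 source addresses, and parse_line, is_blocked and summarize are names chosen here.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Added example: parser for HAProxy "option httplog" lines as produced by the haproxy.cfg
# above. The sample lines below are constructed for this page, not captured from a system.

# Order of the "capture request header" lines in haproxy.cfg; the braces in the log follow it.
CAPTURED_REQUEST_HEADERS = ("Host", "User-Agent", "Content-Length", "Referer")

LOG_RE = re.compile(
    r"haproxy\[(?P<pid>\d+)\]: (?P<ip>[\d.]+):(?P<port>\d+) "
    r"\[(?P<ts>[^\]]+)\] (?P<frontend>\S+) (?P<backend>[^/ ]+)/(?P<server>\S+) "
    r"(?P<timers>[-\d/]+) (?P<status>-?\d+) (?P<bytes>\d+) "
    r"(?P<req_cookie>\S+) (?P<rsp_cookie>\S+) (?P<term>\S{4}) "
    r"(?P<conns>[\d/]+) (?P<queues>[\d/]+) "
    r"\{(?P<req_hdrs>[^}]*)\} \{(?P<rsp_hdrs>[^}]*)\} \"(?P<request>[^\"]*)\""
)

# Constructed sample log: two normal hits, three requests denied by block rules, one timeout.
SAMPLE_LOG = """\
Apr 19 10:23:41 lb01 haproxy[2214]: 192.168.0.50:51234 [19/Apr/2016:10:23:41.120] http-in www/web01 2/0/1/3/6 200 312 - - ---- 1/1/0/1/0 0/0 {www.abc.com|curl/7.29.0||} {12} "GET /index.html HTTP/1.1"
Apr 19 10:23:42 lb01 haproxy[2214]: 192.168.0.50:51235 [19/Apr/2016:10:23:42.310] http-in www/web02 1/0/1/2/4 200 312 - - ---- 1/1/0/1/0 0/0 {www.abc.com|curl/7.29.0||} {12} "GET /index.html HTTP/1.1"
Apr 19 10:24:05 lb01 haproxy[2214]: 203.0.113.77:40110 [19/Apr/2016:10:24:05.002] http-in http-in/<NOSRV> 0/-1/-1/-1/0 403 212 - - PR-- 1/1/0/0/0 0/0 {www.abc.com|Mozilla/4.0 (com||} {} "GET /cgi-bin/../../etc/passwd HTTP/1.1"
Apr 19 10:24:06 lb01 haproxy[2214]: 203.0.113.77:40111 [19/Apr/2016:10:24:06.441] http-in http-in/<NOSRV> 0/-1/-1/-1/0 403 212 - - PR-- 1/1/0/0/0 0/0 {www.abc.com|Mozilla/4.0 (com|18|} {} "POST /xmlrpc.php HTTP/1.1"
Apr 19 10:24:09 lb01 haproxy[2214]: 198.51.100.9:53020 [19/Apr/2016:10:24:09.873] http-in www/<NOSRV> 0/-1/-1/-1/0 403 212 - - PR-- 1/1/0/0/0 0/0 {www.abc.com|Nikto/2.1.5||} {} "DELETE /index.html HTTP/1.1"
Apr 19 10:24:30 lb01 haproxy[2214]: 192.168.0.50:51240 [19/Apr/2016:10:24:30.500] http-in www/web01 1/0/0/-1/30003 504 194 - - sH-- 1/1/0/1/0 0/0 {www.abc.com|curl/7.29.0||} {} "GET /slow HTTP/1.1"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one httplog line into a dict; None if the line is not an httplog entry."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    entry["status"] = int(entry["status"])
    entry["bytes"] = int(entry["bytes"])
    # Captured request headers are '|'-separated, in the order of the capture lines.
    entry["headers"] = dict(zip(CAPTURED_REQUEST_HEADERS, entry["req_hdrs"].split("|")))
    return entry


def is_blocked(entry: dict) -> bool:
    """True when HAProxy itself denied the request with one of the block rules.

    Such requests never reach a server: status is 403, the server field is <NOSRV>
    and the termination state starts with "PR" (request denied by a proxy rule).
    """
    return (entry["status"] == 403 and entry["server"] == "<NOSRV>"
            and entry["term"].startswith("PR"))


def summarize(text: str) -> Tuple[Counter, Dict[str, List[Tuple[str, str]]]]:
    """Return (status-code counter, {source ip: [(request line, user agent), ...]})."""
    statuses: Counter = Counter()
    blocked: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        statuses[entry["status"]] += 1
        if is_blocked(entry):
            blocked[entry["ip"]].append((entry["request"], entry["headers"]["User-Agent"]))
    return statuses, dict(blocked)


if __name__ == "__main__":
    statuses, blocked = summarize(SAMPLE_LOG)
    print("status codes:", dict(statuses))
    for ip, hits in blocked.items():
        print(f"{ip}: {len(hits)} blocked")
        for request, agent in hits:
            print(f"    {request!r} ({agent})")
```

The 504 line is there to show the difference between a denied request (PR--) and a backend that timed out (sH--): both are errors, but only the first is something the ACLs did, and that is the set worth feeding into alerting or an IP block list.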

4. Install httpd on Web01 and Web02

    yum -y install httpd

    Create a test page on each:

    Web01: vi /var/www/html/index.html
       Wo shi 13.

    Web02: vi /var/www/html/index.html
       Wo shi 14.

    Run the following on both machines:

    Disable SELinux
    vi /etc/sysconfig/selinux
    SELINUX=disabled
    Reboot

    service iptables stop
    chkconfig iptables off
    chkconfig httpd on
    service httpd start

    Disabling SELinux and the firewall is acceptable for this lab only. On a real deployment keep both on and open TCP/80 only from the two HAProxy nodes: the backends never need to be reachable from anywhere else, and direct access would bypass every ACL in the proxy.

    Test in a browser that both web01 and web02 open.

[Figures: browser tests of web01 and web02]

5. Build and install keepalived

  • Install dependencies:

    yum -y install openssl openssl-devel

  • Extract:

    tar zxvf keepalived-1.2.20.tar.gz

  • Build:

    cd keepalived-1.2.20
    ./configure --prefix=/usr/local/keepalived1.2.20
    make
    make install

  • Set up the init script:

    cd /usr/local/keepalived1.2.20/
    cp etc/rc.d/init.d/keepalived /etc/init.d/
    vi /etc/init.d/keepalived

    Change three places (the default /etc paths are replaced by the prefix-installed ones):

    . /usr/local/keepalived1.2.20/etc/sysconfig/keepalived
    config="/usr/local/keepalived1.2.20/etc/keepalived/keepalived.conf"
    daemon keepalived -D -f $config

  • Configure keepalived.conf

    cd etc/keepalived/

    Back up: cp keepalived.conf keepalived.conf.bak

    vi keepalived.conf (note that the two config files differ)

    keepalived.conf on 192.168.0.11:

    

! Configuration File for keepalived

global_defs {

        notification_email {

                506@qq.com

        }

        notification_email_from postmaster@it.com

        smtp_server mail.it.com

        smtp_connect_timeout 30

        router_id LVS_01

}

vrrp_script chk_haproxy {

        script "/usr/local/keepalived1.2.20/check_haproxy.sh"

        interval 2

        weight 2

}

vrrp_instance VI_1 {

    state MASTER

    interface eth2

    virtual_router_id 51

    priority 100

    advert_int 1

    authentication {

        auth_type PASS

        auth_pass 1111

    }

    virtual_ipaddress {

        192.168.0.222/24

    }

}

keepalived.conf on 192.168.0.12 (only state and priority differ; router_id is just a per-node label used in notification mail, so giving this node its own value such as LVS_02 makes alerts easier to read):

    

! Configuration File for keepalived

global_defs {

        notification_email {

                506@qq.com

        }

        notification_email_from postmaster@it.com

        smtp_server mail.it.com

        smtp_connect_timeout 30

        router_id LVS_01

}

vrrp_script chk_haproxy {

        script "/usr/local/keepalived1.2.20/check_haproxy.sh"

        interval 2

        weight 2

}

vrrp_instance VI_1 {

    state BACKUP

    interface eth2

    virtual_router_id 51

    priority 99

    advert_int 1

    authentication {

        auth_type PASS

        auth_pass 1111

    }

    virtual_ipaddress {

        192.168.0.222/24

    }

}

  • ln -s /usr/local/keepalived1.2.20/sbin/keepalived /usr/sbin/

    A note on the VRRP settings above: auth_type PASS sends auth_pass across the LAN in clear text, and advertisements are multicast, so any host on the eth2 segment that can emit VRRP with a higher priority can take the VIP. Keep eth2 on a trusted segment, and since both peers are known here, keepalived's unicast_peer option is the simpler hardening.

  • Kernel settings (add to /etc/sysctl.conf on both nodes and apply with sysctl -p):

    net.ipv4.ip_forward = 1

    Enables IP forwarding. LVS needs this; HAProxy does not, since it terminates connections as a user-space proxy.

    net.ipv4.ip_nonlocal_bind = 1

    Allows binding to an address the host does not currently own, so haproxy on the BACKUP node can be configured to bind the VIP before it holds it. With bind :80 as above it is not strictly required, but it is harmless and avoids trouble if you later bind the VIP explicitly.

    If LVS DR or TUN mode is combined with Keepalived, two ARP parameters must also be set on the backend real servers. They are set here as well:

    net.ipv4.conf.lo.arp_ignore = 1
    net.ipv4.conf.lo.arp_announce = 2
    net.ipv4.conf.all.arp_ignore = 1
    net.ipv4.conf.all.arp_announce = 2

  • Create a script so that a stopped haproxy does not leave keepalived holding the VIP (keepalived runs it every 2 seconds via vrrp_script chk_haproxy)

    cat /usr/local/keepalived1.2.20/check_haproxy.sh

        #!/bin/bash
        # If haproxy is not running, try to start it once.
        if [ $(ps -C haproxy --no-header | wc -l) -eq 0 ]; then
         /etc/init.d/haproxy start
        fi
        sleep 2
        # Still not running: stop keepalived so the VIP moves to the other node.
        if [ $(ps -C haproxy --no-header | wc -l) -eq 0 ]; then
           /etc/init.d/keepalived stop
        fi

    The script must be executable (chmod +x). Note that it stops keepalived outright instead of exiting non-zero, so the weight 2 in vrrp_script never comes into play, and the node does not rejoin the VRRP group until keepalived is started again by hand. With the priorities used here (100 and 99) an exit 1 would be enough: the healthy peer would score 101 against the failing node's 100 and take the VIP, and the node would return automatically once haproxy is back.

  • Start the service

    service keepalived restart

    Check with ip addr whether the VIP has been created

[Figure: ip addr on the master showing the VIP 192.168.0.222]

    At this point the backup keepalived does not hold the VIP:

[Figure: ip addr on the backup without the VIP]

    When the master keepalived goes down, the backup takes over the VIP (simulated here by stopping the service)

[Figure: ip addr on the master after keepalived is stopped]

[Figure: ip addr on the backup now holding the VIP]

    During a keepalived switch-over, ping loses one packet:

    • When the master keepalived is stopped, one packet is lost:

[Figure: ping output during the master stop]

    • When the master keepalived comes back, one packet is lost:

[Figure: ping output during the master recovery]

    The second gap is the master preempting the VIP on return. If a few seconds of running on the lower-priority node is acceptable, keepalived's nopreempt option (which requires both instances to start in state BACKUP) avoids that second switch.


6. Testing www.abc.com from the HAProxy host itself

  • There is no DNS for the test, so add a temporary hosts entry:

[Figure: hosts entry for www.abc.com]

Test: curl www.abc.com twice; the answers alternate between the two backends (round robin)

[Figure: curl output showing the two backend pages]

7. Testing www.abc.com from a client

  • Windows client test: add a hosts entry

[Figure: Windows hosts file entry for www.abc.com]

Open www.abc.com in a browser twice; round robin works here as well

[Figure: browser showing the first backend page]

[Figure: browser showing the second backend page]