群集-lvs持久连接

持久链接的类型

1.       Persistent client connections pcc 持久的客户端连接

2.       persistent port connections ppc 持久的端口连接

3.       persistent netfilter marked packet persistence 防火墙标记的连接

4.       ftp connections

主动21 20  打成一致的标签

被动 21 和一定范围的端口 打成一致标签

Pasv_min_port=10000

Pasv_max_port=20000

Pasv_address=n.n.n.n

/sbin/iptables –t mangle –A PREROUTING –p tcp –d n.n.n.n/32

--dport 21 –j MARK –set-mark 21

/sbin/iptables –t mangle –A PREROUNTING –p tcp –d n.n.n.n/32

--dport 10000:20000 –j MARK –set-mark 21

5.       expired persistence 过期的持久连接

常用的是防火墙和ftp的持久链接

 

1.       持久的客户端连接

默认端口是0

只要是某一台固定的pc链接都会定义到某一固定的server上

[root@director Cluster]# ipvsadm -C

[root@director Cluster]# ipvsadm -A -t 192.168.2.100:0 -s  rr -p

[root@director Cluster]# ipvsadm -a -t 192.168.2.100:0 -r 192.168.2.20 -g

[root@director Cluster]# ipvsadm -a -t 192.168.2.100:0 -r 192.168.2.30 -g

 

52-1

 

换地址

52-2

2.持久端口连接

[root@director ~]# ipvsadm -C

[root@director ~]#

[root@director ~]#

[root@director ~]# ipvsadm -A -t 192.168.2.100:80 -p -s rr

invalid timeout value `-s' specified

[root@director ~]# ipvsadm -A -t 192.168.2.100:80 -s -p rr

unexpected argument rr

[root@director ~]# ipvsadm -A -t 192.168.2.100:80 -s rr -p

[root@director ~]# ipvsadm -A -t 192.168.2.100:22 -s rr -p

[root@director ~]# ipvsadm -a -t 192.168.2.100:80 -r 192.168.2.20 -g

[root@director ~]# ipvsadm -a -t 192.168.2.100:80 -r 192.168.2.30 -g

[root@director ~]# ipvsadm -a -t 192.168.2.100:22 -r 192.168.2.10  

[root@director ~]#

[root@director ~]#

 [root@director ~]# ipvsadm -Ln

IP Virtual Server version (size=4096)

Prot LocalAddress:Port Scheduler Flags

  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn

TCP  192.168.2.100:80 rr persistent 360

  -> 192.168.2.30:80              Route   1      0          2        

  -> 192.168.2.20:80              Route   1      0          0        

TCP  192.168.2.100:22 rr persistent 360

  -> 192.168.2.10:22              Local   1      0          0        

[root@director ~]#

 

3.防火墙标记的连接

--具有依赖关系的 会被分配到不同的服务器上80 443； 21 20

Mangle表格主要用作tos数据包类型服务的。

只有在director server生效 ，real server 看不到

1.做Ca

[root@server2 ~]# vim /etc/pki/tls/

 45 dir             = /etc/pki/CA           # Where everything is kept

88 countryName             = optional

 89 stateOrProvinceName     = optional

 90 organizationName        = optional        

：88,90 s/match/potional    

[root@server2 ~]#

[root@server2 ~]# cd /etc/pki/CA/      

[root@server2 CA]# mkdir crl certs newcerts

[root@server2 CA]# touch index.txt serail

[root@server2 CA]# echo "01">>serial

[root@server2 CA]# cat serial

01

[root@server2 CA]# openssl genrsa 1024 >private/cakey.pem

Generating RSA private key, 1024 bit long modulus

......................................++++++

.............++++++

e is 65537 (0x10001)

[root@server2 CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:cn

State or Province Name (full name) []:hn

Locality Name (eg, city) [Newbury]:zz

Organization Name (eg, company) [My Company Ltd]:zzu

Organizational Unit Name (eg, section) []:lib

Common Name (eg, your name or your server's hostname) []:web1.zzu.com

Email Address []:

[root@server2 CA]# chmod 600 private*

 

[root@server2 CA]# mkdir /etc/httpd/certs

[root@server2 CA]# cd /etc/httpd/certs

[root@server2 certs]# openssl genrsa 1024 >httpd.key

Generating RSA private key, 1024 bit long modulus

........++++++

..........................++++++

e is 65537 (0x10001)

[root@server2 certs]# openssl req -new -key httpd.key -out httpd.csr

Country Name (2 letter code) [GB]:cn

State or Province Name (full name) []:hn

Locality Name (eg, city) [Newbury]:zz

Organization Name (eg, company) [My Company Ltd]:zzu

Organizational Unit Name (eg, section) []:lib

Common Name (eg, your name or your server's hostname) []:server1.zzu.com

 

[root@server2 certs]# openssl ca -in httpd.csr -out httpd.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Aug 24 21:48:07 2011 GMT

            Not After : Aug 23 21:48:07 2012 GMT

        Subject:

            countryName               = cn

            stateOrProvinceName       = hn

            organizationName          = zzu

            organizationalUnitName    = lib

            commonName                = server1.zzu.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                E0:1E:9B:B8:B6:4E:61:7C:4B:D5:87:86:3B:D0:94:39:26:F4:B2:94

            X509v3 Authority Key Identifier:

                keyid:0A:C8:47:0D:AC:11:A8:E5:D0:D4:9E:F6:F8:18:F4:00:54:01:1C:E6

 

Certificate is to be certified until Aug 23 21:48:07 2012 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@server2 certs]#

 

[root@server2 certs]# chmod 600 *

 

[root@server2 certs]# cd /mnt/cdrom/Server/

[root@server2 Server]# rpm -ivh mod_ssl

error: open of mod_ssl failed: No such file or directory

[root@server2 Server]# rpm -ivh mod_ssl--22.el5.i386.rpm

warning: mod_ssl--22.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186

error: Failed dependencies:

        libdistcache.so.1 is needed by mod_ssl--22.el5.i386

        libnal.so.1 is needed by mod_ssl--22.el5.i386

[root@server2 Server]#

[root@server2 Server]# rpm -ivh distcache--14.1.i386.rpm

[root@server2 Server]# rpm -ivh mod_ssl--22.el5.i386.rpm

 

[root@server2 Server]# vim /etc/httpd/conf.d/ssl.conf

112 SSLCertificateFile /etc/httpd/certs/httpd.crt

119 SSLCertificateKeyFile /etc/httpd/certs/httpd.key

128 SSLCertificateChainFile /etc/pki/CA/cacert.pem

[root@server2 Server]# service httpd restart

 

Server1的证书

[root@server1 certs]# vim /etc/pki/tls/openssl.cnf

[root@server1 certs]# cd /etc/pki/CA/

[root@server1 CA]# mkdir crl certs newcerts

[root@server1 CA]# touch serial index.txt

[root@server1 CA]# echo "01" >serial

 [root@server1 CA]# openssl genrsa 1024 >private/cakey.pem

 

 

[root@server1 CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem

 

 

 

[root@server1 CA]# cd /etc/httpd/certs/

[root@server1 certs]# openssl genrsa 1024 >httpd.key

[root@server1 certs]# openssl req -new -key httpd.key -out httpd.csr

 

 

 

[root@server1 certs]# openssl ca -in httpd.csr -out httpd.crt

[root@server1 certs]# chmod 600 *

[root@server2 Server]# scp /etc/httpd/conf.d/ssl.conf 192.168.2.20:/etc/httpd/conf.d/ssl.conf

 

 

Please type 'yes' or 'no': yes

 

root@192.168.2.20's password:

ssl.conf                                      100% 9649     9.4KB/s   00:00   

[root@server2 Server]#

[root@server1 certs]# service httpd restart

 

持久连接测试

[root@director ~]# ipvsadm -C

[root@director ~]# ipvsadm Ln

Try `ipvsadm -h' or 'ipvsadm --help' for more information.

[root@director ~]# ipvsadm -Ln

IP Virtual Server version (size=4096)

Prot LocalAddress:Port Scheduler Flags

  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn

[root@director ~]# iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1

[root@director ~]# ipvsadm -A -f 1 -s rr -p 3600

[root@director ~]# ipvsadm -a -f 1 -r 192.168.2.20 -g

[root@director ~]# ipvsadm -a -f 1 -r 192.168.2.30 -g

[root@director ~]#