CentOS: Load Balancing + Failover

Task requirements

How the two components relate:
- Who does the load balancing? Nginx (upstream + proxy_pass).
- Who does the failover? Keepalived (VIP floating + health check).
- How do they work together? Keepalived keeps the HaProxy nodes highly available; Nginx does the load balancing on whichever node is live.

Solution walkthrough

Part 1: HaProxy1 (master node, 192.168.10.1)

1.1 Log in to the HaProxy1 VM

```bash
# Run all of the following commands on HaProxy1
ssh root@192.168.10.1
# or work directly in the HaProxy1 console
```

1.2 Find the network interface name

```bash
ip a
```

Expected output:

```
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    link/ether 00:0c:29:bf:46:4f brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.1/24 brd 192.168.10.255 scope global ens33
```

Note the interface name (ens33); the Keepalived configuration below needs it.

1.3 Disable the firewall and SELinux

```bash
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
```

1.4 Fetch the certificates from Web1

```bash
# Create the certificate directory
mkdir -p /csk-rootca
# Copy the certificates from Web1 (enter Web1's root password when prompted)
scp root@192.168.10.3:/csk-rootca/httpd.crt /csk-rootca/
scp root@192.168.10.3:/csk-rootca/httpd.key /csk-rootca/
scp root@192.168.10.3:/root/csk-ca.pem /root/
# Copy them to the standard directories (avoids SELinux context problems)
cp /csk-rootca/httpd.crt /etc/pki/tls/certs/
cp /csk-rootca/httpd.key /etc/pki/tls/private/
# Set permissions
chmod 644 /etc/pki/tls/certs/httpd.crt
chmod 600 /etc/pki/tls/private/httpd.key
chmod 644 /root/csk-ca.pem
# Verify the files
ls -l /etc/pki/tls/certs/httpd.crt /etc/pki/tls/private/httpd.key /root/csk-ca.pem
```

1.5 Install Nginx and Keepalived

```bash
yum install -y epel-release
yum install -y nginx keepalived
systemctl enable nginx keepalived
```

1.6 Configure Nginx

```bash
# Back up the original configuration
mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak 2>/dev/null
# Create the Nginx configuration file. The heredoc delimiter is quoted so the
# shell leaves the Nginx $variables in the file untouched.
cat > /etc/nginx/conf.d/proxy.conf <<'EOF'
# Cache path
proxy_cache_path /tmp/cache levels=1:2 keys_zone=cskcache:10m;

# Web server group (round robin)
upstream web {
    server 192.168.10.3;
    server 192.168.10.4;
}

# HTTPS virtual host
server {
    listen 443 ssl;
    server_name www.chinaskills.cn;

    # SSL certificate (standard paths)
    ssl_certificate /etc/pki/tls/certs/httpd.crt;
    ssl_certificate_key /etc/pki/tls/private/httpd.key;

    # Cache settings
    proxy_cache cskcache;
    proxy_cache_valid 200 1s;
    proxy_cache_key $request_uri;

    location / {
        # Pass the real client IP to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # CA used for backend certificate verification
        proxy_ssl_trusted_certificate /root/csk-ca.pem;
        # Reverse proxy to the web server group
        proxy_pass https://web;
        # Expose the cache status
        add_header X-Cache-Status $upstream_cache_status;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name www.chinaskills.cn;
    return 301 https://$server_name$request_uri;
}
EOF
# Create the cache directory
mkdir -p /tmp/cache
chmod 755 /tmp/cache
chown nginx:nginx /tmp/cache
# Test the Nginx configuration
nginx -t
```

Expected output:

```
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

Note that proxy_ssl_trusted_certificate only tells Nginx which CA to trust; the upstream certificate is actually checked only when proxy_ssl_verify is set to on (it defaults to off), and it must then match proxy_ssl_name, which defaults to the host part of proxy_pass (here `web`).
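Every Nginx variable in proxy.conf ($host, $remote_addr, $request_uri, $upstream_cache_status and so on) is also valid shell syntax, so writing the file from an unquoted heredoc silently replaces each one with whatever the shell has in that variable, usually nothing. The script below is an added example, not part of the original write-up: it renders the same location block through a quoted and an unquoted heredoc and runs a small static check over each result. The function names (render_conf, count_vars, lint_conf) are mine and the snippet content is constructed; lint_conf is a heuristic, not a replacement for `nginx -t`.

```shell
#!/bin/sh
# Added example, not from the original write-up. Demonstrates why the Nginx
# configuration must be written with a quoted heredoc (<<'EOF') and performs a
# minimal static check on the rendered file. Function names are the author's.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Make sure no shell variable happens to carry these names, so the unquoted
# rendering below shows the usual outcome: every $variable becomes empty.
unset host remote_addr proxy_add_x_forwarded_for upstream_cache_status request_uri

# render_conf MODE OUTFILE: MODE is "quoted" or "unquoted". Same snippet in
# both branches; only the quoting of the heredoc delimiter differs.
render_conf() {
    if [ "$1" = quoted ]; then
        cat > "$2" <<'EOF'
location / {
    proxy_cache_key $request_uri;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass https://web;
    add_header X-Cache-Status $upstream_cache_status;
}
EOF
    else
        cat > "$2" <<EOF
location / {
    proxy_cache_key $request_uri;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass https://web;
    add_header X-Cache-Status $upstream_cache_status;
}
EOF
    fi
}

# count_vars FILE: number of $variable references that survived rendering
count_vars() {
    grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$1" | wc -l | tr -d ' '
}

# lint_conf FILE: returns 0 when braces balance, every directive line ends in
# ';' and no directive lost its last argument (a space right before ';' is the
# fingerprint of a variable that the shell expanded to nothing).
lint_conf() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /[{][[:space:]]*$/ { depth++; next }
        /^[[:space:]]*[}][[:space:]]*$/ { depth--; next }
        !/;[[:space:]]*$/ { print FILENAME ":" NR ": missing ;"; bad = 1; next }
        /[[:space:]];[[:space:]]*$/ { print FILENAME ":" NR ": empty argument before ;"; bad = 1 }
        END { if (depth != 0) { print FILENAME ": unbalanced braces"; bad = 1 }
              exit bad + 0 }
    ' "$1"
}

render_conf quoted "$WORK/quoted.conf"
render_conf unquoted "$WORK/unquoted.conf"
for f in quoted unquoted; do
    echo "$f heredoc: $(count_vars "$WORK/$f.conf") Nginx variables kept"
    if lint_conf "$WORK/$f.conf"; then echo "$f heredoc: lint ok"; else echo "$f heredoc: lint FAILED"; fi
done
```

With the quoted delimiter all five variables reach the file and the lint passes; with the unquoted one the file contains lines such as `proxy_set_header Host ;`, which `nginx -t` would reject with an argument-count error.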
1.7 Create the Keepalived health-check script

```bash
cat > /etc/keepalived/check_nginx.sh <<'EOF'
#!/bin/bash
# Exit 0 while the nginx unit is active and 1 otherwise; Keepalived counts a
# non-zero exit as a failed check.
if systemctl is-active nginx >/dev/null; then
    exit 0
else
    exit 1
fi
EOF
chmod +x /etc/keepalived/check_nginx.sh
```

1.8 Configure Keepalived (master node)

Note: replace ens33 with the actual interface name found in step 1.2.

```bash
cat > /etc/keepalived/keepalived.conf <<'EOF'
global_defs {
    router_id HAPROXY1
}

vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"
    interval 5
    fall 2
    rise 1
}

vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 101
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass haproxy!
    }
    virtual_ipaddress {
        192.168.10.100/24
    }
    track_script {
        check_nginx
    }
}
EOF
```

1.9 Create the maintenance page

```bash
mkdir -p /home
echo "This site is being maintained" > /home/index.html
```

1.10 Start the services

```bash
# Start Nginx
systemctl start nginx
systemctl status nginx
# Start Keepalived
systemctl start keepalived
systemctl status keepalived
# Check the VIP
ip addr show | grep 192.168.10.100
```

Expected output: the VIP should be shown bound on HaProxy1.

Part 2: HaProxy2 (backup node, 192.168.10.2)

2.1 Log in to the HaProxy2 VM

```bash
# Run all of the following commands on HaProxy2
ssh root@192.168.10.2
# or work directly in the HaProxy2 console
```

2.2 Find the network interface name

```bash
ip a
```

Expected output:

```
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    link/ether 00:0c:29:b5:e8:bb brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.2/24 brd 192.168.10.255 scope global ens33
```

Note the interface name (ens33); the Keepalived configuration below needs it.

2.3 Disable the firewall and SELinux

```bash
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
```

2.4 Fetch the certificates from Web1

```bash
# Create the certificate directory
mkdir -p /csk-rootca
# Copy the certificates from Web1 (enter Web1's root password when prompted)
scp root@192.168.10.3:/csk-rootca/httpd.crt /csk-rootca/
scp root@192.168.10.3:/csk-rootca/httpd.key /csk-rootca/
scp root@192.168.10.3:/root/csk-ca.pem /root/
# Copy them to the standard directories (avoids SELinux context problems)
cp /csk-rootca/httpd.crt /etc/pki/tls/certs/
cp /csk-rootca/httpd.key /etc/pki/tls/private/
```
```bash
# Set permissions
chmod 644 /etc/pki/tls/certs/httpd.crt
chmod 600 /etc/pki/tls/private/httpd.key
chmod 644 /root/csk-ca.pem
# Verify the files
ls -l /etc/pki/tls/certs/httpd.crt /etc/pki/tls/private/httpd.key /root/csk-ca.pem
```

2.5 Install Nginx and Keepalived

```bash
yum install -y epel-release
yum install -y nginx keepalived
systemctl enable nginx keepalived
```

2.6 Configure Nginx (identical to HaProxy1)

```bash
# Back up the original configuration
mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak 2>/dev/null
# Create the Nginx configuration file (quoted heredoc so the $variables survive)
cat > /etc/nginx/conf.d/proxy.conf <<'EOF'
# Cache path
proxy_cache_path /tmp/cache levels=1:2 keys_zone=cskcache:10m;

# Web server group (round robin)
upstream web {
    server 192.168.10.3;
    server 192.168.10.4;
}

# HTTPS virtual host
server {
    listen 443 ssl;
    server_name www.chinaskills.cn;

    # SSL certificate (standard paths)
    ssl_certificate /etc/pki/tls/certs/httpd.crt;
    ssl_certificate_key /etc/pki/tls/private/httpd.key;

    # Cache settings
    proxy_cache cskcache;
    proxy_cache_valid 200 1s;
    proxy_cache_key $request_uri;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_trusted_certificate /root/csk-ca.pem;
        proxy_pass https://web;
        add_header X-Cache-Status $upstream_cache_status;
    }
}

server {
    listen 80;
    server_name www.chinaskills.cn;
    return 301 https://$server_name$request_uri;
}
EOF
# Create the cache directory
mkdir -p /tmp/cache
chmod 755 /tmp/cache
chown nginx:nginx /tmp/cache
# Test the Nginx configuration
nginx -t
```

Expected output:

```
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

2.7 Create the Keepalived health-check script

```bash
cat > /etc/keepalived/check_nginx.sh <<'EOF'
#!/bin/bash
# Exit 0 while the nginx unit is active and 1 otherwise
if systemctl is-active nginx >/dev/null; then
    exit 0
else
    exit 1
fi
EOF
chmod +x /etc/keepalived/check_nginx.sh
```

2.8 Configure Keepalived (backup node)

Note: replace ens33 with the actual interface name found in step 2.2.

```bash
cat > /etc/keepalived/keepalived.conf <<'EOF'
global_defs {
    router_id HAPROXY2
}

vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"
    interval 5
    fall 2
    rise 1
}

vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    virtual_router_id 51
    priority 99
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass haproxy!
    }
    virtual_ipaddress {
        192.168.10.100/24
    }
    track_script {
        check_nginx
    }
}
EOF
```

2.9 Create the maintenance page

```bash
mkdir -p /home
echo "This site is being maintained" > /home/index.html
```
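The master and backup keepalived.conf files (steps 1.8 and 2.8) must agree on everything that identifies the VRRP group (virtual_router_id, auth_pass, interface, advert_int, the VIP) and differ only in router_id, state and priority; a mismatch in any of the shared values quietly produces two masters, each holding the VIP. The script below is an added example, not part of the original write-up: it writes a master/backup pair with the lab's values (constructed here, not read from the real nodes), checks the pair for consistency, and derives an upper bound on the failover delay from the timers in it. The function names (write_conf, kv, vip, check_pair, worst_case_failover) are mine; the timing formula is the VRRP master-down interval from RFC 3768, 3 * advert_int + (256 - priority) / 256, added to the fall * interval that the tracked script needs to declare Nginx down.

```shell
#!/bin/sh
# Added example, not from the original write-up: sanity-check a MASTER/BACKUP
# keepalived.conf pair before starting keepalived and estimate the worst-case
# failover delay. Function names are the author's own; the sample configs are
# constructed to mirror the lab values.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# write_conf FILE ROUTER_ID STATE PRIORITY [VRID]: constructed config writer.
# The heredoc is deliberately unquoted here because the $n placeholders are
# shell parameters, not keepalived variables.
write_conf() {
    cat > "$1" <<EOF
global_defs {
    router_id $2
}
vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"
    interval 5
    fall 2
    rise 1
}
vrrp_instance VI_1 {
    state $3
    interface ens33
    virtual_router_id ${5:-51}
    priority $4
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass haproxy!
    }
    virtual_ipaddress {
        192.168.10.100/24
    }
    track_script {
        check_nginx
    }
}
EOF
}

# kv FILE KEY: first value of KEY in FILE, surrounding quotes stripped
kv() { awk -v k="$2" '$1 == k { gsub(/"/, "", $2); print $2; exit }' "$1"; }

# vip FILE: first address listed inside virtual_ipaddress { ... }
vip() { awk '/virtual_ipaddress/ { f = 1; next } f { print $1; exit }' "$1"; }

# check_pair MASTER BACKUP: prints each inconsistency; returns 0 only when the
# two files describe one VRRP group with the master ranked above the backup.
check_pair() {
    m=$1; b=$2; rc=0
    for key in virtual_router_id auth_pass interface advert_int; do
        [ "$(kv "$m" $key)" = "$(kv "$b" $key)" ] || { echo "$key differs"; rc=1; }
    done
    [ "$(vip "$m")" = "$(vip "$b")" ] || { echo "virtual_ipaddress differs"; rc=1; }
    [ "$(kv "$m" router_id)" != "$(kv "$b" router_id)" ] || { echo "router_id must be unique per node"; rc=1; }
    [ "$(kv "$m" state)" = MASTER ] && [ "$(kv "$b" state)" = BACKUP ] || { echo "states must be MASTER and BACKUP"; rc=1; }
    [ "$(kv "$m" priority)" -gt "$(kv "$b" priority)" ] || { echo "master priority must exceed backup priority"; rc=1; }
    return $rc
}

# worst_case_failover MASTER BACKUP: upper bound in seconds between nginx
# stopping on the master and the backup claiming the VIP. The tracked script
# needs `fall` consecutive failures `interval` apart; if the master then simply
# goes silent, the backup waits the VRRP master-down interval
# 3 * advert_int + (256 - priority) / 256 (RFC 3768) before taking over.
worst_case_failover() {
    awk -v fall="$(kv "$1" fall)" -v iv="$(kv "$1" interval)" \
        -v adv="$(kv "$2" advert_int)" -v prio="$(kv "$2" priority)" \
        'BEGIN { printf "%.2f\n", fall * iv + 3 * adv + (256 - prio) / 256 }'
}

write_conf "$WORK/master.conf" HAPROXY1 MASTER 101
write_conf "$WORK/backup.conf" HAPROXY2 BACKUP 99
if check_pair "$WORK/master.conf" "$WORK/backup.conf"; then echo "pair is consistent"; fi
echo "worst-case failover: $(worst_case_failover "$WORK/master.conf" "$WORK/backup.conf") s"

# A backup whose VRID and priority were typed wrong: both problems are reported.
write_conf "$WORK/bad.conf" HAPROXY2 BACKUP 101 52
if check_pair "$WORK/master.conf" "$WORK/bad.conf"; then echo "unexpected: bad pair passed"; else echo "bad pair rejected"; fi
```

With fall 2 and interval 5 the script alone can take up to 10 s to notice that Nginx is gone, which is why the failover test later in this write-up waits several seconds before looking for the VIP on the backup; the VRRP term adds at most another few seconds.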
2.10 Start the services

```bash
# Start Nginx
systemctl start nginx
systemctl status nginx
# Start Keepalived
systemctl start keepalived
systemctl status keepalived
# Check the VIP (it should not be here yet; it is on the master node)
ip addr show | grep 192.168.10.100
```

Expected output: the VIP is not shown.

Part 3: Web servers (Web1 and Web2)

3.1 Log in to Web1 (192.168.10.3) and Web2 (192.168.10.4)

```bash
# On Web1
ssh root@192.168.10.3
# On Web2
ssh root@192.168.10.4
```

3.2 Change the Apache log format to record the real client IP

```bash
# Back up the configuration file
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
# Change the log format
sed -i 's/^LogFormat "%h %l %u %t/LogFormat "%h %{X-Real-IP}i %l %u %t/' /etc/httpd/conf/httpd.conf
# Or edit by hand
vim /etc/httpd/conf/httpd.conf
# Find the line (around line 196) and change it to:
# LogFormat "%h %{X-Real-IP}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# Restart Apache
systemctl restart httpd
systemctl status httpd
```

Part 4: Verification

4.1 Check where the VIP is

```bash
# On HaProxy1
ip addr show | grep 192.168.10.100
# the VIP should be shown
# On HaProxy2
ip addr show | grep 192.168.10.100
# the VIP should not be shown
```

4.2 Test load balancing

```bash
# From any machine, request the site several times
curl -k https://www.chinaskills.cn
curl -k https://www.chinaskills.cn
curl -k https://www.chinaskills.cn
```

The hostname must resolve to the VIP 192.168.10.100 on the machine running curl (for example through /etc/hosts), otherwise the requests never reach the proxy pair.

4.3 Check the web server logs

```bash
# On Web1
tail -f /var/log/httpd/access_log
# On Web2
tail -f /var/log/httpd/access_log
```

The requests should be distributed alternately between the two servers.

4.4 Test high-availability failover

```bash
# On HaProxy1 (master node), stop Nginx
systemctl stop nginx
# Wait 5-10 seconds, then check the VIP on HaProxy2
ip addr show | grep 192.168.10.100
# the VIP should have moved to HaProxy2
# Access should still succeed
curl -k https://www.chinaskills.cn
# Bring Nginx back on HaProxy1
systemctl start nginx
# After a few seconds the VIP should move back to HaProxy1
```

Part 5: Troubleshooting commands

On HaProxy1/HaProxy2:

```bash
# Nginx status
systemctl status nginx -l
journalctl -xe -u nginx
# Nginx logs
tail -f /var/log/nginx/error.log
tail -f /var/log/nginx/access.log
# Keepalived status
systemctl status keepalived -l
tail -f /var/log/messages | grep Keepalived
# Test the backend web servers directly
curl -k https://192.168.10.3
curl -k https://192.168.10.4
```

On Web1/Web2:

```bash
# Apache status
systemctl status httpd
tail -f /var/log/httpd/error_log
tail -f /var/log/httpd/access_log
```

Disclaimer: The contents of this article are my personal study notes, compiled and organised for my own study and reference only; redistribution is strictly prohibited. If there are omissions or errors, discussion is welcome so we can improve together.
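After the LogFormat change in step 3.2, every Apache access_log line carries two addresses: %h, which is the proxy node that forwarded the request, and %{X-Real-IP}i, which is the real client. Reading the two together answers the questions in steps 4.2 and 4.3 (is traffic split evenly, and is the real client IP arriving) and also exposes requests that reached Apache without going through the load balancer. The script below is an added example, not part of the original write-up: the log lines are constructed in the modified combined format, the proxy addresses are the lab's two HaProxy nodes, and the function names (proxied_requests, bypass_lines, bypass_count, clients, balance_check) are mine.

```shell
#!/bin/sh
# Added example, not from the original write-up: inspect Web1/Web2 access logs
# written with LogFormat "%h %{X-Real-IP}i %l %u %t ..." to confirm the
# round-robin split and spot traffic that bypassed the proxy pair.
# Sample log lines are constructed; function names are the author's own.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Addresses of the two proxy nodes; anything else in %h reached Apache directly.
PROXIES="192.168.10.1 192.168.10.2"

# Constructed sample logs. Web1 also contains one direct hit on /admin that did
# not pass through Nginx, so its X-Real-IP field is "-".
cat > "$WORK/web1.log" <<'EOF'
192.168.10.1 192.168.10.50 - - [01/Jan/2024:10:00:01 +0800] "GET / HTTP/1.1" 200 28 "-" "curl/7.29.0"
192.168.10.1 192.168.10.50 - - [01/Jan/2024:10:00:03 +0800] "GET / HTTP/1.1" 200 28 "-" "curl/7.29.0"
192.168.10.60 - - - [01/Jan/2024:10:00:04 +0800] "GET /admin HTTP/1.1" 404 201 "-" "Mozilla/5.0"
EOF
cat > "$WORK/web2.log" <<'EOF'
192.168.10.1 192.168.10.50 - - [01/Jan/2024:10:00:02 +0800] "GET / HTTP/1.1" 200 28 "-" "curl/7.29.0"
192.168.10.2 192.168.10.50 - - [01/Jan/2024:10:00:20 +0800] "GET / HTTP/1.1" 200 28 "-" "curl/7.29.0"
EOF

# proxied_requests FILE: requests that came through a proxy node and carry a
# client address in the X-Real-IP field
proxied_requests() {
    awk -v p="$PROXIES" '
        BEGIN { n = split(p, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        ok[$1] && $2 != "-" { c++ }
        END { print c + 0 }' "$1"
}

# bypass_lines FILE: requests whose %h is not a proxy node, or that arrived
# without X-Real-IP; these either skipped the load balancer or came from a
# proxy that is not setting the header. Printed in full for review.
bypass_lines() {
    awk -v p="$PROXIES" '
        BEGIN { n = split(p, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !ok[$1] || $2 == "-"' "$1"
}

# bypass_count FILE: number of such lines
bypass_count() { bypass_lines "$1" | wc -l | tr -d ' '; }

# clients FILE: distinct real client addresses seen behind the proxies
clients() { awk '$2 != "-" { print $2 }' "$1" | sort -u; }

# balance_check FILE1 FILE2: returns 0 when the proxied request counts differ
# by at most one, which is what round-robin over two healthy backends yields
balance_check() {
    n1=$(proxied_requests "$1"); n2=$(proxied_requests "$2")
    d=$((n1 - n2))
    if [ "$d" -lt 0 ]; then d=$((0 - d)); fi
    [ "$d" -le 1 ]
}

for f in web1 web2; do
    echo "$f: $(proxied_requests "$WORK/$f.log") proxied, $(bypass_count "$WORK/$f.log") bypassed, clients: $(clients "$WORK/$f.log" | tr '\n' ' ')"
done
if balance_check "$WORK/web1.log" "$WORK/web2.log"; then
    echo "round-robin split looks even"
else
    echo "uneven split: check upstream health and cache hits"
fi
echo "requests that bypassed the proxy pair:"
bypass_lines "$WORK/web1.log"
```

When running this against the real logs, bear in mind that proxy_cache_valid 200 1s means repeated requests inside one second can be served from the Nginx cache (X-Cache-Status: HIT) and never reach Apache, so space the curl calls out or check that header before concluding that the split is uneven.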