一、實驗環境
操作系統：CentOS 7.2 Minimal
serverA:192.168.1.104
serverB:192.168.1.109
VIP:     192.168.1.110
test:    192.168.1.120
二、軟件安裝
在serverA?和?serverB?上
#?yum??-y?install??nginx bind? ntp ?keepalived?
#?systemctl??enable??named??ntpd??nginx?keepalived
三、特殊配置
在serverA?和?serverB?上
#?sysctl?-w?net.ipv4.ip_nonlocal_bind=1
#?echo?"net.ipv4.ip_nonlocal_bind=1"?>>?/etc/sysctl.conf
注：更改 Linux 內核參數 net.ipv4.ip_nonlocal_bind，使得服務（nginx、named、ntpd）即使綁定在本機當前不存在的 IP（即漂移在另一臺機器上的 VIP）上，也不會因 bind 失敗而報錯。
#?setenforce?0
#?sed?-i?'s/^SELINUX=.*/SELINUX=permissive/g'???/etc/selinux/config
#?systemctl?stop???firewalld
# systemctl disable firewalld
三、serverA服務(wù)配置
# vim ?/etc/keepalived/keepalived.conf
##############################
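! Configuration File for keepalived
# serverA. Both nodes start as BACKUP so the VRRP election (priority) decides
# who owns the VIP instead of a hard-coded MASTER.
global_defs {
   router_id LVS_DEVEL
}
# Health check for nginx/named/ntpd; by default keepalived runs this script as
# root, so keep /etc/keepalived/check.sh root-owned and not group/world-writable.
vrrp_script check {
    script "/etc/keepalived/check.sh"
    # check.sh sleeps 3 s after each of up to three service restarts, so one run
    # can take 9 s. The interval must exceed the script's worst-case run time
    # (see the note after this file); 5 s was too short, 10 s covers it.
    interval 10
}
vrrp_instance VI_1 {
    state BACKUP
    interface eno16777736
    virtual_router_id 100
    # serverB uses 90; the higher value wins the election
    priority 100
    advert_int 1
    # once serverB holds the VIP, a recovered serverA does not take it back
    nopreempt
    authentication {
        auth_type PASS
        # NOTE(review): PASS authentication travels in cleartext in every VRRP
        # advertisement and "1111" is trivial; it only prevents accidental
        # joins by misconfigured peers, not a hostile host on the same segment.
        # Isolating the VRRP traffic (dedicated VLAN / filtering protocol 112)
        # is the actual protection.
        auth_pass 1111
    }
    track_script {
        check
    }
    virtual_ipaddress {
        192.168.1.110
    }
}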
##############################
注意：vrrp_script{} 中的 interval 時間需大于腳本中所有 sleep 的總時間！本腳本最壞情況下會連續執行 3 次 sleep 3（nginx、named、ntpd 各一次），即 9 秒，因此 interval 5 不夠。
# ?vim /etc/keepalived/check.sh
##############################
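#!/bin/bash
# keepalived track script: keep nginx, named and ntpd running on this node.
#
# For each service: if no process of that name exists, try to start it, wait
# 3 s and look again; if it is still down, stop keepalived so the VIP fails
# over to the peer. The exit status is not used (vrrp_script has no weight),
# the failover is triggered by stopping keepalived itself, as in the original.
# Note: nothing restarts keepalived afterwards; the node stays out of the VRRP
# group until an operator runs `systemctl start keepalived` after the repair.
# Worst-case run time is 3 x 3 s = 9 s; the vrrp_script interval must exceed it.

# Print the number of running processes whose command name is $1 (0 if none).
proc_count() {
    ps -C "$1" --no-heading | wc -l
}

# ensure_running NAME UNIT: restart UNIT once if NAME is not running, stop
# keepalived if it still is not running 3 s later.
ensure_running() {
    local name="$1" unit="$2"
    if [ "$(proc_count "$name")" = "0" ]; then
        systemctl start "$unit"
        sleep 3
        if [ "$(proc_count "$name")" = "0" ]; then
            systemctl stop keepalived.service
        fi
    fi
}

# Same order as before; checking continues even after keepalived was stopped.
ensure_running nginx nginx.service
ensure_running named named.service
ensure_running ntpd  ntpd.service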
#######################################
# chmod +x ?/etc/keepalived/check.sh
#?vim ?/etc/ntp.conf
########################################
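# ntpd on serverA/serverB: serves time on the VIP only, syncs from the VIP
# (i.e. whichever node is master) with the local clock as last resort.
driftfile /var/lib/ntp/drift
# Default policy: no modification, traps, peering or status queries (ntpq/ntpdc);
# plain time requests are still answered.
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# LAN clients. Fixed the netmask: "255..255.255.0" is not a valid mask and the
# parser will not accept the line as written. nopeer/noquery are not set here,
# so LAN hosts may still send mode 6/7 status queries; add them if that is not needed.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# NOTE(review): the upstream is the VIP. On the node that holds the VIP this points
# at itself (ntpd will detect the loop and fall back to the local clock below);
# the standby follows the master. A real external time source on the master is
# presumably wanted - confirm.
server 192.168.1.110 iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Listen only on the VIP and loopback. NOTE(review): ntpd binds to addresses it
# discovers on interfaces and only rescans periodically, so after a failover it
# may take a few minutes before it answers on the VIP - verify with ntpq -p.
interface ignore wildcard
interface listen 192.168.1.110
interface listen 127.0.0.1
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
# Turns off the mode 7 monlist facility abused for NTP amplification.
disable monitor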
##########################################
# vim /etc/named.conf
##########################################
// BIND on serverA/serverB: authoritative for test.com and recursive for clients,
// reachable only on the VIP (binding it while the VIP is on the peer relies on
// net.ipv4.ip_nonlocal_bind=1 set in section 3).
options {
        listen-on port 53 { 192.168.1.110; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // allow-query { any; } plus recursion yes makes this an open recursive
        // resolver for everyone who can reach 192.168.1.110, and section 3 turns
        // firewalld off. If the VIP is ever routable beyond the LAN, restrict it,
        // e.g. allow-recursion { 192.168.1.0/24; };
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        // NOTE(review): "yes" validates only against trust anchors configured
        // elsewhere (the stock CentOS named.conf includes /etc/named.root.key;
        // nothing here does). Without anchors nothing is actually validated;
        // "auto" uses BIND's built-in root anchor - confirm which is intended.
        dnssec-validation yes;
        pid-file "/run/named/named.pid";
};
zone "test.com" IN {
        type master;
        // No allow-transfer: presumably the BIND 9.9 shipped with CentOS 7 still
        // defaults to allow-transfer { any; }, so any host could AXFR the whole
        // zone - verify, and add allow-transfer { none; } (or the peer) if so.
        file "test.com.zone";
};
###############################################
# cp ?-p ?/var/named/named.localhost ? ?/var/named/test.com.zone
# vim??/var/named/test.com.zone
# vim /etc/nginx/nginx.conf
#########################################
# ? ?For more information on configuration, see:
# ? * Official English Documentation:http://nginx.org/en/docs/
# ? * Official Russian Documentation:http://nginx.org/ru/docs/
# Front-end nginx on serverA/serverB: a TCP (stream) proxy and an HTTPS reverse
# proxy, both bound to the VIP inside the included conf.d files.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
# (the stream{} block below needs the stream module to be installed and loaded here)
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections  1024;
}
# stream (TCP) forwarding
stream {
# hash is an upstream{}-level directive and is set in stream_proxy.conf; it is
# not valid directly inside stream{}, so it must stay commented out here.
#    hash $remote_addr consistent;
    proxy_connect_timeout 3s;
    include /etc/nginx/conf.d/stream_proxy.conf;
}
# http forwarding
http {
    # 500M request bodies are accepted and may be buffered to disk on this node
    client_max_body_size     500M;
    include                             mime.types;
    default_type                     application/octet-stream;
    # hides the nginx version in the Server header and error pages
    server_tokens                   off;
    sendfile                            on;
    keepalive_timeout           65;
    include /etc/nginx/conf.d/http_proxy.conf;
}
############################################
# ?vim ?/etc/nginx/conf.d/stream_proxy.conf
#############################################
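# L4 proxy: TCP 54321 on the VIP -> port 12345 on two backends, sticky per client IP.
upstream stream_service {
    # the same client address keeps landing on the same backend (consistent hashing)
    hash $remote_addr consistent;
    # Fixed: "server192.168.1.103" lacked the space, nginx rejects that as an
    # unknown directive and refuses to start. NOTE(review): 192.168.1.104 is serverA
    # itself (section 1) and .103 is not in the environment list - confirm both.
    server 192.168.1.103:12345        max_fails=1 fail_timeout=180s;
    server 192.168.1.104:12345        max_fails=1 fail_timeout=180s;
}
server {
    # VIP only; binding it on the standby relies on net.ipv4.ip_nonlocal_bind=1
    listen 192.168.1.110:54321;
    proxy_pass stream_service;
}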
#####################################################
# ?vim /etc/nginx/conf.d/http_proxy.conf
#####################################################
# HTTPS reverse proxy on the VIP -> two HTTPS backends.
upstream http_service {
    # a backend is skipped for 180 s after a single failed attempt
    server 192.168.1.107:443      max_fails=1 fail_timeout=180s;
    server 192.168.1.108:443      max_fails=1 fail_timeout=180s;
}
server {
    listen 192.168.1.110:443 ssl;
    # Self-signed pair generated below; clients will not trust it unless they import it.
    # No ssl_protocols / ssl_ciphers are set, so the build defaults apply - on the
    # nginx CentOS 7 ships that presumably still includes TLSv1.0/1.1; add
    # `ssl_protocols TLSv1.2;` to turn them off.
    ssl_certificate          /etc/nginx/ssl/nginx-selfsigned.crt;
    ssl_certificate_key  /etc/nginx/ssl/nginx-selfsigned.key;
    location / {
        proxy_connect_timeout     3;
        proxy_send_timeout         600;
        proxy_read_timeout          600;
        send_timeout                    600;
        # X-Real-IP is the direct peer and safe to use; X-Forwarded-For appends to
        # whatever the client sent, so backends must only trust its right-most entry.
        proxy_set_header            X-Real-IP $remote_addr;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
        # TLS to the backend: proxy_ssl_verify is off by default, so the backend
        # certificate is not checked. Host sent upstream is "http_service" unless a
        # `proxy_set_header Host $host;` is added.
        proxy_pass  https://http_service;
    }
}
#################################################################
# mkdir ?/etc/nginx/ssl
# openssl req ?-x509 ?-nodes \
? ? -newkey rsa:2048 \
? ? -days 365 \
    -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=TEST/OU=TEST/CN=www.test.com" \
? ? -keyout /etc/nginx/ssl/nginx-selfsigned.key \
? ? -out /etc/nginx/ssl/nginx-selfsigned.crt
四、serverB服務配置
# vim ?/etc/keepalived/keepalived.conf
##########################
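! Configuration File for keepalived
# serverB. Both nodes start as BACKUP so the VRRP election (priority) decides
# who owns the VIP instead of a hard-coded MASTER.
global_defs {
   router_id LVS_DEVEL
}
# Health check for nginx/named/ntpd; by default keepalived runs this script as
# root, so keep /etc/keepalived/check.sh root-owned and not group/world-writable.
vrrp_script check {
    script "/etc/keepalived/check.sh"
    # check.sh sleeps 3 s after each of up to three service restarts, so one run
    # can take 9 s. The interval must exceed the script's worst-case run time
    # (see the note after this file); 5 s was too short, 10 s covers it.
    interval 10
}
vrrp_instance VI_1 {
    state BACKUP
    interface eno16777736
    virtual_router_id 100
    # serverA uses 100 (with nopreempt), so serverB only takes the VIP when
    # serverA's keepalived is down
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        # NOTE(review): PASS authentication travels in cleartext in every VRRP
        # advertisement and "1111" is trivial; it only prevents accidental
        # joins by misconfigured peers, not a hostile host on the same segment.
        # Isolating the VRRP traffic (dedicated VLAN / filtering protocol 112)
        # is the actual protection.
        auth_pass 1111
    }
    track_script {
        check
    }
    virtual_ipaddress {
        192.168.1.110
    }
}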
##############################
注意：vrrp_script{} 中的 interval 時間需大于腳本中所有 sleep 的總時間！本腳本最壞情況下會連續執行 3 次 sleep 3（nginx、named、ntpd 各一次），即 9 秒，因此 interval 5 不夠。
# ?vim /etc/keepalived/check.sh
##############################
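#!/bin/bash
# keepalived track script: keep nginx, named and ntpd running on this node.
#
# For each service: if no process of that name exists, try to start it, wait
# 3 s and look again; if it is still down, stop keepalived so the VIP fails
# over to the peer. The exit status is not used (vrrp_script has no weight),
# the failover is triggered by stopping keepalived itself, as in the original.
# Note: nothing restarts keepalived afterwards; the node stays out of the VRRP
# group until an operator runs `systemctl start keepalived` after the repair.
# Worst-case run time is 3 x 3 s = 9 s; the vrrp_script interval must exceed it.

# Print the number of running processes whose command name is $1 (0 if none).
proc_count() {
    ps -C "$1" --no-heading | wc -l
}

# ensure_running NAME UNIT: restart UNIT once if NAME is not running, stop
# keepalived if it still is not running 3 s later.
ensure_running() {
    local name="$1" unit="$2"
    if [ "$(proc_count "$name")" = "0" ]; then
        systemctl start "$unit"
        sleep 3
        if [ "$(proc_count "$name")" = "0" ]; then
            systemctl stop keepalived.service
        fi
    fi
}

# Same order as before; checking continues even after keepalived was stopped.
ensure_running nginx nginx.service
ensure_running named named.service
ensure_running ntpd  ntpd.service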
#######################################
# chmod +x ?/etc/keepalived/check.sh
#?vim ?/etc/ntp.conf
########################################
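# ntpd on serverA/serverB: serves time on the VIP only, syncs from the VIP
# (i.e. whichever node is master) with the local clock as last resort.
driftfile /var/lib/ntp/drift
# Default policy: no modification, traps, peering or status queries (ntpq/ntpdc);
# plain time requests are still answered.
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# LAN clients. Fixed the netmask: "255..255.255.0" is not a valid mask and the
# parser will not accept the line as written. nopeer/noquery are not set here,
# so LAN hosts may still send mode 6/7 status queries; add them if that is not needed.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# NOTE(review): the upstream is the VIP. On the node that holds the VIP this points
# at itself (ntpd will detect the loop and fall back to the local clock below);
# the standby follows the master. A real external time source on the master is
# presumably wanted - confirm.
server 192.168.1.110 iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Listen only on the VIP and loopback. NOTE(review): ntpd binds to addresses it
# discovers on interfaces and only rescans periodically, so after a failover it
# may take a few minutes before it answers on the VIP - verify with ntpq -p.
interface ignore wildcard
interface listen 192.168.1.110
interface listen 127.0.0.1
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
# Turns off the mode 7 monlist facility abused for NTP amplification.
disable monitor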
##########################################
# vim /etc/named.conf
##########################################
// BIND on serverA/serverB: authoritative for test.com and recursive for clients,
// reachable only on the VIP (binding it while the VIP is on the peer relies on
// net.ipv4.ip_nonlocal_bind=1 set in section 3).
options {
        listen-on port 53 { 192.168.1.110; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // allow-query { any; } plus recursion yes makes this an open recursive
        // resolver for everyone who can reach 192.168.1.110, and section 3 turns
        // firewalld off. If the VIP is ever routable beyond the LAN, restrict it,
        // e.g. allow-recursion { 192.168.1.0/24; };
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        // NOTE(review): "yes" validates only against trust anchors configured
        // elsewhere (the stock CentOS named.conf includes /etc/named.root.key;
        // nothing here does). Without anchors nothing is actually validated;
        // "auto" uses BIND's built-in root anchor - confirm which is intended.
        dnssec-validation yes;
        pid-file "/run/named/named.pid";
};
zone "test.com" IN {
        type master;
        // No allow-transfer: presumably the BIND 9.9 shipped with CentOS 7 still
        // defaults to allow-transfer { any; }, so any host could AXFR the whole
        // zone - verify, and add allow-transfer { none; } (or the peer) if so.
        file "test.com.zone";
};
###############################################
# cp ?-p ?/var/named/named.localhost ? ?/var/named/test.com.zone
# vim??/var/named/test.com.zone
# vim /etc/nginx/nginx.conf
#########################################
# ? ?For more information on configuration, see:
# ? * Official English Documentation:http://nginx.org/en/docs/
# ? * Official Russian Documentation:http://nginx.org/ru/docs/
# Front-end nginx on serverA/serverB: a TCP (stream) proxy and an HTTPS reverse
# proxy, both bound to the VIP inside the included conf.d files.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
# (the stream{} block below needs the stream module to be installed and loaded here)
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections  1024;
}
# stream (TCP) forwarding
stream {
# hash is an upstream{}-level directive and is set in stream_proxy.conf; it is
# not valid directly inside stream{}, so it must stay commented out here.
#    hash $remote_addr consistent;
    proxy_connect_timeout 3s;
    include /etc/nginx/conf.d/stream_proxy.conf;
}
# http forwarding
http {
    # 500M request bodies are accepted and may be buffered to disk on this node
    client_max_body_size     500M;
    include                             mime.types;
    default_type                     application/octet-stream;
    # hides the nginx version in the Server header and error pages
    server_tokens                   off;
    sendfile                            on;
    keepalive_timeout           65;
    include /etc/nginx/conf.d/http_proxy.conf;
}
############################################
# ?vim ?/etc/nginx/conf.d/stream_proxy.conf
#############################################
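# L4 proxy: TCP 54321 on the VIP -> port 12345 on two backends, sticky per client IP.
upstream stream_service {
    # the same client address keeps landing on the same backend (consistent hashing)
    hash $remote_addr consistent;
    # Fixed: "server192.168.1.103" lacked the space, nginx rejects that as an
    # unknown directive and refuses to start. NOTE(review): 192.168.1.104 is serverA
    # (section 1) and .103 is not in the environment list - confirm both.
    server 192.168.1.103:12345        max_fails=1 fail_timeout=180s;
    server 192.168.1.104:12345        max_fails=1 fail_timeout=180s;
}
server {
    # VIP only; binding it on the standby relies on net.ipv4.ip_nonlocal_bind=1
    listen 192.168.1.110:54321;
    proxy_pass stream_service;
}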
#####################################################
# ?vim /etc/nginx/conf.d/http_proxy.conf
#####################################################
# HTTPS reverse proxy on the VIP -> two HTTPS backends.
upstream http_service {
    # a backend is skipped for 180 s after a single failed attempt
    server 192.168.1.107:443      max_fails=1 fail_timeout=180s;
    server 192.168.1.108:443      max_fails=1 fail_timeout=180s;
}
server {
    listen 192.168.1.110:443 ssl;
    # Self-signed pair generated below; clients will not trust it unless they import it.
    # No ssl_protocols / ssl_ciphers are set, so the build defaults apply - on the
    # nginx CentOS 7 ships that presumably still includes TLSv1.0/1.1; add
    # `ssl_protocols TLSv1.2;` to turn them off.
    ssl_certificate          /etc/nginx/ssl/nginx-selfsigned.crt;
    ssl_certificate_key  /etc/nginx/ssl/nginx-selfsigned.key;
    location / {
        proxy_connect_timeout     3;
        proxy_send_timeout         600;
        proxy_read_timeout          600;
        send_timeout                    600;
        # X-Real-IP is the direct peer and safe to use; X-Forwarded-For appends to
        # whatever the client sent, so backends must only trust its right-most entry.
        proxy_set_header            X-Real-IP $remote_addr;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
        # TLS to the backend: proxy_ssl_verify is off by default, so the backend
        # certificate is not checked. Host sent upstream is "http_service" unless a
        # `proxy_set_header Host $host;` is added.
        proxy_pass  https://http_service;
    }
}
#################################################################
# mkdir ?/etc/nginx/ssl
# openssl req ?-x509 ?-nodes \
? ? -newkey rsa:2048 \
? ? -days 365 \
    -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=TEST/OU=TEST/CN=www.test.com" \
? ? -keyout /etc/nginx/ssl/nginx-selfsigned.key \
? ? -out /etc/nginx/ssl/nginx-selfsigned.crt
五、啟動服務
在 serverA 和 serverB 上
#?systemctl??start named??ntpd??nginx?keepalived
六、查看服務狀態
在serverA
在serverB
七、在test服務(wù)器上測試
反向代理測試:
DNS測試:
# vim ??/etc/resolv.conf
######################
# Test client: the VIP resolver first, then the public resolvers as fallback.
nameserver 192.168.1.110
# Generated by NetworkManager
# NOTE(review): the two public resolvers below cannot answer for test.com; while
# the VIP does not respond, every internal name (www/mysql.test.com) is sent to
# them. Drop them, or keep only resolvers that know the internal zone, if that
# matters. The header suggests NetworkManager manages this file and may
# overwrite a manual edit - verify.
nameserver 202.96.128.166
nameserver 202.96.134.133
#####################
# ping www.test.com
# ping mysql.test.com
NTP測試:
# ntpdate 192.168.1.110
# vim ?/etc/ntp.conf
#########################
# ntpd on the test client: follows the VIP, local clock as last resort.
driftfile /var/lib/ntp/drift
# Nobody may modify, trap, peer or query status; time replies are still served.
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server 192.168.1.110 iburst
# Allow the VIP as a time source only; it may not modify the client or query its status.
restrict 192.168.1.110 nomodify notrap noquery
server 127.127.1.0
fudge 127.127.1.0 stratum 10
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
# Turns off the mode 7 monlist facility abused for NTP amplification.
disable monitor
#########################
# systemctl start ? ntpd
# systemctl enable ntpd
八、前端的高可用性測試
在 serverA
# systemctl ?restart keepalived
# systemctl ?status keepalived
# ip addr list
在 serverB
# systemctl ?status keepalived
# ip addr list
可以看到，重啟 serverA 的 keepalived 後，VIP 成功漂移。實際上，VIP 所在服務器上的 nginx、named、ntpd 任何一個服務出問題且腳本自動拉起失敗時，keepalived 的檢測腳本就會停止本機的 keepalived 服務，使 VIP 漂移到另一臺，服務基本不受影響，實現高可用！注意被停止的 keepalived 不會自動恢復，修復服務後需要人工重新啟動。