一、haproxy介绍

HAProxy 提供高可用性、负载均衡以及基于 TCP 和 HTTP 应用的代理,支持虚拟主机,它是免费、快速并且可靠的一种解决方案.HAProxy 特别适用于那些负载特大的 web 站点, 这些站点通常又需要会话保持或七层处理.HAProxy 运行在当前的硬件上,完全可以支持数以万计的并发连接.并且它的运行模式使得它可以很简单安全的整合进您当前的架构中, 同时可以保护你的 web 服务器不被暴露到网络上.

二、haproxy安装

// 关闭防火墙和selinux
[root@DR ~]# systemctl disable --now firewalld.service
[root@DR ~]# setenforce 0
[root@DR ~]# getenforce 
Disabled

// 安装服务
[root@DR ~]# yum -y install openssl make gcc pcre-devel bzip2-devel openssl-devel systemd-devel

// 创建用户
[root@DR ~]# useradd -r -M -s /sbin/nologin haproxy

// 上传haproxy包
[root@DR ~]# ls
公共  视频  文档  音乐  anaconda-ks.cfg       initial-setup-ks.cfg
模板  图片  下载  桌面  haproxy-2.4.0.tar.gz
[root@DR ~]# tar xf haproxy-2.4.0.tar.gz
[root@DR ~]# ls
公共  视频  文档  音乐  anaconda-ks.cfg  haproxy-2.4.0.tar.gz
模板  图片  下载  桌面  haproxy-2.4.0    initial-setup-ks.cfg
[root@DR ~]# cd haproxy-2.4.0/
[root@DR haproxy-2.4.0]# ls
addons     CONTRIBUTING  include      Makefile   scripts  VERDATE
admin      dev           INSTALL      README     src      VERSION
BRANCHES   doc           LICENSE      reg-tests  SUBVERS
CHANGELOG  examples      MAINTAINERS  ROADMAP    tests
[root@DR haproxy-2.4.0]# make clean
[root@DR haproxy-2.4.0]# make -j $(nproc) TARGET=linux-glibc USE_OPENSSL=1 USE_PCRE=1 USE_SYSTEMD=1
[root@DR haproxy-2.4.0]# make install prefix=/usr/local/haproxy
[root@DR haproxy-2.4.0]# which haproxy 
/usr/local/sbin/haproxy

// 配置内核参数
[root@DR ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >>  /etc/sysctl.conf
[root@DR ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR ~]# sysctl  -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1

// 提供配置文件
[root@DR etc]# mkdir haproxy
[root@DR ~]# cd /etc/haproxy/
[root@DR haproxy]# cat > /etc/haproxy/haproxy.cfg <<EOF
> #--------------全局配置----------------
> global
>     log 127.0.0.1 local0  info
>     #log loghost local0 info
>     maxconn 20480
> #chroot /usr/local/haproxy
>     pidfile /var/run/haproxy.pid
>     #maxconn 4000
>     user haproxy
>     group haproxy
>     daemon
> #---------------------------------------------------------------------
> #common defaults that all the 'listen' and 'backend' sections will
> #use if not designated in their block
> #---------------------------------------------------------------------
> defaults
>     mode http
>     log global
>     option dontlognull
>     option httpclose
>     option httplog
>     #option forwardfor
>     option redispatch
>     balance roundrobin
>     timeout connect 10s
>     timeout client 10s
>     timeout server 10s
>     timeout check 10s
>     maxconn 60000
>     retries 3
> #--------------统计页面配置------------------
> listen admin_stats
>     bind 0.0.0.0:8189
>     stats enable
>     mode http
>     log global
>     stats uri /haproxy_stats
>     stats realm Haproxy\ Statistics
>     stats auth admin:admin
>     #stats hide-version
>     stats admin if TRUE
>     stats refresh 30s
> #---------------web设置-----------------------
> listen webcluster
>     bind 0.0.0.0:80
>     mode http
>     #option httpchk GET /index.html
>     log global
>     maxconn 3000
>     balance roundrobin
>     cookie SESSION_COOKIE insert indirect nocache
>     server web01 192.168.47.129:80 check inter 2000 fall 5
>     server web02 192.168.47.130:80 check inter 2000 fall 5
> EOF

// haproxy.service文件编写
[root@DR ~]# cat > /usr/lib/systemd/system/haproxy.service <<EOF
> [Unit]
> Description=HAProxy Load Balancer
> After=syslog.target network.target
> 
> [Service]
> ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg   -c -q
> ExecStart=/usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg  -p /var/run/haproxy.pid
> ExecReload=/bin/kill -USR2 $MAINPID
> 
> [Install]
> WantedBy=multi-user.target
> EOF
[root@DR ~]# systemctl daemon-reload

// 启用日志
[root@DR ~]# vim /etc/rsyslog.conf
local0.* /var/log/haproxy.log   //加入这行

// 重启服务
[root@DR ~]# systemctl restart rsyslog.service

// 启动服务
[root@DR ~]# systemctl restart haproxy
[root@DR ~]# ss -antl
State   Recv-Q  Send-Q   Local Address:Port     Peer Address:Port  
LISTEN  0       128            0.0.0.0:8189          0.0.0.0:*     
LISTEN  0       128            0.0.0.0:111           0.0.0.0:*     
LISTEN  0       128            0.0.0.0:80            0.0.0.0:*     
LISTEN  0       32       192.168.122.1:53            0.0.0.0:*     
LISTEN  0       128            0.0.0.0:22            0.0.0.0:*     
LISTEN  0       5            127.0.0.1:631           0.0.0.0:*     
LISTEN  0       128               [::]:111              [::]:*     
LISTEN  0       128               [::]:22               [::]:*     
LISTEN  0       5                [::1]:631              [::]:*

在RS上安装httpd服务

[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# systemctl start httpd
[root@RS1 ~]# echo "wjj1" > /var/www/html/index.html

[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# systemctl start httpd
[root@RS2 ~]# echo "wjj2" > /var/www/html/index.html

在这里插入图片描述

证书生成

[root@RS1 ~]# yum -y install openssl
[root@RS1 ~]# mkdir ~/keys
[root@RS1 ~]# cd keys
[root@RS1 keys]# openssl genrsa -out passport.com.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.......................+++++
....................................................................+++++
e is 65537 (0x010001)
[root@RS1 keys]# openssl req -new -key passport.com.key -out passport.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:wjj
Organizational Unit Name (eg, section) []:  test
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wjj123
An optional company name []:
[root@RS1 keys]# openssl x509 -req -days 3650 -in passport.com.csr -signkey passport.com.key -out passport.com.crt
Signature ok
subject=C = cn, ST = hb, L = wh, O = wjj, OU = test, CN = localhost, emailAddress = 
Getting Private key
[root@RS1 keys]# ls
passport.com.crt  passport.com.csr passport.com.key

// 将文件传输到RS2上面去
[root@RS1 keys]# scp passport.com.crt passport.com.key 192.168.47.130:/root/
The authenticity of host '192.168.47.130 (192.168.47.130)' can't be established.
ECDSA key fingerprint is SHA256:R1sHsPUKGqzvhsHbbdaEr0NcNxutf4OEUT3JuAss6m4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.47.130' (ECDSA) to the list of known hosts.
root@192.168.47.130's password: 
passport.com.crt                 100% 1294     2.6MB/s   00:00    
passport.com.key                 100% 1679     2.3MB/s   00:00    

[root@RS2 ~]# ls
公共  视频  文档  音乐  anaconda-ks.cfg       passport.com.crt
模板  图片  下载  桌面  initial-setup-ks.cfg  passport.com.key

RS1和RS2上配置https

[root@RS2 ~]# yum -y install mod_ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl
[root@RS2 ~]# mv passport.com.* /etc/httpd/ssl/
[root@RS2 ~]# cd /etc/httpd/ssl/
[root@RS2 ssl]# ls
passport.com.crt  passport.com.key
[root@RS2 ssl]# cd ..
[root@RS2 httpd]# ls
conf  conf.d  conf.modules.d  logs  modules  run  ssl  state
[root@RS2 httpd]# cd conf.d
[root@RS2 conf.d]# ls
autoindex.conf  README  ssl.conf  userdir.conf  welcome.conf
[root@RS2 conf.d]# vim ssl.conf
# 取消下面两行注释
 43 DocumentRoot "/var/www/html"
 44 ServerName www.example.com:443
# 修改下面两行路径
 85 SSLCertificateFile /etc/httpd/ssl/passport.com.crt
 93 SSLCertificateKeyFile /etc/httpd/ssl/passport.com.key

// 重启服务
[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# ss -antl
State   Recv-Q  Send-Q   Local Address:Port     Peer Address:Port  
LISTEN  0       128            0.0.0.0:111           0.0.0.0:*     
LISTEN  0       32       192.168.122.1:53            0.0.0.0:*     
LISTEN  0       128            0.0.0.0:22            0.0.0.0:*     
LISTEN  0       5            127.0.0.1:631           0.0.0.0:*     
LISTEN  0       128               [::]:111              [::]:*     
LISTEN  0       128                  *:80                  *:*     
LISTEN  0       128               [::]:22               [::]:*     
LISTEN  0       5                [::1]:631              [::]:*     
LISTEN  0       128                  *:443                 *:*  

// 修改配置文件
 [root@DR haproxy]# cat haproxy.cfg 
#--------------全局配置----------------
global
    log 127.0.0.1 local0  info
    #log loghost local0 info
    maxconn 20480
#chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    #maxconn 4000
    user haproxy
    group haproxy
    daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode tcp     // 模式改为tcp
    log global
    option dontlognull
    option httpclose
    option httplog
    #option forwardfor
    option redispatch
    balance roundrobin
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
    maxconn 60000
    retries 3
#--------------统计页面配置------------------
listen admin_stats
    bind 0.0.0.0:8189
    stats enable
    mode http
    log global
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin
    #stats hide-version
    stats admin if TRUE
    stats refresh 30s
#---------------web设置-----------------------
listen webcluster
    bind 0.0.0.0:443    // 端口改为443
    mode tcp        // 模式改为tcp
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    cookie SESSION_COOKIE insert indirect nocache
    server web01 192.168.47.129:443 check inter 2000 fall 5    //端口改为443
    server web02 192.168.47.130:443 check inter 2000 fall 5    //端口改为443
    #server web01 192.168.47.128:80 cookie web01 check inter 2000 fall 5
[root@DR ~]# systemctl restart haproxy.service