HAProxy load balancing for HTTPS

| Host | IP |
|---|---|
| haproxy server (DR) (CA) | 192.168.101.200 |
| httpd server (RS1) | 192.168.101.110 |
| httpd server (RS2) | 192.168.101.210 |
Disable the firewall and SELinux
[root@DR ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# setenforce 0
[root@RS1 ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS1 ~]# setenforce 0
[root@RS2 ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS2 ~]# setenforce 0
Operations on the CA
[root@DR ~]# yum -y install openssl
## Check the openssl configuration file openssl.cnf, because it defines the certificate names, storage locations and related settings
[root@DR ~]# openssl version -a
OpenSSL 1.1.1k FIPS 25 Mar 2021
built on: Wed Jul 21 11:11:34 2021 UTC
platform: linux-x86_64
options: bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines: rdrand dynamic
## Create the directories and files needed for the root CA
[root@DR ~]# mkdir /etc/pki/CA
[root@DR ~]# cd /etc/pki/CA/
[root@DR CA]# touch serial
[root@DR CA]# touch index.txt
[root@DR CA]# ls
index.txt serial
[root@DR CA]# echo 01 > serial # set the starting serial number for issued certificates
[root@DR CA]# cat serial
01
## Generate the root certificate's private key (note: the key's file name and location must match the settings in the configuration file)
openssl genrsa -out private/cakey.pem 2048 # the key is 2048 bits by default; the root certificate is bound to it
[root@DR CA]# mkdir private
[root@DR CA]# ls
index.txt private serial
[root@DR CA]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......................+++++
..............................................................................+++++
e is 65537 (0x010001)
[root@DR CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:
[root@DR CA]# ls
cacert.pem index.txt private serial
On RS1
## Install the httpd service
[root@RS1 ~]# yum -y install httpd
## Create a directory to hold the certificate
[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]# cd /etc/httpd/ssl
[root@RS1 ssl]# openssl genrsa -out test.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.+++++
.......................................................................+++++
e is 65537 (0x010001)
[root@RS1 ssl]# ls
test.key
## Create a certificate signing request (CSR) from the private key
[root@RS1 ssl]# openssl req -new -key test.key -out test.csr -days 365
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
On the CA
[root@DR CA]# mkdir req
[root@DR CA]# ls
cacert.pem index.txt private req serial
On RS1
[root@RS1 ssl]# pwd
/etc/httpd/ssl
[root@RS1 ssl]# ls
test.csr test.key
[root@RS1 ssl]# scp test.csr 192.168.101.210:/etc/pki/CA/req # send it to the req directory on the CA
The authenticity of host '192.168.101.210 (192.168.101.210)' can't be established.
ECDSA key fingerprint is SHA256:UwSyNs7bVY8llVNT48EzhoTDI6WoX9g1eQyxL/miZuk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.101.210' (ECDSA) to the list of known hosts.
root@192.168.101.210's password:
test.csr 100% 989 1.2MB/s 00:00
Check on the CA
[root@DR CA]# cd req/
[root@DR req]# ls
test.csr
# the CSR sent over from the httpd host, to be signed by the CA server
[root@DR req]# cd ..
[root@DR CA]# mkdir newcerts
[root@DR CA]# openssl ca -in /etc/pki/CA/req/test.csr -out /etc/pki/CA/req/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 17 12:31:09 2021 GMT
Not After : Oct 17 12:31:09 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = runtime
organizationalUnitName = linux
commonName = localhost
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
keyid:D8:20:B4:94:77:EA:F6:D7:14:88:DB:8B:0A:EB:80:92:7C:FB:FA:32
Certificate is to be certified until Oct 17 12:31:09 2022 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# send the signed crt from the CA to /etc/httpd/ssl on the httpd host
[root@DR req]# scp test.crt 192.168.101.110:/etc/httpd/ssl/
root@192.168.101.110's password:
test.crt 100% 4424 3.1MB/s 00:00
On RS1
vim /etc/httpd/conf.d/ssl.conf
......
43 DocumentRoot "/var/www/html" # uncomment these two lines
44 ServerName www.example.com:443
.......
85 SSLCertificateFile /etc/httpd/ssl/test.crt # change to the certificate file's location
......
93 SSLCertificateKeyFile /etc/httpd/ssl/test.key # change to the key file's location
.....
[root@RS1 conf.d]# echo "hello ! 192.168.101.110" > /var/www/html/index.html
Do the same configuration on RS2 as on RS1.
Installing haproxy
On DR
[root@DR ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
[root@DR ~]# wget https://www.haproxy.org/download/2.4/src/haproxy-2.4.0.tar.gz
[root@DR ~]# tar xf haproxy-2.4.0.tar.gz -C /usr/local/
[root@DR ~]# ls /usr/local/
bin etc games haproxy-2.4.0 include lib lib64 libexec sbin share src
[root@DR ~]# cd /usr/local/
[root@DR local]# ln -sv haproxy-2.4.0/ haproxy
'haproxy' -> 'haproxy-2.4.0/'
[root@DR local]# ls
bin etc games haproxy haproxy-2.4.0 include lib lib64 libexec sbin share src
[root@DR local]# useradd -r -M -s /sbin/nologin haproxy
Start the build
[root@DR local]# cd haproxy
[root@DR haproxy]# ls
addons CHANGELOG doc INSTALL Makefile ROADMAP SUBVERS VERSION
admin CONTRIBUTING examples LICENSE README scripts tests
BRANCHES dev include MAINTAINERS reg-tests src VERDATE
[root@DR haproxy]# make -j $(nproc) TARGET=linux-glibc USE_OPENSSL=1 USE_PCRE=1 USE_SYSTEMD=1
[root@DR haproxy]# make install
[root@DR haproxy]# ls /usr/local/sbin/
haproxy
Configure the load balancer's kernel parameters
[root@DR haproxy]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@DR haproxy]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR haproxy]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
Provide the configuration file
[root@DR ~]# mkdir /etc/haproxy
cat > /etc/haproxy/haproxy.cfg <<EOF
#-------------- global settings ----------------
global
log 127.0.0.1 local0 info
#log loghost local0 info
maxconn 20480
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option dontlognull
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin
timeout connect 10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3
#-------------- stats page settings ------------------
listen admin_stats
bind 0.0.0.0:8189
stats enable
mode http
log global
stats uri /haproxy_stats
stats realm Haproxy\ Statistics
stats auth admin:admin
#stats hide-version
stats admin if TRUE
stats refresh 30s
#--------------- web settings -----------------------
listen webcluster
bind 0.0.0.0:80 # change to 443 for https
mode http # change to tcp for https
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
cookie SESSION_COOKIE insert indirect nocache
server web01 192.168.101.110:80 check inter 2000 fall 5 # RS1's IP; change the port to 443 for https
server web02 192.168.101.210:80 check inter 2000 fall 5 # RS2's IP; change the port to 443 for https
EOF
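An added check, not part of the original post: a small Python linter for the pitfalls hidden in the "change to 443 / change to tcp for https" notes above. Once the cluster runs in `mode tcp`, HAProxy forwards TLS as opaque bytes, so cookie persistence, `httpchk` and `forwardfor` no longer do anything; and the stats page as written listens on every interface with admin:admin and unconditional admin actions. The sample config and the finding names are constructed here.

```python
import re
# Constructed sample, not the page's file verbatim: the page's webcluster section after applying
# its own "change to 443 / change to tcp for https" notes, plus its stats section as written.
SAMPLE_CFG = """
defaults
    mode http
listen admin_stats
    bind 0.0.0.0:8189
    stats auth admin:admin
    stats admin if TRUE
listen webcluster
    bind 0.0.0.0:443    # 443 for https
    mode tcp            # tcp for https: TLS passthrough, HAProxy never sees the HTTP layer
    cookie SESSION_COOKIE insert indirect nocache
    server web01 192.168.101.110:443 check inter 2000 fall 5
    server web02 192.168.101.210:443 check inter 2000 fall 5
"""
# Directives that only take effect when HAProxy parses HTTP, i.e. under mode http.
L7_DIRECTIVES = ("cookie ", "option httpchk", "option forwardfor", "option httplog")

def parse_sections(cfg):  # section name -> directive lines, comments and blanks dropped
    sections, name = {}, None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(global|defaults|frontend|backend|listen)(?:\s+(\S+))?$", line) if line else None
        if m:
            name = m.group(2) or m.group(1)
            sections[name] = []
        elif line and name is not None:
            sections[name].append(line)
    return sections

def mode_of(lines, fallback):  # effective 'mode'; a section inherits it from defaults when unset
    return next((l.split()[1] for l in lines if l.startswith("mode ")), fallback)

def lint(cfg):  # (section, finding) pairs for the pitfalls of the page's https conversion
    sections = parse_sections(cfg)
    default_mode = mode_of(sections.get("defaults", []), "tcp")  # HAProxy falls back to tcp
    findings = []
    for name, lines in sections.items():
        mode = mode_of(lines, default_mode)
        for l in lines:
            w = l.split()
            if mode == "tcp" and l.startswith(L7_DIRECTIVES):  # e.g. cookie persistence over opaque TLS bytes
                findings.append((name, "l7-directive-in-tcp-mode: " + (w[1] if w[0] == "option" else w[0])))
            if mode == "http" and w[0] == "bind" and w[1].endswith(":443") and "ssl" not in w:
                findings.append((name, "plaintext-on-443"))  # http mode on 443 without 'ssl crt <pem>'
            if (w[:2] == ["stats", "auth"] and len(w) > 2 and w[2].partition(":")[0] == w[2].partition(":")[2]) or l == "stats admin if TRUE":
                findings.append((name, "stats-exposure: " + l))  # user == password, or unconditional admin actions
    return findings
```

Run `lint(open("/etc/haproxy/haproxy.cfg").read())` against the real file after editing it; an empty list means none of these three pitfalls is present.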
Writing the haproxy.service file
cat > /usr/lib/systemd/system/haproxy.service <<'EOF'
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target
[Service]
ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=/usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
EOF
[root@DR ~]# systemctl daemon-reload
[root@DR ~]# systemctl enable --now haproxy.service
Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service.
[root@DR ~]# systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2021-10-17 21:55:40 CST; 45s ago
Main PID: 304179 (haproxy)
Tasks: 5 (limit: 23353)
Memory: 8.8M
CGroup: /system.slice/haproxy.service
├─304179 /usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haprox>
└─304182 /usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haprox>
......
Enable logging
[root@DR ~]# vim /etc/rsyslog.conf
64 # Save boot messages also to boot.log
65 local0.* /var/log/haproxy.log # add this line
66 local7.* /var/log/boot.log
Start
[root@DR ~]# systemctl restart haproxy
[root@DR ~]# ss -anlt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 32 192.168.122.1:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8189 0.0.0.0:*
LISTEN 0 128 [::]:111 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*