
Nginx+Keepalived實現四層及七層負載均衡

Nginx+Keepalived實現四層及七層負載均衡

一.Nginx及Openssl編譯安裝

1.解除安裝舊版本Nginx及Openssl
[root@localhost ~]# yum remove nginx
[root@localhost ~]# yum remove openssl
#注意:移除系統的 openssl 套件可能連帶移除依賴它的其他套件,yum 會先列出清單,請確認後再按 y.另外第5步的 --with-openssl 會讓 nginx 自行編譯並靜態連結 OpenSSL,並不需要移除系統版本(第2步隨即又把 openssl 裝回來),因此這一步建議直接略過.

2.安裝編譯環境依賴
[root@localhost ~]# yum -y install gcc gcc-c++ autoconf automake make
[root@localhost ~]# yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel psmisc

3.下載Nginx及openssl(http://nginx.org/en/download.html)
#注意:文中使用的 nginx 1.21.1 與 OpenSSL 1.1.1k 都已是舊版本(OpenSSL 1.1.1 系列已停止維護),實際部署請改用仍有安全更新的版本.下載請走 https,並以官方提供的 PGP 簽章(.asc)或 SHA256 值驗證原始碼後再編譯,避免供應鏈被替換.
[root@localhost ~]# mkdir /opt/nginx
[root@localhost ~]# cd /opt/nginx/
[root@localhost nginx]# wget https://nginx.org/download/nginx-1.21.1.tar.gz
[root@localhost nginx]# wget https://nginx.org/download/nginx-1.21.1.tar.gz.asc    #用 gpg --verify 驗證
[root@localhost nginx]# wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
[root@localhost nginx]# wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz.sha256    #與 sha256sum openssl-1.1.1k.tar.gz 的輸出比對

4.編譯安裝Openssl(可選)
#注意:第5步的 --with-openssl 只需要解壓後的原始碼目錄,nginx 會自行編譯並靜態連結 OpenSSL,所以這裡的 make install 並非必要.若仍要安裝,請加上獨立的 --prefix(例如 ./config --prefix=/opt/openssl),避免預設安裝到 /usr/local 而蓋掉系統其他程式載入的 libssl.
[root@localhost nginx]# tar xzvf openssl-1.1.1k.tar.gz
[root@localhost nginx]# cd openssl-1.1.1k
[root@localhost openssl-1.1.1k]# ./config
[root@localhost openssl-1.1.1k]# make && make install

5.編譯安裝Nginx
[root@localhost nginx]# tar xzvf nginx-1.21.1.tar.gz
[root@localhost nginx]# cd nginx-1.21.1
[root@localhost nginx-1.21.1]# ./configure --with-stream --with-openssl=/opt/nginx/openssl-1.1.1k --with-http_ssl_module
#注意:--with-openssl 會把 OpenSSL 靜態編進 nginx 二進位檔,之後系統的 openssl 更新不會影響它;OpenSSL 發布安全修補時必須換新原始碼重新編譯 nginx(可用 nginx -V 檢視目前連結的版本).
[root@localhost nginx-1.21.1]# make && make install

6.新增系統變數
[root@localhost /]# vi /usr/lib/systemd/system/nginx.service
# nginx.service - systemd unit for the nginx built from source in step 5
# (prefix /usr/local/nginx). Site-local units conventionally live in
# /etc/systemd/system/ rather than /usr/lib/systemd/system/ (which is for
# package-managed units); run `systemctl daemon-reload` after creating or
# editing this file.
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target
[Service]
# Type=forking: the master process daemonizes and systemd tracks it through
# PIDFile. nginx.conf leaves "pid" commented out, so the master writes the
# default logs/nginx.pid; a second nginx instance started by hand with the
# same default pid path (e.g. nginx_4.conf in section 4) overwrites this file
# and "systemctl stop/reload nginx" then acts on the wrong process.
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
# Validate the configuration first so a broken config fails the start instead
# of leaving a half-started service.
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# HUP = graceful reload, QUIT = graceful shutdown (workers finish in-flight
# requests); the master runs as root and itself starts the unprivileged workers.
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
# Give nginx its own /tmp so its temporary files are not visible to other services.
PrivateTmp=true
[Install]
WantedBy=multi-user.target

7.[root@localhost /]# systemctl daemon-reload    #新增或修改 unit 檔後必須先重新載入
[root@localhost /]# systemctl start nginx
[root@localhost /]# systemctl enable nginx    #設定開機自動啟動,否則重開機後 keepalived 仍會把 VIP 留在這台,但 nginx 不會起來

二.keepalived安裝

[root@localhost /]# yum install -y keepalived
[root@localhost /]# mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
[root@localhost /]# vi /etc/keepalived/keepalived.conf
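! Configuration File for keepalived
! MASTER node. The BACKUP node uses the same file with "state BACKUP", a lower
! "priority" (see the note there) and its own router_id.
global_defs {
# notification_email { ## recipients notified on failover / state change
# [email protected]
# }
# notification_email_from [email protected]
# smtp_server 127.0.0.1
# smtp_connect_timeout 30
router_id NGINX_BACK
! The check script below runs as root (it starts nginx and kills keepalived).
! enable_script_security makes keepalived refuse to run a script whose path is
! writable by a non-root user, so a writable script file cannot become a root
! backdoor. Keep /usr/local/sbin/nginx_pid.sh owned by root, mode 0700.
enable_script_security
script_user root
}
! nginx health check, run every 2 seconds.
vrrp_script chk_http_port {
script "/usr/local/sbin/nginx_pid.sh" ## check script
interval 2
! A positive weight only ADDS 2 to the priority while the script exits 0; it can
! never push the MASTER (100) below a BACKUP whose base priority is lower, so
! with this setting the VIP moves only because the script kills keepalived.
! For script-driven failover use a negative weight larger than the
! MASTER/BACKUP priority gap (e.g. "weight -20" with priorities 100/90) and
! have the script exit non-zero while nginx is down.
weight 2
}
vrrp_instance VI_1 {
state MASTER ##### BACKUP on the standby node
interface ens33
! Must be unique on this L2 segment: any other VRRP group (another keepalived
! pair, router HA) using id 51 on the same VLAN will fight over the VIP.
virtual_router_id 51
priority 100 ##### the BACKUP node must use a lower value
advert_int 1
track_script {
chk_http_port
}
! VRRPv2 PASS authentication is an 8-byte cleartext string in every advert; it
! only prevents accidental overlap with other groups and gives no protection
! against a host on the same segment. Keep VRRP on an isolated VLAN and filter
! IP protocol 112 on the hosts so only the two nodes can talk to each other.
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.16.16.15 #### VIP
}
}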

[root@localhost /]# service keepalived start
[root@localhost /]# chkconfig keepalived on

三.配置Nginx監測指令碼

[root@localhost /]# vi /usr/local/sbin/nginx_pid.sh
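#!/bin/bash
# nginx_pid.sh - keepalived vrrp_script health check for nginx.
#
# Run by keepalived (as root) every `interval` seconds. If no nginx process is
# running it tries to start nginx once; if nginx is still down 3 seconds later
# it kills keepalived on this node so the VIP moves to the BACKUP.
# Exit status: 0 while nginx is running, 1 when it could not be started, so a
# negative-weight track_script can also lower the VRRP priority.
#
# NOTE: the original had `A=... if [ $A -eq 0 ];then` on one line, which is a
# syntax error (`then` without `if`), so the script never actually ran.
set -u

nginx_bin=/usr/local/nginx/sbin/nginx
nginx_conf=/usr/local/nginx/conf/nginx.conf

# True when at least one process named "nginx" (master or worker) exists.
nginx_running() {
  [ "$(pgrep -c -x nginx)" -gt 0 ]
}

if ! nginx_running; then
  "$nginx_bin" -c "$nginx_conf"
  sleep 3
  if ! nginx_running; then
    # This stops the whole keepalived daemon on this node; it will not rejoin
    # the VRRP group until keepalived is started again by hand.
    killall keepalived
    exit 1
  fi
fi
exit 0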

[root@localhost /]# chown root:root /usr/local/sbin/nginx_pid.sh && chmod 700 /usr/local/sbin/nginx_pid.sh    #用 vi 新建的檔案沒有執行權限,keepalived 無法執行它;此腳本以 root 身分執行,必須確保只有 root 可寫
[root@localhost /]# service keepalived restart

四.配置nginx四層負載均衡

[root@localhost /]# vi /usr/local/nginx/conf/nginx_4.conf
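# nginx_4.conf - Layer-4 (TCP) load balancer for SSH and MySQL.
# This file is started by hand as a SECOND nginx instance (see the command after
# this listing), so it must not share the pid file / error log of the
# systemd-managed instance: with the default "logs/nginx.pid" the second master
# overwrites the pid file nginx.service tracks and "systemctl stop nginx" then
# kills the wrong process.
#user nobody;            # omitted: an nginx built from source runs workers as "nobody" by default
worker_processes auto;
error_log logs/error_4.log;
pid logs/nginx_4.pid;
events {
    worker_connections 1024;
}
stream {
    log_format proxy '$remote_addr $remote_port - [$time_local] $status $protocol '
                     '"$upstream_addr" "$upstream_bytes_sent" "$upstream_connect_time"' ;
    # Keep the access log on: this instance forwards SSH and MySQL, and the
    # backends only see the proxy's own address as the client (no PROXY
    # protocol is sent), so this log is where the real client address of each
    # session is recorded. Path is relative to the nginx prefix.
    access_log logs/stream_access.log proxy;

    # SSH (port 22) forwarding.
    # CAVEATS: the two backends have different SSH host keys, so whenever the
    # hash sends a client to the other backend (e.g. one server is down) the
    # client gets a host-key mismatch warning - this trains users to ignore the
    # one warning that detects MITM. sshd also sees the proxy address as the
    # source, so fail2ban, AllowUsers user@host and Match Address rules on the
    # backends cannot act on the real client.
    upstream ssh {
        hash $remote_addr consistent;
        server 172.16.16.16:22;
        server 172.16.16.17:22;
    }
    # MySQL (port 3306) forwarding.
    # Same source-address caveat: host-based grants ('user'@'host') match the
    # proxy address, not the client.
    upstream mysql {
        hash $remote_addr consistent;
        server 172.16.16.16:3306;
        server 172.16.16.17:3306;
    }
    server {
        listen 2021;
        proxy_connect_timeout 3s;
        proxy_timeout 300s;    # idle timeout between two reads/writes
        proxy_pass ssh;
    }

    server {
        listen 2022;
        proxy_connect_timeout 3s;
        # proxy_timeout is an IDLE timeout: the original 3s closed every MySQL
        # connection that was quiet for 3 seconds (connection pools, interactive
        # sessions). Tune this to the backend's wait_timeout.
        proxy_timeout 600s;
        proxy_pass mysql;
    }
}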

[root@localhost nginx]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx_4.conf
#注意:這是手動啟動的第二個 nginx 實例,不受 systemd 管理,重開機後不會自動啟動.nginx_4.conf 必須設定與 nginx.conf 不同的 pid(預設兩者都是 logs/nginx.pid),否則會覆蓋 nginx.service 追蹤的 pid 檔,之後 systemctl stop/reload nginx 會操作到錯誤的程序.

五.配置nginx七層負載均衡

5.1nginx七層負載均衡—HTTP

[root@localhost /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak
[root@localhost /]# vi /usr/local/nginx/conf/nginx.conf
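# nginx.conf - Layer-7 HTTP reverse proxy / load balancer.
#user nobody;            # omitted: an nginx built from source runs workers as "nobody" by default
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
events {
    use epoll;
    worker_connections 65535;
}
http
{
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;     # do not advertise the nginx version in Server: and error pages

    # Standard WebSocket upgrade map: send "Connection: upgrade" only when the
    # client actually sent an Upgrade header, "close" otherwise.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Session affinity by client address (ip_hash keys on the first three
    # octets of an IPv4 address).
    upstream R-Server {
        ip_hash;
        server 172.16.16.16:80;
        server 172.16.16.17:80;
    }
    #HTTP-server
    server {
        listen 80;
        server_name localhost;
        location /imedical/web {
            proxy_pass http://R-Server;
            # Pass the original Host and client address through. Without these
            # the backends see "R-Server" as the Host and the proxy's own IP as
            # the client, so their access logs, rate limits and IP allow-lists
            # are blind to the real client.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # HTTP/1.1 plus Upgrade/Connection so WebSocket upgrades pass.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}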

5.2nginx七層負載均衡—HTTPS

5.2.1自簽發SSL證書

[root@localhost /]# mkdir CA-Server
[root@localhost /]# cd CA-Server/
[root@localhost CA-Server]# openssl genrsa -des3 -out server.key 2048
#會有兩次要求輸入密碼,輸入同一個即可,然後你就獲得了一個server.key檔案
#以後使用此檔案(通過openssl提供的命令或API)可能經常回要求輸入密碼,如果想去除輸入密碼的步驟可以使用以下命令:
[root@localhost CA-Server]# openssl rsa -in server.key -out server.key
[root@localhost CA-Server]# chmod 600 server.key    #去掉密碼後 server.key 是明文私鑰,必須只讓 root 讀取

#建立伺服器證書的申請檔案server.csr,執行:
[root@localhost CA-Server]# openssl req -new -key server.key -out server.csr
#其中Country Name填CN,Common Name必須填使用者實際連線時使用的主機名,不要留空(例如你以後的url為https://abcd/xxxx….這裡就填abcd).注意:現在的主流瀏覽器已不再看 CN,只看憑證的 subjectAltName(SAN),所以下面簽發伺服器證書時還要用 -extfile 加上 SAN,否則即使 CN 正確瀏覽器仍會判定不安全.其他欄位都可以不填.

#建立CA證書.注意:原文直接用 server.key 簽出 ca.crt,之後又用同一把 server.key(-CAkey)簽伺服器證書,等於 CA 私鑰就是伺服器私鑰——任何拿到 nginx 主機上 server.key 的人都能簽發所有匯入了 ca.crt 的用戶端會信任的憑證.CA 必須使用獨立的私鑰,且 ca.key 不要放到 nginx 主機上:
[root@localhost CA-Server]# openssl genrsa -out ca.key 4096
[root@localhost CA-Server]# chmod 600 ca.key server.key
[root@localhost CA-Server]# openssl req -new -x509 -key ca.key -out ca.crt -days 3650
#此時,你可以得到一個ca.crt的證書,這個證書用來給自己的證書籤名.

#建立自當前日期起有效期為期十年的伺服器證書server.crt(十年只適合內部測試環境;同時用 -extfile 加上 subjectAltName,填入使用者實際連線的主機名與 VIP,否則瀏覽器會拒絕此憑證):
[root@localhost CA-Server]# openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile <(printf 'subjectAltName=DNS:abcd,IP:172.16.16.15\nextendedKeyUsage=serverAuth\n') -out server.crt

#ls你的資料夾,可以看到一共生成了6個檔案:
ca.crt ca.key ca.srl server.crt server.csr server.key
#其中,server.crt和server.key就是你的nginx需要的證書檔案,請複製到 nginx 設定中引用的路徑並限制權限(ca.key 不要複製過去):
[root@localhost CA-Server]# mkdir -p /usr/local/nginx/ssl
[root@localhost CA-Server]# cp server.crt server.key /usr/local/nginx/ssl/
[root@localhost CA-Server]# chmod 600 /usr/local/nginx/ssl/server.key

5.2.2配置Nginx

[root@localhost /]# mv /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf.bak    #注意:這會覆蓋 5.1 產生的同名備份,若要保留 HTTP 版設定請改用其他備份檔名
[root@localhost /]# vi /usr/local/nginx/conf/nginx.conf
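# nginx.conf - Layer-7 HTTP + HTTPS reverse proxy / load balancer.
#user nobody;            # omitted: an nginx built from source runs workers as "nobody" by default
worker_processes auto;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
events {
    use epoll;
    worker_connections 65535;
}
http
{
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;     # do not advertise the nginx version in Server: and error pages

    # Standard WebSocket upgrade map: send "Connection: upgrade" only when the
    # client actually sent an Upgrade header, "close" otherwise.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Backends speak plain HTTP on port 80; TLS is terminated in this nginx.
    upstream R-Server {
        ip_hash;
        server 172.16.16.16:80;
        server 172.16.16.17:80;
        server 172.16.16.18:80;
    }
    #HTTP-server
    server {
        listen 80;
        server_name localhost;
        location /imedical/web {
            proxy_pass http://R-Server;
            # Pass the original Host and client address through so backend
            # logs, rate limits and IP allow-lists see the real client instead
            # of "R-Server" / the proxy's own IP.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    #HTTPS-server
    server {
        listen 443 ssl;
        server_name localhost;

        # server.crt/server.key are generated in the CA-Server directory of
        # section 5.2.1 and must be copied here; the key is read by the root
        # master process and should be mode 0600.
        ssl_certificate /usr/local/nginx/ssl/server.crt;
        ssl_certificate_key /usr/local/nginx/ssl/server.key;

        # Without this line nginx 1.21 also offers TLSv1 and TLSv1.1.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            # The upstream servers listen on port 80, so the original
            # "proxy_pass https://R-Server" could only fail the TLS handshake
            # (502). TLS is terminated here and forwarded as plain HTTP.
            # If the backend hop must be re-encrypted, point the upstream at
            # the backends' TLS port and add "proxy_ssl_verify on" with
            # "proxy_ssl_trusted_certificate": nginx does NOT verify upstream
            # certificates by default.
            proxy_pass http://R-Server;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }
}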