拓扑图
- 用户访问www.abc.com解析到10.4.7.8,防火墙做DNAT将访问10.4.7.8:80的请求转换到VIP 172.16.10.7:80,负载均衡器再将请求转发到后端web服务器。
实验环境
VIP:负载均衡服务器的虚拟ip地址
LB :负载均衡服务器
realserver:后端真实服务器
一、配置防火墙,先让内网服务器能上网
1、先确认网关服务器能上网
(1) 查看网关服务器ip地址
[root@gateway ~]# ifconfig ens33 |grep -w "inet"
inet 10.4.7.8 netmask 255.255.255.0 broadcast 10.4.7.255
[root@gateway ~]# ifconfig ens37 |grep -w "inet"
inet 172.16.10.8 netmask 255.255.255.0 broadcast 172.16.10.255
(2) ping百度
[root@gateway ~]# ping www.baidu.com -c 2
PING www.a.shifen.com (39.156.66.14) 56(84) bytes of data.
64 bytes from 39.156.66.14 (39.156.66.14): icmp_seq=1 ttl=128 time=9.51 ms
64 bytes from 39.156.66.14 (39.156.66.14): icmp_seq=2 ttl=128 time=8.90 ms
2、防火墙开启路由转发,并配置NAT规则
(1) 开启路由转发
[root@gateway ~]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf
[root@gateway ~]# sysctl -p
(2) 配置SNAT让来自172.16.10.0/24的内网用户能上网(公网ip不固定就是用自动寻路)
[root@gateway ~]# iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -j MASQUERADE
(3) 配置DNAT让访问目标地址是10.4.7.8:80的请求,跳转到VIP172.16.10.7:80
[root@gateway ~]# iptables -t nat -A PREROUTING -p tcp -d 10.4.7.8 --dport 80 -j DNAT --to-destination 172.16.10.7:80
[root@gateway ~]# service iptables save
3、将所有内网服务器网关指向gateway服务器内网ip
(1) lvs-master
[root@lvs-master ~]# echo -e "GATEWAY=172.16.10.8\nDNS1=8.8.8.8" >> /etc/sysconfig/network-scripts/ifcfg-ens33
[root@lvs-master ~]# systemctl restart network
[root@lvs-master ~]# ping www.baidu.com
PING www.wshifen.com (104.193.88.77) 56(84) bytes of data.
64 bytes from 104.193.88.77 (104.193.88.77): icmp_seq=1 ttl=127 time=198 ms
(2) lvs-slave
[root@lvs-slave ~]# echo -e "GATEWAY=172.16.10.8\nDNS1=8.8.8.8" >> /etc/sysconfig/network-scripts/ifcfg-ens33
[root@lvs-slave ~]# systemctl restart network
[root@lvs-slave ~]# ping www.baidu.com
PING www.wshifen.com (104.193.88.77) 56(84) bytes of data.
64 bytes from 104.193.88.77 (104.193.88.77): icmp_seq=2 ttl=127 time=218 ms
(3) web1
[root@web1 ~]# echo -e "GATEWAY=172.16.10.8\nDNS1=8.8.8.8" >> /etc/sysconfig/network-scripts/ifcfg-ens33
[root@web1 ~]# systemctl restart network
[root@web1 ~]# ping www.baidu.com
PING www.wshifen.com (104.193.88.77) 56(84) bytes of data.
64 bytes from 104.193.88.77 (104.193.88.77): icmp_seq=1 ttl=127 time=221 ms
(4) web2
[root@web2 ~]# echo -e "GATEWAY=172.16.10.8\nDNS1=8.8.8.8" >> /etc/sysconfig/network-scripts/ifcfg-ens33
[root@web2 ~]# systemctl restart network
[root@web2 ~]# ping www.baidu.com
PING www.wshifen.com (104.193.88.77) 56(84) bytes of data.
64 bytes from 104.193.88.77 (104.193.88.77): icmp_seq=1 ttl=127 time=209 ms
二、配置keepalive+lvs
1、安装keepalived+lvs(keepalived和lvs 在一台服务器上,主备都安装)
(1) lvs-master
[root@lvs-master ~]# yum -y install keepalived ipvsadm
[root@lvs-master ~]# keepalived -v # 查看keepalived版本号
Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
[root@lvs-master ~]# ipvsadm -v # 查看ipvsadm版本号
ipvsadm v1.27 2008/5/15 (compiled with popt and IPVS v1.2.1)
(2) lvs-slave
[root@lvs-slave ~]# yum -y install keepalived ipvsadm
[root@lvs-slave ~]# keepalived -v
Keepalived v1.3.5 (03/19,2017), git commit v1.3.5-6-g6fa32f2
[root@lvs-slave ~]# ipvsadm -v
ipvsadm v1.27 2008/5/15 (compiled with popt and IPVS v1.2.1)
2、配置keepalived+lvs主、备(keepalived是专门为lvs设计的)
- 设置非抢占模式只在master上配置就可以
(1) 配置 lvs-master
[root@lvs-master ~]# cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
[root@lvs-master ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL_01 # keepalive标识符,主备不能相同
}
vrrp_instance VI_1 { # VRRP实例,主备必须相同
state MASTER # 角色,MASTER为主,BACKUP为备
#state BACKUP # 如果是非抢占模式要两边都为BACKUP
interface ens33 # 监听的网卡
virtual_router_id 51 # 虚拟路由标识,主备必须相同
priority 150 # 优先级,主要高于备
#nopreempt # 开启非抢占模式(在优先级高的上面配置)
advert_int 1 # 主备同步检查间隔1秒
authentication { # 主备认证密码
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.16.10.7 # 设置虚拟ip地址
}
}
################ 上面是keepalived设置,下面是lvs设置 ##################
virtual_server 172.16.10.7 80 { # 基于上面的VIP创建虚拟服务器
delay_loop 6 # 健康检查时间
lb_algo rr # 调度算法rr为轮训
lb_kind DR # 负载均衡模式DR路由模式
persistence_timeout 50 # 会话保持时间
protocol TCP # 转发协议类型
real_server 172.16.10.5 80 { # 设置第一台后端web服务器
weight 1 # 设置web服务器权重
HTTP_GET { # 设置健康检查页面,健康检查方式 常见有 TCP_CHECK, HTTP_GET, SSL_GET, MISC_CHECK(自定义脚本)
url {
path /index.html
# digest的值这样生成 genhash -s 172.16.10.5 -p 80 -u /index.html
digest d8cf4a4aed83e042d2b147561f1c83df
}
connect_timeout 8 # 设置响应超时时间
nb_get_retry 3 # 设置超时重试次数
delay_before_retry 3 # 设置超时重试间隔
}
}
real_server 172.16.10.6 80 { # 设置第二台后端web服务器
weight 1 # 设置web服务器权重
HTTP_GET { # 设置健康检查页面
url {
path /index.html
# digest的值这样生成 genhash -s 172.16.10.6 -p 80 -u /index.html
digest 0583558e12e704650cd8bd72e0274347
}
connect_timeout 8 # 设置响应超时时间
nb_get_retry 3 # 设置超时重试次数
delay_before_retry 3 # 设置超时重试间隔
}
}
}
---------------------------------------------------------------------------------------------------
(2) 配置lvs-slave
[root@lvs-slave ~]# cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
[root@lvs-slave ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL_02 # keepalive标识符,主备不能相同
}
vrrp_instance VI_1 { # VRRP实例,主备必须相同
state BACKUP # 角色,MASTER为主,BACKUP为备
interface ens33 # 监听的网卡
virtual_router_id 51 # 虚拟路由标识,主备必须相同
priority 90 # 优先级,主要高于备
advert_int 1 # 主备同步检查间隔1秒
authentication { # 主备认证密码
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.16.10.7 # 设置虚拟ip地址
}
}
################ 上面是keepalived设置,下面是lvs设置 ##################
virtual_server 172.16.10.7 80 { # 根据上面的VIP创建虚拟服务器
delay_loop 6 # 健康检查时间
lb_algo rr # 调度算法rr为轮训
lb_kind DR # 负载均衡模式DR路由模式
persistence_timeout 50 # 会话保持时间
protocol TCP # 转发协议类型
real_server 172.16.10.5 80 { # 设置第一台后端web服务器
weight 1 # 设置web服务器权重
HTTP_GET { # 设置健康检查页面
url {
path /index.html
# digest的值这样生成 genhash -s 172.16.10.5 -p 80 -u /index.html
digest d8cf4a4aed83e042d2b147561f1c83df
}
connect_timeout 8 # 设置响应超时时间
nb_get_retry 3 # 设置超时重试次数
delay_before_retry 3 # 设置超时重试间隔
}
}
real_server 172.16.10.6 80 { # 设置第二台后端web服务器
weight 1 # 设置web服务器权重
HTTP_GET { # 设置健康检查页面
url {
path /index.html
# digest的值这样生成 genhash -s 172.16.10.6 -p 80 -u /index.html
digest 0583558e12e704650cd8bd72e0274347
}
connect_timeout 8 # 设置响应超时时间
nb_get_retry 3 # 设置超时重试次数
delay_before_retry 3 # 设置超时重试间隔
}
}
}
三、配置nginx服务器
1、配置web1
(1) 安装nginx
[root@web1 ~]# rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
[root@web1 ~]# yum -y install nginx
(2) 增加虚拟主机
[root@web1 ~]# cat /etc/nginx/conf.d/www_abc_com.conf
server {
listen 80;
server_name www.abc.com;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
[root@web1 ~]# echo "web1-172.16.10.5" > /usr/share/nginx/html/index.html
(3) 配置vip,以及抑制ARP广播脚本
[root@web1 ~]# cat /etc/init.d/lvs_realserver
#!/bin/sh
VIP=172.16.10.7
Usage ()
{
echo "Usage:`basename $0` (start|stop)"
exit 1
}
if [ $# -ne 1 ];then
Usage
fi
case $1 in
start)
echo "reparing for Real Server"
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/ens33/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/ens33/arp_announce
/sbin/ifconfig lo:0 $VIP netmask 255.255.255.255 up
#/sbin/route add -host $VIP dev lo:0
;;
stop)
/sbin/ifconfig lo:0 down
echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
echo "0" >/proc/sys/net/ipv4/conf/ens33/arp_ignore
echo "0" >/proc/sys/net/ipv4/conf/ens33/arp_announce
echo "stop Real Server"
;;
*)
Usage
esac
2、配置web2
(1) 安装nginx
[root@web2 ~]# rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
[root@web2 ~]# yum -y install nginx
(2) 增加虚拟主机
[root@web2 ~]# cat /etc/nginx/conf.d/www_abc_com.conf
server {
listen 80;
server_name www.abc.com;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
[root@web2 ~]# echo "web2-172.16.10.6" > /usr/share/nginx/html/index.html
(3) 编写绑定vip和抑制ARP广播脚本
[root@web2 ~]# cat /etc/init.d/lvs_realserver
#!/bin/sh
VIP=172.16.10.7
Usage ()
{
echo "Usage:`basename $0` (start|stop)"
exit 1
}
if [ $# -ne 1 ];then
Usage
fi
case $1 in
start)
echo "reparing for Real Server"
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/ens33/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/ens33/arp_announce
/sbin/ifconfig lo:0 $VIP netmask 255.255.255.255 up
#/sbin/route add -host $VIP dev lo:0
;;
stop)
/sbin/ifconfig lo:0 down
echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
echo "0" >/proc/sys/net/ipv4/conf/ens33/arp_ignore
echo "0" >/proc/sys/net/ipv4/conf/ens33/arp_announce
echo "stop Real Server"
;;
*)
Usage
esac
四、启动服务器
(1) 启动keepalive和lvs
[root@lvs-master ~]# systemctl start keepalived
[root@lvs-slave ~]# systemctl start keepalived
(2) 启动nginx、启动绑定VIP并抑制ARP广播的脚本
[root@web1 ~]# systemctl start nginx
[root@web1 ~]# /etc/init.d/lvs_realserver start
[root@web1 ~]# ifconfig lo:0 |grep "inet"
inet 172.16.10.7 netmask 255.255.255.255 # 已经绑定vip
[root@web2 ~]# systemctl start nginx
[root@web2 ~]# /etc/init.d/lvs_realserver start
[root@web2 ~]# ifconfig lo:0 |grep "inet"
inet 172.16.10.7 netmask 255.255.255.255
(3) 查看keepalived当前的vip状态和监听的后端web节点
[root@lvs-master ~]# ip add
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP
inet 172.16.10.3/24 brd 172.16.10.255 scope global ens33 # 这是本机地址
inet 172.16.10.7/32 scope global ens33 # keepalived已经绑定VIP成功
[root@lvs-master ~]# ipvsadm -L
TCP lvs-master:http rr persistent 50
-> 172.16.10.5:http Route 1 3 0 # 监听后端web1
-> 172.16.10.6:http Route 1 0 0 # 监听后端web2
五、客户端绑定hosts,并访问http://www.abc. com
1、设置hosts
172.16.10.7 www.abc.com
2、访问测试(由于是轮训rr算法,多次访问才会访问到web1上面)
