• lvs-nat模式


    lvs-nat 模式配置

    环境 IP 服务
    centos8

    eth1 仅主机模式   VIP 192.168.17.132/24

    eth0  NAT   DIP  192.168.248.202/24

     DR
    centos8

    eth0 NAT 192.168.248.200/24

        gw 192.1682.48.202

    RS1 httpd
    centos8

    eth0 NAT  192.168.248.201/24

        gw 192.168.248.202

    RS2 httpd

    1) 配置网络环境

    配置DR

    # 配置DIP
    [root@LVS ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
    TYPE=Ethernet
    NAME=eth0
    DEVICE=eth0
    BOOTPROTO=static
    ONBOOT=yes
    IPADDR=192.168.248.202
    NETMASK=255.255.255.0
    
    #配置VIP
    [root@LVS ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
    TYPE=Ethernet
    NAME=eth1
    DEVICE=eth1
    BOOTPROTO=static
    ONBOOT=yes
    IPADDR=192.168.17.132
    NETMASK=255.255.255.0
    
    [root@LVS ~]# nmcli c reload
    [root@LVS ~]#nmcil c up eth0
    [root@LVS ~]#nmcil c up eth1
    
    
    #开启IP转发功能
    [root@LVS ~]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    [root@LVS ~]# sysctl -p
    net.ipv4.ip_forward = 1
    

    RS上的配置

    #RS1
    [root@RS1 ~]# yum -y install httpd
    [root@RS1 ~]#  echo RS1 > /var/www/html/index.html
    [root@RS1 ~]# systemctl  start httpd
    
    #RS2
    [root@RS2 ~]# yum -y install httpd
    [root@RS2 ~]#  echo RS2 > /var/www/html/index.html
    [root@RS2 ~]# systemctl  start httpd
    
    
    # RS1网络配置
    [root@RS1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 
    TYPE=Ethernet
    BOOTPROTO=static
    NAME=eth0
    DEVICE=eth0
    ONBOOT=yes
    IPADDR=192.168.248.200
    NATEMASK=255.255.255.0
    GATEWAY=192.168.248.202
    
    [root@RS1 ~]# nmcli c reload
    [root@RS1 ~]# nmcli c up eth0
    
    #RS2网络配置
    [root@RS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 
    TYPE=Ethernet
    BOOTPROTO=static
    NAME=eth0
    DEVICE=eth0
    ONBOOT=yes
    IPADDR=192.168.248.201
    NATEMASK=255.255.255.0
    GATEWAY=192.168.248.202
    
    [root@RS2 ~]# nmcli c reload
    [root@RS2 ~]# nmcli c up eth0
    

    2) 配置DR服务器

    [root@LVS ~]# yum -y install ipvsadm
    [root@LVS ~]# ipvsadm -A -t 192.168.17.132:80 -s rr
    [root@LVS ~]# ipvsadm -a -t 192.168.17.132:80 -r 192.168.248.200 -m
    [root@LVS ~]# ipvsadm -a -t 192.168.17.132:80 -r 192.168.248.201 -m
    

     2) 测试访问

    [root@LVS ~]# curl 192.168.17.132:80
    RS2
    [root@LVS ~]# curl 192.168.17.132:80
    RS1
    [root@LVS ~]# curl 192.168.17.132:80
    RS2
    [root@LVS ~]# curl 192.168.17.132:80
    RS1
    

    开启https,在后端服务器安装mod_ssl

     DR服务器上搭建CA服务端

    #生成一对密钥
    [root@LVS ~]# mkdir -p /etc/pki/CA/private
    [root@LVS ~]# cd /etc/pki/CA
    [root@LVS CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
    [root@LVS CA]# openssl rsa -in private/cakey.pem -pubout
    
    #生成自签署证书
    [root@LVS CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:ch
    State or Province Name (full name) []:hb
    Locality Name (eg, city) [Default City]:wh
    Organization Name (eg, company) [Default Company Ltd]:xx
    Organizational Unit Name (eg, section) []:xxx
    Common Name (eg, your name or your server's hostname) []:xxx
    Email Address []:1@1.com
    
    [root@LVS CA]# touch index.txt && echo 01 > serial
    

     RS1生成证书请求并发送给CA

    [root@RS1 ~]# yum -y install mod_ssl
    [root@RS1 ~]# mkdir /etc/httpd/ssl
    [root@RS1 ~]# cd /etc/httpd/ssl
    [root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
    
    [root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.cs
    Ignoring -days; not generating a certificate
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:ch
    State or Province Name (full name) []:hb
    Locality Name (eg, city) [Default City]:wh
    Organization Name (eg, company) [Default Company Ltd]:xx
    Organizational Unit Name (eg, section) []:xxx
    Common Name (eg, your name or your server's hostname) []:xxx
    Email Address []:1@1.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
    [root@RS1 ssl]# ls
    httpd.csr  httpd.key
    
    #把证书签署请求文件发送给CA
    [root@RS1 ssl]# scp httpd.csr root@192.168.248.202:/root/
    

    CA签署证书并发给RS1

    [root@LVS ~]#  mkdir /etc/pki/CA/newcerts
    [root@LVS ~]# touch /etc/pki/CA/index.txt
    
    #跟踪最后一次颁发证书的序列号
    [root@LVS ~]# echo "01" > /etc/pki/CA/serial
    
    [root@LVS ~]# openssl ca -in httpd.csr -out httpd.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: May  7 12:35:37 2021 GMT
                Not After : May  7 12:35:37 2022 GMT
            Subject:
                countryName               = ch
                stateOrProvinceName       = hb
                organizationName          = xx
                organizationalUnitName    = xxx
                commonName                = xxx
                emailAddress              = 1@1.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    BF:C5:50:36:FE:1A:65:D6:6F:32:92:5C:F9:C2:B5:B0:31:66:D7:9D
                X509v3 Authority Key Identifier: 
                    keyid:BE:17:D2:7A:54:3A:83:A6:F1:0D:AA:AD:BF:70:39:80:05:A6:58:E0
    
    Certificate is to be certified until May  7 12:35:37 2022 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    
    #CA把签署好的证书httpd.crt和服务端的证书cacert.pem发给RS1
    [root@LVS ~]# scp  httpd.crt  192.168.248.200:/etc/httpd/ssl
    [root@LVS ~]# scp /etc/pki/CA/cacert.pem 192.168.248.200:/etc/httpd/ssl
    

     将RS1的证书和密钥发给RS2

    #RS2
    [root@RS2 ~]# yum -y install mod_ssl
    [root@RS2 ~]# mkdir /etc/httpd/ssl
    
    #在RS1上将签署好的证书httpd.crt和服务端的证书cacert.pem及httpd.key发给RS2
    [root@RS1 ssl]# scp cacert.pem  httpd.crt httpd.key  192.168.248.201:/etc/httpd/ssl
    

     修改RS中的httpd配置文件,都需要修改

    [root@RS1 ssl]# sed -n '85p;93p;109p' /etc/httpd/conf.d/ssl.conf
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    SSLCACertificateFile /etc/httpd/ssl/cacert.pem
    
    #重启服务
    [root@RS1 ssl]# systemctl  restart httpd
    

     DR上添加集群

    [root@LVS ~]# ipvsadm -At 192.168.17.132:443 -s rr
    [root@LVS ~]# ipvsadm -at 192.168.17.132:443 -r 192.168.248.200 -m
    [root@LVS ~]# ipvsadm -at 192.168.17.132:443 -r 192.168.248.201 -m
    

    测试访问,会发现它会认为https和http是两个不同的服务,当一个访问https一个访问http时可能会调度到一个RS上,它会认为https和http是两个不同的服务

    [root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
    RS2
    RS2
    [root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
    RS1
    RS1
    

    在DR上使用防火墙标签只要使用80或443便认为是同一个服务

    #标识可以是任意整数这里使用100
    [root@LVS ~]# iptables -t mangle -A PREROUTING -d 192.168.17.132 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 100
    
    #清空规则
    [root@LVS ~]# ipvsadm -C
    
    [root@LVS ~]# ipvsadm  -Af 100 -s rr
    
    [root@LVS ~]# ipvsadm  -af 100 -r 192.168.248.200 -m
    
    #测试访问
    [root@LVS ~]# ipvsadm  -af 100 -r 192.168.248.201 -m
    [root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
    RS2
    RS1
    [root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
    RS2
    RS1
    [root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
    RS2
    RS1
    [root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
    RS2
    RS1
    [root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132
    RS2
    RS1
    
  • 相关阅读:
    牛顿迭代法
    C语言补遗
    Manjaro添加开机启动脚本
    tensorboard查看pytorch模型
    Kindle最佳排版记录
    01背包问题详解
    差分法介绍
    BFS详解
    UVA11732 "strcmp()" Anyone?
    LA3942 Remember the Word
  • 原文地址:https://www.cnblogs.com/diqiyao/p/14742638.html
Copyright © 2020-2023  润新知