lvs-nat 模式配置
环境 | IP | 服务 |
centos8 |
eth1 仅主机模式 VIP 192.168.17.132/24 eth0 NAT DIP 192.168.248.202/24 |
DR |
centos8 |
eth0 NAT 192.168.248.200/24 gw 192.1682.48.202 |
RS1 httpd |
centos8 |
eth0 NAT 192.168.248.201/24 gw 192.168.248.202 |
RS2 httpd |
1) 配置网络环境
配置DR
# 配置DIP [root@LVS ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 TYPE=Ethernet NAME=eth0 DEVICE=eth0 BOOTPROTO=static ONBOOT=yes IPADDR=192.168.248.202 NETMASK=255.255.255.0 #配置VIP [root@LVS ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1 TYPE=Ethernet NAME=eth1 DEVICE=eth1 BOOTPROTO=static ONBOOT=yes IPADDR=192.168.17.132 NETMASK=255.255.255.0 [root@LVS ~]# nmcli c reload [root@LVS ~]#nmcil c up eth0 [root@LVS ~]#nmcil c up eth1 #开启IP转发功能 [root@LVS ~]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf [root@LVS ~]# sysctl -p net.ipv4.ip_forward = 1
RS上的配置
#RS1 [root@RS1 ~]# yum -y install httpd [root@RS1 ~]# echo RS1 > /var/www/html/index.html [root@RS1 ~]# systemctl start httpd #RS2 [root@RS2 ~]# yum -y install httpd [root@RS2 ~]# echo RS2 > /var/www/html/index.html [root@RS2 ~]# systemctl start httpd # RS1网络配置 [root@RS1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 TYPE=Ethernet BOOTPROTO=static NAME=eth0 DEVICE=eth0 ONBOOT=yes IPADDR=192.168.248.200 NATEMASK=255.255.255.0 GATEWAY=192.168.248.202 [root@RS1 ~]# nmcli c reload [root@RS1 ~]# nmcli c up eth0 #RS2网络配置 [root@RS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0 TYPE=Ethernet BOOTPROTO=static NAME=eth0 DEVICE=eth0 ONBOOT=yes IPADDR=192.168.248.201 NATEMASK=255.255.255.0 GATEWAY=192.168.248.202 [root@RS2 ~]# nmcli c reload [root@RS2 ~]# nmcli c up eth0
2) 配置DR服务器
[root@LVS ~]# yum -y install ipvsadm [root@LVS ~]# ipvsadm -A -t 192.168.17.132:80 -s rr [root@LVS ~]# ipvsadm -a -t 192.168.17.132:80 -r 192.168.248.200 -m [root@LVS ~]# ipvsadm -a -t 192.168.17.132:80 -r 192.168.248.201 -m
2) 测试访问
[root@LVS ~]# curl 192.168.17.132:80 RS2 [root@LVS ~]# curl 192.168.17.132:80 RS1 [root@LVS ~]# curl 192.168.17.132:80 RS2 [root@LVS ~]# curl 192.168.17.132:80 RS1
开启https,在后端服务器安装mod_ssl
DR服务器上搭建CA服务端
#生成一对密钥 [root@LVS ~]# mkdir -p /etc/pki/CA/private [root@LVS ~]# cd /etc/pki/CA [root@LVS CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) [root@LVS CA]# openssl rsa -in private/cakey.pem -pubout #生成自签署证书 [root@LVS CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:ch State or Province Name (full name) []:hb Locality Name (eg, city) [Default City]:wh Organization Name (eg, company) [Default Company Ltd]:xx Organizational Unit Name (eg, section) []:xxx Common Name (eg, your name or your server's hostname) []:xxx Email Address []:1@1.com [root@LVS CA]# touch index.txt && echo 01 > serial
RS1生成证书请求并发送给CA
[root@RS1 ~]# yum -y install mod_ssl [root@RS1 ~]# mkdir /etc/httpd/ssl [root@RS1 ~]# cd /etc/httpd/ssl [root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048) [root@RS1 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.cs Ignoring -days; not generating a certificate You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:ch State or Province Name (full name) []:hb Locality Name (eg, city) [Default City]:wh Organization Name (eg, company) [Default Company Ltd]:xx Organizational Unit Name (eg, section) []:xxx Common Name (eg, your name or your server's hostname) []:xxx Email Address []:1@1.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@RS1 ssl]# ls httpd.csr httpd.key #把证书签署请求文件发送给CA [root@RS1 ssl]# scp httpd.csr root@192.168.248.202:/root/
CA签署证书并发给RS1
[root@LVS ~]# mkdir /etc/pki/CA/newcerts [root@LVS ~]# touch /etc/pki/CA/index.txt #跟踪最后一次颁发证书的序列号 [root@LVS ~]# echo "01" > /etc/pki/CA/serial [root@LVS ~]# openssl ca -in httpd.csr -out httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: May 7 12:35:37 2021 GMT Not After : May 7 12:35:37 2022 GMT Subject: countryName = ch stateOrProvinceName = hb organizationName = xx organizationalUnitName = xxx commonName = xxx emailAddress = 1@1.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: BF:C5:50:36:FE:1A:65:D6:6F:32:92:5C:F9:C2:B5:B0:31:66:D7:9D X509v3 Authority Key Identifier: keyid:BE:17:D2:7A:54:3A:83:A6:F1:0D:AA:AD:BF:70:39:80:05:A6:58:E0 Certificate is to be certified until May 7 12:35:37 2022 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries #CA把签署好的证书httpd.crt和服务端的证书cacert.pem发给RS1 [root@LVS ~]# scp httpd.crt 192.168.248.200:/etc/httpd/ssl [root@LVS ~]# scp /etc/pki/CA/cacert.pem 192.168.248.200:/etc/httpd/ssl
将RS1的证书和密钥发给RS2
#RS2 [root@RS2 ~]# yum -y install mod_ssl [root@RS2 ~]# mkdir /etc/httpd/ssl #在RS1上将签署好的证书httpd.crt和服务端的证书cacert.pem及httpd.key发给RS2 [root@RS1 ssl]# scp cacert.pem httpd.crt httpd.key 192.168.248.201:/etc/httpd/ssl
修改RS中的httpd配置文件,都需要修改
[root@RS1 ssl]# sed -n '85p;93p;109p' /etc/httpd/conf.d/ssl.conf SSLCertificateFile /etc/httpd/ssl/httpd.crt SSLCertificateKeyFile /etc/httpd/ssl/httpd.key SSLCACertificateFile /etc/httpd/ssl/cacert.pem #重启服务 [root@RS1 ssl]# systemctl restart httpd
DR上添加集群
[root@LVS ~]# ipvsadm -At 192.168.17.132:443 -s rr [root@LVS ~]# ipvsadm -at 192.168.17.132:443 -r 192.168.248.200 -m [root@LVS ~]# ipvsadm -at 192.168.17.132:443 -r 192.168.248.201 -m
测试访问,会发现它会认为https和http是两个不同的服务,当一个访问https一个访问http时可能会调度到一个RS上,它会认为https和http是两个不同的服务
[root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132 RS2 RS2 [root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132 RS1 RS1
在DR上使用防火墙标签只要使用80或443便认为是同一个服务
#标识可以是任意整数这里使用100 [root@LVS ~]# iptables -t mangle -A PREROUTING -d 192.168.17.132 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 100 #清空规则 [root@LVS ~]# ipvsadm -C [root@LVS ~]# ipvsadm -Af 100 -s rr [root@LVS ~]# ipvsadm -af 100 -r 192.168.248.200 -m #测试访问 [root@LVS ~]# ipvsadm -af 100 -r 192.168.248.201 -m [root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132 RS2 RS1 [root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132 RS2 RS1 [root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132 RS2 RS1 [root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132 RS2 RS1 [root@LVS ~]# curl -k https://192.168.17.132;curl http://192.168.17.132 RS2 RS1