netfilter: firewall marks are used to classify packets, and the cluster service is then defined on the mark; this lets several different application services be scheduled through one and the same cluster service.
How to set the mark on the Director host:
~]# iptables -t mangle -A PREROUTING -d $VIP -p $protocol -m multiport --dports PORT1,PORT2 -j MARK --set-mark NUMBER
Define the cluster service on the firewall mark:
~]# ipvsadm -A -f NUMBER [options]
Below, taking http and https as the example, the two services are combined on the VS.
Topology:
===============
Client ---> Router ---> Switch ---> (physical adapter:0 VIP) Virtual Server (DIP)
                                           |
                                           |---------(RIP1) Real Server 1 (lo:0 VIP)
                                           |
                                           |---------(RIP2) Real Server 2 (lo:0 VIP)
VS, RS1 and RS2 are on the same network.
DIP:       192.168.206.55    physical NIC:0 (VIP): 192.168.206.200
RIP1:      192.168.206.66    lo:0 (VIP):           192.168.206.200
RIP2:      192.168.206.99    lo:0 (VIP):           192.168.206.200
GATEWAY:   192.168.206.2
The following steps continue from <1.5 lvs-dr configuration>.
Environment preparation:
=============
1. Install nginx or httpd on the 2 RSs and create test pages.
Because of an earlier environment configuration on my side, 192.168.206.66 has httpd (apache) installed and 192.168.206.99 has nginx; that environment is reused here.
[root@localhost ~]# curl http://192.168.206.66
<h1> hello 192.168.206.66 </h1>
[root@localhost ~]# curl http://192.168.206.99
<h2> hello 192.168.206.99 .......... </h2>
[root@localhost ~]#
2. Configure a CA on the VS host to act as the issuing authority.
~]# cd /etc/pki/CA
~]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
~]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
~]# touch index.txt
~]# echo "1" > serial
3. Generate the RS certificate and configure SSL.
Note: both back-end RSs need the same SSL certificate. Since IP addresses are used for testing here, the subject of the SSL certificate is the VIP.
Generate the private key, certificate request and certificate for the back-end RSs directly on the VS host:
~]# (umask 077; openssl genrsa -out nginx.key 2048)
~]# openssl req -new -key nginx.key -out nginx.csr -days 365
~]# openssl ca -in nginx.csr -out certs/nginx.crt -days 365
Copy nginx.key and nginx.crt to back-end server 192.168.206.66 (apache: httpd) and configure SSL there (requires the mod_ssl module):
~]# scp nginx.key certs/nginx.crt root@192.168.206.66:/etc/httpd/66ssl/
~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/66ssl/nginx.crt
SSLCertificateKeyFile /etc/httpd/66ssl/nginx.key
~]# systemctl reload httpd
Copy nginx.key and nginx.crt to back-end server 192.168.206.99 (nginx) and configure SSL there:
~]# scp nginx.key certs/nginx.crt root@192.168.206.99:/etc/nginx/conf.d/
~]# vim /etc/nginx/conf.d/ssl.conf
server {
    listen 443 ssl;
    keepalive_timeout 65;
    root /usr/share/nginx/html;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_certificate /etc/nginx/conf.d/nginx.crt;
    ssl_certificate_key /etc/nginx/conf.d/nginx.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
}
~]# nginx -s reload
Test: in a browser, test https access to each of the 2 RSs.
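Before trusting the browser test, it is worth checking the material that was just copied to both RSs: that nginx.key really belongs to nginx.crt, that RS1 and RS2 received the same certificate, and what name the certificate actually carries. The script below is an added example, not code from the original post; the function names are its own, it assumes the openssl CLI is installed, and it uses the post's VIP 192.168.206.200 as the default name to look for.

```shell
#!/bin/sh
# Added example, not code from the original post: checks for the key and
# certificate that the post copies to both real servers. Function names are
# this example's own; the VIP 192.168.206.200 is the post's. Requires the
# openssl CLI.

# 0 if the public key derived from the private key is the one in the cert,
# 1 if they differ, 2 if either file cannot be read.
tls_pair_matches() {   # key.pem cert.pem
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# SHA-256 fingerprint; compare the value from RS1 with the one from RS2 to
# confirm both hosts serve the same certificate for the VIP.
tls_cert_fingerprint() {   # cert.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Subject CN, printed the same way on every OpenSSL version (RFC 2253 form).
tls_cert_cn() {   # cert.pem
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# 0 if the cert lists the IP in a subjectAltName iPAddress entry. Browsers
# validate IP literals against the SAN rather than the CN, so a CN-only
# certificate for the VIP (what a plain `openssl req` produces) fails there.
tls_cert_has_ip_san() {   # cert.pem ip
    openssl x509 -in "$1" -noout -text | grep -qE "IP Address:$2(,| |$)"
}

# Usage: sh tlscheck.sh nginx.key nginx.crt [VIP]   (file names as in the post)
if [ "$#" -ge 2 ]; then
    key=$1; crt=$2; vip=${3:-192.168.206.200}
    if tls_pair_matches "$key" "$crt"; then echo "key/cert: match"; else echo "key/cert: MISMATCH"; fi
    echo "fingerprint: $(tls_cert_fingerprint "$crt")"
    echo "subject CN:  $(tls_cert_cn "$crt")"
    if tls_cert_has_ip_san "$crt" "$vip"; then echo "SAN: has IP $vip"; else echo "SAN: no iPAddress entry for $vip"; fi
fi
```

Run it once on each RS against the copied files and compare the two fingerprints. A key/cert mismatch shows up as the server refusing to start or TLS handshakes failing on that RS only, which under round-robin scheduling looks like every second https request failing. The SAN check explains why a browser may still warn even after cacert.pem has been imported: the certificate in this post names the VIP only in its CN.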
4. Configure the VS: define the firewall mark (binding ports 80 and 443).
~]# yum -y install iptables-services
~]# iptables -F
~]# iptables -t mangle -A PREROUTING -d 192.168.206.200 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 5
5. Configure the ipvsadm cluster service.
First confirm that the data from the previous environment has been cleared:
~]# ipvsadm -l
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
[root@localhost CA]#
Add the cluster service and the back-end RSs:
~]# ipvsadm -A -f 5 -s sh
~]# ipvsadm -a -f 5 -r 192.168.206.66 -g
~]# ipvsadm -a -f 5 -r 192.168.206.99 -g
~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  5 sh
  -> 192.168.206.66:0             Route   1      0          0
  -> 192.168.206.99:0             Route   1      0          0
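The mark rule template at the top of the post and the ipvsadm steps just shown are two halves of one procedure, and the `ipvsadm -ln` listing is the only place where a typo (wrong mark, a RIP added with -m instead of -g) becomes visible. The script below is an added example, not code from the original post: it fills the post's template with the post's values, and it parses a constructed `ipvsadm -ln` listing in the layout shown above to confirm that the FWM service exists with the expected scheduler and that every RIP is attached in Route (DR) mode. Function names and the sample listing are this example's own; nothing is applied to iptables or ipvsadm.

```shell
#!/bin/sh
# Added example, not code from the original post: turn the "mark, then define
# an FWM service" steps into parameterised commands, and verify the resulting
# `ipvsadm -ln` table. VIP, mark, ports and RIPs are the post's values; the
# function names and the sample table are this example's own.

# The mangle rule from the post's template, with the placeholders filled in.
fwm_mark_rule() {   # vip proto ports mark
    printf 'iptables -t mangle -A PREROUTING -d %s -p %s -m multiport --dports %s -j MARK --set-mark %s\n' \
        "$1" "$2" "$3" "$4"
}

# One FWM cluster service plus one DR (-g) real server per RIP.
fwm_service_cmds() {   # mark scheduler rip...
    mark=$1; sched=$2; shift 2
    printf 'ipvsadm -A -f %s -s %s\n' "$mark" "$sched"
    for rip in "$@"; do
        printf 'ipvsadm -a -f %s -r %s -g\n' "$mark" "$rip"
    done
}

# Read an `ipvsadm -ln` listing on stdin and check that the FWM service exists
# with the expected scheduler and that every expected RIP is present in
# Route (DR) mode. Returns 0 when everything matches, 1 otherwise.
fwm_check_table() {   # mark scheduler rip...
    mark=$1; sched=$2; shift 2
    # Keep only the lines of our FWM service: its service line plus the "->"
    # real-server lines that follow, up to the next TCP/UDP/FWM service.
    block=$(awk -v m="$mark" '
        $1 == "TCP" || $1 == "UDP" || $1 == "FWM" { inblk = ($1 == "FWM" && $2 == m) }
        inblk { print }')
    [ -n "$block" ] || { echo "FWM $mark: service not found"; return 1; }
    actual=$(printf '%s\n' "$block" | awk 'NR == 1 { print $3 }')
    [ "$actual" = "$sched" ] || { echo "FWM $mark: scheduler is $actual, expected $sched"; return 1; }
    for rip in "$@"; do
        printf '%s\n' "$block" | grep -q -- "-> $rip:0  *Route" \
            || { echo "FWM $mark: $rip missing or not in Route (DR) mode"; return 1; }
    done
    return 0
}

# Constructed `ipvsadm -ln` output in the same layout the post shows.
SAMPLE_TABLE='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  5 rr
  -> 192.168.206.66:0             Route   1      0          0
  -> 192.168.206.99:0             Route   1      0          0'

# Print the commands for the post's topology; nothing is applied here. On a
# real Director, review the output and then pipe it into sh, and feed the
# live `ipvsadm -ln` output into fwm_check_table instead of SAMPLE_TABLE.
fwm_mark_rule 192.168.206.200 tcp 80,443 5
fwm_service_cmds 5 rr 192.168.206.66 192.168.206.99
printf '%s\n' "$SAMPLE_TABLE" | fwm_check_table 5 rr 192.168.206.66 192.168.206.99 && echo "FWM 5: table OK"
```

The check deliberately insists on the Route forwarding method: in this DR topology a RIP added with `-m` (NAT) instead of `-g` would silently produce a real server that never answers, because the RS does not route its replies back through the Director.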
Browser test omitted.
Change the VS scheduling algorithm:
~]# ipvsadm -E -f 5 -s rr
Test (on a fourth Linux host; copy the CA certificate, cacert.pem, to this host before testing):
~]# for i in {1..10}; do curl http://192.168.206.200; curl --cacert cacert.pem https://192.168.206.200;done
<h1>192.168.206.66 hello word..........</h1>
<h2> hello 192.168.206.99 .......... </h2>
<h1>192.168.206.66 hello word..........</h1>
<h2> hello 192.168.206.99 .......... </h2>
<h1>192.168.206.66 hello word..........</h1>
<h2> hello 192.168.206.99 .......... </h2>
<h1>192.168.206.66 hello word..........</h1>
<h2> hello 192.168.206.99 .......... </h2>
<h1>192.168.206.66 hello word..........</h1>
<h2> hello 192.168.206.99 .......... </h2>
<h1>192.168.206.66 hello word..........</h1>
<h2> hello 192.168.206.99 .......... </h2>
<h1>192.168.206.66 hello word..........</h1>
<h2> hello 192.168.206.99 .......... </h2>
<h1>192.168.206.66 hello word..........</h1>
<h2> hello 192.168.206.99 .......... </h2>
<h1>192.168.206.66 hello word..........</h1>
<h2> hello 192.168.206.99 .......... </h2>
<h1>192.168.206.66 hello word..........</h1>
<h2> hello 192.168.206.99 .......... </h2>