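LVS Load Balancing in Practice: the lvs-nat Model
1. Prepare the machines and configure time synchronization, networking and hostnames
172.16.251.91 client [bridged] [gateway 172.16.251.90]
# the lvs load balancer has two NICs
172.16.251.90 lvs [NIC 1] [bridged]
192.168.42.150 lvs [NIC 2] [VMnet8]
192.168.42.152 rs1 [gateway 192.168.42.150] [VMnet8]
192.168.42.153 rs2 [gateway 192.168.42.150] [VMnet8]
2. Install the software on 172.16.251.90
(1) Install the ipvsadm package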
yum install ipvsadm -y
(2) Enable kernel IP forwarding between the NICs
sysctl -w net.ipv4.ip_forward=1
cat /proc/sys/net/ipv4/ip_forward
3. Install httpd on rs1 and rs2, start httpd on both, and test with curl 127.0.0.1
(1) rs1: add a test page on the rs1 node:
echo "this is rs1 test page." >/var/www/html/index.html
systemctl start httpd.service
[root@rs1 ~]# curl 127.0.0.1
this is rs1 test page
(2) rs2: add a test page on the rs2 node:
echo "this is rs2 test page." >/var/www/html/index.html
systemctl start httpd.service
[root@rs2 ~]# curl 127.0.0.1
this is rs2 test page
4. Add the load-balancing cluster rules on the lvs machine. Here the virtual service is defined with -s selecting the rr algorithm for round-robin scheduling, and -m selecting the lvs-nat mode
ipvsadm -A -t 172.16.251.90:80 -s rr
ipvsadm -a -t 172.16.251.90:80 -r 192.168.42.152:80 -m
ipvsadm -a -t 172.16.251.90:80 -r 192.168.42.153:80 -m
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.251.90:80 rr
  -> 192.168.42.152:80            Masq    1      0          0
  -> 192.168.42.153:80            Masq    1      0          0
5. Test from the client
[root@client ~]# for i in {1..10};do curl http://172.16.251.90 ;done
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
The output shows that requests are served in round-robin order.
6. Let's try a different scheduling algorithm
Starting from the lvs-nat rr setup above, change it to the wrr (weighted round-robin) algorithm:
Set the weight of 192.168.42.152 to 1
Set the weight of 192.168.42.153 to 3
ipvsadm -E -t 172.16.251.90:80 -s wrr
ipvsadm -e -t 172.16.251.90:80 -r 192.168.42.152:80 -w 1 -m
ipvsadm -e -t 172.16.251.90:80 -r 192.168.42.153:80 -w 3 -m
Test again
[root@client ~]# for i in {1..10};do curl http://172.16.251.90 ;done
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs2 test page .
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs2 test page .
this is rs2 test page .
this is rs1 test page
The output shows that the server with weight 3 is hit more often.
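A check for the scheduler switch in step 6, as an added example that is not part of the original article: rr ignores non-zero weights, so weights set with -w only take effect once the service has been switched to wrr with ipvsadm -E. The function name ipvs_lint and the sample table (the step 4 output with the step 6 weights but the scheduler still rr) are constructed for illustration.

```bash
#!/bin/sh
# Constructed sample: `ipvsadm -Ln` output with weights 1 and 3 applied
# while the virtual service is still scheduled with rr.
SAMPLE_IPVS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.251.90:80 rr
  -> 192.168.42.152:80            Masq    1      0          0
  -> 192.168.42.153:80            Masq    3      0          0'

# ipvs_lint: read `ipvsadm -Ln` output on stdin, print one finding per line.
ipvs_lint() {
  awk '
    # Emit the per-service findings once all of its real servers are read.
    function report() {
      if (svc == "") return
      if (n == 0)                 print "NO_REAL_SERVERS " svc
      if (mixed)                  print "MIXED_FORWARDING " svc
      if (sched == "rr" && uneven) print "WEIGHTS_IGNORED_BY_RR " svc
    }
    # A virtual service line: protocol (or FWM), address or mark, scheduler.
    $1 == "TCP" || $1 == "UDP" || $1 == "FWM" {
      report()
      svc = $1 " " $2; sched = $3
      n = 0; mixed = 0; uneven = 0; fwd = ""; w = ""
      next
    }
    # A real server line: "-> RIP:port Forward Weight ActiveConn InActConn".
    $1 == "->" && $2 != "RemoteAddress:Port" {
      n++
      if (fwd == "") fwd = $3
      else if ($3 != fwd) mixed = 1        # e.g. Masq and Route in one service
      if ($4 == 0) print "QUIESCED " svc " " $2   # weight 0: no new connections
      else if (w == "") w = $4
      else if ($4 != w) uneven = 1
    }
    END { report() }
  '
}

# On a live director: ipvsadm -Ln | ipvs_lint
printf '%s\n' "$SAMPLE_IPVS" | ipvs_lint
```

An empty result means every service has real servers, uses one forwarding method, and has a scheduler that honours the configured weights.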
LVS Load Balancing in Practice: the lvs-dr Model
1. Prepare the machines and configure time synchronization, networking and hostnames
192.16.251.90 [client][gateway 172.16.0.1]
# this time lvs needs only one NIC, but an interface alias [172.16.50.50] must be created to serve as the VIP
172.16.251.91 [lvs]
172.16.251.92 [rs1]
172.16.251.93 [rs2]
2. Configure the VIP on the lvs node
ifconfig ens33:0 172.16.50.50 netmask 255.255.255.255 broadcast 172.16.50.50 up
[root@lvs ~]# ifconfig ens33:0 172.16.50.50 netmask 255.255.255.255 broadcast 172.16.50.50 up
[root@lvs ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.251.90  netmask 255.255.0.0  broadcast 172.16.255.255
        ether 00:0c:29:bf:24:15  txqueuelen 1000  (Ethernet)
        RX packets 47889  bytes 43113530 (41.1 MiB)
        RX errors 0  dropped 30  overruns 0  frame 0
        TX packets 15611  bytes 1033180 (1008.9 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.50.50  netmask 255.255.255.255  broadcast 172.16.50.50
        ether 00:0c:29:bf:24:15  txqueuelen 1000  (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 174  bytes 15234 (14.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 174  bytes 15234 (14.8 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
3. Configure the VIP on the rs1 and rs2 nodes
ifconfig lo:0 172.16.50.50 netmask 255.255.255.255 broadcast 172.16.50.50 up
rs1 node:
[root@rs1 ~]# ifconfig lo:0 172.16.50.50 netmask 255.255.255.255 broadcast 172.16.50.50 up
[root@rs1 ~]# route add -host 172.16.50.50 dev lo:0
# configure the kernel ARP parameters on the rs host
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/ens33/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/ens33/arp_announce
The rs2 node is configured the same way.
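A way to verify the ARP settings from step 3 on each real server, as an added example that is not part of the original article. The kernel applies the larger of conf/all and conf/IFACE for these two knobs; the function names, and the mk_tree helper that builds a constructed stand-in for /proc/sys/net/ipv4, are hypothetical.

```bash
#!/bin/sh
# effective_arp ROOT IFACE KNOB: value the kernel applies on IFACE, i.e. the
# larger of ROOT/conf/all/KNOB and ROOT/conf/IFACE/KNOB (missing file = 0).
effective_arp() {
  ea_all=$(cat "$1/conf/all/$3" 2>/dev/null || echo 0)
  ea_if=$(cat "$1/conf/$2/$3" 2>/dev/null || echo 0)
  if [ "$ea_all" -gt "$ea_if" ]; then echo "$ea_all"; else echo "$ea_if"; fi
}

# check_dr_arp ROOT IFACE: succeed only if IFACE runs with the values the
# article sets (arp_ignore=1, arp_announce=2); print one line per deviation.
check_dr_arp() {
  cd_ign=$(effective_arp "$1" "$2" arp_ignore)
  cd_ann=$(effective_arp "$1" "$2" arp_announce)
  cd_rc=0
  if [ "$cd_ign" -ne 1 ]; then
    echo "$2: arp_ignore=$cd_ign (want 1), rs may answer ARP for the VIP on lo:0"
    cd_rc=1
  fi
  if [ "$cd_ann" -ne 2 ]; then
    echo "$2: arp_announce=$cd_ann (want 2), rs may use the VIP as ARP source"
    cd_rc=1
  fi
  return "$cd_rc"
}

# Constructed fixture: a directory shaped like /proc/sys/net/ipv4.
# mk_tree DIR IFACE ALL_IGNORE ALL_ANNOUNCE IF_IGNORE IF_ANNOUNCE
mk_tree() {
  mkdir -p "$1/conf/all" "$1/conf/$2"
  echo "$3" > "$1/conf/all/arp_ignore"
  echo "$4" > "$1/conf/all/arp_announce"
  echo "$5" > "$1/conf/$2/arp_ignore"
  echo "$6" > "$1/conf/$2/arp_announce"
}

# On a real server: check_dr_arp /proc/sys/net/ipv4 ens33
```

Values written with echo into /proc are lost at reboot, so run the check after every boot or persist the settings through the sysctl configuration.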
4. Add the load-balancing cluster rules on the lvs machine
ipvsadm -A -t 172.16.50.50:80 -s rr
ipvsadm -a -t 172.16.50.50:80 -r 172.16.251.92:80 -g
ipvsadm -a -t 172.16.50.50:80 -r 172.16.251.93:80 -g
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.50.50:80 rr
  -> 172.16.251.92:80             Route   1      0          0
  -> 172.16.251.93:80             Route   1      0          0
5. Test from the client
[root@client ~]# for i in {1..10};do curl http://172.16.50.50 ;done
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
The load is balanced in the same way.
Once again we change the scheduling algorithm and adjust the weights, switching to the wrr (weighted round-robin) algorithm:
Set the weight of 172.16.251.92 to 1
Set the weight of 172.16.251.93 to 3
ipvsadm -E -t 172.16.50.50:80 -s wrr
ipvsadm -e -t 172.16.50.50:80 -r 172.16.251.92:80 -w 1 -g
ipvsadm -e -t 172.16.50.50:80 -r 172.16.251.93:80 -w 3 -g
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.50.50:80 wrr
  -> 172.16.251.92:80             Route   1      0          0
  -> 172.16.251.93:80             Route   3      0          0
Test from the client once more
[root@client ~]# for i in {1..10};do curl http://172.16.50.50 ;done
this is rs2 test page .
this is rs2 test page .
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs2 test page .
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs2 test page .
Again, the server with weight 3 is hit more often.
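LVS Load Balancing in Practice: Unified Scheduling of HTTP and HTTPS
This experiment builds on the previous lvs-dr setup. We set up an HTTP virtual host and then enable HTTPS for the whole site. We want LVS to schedule requests to the HTTP and HTTPS sites as one service when load balancing. How can that be done?
We can use fwm, that is, define the LVS service by a firewall mark.
1. Generate the CA certificate on the lvs machine
(1) Generate the private key: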
~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
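(2) Generate the self-signed certificate:
~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
-new: generate a new certificate signing request;
-x509: generate a certificate in self-signed format, used specifically when creating a private CA;
-key: path to the private key file used when generating the request;
-out: path of the generated request file; for a self-signing operation the signed certificate is written directly;
-days: validity period of the certificate, in days;
(3) Provide the directories and files the CA needs:
~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
~]# touch /etc/pki/CA/{serial,index.txt}
~]# echo 01 > /etc/pki/CA/serial
(4) The values entered are as follows:
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:develop
Common Name (eg, your name or your server's hostname) []:ca.test.com
Email Address []:
2. Generate the signed certificate for httpd (also on the lvs node)
(1) Generate the private key for the host that will use the certificate:
mkdir -p /etc/httpd/ssl
cd /etc/httpd/ssl
(umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
(2) Generate the certificate signing request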
openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
(3) Sign the certificate:
openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/httpd/ssl/httpd.crt -days 365
(4) Copy httpd.key and httpd.crt to the rs1 and rs2 hosts
scp httpd.key httpd.crt root@172.16.251.92:/etc/httpd/conf.d/
scp httpd.key httpd.crt root@172.16.251.93:/etc/httpd/conf.d/
3. Perform the following on the rs1 and rs2 hosts
(1) Install the SSL module
yum install mod_ssl openssl -y
(2) Configure ssl.conf
DocumentRoot "/var/www/html"
ServerName www.test.com
SSLCertificateFile /etc/httpd/conf.d/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/httpd.key
(3) Restart httpd
systemctl restart httpd
4. Test from the lvs machine
Change the name resolution: 172.16.251.92 www.test.com
[root@lvs ssl]# curl --cacert /etc/pki/CA/cacert.pem https://www.test.com
this is rs1 test page
[root@lvs ssl]# curl http://www.test.com
this is rs1 test page
Change the name resolution: 172.16.251.93 www.test.com
[root@lvs ssl]# curl http://www.test.com
this is rs2 test page .
[root@lvs ssl]# curl --cacert /etc/pki/CA/cacert.pem https://www.test.com
this is rs2 test page .
5. Bind http and https together for unified scheduling
iptables -F
iptables -t mangle -A PREROUTING -d 172.16.50.50 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 99
iptables -vnL
ipvsadm -C
ipvsadm -A -f 99 -s rr
ipvsadm -a -f 99 -r 172.16.251.92 -g
ipvsadm -a -f 99 -r 172.16.251.93 -g
ipvsadm -Ln
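The firewall-mark binding in step 5 only works while the mark set in the mangle table and the mark served by IPVS are the same number. The following cross-check is an added example, not part of the original article; the function names are hypothetical and both samples are constructed to show what `iptables-save -t mangle` and `ipvsadm -Ln` would typically print after step 5 (iptables-save shows mark 99 as 0x63).

```bash
#!/bin/sh
# Constructed samples for the step 5 configuration.
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 172.16.50.50/32 -p tcp -m multiport --dports 80,443 -j MARK --set-xmark 0x63/0xffffffff
COMMIT'
SAMPLE_IPVS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  99 rr
  -> 172.16.251.92:0              Route   1      0          0
  -> 172.16.251.93:0              Route   1      0          0'

# marks_set TEXT: decimal marks assigned by MARK rules in iptables-save text.
# Accepts both --set-mark N and --set-xmark 0xN/0xMASK.
marks_set() {
  printf '%s\n' "$1" |
    sed -n 's/.*-j MARK --set-x\{0,1\}mark \([0-9a-fA-Fx]*\).*/\1/p' |
    while read -r m; do printf '%d\n' "$m"; done | sort -un
}

# marks_served TEXT: firewall marks that have a virtual service in ipvsadm -Ln text.
marks_served() {
  printf '%s\n' "$1" | awk '$1 == "FWM" { print $2 }' | sort -un
}

# fwm_mismatch MANGLE_TEXT IPVS_TEXT: print marks that are set but not served,
# and services whose mark no rule ever sets. No output means they agree.
fwm_mismatch() {
  fm_set=$(marks_set "$1")
  fm_srv=$(marks_served "$2")
  for m in $fm_set; do
    echo "$fm_srv" | grep -qx "$m" || echo "MARK_WITHOUT_SERVICE $m"
  done
  for m in $fm_srv; do
    echo "$fm_set" | grep -qx "$m" || echo "SERVICE_WITHOUT_MARK $m"
  done
}

# On a live director:
#   fwm_mismatch "$(iptables-save -t mangle)" "$(ipvsadm -Ln)"
fwm_mismatch "$SAMPLE_MANGLE" "$SAMPLE_IPVS"
```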
6. Copy the CA certificate to the client and test
# run on the lvs node
scp cacert.pem root@172.16.251.91:/tmp
# run on the client node
[root@client ~]# for i in {1..10};do curl http://www.test.com ; curl --cacert /tmp/cacert.pem https://www.test.com ;done
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs2 test page .
this is rs1 test page
Likewise, we change the scheduling algorithm and adjust the weights, switching to the wrr (weighted round-robin) algorithm:
# run on the lvs node
ipvsadm -E -f 99 -s wrr
ipvsadm -e -f 99 -r 172.16.251.92 -w 3 -g
ipvsadm -e -f 99 -r 172.16.251.93 -w 1 -g
ipvsadm -Ln
# run on the client node
[root@client ~]# for i in {1..10};do curl http://www.test.com ; curl --cacert /tmp/cacert.pem https://www.test.com ;done
this is rs2 test page .
this is rs1 test page
this is rs1 test page
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs1 test page
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs1 test page
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs1 test page
this is rs1 test page
this is rs2 test page .
this is rs1 test page
this is rs1 test page
this is rs1 test page
Again, the server with weight 3 is hit more often.
Original article by srayban. If you repost it, please credit the source: http://www.178linux.com/78372