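Load balancing in enterprise practice
Load balancing based on the URI the user requests
- Improves the security of the website service
- Simplifies management and operations
- Different staff can be assigned to manage different server clusters
- Separates dynamic and static content across the website cluster
Requests for the domain www.1997sty.com are routed to different servers according to the URI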
```nginx
upstream upload {
    server 10.0.0.8:80;
}
upstream static {
    server 10.0.0.7:80;
}
upstream default {
    server 10.0.0.9:80;
}

server {
    listen 80;
    server_name www.1997sty.com;
    location / {
        proxy_pass http://default;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_next_upstream error timeout http_404 http_502 http_403;
    }
    location /upload {
        proxy_pass http://upload;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_next_upstream error timeout http_404 http_502 http_403;
    }
    location /static {
        proxy_pass http://static;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_next_upstream error timeout http_404 http_502 http_403;
    }
}
```
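Although all three servers are set up with the same site directory, each server is only ever accessed through one branch of that directory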
```bash
# On 10.0.0.7: creates /html/www/upload and /html/www/static
mkdir -p /html/www/{upload,static}
echo "static_10.0.0.7" >/html/www/static/index.html
echo "upload_10.0.0.7" >/html/www/upload/index.html
echo "default_10.0.0.7" >/html/www/index.html

vi /etc/nginx/www.conf
```
```nginx
server {
    listen 80;
    server_name www.1997sty.com;

    location / {
        root /html/www;
        index index.html index.htm;
    }
}
```
```bash
# On 10.0.0.8: creates /html/www/upload and /html/www/static
mkdir -p /html/www/{upload,static}
echo "static_10.0.0.8" >/html/www/static/index.html
echo "upload_10.0.0.8" >/html/www/upload/index.html
echo "default_10.0.0.8" >/html/www/index.html

vi /etc/nginx/www.conf
```
```nginx
server {
    listen 80;
    server_name www.1997sty.com;

    location / {
        root /html/www;
        index index.html index.htm;
    }
}
```
```bash
# On 10.0.0.9: creates /html/www/upload and /html/www/static
mkdir -p /html/www/{upload,static}
echo "static_10.0.0.9" >/html/www/static/index.html
echo "upload_10.0.0.9" >/html/www/upload/index.html
echo "default_10.0.0.9" >/html/www/index.html

vi /etc/nginx/www.conf
```
```nginx
server {
    listen 80;
    server_name www.1997sty.com;

    location / {
        root /html/www;
        index index.html index.htm;
    }
}
```

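Serving different pages according to the user's client type
Requests for the domain www.1997sty.com are split by client type according to the User-Agent header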
```nginx
upstream web {
    server 10.0.0.8:80;
}
upstream mobile {
    server 10.0.0.7:80;
}
upstream default {
    server 10.0.0.9:80;
}

server {
    listen 80;
    server_name www.1997sty.com;
    location / {
        if ($http_user_agent ~* iphone) {
            proxy_pass http://mobile;
        }
        if ($http_user_agent ~* Chrome) {
            proxy_pass http://web;
        }
        proxy_pass http://default;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_next_upstream error timeout http_404 http_502 http_403;
    }
}
```
```bash
# On 10.0.0.7
mkdir -p /html/www
echo "iphone_access 10.0.0.7" >/html/www/index.html

vi /etc/nginx/www.conf
```
```nginx
server {
    listen 80;
    server_name www.1997sty.com;

    location / {
        root /html/www;
        index index.html index.htm;
    }
}
```
```bash
# On 10.0.0.8
mkdir -p /html/www
echo "google_access 10.0.0.8" >/html/www/index.html

vi /etc/nginx/www.conf
```
```nginx
server {
    listen 80;
    server_name www.1997sty.com;

    location / {
        root /html/www;
        index index.html index.htm;
    }
}
```
```bash
# On 10.0.0.9
mkdir -p /html/www
echo "default_access 10.0.0.9" >/html/www/index.html

vi /etc/nginx/www.conf
```
```nginx
server {
    listen 80;
    server_name www.1997sty.com;

    location / {
        root /html/www;
        index index.html index.htm;
    }
}
```

High availability with the keepalived service
Host name and IP address plan

| Service | Host name | eth0 IP | eth1 IP | Software |
| --- | --- | --- | --- | --- |
| Firewall server | firewalld | 10.0.0.81 | 172.16.1.81 | firewalld |
| Load-balancing server | lb01 | 10.0.0.5 | 172.16.1.5 | nginx,keepalived |
| Load-balancing server | lb02 | 10.0.0.6 | 172.16.1.6 | nginx,keepalived |
| Web server | web01 | 10.0.0.7 | 172.16.1.7 | nginx |
| Web server | web02 | 10.0.0.8 | 172.16.1.8 | nginx |
| Web server | web03 | 10.0.0.9 | 172.16.1.9 | nginx |
| Storage server | nfs01 | 10.0.0.31 | 172.16.1.31 | nfs |
| Backup server | backup | 10.0.0.41 | 172.16.1.41 | rsync |
| Database server | db01 | 10.0.0.51 | 172.16.1.51 | mysql,mariaDB |
| Batch management server | m01 | 10.0.0.61 | 172.16.1.61 | ansible |
| Jump server | jumpserver | 10.0.0.71 | 172.16.1.71 | jumpserver |
| Monitoring server | zabbix | 10.0.0.72 | 172.16.1.72 | zabbix |
| Cache server | none yet | none yet | none yet | none yet |

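Avoiding a single point of failure in the load-balancing service

How the high-availability service works

Deployment procedure for the keepalived high-availability service
Install the keepalived software
yum install -y keepalived
Write the keepalived configuration file
- /etc/keepalived/keepalived.conf : the keepalived configuration file
- GLOBAL CONFIGURATION : global configuration section
- VRRPD CONFIGURATION : VRRP protocol configuration section
- LVS CONFIGURATION : LVS service management configuration section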
```conf
# Global configuration section
global_defs {

    notification_email {
        acassen@firewall.loc
        failover@firewall.loc
        sysadmin@firewall.loc
    }

    notification_email_from 1997sty@163.com
    smtp_server 163.smtp.xxx_
    smtp_connect_timeout 30

    router_id LVS_DEVEL
}

# VRRP protocol family
vrrp_instance 1997sty {

    state MASTER

    interface eth0

    virtual_router_id 51

    priority 100

    advert_int 1

    authentication {
        auth_type PASS
        auth_pass 1111
    }

    virtual_ipaddress {
        192.168.200.16
        192.168.200.17
        192.168.200.18
    }
}
```
- Edit the /etc/keepalived/keepalived.conf configuration file on 10.0.0.5
```conf
global_defs {
    router_id lb01
}

vrrp_instance 1997sty {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3/24
    }
}
```
- Edit the /etc/keepalived/keepalived.conf configuration file on 10.0.0.6
```conf
global_defs {
    router_id lb02
}

vrrp_instance 1997sty {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3/24
    }
}
```
Once the configuration is complete, start the keepalived service
```bash
systemctl start keepalived.service
systemctl status keepalived.service

# Check the IP information: the MASTER host gains one extra address, the keepalived IP
ip a
```

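The split-brain problem in the high-availability service
It happens when the backup server cannot receive the multicast packets sent by the master server; the VIP address is then brought up automatically on the backup server


Causes
- Physical: the communication link between the nodes of the high-availability cluster has a problem
- Logical: a security policy is blocking the traffic
Solution
Monitor the cluster and send e-mail alerts
- Deploy this script on 10.0.0.6; when the master is unavailable, the backup takes over immediately and sends an e-mail
```bash
#!/bin/bash

# Alert when the VIP 10.0.0.3 is present on this host's eth0.
# -F matches the address literally; the trailing "/" keeps 10.0.0.31 from matching.
# Message text: "keepalived service is abnormal, please check"; subject: "alert - keepalived"
if ip a s eth0 | grep -qF "10.0.0.3/"
then
    echo "keepalived服务出现异常,请进行检查" | mail -s "异常告警-keepalived" admin@1997sty.com
fi
```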
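- Sending mail requires configuring /etc/mail.rc and then restarting the mail service with systemctl restart postfix.service
```
vim /etc/mail.rc

# lines to add to /etc/mail.rc
set from=<email address> smtp=<mail server address>
set smtp-auth-user=<email address> smtp-auth-password=<mailbox authorization password> smtp-auth=login

systemctl restart postfix.service
```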
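The check above alerts whenever lb02 holds the VIP, which is also true after a normal failover. As an added example (not part of the original page), this variant reports split-brain only when both nodes hold the VIP at once. It assumes key-based SSH from lb02 to lb01 over the internal address 172.16.1.5; the function names and sample lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the page's script. Assumptions: SSH access to the peer over
# eth1 (172.16.1.5), the function names, and the constructed SAMPLE_* inputs.
VIP="10.0.0.3"
PEER="172.16.1.5"

# holds_vip VIP: reads `ip -o -4 addr show dev eth0` output on stdin and succeeds
# only on an exact address match, so 10.0.0.3 never matches 10.0.0.31.
holds_vip() {
    awk -v vip="$1" '{ split($4, a, "/"); if (a[1] == vip) found = 1 }
                     END { exit !found }'
}

# classify LOCAL_HAS_VIP PEER_HAS_VIP -> standby | failover | split-brain
classify() {
    if [ "$1" != "yes" ]; then echo standby
    elif [ "$2" = "yes" ]; then echo split-brain
    else echo failover
    fi
}

# Constructed sample input, one address per line as `ip -o -4 addr` prints it.
SAMPLE_BACKUP_WITH_VIP='2: eth0    inet 10.0.0.6/24 brd 10.0.0.255 scope global noprefixroute eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.3/24 scope global secondary eth0\       valid_lft forever preferred_lft forever'
SAMPLE_LOOKALIKE='2: eth0    inet 10.0.0.31/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever'

main() {
    local local_vip=no peer_vip=no
    ip -o -4 addr show dev eth0 | holds_vip "$VIP" && local_vip=yes
    # An unreachable peer yields empty input, which counts as "peer has no VIP".
    ssh -o BatchMode=yes -o ConnectTimeout=2 "$PEER" ip -o -4 addr show dev eth0 \
        2>/dev/null | holds_vip "$VIP" && peer_vip=yes
    case "$(classify "$local_vip" "$peer_vip")" in
        split-brain) echo "VIP $VIP is held by both lb01 and lb02" \
                        | mail -s "keepalived split-brain" admin@1997sty.com ;;
        failover)    echo "lb02 has taken over VIP $VIP" \
                        | mail -s "keepalived failover" admin@1997sty.com ;;
    esac
}

# Run the live check only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from cron on lb02 with the `--run` argument; without it the script only defines the functions.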
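Shutting down the keepalived service on one of the servers
- On 10.0.0.5, write a script that monitors the state of the nginx service: it checks whether nginx is running, and if nginx is unavailable, keepalived on this server must be stopped as well
```bash
#!/bin/bash

# Count nginx processes; the [n] bracket keeps grep from counting itself,
# and the quotes stop the shell from expanding the pattern as a glob.
num=$(ps -ef | grep -c '[n]ginx')
# A running nginx has at least a master and one worker process.
if [ "$num" -lt 2 ]
then
    systemctl stop keepalived
fi
```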
- Edit the /etc/keepalived/keepalived.conf configuration file on 10.0.0.5
```conf
global_defs {
    router_id lb01
}

vrrp_script check_web {

    script "/root/check_web.sh"

    interval 3
    weight 2
}

vrrp_instance 1997sty {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3/24
    }
    track_script {

        check_web
    }
}
```
Dual-master configuration of the high-availability cluster

Edit the keepalived configuration files
- Edit the /etc/keepalived/keepalived.conf configuration file on 10.0.0.5
```conf
global_defs {
    router_id lb01
}

vrrp_instance 1997sty {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3/24
    }
}
vrrp_instance sty1997 {
    state BACKUP
    interface eth0
    virtual_router_id 52
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.4/24
    }
}
```
- Edit the /etc/keepalived/keepalived.conf configuration file on 10.0.0.6
```conf
global_defs {
    router_id lb02
}

vrrp_instance 1997sty {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3/24
    }
}
vrrp_instance sty1997 {
    state MASTER
    interface eth0
    virtual_router_id 52
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.4/24
    }
}
```
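After restarting the keepalived service, check the network interface information
If either host fails, the other host will hold both the 10.0.0.3 and 10.0.0.4 addresses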
```text
[root@lb01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:20:f8:30 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.5/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 10.0.0.3/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::e07d:4f53:a2a8:f415/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
    inet6 fe80::40b1:ca4:d21:8f0b/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
    inet6 fe80::2bf8:4ec5:b3b1:5c3b/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:20:f8:3a brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.5/24 brd 172.16.1.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::8b98:49b4:5566:ec9d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[root@lb02 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:56:e6:44 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.6/24 brd 10.0.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 10.0.0.4/24 scope global secondary eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::e07d:4f53:a2a8:f415/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
    inet6 fe80::40b1:ca4:d21:8f0b/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
    inet6 fe80::2bf8:4ec5:b3b1:5c3b/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:56:e6:4e brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.6/24 brd 172.16.1.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::5ef1:fc45:5747:6395/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::8b98:49b4:5566:ec9d/64 scope link tentative noprefixroute dadfailed
       valid_lft forever preferred_lft forever
```
Secure access configuration for the high-availability service (load-balancing service)
- Configure the /etc/nginx/conf.d/www.conf configuration file on 10.0.0.5 and 10.0.0.6
```nginx
upstream 1997sty {
    server 10.0.0.7:80;
    server 10.0.0.8:80;
    server 10.0.0.9:80;
}
server {
    listen 10.0.0.3:80;
    server_name www.1997sty.com;
    location / {
        proxy_pass http://1997sty;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_next_upstream error timeout http_404 http_502 http_403;
    }
}
server {
    listen 10.0.0.4:80;
    server_name bbs.1997sty.com;
    location / {
        proxy_pass http://1997sty;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_next_upstream error timeout http_404 http_502 http_403;
    }
}
```
Restarting the service directly will not succeed: by default nginx cannot listen on an address that is not present on a network interface
```bash
echo 'net.ipv4.ip_nonlocal_bind = 1' >>/etc/sysctl.conf
sysctl -p
systemctl restart nginx

netstat -luntp |grep 80
```
```text
[root@lb01 ~]
tcp 0 0 10.0.0.4:80 0.0.0.0:* LISTEN 4127/nginx: master
tcp 0 0 10.0.0.3:80 0.0.0.0:* LISTEN 4127/nginx: master
[root@lb02 ~]
tcp 0 0 10.0.0.4:80 0.0.0.0:* LISTEN 3529/nginx: master
tcp 0 0 10.0.0.3:80 0.0.0.0:* LISTEN 3529/nginx: master
```