Operating system: Red Hat 5.8 (kernel 2.6.18-308.el5)
The following three examples illustrate LVS:
I. LVS with the NAT model
II. LVS with the DR model
III. PNMPP persistent firewall mark: using a firewall mark to define the affinity between port 80 and port 443
I. LVS with the NAT model
Lab topology diagram: (figure not reproduced)
Lab environment:
Three servers:
Director with two NICs
Director VIP: 172.16.0.22 (NIC in Bridge mode)
Director DIP: 192.168.10.1 (NIC in host-only mode)
RS1: 192.168.0.11 (NIC in host-only mode)
RS2: 192.168.0.12 (NIC in host-only mode)
1. Configure RS1 and install httpd
- #yum -y install httpd
- #echo "<h1>RS1</h1>" >/var/www/html/index.html
- #service httpd start #start the httpd service
2. Configure RS2 and install httpd
- #yum -y install httpd
- #echo "<h1>RS2</h1>" >/var/www/html/index.html
- #service httpd start #start the httpd service
3. Install ipvsadm, define the cluster service and add the Real Servers
- echo 1 >/proc/sys/net/ipv4/ip_forward #enable IP forwarding
- yum -y install ipvsadm #install ipvsadm
- Add the rules:
- ipvsadm -A -t 172.16.0.22:80 -s rr
- ipvsadm -a -t 172.16.0.22:80 -r 192.168.10.2 -m
- ipvsadm -a -t 172.16.0.22:80 -r 192.168.10.3 -m
- Save the rules: /etc/init.d/ipvsadm save
4. Test
Open http://172.16.0.22/ in a browser
Refresh the page once more
Use ipvsadm to view the connection state:
- [root@localhost ~]# ipvsadm -Lcn
- IPVS connection entries
- pro expire state source virtual destination
- TCP 01:55 TIME_WAIT 192.168.0.208:56673 172.16.0.22:80 192.168.10.3:80
- TCP 00:07 CLOSE 192.168.0.208:56691 172.16.0.22:80 192.168.10.3:80
- TCP 00:07 CLOSE 192.168.0.208:56694 172.16.0.22:80 192.168.10.2:80
II. LVS with the DR model
Lab environment:
NICs in bridged mode
DIP: 172.16.0.22
VIP: 172.16.0.100
RS1: 172.16.0.23
RS2: 172.16.0.24
1. Configure RS1
- Modify the kernel parameters on RS1
- #echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
- #echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
- #echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
- #echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
- Configure the VIP address on RS1 and add the route
- #ifconfig lo:0 172.16.0.100 broadcast 172.16.0.100 netmask 255.255.255.255 up
- #route add -host 172.16.0.100 dev lo:0
- Use elinks to test whether the VIP configured on RS1 is in effect
- [root@RS1 html]# elinks -dump http://172.16.0.23/index.html
- RS1
- [root@RS1 html]# elinks -dump http://172.16.0.100/index.html
- RS1
- Test successful
2. Configure RS2
- Modify the kernel parameters on RS2
- #echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
- #echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
- #echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
- #echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
- Configure the VIP address on RS2 and add the route
- #ifconfig lo:0 172.16.0.100 broadcast 172.16.0.100 netmask 255.255.255.255 up
- #route add -host 172.16.0.100 dev lo:0
- Use elinks to test whether the VIP configured on RS2 is in effect
- [root@RS2 html]# elinks -dump http://172.16.0.24/index.html
- RS2
- [root@RS2 html]# elinks -dump http://172.16.0.100/index.html
- RS2
- Test successful
3. Configure the Director Server
- Configure the VIP address on the Director and add the route
- #ifconfig eth0:0 172.16.0.100 broadcast 172.16.0.100 netmask 255.255.255.255 up
- #route add -host 172.16.0.100 dev eth0:0
- Enable IP forwarding
- #echo 1 >/proc/sys/net/ipv4/ip_forward
- Define the cluster service and add the Real Servers
- #ipvsadm -A -t 172.16.0.100:80 -s rr
- #ipvsadm -a -t 172.16.0.100:80 -r 172.16.0.23 -g
- #ipvsadm -a -t 172.16.0.100:80 -r 172.16.0.24 -g
Open http://172.16.0.100/ in a browser
Refresh the page
- [root@localhost ~]# ipvsadm -Lcn
- IPVS connection entries
- pro expire state source virtual destination
- TCP 01:50 FIN_WAIT 192.168.0.208:57015 172.16.0.100:80 172.16.0.23:80
- TCP 01:53 FIN_WAIT 192.168.0.208:57079 172.16.0.100:80 172.16.0.23:80
- TCP 00:02 CLOSE 192.168.0.208:57032 172.16.0.100:80 172.16.0.24:80
- TCP 01:53 FIN_WAIT 192.168.0.208:57081 172.16.0.100:80 172.16.0.23:80
- TCP 01:52 FIN_WAIT 192.168.0.208:57042 172.16.0.100:80 172.16.0.24:80
III. PNMPP persistent firewall mark
Director Server: 172.16.0.22
The topology is the same as above; the DR model is used.
1. Configure the Director Server
- Configure the VIP address on the Director, add the route and enable IP forwarding, following the steps above
- Set up the CA server
- #vim /etc/pki/tls/openssl.cnf
- dir=/etc/pki/CA #make sure openssl.cnf points the CA at this directory
- #cd /etc/pki/CA
- #mkdir certs newcerts crl
- #touch index.txt
- #echo 01 > serial
- #(umask 077;openssl genrsa -out private/cakey.pem 2048)
- #openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 365
- Add firewall rules that define the affinity between port 80 and port 443
- #iptables -t mangle -A PREROUTING -d 172.16.0.100 -p tcp --dport 80 -j MARK --set-mark 6
- #iptables -t mangle -A PREROUTING -d 172.16.0.100 -p tcp --dport 443 -j MARK --set-mark 6
- Define the cluster service and add the Real Servers
- #ipvsadm -A -f 6 -s rr
- #ipvsadm -a -f 6 -r 172.16.0.23 -g
- #ipvsadm -a -f 6 -r 172.16.0.24 -g
2. Configure RS1
- The kernel parameters, the VIP and the route must be configured as in the steps above
- Generate the key for the httpd service
- #yum -y install mod_ssl
- #mkdir /etc/httpd/ssl
- #cd /etc/httpd/ssl/
- #(umask 077;openssl genrsa -out httpd.key 2048)
- #openssl req -new -key httpd.key -out httpd.csr #generates a signing request (no -x509, so it is not self-signed); fill in the domain name you will access, here www.test.com
- Have the CA sign the certificate (run on the CA server)
- #scp httpd.csr 172.16.0.22:/tmp
- #openssl ca -in httpd.csr -out httpd.crt -days 3665
- #scp httpd.crt 172.16.0.23:/etc/httpd/ssl
- #vim /etc/httpd/conf.d/ssl.conf
- DocumentRoot "/var/www/html"
- ServerName www.test.com:443
- SSLCertificateFile /etc/httpd/ssl/httpd.crt
- SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
- #service httpd restart
3. Configure RS2
- The kernel parameters, the VIP and the route must be configured and tested with elinks as in the steps above
- Copy the /etc/httpd/ssl directory and the ssl.conf file from RS1
- #yum -y install mod_ssl
- #scp -rp /etc/httpd/ssl 172.16.0.24:/etc/httpd/ssl
- #scp /etc/httpd/conf.d/ssl.conf 172.16.0.24:/etc/httpd/conf.d/ #copy to RS2 (172.16.0.24)
- #service httpd restart
First test port 80
Test port 443: note the padlock icon in the browser shown above
Tips:
1. Edit the hosts file on your local Windows machine so that www.test.com resolves to 172.16.0.100
2. The client-side certificate is downloaded from the CA and imported into the browser
- [root@localhost ~]# ipvsadm -Lcn
- IPVS connection entries
- pro expire state source virtual destination
- TCP 01:03 FIN_WAIT 192.168.0.208:55308 172.16.0.100:443 172.16.0.23:443
- TCP 01:03 FIN_WAIT 192.168.0.208:55312 172.16.0.100:443 172.16.0.23:443
- TCP 01:45 FIN_WAIT 192.168.0.208:55349 172.16.0.100:80 172.16.0.23:80
- TCP 01:21 FIN_WAIT 192.168.0.208:55339 172.16.0.100:443 172.16.0.23:443
- TCP 01:03 FIN_WAIT 192.168.0.208:55307 172.16.0.100:443 172.16.0.24:443
- TCP 01:46 FIN_WAIT 192.168.0.208:55355 172.16.0.100:80 172.16.0.23:80
- TCP 01:46 FIN_WAIT 192.168.0.208:55354 172.16.0.100:80 172.16.0.24:80
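The connection tables shown in the NAT, DR and firewall-mark sections are easier to judge once aggregated per real server. The helpers below are an added example, not part of the original post: they parse raw `ipvsadm -Lcn` output (columns pro, expire, state, source, virtual, destination) and the sample table is constructed from the firewall-mark section's output using the lab's addresses.

```bash
#!/bin/sh
# Added example (not from the original post): summarise "ipvsadm -Lcn" output
# so that a real server receiving no traffic, or a client whose :80 and :443
# connections land on different real servers, is visible at a glance.
# Live use on the Director:  ipvsadm -Lcn | count_per_rs

# Constructed sample, modelled on the firewall-mark section's connection table.
SAMPLE_IPVS_OUTPUT='IPVS connection entries
pro expire state       source              virtual            destination
TCP 01:03  FIN_WAIT    192.168.0.208:55308 172.16.0.100:443   172.16.0.23:443
TCP 01:03  FIN_WAIT    192.168.0.208:55312 172.16.0.100:443   172.16.0.23:443
TCP 01:45  FIN_WAIT    192.168.0.208:55349 172.16.0.100:80    172.16.0.23:80
TCP 01:21  FIN_WAIT    192.168.0.208:55339 172.16.0.100:443   172.16.0.23:443
TCP 01:03  FIN_WAIT    192.168.0.208:55307 172.16.0.100:443   172.16.0.24:443
TCP 01:46  FIN_WAIT    192.168.0.208:55355 172.16.0.100:80    172.16.0.23:80
TCP 01:46  FIN_WAIT    192.168.0.208:55354 172.16.0.100:80    172.16.0.24:80'

# count_per_rs: number of tracked connections per "virtual -> destination"
# pair, read from stdin. Header lines (no TCP/UDP in column 1) are skipped.
count_per_rs() {
    awk '($1 == "TCP" || $1 == "UDP") { n[$5 " -> " $6]++ }
         END { for (k in n) print n[k], k }' | sort
}

# connections_for RS_IP: tracked connections to one real server on any port.
# A configured real server that returns 0 while others are busy is not
# receiving traffic and should be checked.
connections_for() {
    awk -v rs="$1" '($1 == "TCP" || $1 == "UDP") {
             split($6, d, ":"); if (d[1] == rs) c++
         }
         END { print c + 0 }'
}

# clients_on_multiple_rs: client IPs whose connections are spread over more
# than one real server. With the port 80/443 firewall mark, a client listed
# here was not pinned to a single real server, which is what the ipvsadm
# persistence option (-p, not used in the post's rules) would provide.
clients_on_multiple_rs() {
    awk '($1 == "TCP" || $1 == "UDP") {
             split($4, s, ":"); split($6, d, ":")
             if (!((s[1], d[1]) in seen)) { seen[s[1], d[1]] = 1; cnt[s[1]]++ }
         }
         END { for (c in cnt) if (cnt[c] > 1) print c }' | sort
}
```

Run against the constructed sample, `connections_for 172.16.0.23` reports 5 and `172.16.0.24` reports 2, and `clients_on_multiple_rs` lists 192.168.0.208 because its requests alternated between the two real servers.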