Using the LVS Mark feature to implement persistent connections for HTTP and HTTPS services

Configure the cluster service using the LVS DR model


The IP address plan is as follows:

VIP:192.168.0.10

DIP:192.168.0.61

RIP1:192.168.0.62

RIP2:192.168.0.63

For simplicity, LVS is first set up with all hosts on the same subnet.

Install the http and https services in advance:

RS1:

# yum install mod_ssl
# cd /etc/httpd/conf
# mkdir ssl
# cd ssl
# (umask 077; openssl genrsa 1024 > httpd.key)
# openssl req -new -key httpd.key -out httpd.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:Tech
Organizational Unit Name (eg, section) []:test.glx.com
Common Name (eg, your name or your server's hostname) []:
Email Address []:

The certificate signing request has been generated; send it to the self-built CA for signing.


Director:

# cd /etc/pki/CA
# (umask 077; openssl genrsa 2048 > private/cakey.pem)
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:Tech
Organizational Unit Name (eg, section) []:test.glx.com
Common Name (eg, your name or your server's hostname) []:
Email Address []:
# touch index.txt
# echo 01 > serial

Sign the certificate:

# openssl ca -in httpd.csr -out httpd.crt -days 365

Send the signed certificate back to RS1.
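Before the signed certificate is copied to the real servers it is worth checking that it really chains to the self-built CA and that it belongs to the httpd.key that mod_ssl will load; a mismatch between the two only shows up as a failed "service httpd start". The script below is an added example, not part of the original post. Its two check functions take file paths; make_demo_pki builds a constructed throw-away CA and server certificate in a temp directory (using "openssl x509 -req -CA" instead of the post's "openssl ca", so it needs no /etc/pki/CA index or serial files, and a 2048-bit key instead of the post's 1024-bit one) purely so the checks can be exercised offline. Note that the post leaves Common Name empty; browsers match the host name against the Common Name or Subject Alternative Name, so a real CSR should set it to the name clients will use.

```sh
#!/bin/sh
# Added example (not from the original post): sanity checks for a freshly signed httpd
# certificate. All paths are passed as arguments; nothing here is a project-specific file name.

# cert_chains_to_ca CA_CERT SERVER_CERT: returns 0 only if SERVER_CERT was signed by CA_CERT
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_matches_key SERVER_CERT SERVER_KEY: returns 0 only if the public key embedded in the
# certificate equals the public half of the private key (compared as PEM SubjectPublicKeyInfo)
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_demo_pki: constructed demo material (CA key/cert, server key/CSR/cert, plus an unrelated
# key to show mismatch detection). Prints the temp directory path; caller removes it.
make_demo_pki() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        umask 077
        openssl genrsa -out ca.key 2048 >/dev/null 2>&1 || exit 1
        openssl req -new -x509 -key ca.key -out ca.crt -days 3650 \
            -subj "/C=CN/O=Tech/CN=demo CA" >/dev/null 2>&1 || exit 1
        openssl genrsa -out httpd.key 2048 >/dev/null 2>&1 || exit 1
        openssl req -new -key httpd.key -out httpd.csr \
            -subj "/C=CN/O=Tech/CN=test.glx.com" >/dev/null 2>&1 || exit 1
        openssl x509 -req -in httpd.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out httpd.crt -days 365 >/dev/null 2>&1 || exit 1
        openssl genrsa -out other.key 2048 >/dev/null 2>&1 || exit 1
    ) || return 1
    printf '%s\n' "$d"
}

# Usage on the Director after "openssl ca":  sh check.sh check cacert.pem httpd.crt httpd.key
case "${1:-}" in
    check)
        cert_chains_to_ca "$2" "$3" || { echo "certificate does not chain to CA" >&2; exit 1; }
        cert_matches_key "$3" "$4" || { echo "certificate does not match key" >&2; exit 1; }
        echo "certificate OK"
        ;;
esac
```

Run the check on the Director right after signing, and again on each RS after the scp, since a file copied into the wrong directory (the post's ssl.conf points at /etc/httpd/conf/ssl/) fails the same way as a wrong key.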


On RS1 the configuration file needs the following:

# vim /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/httpd/conf/ssl/httpd.crt

SSLCertificateKeyFile /etc/httpd/conf/ssl/httpd.key

DocumentRoot "/var/www/html"


The three certificate-related files are placed here:

# ls /etc/httpd/conf/ssl/
httpd.crt  httpd.csr  httpd.key


Copy the ssl.conf above and the three certificate-related files to RS2:

# scp ssl.conf 192.168.0.63:/etc/httpd/conf.d/

# scp -rp ssl/* 192.168.0.63:/etc/httpd/conf/ssl/


On RS1 and RS2, verify that the httpd configuration file is correct:

# httpd -t
Syntax OK

# service httpd start


At this point httpd and https on the RS are ready.


Configure the LVS cluster on the Director


# iptables -t mangle -A PREROUTING -d 192.168.0.10 -p tcp --dport 80 -j MARK --set-mark 10

# iptables -t mangle -A PREROUTING -d 192.168.0.10 -p tcp --dport 443 -j MARK --set-mark 10


Define the packets tagged with mark 10 as one LVS service, and use the -p option to make it a persistent service:

# ipvsadm -A -f 10 -s rr -p

# ipvsadm -a -f 10 -r 192.168.0.62 -g

# ipvsadm -a -f 10 -r 192.168.0.63 -g
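The point of the firewall mark is that port 80 and port 443 become a single LVS service, so the persistence table keeps a client on the same real server whether it speaks HTTP or HTTPS; two separate "-t VIP:80" and "-t VIP:443" services would each keep their own table. The script below is an added example, not the post's own code: it wraps the Director commands above in a small setup script with a dry-run mode, and adds the real-server side (VIP on lo plus ARP suppression) that the DR model requires and the post does not show. VIP, RS_LIST, FWMARK and PERSIST_SECS are assumed values taken from the post's IP plan; the persistence timeout is passed explicitly (the post's bare "-p" uses ipvsadm's default of 300 seconds).

```sh
#!/bin/sh
# Added example (not from the original post): Director and RS setup for the fwmark-based
# LVS-DR service. DRY_RUN=1 (the default) prints the commands instead of executing them.
VIP=${VIP:-192.168.0.10}
RS_LIST=${RS_LIST:-"192.168.0.62 192.168.0.63"}
FWMARK=${FWMARK:-10}
PERSIST_SECS=${PERSIST_SECS:-300}
DRY_RUN=${DRY_RUN:-1}

# run: echo the command line in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mark_rules: tag HTTP and HTTPS traffic to the VIP with the same mark, so LVS sees
# one service and persistence spans both ports
mark_rules() {
    for port in 80 443; do
        run iptables -t mangle -A PREROUTING -d "$VIP" -p tcp --dport "$port" \
            -j MARK --set-mark "$FWMARK"
    done
}

# ipvs_rules: define the fwmark service (round-robin, persistent) and add each real
# server in direct-routing (-g) mode
ipvs_rules() {
    run ipvsadm -A -f "$FWMARK" -s rr -p "$PERSIST_SECS"
    for rs in $RS_LIST; do
        run ipvsadm -a -f "$FWMARK" -r "$rs" -g
    done
}

# director_setup: the full Director sequence; in dry-run mode the command list goes to stdout
director_setup() {
    mark_rules
    ipvs_rules
}

# rs_setup: what every real server needs for DR mode. The RS must own the VIP to accept the
# forwarded frames, but must not answer ARP for it, or it competes with the Director.
rs_setup() {
    run sysctl -w net.ipv4.conf.all.arp_ignore=1
    run sysctl -w net.ipv4.conf.lo.arp_ignore=1
    run sysctl -w net.ipv4.conf.all.arp_announce=2
    run sysctl -w net.ipv4.conf.lo.arp_announce=2
    run ip addr add "$VIP/32" dev lo
    run ip route add "$VIP" dev lo
}

# Usage:  DRY_RUN=0 sh lvs-setup.sh director    (on the Director)
#         DRY_RUN=0 sh lvs-setup.sh rs          (on each RS)
case "${1:-}" in
    director) director_setup ;;
    rs)       rs_setup ;;
esac
```

Run it with DRY_RUN=1 first and compare the printed lines with "ipvsadm -L -n" and "iptables -t mangle -L PREROUTING -n" after the real run; the fwmark service shows up as "FWM 10" in the ipvsadm listing, with the persistence timeout beside it.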


Verify access from a client:



Access succeeded.



This article is from the blog "农夫的博客"; please keep this source: http://gaolingxu.blog.51cto.com/3009644/1581268
