Using the LVS firewall-mark (MARK) feature to give HTTP and HTTPS services persistent connections
Configure the cluster service with the LVS DR model
The IP addresses are planned as follows:
VIP:192.168.0.10
DIP:192.168.0.61
RIP1:192.168.0.62
RIP2:192.168.0.63
For simplicity, the LVS service is first set up with all hosts on the same subnet.
Install the http and https services in advance:
RS1:
# yum install mod_ssl
# cd /etc/httpd/conf
# mkdir ssl
# (umask 077;openssl genrsa 1024 > httpd.key)
# openssl req -new -key httpd.key -out httpd.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:Tech
Organizational Unit Name (eg, section) []:test.glx.com
Common Name (eg, your name or your server's hostname) []:
Email Address []:
The certificate request has been generated; send it to the self-built CA for signing.
Director:
# cd /etc/pki/CA
# (umask 077 ;openssl genrsa 2048 > private/cakey.pem)
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:Tech
Organizational Unit Name (eg, section) []:test.glx.com
Common Name (eg, your name or your server's hostname) []:
Email Address []:
# touch index.txt
# echo 01 > serial
Sign the certificate:
# openssl ca -in httpd.csr -out httpd.crt -days 365
Send the signed certificate back to RS1.
On RS1 the configuration file needs the following settings:
# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/httpd.key
DocumentRoot "/var/www/html"
The three certificate-related files are placed here:
# ls /etc/httpd/conf/ssl/
httpd.crt httpd.csr httpd.key
Copy the ssl.conf above and the three certificate-related files to RS2:
# scp ssl.conf 192.168.0.63:/etc/httpd/conf.d/
# scp -rp ssl/* 192.168.0.63:/etc/httpd/conf/ssl/
On RS1 and RS2, check that the httpd configuration file is valid:
# httpd -t
Syntax OK
# service httpd start
At this point httpd and https on the RSs are ready.
Configure the LVS cluster on the Director
# iptables -t mangle -A PREROUTING -d 192.168.0.10 -p tcp --dport 80 -j MARK --set-mark 10
# iptables -t mangle -A PREROUTING -d 192.168.0.10 -p tcp --dport 443 -j MARK --set-mark 10
Define mark 10 as a single LVS service, and use the -p option to make it persistent, so that a client's HTTP and HTTPS connections are bound to the same RS:
# ipvsadm -A -f 10 -s rr -p
# ipvsadm -a -f 10 -r 192.168.0.62 -g
# ipvsadm -a -f 10 -r 192.168.0.63 -g
Verify by accessing the service from a client:
This article comes from the "农夫的博客" blog; please keep this source: http://gaolingxu.blog.51cto.com/3009644/1581268
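Besides testing from a client, the Director's own rule tables can be checked for the two things this setup depends on: both ports carry the same mark, and the mark-based service is persistent with every RS attached in Route (DR) mode. The script below is an added example, not from the original post; it assumes the output formats of `iptables -t mangle -S PREROUTING` and `ipvsadm -Ln` on CentOS 6 era tools, and the sample outputs it ships with are constructed.

```shell
# Consistency check for the fwmark-based LVS service configured above. Added
# example, not from the original post; it assumes the output formats of
# `iptables -t mangle -S PREROUTING` and `ipvsadm -Ln` (CentOS 6 era tools).
VIP=192.168.0.10
FWM=10
RS_LIST="192.168.0.62 192.168.0.63"

# Return 0 when both port 80 and port 443 to $VIP are marked with $FWM.
check_mangle() {
    rules=$1
    hexmark=$(printf '0x%x' "$FWM")   # iptables -S shows --set-mark 10 as --set-xmark 0xa/0xffffffff
    vip_re=$(printf '%s' "$VIP" | sed 's/\./\\./g')
    for port in 80 443; do
        printf '%s\n' "$rules" |
            grep -E -q -- "-d $vip_re/32 .*--dport $port .*-j MARK --set-x?mark $hexmark(/|$)" || return 1
    done
    return 0
}

# Return 0 when the FWM service exists, is persistent (-p) and every RS is
# attached in Route mode (the -g / DR forwarding used above).
check_ipvs() {
    table=$1
    # keep only our service's lines: from "FWM <mark>" up to the next service header
    block=$(printf '%s\n' "$table" | awk -v fwm="$FWM" '
        /^(FWM|TCP|UDP) / { inblk = ($1 == "FWM" && $2 == fwm) }
        inblk')
    [ -n "$block" ] || return 1
    printf '%s\n' "$block" | head -n 1 | grep -q 'persistent' || return 1
    for rs in $RS_LIST; do
        printf '%s\n' "$block" | grep -q -- "-> $rs:0 *Route " || return 1
    done
    return 0
}

# Constructed sample outputs matching the rules and ipvsadm commands in the post.
SAMPLE_MANGLE='-P PREROUTING ACCEPT
-A PREROUTING -d 192.168.0.10/32 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0xa/0xffffffff
-A PREROUTING -d 192.168.0.10/32 -p tcp -m tcp --dport 443 -j MARK --set-xmark 0xa/0xffffffff'
SAMPLE_IPVS='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  10 rr persistent 360
  -> 192.168.0.62:0               Route   1      0          0
  -> 192.168.0.63:0               Route   1      0          0'
# The same service created without -p: HTTP and HTTPS requests from one client may land on different RSs.
SAMPLE_IPVS_NOPERSIST=$(printf '%s\n' "$SAMPLE_IPVS" | sed 's/ persistent 360$//')
# Self-check on the samples; on the Director use the live outputs instead:
#   check_mangle "$(iptables -t mangle -S PREROUTING)" && check_ipvs "$(ipvsadm -Ln)"
check_mangle "$SAMPLE_MANGLE" && check_ipvs "$SAMPLE_IPVS" && echo "fwmark service looks consistent"
```

The check is read-only and needs root only when run against the live tables.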