
haproxy配置负载均衡

时间:2021-04-18 06:33:46


haproxy配置负载均衡

关闭防火墙和selinux

[root@DR ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# setenforce 0
[root@RS1 ~]# systemctl disable --now firewalld
[root@RS1 ~]# setenforce 0
setenforce: SELinux is disabled
[root@rs2 ~]# systemctl disable --now firewalld
[root@rs2 ~]# setenforce 0

注意：关闭 firewalld 和 SELinux 只是为了排除实验环境中的干扰，生产环境不要这样做。更合适的做法是保留 firewalld，只放行需要的端口（DR：`firewall-cmd --permanent --add-port={80,443,8189}/tcp && firewall-cmd --reload`；RS1/RS2：80 和 443），并让 SELinux 保持 enforcing，遇到拒绝时用 `ausearch -m avc -ts recent` 查看并按需放行（例如为 8189 这种非标准端口添加 http_port_t 标签），而不是全局关闭。另外 `setenforce 0` 只在本次开机内有效，重启后会恢复 /etc/selinux/config 里的设置。

haproxy安装:

//安装服务
[root@DR ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
//创建用户（-r 系统用户、-M 不建家目录、-s /sbin/nologin 禁止登录；后面 global 段的 user/group 会让 haproxy 进程降权到这个用户运行）
[root@DR ~]# useradd -r -M -s /sbin/nologin haproxy
[root@DR ~]# ls
haproxy-2.4.7.tar.gz
//解压前建议核对源码包校验和与 haproxy.org 发布页给出的值一致（sha256sum haproxy-2.4.7.tar.gz）；2.4.7 并非 2.4 分支的最新版本，实际部署请使用该分支最新的补丁版本
[root@DR ~]# tar xf haproxy-2.4.7.tar.gz -C /usr/local/
[root@DR ~]# ls /usr/local/
haproxy-2.4.7
[root@DR ~]# cd /usr/local/
[root@DR local]# ln -sv haproxy-2.4.7 haproxy
'haproxy' -> 'haproxy-2.4.7'
[root@DR local]# ll
总用量 20
drwxr-xr-x. 14 root root  164 9月  27 08:49 apache
drwxr-xr-x.  6 root root   58 9月  27 08:43 apr
drwxr-xr-x. 28 1001 1001 4096 9月  27 08:43 apr-1.7.0
drwxr-xr-x.  5 root root   43 9月  27 08:45 apr-util
drwxr-xr-x. 21 1001 1001 4096 9月  27 08:45 apr-util-1.6.1
drwxr-xr-x.  2 root root    6 8月  12 bin
drwxr-xr-x.  2 root root    6 8月  12 etc
drwxr-xr-x.  2 root root    6 8月  12 games
lrwxrwxrwx.  1 root root   13 10月 17 11:28 haproxy -> haproxy-2.4.7
drwxrwxr-x. 13 root root 4096 10月  4 08:56 haproxy-2.4.7
//编译（USE_OPENSSL=1 提供 TLS 支持，USE_SYSTEMD=1 提供 -Ws 模式下向 systemd 发送就绪通知的支持）
[root@DR haproxy]# make -j $(nproc) TARGET=linux-glibc \
> USE_OPENSSL=1 USE_PCRE=1 USE_SYSTEMD=1
[root@DR haproxy]# make install
[root@DR haproxy]# ls /usr/local/sbin/
haproxy

配置各个负载的内核参数

[root@DR haproxy]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@DR haproxy]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR haproxy]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1

说明：这两个参数对本文的 HAProxy 配置其实都不是必需的。`ip_nonlocal_bind` 只在 HAProxy 需要 bind 到一个本机当前还没有的 VIP（例如由 keepalived 漂移过来的地址）时才需要；`ip_forward = 1` 会让 DR 变成一台路由器，转发任何经过它的 IP 包，而 HAProxy 作为代理是在用户态自己建立到后端的连接，不依赖内核转发。除非这台机器同时承担 LVS/NAT 转发，否则建议保持 `ip_forward = 0`，减少负载均衡器的攻击面。

提供配置文件

[root@DR ~]# mkdir /etc/haproxy
[root@DR ~]# cd /etc/haproxy/
[root@DR haproxy]# touch haproxy.cfg
[root@DR haproxy]# vim haproxy.cfg
[root@DR haproxy]# cat haproxy.cfg
#--------------全局配置----------------
global
    log 127.0.0.1 local0 info       # 通过 UDP/514 发给本机 rsyslog，rsyslog 必须开启 imudp 才收得到（见后面"日志启用"）
    #log loghost local0 info
    maxconn 20480
    #chroot /usr/local/haproxy       # 建议启用 chroot（目录需存在且为空，例如 /var/lib/haproxy），配合下面的 user/group 降权
    pidfile /var/run/haproxy.pid
    #maxconn 4000
    user haproxy
    group haproxy
    daemon

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option dontlognull
    option httpclose
    option httplog
    #option forwardfor               # http 模式下建议打开，否则后端日志里只能看到 DR 的 IP，看不到真实客户端地址
    option redispatch
    balance roundrobin
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
    maxconn 60000
    retries 3

#--------------统计页面配置------------------
listen admin_stats
    bind 0.0.0.0:8189               # 监听在所有网卡上；建议只绑定管理网 IP，或用防火墙限制来源
    stats enable
    mode http
    log global
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin          # 默认口令必须修改；stats auth 是明文 HTTP Basic 认证，只应在内网/管理网使用
    #stats hide-version              # 建议取消注释，不向外暴露 HAProxy 版本号
    stats admin if TRUE             # 允许在页面上启停后端；建议改为按来源限制，例如 acl from_mgmt src 192.168.235.0/24 再 stats admin if from_mgmt
    stats refresh 30s

#---------------web设置-----------------------
listen webcluster
    bind 0.0.0.0:80                 # 访问 https 要修改为 443
    mode http                       # 访问 https 要修改为 tcp（tcp 透传模式下 HAProxy 不解析 HTTP，下面的 cookie/httpchk/forwardfor 都不会生效）
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    cookie SESSION_COOKIE insert indirect nocache   # 仅 http 模式有效；server 行还需加 cookie <值>，HAProxy 才会真正插入该 cookie；对外走 https 时建议再加 httponly secure
    server web01 192.168.235.155:80 check inter 2000 fall 5   # 修改为 RS1 的 IP，如果访问 https 要修改为 443
    server web02 192.168.235.158:80 check inter 2000 fall 5   # 修改为 RS2 的 IP，如果访问 https 要修改为 443

haproxy.service文件编写

[root@DR haproxy]# vim /usr/lib/systemd/system/haproxy.service
[root@DR haproxy]# cat /usr/lib/systemd/system/haproxy.service
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target

[Service]
ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=/usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2

[Install]
WantedBy=multi-user.target

注意：上面 `ExecReload=/bin/kill -USR2` 后面缺少进程号（可能是转载时 `$MAINPID` 丢失），照抄的话 `systemctl reload haproxy` 会因为 kill 缺少参数而失败。应改为先校验配置、再给主进程发 USR2：
ExecReload=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecReload=/bin/kill -USR2 $MAINPID
由于使用了 -Ws（master-worker 模式并向 systemd 发送就绪通知，编译时已带 USE_SYSTEMD=1），建议在 [Service] 中加上 `Type=notify` 和 `KillMode=mixed`，这也是 HAProxy 源码自带的 systemd 单元文件模板里的写法；`After=syslog.target` 已废弃，可改为 `After=network-online.target`。

[root@DR ~]# systemctl daemon-reload
[root@DR ~]# systemctl enable --now haproxy
Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /usr/lib/systemd/system/haproxy.service.
[root@DR ~]# systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disab>
   Active: active (running) since Sun -10-17 12:18:59 EDT; 4min 4s ago
  Process: 1218 ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q (c>
 Main PID: 1227 (haproxy)
    Tasks: 3 (limit: 11159)
   Memory: 9.9M
   CGroup: /system.slice/haproxy.service
           ├─1227 /usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/hap>
           └─1230 /usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/hap>

CA:

[root@DR ~]# yum -y install openssl
[root@DR ~]# openssl version -a
OpenSSL 1.1.1c FIPS 28 May
built on: Thu Mar 5 10:03:36 UTC
platform: linux-x86_64
options: bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"           //查看openssl证书的存放路径
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines: rdrand dynamic
//查看openssl的配置文件 /etc/pki/tls/openssl.cnf：其 [ CA_default ] 段对 CA 目录（dir = /etc/pki/CA）以及私钥、证书、序列号、索引文件的名称和存放位置都做了定义，下面创建的目录和文件名必须与之一致，否则 openssl ca 会报错
[root@DR ~]# cd /etc/pki/
[root@DR pki]# ls
ca-trust  fwupd  nssdb  rpm-gpg  tls  consumer  fwupd-metadata  product  rsyslog  entitlement  java  product-default  swid
[root@DR pki]# mkdir CA
[root@DR pki]# ls
CA  entitlement  java  product-default  swid  ca-trust  fwupd  nssdb  rpm-gpg  tls  consumer  fwupd-metadata  product  rsyslog
[root@DR pki]# cd CA/
[root@DR CA]# touch serial
[root@DR CA]# touch index.txt
[root@DR CA]# ls
index.txt serial
[root@DR CA]# echo 01 > serial
[root@DR CA]# cat serial
01
//生成根证书的私钥（注意：私钥的文件名与存放位置要与配置文件中的设置相匹配）
openssl genrsa -out private/cakey.pem 2048    #私钥长度默认是2048，之后用它签发根证书
[root@DR CA]# mkdir private
[root@DR CA]# ls
index.txt private serial
[root@DR CA]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
..........................................................+++++
e is 65537 (0x010001)
[root@DR CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:JXRT
Organizational Unit Name (eg, section) []:WW
Common Name (eg, your name or your server's hostname) []:WXY
Email Address []:1870648704@
[root@DR CA]# ls
cacert.pem index.txt private serial
[root@DR CA]# mkdir req

安全提示：cakey.pem 是整个 CA 的信任根，泄露后攻击者可以签发任意会被信任的证书。建议：(1) 生成时加口令保护，`openssl genrsa -aes256 -out /etc/pki/CA/private/cakey.pem 4096`，签发证书时再输入口令；(2) 确认权限：`chmod 700 /etc/pki/CA/private && chmod 600 /etc/pki/CA/private/cakey.pem`；(3) 根证书只给 365 天意味着一年后由它签发的所有证书也会一起失效，根证书通常给较长的有效期，由它签发的服务器证书保持较短的有效期。

RS1:

[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# cd /etc/httpd
[root@RS1 httpd]# mkdir ssl
[root@RS1 httpd]# cd ssl
[root@RS1 ssl]# openssl genrsa -out test.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...+++++
..................................................+++++
e is 65537 (0x010001)
[root@RS1 ssl]# ls
test.key
[root@RS1 ssl]# openssl req -new -key test.key -out test.csr -days 365
Ignoring -days; not generating a certificate
（-days 对 CSR 没有意义，证书有效期由 CA 签发时的 `openssl ca -days` 决定，这里可以去掉）
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:JXRT
Organizational Unit Name (eg, section) []:WW
Common Name (eg, your name or your server's hostname) []:WXY
Email Address []:1870648704@

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@RS1 ssl]# cd /etc/httpd/ssl
[root@RS1 ssl]# ls
test.csr test.key
[root@RS1 ssl]# scp test.csr 192.168.235.145:/etc/pki/CA/req/    //传到CA端的req文件夹
The authenticity of host '192.168.235.145 (192.168.235.145)' can't be established.
ECDSA key fingerprint is SHA256:YxxHZSMXHuRY/4l06pblVsAeyFwn87FXIP+3EXE+VNs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.235.145' (ECDSA) to the list of known hosts.
root@192.168.235.145's password:
test.csr 100% 1058 865.3KB/s 00:00

注意：(1) 这里 Common Name 填的是 "WXY"，而不是客户端将要访问的主机名/IP，而且 CSR 中没有 subjectAltName。现代浏览器（Chrome 58+、Firefox 等）校验的是 subjectAltName 而不是 CN，这样签出的证书即使把 cacert.pem 导入浏览器也会提示主机名不匹配。建议生成 CSR 时直接带上 SAN，例如 `openssl req -new -key test.key -out test.csr -subj "/C=CN/ST=HB/L=WH/O=JXRT/CN=www.example.com" -addext "subjectAltName=DNS:www.example.com,IP:192.168.235.145"`（填实际访问的域名或 DR 的 VIP），并在 CA 端的 /etc/pki/tls/openssl.cnf 中取消 `copy_extensions = copy` 的注释，否则 `openssl ca` 签发时会丢掉 CSR 里的扩展。(2) test.key 是服务器私钥，确认它属于 root 且权限为 600。(3) 第一次 ssh/scp 时直接回答 yes 相当于盲目信任对端主机密钥，实验环境可以接受，正式环境应先通过其他渠道核对指纹；用 root 密码做 scp 同样只适合实验环境。

在DR上查看

[root@DR ~]# ls /etc/pki/CA/req/
test.csr        //httpd端传过来的csr请求文件，由CA服务器来签发
[root@DR CA]# mkdir newcerts    //openssl ca 会把签出证书的副本按序列号写到 new_certs_dir（默认 /etc/pki/CA/newcerts），目录不存在会报错
[root@DR CA]# cd req/
[root@DR req]# openssl ca -in /etc/pki/CA/req/test.csr -out /etc/pki/CA/req/test.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 17 14:47:27 GMT
            Not After : Oct 17 14:47:27 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = JXRT
            organizationalUnitName    = WW
            commonName                = WXY
            emailAddress              = 1870648704@
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CF:E2:A0:78:4C:F9:3C:FA:1E:6F:4C:81:B0:1B:32:75:75:B4:C3:A4
            X509v3 Authority Key Identifier:
                keyid:73:D3:74:56:06:3C:49:07:25:06:00:B8:A4:EB:BE:1B:67:ED:78:98
Certificate is to be certified until Oct 17 14:47:27 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
（从上面的 X509v3 extensions 可以看到签出的证书只有 Basic Constraints/SKI/AKI，没有 subjectAltName，浏览器会因主机名不匹配而告警；Not Before/Not After 的年份在转载时丢失，实际相差一年。）
//把CA上面的crt证书文件传送给httpd端的/etc/httpd/ssl目录
[root@DR req]# scp test.crt 192.168.235.155:/etc/httpd/ssl/
The authenticity of host '192.168.235.155 (192.168.235.155)' can't be established.
ECDSA key fingerprint is SHA256:SYE4sY5pR2aCmZV6JqXCtCbMFPNKU1R9ID9zX9AvPr4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.235.155' (ECDSA) to the list of known hosts.
root@192.168.235.155's password:
test.crt 100% 4523 492.5KB/s 00:00

RS1和RS2上配置https:

[root@RS1 ~]# yum -y install mod_ssl
[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
43 DocumentRoot "/var/www/html"
44 ServerName www.example.com:443                  //取消掉这两行的注释，ServerName 改为证书 CN/SAN 对应的主机名
85 SSLCertificateFile /etc/httpd/ssl/test.crt      //修改为证书存放文件位置
94 SSLCertificateKeyFile /etc/httpd/ssl/test.key   //修改为密钥文件存放位置
[root@RS1 ~]# echo "hello yaya 192.168.235.155" > /var/www/html/index.html
[root@rs2 ~]# yum -y install mod_ssl
[root@rs2 ssl]# scp root@192.168.235.155:/etc/httpd/ssl/* .
root@192.168.235.155's password:
test.crt 100% 4523 3.2MB/s 00:00
test.csr 100% 1058 318.8KB/s 00:00
test.key 100% 1679 1.0MB/s 00:00
//重启
[root@rs2 ssl]# systemctl restart httpd

说明：(1) RS1 修改 ssl.conf 后同样需要 `systemctl restart httpd`（页面未显示）；RS2 也要做同样的 ssl.conf 修改并准备自己的 index.html（例如写入 192.168.235.158），否则刷新时看不出后端切换。(2) 这里把 RS1 的私钥 test.key 直接复制到了 RS2，两台后端共用一把私钥只是实验环境的简化做法；生产环境要么每台后端各自生成密钥并申请证书，要么在 HAProxy 上终止 TLS（`bind :443 ssl crt /etc/haproxy/certs/site.pem`，pem 中包含证书和私钥），后端就不需要持有证书私钥。复制过去的 test.key 同样要确认 root 所有、权限 600；test.csr 不需要复制。(3) 浏览器要信任这张证书，需要把 CA 的 cacert.pem 导入浏览器/系统的受信任根证书中。

测试:

//日志启用

[root@DR ~]# vim /etc/rsyslog.conf
64 # Save boot messages also to boot.log
65 local0.*                                                /var/log/haproxy.log
66 local7.*                                                /var/log/boot.log
[root@DR ~]# systemctl restart haproxy
[root@DR ~]# ss -antl
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       128            0.0.0.0:111          0.0.0.0:*
LISTEN  0       128            0.0.0.0:80           0.0.0.0:*
LISTEN  0       32       192.168.122.1:53           0.0.0.0:*
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       5            127.0.0.1:631          0.0.0.0:*
LISTEN  0       128            0.0.0.0:8189         0.0.0.0:*
LISTEN  0       128               [::]:111             [::]:*
LISTEN  0       128               [::]:22              [::]:*
LISTEN  0       5                [::1]:631             [::]:*

说明：haproxy.cfg 里的 `log 127.0.0.1 local0` 是通过 UDP 514 发给本机 rsyslog 的，只加 local0.* 这一行还不够，必须让 rsyslog 监听 UDP 514：在 /etc/rsyslog.conf 中取消 `module(load="imudp")` 和 `input(type="imudp" port="514")` 的注释（只想监听本机可写成 `input(type="imudp" address="127.0.0.1" port="514")`，避免把 syslog 端口暴露给外部），然后 `systemctl restart rsyslog`；否则 /var/log/haproxy.log 会一直为空。上面重启的是 haproxy，实际需要重启的是 rsyslog。另外 `ss -antl` 只列出 TCP 监听，确认 514/udp 要用 `ss -anul`。从输出还能看到 80 和 8189 都绑定在 0.0.0.0 上，统计页面对所有网卡开放，请务必修改前面配置中的 stats 口令并限制来源。

在浏览器中输入 DR 的 IP（http://192.168.235.145/，https 透传场景则为 https://192.168.235.145/）并反复刷新，页面内容应在 RS1 与 RS2 之间轮流切换。如果看不到切换，检查 server 行是否加了 cookie 值——加了之后 HAProxy 会插入 SESSION_COOKIE 把同一个浏览器固定到一台后端，需要换浏览器/无痕窗口或清除 cookie 再测。https 测试需先把 cacert.pem 导入浏览器信任库，并且证书的 CN/SAN 要与访问的地址一致，否则会出现证书告警。
