# 架构一 两台服务器,不能使用与业务相同端口,不能代理原有业务的ssl
websrv1:8080/8443 haproxy1:80/443 keepalived1-master
websrv2:8080/8443 haproxy1:80/443 keepalived1-backup
# 架构二 四台服务器,可以使用与业务相同端口,不能代理原有业务的ssl
websrv1:8080/8443
websrv2:8080/8443
haproxy1:8080/8443 keepalived1-master
haproxy2:8080/8443 keepalived1-backup
yum install -y haproxy keepalived openssl
systemctl enable haproxy keepalived && systemctl restart haproxy keepalived
vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
router_id LVS_DEVEL
# vrrp_strict
}
vrrp_instance VI_1 {
state MASTER
# config with right interface name
interface eth0
virtual_router_id 51
priority 110
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.10.80.50/24
}
}
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
router_id LVS_DEVEL
# vrrp_strict
}
vrrp_instance VI_1 {
state BACKUP
# config with right interface name
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.10.80.50/24
}
}
# check config
systemctl restart keepalived
vi /etc/haproxy/haproxy.cfg
external-check need haproxy >1.6
global
log /dev/log local0
log /dev/log local1 notice
stats timeout 30s
# external-check
user haproxy
group haproxy
tune.ssl.default-dh-param 4096
daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
stats uri /haproxy?stats
frontend http_front
bind :80
bind :443 ssl crt /etc/ssl/server.pem
default_backend http_back
backend http_back
balance roundrobin
cookie SERVERID maxidle 30m maxlife 12h insert indirect nocache
# option external-check
# external-check command /bin/haproxy/etxstat.sh
# external-check path "/usr/bin:/bin"
server etx1 10.10.80.51:8080 check cookie etx1
server etx2 10.10.80.52:8080 check cookie etx2
cd /etc/ssl
openssl req -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 365
cat server.crt server.key | tee server.pem
# sync pem srv1 -> srv2
scp haproxy1:/etc/ssl/server.pem haprox2:/etc/ssl/
vi /bin/haproxy/etxstat.sh
#!/bin/bash
status=$(curl -s --user etxadmin:password http://$3:$4/etx/state)
if [ "$status" = "RUNNING" ]; then
exit 0
else
exit 1
fi
chmod a+x /bin/haproxy/etxstat.sh
sudo -u haproxy /bin/haproxy/etxstat.sh
haproxy -c -V -f /etc/haproxy/haproxy.cfg
systemctl restart haproxy
http://ip:port/haproxy?stats
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。