32.1续32.0

此实验基于上一篇实验

keepalived实现nginx服务高可用性

利用keepalived的脚本实现

ka1
[root@ka1 keepalived]#cat keepalived.conf
! Configuration File for keepalived

# Global settings: notification mail parameters, this node's identifier, and
# the IPv4 multicast group used for VRRP advertisements.
global_defs {
   # Recipient(s) of state-change notification mail.
   notification_email {
    root@localhost 
   }
   notification_email_from ka@localhost
   # Mail is handed to the local SMTP listener; timeout is in seconds.
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   # Identifier of this node (the peer in this lab is ka2).
   router_id ka1
   # Non-default multicast group for VRRP advertisements; all peers must use
   # the same group.
   # NOTE(review): any host on the segment can send to this group, so VRRP
   # (IP protocol 112) should be filtered to the known peer addresses - the
   # page shows no such firewall rule.
   vrrp_mcast_group4 230.10.10.10
}
# Tracking script: reports failure while the flag file /etc/keepalived/down
# exists, so an operator can make this node give up the VIP by creating it.
vrrp_script chk_down {    # define the tracking script
    # Exits 1 (failure) when the flag file exists, otherwise 0. The logic can
    # also be put in a script file, with its path written here instead.
    # NOTE(review): whoever can create this file can force a failover, so
    # /etc/keepalived should be writable by root only. The check presumably
    # runs with keepalived's own privileges - confirm for this version.
    script "[ -f /etc/keepalived/down ] && exit 1 ||exit 0"
    # Run the check every second.
    interval 1
    # While the check fails, lower the tracking instance's priority by 30.
    weight -30
}
# VRRP instance for VIP 10.0.0.100: this node starts as MASTER and tracks
# chk_down, so a failing check drops its priority from 100 to 70.
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    # Must match the peer's virtual_router_id for this instance.
    virtual_router_id 50
    # Presumably the peer runs this instance at priority 80, so 70 hands the
    # VIP over - confirm against ka2's configuration.
    priority 100
    # Advertisement interval in seconds.
    advert_int 1
    authentication {
        # PASS is a simple password carried in clear text in every
        # advertisement, and keepalived uses only its first 8 characters.
        # It guards against misconfiguration, not against a host on the
        # same segment.
        # NOTE(review): "123456" is a lab value; replace it outside the lab
        # and rely on filtering VRRP traffic to the peers for protection.
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        10.0.0.100/24 
    }
    track_script {                  # attach the tracking script
        chk_down      
    }
}
# VRRP instance for VIP 10.0.0.200: this node is BACKUP at priority 80.
# No track_script is attached, so the /etc/keepalived/down flag does not
# change this instance's priority.
vrrp_instance VI_2 {                                                                                                          
    state BACKUP
    interface eth0
    # Different router id from VI_1, so the two instances stay independent.
    virtual_router_id 60
    # Presumably the peer is MASTER for this instance with a higher
    # priority - confirm against ka2's configuration.
    priority 80
    # Advertisement interval in seconds.
    advert_int 1
    authentication {
        # PASS is sent in clear text in each advertisement and only the
        # first 8 characters are used.
        # NOTE(review): "654321" is a lab value; replace it outside the lab.
        auth_type PASS
        auth_pass 654321
    }
    virtual_ipaddress {
        10.0.0.200/24 
    }
}

# LVS virtual service for VIP 10.0.0.100, TCP port 80, with one real server
# that is health-checked over plain HTTP.
virtual_server 10.0.0.100 80 {
    # Seconds between health-check rounds.
    delay_loop 6
    # Weighted round robin scheduling, direct-routing forwarding.
    lb_algo wrr
    lb_kind DR
    # Persistence is disabled in this lab (line left commented out).
    #persistence_timeout 50
    protocol TCP
    # Fallback target used when no real server passes its check; here the
    # local web server on the director itself.
    sorry_server 127.0.0.1 80
    real_server 192.168.31.27 80 {
        weight 1
        # Healthy only if GET / answers with HTTP status 200.
        HTTP_GET {
            url {
              path /
              status_code 200
            }
            # Timeout and retry delay are in seconds; three retries before
            # the real server is considered failed.
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}

# LVS virtual service for VIP 10.0.0.200, TCP port 80, with one real server
# that is health-checked over plain HTTP.
virtual_server 10.0.0.200 80 {
    # Seconds between health-check rounds.
    delay_loop 6
    # Weighted round robin scheduling, direct-routing forwarding.
    lb_algo wrr
    lb_kind DR
    # Persistence is disabled in this lab (line left commented out).
    #persistence_timeout 50
    protocol TCP
    # Fallback target used when no real server passes its check.
    sorry_server 127.0.0.1 80
    real_server 192.168.31.37 80 {
        # Weight 2, versus weight 1 on 192.168.31.27 in the other service.
        weight 2
        # Healthy only if GET / answers with HTTP status 200.
        HTTP_GET {
            url {
              path /
              status_code 200
            }
            # Timeout and retry delay are in seconds; three retries before
            # the real server is considered failed.
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
实验:基于FWM实现主从LVS高可用性集群http https
[root@ka2 keepalived ]#rpm -ql keepalived 
/usr/share/doc/keepalived-1.3.5/samples/keepalived.conf.fwmark

#实现http和https的结合访问:将发往VIP 10.0.0.100 的80和443端口流量统一打上防火墙标记(fwmark)6

[root@ka1 keepalived ]#iptables -t mangle -A PREROUTING -d 10.0.0.100 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 6
[root@ka2 keepalived ]#iptables -t mangle -A PREROUTING -d 10.0.0.100 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 6
[root@rs1 ~ ]#yum install mod_ssl
[root@rs2 ~ ]#yum install mod_ssl

ka1如下更改,ka2同理

[root@ka1 keepalived]#cat keepalived.conf
**省略**
# LVS virtual service selected by firewall mark 6 instead of address:port.
# The mark is set by the iptables mangle rule on the directors for TCP ports
# 80 and 443 to 10.0.0.100, so HTTP and HTTPS share this one service.
virtual_server fwmark 6 {
    # Seconds between health-check rounds.
    delay_loop 6
    # Weighted round robin scheduling, direct-routing forwarding.
    lb_algo wrr
    lb_kind DR
    # Persistence is disabled in this lab (line left commented out).
    #persistence_timeout 50
    protocol TCP
    # Fallback target used when no real server passes its check.
    sorry_server 127.0.0.1 80
    real_server 192.168.31.27 80 {
        weight 1
        # NOTE(review): this check connects to port 80 only, so a failed
        # HTTPS listener on 443 would not take the real server out of the
        # pool. keepalived also provides an SSL_GET checker for that case.
        HTTP_GET {
            url {
              path /
              status_code 200
            }
            # Timeout and retry delay are in seconds; three retries before
            # the real server is considered failed.
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}

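# Second virtual service of the fwmark experiment. The author notes it was
# "virtual_server 10.0.0.100 80" before the change; the earlier listing shows
# this real server under 10.0.0.200.
# The keyword and the mark value are separate tokens: "fwmark 6", not
# "fwmark6".
# NOTE(review): this repeats mark 6 from the preceding virtual_server block,
# and the iptables rule shown only marks traffic to 10.0.0.100. Presumably
# both real_servers belong in a single "virtual_server fwmark 6" block, or
# this one needs its own mark with a matching mangle rule - confirm before use.
virtual_server fwmark 6 {
    # Seconds between health-check rounds.
    delay_loop 6
    # Weighted round robin scheduling, direct-routing forwarding.
    lb_algo wrr
    lb_kind DR
    # Persistence is disabled in this lab (line left commented out).
    #persistence_timeout 50
    protocol TCP
    # Fallback target used when no real server passes its check.
    sorry_server 127.0.0.1 80
    real_server 192.168.31.37 80 {
        weight 2
        # NOTE(review): this check connects to port 80 only, so a failed
        # HTTPS listener on 443 would not take the real server out of the
        # pool. keepalived also provides an SSL_GET checker for that case.
        HTTP_GET {
            url {
              path /
              status_code 200
            }
            # Timeout and retry delay are in seconds; three retries before
            # the real server is considered failed.
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}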

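有关https加密参考:下面curl报错(60)是因为服务器证书未通过校验(实验环境中应为mod_ssl安装时生成的自签名证书);-k 会关闭证书校验,仅用于实验环境验证连通性,生产环境应使用受信任CA签发的证书,或用 --cacert 指定CA证书。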

[root@rs1 ~ ]#curl https://192.168.31.27
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

[root@rs1 ~ ]#curl -k https://192.168.31.27
<h1>cos27.localdomain</h1>

[root@client ~ ]#curl -k https://192.168.31.27
<h1>cos27.localdomain</h1>


转载自blog.csdn.net/csdn_immortal/article/details/82319524