Configuring a cluster service with the LVS DR model
The IP addresses are planned as follows:
VIP:192.168.0.10
DIP:192.168.0.61
RIP1:192.168.0.62
RIP2:192.168.0.63
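To keep things simple, the LVS service is first set up with everything on the same network segment.
Install the HTTP and HTTPS services in advance: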
RS1:
# yum install mod_ssl
# cd /etc/httpd/conf
# mkdir ssl
# cd ssl
# (umask 077;openssl genrsa 1024 > httpd.key)
# openssl req -new -key httpd.key -out httpd.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:Tech
Organizational Unit Name (eg, section) []:test.glx.com
Common Name (eg, your name or your server's hostname) []:
Email Address []:
The certificate signing request is now generated; send it to the self-built CA to be signed.
Director:
# cd /etc/pki/CA
# (umask 077 ;openssl genrsa 2048 > private/cakey.pem)
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:Tech
Organizational Unit Name (eg, section) []:test.glx.com
Common Name (eg, your name or your server's hostname) []:
Email Address []:
# touch index.txt
# echo 01 > serial
Sign the certificate:
# openssl ca -in httpd.csr -out httpd.crt -days 365
Send the signed certificate to RS1.
On RS1 the configuration file needs the following settings:
# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/httpd.key
DocumentRoot "/var/www/html"
The three certificate-related files are placed here:
# ls /etc/httpd/conf/ssl/
httpd.crt httpd.csr httpd.key
Copy the ssl.conf above and the three certificate-related files to RS2:
# scp ssl.conf 192.168.0.63:/etc/httpd/conf.d/
# scp -rp ssl/* 192.168.0.63:/etc/httpd/conf/ssl/
On RS1 and RS2, check that the httpd configuration file is correct:
# httpd -t
Syntax OK
# service httpd start
At this point HTTP and HTTPS on the RSs are ready.
Configure the LVS cluster on the Director:
# iptables -t mangle -A PREROUTING -d 192.168.0.10 -p tcp --dport 80 -j MARK --set-mark 10
# iptables -t mangle -A PREROUTING -d 192.168.0.10 -p tcp --dport 443 -j MARK --set-mark 10
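Define traffic carrying mark 10 as an LVS service, and use the -p option to make it a persistent (bound) service, so that a client's HTTP and HTTPS connections go to the same RS: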
# ipvsadm -A -f 10 -s rr -p
# ipvsadm -a -f 10 -r 192.168.0.62 -g
# ipvsadm -a -f 10 -r 192.168.0.63 -g
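A check for the rules just entered, as an added example that is not part of the original page: it reads rules in the format of `ipvsadm -S -n` and confirms that the mark-10 service is persistent and that every real server uses direct routing. The function and sample names are hypothetical, and the sample rules (including the 360 second timeout) are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit saved IPVS rules for the
# firewall-mark service. On a Director: ipvsadm -S -n | check_fwmark_service 10
check_fwmark_service() {   # $1 = firewall mark; rules are read from stdin
    awk -v mark="$1" '
    # Value that follows option "opt" on the current rule, or "" if absent.
    function optval(opt,   i) {
        for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
        return ""
    }
    # 1 if the bare flag is present anywhere on the current rule.
    function hasflag(flag,   i) {
        for (i = 1; i <= NF; i++) if ($i == flag) return 1
        return 0
    }
    $1 == "-A" && optval("-f") == mark { service = 1; persistent = hasflag("-p") }
    $1 == "-a" && optval("-f") == mark {
        servers++
        if (!hasflag("-g")) { print "FAIL: " optval("-r") " is not in DR (-g) mode"; bad = 1 }
    }
    END {
        if (!service)         { print "FAIL: no virtual service for fwmark " mark; bad = 1 }
        else if (!persistent) { print "FAIL: fwmark " mark " service lacks -p"; bad = 1 }
        if (servers < 2)      { print "FAIL: fewer than two real servers"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: rules as saved after the three ipvsadm commands above.
sample_good() {
    cat <<'EOF'
-A -f 10 -s rr -p 360
-a -f 10 -r 192.168.0.62:0 -g -w 1
-a -f 10 -r 192.168.0.63:0 -g -w 1
EOF
}

# Constructed sample: persistence missing and one real server in NAT (-m) mode.
sample_bad() {
    cat <<'EOF'
-A -f 10 -s rr
-a -f 10 -r 192.168.0.62:0 -g -w 1
-a -f 10 -r 192.168.0.63:0 -m -w 1
EOF
}

sample_good | check_fwmark_service 10 && echo "fwmark 10: OK"
```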
Verify access from a client: