Highly available nginx reverse proxy
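Introduction to nginx reverse proxying
A proxy server is an intermediate server that sits between the client and the origin server. To fetch content from the origin server, the client sends the proxy a request that names the target (origin) server; the proxy forwards the request to the origin server and returns the data it receives to the client. A proxy server acts on behalf of the client, so the client generally knows that the proxy exists; getting around network restrictions, for example, relies on a proxy server.
A reverse proxy server sits on the origin server's side. It accepts requests from the internet, forwards them to servers on the internal network, and returns the results from those servers to the clients on the internet. A reverse proxy acts on behalf of the server side, so the client does not know that the reverse proxy exists, while the server side does.
What a proxy server is used for
- Reaching resources that would otherwise be inaccessible
- Caching, to speed up access
- Authorizing client access and authenticating users before they go online
- Recording users' access history (internet usage management) and hiding user information from the outside
What a reverse proxy server is used for
- Protecting the internal network
- Load balancing
- Caching, to reduce the load on the servers
What nginx is used for
1. Reverse proxy: presents multiple servers as a single server
2. Load balancing: distributes requests evenly across multiple servers, reducing the load on each one and increasing service throughput
3. Separating dynamic and static content: nginx can serve as a cache server for static files to speed up access
Configuring the nginx reverse proxy
Environment:
OS | IP | Service | Hostname |
---|---|---|---|
centos8 | 192.168.171.133 | nginx (load-balancing scheduler) | localhost |
centos8 | 192.168.171.142 | nginx (web service) | RS1 |
centos8 | 192.168.171.141 | apache (web service) | RS2 |
RS1 configuration
//Disable the firewall and SELinux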
[root@RS1 ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS1 ~]# setenforce 0
[root@RS1 ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config
//Install the nginx web service
[root@RS1 ~]# dnf -y install nginx
//Set up the test site
[root@RS1 ~]# cd /usr/share/nginx/html/
[root@RS1 html]# ls
404.html 50x.html index.html nginx-logo.png poweredby.png
[root@RS1 html]# echo "nginx" >index.html
[root@RS1 html]# systemctl restart nginx.service
[root@RS1 html]# systemctl enable nginx.service
[root@RS1 html]# ss -antl | grep 80
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
RS2 configuration
//Disable the firewall and SELinux
[root@RS2 ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS2 ~]# setenforce 0
[root@RS2 ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config
//Install the apache web service
[root@RS2 ~]# dnf -y install httpd
//Set up the test page
[root@RS2 ~]# echo "apache" >/var/www/html/index.html
[root@RS2 ~]# systemctl restart httpd
[root@RS2 ~]# systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
[root@RS2 ~]# ss -antl | grep 80
LISTEN 0 128 *:80 *:*
Load-balancing scheduler configuration
//Disable the firewall and SELinux
[root@localhost ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]# setenforce 0
[root@localhost ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config
//Install nginx to act as the reverse proxy.
[root@localhost ~]# dnf -y install nginx
[root@localhost ~]# cd /etc/nginx/
[root@localhost nginx]# vi nginx.conf
//Configure the reverse proxy (these blocks belong inside the http { } block)
upstream webserver {
    server 192.168.171.141;    # IP of RS2 (apache), a host that serves the site
    server 192.168.171.142;    # likewise, the IP of RS1 (nginx)
}
server {
    listen 80;
    server_name _;
    root /usr/share/nginx/html;
    location / {
        proxy_pass http://webserver;    # requests are forwarded here; webserver stands for 192.168.171.141 or 192.168.171.142
    }
}
[root@localhost ~]# systemctl enable --now nginx.service
Access test
[root@localhost ~]# curl 192.168.171.133
apache
[root@localhost ~]# curl 192.168.171.133
nginx
[root@localhost ~]# curl 192.168.171.133
apache
[root@localhost ~]# curl 192.168.171.133
nginx
[root@localhost ~]# curl 192.168.171.133
apache
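Highly available nginx reverse proxy
Environment:
OS | IP | Service | Hostname |
---|---|---|---|
centos8 | 192.168.171.133 | nginx (load-balancing scheduler, keepalived) | KD1 |
centos8 | 192.168.171.142 | nginx (web service) | RS1 |
centos8 | 192.168.171.141 | apache (web service) | RS2 |
centos8 | 192.168.171.150 | nginx (load-balancing scheduler, keepalived) | KD2 |
RS1 and RS2 keep the same configuration as above.
Virtual IP (VIP): 192.168.171.250
KD1 configuration
//Install the high-availability service.
[root@KD1 ~]# dnf -y install keepalived
//Edit the keepalived configuration file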
[root@KD1 ~]# cd /etc/keepalived/
[root@KD1 keepalived]# ls
keepalived.conf
[root@KD1 keepalived]# mv keepalived.conf keepalived.conf-bek
[root@KD1 keepalived]# ls
keepalived.conf-bek
[root@KD1 keepalived]# vi keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id lb01
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33    # the interface name here must match the host's NIC name
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass nuanchun    # the keepalived password must be the same on both hosts
    }
    virtual_ipaddress {
        192.168.171.250    # the virtual IP must also be the same
    }
}
virtual_server 192.168.171.250 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    persistence_timeout 50
    protocol TCP
    real_server 192.168.171.133 80 {    # IP of your load-balancing scheduler
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.171.150 80 {    # IP of the other host in the HA pair
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
//Restart the service and check the IP
[root@KD1 keepalived]# systemctl restart keepalived.service
[root@KD1 keepalived]# systemctl enable keepalived.service
[root@KD1 keepalived]# ip a | grep ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.171.133/24 brd 192.168.171.255 scope global noprefixroute ens33
    inet 192.168.171.250/32 scope global ens33
KD2 configuration
//Disable the firewall and SELinux
[root@KD2 ~]# systemctl disable --now firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@KD2 ~]# setenforce 0
[root@KD2 ~]# sed -ri 's/^(SELINUX=).*/\1disabled/g' /etc/selinux/config
//KD2 must match KD1's configuration for high availability to work
[root@KD2 ~]# dnf -y install nginx
//On KD1, copy the nginx.conf configuration file to KD2
[root@KD1 nginx]# scp nginx.conf 192.168.171.150:/etc/nginx/
The authenticity of host '192.168.171.150 (192.168.171.150)' can't be established.
ECDSA key fingerprint is SHA256:b2+ErORHLlANCY23XTlkC8uzQ6KKscSXnc5aIAK80dI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.171.150' (ECDSA) to the list of known hosts.
root@192.168.171.150's password:
nginx.conf 100% 2529 1.5MB/s 00:00
[root@KD1 nginx]#
//Check the configuration file
[root@KD2 ~]# cat /etc/nginx/nginx.conf
upstream webserver {
    server 192.168.171.141;
    server 192.168.171.142;
}
server {
    listen 80;
    server_name _;
    root /usr/share/nginx/html;
    location / {
        proxy_pass http://webserver;
    }
}
//Install the keepalived high-availability service
[root@KD2 ~]# dnf -y install keepalived
//Then back up the keepalived configuration file
[root@KD2 ~]# cd /etc/keepalived/
[root@KD2 keepalived]# ls
keepalived.conf
[root@KD2 keepalived]# mv keepalived.conf keepalived.conf-bek
[root@KD2 keepalived]# ls
keepalived.conf-bek
//Then copy the keepalived configuration file over from KD1 with scp
[root@KD1 keepalived]# scp keepalived.conf 192.168.171.150:/etc/keepalived/
root@192.168.171.150's password:
keepalived.conf 100% 870 556.4KB/s 00:00
[root@KD2 keepalived]# cat keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id lb02    # globally unique router id
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens33    # NIC name of this HA host
    virtual_router_id 51
    priority 90    # priority 90, must be lower than the other (master) host
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass nuanchun    # the password must match
    }
    virtual_ipaddress {
        192.168.171.250    # virtual IP
    }
}
virtual_server 192.168.171.250 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    persistence_timeout 50
    protocol TCP
    real_server 192.168.171.133 80 {    # KD1 server IP
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.171.150 80 {    # KD2 server IP
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
[root@KD2 keepalived]# systemctl restart keepalived
[root@KD2 keepalived]# systemctl status keepalived
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-10-17 04:54:18 EDT; 1min 26s ago
  Process: 79776 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 79777 (keepalived)
    Tasks: 3 (limit: 23460)
   Memory: 2.0M
   CGroup: /system.slice/keepalived.service
Access test
//Access the service through the virtual IP
[root@KD1 nginx]# cd /etc/keepalived/
[root@KD1 keepalived]# ls
[root@KD1 keepalived]# curl 192.168.171.250
nginx
[root@KD1 keepalived]# curl 192.168.171.250
apache
[root@KD1 keepalived]# curl 192.168.171.250
nginx
[root@KD1 keepalived]# curl 192.168.171.250
apache
//Simulate KD1 going down and see whether the backup load-balancing scheduler becomes the master
[root@KD1 keepalived]# systemctl stop nginx
[root@KD1 keepalived]# systemctl stop keepalived.service
[root@KD1 keepalived]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
[root@KD1 keepalived]#
//Check on the backup host whether the VIP has moved over; the VIP is now up there.
[root@KD2 keepalived]# ip a | grep ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.171.150/24 brd 192.168.171.255 scope global noprefixroute ens33
    inet 192.168.171.250/32 scope global ens33
[root@KD2 keepalived]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
//Try accessing it from KD2
[root@KD2 keepalived]# curl 192.168.171.250
apache
[root@KD2 keepalived]# curl 192.168.171.250
nginx
[root@KD2 keepalived]# curl 192.168.171.250
apache
[root@KD2 keepalived]# curl 192.168.171.250
nginx
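Automating master/backup failover for high availability
keepalived uses scripts to monitor the state of the nginx load balancer.
Write the scripts on KD1
//Create a directory to hold the monitoring scripts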
[root@KD1 ~]# mkdir scripts
[root@KD1 ~]# ls
anaconda-ks.cfg scripts
[root@KD1 ~]# cd scripts/
[root@KD1 scripts]# ls
[root@KD1 scripts]# vi check_n.sh
#!/bin/bash
# Count running nginx processes, excluding grep and this script itself
nginx_status=$(ps -ef|grep -Ev "grep|$0"|grep '\bnginx\b'|wc -l)
# If nginx is not running, stop keepalived so the VIP moves to the backup
if [ "$nginx_status" -lt 1 ];then
    systemctl stop keepalived
fi
[root@KD1 scripts]# chmod +x check_n.sh
[root@KD1 scripts]# ls
[root@KD1 scripts]# vi notify.sh
#!/bin/bash
VIP=$2
case "$1" in
    master)
        # On becoming master, start nginx if it is not running
        nginx_status=$(ps -ef|grep -Ev "grep|$0"|grep '\bnginx\b'|wc -l)
        if [ "$nginx_status" -lt 1 ];then
            systemctl start nginx
        fi
        # Notification step as in the original; no sendmail function is defined in this script
        sendmail
    ;;
    backup)
        # On becoming backup, stop nginx if it is running
        nginx_status=$(ps -ef|grep -Ev "grep|$0"|grep '\bnginx\b'|wc -l)
        if [ "$nginx_status" -gt 0 ];then
            systemctl stop nginx
        fi
    ;;
    *)
        echo "Usage:$0 master|backup VIP"
    ;;
esac
[root@KD1 scripts]# chmod +x notify.sh
//Reference the scripts in the configuration file
! Configuration File for keepalived
global_defs {
    router_id lb01
}
vrrp_script nginx_check {
    script "/scripts/check_n.sh"    # the script to run
    interval 1
    weight -20
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass nuanchun
    }
    virtual_ipaddress {
        192.168.171.250
    }
    track_script {
        nginx_check    # reference the script that checks nginx's state
    }
    # reference the script that switches between master and backup
    notify_master "/scripts/notify.sh master 192.168.171.250"
    notify_backup "/scripts/notify.sh backup 192.168.171.250"
}
virtual_server 192.168.171.250 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    persistence_timeout 50
    protocol TCP
    real_server 192.168.171.133 80 {
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.171.150 80 {
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
[root@KD1 scripts]# systemctl restart keepalived.service
[root@KD1 scripts]# ip a| grep ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.171.133/24 brd 192.168.171.255 scope global noprefixroute ens33
    inet 192.168.171.250/32 scope global ens33
KD2 configuration
//First create a directory to hold the scripts
[root@KD2 ~]# mkdir srcipts
[root@KD2 ~]# cd srcipts/
//Copy the script over from KD1 with scp
[root@KD1 scripts]# scp notify.sh 192.168.171.150:srcipts
root@192.168.171.150's password:
notify.sh 100% 451 247.4KB/s 00:00
[root@KD2 srcipts]# ls
notify.sh
[root@KD2 srcipts]#
//On the backup KD2, edit the configuration file so that it references the script.
[root@KD2 srcipts]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id lb02
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    virtual_router_id 51
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass nuanchun
    }
    virtual_ipaddress {
        192.168.171.250
    }
    # this references the script that was just copied over
    notify_master "/scripts/notify.sh master 192.168.171.250"
    notify_backup "/scripts/notify.sh backup 192.168.171.250"
}
virtual_server 192.168.171.250 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    persistence_timeout 50
    protocol TCP
    real_server 192.168.171.133 80 {
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.171.150 80 {
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
[root@KD2 srcipts]# systemctl restart keepalived
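The configuration files above point keepalived at /scripts/check_n.sh and /scripts/notify.sh, while the sessions create the directory as scripts (KD1) and srcipts (KD2) from root's home, so it is worth confirming that every referenced script exists, is executable, is owned by root and cannot be modified by other users. The check below is an added example, not part of the original post; the function names and the optional expected-owner argument are assumptions made for illustration, and it inspects only each script and its containing directory.

```shell
#!/bin/sh
# Constructed sample: the script directives as they appear on this page.
sample_conf() {
    cat <<'EOF'
vrrp_script nginx_check {
    script "/scripts/check_n.sh"
}
vrrp_instance VI_1 {
    notify_master "/scripts/notify.sh master 192.168.171.250"
    notify_backup "/scripts/notify.sh backup 192.168.171.250"
}
EOF
}

# Print each script path named by a script/notify* directive, once.
keepalived_script_paths() {
    awk '$1 ~ /^(script|notify|notify_master|notify_backup|notify_fault)$/ {
             p = $2; gsub(/"/, "", p); print p
         }' "$1" | sort -u
}

# Print a verdict for one path; succeed only for "ok". $2 = required owner uid (default 0).
audit_script() {
    f=$1; want_uid=${2:-0}
    [ -f "$f" ] || { echo missing; return 1; }
    [ -x "$f" ] || { echo not-executable; return 1; }
    owner=$(ls -lnd "$f" | awk '{print $3}')
    [ "$owner" = "$want_uid" ] || { echo wrong-owner; return 1; }
    # Neither the script nor its directory may be group- or world-writable.
    for p in "$f" "$(dirname "$f")"; do
        case $(ls -ld "$p" | cut -c1-10) in
            ?????w*|????????w*) echo writable-by-others; return 1 ;;
        esac
    done
    echo ok
}

# Audit every referenced script; fail if any verdict is not "ok".
audit_conf() {
    bad=0
    for s in $(keepalived_script_paths "$1"); do
        verdict=$(audit_script "$s" "${2:-0}") || bad=$((bad + 1))
        echo "$s: $verdict"
    done
    [ "$bad" -eq 0 ]
}

# Usage: sh audit.sh /etc/keepalived/keepalived.conf
if [ -n "${1:-}" ]; then audit_conf "$1"; fi
```

Run it on both KD1 and KD2 after copying the configuration, since the script directories differ between the two hosts.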
Access test
//At this point the VIP and port 80 are both up on KD1; stop nginx on KD1 to simulate a failure
[root@KD1 ~]# ip a | grep ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.171.133/24 brd 192.168.171.255 scope global noprefixroute ens33
    inet 192.168.171.250/32 scope global ens33
[root@KD1 ~]#
[root@KD1 ~]# ss -antl | grep 80
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
[root@KD1 ~]#
[root@KD1 ~]# systemctl stop nginx
[root@KD1 ~]# systemctl status keepalived.service
● keepalived.service - LVS and VRRP High Availability Monitor
   Loaded: loaded (/usr/lib/systemd/system/keepalived.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Tue 2022-10-18 05:11:21 EDT; 943ms ago
  Process: 112308 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 238678 ExecStart=/usr/sbin/keepalived $KEEPALIVED_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 238682 (code=exited, status=0/SUCCESS)
//Check on KD2 whether the VIP and port 80 have come up
[root@KD2 srcipts]# ip a | grep ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.171.150/24 brd 192.168.171.255 scope global noprefixroute ens33
    inet 192.168.171.250/32 scope global ens33
[root@KD2 srcipts]# ss -antl | grep 80
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
[root@KD2 srcipts]#
[root@KD2 srcipts]# curl 192.168.171.250
apache
[root@KD2 srcipts]# curl 192.168.171.250
nginx
[root@KD2 srcipts]# curl 192.168.171.250
apache
[root@KD2 srcipts]# curl 192.168.171.250
nginx
[root@KD2 srcipts]#