How to configure haproxy and keepalived
admin
2023-02-22 06:40:04

haproxy and keepalived

# Architecture 1: two servers; haproxy cannot use the same ports as the application and cannot proxy the application's existing SSL
websrv1:8080/8443  haproxy1:80/443    keepalived1-master
websrv2:8080/8443  haproxy2:80/443    keepalived1-backup

# Architecture 2: four servers; haproxy can use the same ports as the application but cannot proxy the application's existing SSL
websrv1:8080/8443
websrv2:8080/8443
haproxy1:8080/8443    keepalived1-master
haproxy2:8080/8443    keepalived1-backup

This lab is deployed according to Architecture 1; Architecture 2 is essentially the same.

1. Software installation

yum install -y haproxy keepalived openssl
systemctl enable haproxy keepalived && systemctl restart haproxy keepalived

2. keepalived (if only HA is needed, keepalived can be configured on its own)

vi /etc/keepalived/keepalived.conf

  • MASTER (keepalived1-master)
! Configuration File for keepalived

global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   router_id LVS_DEVEL
#   vrrp_strict

}

vrrp_instance VI_1 {
    state MASTER
#   config with right interface name
    interface eth0
    virtual_router_id 51
    priority 110
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.10.80.50/24
    }
}
  • BACKUP (keepalived2-slave)
! Configuration File for keepalived

global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   router_id LVS_DEVEL
#   vrrp_strict
}

vrrp_instance VI_1 {
    state BACKUP
#   config with right interface name
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.10.80.50/24
    }
}

# check config

systemctl restart keepalived
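
One way to check that the MASTER and BACKUP files above agree before restarting keepalived, as an added example that is not part of the original page. The function names, the sample config generator and the 8-character threshold are assumptions of this example.

```shell
# Added example: lint a keepalived MASTER/BACKUP pair (function names are hypothetical).
# kv FILE KEY: first value of a one-value keyword; commented lines never match.
kv() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# vips FILE: addresses inside the virtual_ipaddress { } block, space-separated.
vips() {
    awk '$1 == "virtual_ipaddress" { f = 1; next }
         f && $1 == "}" { exit }
         f && NF && $1 !~ /^[#!]/ { printf "%s ", $1 }' "$1"
}

# check_vrrp_pair MASTER_CONF BACKUP_CONF: one line per finding, returns 1 if any.
check_vrrp_pair() {
    m=$1; b=$2; rc=0
    for key in virtual_router_id advert_int auth_type auth_pass; do
        if [ "$(kv "$m" "$key")" != "$(kv "$b" "$key")" ]; then
            echo "MISMATCH: $key differs between the nodes"; rc=1
        fi
    done
    if [ "$(vips "$m")" != "$(vips "$b")" ]; then
        echo "MISMATCH: virtual_ipaddress differs between the nodes"; rc=1
    fi
    mp=$(kv "$m" priority); bp=$(kv "$b" priority)
    if [ "${mp:-0}" -le "${bp:-0}" ]; then
        echo "PRIORITY: master ($mp) is not higher than backup ($bp)"; rc=1
    fi
    # auth_type PASS travels in cleartext; keepalived uses only the first 8 characters.
    pass=$(kv "$m" auth_pass)
    if [ "$(kv "$m" auth_type)" = "PASS" ] && { [ "$pass" = "1111" ] || [ "${#pass}" -lt 8 ]; }; then
        echo "WEAK: auth_pass is the tutorial value or shorter than 8 characters"; rc=1
    fi
    return "$rc"
}

# sample_conf STATE PRIORITY PASS: constructed config mirroring the page's vrrp_instance.
sample_conf() {
    printf 'vrrp_instance VI_1 {\n    state %s\n    virtual_router_id 51\n' "$1"
    printf '    priority %s\n    advert_int 1\n    authentication {\n' "$2"
    printf '        auth_type PASS\n        auth_pass %s\n    }\n' "$3"
    printf '    virtual_ipaddress {\n        10.10.80.50/24\n    }\n}\n'
}

# demo: run the check on the page's values; prints the WEAK finding and returns 1.
demo() {
    d=$(mktemp -d) || return 2
    sample_conf MASTER 110 1111 > "$d/master.conf"
    sample_conf BACKUP 100 1111 > "$d/backup.conf"
    r=0; check_vrrp_pair "$d/master.conf" "$d/backup.conf" || r=$?
    rm -rf "$d"; return "$r"
}
```

Call `demo` to see the finding for the values used on this page, or pass the two real file paths to `check_vrrp_pair`.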

3. haproxy config (haproxy1 / haproxy2)

vi /etc/haproxy/haproxy.cfg

external-check requires haproxy > 1.6

global 
   log /dev/log local0 
   log /dev/log local1 notice 
   stats timeout 30s 
#   external-check 
   user haproxy 
   group haproxy 
   tune.ssl.default-dh-param 4096 
   daemon 

defaults 
   log global 
   mode http 
   option httplog 
   option dontlognull 
   timeout connect 5000 
   timeout client 50000 
   timeout server 50000 
#   served on every frontend without a login unless "stats auth <user>:<password>" is also set
   stats uri /haproxy?stats

frontend http_front 
   bind :80 
   bind :443 ssl crt /etc/ssl/server.pem 
   default_backend http_back 

backend http_back 
   balance roundrobin 
   cookie SERVERID maxidle 30m maxlife 12h insert indirect nocache 
#   option external-check 
#   external-check command /bin/haproxy/etxstat.sh 
#   external-check path "/usr/bin:/bin" 
   server etx1 10.10.80.51:8080 check cookie etx1
   server etx2 10.10.80.52:8080 check cookie etx2 

4. SSL PEM configuration

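cd /etc/ssl
openssl req -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 365
# haproxy reads the certificate and private key from one PEM file;
# write it without echoing the key to the terminal and keep it root-only
cat server.crt server.key > server.pem
chmod 600 server.pem

# sync pem srv1 -> srv2
scp haproxy1:/etc/ssl/server.pem haproxy2:/etc/ssl/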

5. haproxy check config

vi /bin/haproxy/etxstat.sh

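#!/bin/bash
# haproxy calls this script as: <proxy_address> <proxy_port> <server_address> <server_port>,
# so $3 and $4 are the backend server's address and port.
status=$(curl -s --max-time 5 --user etxadmin:password "http://$3:$4/etx/state")
if [ "$status" = "RUNNING" ]; then
   exit 0
else
   exit 1
fi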
  • check config
chmod a+x /bin/haproxy/etxstat.sh 
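# pass the same four arguments haproxy would; exit status 0 means the backend reports RUNNING
sudo -u haproxy /bin/haproxy/etxstat.sh 10.10.80.50 80 10.10.80.51 8080; echo $?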
haproxy -c -V -f /etc/haproxy/haproxy.cfg
systemctl restart haproxy
http://ip:port/haproxy?stats
