Environment:

| Hostname | Role | IP address |
| --- | --- | --- |
| mylinux1.contoso.com | HAProxy | eth0: 192.168.100.121, eth1: 172.16.100.121 |
| mylinux3.contoso.com | ssh server (used for the TCP test) | eth0: 192.168.100.181 |
| mylinux4.contoso.com | ssh server (used for the TCP test) | eth1: 192.168.100.182 |
1. Environment preparation

The following settings have to be in place before every deployment, so the commands are not listed in detail here; an earlier post provides a one-shot optimization script that automates them and saves repeating the same steps each time.

```
[root@mylinux1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@mylinux1 ~]# getenforce
Disabled
[root@mylinux1 ~]# crontab -l
0 * * * * /usr/sbin/ntpdate 210.72.145.44 64.147.116.229 time.nist.gov
mkdir -p /etc/yum.repos.d/bak
mv /etc/yum.repos.d/*.* /etc/yum.repos.d/bak/
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
yum clean all
yum makecache
sed -i '/^HOSTNAME/s/^/#/' /etc/sysconfig/network
sed -i '/#HOSTNAME/aHOSTNAME=[hostname]' /etc/sysconfig/network
hostname [hostname]
```
2. Installing HAProxy

```
[root@mylinux1 ~]#
[root@mylinux1 ~]#
[root@mylinux1 tools]# ls -l
total 2608
-rw-r--r-- 1 root root 1360582 Sep 30 11:02 haproxy-1.5.18.tar.gz
[root@mylinux1 tools]#
[root@mylinux1 tools]#
[root@mylinux1 haproxy-1.5.18]# ls
CHANGELOG  CONTRIBUTING  ebtree    include  Makefile  ROADMAP  SUBVERS  VERDATE
contrib    doc           examples  LICENSE  README    src      tests    VERSION
[root@mylinux1 haproxy-1.5.18]#
[root@mylinux1 haproxy-1.5.18]#
[root@mylinux1 haproxy-1.5.18]#
[root@mylinux1 haproxy-1.5.18]#
[root@mylinux1 haproxy]# tree
├── doc
│   └── haproxy
│       ├── architecture.txt
│       ├── configuration.txt
│       ├── haproxy-en.txt
│       └── haproxy-fr.txt
├── sbin
│   └── haproxy
└── share
    └── man
        └── man1
            └── haproxy.1

6 directories, 6 files
```
3. Adjusting the system configuration for HAProxy

1) Generating the configuration file

```
[root@mylinux1 haproxy-1.5.18]#
[root@mylinux1 haproxy-1.5.18]#
```
2) Enabling IPv4 forwarding

```
[root@mylinux1 conf]#
[root@mylinux1 conf]#
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
fs.file-max = 2097152
fs.nr_open = 2097152
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 81920
```
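The sysctl file above is applied top to bottom, so a key that appears twice (net.ipv4.tcp_syncookies does here) takes the value of its last line. Two settings in it deserve a second look from a security point of view: HAProxy is a user-space proxy and does not itself need net.ipv4.ip_forward, and with forwarding on while the FORWARD chain sits at policy ACCEPT with no rules (as the iptables output in section 1 shows), the dual-homed mylinux1 routes freely between 172.16.100.0/24 and 192.168.100.0/24; and net.ipv4.tcp_tw_recycle = 1 is known to drop connections from clients behind NAT (the option was removed in Linux 4.12). The script below is an added review helper, not part of the original post: it computes the effective value of every key the way sysctl(8) would, lists duplicated keys, and reports those two findings. The sysctl.conf content is embedded as a constructed sample; sysctl_effective, sysctl_duplicates and sysctl_review are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): review a sysctl.conf offline.

sysctl_effective() {   # sysctl_effective FILE -> "key = value" per key, last occurrence wins
    awk -F '=' '
        NF == 0 || $1 ~ /^[ \t]*[#;]/ { next }           # blank lines and comments (# or ;)
        {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1)          # everything after the first "="
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (!(key in seen)) order[++n] = key          # keep first-seen order for output
            seen[key] = val                               # later lines overwrite earlier ones
        }
        END { for (i = 1; i <= n; i++) print order[i] " = " seen[order[i]] }
    ' "$1"
}

sysctl_duplicates() {  # sysctl_duplicates FILE -> keys that are set more than once
    awk -F '=' '
        NF == 0 || $1 ~ /^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key); count[key]++ }
        END { for (k in count) if (count[k] > 1) print k }
    ' "$1" | sort
}

sysctl_review() {      # sysctl_review FILE -> one finding per line, exit 1 if any
    found=0
    for k in $(sysctl_duplicates "$1"); do
        echo "duplicate key: $k (the last value in the file wins)"; found=1
    done
    if sysctl_effective "$1" | grep -q '^net\.ipv4\.tcp_tw_recycle = 1$'; then
        echo "net.ipv4.tcp_tw_recycle = 1: drops connections from clients behind NAT (removed in Linux 4.12)"
        found=1
    fi
    if sysctl_effective "$1" | grep -q '^net\.ipv4\.ip_forward = 1$'; then
        echo "net.ipv4.ip_forward = 1: host routes between its interfaces; HAProxy does not need it, check the FORWARD chain"
        found=1
    fi
    [ "$found" -eq 0 ]
}

# Constructed sample: the sysctl.conf shown in the post, written to a temp file.
SYSCTL_AS_POSTED=$(mktemp)
cat > "$SYSCTL_AS_POSTED" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
fs.file-max = 2097152
fs.nr_open = 2097152
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 81920
EOF

# Constructed sample that passes the review: no duplicates, forwarding off,
# tcp_tw_recycle left at its kernel default of 0.
SYSCTL_CLEAN=$(mktemp)
cat > "$SYSCTL_CLEAN" <<'EOF'
# constructed clean file
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
fs.file-max = 2097152
EOF

for f in "$SYSCTL_AS_POSTED" "$SYSCTL_CLEAN"; do
    echo "== $f"
    sysctl_review "$f" || echo "   (findings above)"
done
```

Run it against /etc/sysctl.conf on the proxy host before applying the file with sysctl -p; the duplicate check is harmless here because both tcp_syncookies lines agree, but the same helper catches the case where two lines disagree and the later one silently wins.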
3) Creating the HAProxy directories

```
[root@mylinux1 conf]#
[root@mylinux1 conf]#
```
4) Creating the haproxy user

```
[root@mylinux1 conf]# id haproxy
id: haproxy: No such user
[root@mylinux1 conf]#
[root@mylinux1 conf]# id haproxy
uid=606(haproxy) gid=606(haproxy) groups=606(haproxy)
```
5) Configuring rsyslog to record the HAProxy log

Add the following line to the global section of haproxy.cfg:

log 127.0.0.1 local0 warning

Then edit the rsyslog configuration file rsyslog.conf so that the local0 facility is written to HAProxy's log file:

```
[root@mylinux1 conf]#
[root@mylinux1 conf]#
local0.*    /usr/local/haproxy/logs/haproxy.log
```
Next, change the rsyslog daemon options:

```
[root@mylinux1 conf]#
[root@mylinux1 conf]#
[root@mylinux1 conf]#
SYSLOGD_OPTIONS="-c 2 -m 0 -r -x"
[root@mylinux1 conf]#
5c5,6
< SYSLOGD_OPTIONS="-c 5"
---
>
> SYSLOGD_OPTIONS="-c 2 -m 0 -r -x"
```
At this point we find that on CentOS 6.5 netstat does not show port 514 in a listening state, and lsof shows no service on port 514 either:

```
[root@mylinux1 ~]#
[root@mylinux1 ~]#
[root@mylinux1 ~]#
```
One more setting in rsyslog.conf also has to be changed: uncomment the two lines that load the imudp module and start the UDP listener on port 514:

```
[root@mylinux1 ~]#
[root@mylinux1 ~]#
[root@mylinux1 ~]#
$ModLoad imudp
[root@mylinux1 ~]#
$UDPServerRun 514
```
Finally, restart the rsyslog service:

```
[root@mylinux1 conf]#
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
```
Check the listening state of port 514 and the service behind it once more:

```
[root@mylinux1 ~]#
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 2436 root    3u  IPv4  24957      0t0  UDP *:syslog
rsyslogd 2436 root    4u  IPv6  24958      0t0  UDP *:syslog
[root@mylinux1 ~]#
udp        0      0 0.0.0.0:514                 0.0.0.0:*                   2436/rsyslogd
udp        0      0 :::514                      :::*                        2436/rsyslogd
```
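The lsof and netstat output above shows the consequence of enabling $UDPServerRun 514 without a bind address: rsyslog listens on *:514 and will accept syslog datagrams from any host that can reach mylinux1, although the only sender here is HAProxy on 127.0.0.1. rsyslog's legacy directives are applied in file order, and a $UDPServerAddress line placed before $UDPServerRun restricts the listener to that address. The script below is an added check, not part of the original post: it reads an rsyslog.conf and reports where each UDP listener will bind, using two constructed config files (the post's variant and a loopback-only variant) written to temp files. rsyslog_udp_listeners and rsyslog_udp_exposed are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): where will rsyslog's UDP input bind?

rsyslog_udp_listeners() {   # rsyslog_udp_listeners FILE -> one "addr:port" per $UDPServerRun
    awk '
        /^[ \t]*#/ { next }                              # comment lines
        $1 == "$UDPServerAddress" { addr = $2; next }    # applies to every later $UDPServerRun
        $1 == "$UDPServerRun" {
            a = (addr == "" ? "*" : addr)                # no address given: all interfaces
            print a ":" $2
        }
    ' "$1"
}

rsyslog_udp_exposed() {     # rsyslog_udp_exposed FILE -> exit 0 if any listener binds to all interfaces
    rsyslog_udp_listeners "$1" | grep -q -E '^(\*|0\.0\.0\.0):'
}

# Constructed sample 1: the post's configuration (imudp loaded, port 514, no address).
RSYSLOG_AS_POSTED=$(mktemp)
cat > "$RSYSLOG_AS_POSTED" <<'EOF'
$ModLoad imuxsock
$ModLoad imudp
$UDPServerRun 514
local0.*    /usr/local/haproxy/logs/haproxy.log
EOF

# Constructed sample 2: HAProxy only ever logs to 127.0.0.1, so the listener
# is bound to loopback before it is started.
RSYSLOG_LOOPBACK=$(mktemp)
cat > "$RSYSLOG_LOOPBACK" <<'EOF'
$ModLoad imuxsock
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
local0.*    /usr/local/haproxy/logs/haproxy.log
EOF

for f in "$RSYSLOG_AS_POSTED" "$RSYSLOG_LOOPBACK"; do
    echo "$f: $(rsyslog_udp_listeners "$f")"
    if rsyslog_udp_exposed "$f"; then
        echo "   -> UDP syslog accepts messages from any host"
    else
        echo "   -> UDP syslog bound to loopback only"
    fi
done
```

After changing the file and restarting rsyslog as above, the lsof output should read 127.0.0.1:syslog instead of *:syslog; the HAProxy log lines (log 127.0.0.1 local0) keep arriving because they are sent to loopback.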
4. Editing the HAProxy configuration file

The HAProxy configuration file for a TCP-mode proxy is as follows:

```
[root@mylinux1 conf]#
global
    log 127.0.0.1 local0
    log 127.0.0.1:514 local0 warning
    pidfile /usr/local/haproxy/var/run/haproxy.pid
    daemon
    maxconn 20480
    chroot /usr/local/haproxy/var/chroot
    user haproxy
    group haproxy
    spread-checks 3
    nbproc 1

defaults
    log global
    retries 3
    option redispatch
    maxconn 2000
    timeout connect 5000
    timeout client 50000
    timeout server 50000

listen ssh
    bind 172.16.100.121:80
    mode tcp
    balance roundrobin
    timeout server 15s
    timeout connect 30s
    server mylinux3 192.168.100.181:22 check port 22
    server mylinux4 192.168.100.182:22 check port 22
```
5. Starting HAProxy and testing

1) Starting HAProxy

Check that the configuration file is valid with the following command:

```
[root@mylinux1 conf]# /usr/local/haproxy/sbin/haproxy -c -f haproxy.cfg
Configuration file is valid
```

Then start HAProxy; the command line used is the one visible in the ps output below (/usr/local/haproxy/sbin/haproxy -f haproxy.cfg -D). Whether it is running can be checked as follows:

```
[root@mylinux1 conf]# ps -ef | grep haproxy
haproxy   1550     1  0 18:25 ?        00:00:00 /usr/local/haproxy/sbin/haproxy -f haproxy.cfg -D
root      1553  1015  0 18:26 pts/1    00:00:00 grep haproxy
[root@mylinux1 conf]#
COMMAND  PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
haproxy 1550 haproxy    4u  IPv4  12088      0t0  TCP 172.16.100.121:http (LISTEN)
```
2) Testing the SSH proxy

In the configuration above, port 80 on HAProxy's eth1 address 172.16.100.121 proxies port 22 (the ssh service) on the backends mylinux3 and mylinux4, so a client only has to ssh to port 80 of 172.16.100.121 to reach the ssh service on either backend. Let's test whether it behaves as expected.

```
[root@mylinux1 conf]# ssh -p 80 172.16.100.121
The authenticity of host '[172.16.100.121]:80 ([172.16.100.121]:80)' can't be established.
RSA key fingerprint is ea:b0:45:d6:fa:48:60:41:a9:e4:f7:30:b9:ed:16:a4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.100.121]:80' (RSA) to the list of known hosts.
root@172.16.100.121's password:
Last login: Fri Sep 30 12:42:12 2016 from 192.168.100.1
[root@mylinux4 ~]# hostname
mylinux4.contoso.com
[root@mylinux4 ~]#
    inet 192.168.100.182/24 brd 192.168.100.255 scope global eth0
```
Good: the connection went through the HAProxy proxy to the host mylinux4.

Before the second test, the entries in known_hosts have to be cleared, otherwise ssh will warn that the host key has changed (the two backends have different host keys, so round-robin presents a different RSA fingerprint at the same proxy address). After clearing it, ssh to port 80 of 172.16.100.121 again; the result is as follows:

```
[root@mylinux1 conf]# ssh -p 80 172.16.100.121
The authenticity of host '[172.16.100.121]:80 ([172.16.100.121]:80)' can't be established.
RSA key fingerprint is 99:05:e5:e4:d3:78:bd:cf:94:e9:80:36:b5:5d:cc:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.100.121]:80' (RSA) to the list of known hosts.
root@172.16.100.121's password:
Last login: Fri Sep 30 18:29:10 2016 from 192.168.100.121
[root@mylinux3 ~]# hostname
mylinux3.contoso.com
[root@mylinux3 ~]#
    inet 192.168.100.181/24 brd 192.168.100.255 scope global eth0
```

This time we landed on mylinux3, which shows that HAProxy is proxying the TCP service successfully.
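Clearing known_hosts between connections works for a one-off test, but it also removes the only signal ssh has that the key behind 172.16.100.121:80 really changed. Because OpenSSH accepts a host when any known_hosts entry for that host matches the key presented, the cleaner approach is to record both backends' host keys under the proxy's address, so that whichever backend round-robin picks is already trusted and a third, unknown key still triggers the warning. The script below is an added example, not part of the original post: pin_backend_keys rewrites known_hosts-style lines for the backends (the format ssh-keyscan -p 22 192.168.100.181 192.168.100.182 prints) to the proxy label [172.16.100.121]:80, and install_pinned_keys replaces any previous entry for that label in a known_hosts file. The key material is a constructed placeholder, and pin_backend_keys, install_pinned_keys and count_entries are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): trust both backends' host keys
# under the proxy address instead of wiping known_hosts between connections.

pin_backend_keys() {      # pin_backend_keys PROXY_HOST PROXY_PORT < backend_keys
    awk -v host="[$1]:$2" '
        NF == 0 || $1 ~ /^#/ { next }       # blank lines and comments
        NF >= 3 { print host, $2, $3 }      # replace the host field, keep key type and key
    '
}

install_pinned_keys() {   # install_pinned_keys KNOWN_HOSTS PROXY_HOST PROXY_PORT < backend_keys
    kh="$1" label="[$2]:$3" tmp=$(mktemp)
    # Drop existing plain-text entries for the proxy label. For a file written
    # with HashKnownHosts=yes use: ssh-keygen -R "$label" -f "$kh"
    awk -v l="$label" '$1 != l' "$kh" > "$tmp"
    pin_backend_keys "$2" "$3" >> "$tmp"
    mv "$tmp" "$kh"
}

count_entries() {         # count_entries KNOWN_HOSTS LABEL -> number of entries for LABEL
    awk -v l="$2" '$1 == l' "$1" | wc -l | tr -d ' '
}

# Constructed sample: what ssh-keyscan would print for the two backends.
# These are placeholder strings, not real public keys.
BACKEND_KEYS=$(cat <<'EOF'
# 192.168.100.181:22 SSH-2.0-OpenSSH (constructed)
192.168.100.181 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYFORMYLINUX3
192.168.100.182 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYFORMYLINUX4
EOF
)

# Constructed sample known_hosts: a stale entry for the proxy label (the one the
# post wipes by hand) plus an unrelated host that must be left untouched.
KNOWN_HOSTS=$(mktemp)
cat > "$KNOWN_HOSTS" <<'EOF'
[172.16.100.121]:80 ssh-rsa AAAAB3NzaC1yc2EOLDSTALEENTRY
other.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEOTHERHOST
EOF

printf '%s\n' "$BACKEND_KEYS" | install_pinned_keys "$KNOWN_HOSTS" 172.16.100.121 80
echo "entries for [172.16.100.121]:80: $(count_entries "$KNOWN_HOSTS" '[172.16.100.121]:80')"
cat "$KNOWN_HOSTS"
```

Collect the backend keys over the 192.168.100.0/24 side (where you are not going through the proxy) and install them in the client's ~/.ssh/known_hosts; ssh -p 80 172.16.100.121 then connects to either backend without a prompt. Note also what the two sessions above record on the backend: the second login shows "from 192.168.100.121", HAProxy's own address, because a TCP-mode proxy opens a fresh connection to the server, so the backends' auth logs no longer identify the real client and HAProxy's local0 log is the place to correlate sessions with client addresses.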
This article is reposted from jerry1111111's 51CTO blog; original link: http://blog.51cto.com/jerry12356/1858204. Contact the original author for permission to reproduce it.