LVS-DR mode configuration example

DR mode here serves both an HTTP and an HTTPS load-balanced cluster; every RS must be configured with the same private key and the same certificate.


After httpd is installed, obtain a certificate

[root@localhost ~]# mkdir /etc/pki/CA
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
.................+++++
e is 65537 (0x010001)
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:ZDJ
Organizational Unit Name (eg, section) []:ZDJ
Common Name (eg, your name or your server's hostname) []:zdj.com
Email Address []:1@2.com
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
...................+++++
e is 65537 (0x010001)
[root@localhost CA]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:ZDJ
Organizational Unit Name (eg, section) []:ZDJ
Common Name (eg, your name or your server's hostname) []:zdj.com
Email Address []:1@2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
[root@localhost CA]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 14 14:32:35 2021 GMT
            Not After : Jun 14 14:32:35 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = ZDJ
            organizationalUnitName    = ZDJ
            commonName                = zdj.com
            emailAddress              = 1@2.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2A:55:39:2C:01:07:0A:ED:D2:43:57:0C:65:04:C1:20:A8:F6:E4:53
            X509v3 Authority Key Identifier: 
                keyid:1B:81:BC:B9:AA:11:D6:68:22:5E:D5:C6:33:E4:AB:25:A9:37:4C:31

Certificate is to be certified until Jun 14 14:32:35 2022 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
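Since the post requires every RS to serve the same private key and certificate, a practitioner wants a check that the pair on each RS actually belongs together and is identical across servers. This is an added example, not from the original post: it compares the public key embedded in the certificate with the one derived from the private key, and compares SHA-256 fingerprints between two RS copies of the certificate. File paths are arguments; the post's httpd.crt/httpd.key are only the assumed defaults.

```shell
#!/bin/sh
# Added example (not part of the original post): verify the key/cert pair the
# post generated (httpd.key, httpd.crt) and confirm two RSs hold the same cert.

# pubkey_digest_of_cert CRT: SHA-256 of the public key PEM inside the certificate.
pubkey_digest_of_cert() {
    pem=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# pubkey_digest_of_key KEY: SHA-256 of the public key PEM derived from the private key.
pubkey_digest_of_key() {
    pem=$(openssl pkey -in "$1" -pubout) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_key_match CRT KEY: exit 0 if the private key belongs to the certificate,
# 1 if it does not, 2 if either file cannot be parsed.
cert_key_match() {
    c=$(pubkey_digest_of_cert "$1") || return 2
    k=$(pubkey_digest_of_key "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_fingerprint CRT: SHA-256 fingerprint, the value to compare between RSs.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | awk -F= '{print $2}'
}

# certs_identical CRT_A CRT_B: exit 0 when both RS copies are the same certificate.
certs_identical() {
    a=$(cert_fingerprint "$1") && b=$(cert_fingerprint "$2") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage on an RS: ./check.sh /etc/pki/CA/httpd.crt /etc/pki/CA/httpd.key
if [ "$#" -eq 2 ]; then
    if cert_key_match "$1" "$2"; then echo "key matches certificate"; else echo "MISMATCH"; fi
    echo "fingerprint: $(cert_fingerprint "$1")"
fi
```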

Create the index.html files

[root@R1 CA]#  echo "R1" >/usr/local/apache/htdocs/index.html

[root@R2 ~]# echo "R2" >/usr/local/apache/htdocs/index.html 

Configure the VIP and DIP on the director

[root@lb ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR0=192.168.98.123
NETMASK0=255.255.255.0
IPADDR1=192.168.98.66
NETMASK1=255.255.255.0
GATEWAY=192.168.98.2
DNS1=114.114.114.114

On each RS, turn off ARP announcement and ARP reply for the VIP, then configure the RIP and VIP

[root@R1 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

[root@R2 ~]# cat >> /etc/sysctl.conf <<EOF
> net.ipv4.conf.all.arp_ignore=1
> net.ipv4.conf.all.arp_announce=2
> EOF
[root@R2 ~]# sysctl -p
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

[root@R1 ~]# ifconfig lo:0 192.168.98.66/32 broadcast 192.168.98.66 up
[root@R1 ~]# route add -host 192.168.98.66 dev lo:0
[root@R1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.98.77
NETMASK=255.255.255.0
GATEWAY=192.168.98.2
DNS1=114.114.114.114

[root@R2 ~]# ifconfig lo:0 192.168.98.66/32 broadcast 192.168.98.66 up
[root@R2 ~]# route add -host 192.168.98.66 dev lo:0
[root@R2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.98.88
NETMASK=255.255.255.0
GATEWAY=192.168.98.2
DNS1=114.114.114.114
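The post appends the two ARP sysctl lines with `cat >> /etc/sysctl.conf <<EOF`, which adds duplicate lines every time the step is re-run, and on R1 the append step is not even shown. The following is an added example, not from the original post: an idempotent version of the RS-side step that leaves each key present exactly once, followed by the same lo:0 VIP and host-route commands the post uses. The file path, the sysctl keys and the VIP 192.168.98.66 are the post's values; DR_APPLY=1 is an assumed guard so the functions can be exercised on a temporary file without touching the system.

```shell
#!/bin/sh
# Added example (not part of the original post): idempotent RS preparation for LVS-DR.

# set_sysctl_kv FILE KEY VALUE: leave exactly one "KEY = VALUE" line in FILE,
# replacing any existing assignment of KEY (key=value or key = value).
set_sysctl_kv() {
    file="$1" key="$2" value="$3"
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')      # escape dots for the regex
    [ -f "$file" ] || : > "$file"
    { grep -v -E "^[[:space:]]*${pat}[[:space:]]*=" "$file" || true; } > "$file.tmp"
    printf '%s = %s\n' "$key" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# count_key FILE KEY: number of assignments of KEY in FILE (1 after set_sysctl_kv).
count_key() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -c -E "^[[:space:]]*${pat}[[:space:]]*=" "$1" || true
}

# get_key FILE KEY: the value currently assigned to KEY, empty if absent.
get_key() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${pat}[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# write_dr_rs_sysctl FILE: the two settings from the post, written idempotently.
write_dr_rs_sysctl() {
    set_sysctl_kv "$1" net.ipv4.conf.all.arp_ignore 1
    set_sysctl_kv "$1" net.ipv4.conf.all.arp_announce 2
}

# Real run on an RS (as root, with DR_APPLY=1): write, load, then add the VIP on lo:0
# and the host route exactly as the post does.
if [ "$(id -u)" = 0 ] && [ "${DR_APPLY:-0}" = 1 ]; then
    write_dr_rs_sysctl /etc/sysctl.conf && sysctl -p
    ifconfig lo:0 192.168.98.66/32 broadcast 192.168.98.66 up
    route add -host 192.168.98.66 dev lo:0
fi
```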

On the director, add the rules, save them, and have them loaded automatically at boot

[root@lb ~]# ipvsadm -A -t 192.168.98.66:80 -s rr
[root@lb ~]# ipvsadm -a -t 192.168.98.66:80 -r 192.168.98.77:80 -g
[root@lb ~]# ipvsadm -a -t 192.168.98.66:80 -r 192.168.98.88:80 -g
[root@lb ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.98.66:80 rr
  -> 192.168.98.77:80             Route   1      0          0         
  -> 192.168.98.88:80             Route   1      0          0

[root@lb ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@lb ~]# echo "ipvsadm -Sn > /etc/sysconfig/ipvsadm" >>/etc/rc.d/rc.local

Test

[root@lb ~]# curl 192.168.98.66
R1
[root@lb ~]# curl 192.168.98.66
R2
[root@lb ~]# curl 192.168.98.66
R1
[root@lb ~]# curl 192.168.98.66
R2
Copyright © 2022 Egon的技术星球 egonlin.com. All rights reserved. Helping IT learners master real technology.