lvs-nat模式配置示例

nat模式实现http和https两种负载均衡集群，每个RS都要提供同一个私钥和同一个证书

 安装过程请找脚本
[root@localhost ~]# mkdir /etc/pki/CA
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# mkdir private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
.................+++++
e is 65537 (0x010001)
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:ZDJ
Organizational Unit Name (eg, section) []:ZDJ
Common Name (eg, your name or your server's hostname) []:zdj.com
Email Address []:1@2.com
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
...................+++++
e is 65537 (0x010001)
[root@localhost CA]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:ZDJ
Organizational Unit Name (eg, section) []:ZDJ
Common Name (eg, your name or your server's hostname) []:zdj.com
Email Address []:1@2.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
[root@localhost CA]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 14 14:32:35 2021 GMT
            Not After : Jun 14 14:32:35 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = ZDJ
            organizationalUnitName    = ZDJ
            commonName                = zdj.com
            emailAddress              = 1@2.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2A:55:39:2C:01:07:0A:ED:D2:43:57:0C:65:04:C1:20:A8:F6:E4:53
            X509v3 Authority Key Identifier: 
                keyid:1B:81:BC:B9:AA:11:D6:68:22:5E:D5:C6:33:E4:AB:25:A9:37:4C:31
 
Certificate is to be certified until Jun 14 14:32:35 2022 GMT (365 days)
Sign the certificate? [y/n]:y
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

创建测试index.html

 [root@R1 CA]#  echo "R1" >/usr/local/apache/htdocs/index.html
 
[root@R2 ~]# echo "R2" >/usr/local/apache/htdocs/index.html

关闭三台机子的防火墙

 [root@lb ~]# systemctl disable --now firewalld
[root@lb ~]# setenforce 0
 
[root@R1 CA]# systemctl disable --now firewalld
[root@R1 CA]# setenforce 0
 
[root@R2 ~]# systemctl disable --now firewalld
[root@R2 ~]# setenforce 0

在调度器上开启IP转发功能

 [root@lb ~]#  echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf 
[root@lb ~]# sysctl -p
net.ipv4.ip_forward = 1

在调度器上添加并保持规则

 [root@lb ~]# ipvsadm -A -t 192.168.100.123:80 -s rr
[root@lb ~]# ipvsadm -a -t 192.168.100.123:80 -r 192.168.98.77:80 -m
[root@lb ~]# ipvsadm -a -t 192.168.100.123:80 -r 192.168.98.88:80 -m
[root@lb ~]# ipvsadm -A -t 192.168.100.123:443 -s rr
[root@lb ~]# ipvsadm -a -t 192.168.100.123:443 -r 192.168.98.77:443 -m
[root@lb ~]# ipvsadm -a -t 192.168.100.123:443 -r 192.168.98.88:443 -m
[root@lb ~]# ipvsadm -Sn > /etc/sysconfig/ipvsadm
[root@lb ~]# cat /etc/sysconfig/ipvsadm
-A -t 192.168.100.123:80 -s rr
-a -t 192.168.100.123:80 -r 192.168.98.77:80 -m -w 1
-a -t 192.168.100.123:80 -r 192.168.98.88:80 -m -w 1
-A -t 192.168.100.123:443 -s rr
-a -t 192.168.100.123:443 -r 192.168.98.77:443 -m -w 1
-a -t 192.168.100.123:443 -r 192.168.98.88:443 -m -w 1

设置开机自启

 [root@lb ~]# systemctl enable ipvsadm
Created symlink /etc/systemd/system/multi-user.target.wants/ipvsadm.service → /usr/lib/systemd/system/ipvsadm.service.
[root@lb ~]# echo "ipvsadm -R < /etc/sysconfig/ipvsadm" >>/etc/rc.d/rc.local

将RIP的网关都指向DIP

 [root@R1 CA]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.98.77
PREFIX=24
GATEWAY=192.168.98.123
DNS1=114.114.114.114
 
[root@R2 htdocs]# cat /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.98.88
PREFIX=24
GATEWAY=192.168.98.123
DNS1=114.114.114.114

测试效果

 [root@lb ~]# curl 192.168.100.123
R1
[root@lb ~]# curl 192.168.100.123
R2
[root@lb ~]# curl 192.168.100.123
R1
[root@lb ~]# curl 192.168.100.123
R2

推荐文章