部署Centos7下Haproxy實現Exchange反向代理負載並通過Keepalived主備負載

mini介質安裝Centos7

1. Centos環境準備

1.1 啓用root用戶ssh登陸

vi /etc/ssh/sshd_config

PermitRootLogin yes

systemctl restart sshd.service

1.2 環境準備及安裝

yum -y update

yum install wget ftp ntp* mlocate openssl openssl-devel openssl-perl.x86_64 net-tools gcc automake autoconf libtool make -y

關閉SELINUX

vi /etc/selinux/config

將SELINUX=enforcing改爲SELINUX=disabled(重啓後生效)

getenforce

建立系統帳號

useradd -s /sbin/nologin -M haproxy

id haproxy

配置NTP服務

vi /etc/ntp.conf

添加以下內容

fudge 127.127.1.0 stratum 12

server ntp.api.bz iburst minpoll 6 maxpoll 7

server 0.cn.pool.ntp.org iburst minpoll 6 maxpoll 7

server 1.cn.pool.ntp.org iburst minpoll 6 maxpoll 7

server 2.cn.pool.ntp.org iburst minpoll 6 maxpoll 7

service ntpd start

systemctl enable ntpd.service

檢查服務狀態

netstat -ano |grep :123

ntpq -p

1.2.1 Cert證書準備

1.2.2 根證書

1.2.2.1檢查根證書是否包含在主機內:

curl https://mail.alan.corp/owa

1.2.2.2 第三方根證書導入主機

root.cer(根證書),intermediate.cer(中間證書機構證書)

Der格式證書轉Base64格式

openssl x509 -in root.cer -inform der -outform pem -out root.pem

openssl x509 -in intermediate.cer -inform der -outform pem -out intermediate.pem

將頒發證書機構導入本機證書

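# Make the issuing chain trusted system-wide. On CentOS 7 /etc/pki/tls/certs/ca-bundle.crt
# is generated by update-ca-trust, so text appended to it directly is lost the next
# time the bundle is rebuilt; place the PEMs in the anchors directory instead.
cp -- root.pem intermediate.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust
# Re-check that the host now trusts the Exchange certificate (same test as 1.2.2.1).
curl -sS -o /dev/null -w '%{http_code}\n' https://mail.alan.corp/owa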

1.2.2.3 將Exchange主機私有證書導入本機

mail.pfx(Exchange主機證書帶私有證書,導出保存Base64格式)

openssl pkcs12 -in mail.pfx -nocerts -out exchange_private_key_passwordprotected.pem

輸入pfx文件密碼,輸入Pem文件密碼(4位以上)

openssl rsa -in exchange_private_key_passwordprotected.pem -out exchange_private_key_nopassword.pem

輸入Pem密碼

openssl pkcs12 -in mail.pfx -clcerts -nokeys -out exchange_certificate.pem

輸入pfx密碼

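# Combine certificate and key into the single PEM HAProxy loads with "ssl crt".
# The key was stripped of its passphrase above, so the file must not be created
# under the default umask: build it with a restrictive umask and install it root-only
# (HAProxy reads certificates as root before dropping to the haproxy user).
( umask 077 && cat exchange_certificate.pem exchange_private_key_nopassword.pem > exchange_certificate_and_key_nopassword.pem )
install -m 0600 -o root -g root exchange_certificate_and_key_nopassword.pem /etc/ssl/certs/exchange_certificate_and_key_nopassword.pem
# The intermediate files still contain the private key; tighten them and drop the
# working copy of the bundle (the original mv had the same end state for that file).
chmod 0600 exchange_private_key_passwordprotected.pem exchange_private_key_nopassword.pem
rm -f -- exchange_certificate_and_key_nopassword.pem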

1.3 安裝haproxy

1.3.1軟件下載編譯及安裝

cd /tmp

下載並解壓縮

下載方法01:wget http://www.haproxy.org/download/1.9/src/haproxy-1.9.6.tar.gz

tar -zxvf haproxy-1.9.6.tar.gz

下載方法02:curl --progress http://www.haproxy.org/download/1.9/src/haproxy-1.9.6.tar.gz | tar xz

cd haproxy-1.9.6

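# Build and install HAProxy from the tarball extracted in 1.3.1.
Hadir=/data/haproxy   # install prefix; reused by the init-script, log and config steps below
haver=1.9.6           # must match the tarball downloaded above

mkdir -p -- "$Hadir"

# The source tree already exists from the extraction above; enter it by its exact
# name instead of the unfinished "haproxy-" pattern, and stop if it is missing.
cd "/tmp/haproxy-${haver}" || exit 1

# TARGET selects the kernel/libc build profile (check the README in the source tree
# if make rejects it); USE_OPENSSL=1 is required for the "ssl crt" bind in haproxy.cfg.
make TARGET=linux310 ARCH=x86_64 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_CRYPT_H=1 USE_LIBCRYPT=1 PREFIX="$Hadir"

make install PREFIX="$Hadir"

# Sanity-check the binary and confirm OpenSSL support is compiled in.
"$Hadir/sbin/haproxy" -v

"$Hadir/sbin/haproxy" -vv | grep -i openssl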

#內核優化

#NAT轉發

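# Kernel settings: IP forwarding and binding to the VIP before keepalived assigns it.
# The original sed only rewrote an existing "ip_forward = 0" line; the stock CentOS 7
# sysctl.conf has no such line, so nothing changed. ensure_sysctl KEY VALUE [FILE]
# replaces an existing KEY line or appends one, so re-running stays idempotent.
ensure_sysctl() {
  local key=$1 value=$2 file=${3:-/etc/sysctl.conf}
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" -- "$file"; then
    sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" -- "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

ensure_sysctl net.ipv4.ip_forward 1
# Lets HAProxy bind the VIP while the address is still held by the other node.
ensure_sysctl net.ipv4.ip_nonlocal_bind 1

grep -E 'ip_forward|ip_nonlocal_bind' /etc/sysctl.conf

sysctl -p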

1.3.2啓動腳本配置

# Turn the bundled SysV init example into the service script for this prefix.
init_script="$Hadir/haproxy"
cp -- ./examples/haproxy.init "$init_script"
chmod 755 -- "$init_script"

# Point the script at the binary and config under $Hadir. $BASENAME is expanded by
# the init script itself at run time, so it is written literally into the file.
sed -i "/^BIN=/cBIN=${Hadir}/sbin/\$BASENAME" "$init_script"
sed -i "/^CFG=/cCFG=${Hadir}/\$BASENAME.cfg" "$init_script"

1.3.3日誌配置

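# Route HAProxy's log lines (sent over UDP to 127.0.0.1:514, see "log 127.0.0.1 local0"
# in haproxy.cfg) through rsyslog into /var/log/haproxy.log.
# append_once LINE FILE: append LINE unless an identical line is already present, so
# re-running this section does not stack duplicate rules.
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

sed -i 's/^#$ModLoad imudp/$ModLoad imudp/' /etc/rsyslog.conf

# Only the local HAProxy process needs the UDP listener, so bind it to loopback
# ($UDPServerAddress must precede $UDPServerRun). Nothing is inserted on a re-run
# because the commented line is gone by then.
sed -i 's/^#$UDPServerRun 514/$UDPServerAddress 127.0.0.1\n$UDPServerRun 514/' /etc/rsyslog.conf

append_once 'local0.* /var/log/haproxy.log' /etc/rsyslog.conf

systemctl restart rsyslog

# Start from an empty config; section 1.3.5 writes the real one.
: > "$Hadir/haproxy.cfg"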

1.3.4 其餘及防火牆配置

# Runtime directory for the chrooted process ("chroot /var/lib/haproxy" in the config).
mkdir -p /var/lib/haproxy

# Firewall: open every listener defined in haproxy.cfg. 9000 is the stats/admin page
# ("listen stats"); it is opened on all interfaces here exactly as in the original
# rule set — narrow it to a management network if that page must not be client-reachable.
haproxy_ports=(443 80 25 110 143 465 587 993 995 9000)
for port in "${haproxy_ports[@]}"; do
  firewall-cmd --permanent --add-port="${port}/tcp"
done

systemctl restart firewalld

1.3.5 建立配置文件

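# Write the HAProxy configuration ($Hadir is set in 1.3.1). A quoted heredoc keeps
# every line literal, and all listeners — HTTP, HTTPS and the mail protocols — are
# inside it: in the original the mail sections followed the closing quote and never
# reached the file, and the bare "Http 80 負載" headings would have been parse errors.
cat > "$Hadir/haproxy.cfg" <<'EOF'
###########全局配置#########
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
daemon
#nbproc 1     #進程數量
maxconn 4096  #最大鏈接數
user haproxy  #運行用戶
group haproxy #運行組
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
# DH parameter size for the TLS listener below (HAProxy otherwise warns and uses 1024).
tune.ssl.default-dh-param 2048
########默認配置############
defaults
log global
mode http             #默認模式{ tcp|http|health }
option httplog       #日誌類別,採用httplog
option dontlognull   #不記錄健康檢查日誌信息
retries 2            #2次鏈接失敗不可用
option forwardfor    #後端服務得到真實ip
option httpclose     #請求完畢後主動關閉http通道
option abortonclose  #服務器負載很高,自動結束比較久的連接
maxconn 4096         #最大鏈接數
timeout connect 5m   #鏈接超時
timeout client 1m    #客戶端超時
timeout server 31m   #服務器超時
timeout check 10s    #心跳檢測超時
balance roundrobin   #負載均衡方式,輪詢
#狀態頁面控制
listen stats
# Bound on every interface, and 9000 is opened in the firewall; the page also exposes
# admin actions ("stats admin"). Restrict the bind address or the firewall rule to a
# management network and replace the credentials below before deployment.
bind *:9000 #假裝的端口號
mode http #工做模式
balance #負載模式
stats enable #顯示狀態頁面
stats hide-version #隱藏haproxy的版本號
stats realm HAProxy\ Stats #提示信息
stats auth admin:P@44w0rd #登陸狀態頁面的賬號和密碼
stats admin if TRUE #狀態頁面出現管理功能
stats uri /haproxy?stats #訪問入口
#轉發配置
# Http 80 負載
frontend ft_exchange_HTTP
bind *:80 name web
maxconn 10000
default_backend bk_exchange_HTTP
backend bk_exchange_HTTP
server Node01 10.101.0.150:80 maxconn 10000 check
server Node02 10.101.0.151:80 maxconn 10000 check backup
# Https 443 負載
# TLS is terminated with the bundle prepared in 1.2.2.3 so the HTTP options above
# (forwardfor, httplog) apply; without "ssl crt" an http-mode listener cannot read
# the TLS stream. Append intermediate.pem to that bundle if clients need the chain.
frontend ft_exchange_SSL
bind *:443 name ssl ssl crt /etc/ssl/certs/exchange_certificate_and_key_nopassword.pem
maxconn 10000 #alctl: connection max (depends on capacity)
default_backend bk_exchange_SSL #alctl: default farm to use
backend bk_exchange_SSL
# Re-encrypt to Exchange and verify its certificate against the trust store the
# issuing chain was added to in 1.2.2.2.
server Node01 10.101.0.150:443 maxconn 10000 check ssl verify required ca-file /etc/pki/tls/certs/ca-bundle.crt
server Node02 10.101.0.151:443 maxconn 10000 check backup ssl verify required ca-file /etc/pki/tls/certs/ca-bundle.crt
# The mail protocols are not HTTP: each frontend/backend pair below overrides the
# default "mode http" with "mode tcp" (both sides must agree or HAProxy rejects the
# config). The HTTP-only options inherited from defaults are ignored there with a
# startup warning.
# SMTP 25 負載
frontend ft_exchange_SMTP
mode tcp
bind *:25 name smtp
maxconn 10000
default_backend bk_exchange_SMTP
backend bk_exchange_SMTP
mode tcp
server Node01 10.101.0.150:25 maxconn 10000 check
server Node02 10.101.0.151:25 maxconn 10000 check backup
# SMTPS 465 負載
frontend ft_exchange_SMTP_Secure465
mode tcp
bind *:465 name smtpssl465
maxconn 10000
default_backend bk_exchange_SMTP_Secure465
backend bk_exchange_SMTP_Secure465
mode tcp
server Node01 10.101.0.150:465 maxconn 10000 check
server Node02 10.101.0.151:465 maxconn 10000 check backup
# SMTP submission 587 負載
frontend ft_exchange_SMTP_Secure587
mode tcp
bind *:587 name smtpssl587
maxconn 10000
default_backend bk_exchange_SMTP_Secure587
backend bk_exchange_SMTP_Secure587
mode tcp
server Node01 10.101.0.150:587 maxconn 10000 check
server Node02 10.101.0.151:587 maxconn 10000 check backup
# IMAP 143 負載
frontend ft_exchange_IMAP
mode tcp
bind *:143 name imap
maxconn 10000
default_backend bk_exchange_IMAP
backend bk_exchange_IMAP
mode tcp
server Node01 10.101.0.150:143 maxconn 10000 check
server Node02 10.101.0.151:143 maxconn 10000 check backup
# IMAPS 993 負載
frontend ft_exchange_IMAP_Secure
mode tcp
bind *:993 name imapssl
maxconn 10000
default_backend bk_exchange_IMAP_Secure
backend bk_exchange_IMAP_Secure
mode tcp
server Node01 10.101.0.150:993 maxconn 10000 check
server Node02 10.101.0.151:993 maxconn 10000 check backup
# POP3 110 負載
frontend ft_exchange_POP3
mode tcp
bind *:110 name pop3
maxconn 10000
default_backend bk_exchange_POP3
backend bk_exchange_POP3
mode tcp
server Node01 10.101.0.150:110 maxconn 10000 check
server Node02 10.101.0.151:110 maxconn 10000 check backup
# POP3S 995 負載
frontend ft_exchange_POP3_Secure
mode tcp
bind *:995 name pop3ssl
maxconn 10000
default_backend bk_exchange_POP3_Secure
backend bk_exchange_POP3_Secure
mode tcp
server Node01 10.101.0.150:995 maxconn 10000 check
server Node02 10.101.0.151:995 maxconn 10000 check backup
EOF

# Reject a broken config before the init script tries to start with it.
"$Hadir/sbin/haproxy" -c -f "$Hadir/haproxy.cfg"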


1.4 #啓動

# Start HAProxy through the init script prepared in 1.3.2, then confirm the
# listeners are up and the process is running.
/data/haproxy/haproxy start

ss -antp | grep -- haproxy

pgrep -a haproxy

1.5 #添加自啓動

# Register the init script with SysV so HAProxy starts at boot (legacy init scripts
# are still honoured on CentOS 7), then restart through the service name.
haproxy_init=/data/haproxy/haproxy
ln -sf -- "$haproxy_init" /etc/init.d/haproxy

chkconfig --add haproxy
chkconfig haproxy on
chkconfig --list haproxy

service haproxy restart

1.6 重啓檢查服務狀態:

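# Post-restart checks: service state, process, and the firewall rule for 443.
systemctl status haproxy

pgrep -a haproxy

firewall-cmd --query-port=443/tcp

firewall-cmd --list-services # list open services

# firewall-cmd usage reference. These are runtime rules (no --permanent), and ports
# 3306 and 233 have nothing to do with this deployment, so they are shown commented
# out rather than as steps to run on the proxy. The original "--remove-port=80tcp"
# was missing the "/" and its comment named the wrong port.
# firewall-cmd --add-port=3306/tcp   # open tcp/3306
# firewall-cmd --remove-port=80/tcp  # close tcp/80
# firewall-cmd --add-port=233/udp    # open udp/233

firewall-cmd --list-ports # list open ports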

1.7 keepalived配置

安裝前環境準備

yum -y install psmisc libnfnetlink-devel curl gcc openssl-devel libnl3-devel net-snmp-devel

1.7.1 下載與安裝

軟件目錄規劃

軟件安裝目錄:/data/keepalived

日誌文件單獨存放在/var/log/keepalived/keepalived.log下

#配置主機名

hostnamectl set-hostname corp-haproxy-01

vi /etc/hosts

增加主機地址

172.16.0.222 corp-haproxy-01.localdomain

防火牆放行vrrp組播

# Accept VRRP (IP protocol 112) multicast on the interface keepalived uses; without
# it the nodes typically cannot see each other's advertisements.
vrrp_if=ens160
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 \
  --in-interface "$vrrp_if" --destination 224.0.0.18 --protocol vrrp -j ACCEPT

firewall-cmd --reload

1.7.3開始編譯

1.7.3.1下載源碼包

下載站點:

一、http://www.keepalived.org/download.html

二、http://keepalived.org/software

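# Fetch the keepalived source. The original mixed two releases (2.0.13 via curl,
# 2.0.15 via wget) while the init-script copy in 1.7.3.3 expects 2.0.15; one
# version variable keeps the download, the build and the later paths in agreement.
klver=2.0.15

cd /tmp || exit 1

# The archive is fetched over plain HTTP; compare it with the checksum or signature
# the project publishes (if any) before building it in 1.7.3.2.
wget "http://www.keepalived.org/software/keepalived-${klver}.tar.gz"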

1.7.3.2 編譯

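# Build and install keepalived under its own prefix.
kldir=/data/keepalived   # install prefix; referenced by the unit file and copies below
klver=${klver:-2.0.15}   # release downloaded in 1.7.3.1 (the paths in 1.7.3.3 use 2.0.15)

mkdir -p -- "$kldir"

# Extract by the exact tarball name instead of the unfinished "keepalived-" pattern,
# and stop if either step fails so configure does not run in the wrong directory.
cd /tmp || exit 1
tar -axf "keepalived-${klver}.tar.gz" && cd "./keepalived-${klver}" || exit 1

./configure --prefix="$kldir"

make && make install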

1.7.3.3自啓動腳本

檢查腳本信息是否正確

cat /usr/lib/systemd/system/keepalived.service

[Unit]

Description=LVS and VRRP High Availability Monitor

After= network-online.target syslog.target

Wants=network-online.target

[Service]

Type=forking

PIDFile=/var/run/keepalived.pid

KillMode=process

EnvironmentFile=-/data/keepalived/etc/sysconfig/keepalived

ExecStart=/data/keepalived/sbin/keepalived $KEEPALIVED_OPTIONS

ExecReload=/bin/kill -HUP $MAINPID

[Install]

WantedBy=multi-user.target

!!!!默認的日誌存放位置在/var/log/messages中。

echo 'local3.* /var/log/keepalived/keepalived.log' >>/etc/rsyslog.conf

然後需要修改keepalived.conf

建立默認啓動文件

# Copy the default config, the SysV script and the sysconfig file to the system
# locations the unit file and init script expect.
kl_prefix=/data/keepalived

mkdir -p /etc/keepalived
cp -- "$kl_prefix/etc/keepalived/keepalived.conf" /etc/keepalived/
cp -- /tmp/keepalived-2.0.15/keepalived/etc/init.d/keepalived /etc/rc.d/init.d/
cp -- "$kl_prefix/etc/sysconfig/keepalived" /etc/sysconfig/

vi /etc/keepalived/keepalived.conf

! Configuration File for keepalived

global_defs {

notification_email { #指定keepalived在發生事件時發送郵件告知,可以有多個地址,每行一個.

sysadmin@firewall.loc

}

notification_email_from Alexandre.Cassen@firewall.loc #指定發件人

smtp_server 192.168.200.1 #發送email的smtp地址

smtp_connect_timeout 30 #超時時間

router_id Haproxy_MASTER #運行keepalived的機器的一個標識,多個節點的標識可以相同,也可以不同

}

vrrp_script check_haproxy { #killall (安裝 yum install psmisc -y)

script "killall -0 haproxy"

interval 2

weight 2 #權值:腳本成功(返回0)時優先級等於priority+weight,否則爲priority

}

vrrp_instance Haproxy_01 {

state MASTER                    #指定當前節點爲主節點,備用節點上設置爲BACKUP即可

interface ens160                #綁定虛擬IP的網絡接口

mcast_src_ip 172.16.0.222       #本機IP地址

virtual_router_id 51 #VRRP組名,兩個節點的設置必須同樣,以指明各個節點屬於同一VRRP組

priority 100                    #主節點的優先級(1-254之間),備用節點必須比主節點優先級低

advert_int 1                    #設置主備之間的檢查時間,單位爲s

authentication {                #設置驗證信息,兩個節點必須一致

    auth_type PASS

    auth_pass 1111

}

virtual_ipaddress {                      #指定虛擬IP, 兩個節點設置必須同樣

    172.16.0.220/24 brd 172.16.0.255 dev ens160 label ens160:vip

}

track_script {

check_haproxy

}

smtp_alert            #狀態切換,使用郵件通知

}

重啓服務即可。

1.7.3.4 設置開機啓動

systemctl enable keepalived.service

第二臺主機修改:

1.主機名:

hostnamectl set-hostname SD-haproxy02

vi /etc/hosts

修改爲第二臺主機地址

10.101.0.154 SD-haproxy02.localdomain

2.修改IP

vi /etc/sysconfig/network-scripts/ifcfg-ens160

修改爲第二臺主機地址

IPADDR=10.101.0.154

service network restart

3.修改keepalived配置

vi /etc/keepalived/keepalived.conf

修改以下行

smtp_server 10.101.0.151 #發送email的smtp地址

router_id Haproxy_BACKUP #運行keepalived的機器的一個標識,多個節點的標識可以相同,也可以不同

vrrp_instance Haproxy_BACKUP {

state BACKUP #指定當前節點爲備用節點(主節點上爲MASTER)

priority 99 #備用節點的優先級(1-254之間),必須比主節點的100低

轉載於:http://www.javashuo.com/article/p-mwjdvxxc-hv.html
