使用Nginx+Keepalived组建高可用负载平衡Web server集群

作者:W.S.T 发布时间:January 7, 2016 分类:Nginx

一,首先说明一下网络拓扑结构:
nginx-keepalived-webserver

1,Nginx 反向代理Server(HA):
①Nginx master:192.168.1.157
②Nginx backup:192.168.1.158
虚拟IP统一为:192.168.1.110
2,web服务器:
192.168.1.160 ,192.168.1.161,192.168.1.162   即web服务器,已配置好 Tomcat(Jboss等皆可)和java程序
3,mysql 数据库Server
mysql主从服务器

二,Nginx安装配置
1,安装
建议先用yum install yum-fastestmirror更新下源

下载并安装nginx1.0.9,下载文件均放到/usr/local/src目录下
cd /usr/local/src

①update yum
yum -y update

②利用CentOS Linux系统自带的yum命令安装、升级所需的程序库

安装依赖包
#yum install gcc pcre pcre-devel zlib zlib-devel openssl openssl-devel

下载nginx
#cd /usr/local/src
#wget http://www.nginx.org/download/nginx-1.0.9.tar.gz
#tar zxvf nginx-1.0.9.tar.gz
#cd nginx-1.0.9

配置安装:
#./configure --prefix=/usr --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/
#make
#make install

建立用户:
/usr/sbin/groupadd nginx
/usr/sbin/useradd -g nginx -M nginx
mkdir -p /var/tmp/nginx/client
启动nginx
#/usr/sbin/nginx

ps:如果中途提示缺少库,直接yum install xxx即可。
即:conf-path=/etc/nginx/nginx.conf,用户名为nginx,所属的组为nginx

2,配置
Nginx负载均衡设置:

①修改配置文件:
vi /etc/nginx/nginx.conf

步骤1,添加负载均衡的http upstream模块
upstream esbwebserver {
server 192.168.1.160:8888;
server 192.168.1.161:8888;
}

步骤2,server指令
server
{
listen 80;
server_name localhost;#注意此处为localhost

location / {
proxy_pass http://esbwebserver;# 添加的tomcat集群名称
......
}

②,重启Nginx,加载修改过的配置文件:
步骤1, 停止nginx引擎
killall -9 nginx

步骤2,启动nginx
/usr/sbin/nginx

到此为止,我们的负载均衡就实现了,下面实现Nginx的高可用,即双机热备。

三,Keepalived 安装配置
1,下载并安装keepalived-1.1.15.tar.gz,下载文件均放到/usr/local/src目录下
cd /usr/local/src
wget http://www.keepalived.org/software/keepalived-1.1.15.tar.gz

①解压缩
tar zxvf keepalived-1.1.15.tar.gz

②安装
cd keepalived-1.1.15
./configure --prefix=/usr/local/keepalived
make && make install

③安装成功后做成服务模式,方便启动和关闭
cp /usr/local/keepalived/sbin/keepalived /usr/sbin/
cp /usr/local/keepalived/etc/sysconfig/keepalived /etc/sysconfig/
cp /usr/local/keepalived/etc/rc.d/init.d/keepalived /etc/init.d/

④ 分别设置主和备Nginx上的 安装Keepalived配置文件。

配置文件位置:
/usr/local/keepalived/etc/keepalived/keepalived.conf

步骤一,先配置主Nginx server上的keepalived.conf文件,如下所示:

! Configuration File for keepalived

global_defs {
notification_email {
644856452@qq.com
}
notification_email_from 644856452@qq.com
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_DEVEL
}

vrrp_script check_run {
script "/root/bin/nginx_check.sh"
interval 5
}
vrrp_sync_group VG1 {
group {
VI_1
}
}

vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
mcast_src_ip 192.168.1.157
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}

track_script {
check_run
}

virtual_ipaddress {
192.168.1.110
}
}

步骤二,配置backup 服务器的keepalived.conf文件,如下所示:
! Configuration File for keepalived

global_defs {
notification_email {
644856452@qq.com
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_DEVEL
}

vrrp_script check_run {
script "/root/bin/nginx_check.sh"
interval 5
}
vrrp_sync_group VG1 {
group {
VI_1
}
}

vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 51
priority 99
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}

track_script {
check_run
}
virtual_ipaddress {
192.168.1.110
}
}

参考下例配置:
-----------------------------------------------------带注释的示例----------------------------------------------------
在主服务器编写配置文件
vrrp_script check_run{
script "/opt/nginx_pid.sh"
###监控脚本
interval 2
###监控时间
weight 2 ###如果检测返回值不为真weight 2 表示减2,权重值降低,backup server权重值>现Master的,切换
}

vrrp_instance VI_1 {
state MASTER ### 设置为 主
interface eth0 ### 监控网卡
virtual_router_id 51 ### 这个两台服务器必须一样
priority 101 ### 权重值 MASTRE 一定要高于 BAUCKUP
authentication {
auth_type PASS ### 加密
auth_pass 1111 ###加密的密码,两台服务器一定要一样,不然会出错
}

track_script {
check_run ### 执行监控的服务
}

virtual_ipaddress {
192.168.1.110 ### VIP 地址
}
}

6.在backup server 服务器 keepalived 配置
vrrp_script check_run{
script "/opt/nginx_pid.sh"
interval 2
weight 2
}

vrrp_instance VI_1 {
state BACKUP ### 设置为 辅机
interface eth0
virtual_router_id 51 ### 与 MASTRE 设置 值一样
priority 100 ### 比 MASTRE权重值 低

authentication {
auth_type PASS
auth_pass eric ### 密码 与 MASTRE 一样
}

track_script {
check_run
}

virtual_ipaddress {
192.168.1.110
}
}
----------------------------------------------over-------------------------------------------------------------------

说明:
1,绑定虚拟IP:
ifconfig eth0:1 192.168.1.110 broadcast 192.168.1.255 netmask 255.255.255.0 up
route add -host 192.168.1.110 dev eth0:1

2, 启动,关闭keepalived :
service keepalived start
service keepalived stop

3,测试可用性:
①主Nginx停止Nginx或直接断网情况下(backup正常),访问虚拟IP:192.168.1.110的相关Web服务,正常,测试通过
②backup Nginx停止Nginx或直接断网情况下(Master正常),访问虚拟IP:192.168.1.110的相关Web服务,正常,测试通过

4,监控
可用安装Nagios监控服务,详细请网络搜寻,很多这种资料的。
也可以参考:
http://blog.csdn.net/luxiaoyu_sdc/article/details/7333416

nginx 安全优化配置https站点

作者:W.S.T 发布时间:December 14, 2015 分类:Nginx

Nginx安全优化HTTPS站点,通过SSL测试,验证结果A+,配置如下:


            ssl on;
            ssl_certificate ssl.crt;
            ssl_certificate_key ssl.key;
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; 
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2 ;
            ssl_stapling on;
            resolver 114.114.114.114;
            ssl_prefer_server_ciphers on;
            ssl_stapling_verify on;
            ssl_dhparam wst2048.pem;
            ssl_session_cache shared:SSL:10m;
            ssl_session_timeout 10m;
            ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:!RC4-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;  

其中ssl.key ssl.cst为域名的SSL证书 wst2048.pem在linux通过命令
openssl gendh -out wst2048.pem 2048生成

这样通过https://www.ssllabs.com/ssltest/analyze.html 来测试分析https站点 就可以得分A+

nginx-https-ssl