How to Set Up HAProxy as a Load Balancer for Nginx on CentOS 8


To ensure maximum web application availability, scalability, and high performance, it is now common to implement technologies that introduce redundancy, such as server clustering and load balancing. For example, you can set up a cluster of servers that all run the same application(s) and then deploy load balancers in front of them to distribute the traffic.

HAProxy is an open-source, powerful, high-performance, reliable, secure and widely used high-availability TCP/HTTP load balancer, proxy server and SSL/TLS terminator built for very high traffic websites. It runs reliably on Linux, Solaris, FreeBSD, OpenBSD and AIX operating systems.

This guide shows how to set up a dedicated high-availability load balancer with HAProxy on CentOS 8 to control traffic in a cluster of NGINX web servers. It also demonstrates how to configure SSL/TLS termination in HAProxy.

A total of 4 servers with a minimal CentOS 8 installation.

----------- HAProxy Server Setup ----------- 
HA Proxy Server - hostname: haproxy-server.tecmint.lan; IP: 10.42.0.247
Test Site Domain: www.tecmint.lan


----------- Client Web Servers Setup ----------- 
Web Server #1 - hostname: websrv1.tecmint.lan; IP: 10.42.0.200
Web Server #2 - hostname: websrv2.tecmint.lan; IP: 10.42.0.21
Web Server #3 - hostname: websrv3.tecmint.lan; IP: 10.42.0.34

Step 1: Setting Up the Nginx HTTP Server on the Client Machines

1. Log into all your CentOS 8 client machines and install the Nginx web server using the dnf package manager as shown.

# dnf install nginx

2. Next, start the Nginx service, enable it to start automatically at system boot, and confirm that it is up and running by checking its status with the systemctl commands (do this on all the client machines).

# systemctl start nginx
# systemctl enable nginx
# systemctl status nginx

3. Also, if the firewalld service is running on all the client machines (which you can check by running systemctl status firewalld), you must add the HTTP and HTTPS services to the firewall configuration to allow requests from the load balancer to pass through the firewall to the Nginx web servers. Then reload the firewalld service to apply the new changes (do this on all the client machines).

# firewall-cmd --zone=public --permanent --add-service=http
# firewall-cmd --zone=public --permanent --add-service=https
# firewall-cmd --reload

4. Next, open a web browser on your local machine and test whether the Nginx installation works. Use the client IP addresses to navigate; once you see the Nginx test page, the web server installed on that client machine is working properly.

5. Next, we need to create test pages on the client machines that we will use later to test the HAProxy setup.

----------- Web Server #1 ----------- 
# cp /usr/share/nginx/html/index.html /usr/share/nginx/html/index.html.orig
# echo "Showing site from websrv1.tecmint.lan"> /usr/share/nginx/html/index.html

----------- Web Server #2 ----------- 
# cp /usr/share/nginx/html/index.html /usr/share/nginx/html/index.html.orig
# echo "Showing site from websrv2.tecmint.lan"> /usr/share/nginx/html/index.html

----------- Web Server #3 ----------- 
# cp /usr/share/nginx/html/index.html /usr/share/nginx/html/index.html.orig
# echo "Showing site from websrv3.tecmint.lan"> /usr/share/nginx/html/index.html

Step 2: Installing and Configuring the HAProxy Server on CentOS 8

6. Now install the HAProxy package on the HAProxy server by running the following command.

# dnf install haproxy

7. Next, start the HAProxy service, enable it to start automatically at system boot and verify its status.

# systemctl start haproxy
# systemctl enable haproxy
# systemctl status haproxy

8. Now we will configure HAProxy using the following configuration file.

# vi /etc/haproxy/haproxy.cfg

The configuration file is divided into four major sections.

  • global settings - sets process-wide parameters.
  • defaults - this section sets default parameters for all other sections following its declaration.
  • frontend - this section describes a set of listening sockets accepting client connections.
  • backend - this section describes a set of servers to which the proxy will connect to forward incoming connections.

To understand the options under global settings and defaults, read the HAProxy documentation (link provided at the end of the article). For this guide, we will use the defaults.

9. Once deployed, HAProxy will play a significant role in your IT infrastructure, so configuring logging for it is a basic requirement; this allows you to get insights about each connection to your backend web servers.

The log parameter (highlighted in the following screenshot) declares a global Syslog server (such as rsyslog, the default in CentOS) that will receive log messages. You can declare more than one server here.

The default configuration points to localhost (127.0.0.1), and local2 is the default facility code used to identify HAProxy log messages under rsyslog.

10. Next, you need to tell the rsyslog server how to receive and process HAProxy log messages. Open the rsyslog configuration file /etc/rsyslog.conf or create a new file within the /etc/rsyslog.d directory, for example /etc/rsyslog.d/haproxy.conf.

# vi /etc/rsyslog.d/haproxy.conf

Copy and paste the following configuration to collect logs over UDP on the default port 514.

$ModLoad imudp 
$UDPServerAddress 127.0.0.1 
$UDPServerRun 514 

Also add the following lines to instruct rsyslog to write to two separate log files based on severity, where local2 is the facility code defined in the HAProxy configuration above.

local2.* 	/var/log/haproxy-traffic.log 
local2.notice 	/var/log/haproxy-admin.log

11. Save the file and close it. Then restart the rsyslog service to apply the recent changes.

# systemctl restart rsyslog

12. In this section, we will demonstrate how to configure the front-end and back-end proxies. Go back to the HAProxy configuration file and modify the default front-end and backend sections as follows. We will not go into a detailed explanation of each parameter; you can always refer to the official documentation.

The following configuration defines a listen section used to serve the HAProxy Stats page. The bind parameter assigns a listener to a given IP address (* for all in this case) and port (9000).

The stats enable setting enables the statistics page, which will be accessed using the URI /stats (i.e. http://server_ip:9000/stats).

The stats auth setting is used to add basic authentication when accessing the page (replace haproxy and the password that follows it with a username and password of your choice).

listen stats
    bind *:9000
    stats enable
    stats hide-version
    stats uri /stats
    stats admin if LOCALHOST
    stats auth haproxy:<password>

13. The next configuration defines a frontend section called TL (you can give it a name of your liking). The mode parameter defines the mode HAProxy operates in.

The acl (Access Control List) parameter is used to make a decision based on content extracted from the request. In this example, the request is considered plain HTTP if it is not made over SSL.

Then the http-request set-header setting is used to add an HTTP header to the request. This helps inform Nginx that the initial request was made over HTTP (or via port 80).

The default_backend or use_backend directive defines the backend servers, in this case referenced by TL_web_servers.

Note that HAProxy will return a "503 Service Unavailable" error if a request is not routed by a use_backend or default_backend directive.

frontend TL
    bind *:80
    mode http
    acl http  ssl_fc,not
    http-request set-header X-Forwarded-Protocol http if http
    default_backend TL_web_servers

14. Then we need to define a backend section, where the balance setting defines how HAProxy selects the back-end servers to process a request if no persistence method overrides that selection.

The cookie directive enables cookie-based persistence; it instructs HAProxy to send a cookie named SERVERUID to the client and to associate it with the ID of the server that gave the initial response.

The server directive is used to define the upstream servers in the format server_name (e.g. websrv1), server_IP:port and options.

One key option is check, which tells HAProxy to keep checking the availability of a server and report on it on the stats page.

backend TL_web_servers
    mode http
    balance roundrobin
    option  httpchk HEAD /
    cookie SERVERUID insert indirect nocache
    server  websrv1 10.42.0.200:80 cookie websrv1 check
    server  websrv2 10.42.0.21:80  cookie websrv2 check
    server  websrv3 10.42.0.34:80  cookie websrv3 check

Comment out any other frontend and backend sections as shown in the screenshot that follows. Save the file and close it.

15. Now restart the HAProxy service to apply the new changes.

# systemctl restart haproxy

16. Next, ensure that the HTTP (port 80) and HTTPS (port 443) services are opened in the firewall to accept client requests as follows. Also, open port 9000 in the firewall for access to the stats page and reload the firewall settings.

# firewall-cmd --zone=public --permanent --add-service=http
# firewall-cmd --zone=public --permanent --add-service=https
# firewall-cmd --zone=public --permanent --add-port=9000/tcp
# firewall-cmd --reload

Step 3: Testing the HAProxy Setup and Viewing Statistics

17. Now it is time to test the HAProxy setup. On the local desktop machine from which you are accessing all the servers, add the following line to the /etc/hosts file so that the dummy site domain can be used.

10.42.0.247  www.tecmint.lan

18. Then open a browser and navigate using either the server address or the site domain.

http://10.42.0.247/
OR
http://www.tecmint.lan/

19. To access the HAProxy statistics page, use the following address.

http://10.42.0.247:9000/stats

Then use the username and password you defined in the HAProxy configuration file (refer to the stats auth parameter).

After a successful login, you will land on the HAProxy statistics page, which shows metrics covering the health of your servers, current request rates, response times, and much more.

To demonstrate how the status report works with regard to the color codes, we have put one of the back-end servers down.
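
The traffic log configured in step 10 gives the same picture from the command line. The script below is an added example, not part of the original guide: it summarises requests per backend server and counts 503 responses that HAProxy issued itself because no server handled the request. The function names and sample log lines are constructed, and the 302 line shows the kind of redirect the frontend issues once HTTPS is enabled in step 21.

```shell
# Constructed sample lines in HAProxy "option httplog" format, as rsyslog would
# write them to /var/log/haproxy-traffic.log (clients and timings are made up).
SAMPLE_LOG='Mar  3 10:00:01 localhost haproxy[2101]: 10.42.0.1:50122 [03/Mar/2021:10:00:01.120] TL TL_web_servers/websrv1 0/0/1/2/3 200 245 - - --NI 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Mar  3 10:00:02 localhost haproxy[2101]: 10.42.0.1:50124 [03/Mar/2021:10:00:02.310] TL TL_web_servers/websrv2 0/0/1/1/2 200 245 - - --NI 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Mar  3 10:00:03 localhost haproxy[2101]: 10.42.0.1:50126 [03/Mar/2021:10:00:03.020] TL TL_web_servers/websrv3 0/0/0/2/2 200 245 - - --NI 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Mar  3 10:00:04 localhost haproxy[2101]: 10.42.0.1:50128 [03/Mar/2021:10:00:04.440] TL TL_web_servers/websrv1 0/0/1/1/2 200 245 - - --VN 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Mar  3 10:07:15 localhost haproxy[2101]: 10.42.0.1:50201 [03/Mar/2021:10:07:15.700] TL TL_web_servers/<NOSRV> 0/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Mar  3 10:09:40 localhost haproxy[2101]: 10.42.0.1:50230 [03/Mar/2021:10:09:40.050] TL TL/<NOSRV> 0/-1/-1/-1/0 302 98 - - LR-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"'

# Emit "<backend/server> <status>" for each log line on stdin. Fields are
# located relative to the "haproxy[pid]:" tag, so the syslog prefix may vary.
server_and_status() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^haproxy\[[0-9]+\]:$/) { print $(i + 4), $(i + 6); break }
    }'
}

# Print "<count> <backend/server>", busiest first.
requests_per_server() {
    server_and_status |
        awk '{ hits[$1]++ } END { for (s in hits) print hits[s], s }' |
        sort -k1,1nr -k2
}

# Count 503s answered by HAProxy itself (server field is <NOSRV>). A <NOSRV>
# entry with another status, such as a 302 redirect, is not an outage.
unserved_503_count() {
    server_and_status |
        awk '$1 ~ /\/<NOSRV>$/ && $2 == 503 { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | requests_per_server
echo "unserved 503 responses: $(printf '%s\n' "$SAMPLE_LOG" | unserved_503_count)"
```

On the load balancer, feed the real file instead of the sample, for example requests_per_server < /var/log/haproxy-traffic.log.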

Step 4: Configuring HTTPS in HAProxy Using a Self-signed SSL Certificate

20. In this final section, we will demonstrate how to configure SSL/TLS to secure all communications between the HAProxy server and the client. HAProxy supports four major HTTPS configuration modes, but for this guide, we will use SSL/TLS offloading.

In SSL/TLS offloading mode, HAProxy decrypts the traffic on the client side and connects to the backend servers in clear traffic.

We will start by creating the certificate and key as shown (answer the questions according to your company details during certificate creation, as highlighted in the screenshot).

# mkdir /etc/ssl/tecmint.lan
# cd /etc/ssl/tecmint.lan/
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/tecmint.lan/tecmint.key -out /etc/ssl/tecmint.lan/tecmint.crt
# cat tecmint.crt tecmint.key >tecmint.pem
# ls -l

21. Next, open the HAProxy configuration file (/etc/haproxy/haproxy.cfg) and edit the front-end section.

frontend TL
    bind *:80
    bind *:443 ssl crt /etc/ssl/tecmint.lan/tecmint.pem
    redirect  scheme  https  if  !{ ssl_fc }
    mode http
    acl http  ssl_fc,not
    acl https ssl_fc
    http-request set-header X-Forwarded-Protocol http if http
    http-request set-header X-Forwarded-Protocol https if https
    default_backend TL_web_servers

Save the file and close it.

22. Then restart the HAProxy service to apply the new changes.

# systemctl restart haproxy.service

23. Next, open a web browser and try to access the site once again. The browser will show an error because of the self-signed certificate; click Advanced to proceed.
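
The stats listener from step 12 still binds to every interface and sends its basic-auth credentials over plain HTTP, and step 16 opens port 9000 in the public zone. The script below is an added example, not part of the original guide: it audits a haproxy.cfg for those two conditions and contrasts the listener from step 12 with a constructed hardened variant. The audit_stats function, the 10.42.0.0/24 admin network and the reuse of the PEM file from step 20 are assumptions.

```shell
# Stats listener as configured in step 12 (password left as a placeholder).
PAGE_STATS_CFG='listen stats
    bind *:9000
    stats enable
    stats hide-version
    stats uri /stats
    stats admin if LOCALHOST
    stats auth haproxy:<password>'

# Constructed alternative: one address, TLS, and a source filter.
# 10.42.0.0/24 as the admin network is an assumption.
HARDENED_STATS_CFG='listen stats
    bind 10.42.0.247:9000 ssl crt /etc/ssl/tecmint.lan/tecmint.pem
    stats enable
    stats hide-version
    stats uri /stats
    http-request deny unless { src 10.42.0.0/24 }
    stats admin if LOCALHOST
    stats auth haproxy:<password>'

# Read a haproxy.cfg on stdin; print one finding per risky stats section.
audit_stats() {
    awk '
    function report() {
        if (stats && wild)          print name ": stats page bound to all interfaces"
        if (stats && auth && plain) print name ": stats auth sent without TLS"
    }
    NF == 0 || substr($1, 1, 1) == "#" { next }
    $1 ~ /^(global|defaults|frontend|backend|listen)$/ {
        report(); name = $1 " " $2; stats = wild = auth = plain = 0; next
    }
    $1 == "bind" {
        if ($2 ~ /^(\*|0\.0\.0\.0)?:/) wild = 1      # *:port, :port, 0.0.0.0:port
        tls = 0
        for (i = 3; i <= NF; i++) if ($i == "ssl") tls = 1
        if (!tls) plain = 1                          # any non-TLS bind counts
    }
    $1 == "stats" && $2 == "enable" { stats = 1 }
    $1 == "stats" && $2 == "auth"   { auth = 1 }
    END { report() }'
}

echo "page config:";     printf '%s\n' "$PAGE_STATS_CFG" | audit_stats
echo "hardened config:"; printf '%s\n' "$HARDENED_STATS_CFG" | audit_stats
```

Run it against the live file with audit_stats < /etc/haproxy/haproxy.cfg, and validate any edit with haproxy -c -f /etc/haproxy/haproxy.cfg before restarting the service.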

That's all for now! Every web application has its own set of requirements; you need to design and configure load balancing to suit your IT infrastructure and your application's requirements.

To get more insights into some of the configuration options used in this guide, and generally how to use HAProxy, see the official HAProxy enterprise edition documentation. You can post any questions or thoughts via the feedback form below.