Nginx HA and HTTPS configuration and deployment
Overall architecture of the Nginx HA setup (internal network, VIP 192.168.199.5); the role of each component is listed below the diagram:

                 +-----------VIP----------+
                 |                        |
                 |                        |
              Master                   Backup
          192.168.199.90           192.168.199.57
           +----------+             +----------+
           | HAProxy  |             | HAProxy  |
           |nginx(SSL)|             |nginx(SSL)|
           |keepalived|             |keepalived|
           +----------+             +----------+
                          |
                          v
                  192.168.199.88/89
                    +----------+
                    | multiple |
                    |  NGINXs  |
                    +----------+
                          |
                          v
                +--------+---------+
                |        |         |
                |        |         |
                v        v         v
            +------+  +------+  +------+
            | WEB1 |  | WEB2 |  | WEB3 |
            +------+  +------+  +------+
* Keepalived: checks that HAProxy is alive (the config below also tracks Nginx) and moves the VIP between the two nodes, providing HA
* HAProxy: HTTP load balancing
* Nginx(SSL): runs on the same server as HAProxy and handles SSL offload
* Nginx(LB): load balancer in front of the app servers and web servers

Client access diagram (plain HTTP goes straight to HAProxy on :80; HTTPS terminates in Nginx(SSL), which forwards plain HTTP to the second HAProxy frontend on 127.0.0.1:8443):
+--------+              HTTP :80                         +----------+
| client | -------------------------------------------->  |          |
|        |                                                | haproxy, |
+--------+               +---------+                      |  1 or 2  |
   /  /      HTTPS       |  Nginx  |  HTTP 127.0.0.1:8443 | listening|
  <__/     ----------->  |  (SSL)  |  ------------------> |  ports   |
                         |         |                      |          |
                         +---------+                      +----------+
HAProxy + NGINX(SSL)

HAProxy is used as the HTTP load balancer and Nginx handles the SSL offload.

Test environment:
* CentOS 6.4 x86_64 (Final)
* Supermicro 2U4 Node
* Domain: l99.com

IP allocation:
* lb01.l99.com 192.168.199.88
* lb02.l99.com 192.168.199.89
* www.l99.com 192.168.199.5 (virtual IP)
* 192.168.199.90 acts as the Load Balancer (HAProxy + Nginx)

Install and configure HAProxy
yum install libev-devel openssl-devel
cd /usr/local/src
wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.24.tar.gz
# (the tarball is fetched over plain HTTP; check it against a checksum or signature from a trusted source before building)
git clone https://github.com/cbonte/haproxy-patches.git
tar zxvf haproxy-1.4.24.tar.gz
# Apply the PROXY protocol patch to HAProxy 1.4.24. accept-proxy is only supported natively from HAProxy 1.5 on;
# it was wanted here because stud was originally planned for the SSL offload and stud sends the PROXY protocol
# header. With Nginx doing the SSL offload instead, the accept-proxy bind stays commented out in the config below.
cd haproxy-1.4.24
patch -p1 < /usr/local/src/haproxy-patches/proxy-protocol/haproxy-1.4-proxy-protocol.patch
make TARGET=linux2628 USE_EPOLL=1 ARCH=x86_64 && make install
cp /usr/local/src/haproxy-1.4.24/haproxy /usr/sbin/
cp examples/haproxy.init /etc/init.d/haproxy
chmod +x /etc/init.d/haproxy
chkconfig --add haproxy
chkconfig haproxy on
vim /etc/haproxy/haproxy.cfg

haproxy.cfg is as follows:
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    # by adding the '-r' option to the SYSLOGD_OPTIONS in
    # /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    # file. A line like the following can be added to
    # /etc/sysconfig/syslog
    #
    # local2.* /var/log/haproxy.log
    #
    # log 127.0.0.1 local2
    log         127.0.0.1 local0
    log         127.0.0.1 local1 debug

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     45000   # Total Max Connections. This is dependent on ulimit
    user        haproxy
    group       haproxy
    daemon
    nbproc      12      # depends on the number of CPU cores; the test box has two 6-core Intel E5-2620 CPUs, hence 12
                        # (with nbproc > 1 the stats socket and the stats page only show the one process that answered)

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    balance                 roundrobin
    # balance               leastconn
    option                  httplog
    option                  dontlognull
    option                  http-server-close
    option                  forwardfor header X-Real-IP   # HAProxy appends X-Real-IP with the address of the peer it accepted from
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         5000ms
    timeout client          50000ms
    timeout server          50000ms
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 45000   # Total Max Connections. This is dependent on ulimit

    stats enable
    stats uri       /stats              # Real path redacted
    stats realm     Haproxy\ Statistics
    stats auth      username:password   # Real credentials redacted
                                        # (stats is inherited by both frontends, so on :80 these credentials travel in clear text)
    monitor-uri     /monitor            # Returns 200 if we're up; real path redacted

frontend http-in
    bind :80
    reqdel X-Real-IP                    # drop a client-supplied X-Real-IP so only the value set by forwardfor reaches the backend;
                                        # reqdel matches case-sensitively, reqidel would also catch "x-real-ip"
    reqadd X-Forwarded-Proto:\ http
    default_backend http-load-balancer

frontend https-in
    # bind 127.0.0.1:8443 accept-proxy
    bind 127.0.0.1:8443                 # loopback only: reachable from the local Nginx(SSL), not from the network
    # reqdel X-Real-IP                  # kept here: X-Real-IP is set by the local Nginx(SSL) from the real client address
    reqadd X-Forwarded-Proto:\ https
    default_backend http-load-balancer

backend http-load-balancer
    server lb-1 192.168.199.88:80 maxconn 10000 check port 80
    server lb-2 192.168.199.89:80 maxconn 10000 check port 80
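The X-Real-IP handling above is the trust boundary of this setup, so here is an added example (written for this page, not code from the original post or from HAProxy) that models which headers the two frontends forward to the backend. The reqdel/reqadd/forwardfor rules are transcribed from haproxy.cfg; the request representation, the function names and every address other than 192.168.199.15 are this example's own assumptions.

```python
import re

# Transcribed from haproxy.cfg above. 'reqdel' is the regex HAProxy applies to
# each "Name: value" request header line; None means no deletion rule.
FRONTENDS = {
    "http-in":  {"reqdel": "X-Real-IP", "proto": "http"},
    "https-in": {"reqdel": None,        "proto": "https"},
}


def headers_seen_by_backend(frontend, peer_ip, client_headers, case_insensitive=False):
    """Headers HAProxy forwards to lb-1/lb-2 for one request.

    peer_ip is the TCP peer HAProxy accepted from (the real client on :80, the
    local Nginx(SSL) on 127.0.0.1:8443). case_insensitive=True emulates
    replacing 'reqdel' with 'reqidel'.
    """
    fe = FRONTENDS[frontend]
    flags = re.IGNORECASE if case_insensitive else 0
    out = []
    for name, value in client_headers:
        line = f"{name}: {value}"
        # reqdel: drop header lines matching the regex. In HAProxy the req*
        # rules run before the forwardfor header is added, so the real one survives.
        if fe["reqdel"] and re.search(fe["reqdel"], line, flags):
            continue
        out.append((name, value))
    out.append(("X-Forwarded-Proto", fe["proto"]))  # reqadd X-Forwarded-Proto:\ http|https
    out.append(("X-Real-IP", peer_ip))              # option forwardfor header X-Real-IP (appended, never replaced)
    return out


def backend_client_ip(frontend, peer_ip, client_headers, case_insensitive=False):
    """Value $http_x_real_ip takes on the backend Nginx: the first X-Real-IP header
    (nginx before 1.23 returns the first duplicate; 1.23+ joins duplicates with commas)."""
    for name, value in headers_seen_by_backend(frontend, peer_ip, client_headers, case_insensitive):
        if name.lower() == "x-real-ip":
            return value
    return None


# Constructed scenarios (assumed addresses; 192.168.199.15 is the client from the page's log line)
CLIENT = "203.0.113.7"
SPOOF = [("Host", "www.l99.com"), ("X-Real-IP", "10.0.0.1")]
SPOOF_LC = [("Host", "www.l99.com"), ("x-real-ip", "10.0.0.1")]

if __name__ == "__main__":
    print(backend_client_ip("http-in", CLIENT, SPOOF))            # 203.0.113.7: spoofed header stripped
    print(backend_client_ip("http-in", CLIENT, SPOOF_LC))         # 10.0.0.1: reqdel is case-sensitive, spoof survives
    print(backend_client_ip("http-in", CLIENT, SPOOF_LC, True))   # 203.0.113.7: reqidel closes the gap
    # HTTPS path: Nginx(SSL) on loopback sets X-Real-IP from the real client and is trusted
    print(backend_client_ip("https-in", "127.0.0.1", [("X-Real-IP", "192.168.199.15")]))  # 192.168.199.15
```

The second scenario is the one to take away: HTTP header names are case-insensitive and Nginx's $http_x_real_ip matches "x-real-ip" just as well, but reqdel only strips the exact spelling, so the case-insensitive reqidel is the right keyword here. The last scenario also shows why the loopback-only bind on https-in matters: anything that can connect to 127.0.0.1:8443 is trusted to set X-Real-IP.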
Install and configure Nginx(SSL)

/usr/local/nginx/conf/nginx.conf:

user nginx;
worker_processes 12;
error_log logs/error.log crit;
pid logs/nginx.pid;
worker_rlimit_nofile 30000;

events {
    use epoll;
    worker_connections 51200;
}

http {
    include mime.types;
    default_type application/octet-stream;
    # include common options #
    include options.conf;
    # include proxy settings #
    include proxy.conf;
    # domain config #
    include l99.com/*.conf;
}

/usr/local/nginx/conf/l99.com/www.l99.com.conf:
server {
    listen 443;
    ssl on;
    ssl_certificate     /usr/local/nginx/conf/l99.com/lifeix-l99.crt;
    ssl_certificate_key /usr/local/nginx/conf/l99.com/lifeix-l99.key;
    # ssl_client_certificate is the CA list for client-certificate verification and has no effect
    # without ssl_verify_client; an intermediate chain for the server certificate has to be
    # appended to the ssl_certificate file instead
    ssl_client_certificate /usr/local/nginx/conf/l99.com/lifeix-dvroot.crt;
    ssl_session_timeout 5m;
    # Insecure as written: SSLv2 and SSLv3 are broken protocols, and the +LOW, +SSLv2 and +EXP
    # groups re-enable export and single-DES suites (only !EXPORT56 is excluded, 40-bit export
    # suites stay). Restrict to TLS and HIGH ciphers in production.
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    default_type text/plain;
    access_log logs/access.www.ssl.l99.com.log main;
    error_log  logs/error.www.ssl.l99.com.log;
    server_name www.l99.com;

    if ($request_uri ~ update.php) {
        # note: this sends the HTTPS client to a plain-http URL
        rewrite /(.*)$ http://www.L99.com/timeline.action last;
    }

    location / {
        proxy_cache off;
        proxy_next_upstream http_502 http_504 error timeout invalid_header;
        proxy_ignore_headers Expires Cache-Control;
        proxy_store off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;            # real client address; HAProxy trusts it because 8443 is loopback-only
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        more_clear_headers "Cache-Control";                 # needs the headers-more module
        add_header Cache-Control "no-cache,max-age=0";
        proxy_pass http://127.0.0.1:8443;                   # the HAProxy https-in frontend
    }
}
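The ssl_protocols and ssl_ciphers lines above are the weakest part of this page. The following is an added example, not code from the original post or from nginx: a small checker for the three TLS directives of a server block, run over the page's values and over a hardened replacement. The deny-lists and the hardened values are this example's own choices (the hardened set assumes a current nginx/OpenSSL, which the CentOS 6.4 box on the page would not have).

```python
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string keywords that (re-)enable suites no server should offer
WEAK_CIPHER_KEYWORDS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "SSLv2",
                        "RC4", "MD5", "NULL", "eNULL", "aNULL", "ADH", "MEDIUM"}

DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers)\s+([^;]+);", re.M)


def parse_tls_directives(server_block):
    """Map directive name -> value for the TLS directives found in a server {} block."""
    return {m.group(1): " ".join(m.group(2).split()) for m in DIRECTIVE_RE.finditer(server_block)}


def enabled_weak_keywords(cipher_string):
    """Keywords in an OpenSSL cipher string that leave weak suites enabled.

    '!' kills a group for good and '-' removes it; a bare keyword or a leading
    '+' keeps it enabled ('+' only moves the group to the end of the list).
    Compound keywords such as RC4+RSA are split on '+'.
    """
    bad = []
    for item in cipher_string.split(":"):
        if not item or item[0] in "!-":
            continue
        for keyword in item.lstrip("+").split("+"):
            if keyword in WEAK_CIPHER_KEYWORDS:
                bad.append(keyword)
    return bad


def audit_tls(server_block):
    """Human-readable findings for one server block; an empty list means clean."""
    d = parse_tls_directives(server_block)
    findings = []
    for proto in d.get("ssl_protocols", "").split():
        if proto in WEAK_PROTOCOLS:
            findings.append(f"ssl_protocols enables {proto}")
    for keyword in enabled_weak_keywords(d.get("ssl_ciphers", "")):
        findings.append(f"ssl_ciphers enables {keyword}")
    if d.get("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    return findings


# The directives exactly as they appear in www.l99.com.conf above
PAGE_CONFIG = """
server {
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
}
"""

# Hardened replacement (example values chosen for this page, not from the original post)
HARDENED_CONFIG = """
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}
"""

if __name__ == "__main__":
    for finding in audit_tls(PAGE_CONFIG):
        print(finding)                    # three protocol and five cipher findings
    print(audit_tls(HARDENED_CONFIG))     # []
```

The keyword check is deliberately a string-level review, not a handshake test: it tells you what the configuration asks for, while what a given OpenSSL build actually offers is still best confirmed with openssl s_client against the running server, as the page does further down.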
Start and test

service haproxy restart
service nginx restart

# test HTTPS
openssl s_client -connect 192.168.199.90:443 -servername l99.com
# test HTTP (type the request, then an empty line to finish it)
telnet 192.168.199.90 80
GET / HTTP/1.1
Host: www.L99.com

Nginx(LB) configuration change

Modify options.conf. This is needed because, with HAProxy in front, $remote_addr on the Nginx(LB) tier is now the HAProxy node's address; the real source IP has to be taken from the X-Real-IP header that HAProxy sets:

log_format main '$http_x_forwarded_proto $http_x_real_ip $remote_addr $host $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                '$request_time $upstream_response_time $pipe "$gzip_ratio"';

After restarting Nginx, a request to the site (立方网, l99.com) through HAProxy is logged like this:
https 192.168.199.15 192.168.199.90 www.l99.com - [04/Oct/2013:17:02:33 +0800] "GET /skin/recharge/images/paybtn_bg.jpg HTTP/1.1" 304 0 "https://www.l99.com/Recharge_pay.action" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36" 0.007 0.006 . "-"
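Since the whole point of the new log_format is to attribute requests to the right source address, here is an added example (written for this page, not code from the original post) that parses lines in that format and only believes X-Real-IP when the TCP peer is one of the two HAProxy nodes from the architecture diagram. The first sample line is the one shown above; the other lines, the TRUSTED_PROXIES set and the function names are this example's own assumptions.

```python
import re

# The two HAProxy nodes from the diagram (Master and Backup)
TRUSTED_PROXIES = {"192.168.199.90", "192.168.199.57"}

# One regex field per variable of the log_format, in order
LOG_RE = re.compile(
    r'^(?P<proto>\S+) (?P<x_real_ip>\S+) (?P<remote_addr>\S+) (?P<host>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<request_time>\S+) (?P<upstream_time>\S+) '
    r'(?P<pipe>\S) "(?P<gzip>[^"]*)"$'
)


def parse_line(line):
    """Return the fields as a dict, or None when the line does not fit the format.

    $http_x_forwarded_proto and $http_x_real_ip are unquoted in the format, so a
    header value containing a space shifts every later field; such lines are
    reported as suspect instead of being skipped silently.
    """
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def client_ip(entry):
    """Address to attribute the request to.

    X-Real-IP is believed only when $remote_addr is an HAProxy node: those strip
    a client's own X-Real-IP on :80 and set it themselves, or receive it from the
    local Nginx(SSL) on 127.0.0.1:8443. From anyone else the header is untrusted.
    """
    if entry["remote_addr"] in TRUSTED_PROXIES and entry["x_real_ip"] != "-":
        return entry["x_real_ip"]
    return entry["remote_addr"]


def audit(lines):
    """Flag lines that should not exist if all traffic goes through HAProxy."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            findings.append(("unparsable", line))
        elif entry["remote_addr"] not in TRUSTED_PROXIES:
            # reached the Nginx(LB) tier directly, bypassing HAProxy and its header sanitising
            findings.append(("bypassed-haproxy", line))
    return findings


# Constructed sample: line 1 is the page's own log line, lines 2-4 are made up for this example
SAMPLE_LOG = [
    'https 192.168.199.15 192.168.199.90 www.l99.com - [04/Oct/2013:17:02:33 +0800] "GET /skin/recharge/images/paybtn_bg.jpg HTTP/1.1" 304 0 "https://www.l99.com/Recharge_pay.action" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36" 0.007 0.006 . "-"',
    'http 192.168.199.15 192.168.199.57 www.l99.com - [04/Oct/2013:17:03:10 +0800] "GET /timeline.action HTTP/1.1" 200 5120 "-" "curl/7.29.0" 0.010 0.009 . "-"',
    '- - 10.0.0.23 www.l99.com - [04/Oct/2013:17:04:01 +0800] "GET /stats HTTP/1.1" 200 512 "-" "curl/7.29.0" 0.001 - . "-"',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    for entry in map(parse_line, SAMPLE_LOG[:3]):
        print(client_ip(entry))     # 192.168.199.15, 192.168.199.15, 10.0.0.23
    for kind, line in audit(SAMPLE_LOG):
        print(kind, line[:40])      # bypassed-haproxy for line 3, unparsable for line 4
```

Run over a real access log this is also the quickest way to confirm that the lb-1/lb-2 hosts do not accept connections from anywhere but the two HAProxy nodes; a bypassed-haproxy finding means the Nginx(LB) port is reachable around the proxy layer and the X-Real-IP value in that line cannot be trusted.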
HAProxy + Keepalived

/etc/keepalived/keepalived.conf:

! Configuration File for keepalived

global_defs {
    router_id LVS_DEVEL
}

vrrp_script chk_haproxy {
    script "killall -0 haproxy"   # verify the pid exists (only proves a process of that name is running, not that it listens)
    interval 2                    # check every 2 seconds
    weight 2                      # add 2 points of prio if OK
}

vrrp_script chk_nginx {
    script "killall -0 nginx"     # verify the pid exists
    interval 2                    # check every 2 seconds
    weight 2                      # add 2 points of prio if OK
}

vrrp_instance VI_1 {
    interface eth0                # interface to monitor
    state MASTER
    virtual_router_id 51          # Assign one ID for this route
    priority 101                  # 101 on master, 100 on backup
    virtual_ipaddress {
        192.168.199.5             # the virtual IP
    }
    track_script {
        chk_haproxy
        chk_nginx
    }
}
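The priority 101/100 split together with weight 2 on both scripts decides who holds the VIP, and the arithmetic has one edge worth seeing. This is an added example written for this page (not code from the original post or from keepalived) that models that arithmetic; the script names, weights, base priorities and node addresses are taken from the config and diagram above, the function names are this example's own.

```python
SCRIPT_WEIGHTS = {"chk_haproxy": 2, "chk_nginx": 2}     # vrrp_script ... weight 2
BASE_PRIORITY = {"master": 101, "backup": 100}           # priority 101 / 100
NODE_IP = {"master": "192.168.199.90", "backup": "192.168.199.57"}


def effective_priority(node, script_ok):
    """Priority that keepalived advertises for `node`.

    A vrrp_script with a positive weight adds it while the check passes (what this
    page uses); a negative weight would subtract it while the check fails.
    script_ok maps script name -> bool; scripts not listed count as passing.
    """
    prio = BASE_PRIORITY[node]
    for name, weight in SCRIPT_WEIGHTS.items():
        ok = script_ok.get(name, True)
        if weight > 0 and ok:
            prio += weight
        elif weight < 0 and not ok:
            prio += weight
    return prio


def vip_holder(master_ok, backup_ok):
    """Node that ends up with 192.168.199.5 once both nodes have converged.

    The highest priority wins; on a tie VRRP prefers the higher primary IP
    address. keepalived preempts by default, so the outcome does not depend on
    which node held the VIP before.
    """
    prios = {
        "master": effective_priority("master", master_ok),
        "backup": effective_priority("backup", backup_ok),
    }

    def ip_key(node):
        return tuple(int(octet) for octet in NODE_IP[node].split("."))

    return max(prios, key=lambda n: (prios[n], ip_key(n)))


if __name__ == "__main__":
    print(vip_holder({}, {}))                                          # master (105 vs 104)
    print(vip_holder({"chk_haproxy": False}, {}))                      # backup (103 vs 104)
    print(vip_holder({"chk_haproxy": False, "chk_nginx": False}, {}))  # backup (101 vs 104)
    # both nodes degraded: the master keeps the VIP even though its HAProxy is dead
    print(vip_holder({"chk_haproxy": False}, {"chk_nginx": False}))    # master (103 vs 102)
```

The last case is the caveat: with weighted tracking a node whose HAProxy is gone can still own the VIP as soon as the other node is degraded too. If losing HAProxy must always take a node out of service, leave the weight at its default of 0, which makes a failing script put the instance into FAULT state instead of merely lowering its priority.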
前言: 在项目开发过程中的一点点指导思想 1.环境准备 win系统 Eclipse 开发平台 maven tomcat Mysql 数据库,mysql5.6 操作数据库的jar 包 JDBC 连接数据 ...