LVS configuration based on firewall marks

Requirements:
1. Use DR (direct routing) mode with the RR (round-robin) scheduling algorithm.
2. Make sure that one user's plain web access (HTTP) and encrypted web access (HTTPS) are served by the same real server.
3. Configure LVS by tagging packets with firewall marks (fwmark).

Note: because lab resources are limited, the setup uses three Linux virtual machines: one as the Director and two as Real Servers.

IP address allocation:
Director:      eth0 --- 192.168.145.100; logical interface eth0:0 --- 192.168.145.101 (the VIP)
Real Server 1: eth0 --- 192.168.145.200; eth1 --- 192.168.2.200; lo:0 --- 192.168.145.101
Real Server 2: eth0 --- 192.168.145.201; eth1 --- 192.168.2.201; lo:0 --- 192.168.145.101
Share Server:  eth0 --- 192.168.2.100
Adding the IP addresses is not covered here.
I. Director configuration

Install ipvsadm:
[root@localhost ~]# mount /dev/cdrom /mnt/cdrom
[root@localhost ~]# cd /mnt/cdrom/Cluster
[root@localhost Cluster]# rpm -ivh ipvsadm-1.24-10.i386.rpm

Configuration. Packets for the VIP on port 80 and on port 443 both receive firewall mark 10 in the mangle table, so ipvsadm can treat HTTP and HTTPS as a single service; the -p 1800 persistence timeout then keeps a client on the same real server for both (requirement 2):
[root@localhost ~]# iptables -A PREROUTING -t mangle -p tcp -d 192.168.145.101/32 --dport 80 -j MARK --set-mark 10    // match the VIP itself (a /32), not the whole 192.168.145.0/24
[root@localhost ~]# iptables -A PREROUTING -t mangle -p tcp -d 192.168.145.101/32 --dport 443 -j MARK --set-mark 10
[root@localhost ~]# ipvsadm -A -f 10 -s rr -p 1800             // one virtual service keyed on fwmark 10, round-robin, persistent for 1800 s
[root@localhost ~]# ipvsadm -a -f 10 -r 192.168.145.200 -g     // -g = direct routing (DR)
[root@localhost ~]# ipvsadm -a -f 10 -r 192.168.145.201 -g
[root@localhost Cluster]# service ipvsadm save    // save the rule table, otherwise starting ipvsadm reports an error
[root@localhost Cluster]# service ipvsadm start   // start ipvsadm
[root@localhost Cluster]# ipvsadm -ln             // view the rules
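As an added check (example code written for this page, not part of the original post), the following script verifies that the director's ipvsadm table matches the three requirements: a single fwmark service, rr scheduling, persistence, and both real servers attached in Route (DR) mode. It assumes the column layout of `ipvsadm -Ln` output and runs against constructed sample output rather than a live director.

```sh
#!/bin/sh
# Added example: check an ipvsadm -Ln listing for the fwmark service set up above.
# Not code from the original post; the sample listings below are constructed.

# Constructed `ipvsadm -Ln` output for the finished director configuration.
SAMPLE_GOOD='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  10 rr persistent 1800
  -> 192.168.145.200:0            Route   1      0          0
  -> 192.168.145.201:0            Route   1      0          0'

# Constructed output of a setup without firewall marks: HTTP and HTTPS are separate
# services with no persistence, so one client can be balanced to different servers.
SAMPLE_BAD='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.145.101:80 rr
  -> 192.168.145.200:80           Route   1      0          0
  -> 192.168.145.201:80           Route   1      0          0
TCP  192.168.145.101:443 rr
  -> 192.168.145.200:443          Route   1      0          0
  -> 192.168.145.201:443          Route   1      0          0'

# check_fwmark_service FWMARK EXPECTED_RS_COUNT   (ipvsadm -Ln output on stdin)
# Exit status 0 when the fwmark service exists with scheduler rr, persistence,
# and exactly EXPECTED_RS_COUNT real servers all forwarded by Route (DR); 1 otherwise.
check_fwmark_service() {
    awk -v fwm="$1" -v want="$2" '
        # header line of the fwmark service being checked
        $1 == "FWM" && $2 == fwm { in_svc = 1; sched = $3; pers = ($4 == "persistent"); next }
        # header line of any other service ends the section
        $1 == "FWM" || $1 == "TCP" || $1 == "UDP" { in_svc = 0; next }
        # real server lines belonging to the checked service
        in_svc && $1 == "->" { total++; if ($3 == "Route") routed++ }
        END {
            if (sched == "rr" && pers && total == want && routed == want) exit 0
            exit 1
        }'
}

# Stand-alone run: report on both constructed samples.
printf '%s\n' "$SAMPLE_GOOD" | check_fwmark_service 10 2 && echo "good sample: fwmark service OK" || echo "good sample: fwmark service missing or wrong"
printf '%s\n' "$SAMPLE_BAD"  | check_fwmark_service 10 2 && echo "bad sample: fwmark service OK"  || echo "bad sample: fwmark service missing or wrong"
```

On a real director, replace the samples with `ipvsadm -Ln | check_fwmark_service 10 2`.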

II. Real Server 1 configuration
Installing and starting the httpd server is not covered here.
Address configuration is as follows (the VIP is bound to lo:0, so a host route for it is added on that interface):

[root@localhost Server]# route add -host 192.168.145.101 dev lo:0
[root@localhost Server]# route -n    // view the routing table

[root@localhost Server]# sysctl -a | grep arp    // view the ARP-related kernel parameters

Append the arp_ignore and arp_announce settings to /etc/sysctl.conf, so that the real server neither answers ARP requests for the VIP held on lo:0 nor announces it (otherwise the switch and the director could learn the VIP's MAC from a real server instead of the director):
[root@localhost Server]# echo "net.ipv4.conf.eth0.arp_ignore = 1" >>/etc/sysctl.conf
[root@localhost Server]# echo "net.ipv4.conf.all.arp_ignore = 1" >>/etc/sysctl.conf
[root@localhost Server]# echo "net.ipv4.conf.eth1.arp_announce = 2" >>/etc/sysctl.conf
[root@localhost Server]# echo "net.ipv4.conf.all.arp_announce = 2" >>/etc/sysctl.conf
[root@localhost Server]# vim /etc/sysctl.conf    // enable IP forwarding (net.ipv4.ip_forward = 1)
[root@localhost Server]# sysctl -p               // apply the settings

Enabling HTTPS:
[root@localhost ~]# vim /etc/pki/tls/openssl.cnf
1. On line 43, change the directory to /etc/pki/CA.
2. On lines 88-90, change match to optional (optional).
3. Adjust the optional fields starting at line 134 (optional).
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# mkdir crl certs newcerts
[root@localhost CA]# touch index.txt serial
[root@localhost CA]# echo "01" >serial
[root@localhost CA]# openssl genrsa 1024 >private/cakey.pem
[root@localhost CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem
[root@localhost CA]# chmod 600 private/*

[root@localhost CA]# mkdir -pv /etc/httpd/certs
[root@localhost CA]# cd /etc/httpd/certs
[root@localhost certs]# openssl genrsa 1024 >httpd.key
[root@localhost certs]# openssl req -new -key httpd.key -out httpd.csr
[root@localhost certs]# openssl ca -in httpd.csr -out httpd.cert    // sign the request with the lab CA created above
[root@localhost certs]# chmod 600 ./*

[root@localhost CA]# yum install -y mod_ssl
[root@localhost CA]# vim /etc/httpd/conf.d/ssl.conf    // point the SSLCertificateFile and SSLCertificateKeyFile directives at httpd.cert and httpd.key
The 1024-bit RSA keys above are what this lab uses; current practice is 2048 bits or more.

[root@localhost CA]# service httpd restart
III. Real Server 2 configuration
Address configuration is as follows:

Note: the rest of the configuration is the same as for Real Server 1 and is not repeated.

IV. Browsing from the client

Check the connections on the director: with persistence in place, a client's port 80 and port 443 connections should both be listed against the same real server.

Check the iptables rules: the packet counters on the two mangle MARK rules show that HTTP and HTTPS traffic to the VIP is being tagged.
