Building HA Load Balancer with HAProxy and keepalived
For this tutorial I'll demonstrate how to build a simple yet scalable highly available HTTP load balancer using HAProxy [1] and keepalived [2]. Later I'll show how to front-end HAProxy with Pound [5] to implement SSL termination and redirect insecure connections from port 80 to 443.
Let's assume we have two servers, LB1 and LB2, that will host HAProxy and will be made highly available through the VRRP protocol [3] as implemented by keepalived. LB1 will have an IP address of 192.168.29.129 and LB2 will have an IP address of 192.168.29.130. HAProxy will listen on the "shared/floating" IP address of 192.168.29.100, which will be raised on the active LB1. If LB1 fails, that IP will be moved and raised on LB2 with the help of keepalived.
We are also going to have two back-end nodes that run Apache - WEB1 192.168.29.131 and WEB2 192.168.29.132 - that will receive traffic from HAProxy using the round-robin load-balancing algorithm.
First let's install keepalived on both LB1 and LB2. We can either get it from the EPEL repo, or install it from source.
    [root@lb1 ~] rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm
    [root@lb1 ~] yum install keepalived
Edit the configuration file on both servers. The two files should match except for the state and priority parameters:

    [root@lb1 ~] vi /etc/keepalived/keepalived.conf

    vrrp_script chk_haproxy {
        script "killall -0 haproxy"
        interval 2
        weight 2
    }

    vrrp_instance VI_1 {
        interface eth0
        state MASTER          # MASTER on master, BACKUP on backup
        virtual_router_id 51
        priority 101          # 101 on master, 100 on backup
        virtual_ipaddress {
            192.168.29.100
        }
        track_script {
            chk_haproxy
        }
    }

Add the following firewall rule to /etc/sysconfig/iptables on both LBs:

    -A INPUT -p vrrp -j ACCEPT

Then run "service iptables restart" on both LBs.
Save the config on both servers and start keepalived:
    [root@lb1 ~] /etc/init.d/keepalived start
Now that keepalived is running, check that LB1 has raised 192.168.29.100:

    [root@lb1 ~] ip addr show | grep 192.168.29.100
    inet 192.168.29.100/32 scope global eth0

You can test whether the IP moves from LB1 to LB2 by failing LB1 (shut it down or bring the network down) and running the above command on LB2.
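The priority arithmetic behind that failover, as an added example (not part of the original tutorial): it models the keepalived settings above, where a positive track_script weight is added to the priority while `killall -0 haproxy` succeeds. The `Node`, `elect` and `scenarios` names are hypothetical, and preemption is assumed to be on, which is the keepalived default.

```python
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    priority: int            # "priority" in vrrp_instance
    alive: bool = True       # node is up and sending VRRP advertisements
    haproxy_ok: bool = True  # exit status of `killall -0 haproxy` was 0

def effective_priority(node, weight):
    # A positive track_script weight is added only while the script succeeds.
    return node.priority + (weight if node.haproxy_ok else 0)

def elect(current_master, nodes, weight):
    """Name of the node holding the VIP once VRRP has settled."""
    live = [n for n in nodes if n.alive]
    if not live:
        return None
    best = max(live, key=lambda n: effective_priority(n, weight))
    holder = next((n for n in live if n.name == current_master), None)
    # A backup preempts only with a strictly higher priority; on a tie the
    # VIP stays where it is.
    if holder and effective_priority(holder, weight) >= effective_priority(best, weight):
        return holder.name
    return best.name

def scenarios(weight):
    """Failure cases for LB1 (priority 101) and LB2 (priority 100)."""
    def run(lb1_alive=True, lb1_haproxy=True):
        nodes = [Node("LB1", 101, lb1_alive, lb1_haproxy), Node("LB2", 100)]
        return elect("LB1", nodes, weight)
    return {
        "healthy": run(),
        "lb1_haproxy_down": run(lb1_haproxy=False),
        "lb1_down": run(lb1_alive=False),
    }

if __name__ == "__main__":
    print(scenarios(2))  # weight from the config above
    print(scenarios(1))  # weight equal to the priority gap
```

With weight 2 the VIP moves to LB2 when HAProxy dies on LB1; with a weight no larger than the gap between the two priorities it stays on LB1, so the weight has to exceed that gap.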
Now that we have high availability of the IP resource we can install HAProxy on LB1 and LB2:
    [root@lb1 ~] yum install haproxy
Edit the configuration file, and start HAProxy:
    [root@lb1 ~] vi /etc/haproxy/haproxy.cfg

    global
        log 127.0.0.1 local7 info
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        #debug
        #quiet

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        retries 3
        option redispatch
        maxconn 2000
        contimeout 5000
        clitimeout 50000
        srvtimeout 50000

    listen webfarm 192.168.29.100:80
        mode http
        balance roundrobin
        cookie JSESSIONID prefix
        option httpclose
        option forwardfor
        option httpchk HEAD /index.html HTTP/1.0
        server webA webserver1.example.net:80 cookie A check
        server webB webserver2.example.net:80 cookie B check

    [root@lb1 ~] vi /etc/default/haproxy

    # Set ENABLED to 1 if you want the init script to start haproxy.
    ENABLED=1
    # Add extra flags here.
    #EXTRAOPTS="-de -m 16"

This is a very simplistic configuration that uses HTTP load-balancing with cookie prefixing. This is how it works:
- LB1 is VRRP master (keepalived), LB2 is backup. Both monitor the haproxy process and lower their priority if it fails, leading to a failover to the other node.
- LB1 will receive client requests on IP 192.168.29.100.
- Both load balancers send their checks from their native IP.
- If a request does not contain a cookie, it will be forwarded to a valid server.
- In return, if a JSESSIONID cookie is seen, the server name will be prefixed into it, followed by a delimiter ('~').
- When the client comes again with the cookie "JSESSIONID=A~xxx", LB1 will know that it must be forwarded to server A. The server name will then be stripped from the cookie before it is sent to the server.
- If server "webA" dies, the requests will be sent to another valid server and a cookie will be reassigned.
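The cookie-prefix flow from the list above, as an added example (a model written for this page, not HAProxy's own code): server ids A and B come from the configuration, while the session value "xxx", the id "Z" and the class and function names are constructed. Because the prefix arrives from the client, the model honours it only for a configured, healthy server; how a prefix that matches no server is forwarded is a modelling choice here.

```python
from itertools import cycle

COOKIE = "JSESSIONID"
DELIM = "~"

class PrefixPersistence:
    def __init__(self, servers):
        self.up = dict.fromkeys(servers, True)  # cookie id -> health-check state
        self._rr = cycle(servers)                # round-robin order

    def _next_up(self):
        for _ in range(len(self.up)):
            sid = next(self._rr)
            if self.up[sid]:
                return sid
        raise RuntimeError("no valid server")

    def route(self, cookies):
        """Return (server id, cookies forwarded to that server)."""
        sid, sep, rest = cookies.get(COOKIE, "").partition(DELIM)
        # The prefix is client-supplied: follow it only to a known, live server.
        if sep and self.up.get(sid):
            return sid, {**cookies, COOKIE: rest}   # prefix stripped
        # No cookie, unknown id or dead server: balance again (redispatch).
        fwd = dict(cookies)
        if sep and sid in self.up:
            fwd[COOKIE] = rest                       # strip a known server's id
        return self._next_up(), fwd

    def rewrite_set_cookie(self, sid, set_cookies):
        """Prefix the server id when the back end sets JSESSIONID."""
        out = dict(set_cookies)
        if COOKIE in out:
            out[COOKIE] = f"{sid}{DELIM}{out[COOKIE]}"
        return out

def demo():
    lb = PrefixPersistence(["A", "B"])
    first, _ = lb.route({})                                 # no cookie yet
    issued = lb.rewrite_set_cookie(first, {COOKIE: "xxx"})  # sent to the client
    sticky = lb.route(issued)                               # same server again
    lb.up["A"] = False                                      # webA fails its check
    moved = lb.route(issued)                                # sent elsewhere
    unknown = lb.route({COOKIE: "Z~xxx"})                   # id not in the config
    return first, issued, sticky, moved, unknown

if __name__ == "__main__":
    for step in demo():
        print(step)
```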
For more information and examples see [4].
Add the following to /etc/sysctl.conf on both LBs, so that HAProxy can bind to 192.168.29.100 on the node that does not currently hold it:

    net.ipv4.ip_nonlocal_bind=1

Then run "sysctl -p" on both LBs.
Let's start HAProxy on both LBs:
    [root@lb1 ~] /etc/init.d/haproxy start
    [root@web1 ~] cat /var/www/html/index.html
    This is Web Node 1

    [root@web2 ~] cat /var/www/html/index.html
    This is Web Node 2

Now hit 192.168.29.100 in your browser and refresh a few times. You should see both nodes rotating in a round-robin fashion.
Also test the HA setup by failing one of the LB servers, making sure that you always get a response back from the back-end nodes. Do the same for the back-end nodes.
To send logs from HAProxy to syslog-ng add the following lines to the syslog-ng config file:
    [root@logserver ~] vi /etc/syslog-ng/syslog-ng.conf

    source s_all {
        udp(ip(127.0.0.1) port(514));
    };

    destination df_haproxy { file("/var/log/haproxy.log"); };
    filter f_haproxy { facility(local7); };
    log { source(s_all); filter(f_haproxy); destination(df_haproxy); };

Installing Pound is straightforward and can be done from a package or from source. Once installed, the config file should look like this:

    [root@lb1 ~] cat /etc/pound/pound.cfg

    User "www-data"
    Group "www-data"
    LogLevel 3

    ## check backend every X secs:
    Alive 5

    Control "/var/run/pound/poundctl.socket"

    ListenHTTPS
        Address 192.168.29.100
        Port 443
        AddHeader "X-Forwarded-Proto: https"
        Cert "/etc/ssl/local.server.pem"
        xHTTP 0

        Service
            BackEnd
                Address 192.168.29.100
                Port 80
            End
        End
    End

    [root@lb1 ~] /etc/init.d/pound start

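To make HAProxy redirect all insecure connections from port 80 to port 443, all we need to do is create an access list that looks for the header Pound inserts and, if it is missing, redirects the HTTP connection to Pound (listening on port 443). Keep in mind that HAProxy sees X-Forwarded-Proto as an ordinary request header, so a client connecting straight to port 80 can supply it as well; the rule steers browsers to HTTPS but does not by itself enforce it.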
The new config needs to look like this:
    [root@lb1 ~] cat /etc/haproxy/haproxy.cfg

    global
        log 127.0.0.1 local7 info
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        #debug
        #quiet

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        retries 3
        option redispatch
        maxconn 2000
        contimeout 5000
        clitimeout 50000
        srvtimeout 50000

    listen webfarm 192.168.29.100:80
        mode http
        balance roundrobin
        cookie JSESSIONID prefix
        option httpclose
        option forwardfor
        option httpchk HEAD /index.html HTTP/1.0
        acl x_proto hdr(X-Forwarded-Proto) -i https
        redirect location https://192.168.29.100/ if !x_proto
        server webA webserver1.example.net:80 cookie A check
        server webB webserver2.example.net:80 cookie B check

To generate a self-signed cert to use in Pound run this:
    # 2048-bit RSA key; a 1024-bit key is too weak for current use
    [root@lb1 ~] openssl req -x509 -newkey rsa:2048 -keyout local.server.pem -out local.server.pem -days 365 -nodes

Resources:
[1] http://haproxy.1wt.eu/
[2] http://www.keepalived.org/
[3] http://en.wikipedia.org/wiki/Virtual_Router_Redundancy_Protocol
[4] http://haproxy.1wt.eu/download/1.2/doc/architecture.txt
[5] http://www.apsis.ch/pound/