用HAProxy和KeepAlived构建高可用的反向代理
用HAProxy和KeepAlived构建高可用的反向代理 前言对于访问量较大的网站来说,随着流量的增加单台服务器已经无法处理所有的请求,这时候需要多台服务器对大量的请求进行分流处理,即负载均衡。而如果实 现负载均衡,必须在网站的入口部署服务器(不只是一台)对这些请求进行分发,这台服务器即反向代理。由于反向代理服务器是网站的入口,其负载压力大且易遭 到攻击,存在单点故障的风险,所以我们需要一个高可用的方案来实现当一台反向代理服务器宕机的时候,另一台服务器会自动接管服务。基于以上要求,我们使用 HAProxy,KeepAlived来构建高可用的反向代理系统。 介绍HAProxy是高性能的代理服务器,其可以提供7层和4层代理,具有healthcheck,负载均衡等多种特性,性能卓越,国内很多大的互联网公 司都在使用, KeepAlived是一个高可用方案,通过VIP(即虚拟IP)和心跳检测来实现高可用。其原理是存在一组(两台)服务器,分别赋予 Master,Backup两个角色,默认情况下Master会绑定VIP到自己的网卡上,对外提供服务。Master,Backup会在一定的时间间隔 向对方发送心跳数据包来检测对方的状态,这个时间间隔一般为2秒钟,如果Backup发现Master宕机,那么Backup会发送ARP包到网关,把 VIP绑定到自己的网卡,此时Backup对外提供服务,实现自动化的故障转移,当Master恢复的时候会重新接管服务。
部署环境准备
环境OS: CentOS Linux release 6.0 (Final) 2.6.32-71.29.1.el6.x86_64
HAProxy: 1.5.10
KeepAlived: 1.2.2
VIP: 192.168.36.100
M: 192.168.36.154
S: 192.168.36.129
架构
192.168.36.100
+-----------VIP----------+
| |
| |
Master Backup
192.168.36.129 192.168.36.154
+----------+ +----------+
| HAProxy | | HAProxy |
|keepalived| |keepalived|
+----------+ +----------+
|
v
+--------+---------+
| | |
| | |
v v v
+------+ +------+ +------+
| WEB1 | | WEB2 | | WEB3 |
+------+ +------+ +------+
安装HAProxy
安装pcre
yum install pcre
wget wget http://www.haproxy.org/download/1.5/src/haproxy-1.5.10.tar.gz
tar -zxvf haproxy-1.5.10.tar.gz
cd haproxy-1.5.10
注意编译参数:
TARGET是指自己系统的内核版本 ARCH指定系统是32位还是64位
CPU=native: use the build machine's specific processor optimizations
更多编译参数内容见源码中的README
make TARGET=linux26 make TARGET=linux26 USE_OPENSSL=1 ADDLIB=-lz #编译支持ssl认证功能,haproxy 1.5t版本以上才支持。
make install
ln -s /usr/local/src/haproxy-1.5.10 /usr/local/haproxy
mkdir /usr/local/haproxy/etc
配置文件hparoxy
cd haproxy-1.5.10
cat etc/haproxy.cfg
global
log 127.0.0.1 local3 info
maxconn 20000
user lashourun
group lashourun
chroot /var/chroot/haproxy
daemon
nbproc 4
defaults
log 127.0.0.1 local3
mode http
option httplog
option httpclose
option dontlognull
option forwardfor
option accept-invalid-http-request
retries 2
balance roundrobin
stats enable
stats uri /admin
stats auth haadmin:lashoupay
timeout http-request 20s
timeout connect 50000
timeout client 500000
timeout server 500000
frontend lashoupay-http #支持http 80端口访问的业务
bind *:80
reqadd X-Forwarded-Proto: http
#acl lashoupay-4.90 dst 192.168.4.90
acl lashoupay-4.90 path_beg /lashoupay/lashoupay || dst 192.168.4.90
acl vs-lashoupay-index-4.94 dst 192.168.4.111
#acl vs-lsmvas-4.51 dst 192.168.4.51
#acl vs-lsmvas-4.93 dst 192.168.4.93
acl vs-pay-4.90 dst 192.168.4.114
acl vs-project-4.95 dst 192.168.4.115
use_backend lashoupay-4.90-pool if lashoupay-4.90
use_backend vs-lashoupay-index-4.94-pool if vs-lashoupay-index-4.94
#use_backend vs-lsmvas-4.51-pool if vs-lsmvas-4.51
#use_backend vs-lsmvas-4.93-pool if vs-lsmvas-4.93
use_backend vs-pay-4.90-pool if vs-pay-4.90
use_backend vs-project-4.95-pool if vs-project-4.95
frontend lashoupay-https #支持https 443 ssl认证访问的业务
bind *:443 ssl crt /usr/local/haproxy/cert.pem
option httpclose
option forwardfor
reqadd X-Forwarded-Proto: https
default_backend lashoupay-4.90-pool
frontend vs-lsmvas4.51-9002 #支持一些特殊业务端口访问
mode http
bind *:9002
reqadd X-Forwarded-Proto: http
acl vs-lsmvas-4.51 dst 192.168.4.51
acl vs-lsmvas-4.93 dst 192.168.4.93
use_backend vs-lsmvas-4.51-pool if vs-lsmvas-4.51
use_backend vs-lsmvas-4.93-pool if vs-lsmvas-4.93
backend lashoupay-4.90-pool
redirect scheme https if !{ ssl_fc }
balance roundrobin
stats refresh 2
server lashoupay-4.73 192.168.4.73:80 weight 3 maxconn 10000 check
backend vs-lashoupay-index-4.94-pool
balance roundrobin
stats refresh 2
server lashoupay-index-16-26 192.168.4.16:9002 weight 3 maxconn 10000 check
backend vs-lsmvas-4.51-pool
balance roundrobin
stats refresh 2
#server vs-lsmvas-4.16 192.168.4.16:9002 weight 3 maxconn 10000 check
server vs-lsmvas-4.18 192.168.4.18:9002 weight 3 maxconn 10000 check
server vs-lsmvas-4.26 192.168.4.26:9002 weight 3 maxconn 10000 check
server vs-lsmvas-4.28 192.168.4.28:9002 weight 3 maxconn 10000 check
backend vs-lsmvas-4.93-pool
balance roundrobin
stats refresh 2
server vs-lsmvas-4.18 192.168.4.18:9002 weight 3 maxconn 10000 check
server vs-lsmvas-4.28 192.168.4.28:9002 weight 3 maxconn 10000 check
backend vs-pay-4.90-pool
balance roundrobin
stats refresh 2
#server vs-lsmvas-4.16 192.168.4.16:9002 weight 3 maxconn 10000 check
server vs-lsmvas-4.18 192.168.4.18:9002 weight 3 maxconn 10000 check
server vs-lsmvas-4.26 192.168.4.26:9002 weight 3 maxconn 10000 check
server vs-lsmvas-4.28 192.168.4.28:9002 weight 3 maxconn 10000 check
backend vs-project-4.95-pool
balance roundrobin
stats refresh 2
server project-4.17 192.168.4.17:9002 weight 3 maxconn 10000 check
server project-4.27 192.168.4.27:9002 weight 3 maxconn 10000 check
查看HAProxy的状态:http://192.168.36.100/haproxy-stats,这个页面会显示HAProxy本身以及后端服务器的状态。
日志haproxy会把日志记录发送到syslog server(CentOS6下是rsyslogd,UDP514端口), 编辑/etc/rsyslog.conf文件,添加如下内容:
ModLoad imudp
UDPServerRun 514
UDPServerAddress 127.0.0.1
local3.* /var/log/haproxy.log
重启rsyslog
/etc/init.d/rsyslog restart
自动轮转日志,编辑/etc/logrotate.d/haproxy.cfg,添加如下内容:
/var/log/haproxy.log
{
rotate 4
daily
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
reload rsyslog > /dev/null 2>&1 || true
endscript
}
启动脚本
wget -O haproxy https://raw.github.com/gist/3665034/4125bd5b81977a72e5eec30650fb21f3034782a0/haproxy-init.d
cp haproxy /etc/init.d/haproxy
chmod +x /etc/init.d/haproxy
#使用方式
/etc/init.d/haproxy start|stop|restart
安装KeepAlived
安装依赖库
yum install popt popt-devel
wget http://www.keepalived.org/software/keepalived-1.2.2.tar.gz
tar -zxvf keepalived-1.2.2.tar.gz
cd keepalived-1.2.2
./configure --prefix=/usr/local/keepalived
make && make install
cp /usr/local/keepalived/etc/rc.d/init.d/keepalived /etc/init.d/keepalived
cp /usr/local/keepalived/sbin/keepalived /usr/sbin/
cp /usr/local/keepalived/etc/sysconfig/keepalived /etc/sysconfig/
mkdir -p /etc/keepalived/
cp /usr/local/keepalived/etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf
chmod +x /etc/init.d/keepalived
使用方式
/etc/init.d/keepalived start|stop|restart
Master服务器上的配置
cat etc/keepalived/keepalived.conf
global_defs {
notification_email {
user@example.com
}
notification_email_from mail@example.org
smtp_server 192.168.x.x
smtp_connect_timeout 30
router_id LVS_DEVEL
}
#监测haproxy进程状态,每2秒执行一次
vrrp_script chk_haproxy {
script "/usr/local/keepalived/chk_haproxy.sh"
interval 2
weight 2
}
vrrp_instance VI_1 {
state MASTER #标示状态为MASTER
interface eth0
virtual_router_id 51
priority 101 #MASTER权重要高于BACKUP
advert_int 1
mcast_src_ip 192.168.36.129 #Master服务器IP
authentication {
auth_type PASS #主从服务器验证方式
auth_pass 1111
}
track_script {
chk_haproxy #监测haproxy进程状态
}
#VIP
virtual_ipaddress {
192.168.36.100 #虚拟IP
}
}
Bakcup服务器上的配置
cat etc/keepalived/keepalived.conf
global_defs {
notification_email {
user@example.com
}
notification_email_from mail@example.org
smtp_server 192.168.x.x
smtp_connect_timeout 30
router_id LVS_DEVEL
}
#监测haproxy进程状态,每2秒执行一次
vrrp_script chk_haproxy {
script "/usr/local/keepalived/chk_haproxy.sh"
interval 2
weight 2
}
vrrp_instance VI_1 {
state BACKUP #状态为BACKUP
interface eth0
virtual_router_id 51
priority 100 #权重要低于MASTER
advert_int 1
mcast_src_ip 192.168.36.154 #Backup服务器的IP
authentication {
auth_type PASS
auth_pass 1111
}
track_script {
chk_haproxy #监测haproxy进程状态
}
#VIP
virtual_ipaddress {
192.168.36.100 #虚拟IP
}
}
- keepalived 配置中引用的脚本 chk_haproxy.sh内容
#!/bin/bash
#
# author: weizhifeng
# description:
# 定时查看haproxy是否存在,如果不存在则启动haproxy,
# 如果启动失败,则停止keepalived
#
status=(ps aux|grep haproxy | grep -v grep | grep -v bash | wc -l)
if [ "{status}" = "0" ]; then
/etc/init.d/haproxy start
status2=(ps aux|grep haproxy | grep -v grep | grep -v bash |wc -l)
if [ "{status2}" = "0" ]; then
/etc/init.d/keepalived stop
fi
fi
高可用测试
- 1. 在Master上停止keepalived,查看系统日志,发IP
/etc/init.d/keepalived stop
tail -f /var/log/message
Keepalived: Terminating on signal Keepalived: Stopping Keepalived v1.2.2 (11/03,2011)
Keepalived_vrrp: Terminating VRRP child process on signal
Keepalived_vrrp: VRRP_Instance(VI_1) removing protocol VIPs.
- 2. 在Backup上查看系统日志,发现Backup已经进入MASTER角色,并且绑定了VIP 192.168.36.100
tail -f /var/log/message
Keepalived_vrrp: VRRP_Instance(VI_1) Entering MASTER STATE
Keepalived_vrrp: VRRP_Instance(VI_1) setting protocol VIPs
Keepalived_vrrp: VRRP_Instance(VI_1) Sending gratuitous ARPs on eth0 for 192.168.36.100 #在Backup上查看VIP是否已经绑定
- 3. 在Master上重新启动keepalived,查看系统日志,发现重新获得MASTER角色,并且绑定VIP 192.168.36.100
/etc/init.d/keepalived start
tail -f /var/log/message
Keepalived_vrrp: VRRP_Instance(VI_1) Transition to MASTER STATE
Keepalived_vrrp: VRRP_Instance(VI_1) Entering MASTER STATE
Keepalived_vrrp: VRRP_Instance(VI_1) setting protocol VIPs.
Keepalived_vrrp: VRRP_Instance(VI_1) Sending gratuitous ARPs on eth0 for 192.168.36.100
- 4. 在Backup上查看系统日志,发现其重新回到BACKUP角色,并且释放VIP
tail -f /var/log/message
Keepalived_vrrp: VRRP_Instance(VI_1) Received higher prio advert
Keepalived_vrrp: VRRP_Instance(VI_1) Entering BACKUP STATE
Keepalived_vrrp: VRRP_Instance(VI_1) removing protocol VIPs.
- 并发测试我们使用webbench来对HAProxy进行并发测试
yum install ctags
wget http://home.tiscali.cz/~cz210552/distfiles/webbench-1.5.tar.gz
tar -zxvf webbench-1.5.tar.gz
cd webbench-1.5
make
mkdir -p /usr/local/man && make install
测试方法:
webbench -c 100 -t 3000 http://192.168.36.100/index.html
haproxy维护
-
1,haproxy做前端代理,出错类 -1/-1/-1/-1/0 400 187 - - PR-- 0/0/0/0/0 0/0 "
google了一下全是英文的,大概意思说原因是因为客户端发来了无效的字符,处理不了罢,说白了,就是可能不支持客户发来的字符集,
我们查了一下发来的字符串中文的,好像是gb2312的,google有牛人给出的解决办法如下:
打开haproxy.cfg配置加上如下
timeout http-request 20s
option accept-invalid-http-request