keepalived高可用+nginx证书代理

安装nginx

yum -y install gcc pcre-devel openssl-devel        #安装依赖包

wget   http://nginx.org/download/nginx-1.12.2.tar.gz     （也可配置阿里源用yum安装）

tar -xf nginx-1.12.2.tar.gz                 

     ./configure  \

     --prefix=/usr/local/nginx \                #指定安装路径

     --user=nginx \                            #指定用户

     --group=nginx \                            #指定组

     --with-http_ssl_module                    #开启SSL加密功能

make && make install     #编译并安装  (如果没有安装make请自行安装)

       nginx命令的用法

cat /etc/nginx/conf.d/default.conf        （此路径为正式环境156的路径）  conf.d/的意思为附加文件同源文件效果一样

• <span>server <span>{</span></span>
• <span> listen <span>80<span>;                          这个是80端口的<br /></span></span></span>
• <span> server_name www<span>.<span>chengshizhichuang<span>.<span>com cszc<span>.<span>top<span>;      （域名）<br /></span></span></span></span></span></span></span></span>
• <span> client_max_body_size <span>100M<span>;</span></span></span>
• <span> location <span>/<span> <span>{</span></span></span></span>
• <span> proxy_pass http<span>:<span>//192.168.1.134/;                  访问<span><code><span>www<span>.<span>chengshizhichuang<span>.<span>com cszc<span>.<span>top转到此ip</span></span></span></span></span></span></span>
  
• <span>}</span>
• <span>proxy_set_header <span>Host<span> $host<span>;</span></span></span></span>
• <span>proxy_set_header X<span>-<span>Real<span>-<span>IP $remote_addr<span>;</span></span></span></span></span></span>
• <span>proxy_set_header X<span>-<span>Forwarded<span>-<span>For<span> $proxy_add_x_forwarded_for<span>;</span></span></span></span></span></span></span>
• <span> location <span>/<span>pay<span>/<span> <span>{</span></span></span></span></span></span>
• <span> proxy_pass http<span>:<span>//192.168.1.212:21612/pay/;             访问<span><code><span><span><span><span><code><span>www<span>.<span>chengshizhichuang<span>.<span>com cszc<span>.<span>top/pay   转到此ip</span></span></span></span></span></span></span>
  
• <span>}</span>
• <span> location <span>/<span>publicgood<span>/<span> <span>{</span></span></span></span></span></span>
• <span> proxy_pass http<span>:<span>//192.168.1.212:21612/publicgood/;       同上<br /></span></span></span>
• <span>}</span>
• <span>location <span>/<span>shared<span>/<span> <span>{</span></span></span></span></span></span>
• <span> proxy_pass http<span>:<span>//192.168.1.212:21612/shared/;          同上<br /></span></span></span>
• <span>}</span>
• <span>location <span>/<span>zhyl<span>/<span> <span>{</span></span></span></span></span></span>
• <span> proxy_pass http<span>:<span>//192.168.1.121:12102/zhyl/;            同上<br /></span></span></span>
• <span>}</span>
• <span># location /pay/static/ {</span>
• <span># proxy_pass http://192.168.1.212:21612/pay/static/;        同上<br /></span>
• <span># }</span>
• <span>}</span>
• <span>server <span>{</span></span>
• <span> listen <span>443<span>;                                 443端口做了证书认证加密  但是直接访问域名时是不会自动跳到https上的  要手动加https 之前做的转发因为有的80端口转发不过来所以就没做了  <br /></span></span></span>
• <span> server_name www<span>.<span>chengshizhichuang<span>.<span>com cszc<span>.<span>top<span>;</span></span></span></span></span></span></span></span>
• <span> client_max_body_size <span>100M<span>;</span></span></span>
• <span> ssl on<span>;</span></span>
• <span> ssl_certificate <span>/<span>etc<span>/<span>nginx<span>/<span>ssl<span>/<span>www<span>.<span>chengshizhichuang<span>.<span>com<span>.<span>crt<span>;</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>
• <span> ssl_certificate_key <span>/<span>etc<span>/<span>nginx<span>/<span>ssl<span>/<span>www<span>.<span>chengshizhichuang<span>.<span>com<span>.<span>rsa<span>;</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>
• <span> ssl_session_timeout <span>5m<span>;</span></span></span>
• <span> ssl_protocols <span>SSLv2<span> <span>SSLv3<span> <span>TLSv1<span>;</span></span></span></span></span></span></span>
• <span> ssl_ciphers ALL<span>:!<span>ADH<span>:!<span>EXPORT56<span>:<span>RC4<span>+<span>RSA<span>:+<span>HIGH<span>:+<span>MEDIUM<span>:+<span>LOW<span>:+<span>SSLv2<span>:+<span>EXP<span>;</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>
• <span> ssl_prefer_server_ciphers on<span>;</span></span>
• <span>location <span>/<span> <span>{</span></span></span></span>
• <span> proxy_pass http<span>:<span>//192.168.1.134/;</span></span></span>
• <span> <span>}</span></span>
• <span> location <span>/<span>pay<span>/<span> <span>{</span></span></span></span></span></span>
• <span> proxy_pass http<span>:<span>//192.168.1.212:21612/pay/;</span></span></span>
• <span>}</span>
• <span>location <span>/<span>zhyl<span>/<span> <span>{</span></span></span></span></span></span>
• <span> proxy_pass http<span>:<span>//192.168.1.121:12102/zhyl/;</span></span></span>
• <span>}</span>
• <span>location <span>/<span>shared<span>/<span> <span>{</span></span></span></span></span></span>
• <span> proxy_pass http<span>:<span>//192.168.1.212:21612/shared/;</span></span></span>
• <span>}</span>
• <span>}</span>

Keepalived的安装及配置yum  -y  install keepliaved vim /etc/keepliaved/keepliaved.conf

• <span>global_defs <span>{</span></span>
• <span> notification_email <span>{</span></span>
• <span> <span>.<span>loc</span></span></span>
• <span> <span>}</span></span>
• <span> notification_email_from <span>Alexandre<span>.<span><span>.<span>loc</span></span></span></span></span></span>
• <span> smtp_server <span>192.168<span>.<span>200.1</span></span></span></span>
• <span> smtp_connect_timeout <span>30</span></span>
• <span> router_id <span>112</span></span>
• <span> vrrp_skip_check_adv_addr</span>
• <span> vrrp_strict</span>
• <span> vrrp_garp_interval <span>0</span></span>
• <span> vrrp_gna_interval <span>0</span></span>
• <span>}</span>
• <span>vrrp_script chk_http_port <span>{</span></span>
• <span> script <span>"/opt/chk_nginx.sh"        设定一个监控nginx脚本链接nginx<br /></span></span>
• <span> interval <span>2</span></span>
• <span> weight <span>-<span>5</span></span></span>
• <span> fall <span>2</span></span>
• <span> rise <span>1</span></span>
• <span>}</span>
• <span>vrrp_instance VI_1 <span>{</span></span>
• <span> state MASTER              从服务改为<code><span>BACKUP</span>
  
• <span> <span>interface<span> eth0              用ip  a    查看自己的网卡名<br /></span></span></span>
• <span> virtual_router_id <span>51</span></span>
• <span> priority <span>100              优先值 从服务不能高于主<br /></span></span>
• <span> advert_int <span>1</span></span>
• <span> authentication <span>{</span></span>
• <span> auth_type PASS</span>
• <span> auth_pass <span>1111</span></span>
• <span> <span>}</span></span>
• <span> virtual_ipaddress <span>{</span></span>
• <span> <span>192.168<span>.<span>1.157<span>/<span>24<span>             <span># 虚拟vip</span></span></span></span></span></span></span></span>
• <span> <span>}</span></span>
• <span>track_script <span>{</span></span>
• <span> chk_http_port</span>
• <span>}</span>
• <span>}</span>

@@@分别在主备服务器/etc/keepalived目录下创建nginx_check.sh脚本，并为其添加执行权限chmod +x /opt/chk_nginx.sh。用于keepalived定时检测nginx的服务状态，如果nginx停止了，会尝试重新启动nginx，如果启动失败，会将keepalived进程杀死，将vip漂移到备份机器上。

vim /opt/chk_nginx.sh#!/bin/bashcounter=$(ps -C nginx --no-heading|wc -l)if [ "${counter}" = "0" ]; then    /usr/sbin/nginx                                        #尝试重新启动nginx    sleep 2                                                #睡眠2秒    counter=$(ps -C nginx --no-heading|wc -l)    if [ "${counter}" = "0" ]; then    killall keepalived                                      #启动失败，将keepalived服务杀死。将vip漂移到其它备份节点    fifi

chmod +x /opt/chk_nginx.sh。systemctl start  keepalived.service   启动keepalived ip  a  查看vip有没有和本地ip绑定如下

 如果把keepalived关掉 vip就会调到另一个服务上