Using lvs+keepalived in a production environment [repost]

This is a project from a production environment. The company's website was frequently hit by DDoS attacks from competitors, so an environment was needed that would divert attackers to a decoy company site during an attack. My task was to build that attack-resistant decoy site.
My design: LVS (with keepalived for high availability) + LNMP make up the company's decoy site. Eight machines in total: six web servers and two LVS nodes.
For confidentiality, the IPs and the real web servers are not ... only two web servers are used as stand-ins here.
1. Preparation
A working yum setup on CentOS, plus keepalived-1.1.17.tar.gz and ipvsadm-1.24.tar.gz (both packages can be downloaded from the internet, or from the link below: http://www.kuaipan.cn/file/id_4516853896446486.html).
2. Installation and configuration
Before configuring, make sure the following symlink is in place: ln -sv /usr/src/kernels/2.6.32-220.el6.i686/ linux, because building both keepalived-1.1.17.tar.gz and ipvsadm-1.24.tar.gz depends on the kernel development headers. If you see the following instead:

[root@localhost src]# ll
total 8
drwxr-xr-x 7 root root 4096 Mar 1 03:01 redhat
[root@localhost src]#
This means the kernel development package was not installed with the system, so you need to install it yourself:
yum install kernel*
Install ipvsadm-1.24.tar.gz:
tar xf ipvsadm-1.24.tar.gz
cd ipvsadm-1.24
make && make install
Install keepalived-1.1.17.tar.gz:
tar xf keepalived-1.1.17.tar.gz
cd keepalived-1.1.17
./configure
Make sure the ./configure result looks like this:
Keepalived configuration
————————
Keepalived version : 1.1.17
Compiler : gcc
Compiler flags : -g -O2
Extra Lib : -lpopt -lssl -lcrypto
Use IPVS Framework : Yes
IPVS sync daemon support : Yes
Use VRRP Framework : Yes
Use LinkWatch : No
Use Debug flags : No
make && make install
cp /usr/local/etc/rc.d/init.d/keepalived /etc/rc.d/init.d/
cp /usr/local/etc/sysconfig/keepalived /etc/sysconfig/
mkdir /etc/keepalived
cp /usr/local/etc/keepalived/keepalived.conf /etc/keepalived/
cp /usr/local/sbin/keepalived /usr/sbin/
3. Configure the keepalived master and backup configuration files
vim /etc/keepalived/keepalived.conf
#######MASTER#####################
! Configuration File for keepalived
global_defs {
notification_email {
470499989@qq.com
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 127.0.0.1
router_id LVS_DEVEL
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.1.200
}
}
virtual_server 192.168.1.200 80 {
delay_loop 6
lb_algo rr
lb_kind DR
persistence_timeout 50
protocol TCP

real_server 192.168.1.117 80 {
weight 3
TCP_CHECK {
connect_timeout 10
nb_get_retry 3
delay_before_retry 3
connect_port 80
}
}
real_server 192.168.1.118 80 {
weight 3
TCP_CHECK {
connect_timeout 10
nb_get_retry 3
delay_before_retry 3
connect_port 80
}
}
}
#################BACKUP#########################
! Configuration File for keepalived
global_defs {
notification_email {
470499989@qq.com
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 127.0.0.1
router_id LVS_DEVEL
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 51
priority 80
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.1.200
}
}
virtual_server 192.168.1.200 80 {
delay_loop 6
lb_algo rr
lb_kind DR
persistence_timeout 50
protocol TCP

real_server 192.168.1.117 80 {
weight 3
TCP_CHECK {
connect_timeout 10
nb_get_retry 3
delay_before_retry 3
connect_port 80
}
}
real_server 192.168.1.118 80 {
weight 3
TCP_CHECK {
connect_timeout 10
nb_get_retry 3
delay_before_retry 3
connect_port 80
}
}
}
If service keepalived start does not bring it up, check the log:
# tail /var/log/messages
Mar 30 12:05:15 localhost Keepalived_vrrp: bogus VRRP packet received on eth0 !!!
Mar 30 12:05:15 localhost Keepalived_vrrp: VRRP_Instance(VI_1) Dropping received VRRP packet…
Mar 30 12:05:16 localhost Keepalived_vrrp: ip address associated with VRID not present in received packet : -939415360
Mar 30 12:05:16 localhost Keepalived_vrrp: one or more VIP associated with VRID mismatch actual MASTER advert
####### If you see the log lines above, someone else in your environment is also running keepalived; change the virtual router id, because the default is 51.
####### If it still will not start and you are doing this experiment on a virtual machine, check the VM's clock with date; this matters a lot for virtual machines.
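The VRID collision and master/backup mismatch described above can be checked for before the service is started. The script below is an added example and not part of the original post: it reads the vrrp_instance values out of a master and a backup keepalived.conf, checks that the fields which must agree on both nodes do and that the roles and priorities are ordered correctly, and counts the log signatures shown above. The configs and log lines it feeds itself are constructed from the post's samples, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the keepalived
# master/backup setup described above. vrrp_field/vrrp_vip read vrrp_instance
# values, check_pair compares a MASTER/BACKUP pair, and vrid_conflict_lines
# counts the log lines the post shows when another keepalived on the segment
# uses the same virtual_router_id. All inputs below are constructed.

# First value of a keyword in the config, e.g. "priority" -> 100.
vrrp_field() {  # $1 = conf file, $2 = keyword
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# First address inside virtual_ipaddress { ... }.
vrrp_vip() {
    awk '/virtual_ipaddress/ { getline; print $1; exit }' "$1"
}

# Number of VRRP log lines indicating a VRID collision (0 if none).
vrid_conflict_lines() {  # $1 = log file
    grep -c -e 'bogus VRRP packet' -e 'VRID mismatch actual MASTER advert' "$1" || true
}

# Returns 0 if the pair is consistent, 1 otherwise; prints each problem found.
check_pair() {  # $1 = master conf, $2 = backup conf
    ok=0
    for k in interface virtual_router_id auth_pass; do   # must match on both nodes
        [ "$(vrrp_field "$1" $k)" = "$(vrrp_field "$2" $k)" ] || { echo "$k differs"; ok=1; }
    done
    [ "$(vrrp_vip "$1")" = "$(vrrp_vip "$2")" ] || { echo "VIP differs"; ok=1; }
    [ "$(vrrp_field "$1" state)" = MASTER ] && [ "$(vrrp_field "$2" state)" = BACKUP ] \
        || { echo "states must be MASTER and BACKUP"; ok=1; }
    [ "$(vrrp_field "$1" priority)" -gt "$(vrrp_field "$2" priority)" ] 2>/dev/null \
        || { echo "MASTER priority must exceed BACKUP priority"; ok=1; }
    [ "$(vrrp_field "$1" auth_pass)" != 1111 ] || echo "note: auth_pass is still the sample value 1111"
    return $ok
}

# Constructed sample inputs modelled on the post's configs and log excerpt.
mkconf() {  # $1 = file, $2 = state, $3 = priority, $4 = virtual_router_id
    printf 'vrrp_instance VI_1 {\nstate %s\ninterface eth0\nvirtual_router_id %s\npriority %s\nauthentication {\nauth_type PASS\nauth_pass 1111\n}\nvirtual_ipaddress {\n192.168.1.200\n}\n}\n' "$2" "$4" "$3" > "$1"
}
TMP=$(mktemp -d)
mkconf "$TMP/master.conf" MASTER 100 51
mkconf "$TMP/backup.conf" BACKUP 80 51
mkconf "$TMP/clash.conf"  BACKUP 80 52    # wrong VRID: this backup never pairs with the master
printf '%s\n' 'Mar 30 12:05:15 localhost Keepalived_vrrp: bogus VRRP packet received on eth0 !!!' \
    'Mar 30 12:05:16 localhost Keepalived_vrrp: one or more VIP associated with VRID mismatch actual MASTER advert' > "$TMP/messages"

check_pair "$TMP/master.conf" "$TMP/backup.conf" && echo "master/backup pair is consistent"
[ "$(vrid_conflict_lines "$TMP/messages")" -gt 0 ] && echo "VRID collision in log: change virtual_router_id (default 51)"
```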
Appendix: walkthrough of the keepalived configuration file
##### Configuration file walkthrough #####
! Configuration File for keepalived
global_defs {
notification_email { ### email addresses that receive notifications
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 192.168.200.1 #### smtp server address used for monitoring notifications
smtp_connect_timeout 30
router_id LVS_DEVEL ### identifier of this lvs load balancer
}
vrrp_instance VI_1 { ### define a vrrp group
state MASTER ### this host's role in the group; only MASTER and BACKUP exist, and they must be written in uppercase
interface eth0 ### network interface that serves traffic
virtual_router_id 51 ### virtual router identifier
priority 100 ### this host's priority within the vrrp group
advert_int 1 ### interval between master/backup advertisements (sync checks)
authentication { ### authentication settings for master/backup communication
auth_type PASS
auth_pass 1111
}
virtual_ipaddress { ### virtual ip address, i.e. the VIP
192.168.200.16
}
}
virtual_server 192.168.200.100 443 { ### virtual server definition; note it is ip + port
delay_loop 6 ### health check interval, in seconds
lb_algo rr ### load balancing scheduling algorithm; internet applications commonly use wlc
lb_kind NAT ### load balancing forwarding mode; generally one of DR, NAT, TUN. DR is the most common
nat_mask 255.255.255.0 ### not used in DR mode
persistence_timeout 50 ### session persistence time, in seconds
protocol TCP ### forwarding protocol
real_server 192.168.201.100 443 { ### define a realserver; the real_server value consists of ip address and port
weight 1 ### weight of this realserver
SSL_GET {
url {
path /
digest ff20ad2481f97b1754ef3e12ecd3a9cc
}
url {
path /mrtg/
digest 9b3a0c85a887a256d6939da88aabd8cd
}
connect_timeout 3
nb_get_retry 3
delay_before_retry 3
}
}
}

This article is from the "gabylinux" blog; please keep this attribution: http://gabylinux.blog.51cto.com/1593644/822168
