关于内网主备+https

先openssl证书

整体流程为：
1、页面访问为https，在电脑修改hosts文件，如域名为 babaozhou.com, 则配置为 ip1 babaozhou.com，ip2 babaozhou.com；
也就是说同域名关联两个ip，这样如果服务器1ping不通了则可以自动切换到ip2，避免服务器连不上问题；
2、nginx -V,查看是否支持openssl
用keepalived+nginx；当主服务进程停掉后可以立马切换到备；

更改keepalived.conf，位置在/etc/keepalived/

当前主的配置

! Configuration File for keepalived
 
global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 192.168.254.136 83   //这里为需要切的ip 端口，其中254要与当前保持一致
   smtp_connect_timeout 30
   router_id LVS_DEVEL
   vrrp_skip_check_adv_addr
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}
 
vrrp_script chk_http_port {
 
  script "/usr/local/src/nginx_check.sh"		//脚本位置
  interval 2
  weight 2
}
 
vrrp_instance VI_1 {
    state MAXTER		//MAXTER  为主
    interface enp7s0f1		//interface要一致 ip -a 查看一下，要与当前服务器保持一直
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.254.100 83			//虚拟ip 端口，直接暴露出来的
    }
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

创建文件 nginx_check.sh，内容如下，放到 /usr/local/src/

#!binbash
A=`ps -C nginx –no-header wc -l`
if [ $A -eq 0 ];then
    usrlocalnginxsbinnginx
    sleep 2
    if [ `ps -C nginx --no-header wc -l` -eq 0 ];then
        killall keepalived
    fi
fi
1
2
3
4
5
6
7
8
9

备

! Configuration File for keepalived
 
global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 192.168.254.138 83		//备服务ip 端口
   smtp_connect_timeout 30
   router_id LVS_DEVEL
   vrrp_skip_check_adv_addr
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}
 
vrrp_script chk_http_port {
 
  script "/usr/local/src/nginx_check.sh"	//脚本位置，内容位置与上面一样
  interval 2
  weight 2
}
 
vrrp_instance VI_1 {
    state BACKUP		//BACKUP 为备
    interface enp11s0f0				//interface要一致 ip -a 查看一下，要与当前服务器保持一直	
    virtual_router_id 51
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.254.100 83			//虚拟IP地址  端口
    }
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

nginx

   server {
		listen       443 ssl;
        server_name  www.sky.com;

        ssl_certificate /root/CA/root/server.crt;
        ssl_certificate_key /root/CA/root/server.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_prefer_server_ciphers on;

			location / {
				proxy_pass http://192.168.254.100:83;  //该ip为keepalived虚拟ip
			}
    }
	//上面配置上一篇有讲
	//设置负载均衡 当86挂掉后自动切换到138； webname是随便起的
	upstream webname{
	   server 192.168.254.86:9124;
	   server 192.168.254.138:9124;
	}
    server {
        listen       83;
        server_name  _;
        location / {
				root    	/usr/local/src/dist;
				index 		index.html index.htm;
			}

        ssl_prefer_server_ciphers on;

			location ^~/api {

			rewrite ^/api/(.*)$ /$1 break; 
			proxy_pass http://webname;   //对于配置的webname
		}
    }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

hosts解决服务器连不上切换到备，keepalived解决 keepalived与nginx进程停止后自动切换到备，nginx负载均衡解决 后端停止自动切换到备；还有别的七七八八再记录