[toc]

nginx high availability

What keepalive does

keepalive high-availability software

What is high availability

  1. Usually two machines run exactly the same business system; when one of them goes down, the other takes over quickly and users accessing the service notice nothing.
  2. lb01 is the load balancer and lb02 is lb01's standby; if lb01 goes down, lb02 takes over quickly.

High-availability software

  • Hardware
    • F5
  • Software
    • keepalive
    • heartbeat
  • redis
    • redis-Cluster
    • sentinel
  • mysql
    • MHA
    • MGR

How keepalive works

The keepalived software is built on VRRP (Virtual Router Redundancy Protocol), which is mainly used to solve the single-point-of-failure problem.


Question 1: suppose users repoint everything at the backup router; what happens once the master router is repaired?
Answer: with keepalive the switchover (and the switch back) happens without users noticing.

Question 2: suppose the master gateway fails; can we simply configure the backup gateway with the master gateway's IP?
Answer: no. ARP maps an IP address to a MAC address and keeps the mapping in the ARP table, so after the IP is moved the cached MAC still does not match the new gateway; keepalive instead creates the same VIP and VMAC combination on whichever node is currently master.


Core concepts of keepalive

  1. How to decide which node is master and which is backup (election by vote, priority)
  2. If the master fails and the backup takes over, will the master take the role back once it recovers? (preemptive vs non-preemptive)
  3. What happens if both servers believe they are master? (split brain)

Deploying keepalive in practice

Environment

| Hostname | WanIP | LanIP | Role | Application |
| --- | --- | --- | --- | --- |
| lb01 | 10.0.0.5 | 172.16.1.5 | Master | keepalived |
| lb02 | 10.0.0.6 | 172.16.1.6 | Backup | keepalived |

Deploying preemptive keepalive (lb01, lb02)

```bash
# Install keepalived
yum install -y keepalived

# Locate the keepalived configuration file
rpm -ql keepalived
/etc/keepalived/keepalived.conf

# Edit the master configuration file
vim /etc/keepalived/keepalived.conf

global_defs {                   # global settings
    router_id lb01              # identity of this node -> name
}

vrrp_instance VI_1 {
    state MASTER                # role of this node
    interface eth0              # interface the VRRP instance is bound to
    virtual_router_id 50        # virtual router id (must match on both nodes)
    priority 150                # priority (higher number wins the election)
    advert_int 1                # advertisement interval (s)
    authentication {            # authentication
        auth_type PASS          # authentication type
        auth_pass 1111          # authentication password
    }
    virtual_ipaddress {
        10.0.0.3                # the virtual IP (VIP)
    }
}

## Edit the backup configuration file
vim /etc/keepalived/keepalived.conf

global_defs {
    router_id lb02
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 50
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3
    }
}

# Start keepalived (master and backup)
systemctl start keepalived
systemctl enable keepalived

# Check that the virtual IP (VIP) is active
ip a

## When the service on lb01 stops, lb02 takes over; once lb01 recovers it takes the service back from lb02 and keeps running
```
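What the settings above (virtual_router_id, priority, advert_int, auth_type PASS / auth_pass, virtual_ipaddress) look like in a VRRPv2 advertisement on the wire (RFC 3768), as an added Python codec that is not part of keepalived: encode_advert builds the message and parse_advert verifies the checksum and decodes it. The sample packet is constructed, not captured; the point for a defender is that auth_type PASS carries the password in cleartext, which is why VRRP traffic belongs on a trusted LAN segment and why firewalls must pass it only between the two nodes.

```python
import socket
import struct

VRRP_VERSION = 2
VRRP_ADVERT = 1
AUTH_SIMPLE = 1        # keepalived 'auth_type PASS': 8 bytes of plain text


def inet_checksum(data):
    """RFC 1071 one's-complement sum; VRRPv2 covers only the VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encode_advert(vrid, priority, advert_int, vips, auth_pass):
    """Build a VRRPv2 advertisement: 8-byte header, VIPs, 8 bytes of auth data."""
    vt = (VRRP_VERSION << 4) | VRRP_ADVERT
    header = struct.pack("!BBBBBBH", vt, vrid, priority, len(vips),
                         AUTH_SIMPLE, advert_int, 0)      # checksum filled below
    addrs = b"".join(socket.inet_aton(v) for v in vips)
    auth = auth_pass.encode()[:8].ljust(8, b"\x00")      # cleartext, zero padded
    msg = header + addrs + auth
    return msg[:6] + struct.pack("!H", inet_checksum(msg)) + msg[8:]


def parse_advert(pkt):
    """Decode an advertisement; raise ValueError when it does not verify."""
    if len(pkt) < 8 or inet_checksum(pkt) != 0:
        raise ValueError("bad VRRP checksum or truncated message")
    vt, vrid, prio, count, auth_type, interval, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if len(pkt) != 16 + 4 * count:
        raise ValueError("length does not match the address count")
    vips = [socket.inet_ntoa(pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    auth = pkt[8 + 4 * count:16 + 4 * count]
    return {
        "version": vt >> 4, "type": vt & 0xF, "vrid": vrid, "priority": prio,
        "advert_int": interval, "auth_type": auth_type, "vips": vips,
        # anyone who can see the segment reads this field: PASS is not a secret
        "auth_pass": auth.rstrip(b"\x00").decode(errors="replace"),
    }


# Constructed sample matching the master config above (VRID 50, priority 150, VIP 10.0.0.3).
SAMPLE = encode_advert(50, 150, 1, ["10.0.0.3"], "1111")
```

Feeding parse_advert the VRRP payload of a packet captured on eth0 (IP protocol 112, destination 224.0.0.18) shows which node is advertising, with what priority, and whether a stray advertisement with the same VRID is competing for the VIP.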

Differences between the Master and Backup configuration in Keepalived

| Keepalived setting | Master node | Backup node |
| --- | --- | --- |
| router_id (unique identifier) | router_id lb01 | router_id lb02 |
| state (role) | state MASTER | state BACKUP |
| priority (election priority) | priority 150 | priority 100 |

Non-preemptive keepalive: the idea

1. Both nodes use state BACKUP
2. Both nodes must add the nopreempt option
3. One node's priority must be higher than the other's

Configuring non-preemptive keepalive (lb01, lb02)

```bash
# Edit the master's configuration file
vim /etc/keepalived/keepalived.conf

global_defs {                   # global settings
    router_id lb01              # identity of this node -> name
}
vrrp_instance VI_1 {
    state BACKUP                # role of this node (BACKUP on both nodes in non-preemptive mode)
    interface eth0              # interface the VRRP instance is bound to
    nopreempt
    virtual_router_id 50        # virtual router id
    priority 150                # priority (higher number wins the election)
    advert_int 1                # advertisement interval (s)
    authentication {            # authentication
        auth_type PASS          # authentication type
        auth_pass 1111          # authentication password
    }
    virtual_ipaddress {
        10.0.0.3                # the virtual IP (VIP)
    }
}

# Edit the backup's configuration file
vim /etc/keepalived/keepalived.conf

global_defs {
    router_id lb02
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    nopreempt
    virtual_router_id 50
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3
    }
}
```
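The preemptive and non-preemptive behaviour described in the two sections above, as a small Python model added here (it is not keepalived's code): it applies the VRRP election rule (highest priority wins, higher primary IP breaks ties) together with the nopreempt flag to this page's lb01/lb02 priorities, abstracting advert_int and the master-down timer into discrete rounds. Node, ip_key, elect and failover_sequence are names chosen for this illustration.

```python
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    priority: int           # keepalived 'priority': the higher number wins
    ip: str                 # primary address; tie breaker per RFC 3768
    nopreempt: bool = False
    up: bool = True
    state: str = "BACKUP"

def ip_key(ip):
    """Make dotted-quad addresses comparable octet by octet."""
    return tuple(int(o) for o in ip.split("."))

def elect(nodes):
    """One election round; returns the name of the node now holding the VIP.
    A failed node drops to BACKUP; a live master keeps the VIP unless a
    higher-priority node is allowed to preempt it (no nopreempt set)."""
    for n in nodes:
        if not n.up:
            n.state = "BACKUP"
    alive = [n for n in nodes if n.up]
    if not alive:
        return None
    current = next((n for n in alive if n.state == "MASTER"), None)
    best = max(alive, key=lambda n: (n.priority, ip_key(n.ip)))
    if current is None:
        winner = best          # nobody is master: normal election by priority
    elif best is not current and not best.nopreempt:
        winner = best          # preemptive mode: higher priority takes over
    else:
        winner = current       # nopreempt: the incumbent keeps the VIP
    for n in alive:
        n.state = "MASTER" if n is winner else "BACKUP"
    return winner.name

def failover_sequence(nopreempt):
    """lb01 (priority 150) and lb02 (priority 100) as on this page: both boot,
    lb01 fails, lb01 recovers. Returns who holds the VIP after each event."""
    lb01 = Node("lb01", 150, "10.0.0.5", nopreempt)   # IPs from the environment table
    lb02 = Node("lb02", 100, "10.0.0.6", nopreempt)
    nodes = [lb01, lb02]
    timeline = [elect(nodes)]
    lb01.up = False
    timeline.append(elect(nodes))
    lb01.up = True
    timeline.append(elect(nodes))
    return timeline
```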

Split brain

Causes of split brain

1. Network faults such as a loose network cable on a server
2. Server hardware damage causing a crash
3. The firewalld firewall enabled on both master and backup (it drops the VRRP advertisements, so each node believes the other has failed and both claim the VIP)

```bash
cat check_split_brain.sh

#!/bin/sh
# Run on the backup (lb02): if the master is still reachable but the VIP is
# also bound here, both nodes hold the VIP, i.e. split brain.
vip=10.0.0.3
lb01_ip=10.0.0.5
while true; do
    ping -c 2 $lb01_ip >/dev/null 2>&1
    if [ $? -eq 0 -a "$(ip addr | grep -w "$vip" | wc -l)" -eq 1 ]; then
        echo "ha is split brain.warning."
    else
        echo "ha is ok"
    fi
    sleep 5
done
```

Using keepalived with nginx for high availability

Environment

| Hostname | WanIP | LanIP | Role | Application |
| --- | --- | --- | --- | --- |
| lb01 | 10.0.0.5 | 172.16.1.5 | master, keepalive primary node, nginx load balancer | keepalived nginx |
| lb02 | 10.0.0.6 | 172.16.1.6 | master, keepalive backup node, nginx load balancer | keepalived nginx |
| web01 | 10.0.0.7 | 172.16.1.7 | web site | nginx php |
| web02 | 10.0.0.8 | 172.16.1.8 | web site | nginx php |

Script to check that nginx is alive

```bash
# Script that checks nginx health (production version)
vim check_web.sh

#!/bin/sh
## 1. Count running nginx processes ([n]ginx keeps grep from matching itself)
nginx_count=$(ps -ef | grep '[n]ginx' | wc -l)
## 2. If nginx is not running, try to start it
if [ "$nginx_count" -eq 0 ]; then
    systemctl start nginx
    ## 3. Wait 3 seconds and check nginx's status again
    sleep 3
    ## 4. Check again; if nginx is still down, stop keepalived so the VIP fails over, and exit
    nginx_count=$(ps -ef | grep '[n]ginx' | wc -l)
    if [ "$nginx_count" -eq 0 ]; then
        systemctl stop keepalived
    fi
fi

# Script that checks nginx health (classroom version)
vim check_web.sh

#!/bin/sh
## 1. Count running nginx processes
nginx_count=$(ps -ef | grep '[n]ginx' | wc -l)
## 2. If nginx is not running, stop keepalived so the VIP fails over
if [ "$nginx_count" -eq 0 ]; then
    systemctl stop keepalived
fi
```

Adding a certificate to wordpress

```bash
# Apply for a certificate from a CA: generate the private key
openssl genrsa -idea -out 20230112_blog.xxx.com.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
................................................................................
...............+++
e is 65537 (0x10001)
Enter pass phrase for 20230112_blog.xxx.com.key: 1234
Verifying - Enter pass phrase for 20230112_blog.xxx.com.key: 1234

# Fill in the identity details as you would for a CA and issue the certificate
# (-x509 makes it self-signed; -newkey/-keyout generate a fresh key and overwrite the one above; -nodes leaves it without a pass phrase)
openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout 20230112_blog.xxx.com.key -out 20230112_blog.xxx.com.pem
```

Configuring the two load balancers (lb01, lb02)

```bash
# Configure load balancing
vim /etc/nginx/conf.d/blog_proxy.conf

upstream blog.xxx.com {
    server 172.16.1.7;
    server 172.16.1.8;
}
server {
    listen 80;
    server_name blog.xxx.com;
    rewrite (.*) https://blog.xxx.com$1;   # redirect HTTP to HTTPS, keeping the request path
}

server {
    listen 443 ssl;
    server_name blog.xxx.com;
    ssl_certificate ssl/20230112_blog.xxx.com.pem;
    ssl_certificate_key ssl/20230112_blog.xxx.com.key;

    location / {
        proxy_pass http://blog.xxx.com;
        proxy_set_header HOST $host;
    }
}

# Test the configuration and restart nginx
nginx -t
systemctl restart nginx
```

Combining keepalived with nginx

```bash
# Edit the keepalived configuration file
vim /etc/keepalived/keepalived.conf

global_defs {                   # global settings
    router_id lb01              # identity of this node -> name
}

vrrp_script check_web {         # run the nginx health-check script
    script "/root/check_web.sh"
    interval 5                  # seconds between runs
}

vrrp_instance VI_1 {
    state BACKUP                # role of this node
    interface eth0              # interface the VRRP instance is bound to
    nopreempt
    virtual_router_id 50        # virtual router id
    priority 150                # priority
    advert_int 1                # advertisement interval

    authentication {            # authentication
        auth_type PASS          # authentication type
        auth_pass 1111          # authentication password
    }
    virtual_ipaddress {
        10.0.0.3                # the virtual IP (VIP)
    }
    track_script {
        check_web
    }
}

# Make the script executable
chmod +x /root/check_web.sh

# Resolve the domain name to the VIP (hosts file / DNS record)
10.0.0.3 blog.xxx.com
```

Fixing the php broken-image problem

```bash
# In the wordpress site config add: fastcgi_param HTTPS on;
vim /etc/nginx/conf.d/blog.conf

server {
    listen 80;
    server_name blog.xxx.com;
    root /code/wordpress;
    index index.php index.html;

    location / {
        if ( -f $request_filename/index.html ){
            rewrite (.*) $1/index.html break;
        }
        if ( -f $request_filename/index.php ){
            rewrite (.*) $1/index.php;
        }
        if ( !-f $request_filename ){
            rewrite (.*) /index.php;
        }
    }

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;        # add this line so php sees the request as HTTPS and generates https:// links
        include /etc/nginx/fastcgi_params;
    }
}
```