How to Set Up HAProxy as a Load Balancer for Nginx on CentOS 8


To ensure maximum web application availability, scalability and high performance, it is now common to implement technologies that introduce redundancy, such as server clustering and load balancing. For instance, setting up a cluster of servers that all run the same application and then deploying load balancers in front of them to distribute traffic.

HAProxy is an open-source, powerful, high-performance, reliable, secure and widely used high-availability TCP/HTTP load balancer, proxy server and SSL/TLS terminator built for very high-traffic websites. It runs reliably on Linux, Solaris, FreeBSD, OpenBSD and AIX operating systems.

This guide shows how to set up a dedicated high-availability load balancer with HAProxy on CentOS 8 to control traffic in a cluster of NGINX web servers. It also shows how to configure SSL/TLS termination in HAProxy.

Prerequisites: a total of 4 servers with a minimal installation of CentOS 8.

----------- HAProxy Server Setup ----------- 
HA Proxy Server - hostname: haproxy-server.tecmint.lan; IP: 10.42.0.247
Test Site Domain: www.tecmint.lan


----------- Client Web Servers Setup ----------- 
Web Server #1 - hostname: websrv1.tecmint.lan; IP: 10.42.0.200
Web Server #2 - hostname: websrv2.tecmint.lan; IP: 10.42.0.21
Web Server #3 - hostname: websrv3.tecmint.lan; IP: 10.42.0.34

Step 1: Setting Up Nginx HTTP Servers on the Client Machines

1. Log in to all your CentOS 8 client machines and install the Nginx web server using the dnf package manager as shown.

# dnf install nginx

2. Next, start the Nginx service, enable it to start automatically at system boot, and verify that it is up and running by checking its status with the systemctl command (do this on all client machines).

# systemctl start nginx
# systemctl enable nginx
# systemctl status nginx

3. Also, if the firewalld service is running on the client machines (which you can check by running systemctl status firewalld), you must add the HTTP and HTTPS services to the firewall configuration so that requests from the load balancer can pass through the firewall to the Nginx web servers. Then reload the firewalld service to apply the new changes (do this on all client machines).

# firewall-cmd --zone=public --permanent --add-service=http
# firewall-cmd --zone=public --permanent --add-service=https
# firewall-cmd --reload

4. Next, open a web browser on your local machine and test whether the Nginx installation is working. Browse to the client's IP address; once you see the Nginx test page, the web server installed on that client machine is working correctly.

5. Next, we need to create test pages on the client machines that we will use later to test the HAProxy setup.

----------- Web Server #1 ----------- 
# cp /usr/share/nginx/html/index.html /usr/share/nginx/html/index.html.orig
# echo "Showing site from websrv1.tecmint.lan"> /usr/share/nginx/html/index.html

----------- Web Server #2 ----------- 
# cp /usr/share/nginx/html/index.html /usr/share/nginx/html/index.html.orig
# echo "Showing site from websrv2.tecmint.lan"> /usr/share/nginx/html/index.html

----------- Web Server #3 ----------- 
# cp /usr/share/nginx/html/index.html /usr/share/nginx/html/index.html.orig
# echo "Showing site from websrv3.tecmint.lan"> /usr/share/nginx/html/index.html

Step 2: Installing and Configuring the HAProxy Server on CentOS 8

6. Now install the HAProxy package on the HAProxy server by running the following command.

# dnf install haproxy

7. Next, start the HAProxy service, enable it to start automatically at system boot and verify its status.

# systemctl start haproxy
# systemctl enable haproxy
# systemctl status haproxy

8. Now we will configure HAProxy using the following configuration file.

# vi /etc/haproxy/haproxy.cfg

The configuration file is divided into four major sections.

  • global settings - sets process-wide parameters.
  • defaults - this section sets default parameters for all other sections following its declaration.
  • frontend - this section describes a set of listening sockets accepting client connections.
  • backend - this section describes the set of servers to which the proxy will connect to forward incoming connections.

To understand the options under global settings and defaults, read the HAProxy documentation (link provided at the end of the article). For this guide, we will use the defaults.

9. Once deployed, HAProxy will play a key role in your IT infrastructure, so configuring logging for it is a basic requirement; this gives you insight into every connection to your backend web servers.

The log parameter (highlighted in the following screenshot) declares a global syslog server (such as rsyslog, the default on CentOS) that will receive the log messages. More than one server can be declared here.

The default configuration points to localhost (127.0.0.1), and local2 is the default facility code used to identify HAProxy log messages in rsyslog.

10. Next, you need to tell the rsyslog server how to receive and process HAProxy log messages. Open the rsyslog configuration file at /etc/rsyslog.conf or create a new file in the /etc/rsyslog.d directory, for example /etc/rsyslog.d/haproxy.conf.

# vi /etc/rsyslog.d/haproxy.conf

Copy and paste the following configuration to collect logs over UDP on the default port 514.

$ModLoad imudp 
$UDPServerAddress 127.0.0.1 
$UDPServerRun 514 

Also add the following lines to instruct rsyslog to write to two separate log files based on severity, where local2 is the facility code defined in the HAProxy configuration above.

local2.* 	/var/log/haproxy-traffic.log 
local2.notice 	/var/log/haproxy-admin.log

11. Save the file and close it. Then restart the rsyslog service to apply the recent changes.

# systemctl restart rsyslog

12. In this section, we will show how to configure the frontend and backend proxies. Go back to the HAProxy configuration file and modify the default frontend and backend sections as follows. We will not go into a detailed explanation of each parameter; you can always refer to the official documentation.

The following configuration defines a listen section used to serve the HAProxy Stats page. The bind parameter assigns a listener to a given IP address (* for all, in this case) and port (9000).

The stats enable setting enables the stats page, which can be accessed using the URI /stats (i.e. http://server_ip:9000/stats).

The stats auth setting adds basic authentication when logging in to the page (replace haproxy and CHANGEME with a username and password of your choice). Because this listener serves plain HTTP on port 9000, the credentials travel in clear text, so restrict access to the stats port to trusted administrative networks.

listen stats
    bind *:9000
    stats enable
    stats hide-version
    stats uri /stats
    stats admin if LOCALHOST
    stats auth haproxy:CHANGEME

13. The next configuration defines a frontend section called TL (you can give it any name you like). The mode parameter defines the mode HAProxy operates in.

The acl (Access Control List) parameter is used to make decisions based on content extracted from the request. In this example, a request is considered plain HTTP if it was not made over SSL.

Then the http-request set-header setting is used to add an HTTP header to the request. This helps inform Nginx that the initial request was made over HTTP (i.e. via port 80).

The default_backend or use_backend directive defines the backend servers, in this case referenced by TL_web_servers.

Note that HAProxy will return a "503 Service Unavailable" error if a request is not routed by a use_backend or default_backend directive.

frontend TL
    bind *:80
    mode http
    acl http  ssl_fc,not
    http-request set-header X-Forwarded-Protocol http if http
    default_backend TL_web_servers

14. Then we need to define a backend section, where the balance setting describes how HAProxy selects the backend server to process a request if no persistence method overrides that selection.

The cookie directive enables cookie-based persistence; it instructs HAProxy to send a cookie named SERVERID to the client and to associate it with the ID of the server that gave the initial response.

The server directive is used to define the upstream servers in the form server_name (e.g. websrv1), server_IP:port and options.

One key option is check, which tells HAProxy to keep checking the availability of a server and report it on the stats page.

backend TL_web_servers
    mode http
    balance roundrobin
    option  httpchk HEAD /
    cookie SERVERUID insert indirect nocache
    server  websrv1 10.42.0.200:80 cookie websrv1 check
    server  websrv2 10.42.0.21:80  cookie websrv2 check
    server  websrv3 10.42.0.34:80  cookie websrv3 check

Comment out any other frontend and backend sections as shown in the following screenshot. Save the file and close it.

15. Now restart the HAProxy service to apply the new changes.

# systemctl restart haproxy

16. Next, ensure that the HTTP (port 80) and HTTPS (port 443) services are open in the firewall to accept client requests, as follows. Also open port 9000 in the firewall to access the stats page, and reload the firewall settings.

# firewall-cmd --zone=public --permanent --add-service=http
# firewall-cmd --zone=public --permanent --add-service=https
# firewall-cmd --zone=public --permanent --add-port=9000/tcp
# firewall-cmd --reload

Step 3: Testing the HAProxy Setup and Viewing Statistics

17. Now it is time to test the HAProxy setup. On the local desktop machine from which you access all the servers, add the following line to the /etc/hosts file so that we can use the dummy site domain.

10.42.0.247  www.tecmint.lan

18. Then open a browser and navigate using either the server address or the site domain.

http://10.42.0.247/
OR
http://www.tecmint.lan/

19. To access the HAProxy statistics page, use the following address.

http://10.42.0.247:9000/stats

Then use the username and password you defined in the HAProxy configuration file (refer to the stats auth parameter).

After a successful login, you will land on the HAProxy stats page, which shows metrics covering the health of your servers, current request rates, response times and much more.

To demonstrate how the status report works with regard to the colour codes, we have taken one of the backend servers down.

Step 4: Configuring HTTPS in HAProxy Using a Self-Signed SSL Certificate

20. In this final section, we will show how to configure SSL/TLS to secure all communications between the HAProxy server and the client. HAProxy supports four major HTTPS configuration modes, but for this guide we will use SSL/TLS offloading.

In SSL/TLS offloading mode, HAProxy decrypts the traffic on the client side and connects to the backend servers in plain text, so the network segment between HAProxy and the Nginx servers must be one you trust.

We will start by creating the certificate and key as shown (answer the questions according to your company details while creating the certificate, as highlighted in the screenshot). Because -nodes leaves the private key unencrypted, keep the resulting key and .pem files readable by root only.

# mkdir /etc/ssl/tecmint.lan
# cd /etc/ssl/tecmint.lan/
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/tecmint.lan/tecmint.key -out /etc/ssl/tecmint.lan/tecmint.crt
# cat tecmint.crt tecmint.key > tecmint.pem
# ls -l

21. Next, open the HAProxy configuration file (/etc/haproxy/haproxy.cfg) and modify the frontend section as follows.

frontend TL
    bind *:80
    bind *:443 ssl crt /etc/ssl/tecmint.lan/tecmint.pem
    redirect  scheme  https  if  !{ ssl_fc }
    mode http
    acl http  ssl_fc,not
    acl https ssl_fc
    http-request set-header X-Forwarded-Protocol http if http
    http-request set-header X-Forwarded-Protocol https if https
    default_backend TL_web_servers

Save the file and close it.

22. Then restart the HAProxy service to apply the new changes.

# systemctl restart haproxy.service

23. Next, open a web browser and try to access the site once more. The browser will display a warning because of the self-signed certificate; click Advanced to proceed.
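As an added example (not part of the original guide), the following Python script parses lines in the format HAProxy writes to /var/log/haproxy-traffic.log through the rsyslog rules from step 10, and summarises requests per backend server, 5xx and <NOSRV> failures (the 503 case from step 13 and the server taken down in step 19), and how many requests arrived on the TLS bind added in step 21. It assumes the default option httplog format of the stock CentOS 8 haproxy.cfg and uses constructed sample lines rather than real captured traffic.

```python
import re
from collections import Counter

# Constructed sample lines in the default 'option httplog' layout (not real traffic).
SAMPLE_LINES = [
    'Mar 10 12:00:01 haproxy-server haproxy[1043]: 10.42.0.5:51234 [10/Mar/2020:12:00:01.117] '
    'TL TL_web_servers/websrv1 0/0/1/2/3 200 612 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"',
    'Mar 10 12:00:02 haproxy-server haproxy[1043]: 10.42.0.5:51236 [10/Mar/2020:12:00:02.220] '
    'TL~ TL_web_servers/websrv2 0/0/1/1/2 200 612 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"',
    'Mar 10 12:00:03 haproxy-server haproxy[1043]: 10.42.0.5:51238 [10/Mar/2020:12:00:03.305] '
    'TL~ TL_web_servers/websrv3 0/0/-1/-1/2 503 212 - - SC-- 1/1/0/0/3 0/0 "GET / HTTP/1.1"',
    'Mar 10 12:00:04 haproxy-server haproxy[1043]: 10.42.0.5:51240 [10/Mar/2020:12:00:04.410] '
    'TL TL_web_servers/<NOSRV> 0/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"',
]

# One httplog record after the syslog prefix:
# client:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes
# req_cookie resp_cookie term_state actconn/feconn/beconn/srvconn/retries queues "request"
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>[\d.]+):\d+ \[(?P<date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>-?\d+(?:/-?\d+){4}) (?P<status>-?\d+) (?P<bytes>\d+) '
    r'\S+ \S+ (?P<term>\S{4}) \S+ \S+ "(?P<request>[^"]*)"'
)


def parse_line(line):
    """Return one HAProxy HTTP log record as a dict, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    # HAProxy appends '~' to the frontend name when the request arrived on the SSL bind.
    rec["tls"] = rec["frontend"].endswith("~")
    return rec


def summarize(lines):
    """Count requests per backend server, server-side failures, and TLS requests."""
    requests, errors, tls = Counter(), Counter(), 0
    for rec in filter(None, map(parse_line, lines)):
        requests[rec["server"]] += 1
        tls += rec["tls"]
        # <NOSRV> means no backend server was available: the 503 case the guide mentions.
        if rec["status"] >= 500 or rec["server"] == "<NOSRV>":
            errors[rec["server"]] += 1
    return {"requests": requests, "errors": errors, "tls": tls}
```

Run it against the real file with `summarize(open("/var/log/haproxy-traffic.log"))`; a rising count for one server in `errors`, or any `<NOSRV>` entries, is the same signal the stats page shows in red.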

That's all for now! Every web application has its own set of requirements; you need to design and configure load balancing to suit your IT infrastructure and application requirements.

For more insight into some of the configuration options used in this guide, and into how to use HAProxy in general, see the HAProxy enterprise version documentation. You can post your questions or thoughts via the feedback form below.