Test results:
# curl 192.168.0.11
<html><body><h1>the is 10.0.0.13!</h1></body></html>
# curl 192.168.0.11
<html><body><h1>the is 10.0.0.10</h1></body></html>
# curl 192.168.0.11
<html><body><h1>the is 10.0.0.12!</h1></body></html>
# curl 192.168.0.11
<html><body><h1>the is 10.0.0.11</h1></body></html>
# curl 192.168.0.11
<html><body><h1>the is 10.0.0.13!</h1></body></html>
This implements dual-gateway load balancing: HAProxy forwards requests to the backend servers (see the diagram). It has been tested and runs without failures.
Configuration
The FreeBSD 7.2 kernel does not support pfsync and carp out of the box; recompile the kernel with pfsync and carp support. The setup uses two load balancers and four web servers.
CARP addresses: external 192.168.0.11, internal 10.0.0.1
fw1 ---------------- fw2
 |      pfsync        |
 |                    |
 +--------------------+
           |
    carp1: 10.0.0.1
           |
      web servers
Load balancer 1 configuration:
Add the following to /boot/loader.conf so the PF modules are loaded at boot:
pf_load="YES"
pflog_load="YES"
/etc/rc.conf configuration:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
#ext_if
ifconfig_le0="inet 192.168.0.10/24"
defaultrouter="192.168.0.1"
# create carp0 and carp1
cloned_interfaces="carp0 carp1"
ifconfig_carp0="vhid 1 pass jazz 192.168.0.11/24"
#int_if
ifconfig_le1="inet 10.0.0.3/24"
ifconfig_carp1="vhid 2 pass jazz 10.0.0.1/24"
#pfsync
ifconfig_le2="inet 10.1.1.2/24"
ifconfig_pfsync0="syncdev le2 up"
gateway_enable="YES"
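The rc.conf above points pf_rules at /etc/pf.conf but the post never shows that ruleset. The following is an added example, not from the original post: a minimal pf.conf for fw1 that blocks by default, passes CARP only on the interfaces that carry a VIP, confines the unauthenticated pfsync traffic to the dedicated le2 sync link, and lets HTTP reach the CARP address where HAProxy listens. Interface names and addresses come from the rc.conf above; the admin SSH rule from 10.0.0.0/24 is an assumption.

```pf
# /etc/pf.conf for fw1 (added example; interfaces and addresses as in rc.conf above)
ext_if  = "le0"
int_if  = "le1"
sync_if = "le2"
carp_vip = "192.168.0.11"
web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.12, 10.0.0.13 }"

set skip on lo0

# Default deny in both directions; every rule below is an explicit exception.
block log all

# CARP advertisements must pass on each interface that carries a carp VIP,
# otherwise neither node sees its peer and both become MASTER.
pass quick on { $ext_if, $int_if } proto carp keep state

# pfsync replicates firewall state in clear text without authentication:
# allow it only on the dedicated back-to-back sync link, never on ext_if.
pass quick on $sync_if proto pfsync

# Client traffic to the load-balanced service on the CARP address (HAProxy).
pass in on $ext_if proto tcp from any to $carp_vip port 80 flags S/SA keep state

# HAProxy on this host reaches the web servers on the internal network.
pass out on $int_if proto tcp from any to $web_servers port 80 flags S/SA keep state

# Management of the gateway itself from the internal network (assumed admin net).
pass in on $int_if proto tcp from 10.0.0.0/24 to ($int_if) port 22 flags S/SA keep state

# Traffic originated by the firewall itself (port fetches, syslog, etc.).
pass out on $ext_if proto { tcp, udp, icmp } all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the same file works on fw2 since the interface names are identical.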
Install haproxy
cd /usr/ports/net/haproxy-devel
make
make install
The configuration files are in /usr/local/etc.
Copy haproxy.conf-dist to haproxy.conf.
The contents of haproxy.conf are as follows:
global
    maxconn 4096
    uid 65534
    gid 65534
    daemon
    #debug
    quiet
    nbproc 2
    pidfile /var/run/haproxy.pid
defaults
    log global
    mode http
    option httplog
    option dontlognull
    log 127.0.0.1 local0 notice
    retries 3
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000
listen HTTP_SERVER 192.168.0.11:80
    mode http
    option dontlognull
    log 127.0.0.1 local0
    cookie SERVERID rewrite
    option httplog
    option httpchk
    option httpclose
    stats uri /stats
    stats auth root:root
    balance roundrobin # round-robin algorithm
    # each server needs a distinct SERVERID cookie value, or persistence maps every client to app1
    server app1 10.0.0.10 cookie app1inst1 check inter 2000 rise 2 fall 5
    server app2 10.0.0.11 cookie app1inst2 check inter 2000 rise 2 fall 5
    server app3 10.0.0.12 cookie app1inst3 check inter 2000 rise 2 fall 5
    server app4 10.0.0.13 cookie app1inst4 check inter 2000 rise 2 fall 5
Start haproxy
# /usr/local/etc/rc.d/haproxy start
Starting haproxy.
FW2 configuration:
/etc/rc.conf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
#ext_if
ifconfig_le0="inet 192.168.0.14/24"
defaultrouter="192.168.0.1"
cloned_interfaces="carp0 carp1"
ifconfig_carp0="vhid 1 pass jazz 192.168.0.11/24"
#int_if
ifconfig_le1="inet 10.0.0.4/24"
ifconfig_carp1="vhid 2 pass jazz 10.0.0.1/24"
#pfsync
ifconfig_le2="inet 10.1.1.1/24"
ifconfig_pfsync0="syncdev le2 up"
gateway_enable="YES"
Install haproxy
# cd /usr/ports/net/haproxy-devel
# make
===> Vulnerability check disabled, database not found
=> haproxy-1.3.15.5.tar.gz doesn’t seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from http://haproxy.1wt.eu/download/1.3/src/haproxy-1.3.15.5.tar.gz
0% of 490 kB 0 Bphaproxy-1.3.15.5.tar.gz
0% of 490 kB 18 kBphaproxy-1.3.15.5.tar.gz
5% of 490 kB 25 kBphaproxy-1.3.15.5.tar.gz
13% of 490 kB 28 kBphaproxy-1.3.15.5.tar.gz
17% of 490 kB 27 kBphaproxy-1.3.15.5.tar.gz
20% of 490 kB 24 kBphaproxy-1.3.15.5.tar.gz
The haproxy.conf configuration file is the same as on fw1.
Now reboot either machine: the other one takes over the service.
# sysctl -a|grep carp
net.inet.ip.same_prefix_carp_only: 0
net.inet.carp.allow: 1
net.inet.carp.preempt: 1
net.inet.carp.log: 1
net.inet.carp.arpbalance: 0
net.inet.carp.suppress_preempt: 0
This is the CARP configuration; add the entries above to sysctl.conf.
The running state can be seen in the diagram. pf's rdr redirection could be used instead of HAProxy, but it does not support health checks, which is why HAProxy is used. Now shut down either fw1 or fw2 and the other takes over its work.
The pf rdr implementation would be as follows:
web_servers = "{ 10.0.0.10, 10.0.0.11, 10.0.0.13, 10.0.0.12 }"
rdr on $ext_if proto tcp from any to any port 80 -> $web_servers \
    round-robin sticky-address
PF rdr performs better than HAProxy! pf is integrated into the kernel.