Persistent connection of LVS and examples of its application

Source: Internet
Author: User

What an LVS persistent connection means:

Within a fixed time window, all requests from the same client to the VIP are directed to the same RS. For the configured duration they are no longer dispatched by the scheduling algorithm; instead, the director uses the record in the in-memory IPVS connection template to send that client's requests to the same back-end RS.

Types of persistent connection:

1. PCC (persistent client connection): all requests from the same client to the VIP are directed to the same RS (keyed on the VIP only; every service is treated as one cluster service, so different services land on the same RS);

2. PPC (persistent port connection): all requests from the same client to one port of the VIP are directed to the same RS (keyed on the VIP and port number, so different services are no longer tied to the same RS);

3. PFMC (persistent firewall mark connection): based on a firewall mark, two or more ports are bound into one service (the scenario being an HTTP service and an HTTPS service that must be directed to the same RS);

How do you direct requests from the same client to the same RS when an e-commerce site serves both HTTP and HTTPS on the VIP?

1. First option: use PCC. Its drawback is that every cluster service requested by the same client is directed to the same RS;

2. Second option: use PFMC, which binds the two cluster services into one service, so requests for the two different ports go to the same back-end RS;
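The three types look different in the output of ipvsadm -L -n: PPC is a TCP service on one port with a "persistent" flag, PCC is the same on port 0, and PFMC is an FWM service. The following script is an added example, not part of the original post: it parses a listing in that format and reports, per virtual service, which kind of persistence is configured and with what timeout, so an operator can audit a director. The listing it consumes is constructed to match what the configurations in this post would produce; on a real director you would pipe ipvsadm -L -n into persistence_report instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit which LVS virtual
# services use persistence, from the text output of `ipvsadm -L -n`.
# SAMPLE_LISTING is constructed to look like the listing the three
# configurations in this post produce (PPC on :80, PCC on :0, PFMC on
# firewall mark 10, plus one :443 service without persistence).

SAMPLE_LISTING='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.10.120:80 rr persistent 120
  -> 192.168.10.11:80             Route   1      0          0
  -> 192.168.10.12:80             Route   1      0          0
TCP  192.168.10.120:0 rr persistent 300
  -> 192.168.10.11:0              Route   1      0          0
  -> 192.168.10.12:0              Route   1      0          0
FWM  10 rr persistent 1200
  -> 192.168.10.11:0              Route   1      0          0
  -> 192.168.10.12:0              Route   1      0          0
TCP  192.168.10.120:443 rr
  -> 192.168.10.11:443            Route   1      0          0'

# Reads an ipvsadm listing on stdin and prints one line per virtual service:
#   <type> <service> <scheduler> <persist-timeout-or-none> <real-server-count>
# <type> is PPC (one port), PCC (port 0 = all ports), PFMC (firewall mark)
# or NONE when the service has no persistence flag.
persistence_report() {
    awk '
    function flush() {
        if (svc != "") printf "%s %s %s %s %d\n", type, svc, sched, timeout, rs
    }
    # A service header line starts with the protocol or FWM.
    $1 == "TCP" || $1 == "UDP" || $1 == "FWM" {
        flush()
        svc = $2; sched = $3; rs = 0; timeout = "none"; type = "NONE"
        if ($4 == "persistent") {
            timeout = $5
            if ($1 == "FWM") type = "PFMC"
            else if ($2 ~ /:0$/) type = "PCC"
            else type = "PPC"
        }
        if ($1 == "FWM") svc = "fwmark:" $2
        next
    }
    # Real-server lines are indented and begin with "->".
    $1 == "->" { rs++ }
    END { flush() }
    '
}

# Wrapper used by the self-check: run the report over the constructed sample.
sample_report() {
    printf '%s\n' "$SAMPLE_LISTING" | persistence_report
}

sample_report
```

On a director, run ipvsadm -L -n | persistence_report; a service reported as NONE is one where the scheduler, not the connection template, decides the RS for every new connection.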


1. PPC demo (based on the LVS-DR model; the DR configuration itself is not covered here)

# ipvsadm -A -t 192.168.10.120:80 -s rr -p 120    # use a persistent connection, timeout two minutes

# ipvsadm -a -t 192.168.10.120:80 -r 192.168.10.11 -g

# ipvsadm -a -t 192.168.10.120:80 -r 192.168.10.12 -g

# ipvsadm -L -n

2. Test from the client host to see whether requests are directed to the same RS (if so, the configuration is correct)

3. In Xshell, run ssh 192.168.10.120 to reach the director. Running ifconfig shows the director's own IP rather than an RS: we are accessing the SSH service on the VIP, but that service has not been defined as a cluster service, so the director answers it directly;

4. Add the SSH cluster service

# ipvsadm -A -t 192.168.10.120:22 -s rr -p 1200

# ipvsadm -a -t 192.168.10.120:22 -r 192.168.10.11 -g

# ipvsadm -a -t 192.168.10.120:22 -r 192.168.10.12 -g

# ipvsadm -L -n

Test again (Xshell)

ssh 192.168.10.120

# ifconfig    # checking again now shows 192.168.10.12, i.e. RS2: the persistent connection is in effect, and disconnecting and reconnecting within the configured time still lands on RS2;


2. PCC demo (based on the LVS-DR model; the DR configuration itself is not covered here)

# ipvsadm -C

# ipvsadm -A -t 192.168.10.120:0 -s rr -p    # port 0 means all of the VIP's cluster services; with no value, -p uses ipvsadm's default timeout

# ipvsadm -a -t 192.168.10.120:0 -r 192.168.10.11 -g

# ipvsadm -a -t 192.168.10.120:0 -r 192.168.10.12 -g

# ipvsadm -L -n

Test (Xshell)

ssh 192.168.10.120

# ifconfig    # checking again now shows 192.168.10.12, i.e. RS2: the persistent connection is in effect, and disconnecting and reconnecting within the configured time still lands on RS2;


3. PFMC demo (based on the LVS-DR model; the DR configuration itself is not covered here)

1. Install mod_ssl on all RS

# yum -y install mod_ssl

2. Configure the director as a CA

# cd /etc/pki/CA

# vim /etc/pki/tls/openssl.cnf

[ req_distinguished_name ]

countryName_default = CN

stateOrProvinceName_default = HB

localityName_default = WUHAN

0.organizationName_default = COLLEGE

organizationalUnitName_default = Tech

# (umask 077; openssl genrsa -out private/cakey.pem 2048)

# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

# touch index.txt serial crlnumber

# echo 01 > serial

3. Set up an SSL directory on the RS (RS2, 192.168.10.12, is used here)

# mkdir /etc/httpd/ssl

# cd /etc/httpd/ssl

# (umask 077; openssl genrsa -out httpd.key 2048)

# openssl req -new -key httpd.key -out httpd.csr

# scp httpd.csr 192.168.10.120:/tmp

4. Sign the certificate request on the director

# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt

# scp /tmp/httpd.crt 192.168.10.12:/etc/httpd/ssl/

5. Copy the certificate file and the private key file from RS2 to the other back-end RS

# cd /etc/httpd/ssl

# mkdir /etc/httpd/ssl    # create the matching directory on RS1

# scp -p httpd.crt httpd.key 192.168.10.11:/etc/httpd/ssl/

# chmod 600 /etc/httpd/ssl/httpd.key

6. Edit the SSL configuration file on each RS

# vim /etc/httpd/conf.d/ssl.conf

DocumentRoot "/var/www/html"

ServerName www.luochen.com:443

SSLCertificateFile /etc/httpd/ssl/httpd.crt

SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

7. Copy the modified SSL configuration file to each back-end node

# scp /etc/httpd/conf.d/ssl.conf 192.168.10.12:/etc/httpd/conf.d/

8. Restart the web service on all nodes

# service httpd restart

9. Check that port 443 is listening

# netstat -tnlp | grep 443

10. Define the SSL cluster service

# ipvsadm -A -t 192.168.10.120:443 -s rr

# ipvsadm -a -t 192.168.10.120:443 -r 192.168.10.11 -g

# ipvsadm -a -t 192.168.10.120:443 -r 192.168.10.12 -g

# ipvsadm -L -n

11. Test from the client host

12. Define PFMC on the director

# ipvsadm -C

# iptables -t mangle -A PREROUTING -d 192.168.10.120 -p tcp --dport 80 -j MARK --set-mark 10

# iptables -t mangle -A PREROUTING -d 192.168.10.120 -p tcp --dport 443 -j MARK --set-mark 10

# service iptables save

# ipvsadm -A -f 10 -s rr

# ipvsadm -a -f 10 -r 192.168.10.11 -g

# ipvsadm -a -f 10 -r 192.168.10.12 -g

# ipvsadm -L -n

# service ipvsadm save

13. Test from the client host

14. Modify the cluster service to use persistent connections

# ipvsadm -E -f 10 -s rr -p 1200

# service ipvsadm save

15. Finally, test from the client host

PS: the mark value is any integer between 0 and 99.
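Steps 12 and 14 above are the heart of PFMC: two MARK rules that give port 80 and port 443 the same firewall mark, and one virtual service keyed on that mark with a persistence timeout. The script below is an added example, not part of the original post, that generates that whole rule set from parameters so the two port rules cannot be configured inconsistently. With DRY_RUN=1 it prints the commands instead of running them, which is how the self-check exercises it; the VIP, mark, ports and real servers are the ones used in this post and are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): build the complete PFMC rule
# set (mangle-table MARK rules plus the fwmark virtual service) from a few
# parameters. Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage: pfmc_rules VIP MARK TIMEOUT "PORT ..." "RS ..."
# TIMEOUT is the -p persistence timeout in seconds; 0 means "no persistence".
pfmc_rules() {
    vip=$1; mark=$2; timeout=$3; ports=$4; realservers=$5

    # Reject marks that are not plain non-negative integers before touching netfilter.
    case $mark in
        ''|*[!0-9]*) echo "invalid firewall mark: $mark" >&2; return 1 ;;
    esac

    # One MARK rule per port: every packet for VIP:PORT receives the same
    # mark, so the kernel treats the ports as a single cluster service.
    for port in $ports; do
        run iptables -t mangle -A PREROUTING -d "$vip" -p tcp --dport "$port" \
            -j MARK --set-mark "$mark"
    done

    # The virtual service is keyed on the mark, not on an address:port pair.
    if [ "$timeout" -gt 0 ]; then
        run ipvsadm -A -f "$mark" -s rr -p "$timeout"
    else
        run ipvsadm -A -f "$mark" -s rr
    fi
    for rs in $realservers; do
        run ipvsadm -a -f "$mark" -r "$rs" -g
    done
}

# The configuration from this post, in dry-run mode so the generated commands
# can be reviewed before being applied on the director.
DRY_RUN=1 pfmc_rules 192.168.10.120 10 1200 "80 443" "192.168.10.11 192.168.10.12"
```

Remove DRY_RUN=1 to apply the rules on the director, and follow it with service iptables save and service ipvsadm save as in step 12 so the mark rules and the fwmark service survive a reboot together.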



This article is from "Luo Chen's blog"; please keep this source: http://luochen2015.blog.51cto.com/9772274/1702899
