Requirements:
1. Use DR mode with the rr (round-robin) scheduling algorithm.
2. Make the same user's web access and encrypted web access land on the same server.
3. Configure LVS based on firewall marks.
Description: due to limited experimental conditions, three Linux virtual machines are used to complete the experiment configuration, one of which is the Director and the other two are Real Servers.
The IP addresses are allocated as follows:
Director: eth0 --- 192.168.145.100, logical NIC eth0:0 --- 192.168.145.101
Real Server1: eth0 --- 192.168.145.200, eth1 --- 192.168.2.200, lo:0 --- 192.168.145.101
Real Server2: eth0 --- 192.168.145.201, eth1 --- 192.168.2.201, lo:0 --- 192.168.145.101
Share Server: eth0 --- 192.168.2.100
The process of adding the IP addresses is not described in detail here.

1. Director configuration
Install ipvsadm:
[root@localhost ~]# mount /dev/cdrom /mnt/cdrom
[root@localhost ~]# cd /mnt/cdrom/Cluster
[root@localhost Cluster]# rpm -ivh ipvsadm-1.24-10.i386.rpm

Configuration:
[root@localhost ~]# iptables -A PREROUTING -t mangle -p tcp -d 192.168.145.101/32 --dport 80 -j MARK --set-mark 10    # /32 marks only the VIP; a /24 mask would match the whole 192.168.145.0/24 subnet
[root@localhost ~]# iptables -A PREROUTING -t mangle -p tcp -d 192.168.145.101/32 --dport 443 -j MARK --set-mark 10
[root@localhost ~]# ipvsadm -A -f 10 -s rr -p 1800
[root@localhost ~]# ipvsadm -a -f 10 -r 192.168.145.200 -g
[root@localhost ~]# ipvsadm -a -f 10 -r 192.168.145.201 -g
[root@localhost Cluster]# service ipvsadm save     # save the rule table; otherwise an error occurs when ipvsadm is started
[root@localhost Cluster]# service ipvsadm start    # start ipvsadm
[root@localhost Cluster]# ipvsadm -ln              # view the rules
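The Director rules above only meet requirement 2 if ports 80 and 443 carry the same firewall mark and the virtual service for that mark is persistent (-p). The check below is an added example, not part of the original article; the function names and the sample rule text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Sample data below is constructed.

# Print the mark that the mangle rules set for TCP traffic to VIP:PORT.
mark_for_port() {   # $1 = rules text, $2 = VIP, $3 = port
    printf '%s\n' "$1" | awk -v vip="$2" -v port="$3" '
        /-j MARK/ {
            d = ""; p = ""; m = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-d")         { d = $(i + 1); sub(/\/.*/, "", d) }
                if ($i == "--dport")    p = $(i + 1)
                if ($i == "--set-mark") m = $(i + 1)
            }
            if (d == vip && p == port) mark = m
        }
        END { if (mark != "") print mark }'
}

# Return 0 if HTTP and HTTPS share one mark served by a persistent IPVS
# service with at least one real server; 1, 2 or 3 names the failed check.
check_fwmark_service() {   # $1 = mangle rules, $2 = IPVS rules, $3 = VIP
    m80=$(mark_for_port "$1" "$3" 80)
    m443=$(mark_for_port "$1" "$3" 443)
    if [ -z "$m80" ] || [ "$m80" != "$m443" ]; then
        echo "FAIL: ports 80 and 443 do not carry the same mark"; return 1
    fi
    if ! printf '%s\n' "$2" | grep -Eq -- "^-A -f $m80 .*-p [0-9]+"; then
        echo "FAIL: no persistent (-p) virtual service for mark $m80"; return 2
    fi
    if ! printf '%s\n' "$2" | grep -Eq -- "^-a -f $m80 -r "; then
        echo "FAIL: no real server behind mark $m80"; return 3
    fi
    echo "OK: mark $m80 groups 80 and 443 into one persistent service"
}

# Constructed sample input, in the option syntax of the commands above.
SAMPLE_RULES='-A PREROUTING -t mangle -p tcp -d 192.168.145.101 --dport 80 -j MARK --set-mark 10
-A PREROUTING -t mangle -p tcp -d 192.168.145.101 --dport 443 -j MARK --set-mark 10'
SAMPLE_IPVS='-A -f 10 -s rr -p 1800
-a -f 10 -r 192.168.145.200 -g
-a -f 10 -r 192.168.145.201 -g'

check_fwmark_service "$SAMPLE_RULES" "$SAMPLE_IPVS" 192.168.145.101
```

The sample text uses the option syntax of the commands as typed; a dump written by iptables-save may print the mark in another form (for example hexadecimal), so adapt the match before running it against saved rules.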

2. Real Server1 configuration
Installing and starting the httpd server is not described in detail. The addresses are configured as follows:
[root@localhost Server]# route add -host 192.168.145.101 dev lo:0
[root@localhost Server]# route -n    # view the routing table
[root@localhost Server]# sysctl -a | grep arp    # view the ARP-related kernel parameters
Append the above two settings to /etc/sysctl.conf:
[root@localhost Server]# echo "net.ipv4.conf.eth0.arp_ignore = 1" >> /etc/sysctl.conf    # >> appends; a single > would overwrite the file on every echo
[root@localhost Server]# echo "net.ipv4.conf.all.arp_ignore = 1" >> /etc/sysctl.conf
[root@localhost Server]# echo "net.ipv4.conf.eth1.arp_announce = 2" >> /etc/sysctl.conf
[root@localhost Server]# echo "net.ipv4.conf.all.arp_announce = 2" >> /etc/sysctl.conf
[root@localhost Server]# vim /etc/sysctl.conf    # enable data forwarding
[root@localhost Server]# sysctl -p

Implement HTTPS encryption:
[root@localhost ~]# vim /etc/pki/tls/openssl.cnf
1. Modify line 43 and change the directory to /etc/pki/CA
2. Modify line 8-90 and change match to optional
3. Modify line 134 (optional)
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# mkdir crl certs newcerts
[root@localhost CA]# touch index.txt serial
[root@localhost CA]# echo "01" > serial
[root@localhost CA]# openssl genrsa 1024 > private/cakey.pem    # CA private key; 1024-bit RSA is only suitable for a lab, use 2048 bits or more elsewhere
[root@localhost CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem    # self-signed CA certificate
[root@localhost CA]# chmod 600 private/*
[root@localhost CA]# mkdir -pv /etc/httpd/certs
[root@localhost CA]# cd /etc/httpd/certs
[root@localhost certs]# openssl genrsa 1024 > httpd.key    # web server private key
[root@localhost certs]# openssl req -new -key httpd.key -out httpd.csr    # certificate signing request
[root@localhost certs]# openssl ca -in httpd.csr -out httpd.cert    # sign the request with the CA
[root@localhost certs]# chmod 600 ./*
[root@localhost CA]# yum install -y mod_ssl
[root@localhost CA]# vim /etc/httpd/conf.d/ssl.conf
[root@localhost CA]# service httpd restart

3. Real Server2 configuration
The addresses are configured as follows:
Note: the other configuration is the same as on Real Server1 and is not described in detail.

4. Browse from the client.
View connections
View iptables