This is a project in a production environment. The company's website is frequently hit by DDoS attacks from competitors, so we need an environment that draws attackers onto a decoy copy of the company's website. My task was to build that decoy website to absorb the attacks.
I designed it as LVS (plus keepalived for high availability) + LNMP, forming a decoy of the company's site: 8 machines in total, 6 web servers and 2 LVS nodes.
For confidentiality, neither the IP addresses nor the real web address can be shown, and only two web servers are used in the example below.
1. Configuration preparation
In a yum environment under CentOS, prepare keepalived-1.1.17.tar.gz and ipvsadm-1.24.tar.gz (both packages can be downloaded online).
2. Install and configure
Before configuring, make sure the following symlink exists and is valid: ln -sv /usr/src/kernels/2.6.32-220.el6.i686 /usr/src/linux, because compiling both keepalived-1.1.17.tar.gz and ipvsadm-1.24.tar.gz depends on the kernel development headers. If you see:
[root@localhost src]# ll
total 8
drwxr-xr-x 7 root 4096 Mar 1 redhat
[root@localhost src]#
then the kernel development package was not installed with the system and you need to install it yourself:
yum install kernel*
Install ipvsadm-1.24.tar.gz
tar xf ipvsadm-1.24.tar.gz
cd ipvsadm-1.24
make && make install
Install keepalived-1.1.17.tar.gz
tar xf keepalived-1.1.17.tar.gz
cd keepalived-1.1.17
./configure
Make sure that the ./configure result looks like this:
Keepalived configuration
------------------------
Keepalived version       : 1.1.17
Compiler                 : gcc
Compiler flags           : -g -O2
Extra Lib                : -lpopt -lssl -lcrypto
Use IPVS Framework       : Yes
IPVS sync daemon support : Yes
Use VRRP Framework       : Yes
Use LinkWatch            : No
Use Debug flags          : No
make && make install
cp /usr/local/etc/rc.d/init.d/keepalived /etc/rc.d/init.d/
cp /usr/local/etc/sysconfig/keepalived /etc/sysconfig/
mkdir /etc/keepalived
cp /usr/local/etc/keepalived/keepalived.conf /etc/keepalived/
cp /usr/local/sbin/keepalived /usr/sbin/
3. Configure keepalived's MASTER and BACKUP configuration files.
vim /etc/keepalived/keepalived.conf
####### MASTER #####################
! Configuration File for keepalived
global_defs {
    notification_email {
        470499989@qq.com
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 127.0.0.1
    router_id LVS_DEVEL
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.200
    }
}
virtual_server 192.168.1.200 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    persistence_timeout 50
    protocol TCP
    real_server 192.168.1.117 80 {
        weight 3
        TCP_CHECK {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
    real_server 192.168.1.118 80 {
        weight 3
        TCP_CHECK {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
}
################# BACKUP ######################
! Configuration File for keepalived
global_defs {
    notification_email {
        470499989@qq.com
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 127.0.0.1
    router_id LVS_DEVEL
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 80
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.200
    }
}
virtual_server 192.168.1.200 80 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    persistence_timeout 50
    protocol TCP
    real_server 192.168.1.117 80 {
        weight 3
        TCP_CHECK {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
    real_server 192.168.1.118 80 {
        weight 3
        TCP_CHECK {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
}
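One way to catch the mistakes that keep a pair like this from converging, as an added example (a shell script, not part of the original post): it cross-checks the MASTER and BACKUP files for a matching virtual_router_id, auth_pass, interface, VIP and real_server list, and for a MASTER priority above the BACKUP priority. The ka_* functions and the sample files it writes under mktemp are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check a keepalived
# MASTER/BACKUP pair for the mistakes that keep VRRP from converging
# (VRID, auth_pass, interface, VIP or real servers differing; priorities
# not ordered MASTER > BACKUP). Assumes the one-keyword-per-line layout used above.

ka_get() {   # first value of a top-level keyword: ka_get priority FILE
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}
ka_vip() {   # first address inside the virtual_ipaddress block
    awk '$1 == "virtual_ipaddress" { getline; print $1; exit }' "$1"
}
ka_real_servers() {   # sorted "ip port" list of real_server entries
    awk '$1 == "real_server" { print $2, $3 }' "$1" | sort
}
# Returns 0 if MASTER file $1 and BACKUP file $2 agree, 1 otherwise
ka_check_pair() {
    rc=0
    [ "$(ka_get state "$1")" = MASTER ] || { echo "$1: state is not MASTER"; rc=1; }
    [ "$(ka_get state "$2")" = BACKUP ] || { echo "$2: state is not BACKUP"; rc=1; }
    for key in interface virtual_router_id auth_pass; do
        [ "$(ka_get "$key" "$1")" = "$(ka_get "$key" "$2")" ] ||
            { echo "$key differs between the two files"; rc=1; }
    done
    [ "$(ka_vip "$1")" = "$(ka_vip "$2")" ] || { echo "VIP differs"; rc=1; }
    [ "$(ka_real_servers "$1")" = "$(ka_real_servers "$2")" ] ||
        { echo "real_server lists differ"; rc=1; }
    [ "$(ka_get priority "$1")" -gt "$(ka_get priority "$2")" ] ||
        { echo "MASTER priority must be higher than BACKUP priority"; rc=1; }
    return $rc
}
# Constructed minimal config in the post's layout: ka_sample STATE PRIORITY VRID
ka_sample() {
    printf 'vrrp_instance VI_1 {\n state %s\n interface eth0\n' "$1"
    printf ' virtual_router_id %s\n priority %s\n' "$3" "$2"
    printf ' authentication {\n  auth_type PASS\n  auth_pass 1111\n }\n'
    printf ' virtual_ipaddress {\n  192.168.1.200\n }\n}\n'
    printf 'virtual_server 192.168.1.200 80 {\n lb_kind DR\n'
    printf ' real_server 192.168.1.117 80 {\n  weight 3\n }\n'
    printf ' real_server 192.168.1.118 80 {\n  weight 3\n }\n}\n'
}
KA_DIR=$(mktemp -d)
ka_sample MASTER 100 51 > "$KA_DIR/master.conf"
ka_sample BACKUP  80 51 > "$KA_DIR/backup.conf"   # a consistent pair
ka_sample BACKUP 100 52 > "$KA_DIR/bad.conf"      # wrong VRID, equal priority
ka_check_pair "$KA_DIR/master.conf" "$KA_DIR/backup.conf" && echo "pair OK"
```

Run it against the real /etc/keepalived/keepalived.conf copies from both LVS nodes by calling ka_check_pair with those two paths.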
If service keepalived start does not bring keepalived up, check the log:
# tail /var/log/messages
Mar 30 12:05:15 localhost Keepalived_vrrp: bogus VRRP packet received on eth0 !!!
Mar 30 12:05:15 localhost Keepalived_vrrp: VRRP_Instance(VI_1) Dropping received VRRP packet...
Mar 30 12:05:16 localhost Keepalived_vrrp: ip address associated with VRID not present in received packet : -939415360
Mar 30 12:05:16 localhost Keepalived_vrrp: one or more VIP associated with VRID mismatch actual MASTER advert
####### If the log lines above appear, someone else in your environment is already running keepalived with the same virtual router ID; change your virtual_router_id, because the default is 51.
####### If it still does not start and you are experimenting in a virtual machine, check the VM's date and time. This matters a great deal for virtual machines.
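To see which router IDs are already advertised on the segment before choosing one, as an added example (shell, not part of the original post): it parses the output of tcpdump -i eth0 -nn vrrp (a tool the post does not mention) for VRRPv2 advertisements and reports each VRID with its priority and source address. The sample lines are constructed tcpdump output so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: list the VRRP router IDs already
# advertised on the segment so a new keepalived pair can choose a free
# virtual_router_id instead of colliding with the default 51.
# Live use:  tcpdump -i eth0 -nn -c 20 vrrp | vrrp_vrids_in_use

# stdin: tcpdump -nn lines; stdout: one "vrid prio source-ip" per distinct speaker
vrrp_vrids_in_use() {
    sed -n 's/.* IP \([0-9.]*\) > 224\.0\.0\.18: VRRPv2, Advertisement, vrid \([0-9]*\), prio \([0-9]*\).*/\2 \3 \1/p' |
        sort -u
}
# vrrp_vrid_free VRID < tcpdump-lines: exit 0 if nobody advertises VRID, 1 if taken
vrrp_vrid_free() {
    ! vrrp_vrids_in_use | awk -v v="$1" '$1 == v { found = 1 } END { exit !found }'
}
# Constructed sample capture: two speakers (vrid 51 and 60) plus an unrelated packet
VRRP_SAMPLE='12:05:15.101 IP 192.168.1.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
12:05:16.102 IP 192.168.1.10 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20
12:05:16.333 IP 192.168.1.44 > 224.0.0.18: VRRPv2, Advertisement, vrid 60, prio 150, authtype none, intvl 1s, length 20
12:05:17.000 IP 192.168.1.5 > 192.168.1.6: ICMP echo request, id 1, seq 1, length 64'
echo "$VRRP_SAMPLE" | vrrp_vrids_in_use
if echo "$VRRP_SAMPLE" | vrrp_vrid_free 51; then echo "vrid 51 free"; else echo "vrid 51 already in use, pick another"; fi
```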
Explanation of the keepalived configuration file (annotated)
##### Explanation of configuration files #####
! Configuration File for keepalived
global_defs {
    notification_email {              ## email addresses that receive notifications
        acassen@firewall.loc
        failover@firewall.loc
        sysadmin@firewall.loc
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 192.168.200.1         ### SMTP server used to send notifications
    smtp_connect_timeout 30
    router_id LVS_DEVEL               ### identifier (label) of this LVS load balancer
}
vrrp_instance VI_1 {                  ## define a VRRP group
    state MASTER                      ### role of this node in the group: only MASTER or BACKUP, in uppercase
    interface eth0                    ### network interface that provides the service
    virtual_router_id 51              ### virtual router ID; the same on master and backup, unique on the segment
    priority 100                      ### priority of this node within the VRRP group
    advert_int 1                      ### master/backup advertisement (sync check) interval
    authentication {                  ### authentication between master and backup
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {               ### virtual IP address, i.e. the VIP
        192.168.200.16
    }
}
virtual_server 192.168.200.100 443 {  ### virtual server definition: VIP plus port
    delay_loop 6                      ### health check interval, in seconds
    lb_algo rr                        ### scheduling algorithm; rr (round robin) is common for web applications
    lb_kind NAT                       ### forwarding mode: DR, NAT or TUN; DR is the most common
    nat_mask 255.255.255.0            ### NAT mode only; not used in DR mode
    persistence_timeout 50            ### session persistence time, in seconds
    protocol TCP                      ### forwarding protocol
    real_server 192.168.201.100 443 { ### define a real server: IP address and port
        weight 1                      ### weight of the real server
        SSL_GET {
            url {
                path /
                digest ff20ad2481f97b1754ef3e12ecd3a9cc
            }
            url {
                path /mrtg/
                digest 9b3a0c85a887a256d6939da88aabd8cd
            }
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}