Tags: lamp nginx lvs
Web server architecture:
1. The simplest web service: set up httpd and nginx to serve static HTML and PHP pages, build a LAMP environment and a WordPress blog; the lab needs 1 server for the whole LANMP stack.
2. Several independent servers forming a more complex web architecture: httpd and nginx on their own hosts, with MySQL and the file sharing (NFS) service split out onto a separate server;
a redundant web architecture, using LVS and an nginx proxy to schedule requests across several web servers for load balancing; the lab needs 2 web servers (1 httpd, 1 nginx), 1 MySQL+NFS server, 1 proxy server (LVS, httpd and nginx three-in-one), 1 router and 1 test client, 6 hosts in total.
3. A Varnish cache server in front to handle high-concurrency load; the lab adds 1 cache server to the setup above.
4. DNS resolution and HTTPS access; the lab adds 2 more hosts (a DNS server and a CA server) to the setup above.
###########################
1. A single server running LANMP (CentOS 7.3)
Install the required packages
yum install httpd php php-mysql mariadb-server
Start the services and test
systemctl start httpd
systemctl start mariadb
mysql    // test logging in to the database
echo "apache server page" > /var/www/html/index.html
vi /var/www/html/index.php
<?php
phpinfo();
?>
curl 192.168.10.71    // test the httpd service
Set the MySQL root password and the other security settings
mysql_secure_installation
Log in to MySQL, create the database and a remote login account
mysql -uroot -p
MariaDB [(none)]> create database wpdb;
MariaDB [(none)]> grant all on wpdb.* to wpuser@'192.168.10.%' identified by "redhat";
Install WordPress
tar -xf wordpress-xxx.tar.gz
cp -p wp-config-sample.php wp-config.php
vi wp-config.php    // change the following entries
define('DB_NAME', 'wpdb');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'redhat');
define('DB_HOST', '192.168.10.71');
Configure the EPEL repository and install nginx
yum install nginx
systemctl stop httpd
systemctl start nginx
echo "nginx server page" > /usr/share/nginx/html/index.html
curl 192.168.10.71
##################################
2. Add an LVS scheduler, 4 hosts in total, with the IP addresses changed as follows
Apache server IP: 10.71
Nginx server IP: 10.72
LVS / nginx proxy server IP: 10.73, 80.162
Client IP: 10.74
Apache server configuration:
ifdown eth1    // bring down the other interface
ip route add default via 192.168.10.73    // add a default route pointing at the LVS host
ip route
default via 192.168.10.73 dev eth0
Nginx server configuration:
ifdown eth1
ip route add default via 192.168.10.73
ip route
LVS server (10.73) configuration:
Configure the EPEL repository and install ipvsadm
yum install ipvsadm
vi /etc/sysctl.conf    // allow the LVS host to forward packets (needed for NAT mode)
net.ipv4.ip_forward = 1
sysctl -p    // apply the setting
Configure LVS
ipvsadm -A -t 192.168.80.162:80 -s rr
ipvsadm -a -t 192.168.80.162:80 -r 192.168.10.71 -m
ipvsadm -a -t 192.168.80.162:80 -r 192.168.10.72 -m
ipvsadm -Ln
ipvsadm -Ln --stats
Client test:
for i in {1..10};do curl 192.168.80.162;done
ipvsadm -E -t 192.168.80.162:80 -s wrr    // switch the scheduler to weighted round robin
ipvsadm -e -t 192.168.80.162:80 -r 192.168.10.71 -m -w 3    // give 10.71 weight 3
ipvsadm -Ln
Client configuration:
ip route add default via 192.168.80.162
for i in {1..10};do curl 192.168.80.162;done    // test
##############################
Same environment and IP plan as above; configure the nginx proxy server (10.73, 80.162)
yum install nginx
vi /etc/nginx/nginx.conf    // note: the stream block conflicts with the packaged http block, which also listens on port 80; delete the http block, otherwise nginx will not start
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

stream {
    upstream mysrv {
        server 192.168.10.71:80 weight=3;
        server 192.168.10.72:80;
        least_conn;
    }
    server {
        listen 192.168.80.162:80;
        proxy_pass mysrv;
    }
}
systemctl start nginx    // start the nginx service
nginx -t    // check the nginx configuration
nginx -s reload    // reload the configuration
Client test:
for i in {1..10};do curl 192.168.80.162;done
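A way to confirm that the LVS scheduler from the previous section, or the nginx stream proxy above, really distributes requests in the configured ratio rather than just answering; this is an added example, not part of the original post, and the constructed sample replies, the function names and the tolerance rule are its own assumptions.

```shell
# Added example, not from the original post: check that the scheduler on
# 192.168.80.162 (LVS rr/wrr above, or the nginx stream proxy with weight=3)
# spreads requests over the two real servers in the expected ratio. Each
# backend serves a distinct index page ("apache server page" on 10.71,
# "nginx server page" on 10.72), so the body of each reply names the backend.

# tally: reads one reply body per line on stdin, prints "<body>\t<count>"
tally() {
    sort | uniq -c | awk '{c = $1; $1 = ""; sub(/^ +/, ""); print $0 "\t" c}'
}

# count_of <tally_output> <body>: the count for one backend (0 if absent)
count_of() {
    printf '%s\n' "$1" | awk -F '\t' -v k="$2" '$1 == k {print $2; f = 1} END {if (!f) print 0}'
}

# ratio_ok <tally_output> <body_a> <body_b> <weight_a> <weight_b>:
# succeeds when count_a : count_b matches weight_a : weight_b, allowing one
# partial scheduling cycle (10 requests at 3:1 legitimately land as 8:2)
ratio_ok() {
    a=$(count_of "$1" "$2")
    b=$(count_of "$1" "$3")
    diff=$(( a * $5 - b * $4 ))
    [ "${diff#-}" -le $(( $4 + $5 )) ]
}

# probe <vip> <n>: the post's curl loop, piped through tally; needs the lab network
probe() {
    i=0
    while [ "$i" -lt "$2" ]; do curl -s "http://$1/"; i=$((i + 1)); done | tally
}

# sample_replies: constructed stand-in for 10 replies through wrr with -w 3 on 10.71
sample_replies() {
    printf 'apache server page\n%.0s' 1 2 3 4 5 6 7 8
    printf 'nginx server page\n%.0s' 1 2
}
```

On the lab network the check is `ratio_ok "$(probe 192.168.80.162 10)" 'apache server page' 'nginx server page' 3 1`; before the switch to wrr the same call with weights 1 1 should succeed instead.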
###############################
3. Build the Varnish cache service (unfinished)
Varnish IP: 10.61
yum install varnish
service varnish start
vi /etc/varnish/default.vcl    // custom VCL configuration
varnishadm -S /etc/varnish/secret -T 127.0.0.1:6082    # log in to the management CLI
vcl.list    # list all loaded configurations
vcl.load test1 /etc/varnish/default.vcl    # compile and load a new configuration; test1 is the configuration name, the path is the VCL file
vcl.use test1    # activate a configuration by name; the active one is whatever the last vcl.use selected
vcl.show test1    # show the contents of the named configuration
##############################
4. Configure SSL access for nginx
Configure the CA server, 10.75 (CentOS 7.3)
OpenSSL configuration file: more /etc/pki/tls/openssl.cnf
Important CA parameters
dir = /etc/pki/CA # default CA parent directory, referred to as $dir below
certs = $dir/certs # directory for issued certificates, which use the .crt suffix
crl_dir = $dir/crl # directory for revocation lists, which use the .crl suffix
database = $dir/index.txt # certificate index file, listing both issued and revoked certificates
new_certs_dir = $dir/newcerts # newly issued certificates, the same files as in the issued-certificate directory
certificate = $dir/cacert.pem # the CA's own certificate
serial = $dir/serial # serial number of the next certificate to issue; set by hand the first time, updated automatically afterwards
crlnumber = $dir/crlnumber # number of the next revocation list (CRL)
crl = $dir/crl.pem # the certificate revocation list file
private_key = $dir/private/cakey.pem # the CA's private key
RANDFILE = $dir/private/.rand # private random number file
CA server configuration
cd /etc/pki/CA
touch index.txt
echo 01 > serial
(umask 077; openssl genrsa -out private/cakey.pem 2048)
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are prompted for the country, province, city, organisation name, department name and the CA host name (the issuer name)
C=CN, ST=HA, L=ZZ, O=c73, OU=IT, CN=ca.baidu.com
View the generated certificate
openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
On the web server (nginx, 10.72) generate a certificate signing request and send it to the CA server
(umask 077; openssl genrsa -out /app/service.key 2048)
openssl req -new -key /app/service.key -out /app/service.csr
The same prompts for country, province, city and so on appear. Note: the country, province and organisation name must be identical to the CA's (the default policy_match policy in openssl.cnf enforces this). The host name must be the site's domain name, e.g. www.baidu.com, or a wildcard name such as *.baidu.com, which matches every host name under that domain.
scp /app/service.csr 192.168.10.75:/etc/pki/CA/certs/
The CA server signs the request and issues the certificate to the web server; note that the certificate file uses the .crt suffix
openssl ca -in /etc/pki/CA/certs/service.csr -out /etc/pki/CA/certs/service.crt -days 365
scp /etc/pki/CA/certs/service.crt 192.168.10.72:/app/
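To check what the CA has just issued, here is an added example (not the post's own commands) that replays the post's CA flow in a scratch directory with its own minimal openssl.cnf, signs a CSR non-interactively with the same subject values, and verifies the result with openssl verify, host name included. The scratch paths, the -subj/-batch switches, the SAN extension file and the function names are assumptions of this example, not steps from the post.

```shell
# Added example, not the original post's commands: reproduce the post's CA flow
# (index.txt, serial, cakey.pem, cacert.pem, CSR, "openssl ca") in a scratch
# directory with a minimal openssl.cnf that mirrors the [CA_default] keys above.
# build_ca <dir>: create the CA layout and the self-signed CA certificate
build_ca() {
    mkdir -p "$1/certs" "$1/newcerts" "$1/private"
    touch "$1/index.txt"; echo 01 > "$1/serial"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
certs = \$dir/certs
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
localityName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" -days 7300 \
        -subj "/C=CN/ST=HA/L=ZZ/O=c73/OU=IT/CN=ca.baidu.com" -out "$1/cacert.pem" 2>/dev/null
}
# issue_cert <ca_dir> <host> <out_prefix>: key and CSR as on the web server, then "openssl ca";
# a SAN is added through -extfile because clients no longer match the host name against the CN
issue_cert() {
    (umask 077; openssl genrsa -out "$3.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$3.key" -out "$3.csr" \
        -subj "/C=CN/ST=HA/L=ZZ/O=c73/OU=IT/CN=$2" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$2" > "$3.ext"
    openssl ca -batch -config "$1/openssl.cnf" -extfile "$3.ext" -in "$3.csr" \
        -out "$3.crt" -days 365 2>/dev/null
}
# verify_chain <ca_dir> <crt> <host>: OK only if <crt> chains to the CA and is valid for <host>
verify_chain() { openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1 && echo OK || echo FAIL; }
```

Against the real lab the same check for the deployed certificate is `openssl verify -CAfile /etc/pki/CA/cacert.pem -verify_hostname www.baidu.com /app/service.crt`; a client such as curl only trusts the site once it is handed cacert.pem, e.g. with --cacert.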
nginx SSL configuration: change the certificate file paths and uncomment the ssl section (remove the leading # characters) in the default configuration:
vi /etc/nginx/nginx.conf
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name www.baidu.com;
        root /usr/share/nginx/html;

        ssl_certificate "/app/service.crt";
        ssl_certificate_key "/app/service.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
###################################
Configure SSL access for httpd:
On the httpd web server generate a certificate signing request and send it to the CA server
(umask 077; openssl genrsa -out /app/httpd.key 2048)
openssl req -new -key /app/httpd.key -out /app/httpd.csr
scp /app/httpd.csr 192.168.10.75:/etc/pki/CA/certs/
The CA server signs the request and sends the certificate to the httpd server
openssl ca -in /etc/pki/CA/certs/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
scp /etc/pki/CA/certs/httpd.crt 192.168.10.71:/app/
Configure SSL on the httpd server:
yum install mod_ssl
vi /etc/httpd/conf.d/ssl.conf    // change the certificate and key file paths
SSLCertificateFile /app/httpd.crt
SSLCertificateKeyFile /app/httpd.key
systemctl restart httpd
This article comes from the "rackie" blog; please keep this attribution: http://rackie386.blog.51cto.com/11279229/1959592
Comprehensive web service architecture lab