squid / 负载均衡高可用

lvs+HA+squid搭建稳定上网服务[原创]

今天有人在群里喊谁做过lvs+squid,正好以前做过一个,我就把过程整理下来,供大家参考。首先看看拓扑图如下
说下我写这篇文章所用的测试环境,vmvare6.0,模拟两个linux,用的是centos5.1
squid-1(192.168.211.128)
squid-2(192.168.211.130)
Vip(192.168.211.135)
实现方式lvs-dr
1,lvs配置部分
安装lvs所需要的软件

yum -y install heartbeat

yum y install heartbeatldirectord

yum -y install heartbeat-devel

yum y install ipvsadm

配置Ldirector
vi /etc/ha.d/ldirectord.cf设置如下内容,两台机器文件内容相同

# Global Directives

checktimeout=3

checkinterval=1

autoreload=yes

logfile=“/var/log/ldirectord.log”

logfile=“local0”

#emailalert=“admin@x.y.z”

#emailalertfreq=3600

#emailalertstatus=all

quiescent=yes

# Sample for an http virtual service

virtual=192.168.211.135:3128

real=192.168.211.128:3128 gate

real=192.168.211.130:3128 gate

scheduler=rr

#persistent=600

#netmask=255.255.255.255

protocol=tcp

checktype=negotiate

checkport=3128

配置heartbeat

vi /etc/ha.d/ha.cf

debugfile /var/log/ha-debug

logfile /var/log/ha-log

logfacility local0

keepalive 2

deadtime 30

warntime 10

initdead 120

udpport 694

ucast eth0 192.168.211.130 #另外一台这里要设置成另外的ip

auto_failback on

node contos5-1-1 #通过uanme -n得到

node contos5-1-2

ping_group group1 192.168.211.128 192.168.211.130

respawn hacluster /usr/lib/heartbeat/ipfail

这里之所以使用ucast而不用bcast是因为,如果同网段你还有另外的一套lvs的话,bcast广播也会发到这套lvs里,虽说应用上不会给另外一套lvs带来影响,但日志里会出现很多错误

cp /usr/share/doc/heartbeat-2.1.3/authkeys /etc/ha.d/

vi /etc/ha.d/authkeys,将如下两行的注释去掉

# crc adds no security , except from packet corruption.

# Use only on physically secure networks.

#

auth 1

1 crc

#2 sha1

#3 md5

chomd 600 /etc/ha.d/authkeys

vi /etc/ha.d/haresources文件,加入

contos5-1-1 closelo 192.168.211.135 ldirectord::ldirectord.cf startlo

在/etc/ha.d/resource.d下建立closelo脚本,内容如下

#!/bin/sh

VIP=192.168.211.135

case “$1” in

start)

# close lo:0 interface

echo $“Close lo:0 interface”

/sbin/route del -host $VIP dev lo:0

/sbin/ifconfig lo:0 down

echo “0” > /proc/sys/net/ipv4/conf/all/arp_announce

echo “0” > /proc/sys/net/ipv4/conf/all/arp_ignore

echo “0” > /proc/sys/net/ipv4/conf/lo/arp_announce

echo “0” > /proc/sys/net/ipv4/conf/lo/arp_ignore

;;

stop)

# start lo:0 interface

echo $“Start lo:0 interface”

/sbin/ifconfig lo:0 $VIP/32 broadcast $VIP up

/sbin/route add -host $VIP dev lo:0

echo “2” > /proc/sys/net/ipv4/conf/all/arp_announce

echo “1” > /proc/sys/net/ipv4/conf/all/arp_ignore

echo “2” > /proc/sys/net/ipv4/conf/lo/arp_announce

echo “1” > /proc/sys/net/ipv4/conf/lo/arp_ignore

;;

*)

echo $“Usage: $0 (start|stop)”

exit 1

;;

esac

/etc/ha.d/resource.d下建立startlo脚本

# ! /bin/sh

VIP=192.168.211.135

case “$1” in

stop)

# close lo:0 interface

echo $“Close lo:0 interface”

/sbin/route del host $VIP dev lo:0

/sbin/ifconfig lo:0 down

echo “0” > /proc/sys/net/ipv4/conf/all/arp_announce

echo “0” > /proc/sys/net/ipv4/conf/all/arp_ignore

echo “0” > /proc/sys/net/ipv4/conf/lo/arp_announce

echo “0” > /proc/sys/net/ipv4/conf/lo/arp_ignore

; ;

start)

# start lo:0 interface

echo $“Start lo:0 interface”

/sbin/ifconfig lo:0 $VIP/32 broadcast $VIP up

/sbin/route add host $VIP dev lo:0

echo “2” > /proc/sys/net/ipv4/conf/all/arp_announce

echo “1” > /proc/sys/net/ipv4/conf/all/arp_ignore

echo “2” > /proc/sys/net/ipv4/conf/lo/arp_announce

echo “1” > /proc/sys/net/ipv4/conf/lo/arp_ignore

; ;

* )

echo $“Usage: $0 (start|stop)”

exit 1

; ;

esac

到此,lvs部分就全部完成了,接下来说squid的设置,具体配置我就不写了,网上这方面的文章很多,我仅仅完成一个可以做正向代理的出来

squid我使用的是3.0stable8
./configure –prefix=/usr/local/squid
make && make install
完成安装后,配置文件内容如下

visible_hostname 2

acl manager proto cache_object

acl localhost src 127.0.0.1/32

acl to_localhost dst 127.0.0.0/8

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network

acl localnet src 172.16.0.0/12 # RFC1918 possible internal network

acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

acl purge method PURGE

http_access allow manager localhost

http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow purge localhost

http_access allow localnet

http_access deny all

icp_access allow localnet

icp_access deny all

htcp_access allow localnet

htcp_access deny all

#always_direct allow all

#http_port 80 accel vhost vport

http_port 3128

hierarchy_stoplist cgi-bin ?

access_log /usr/local/squid/var/logs/access.log squid

cache_dir ufs /usr/local/squid/cache 10 2 4

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern (cgi-bin|?) 0 0% 0

refresh_pattern . 0 20% 4320

cache_effective_user squid

cache_effective_group squid

然后启动squid,接下来就可以测试了,到此一个可用的而且强健的双机squid就完成了(除非两台机器同时挂掉)

注:每次启动heartbeat前,请先执行 /etc/ha.d/resource.d/closelo脚本,使得lo:o网卡启动,不然这套配置将不起作用了,我目前还没有找到更好的解决办法

如对以上配置有何不明了的还请提出共同讨论

Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.