目录
实现 Nginx 四层负载均衡
- 负载均衡建立在现有网络结构之上,它提供了一种廉价有效透明的方法扩展网络设备和服务器的带宽、增加吞吐量、加强网络数据处理能力、提高网络的灵活性和可用性。
- 负载均衡(Load Balance)其意思就是分摊到多个操作单元上进行执行,例如Web服务器、FTP服务器、企业关键应用服务器和其它关键任务服务器等,从而共同完成工作任务。
如果编译安装,需要指定 –with-stream 选项才能支持ngx_stream_proxy_module模块
vim /apps/nginx/conf/nginx.conf
include /apps/nginx/conf/tcp/*.conf; 加在最外面
mysql redis 在俩服务器的两个里面上注释掉仅主机链接
[mysqld]
default_authentication_plugin= mysql_native_password 在mysql配置文件里加上他这样有一些老程序才能链,不然他过不去
若是端口可用,服务器不可用则依然调度,他是靠tcp的三次握手的探测机制来判断
[root@ubuntu2004 tcp]#cat tcp.conf     跳转
stream{
    upstream mysql {
   hash $remote_addr consistent;一次性哈希算法之距离近得的优先,服务器可用有效,不可用则别家
       server 10.0.0.101:3306;
       server 10.0.0.102:3306;
}
     upstream redis {
        server 10.0.0.102:6379;
        server 10.0.0.101:6379;
}
server {
    listen 3306;
    proxy_pass mysql;
}
server {
        listen 6379;
        proxy_pass redis;
}
}
[root@centos7 ~]# mysql -utest -p123456 -h10.0.0.100
mysql> set globai server_id=101;        在101里改下ip
[root@centos7 ~]# mysql -utest -p123456 -h10.0.0.100 -e 'select @@server_id';  看看·
案例: LN M P
vim /apps/nginx/conf/nginx.conf
user www-data; 因为php是用www-data启动的,在同一台机器上尽量用一样的
worker_processes 1;
pid /apps/nginx/logs/nginx.pid; 下面自行改
vim /lib/systemd/system/nginx.service 自定义安装和系统安装有的日志位置不一样,需要手动改 PIDFile=/apps/nginx/logs/nginx.pid
chown -R www-data:www-data /apps/nginx/ 修改路径后也需要修改用户权限
systemctl restart nginx.service 重启·一下
vim /etc/php/7.4/fpm/pool.d/www.conf 需要改一下
listen = 127.0.0.1:9000
pm.status_path = /php-status 开启在之后可以显示指定状态页
ping.path = /ping 开启之后可以用ping来探测好坏
ping.response = pongpong 自定义返回
access.log = /var/log/$pool.access.log 开启访问日志#默认路径/usr/log不存在,服务启动失败
slowlog = log/$pool.log.slow 开启慢查询
[root@ubuntu2004 ~]#cat /apps/nginx/conf/nginx.conf 加上路径
http
…..
include /apps/nginx/conf.d/*.conf;
}
[root@ubuntu2004 ~]#cat /apps/nginx/conf.d/php.conf 测试
[root@ubuntu2004 ~]#cat /apps/nginx/conf.d/php.conf
server {
listen 80;
server_name www.wang.org;
root /data/php;
index index.php;
location ~ \.php$|ping|php-status {
root /data/php;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
[root@ubuntu2004 ~]#cat /data/html/index.html
www.wang.org
[root@ubuntu2004 ~]#cat /data/php/test.php
phpinfo();
?>
[root@ubuntu2004 ~]#cat /data/php/mysql.php
mysql> create user test@’10.0.0.%’ identified by ‘123456’; 在102上创建此账号用来测试
http://www.wang.org/php-status 访问 显示状态页 ?full (每个进程单独统计) php-json(等都支持)
可道云
nginx 安装
包安装
[root@ubuntu2004 ~]#apt install php7.4-fpm php7.4-mysql php7.4-json php7.4-xml php7.4-mbstring php7.4-zip php7.4-gd php7.4-curl php-redis
[root@ubuntu2004 ~]#grep -Ev “^;|^$” /etc/php/7.4/fpm/pool.d/www.conf
[www]
user = www-data #默认值
group = www-data #默认值
listen = 127.0.0.1:9000
pm.status_path = /php-status
ping.path = /ping
ping.response = duoduo
access.log = /var/log/$pool.access.log #默认路径/usr/log不存在,服务启动失败
slowlog = log/$pool.log.slow
[root@ubuntu2004 ~]#cat /apps/nginx/conf/nginx.conf
http
…..
include /apps/nginx/conf.d/*.conf;
}
[root@ubuntu2004 ~]#cat /apps/nginx/conf.d/php.conf
server {
listen 80;
server_name www.wang.org;
root /data/php;
index index.php;
location ~ .php$|ping|php-status {
root /data/php;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on; #如果是前端代理采用https,当前后端http服务器需要
include fastcgi_params;
}
}
vim /apps/nginx/conf/conf.d/www.wang.org.conf 转发的
upstream rrup {
server 10.0.0.101;
server 10.0.0.102;
}
server {
listen 80;
server_name mm.wang.com;
root /data/nginx/html/pc;
index index.php;
access_log /apps/nginx/logs/www.wang.org_access.log main;
location / {
proxy_pass http://rrup;
proxy_set_header Host $http_host;
}
}
chown -R www-data. /data/php
[root@centos8 ~]#yum -y install mysql-server
[root@centos8 ~]#systemctl enable –now mysqld
[root@centos8 ~]#mysql
mysql> create database kodbox;
Query OK, 1 row affected (0.00 sec)
mysql> create user kodbox@’10.0.0.%’ identified by ‘123456’;
Query OK, 0 rows affected (0.00 sec)
mysql> grant all on kodbox.* to kodbox@’10.0.0.%’;
Query OK, 0 rows affected (0.00 sec)
rsync -a /data/php 10.0.0.101:/data/php 把数据传过去。以防数据覆盖
ln -s /apps/nginx/sbin/nginx /usr/local/sbin/ 不知啥原因链接用不了;但是软件没问题
nfs服务器
[root@ubuntu2004 ~]#apt -y install mysql-server redis nfs-kernel-server
[root@ubuntu2004 ~]#vim /etc/mysql/mysql.conf.d/mysqld.cnf
[mysqld]
default_authentication_plugin=mysql_native_password
bind-address = 127.0.0.1
mysqlx-bind-address = 127.0.0.1
[root@ubuntu2004 ~]#vim /etc/redis/redis.conf
bind 0.0.0.0
[root@ubuntu2004 ~]#cat /etc/exports
/data/www *(rw) #/data/www创建这个目录已www-data下授权(因为1和2都是他)
rsync -av /data/php/data/files/ 10.0.0.103:/data/www/ 将其数据文件拷过去av保留属性hosts文件解析
web1和web2
[root@ubuntu2004 ~]#apt install nfs-common -y #挂在用
[root@ubuntu2004 ~]#cat /etc/fstab
nfs.wang.org:/data/www/ /data/php/data/files/ nfs _netdev 0 0 #指定挂在12
root@ubuntu2004 ~]#mount -a #执行挂在
在两台web服务器上添加phpMyAdmin
[root@ubuntu2004 ~]#mkdir /data/php2
[root@ubuntu2004 ~]#wget https://files.phpmyadmin.net/phpMyAdmin/5.2.0/phpMyAdmin-5.2.0-all-languages.zip
[root@ubuntu2004 php2]#unzip phpMyAdmin-5.2.0-all-languages.zip -d /data/php2/
[root@ubuntu2004 php2]#mv phpMyAdmin-5.2.0-all-languages/* .
[root@ubuntu2004 data]#chown -R www-data. php2
[root@Ubuntu2004 php2]#cp config.sample.inc.php config.inc.php
[root@Ubuntu2004 php2]#vim config.inc.php
$cfg['Servers'][$i]['host'] = '10.0.0.204';
[root@Ubuntu2004 data]#vim /etc/php/7.4/fpm/pool.d/www.conf
php_value[session.save_handler] = redis
php_value[session.save_path] = "tcp://10.0.0.204:6379"
[root@Ubuntu2004 data]#systemctl restart php7.4-fpm.service
[root@ubuntu2004 conf.d]#vim mydaim.conf
server {
listen 80;
server_name www.shuhong.vip;
root /data/php2;
client_max_body_size 200M;
index index.php index.html;
location ~ \.php$|ping|php-status {
root /data/php2;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
[root@ubuntu2004 conf.d]#nginx -s reload
#10.0.0.201修改配置,添加代理和负载均衡
[root@Ubuntu2004 ~]#vim /etc/nginx/conf.d/proxy-www.shuhong.com.conf
server {
listen 80;
server_name www.shuhong.vip;
root /data/www/pc;
location / {
proxy_pass http://webservers;
proxy_set_header Host $http_host;
}
}
编译安装 tengine -2.1.2
注意: 不支持CentOS8
[root@centos7 ~]#yum -y install gcc pcre-devel openssl-devel
[root@centos7 ~]#useradd -r -s /sbin/nologin nginx
[root@centos7 ~]#cd /usr/local/src
[root@centos7 src]#wget http://tengine.taobao.org/download/tengine-2.1.2.tar.gz
[root@centos7 src]#tar xf tengine-2.1.2.tar.gz
[root@centos7 src]#cd tengine-2.1.2/
[root@centos7 tengine-2.1.2]#./configure –prefix=/apps/tengine-2.1.2 —
user=nginx –group=nginx –with-http_ssl_module –with-http_v2_module –with-
http_realip_module –with-http_stub_status_module –with-http_gzip_static_module
–with-pcre
[root@centos7 tengine-2.1.2]#make && make install
[root@centos7 tengine-2.1.2]#tree /apps/tengine-2.1.2/
6 directories, 101 files
[root@centos7 tengine-2.1.2]#ln -s /apps/tengine-2.1.2/sbin/ /usr/sbin/
[root@centos7 tengine-2.1.2]#nginx -v
Tengine version: Tengine/2.1.2 (nginx/1.6.2)
[root@centos7 tengine-2.1.2]#nginx
[root@centos7 ~]#ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 :80 :
LISTEN 0 128 :22 :
LISTEN 0 100 127.0.0.1:25 :
LISTEN 0 128 :::22 :::
LISTEN 0 100 [::1]:25 :::*
[root@centos7 ~]#curl 10.0.0.7
编译安装 openresty
root@centos8 ~]#dnf -yq install gcc pcre-devel openssl-devel perl
[root@centos8 ~]#groupadd –gid 666 -r nginx
[root@centos8 ~]#useradd -g nginx -u 666 -r -s /sbin/nologin nginx
[root@centos8 ~]#cd /usr/local/src
[root@centos8 src]#wget https://openresty.org/download/openresty-1.21.4.1.tar.gz
[root@centos8 src]#wget https://openresty.org/download/openresty-
1.17.8.2.tar.gz
[root@centos8 src]#tar xf openresty-1.17.8.2.tar.gz
[root@centos8 src]#cd openresty-1.17.8.2/
[root@centos8 openresty-1.17.8.2]#./configure –prefix=/apps/openresty —
user=nginx –group=nginx –with-http_ssl_module –with-http_v2_module –with-
http_realip_module –with-http_stub_status_module –with-http_gzip_static_module
–with-pcre –with-stream –with-stream_ssl_module –with-stream_realip_module
[root@centos8 openresty-1.17.8.2]#make && make install
[root@centos8 openresty-1.17.8.2]#tree /apps/openresty/
./apps/openresty/
3 directories, 313 files
[root@centos8 openresty-1.17.8.2]#
[root@centos8 openresty-1.17.8.2]#ln -s /apps/openresty/bin/ /usr/bin/
[root@centos8 openresty-1.17.8.2]#openresty -v
nginx version: openresty/1.17.8.2
[root@centos8 openresty-1.17.8.2]#openresty
[root@centos8 openresty-1.17.8.2]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer
Address:Port
LISTEN 0 128 0.0.0.0:80
0.0.0.0:
LISTEN 0 128 0.0.0.0:22
0.0.0.0:
LISTEN 0 100 127.0.0.1:25
0.0.0.0:
LISTEN 0 128 :::22
LISTEN 0 100 [::1]:25
[root@centos8 openresty-1.17.8.2]#ps -ef |grep nginx
root 16682 1 0 13:50 ? 00:00:00 nginx: master process
openresty
nginx 16683 16682 0 13:50 ? 00:00:00 nginx: worker process
root 16692 1195 0 13:51 pts/1 00:00:00 grep –color=auto nginx
[root@centos8 ~]#curl 10.0.0.18
在线安装JumpServer:
跳板机概述
- 跳板机就是一台服务器,开发或运维人员在维护过程中首先要统一登录到这台服务器,然后再登录到目标设备进行维护和操作。
跳板机缺点:没有实现对运维人员操作行为的控制和审计,使用跳板机的过程中还是会出现误操作、违规操作导致的事故,一旦出现操作事故很难快速定位到原因和责任人;
堡垒机概述:
- 堡垒机,即在一个特定的网络环境下,为了保障网络和数据不受来自外部和内部用户的入侵和破坏,而运用各种技术手段实时收集和监控网络环境中每一个组成部分的系统状态、安全事件、网络活动,以便集中报警、及时处理及审计定责。
总结:堡垒机比跳板机多了实时收集、监控网络环境、集中报警等功能。
- 准备一台 2核4G (最低)且可以访问互联网的 64 位 Linux 主机;
- 以 root 用户执行如下命令一键安装 JumpServer。
curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v2.25.4/quick_start.sh | bash
https://docs.jumpserver.org/zh/master/install/setup_by_fast/
[root@ubuntu2004 ~]#echo ‘{“registry-mirrors”: [“https://frc3mkbl.mirror.aliyuncs.com”]}’> /etc/docker/daemon.json #加速器
[root@ubuntu2004 ~]#cat /etc/docker/daemon.json
{“registry-mirrors”: [“https://frc3mkbl.mirror.aliyuncs.com”]}
[root@ubuntu2004 ~]#docker info 查看是否成功(加速)
docker run --rm --name mysql -e MYSQL_ROOT_PASSWORD=123456 -e MYSQL_DATABASE=jumpserver -e MYSQL_USER=jumpserver -e MYSQL_PASSWORD=123456 -d -p 3306:3306 mysql:5.7.30
[root@ubuntu2004 ~]#apt install mysql-client
MySQL
[root@ubuntu2004 ~]#mkdir -p /etc/mysql/mysql.conf.d/
[root@ubuntu2004 ~]#mkdir -p /etc/mysql/conf.d/
生成服务器配置文件,指定字符集
[root@ubuntu2004 ~]#tee /etc/mysql/mysql.conf.d/mysqld.cnf <
生成客户端配置文件,指定字符集
[root@ubuntu2004 ~]#tee /etc/mysql/conf.d/mysql.cnf <
docker run -d -p 3306:3306 –name mysql –restart always \
-e MYSQL_ROOT_PASSWORD=123456 \
-e MYSQL_DATABASE=jumpserver \
-e MYSQL_USER=jumpserver \
-e MYSQL_PASSWORD=123456 \
-v /data/mysql:/var/lib/mysql \
-v /etc/mysql/mysql.conf.d/mysqld.cnf:/etc/mysql/mysql.conf.d/mysqld.cnf \
-v /etc/mysql/conf.d/mysql.cnf:/etc/mysql/conf.d/mysql.cnf mysql:5.7.30
docker rm -f mysql
Redis
[root@ubuntu2004 ~]#docker run -d -p 6379:6379 –name redis –restart always redis:6.2.7
Jumpserver
if [ ! "$SECRET_KEY" ]; then
SECRET_KEY=cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50;
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc;
echo SECRET_KEY=$SECRET_KEY;
else
echo SECRET_KEY=$SECRET_KEY;
fi
if [ ! "$BOOTSTRAP_TOKEN" ]; then
BOOTSTRAP_TOKEN=cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16;
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc;
echo BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN;
else
echo BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN;
fi
生成的复制下来
SECRET_KEY=Qy4tINeDjnfMl4EImTQtUOfPsFAEA8vNNOhhNdZRiH7ogENsZr
BOOTSTRAP_TOKEN=87UrzD4vmNYr1MnO 把下面的替换掉 这俩
docker run --name jms_all -d \
-v /opt/jumpserver/core/data:/opt/jumpserver/data \
-v /opt/jumpserver/koko/data:/opt/koko/data \
-v /opt/jumpserver/lion/data:/opt/lion/data \
-p 80:80 \
-p 2222:2222 \
-e SECRET_KEYSECRET_KEYSECRET_KEY=Qy4tINeDjnfMl4EImTQtUOfPsFAEA8vNNOhhNdZRiH7ogENsZr \
-e BOOTSTRAP_TOKEN=87UrzD4vmNYr1MnO \
-e LOG_LEVEL=ERROR \
-e DB_HOST=10.0.0.100 \
-e DB_PORT=3306 \
-e DB_USER=jumpserver \
-e DB_PASSWORD=123456 \
-e DB_NAME=jumpserver \
-e REDIS_HOST=10.0.0.100 \
-e REDIS_PORT=6379 \
-e REDIS_PASSWORD='' \
--privileged=true \
jumpserver/jms_all:v2.25.5 #不写默认最新版
做个域名解析用IP地址,这样用ip地址访问
[root@ubuntu2004 ~]#docker logs -f jms_all 用这个命令来结果 (密码自己输,复制用是错)
Original: https://blog.csdn.net/cp_dvd/article/details/126940474
Author: 老wang你好
Title: nginx实现四层反向代和FASTCGI反向代理及Nginx二次开发版-JumpServer架构和安装
原创文章受到原创版权保护。转载请注明出处:https://www.johngo689.com/813437/
转载文章受原作者版权保护。转载请注明原作者出处!