此文章已经收录于我的blog中,转帖请注明出处谢谢
今天有人在群里喊谁做过lvs+squid,正好以前做过一个,我就把过程整理下来,供大家参考。首先看看拓扑图如下
说下我写这篇文章所用的测试环境,vmvare6.0,模拟两个linux,用的是centos5.1
squid-1(192.168.211.128)
squid-2(192.168.211.130)
Vip(192.168.211.135)
实现方式lvs-dr
1,lvs配置部分
安装lvs所需要的软件
yum -y install heartbeat
yum -y install heartbeat-ldirectord
yum -y install heartbeat-devel
yum -y install ipvsadm
| 配置Ldirector
vi /etc/ha.d/ldirectord设置如下内容,两台机器文件内容相同 # Global Directives
checktimeout=3
checkinterval=1
autoreload=yes
logfile="/var/log/ldirectord.log"
logfile="local0"
#emailalert="admin@x.y.z"
#emailalertfreq=3600
#emailalertstatus=all
quiescent=yes
# Sample for an http virtual service
virtual=192.168.211.135:3128
real=192.168.211.128:3128 gate
real=192.168.211.130:3128 gate
scheduler=rr
#persistent=600
#netmask=255.255.255.255
protocol=tcp
checktype=negotiate
checkport=3128
| 配置heartbeat
vi /etc/ha.d/ha.cf
debugfile /var/log/ha-debug
logfile /var/log/ha-log
logfacility local0
keepalive 2
deadtime 30
warntime 10
initdead 120
udpport 694
ucast eth0 192.168.211.130 #另外一台这里要设置成另外的ip
auto_failback on
node contos5-1-1
#通过uanme -n得到
node contos5-1-2
ping_group group1 192.168.211.128 192.168.211.130
respawn hacluster /usr/lib/heartbeat/ipfail
| 这里之所以使用ucast而不用bcast是因为,如果同网段你还有另外的一套lvs的话,bcast广播也会发到这套lvs里,虽说应用上不会给另外一套lvs带来影响,但日志里会出现很多错误cp /usr/share/doc/heartbeat-2.1.3/authkeys /etc/ha.d/
| vi /etc/ha.d/authkeys,将如下两行的注释去掉# crc adds no security, except from packet corruption.
# Use only on physically secure networks.
#
auth 1
1 crc
#2 sha1
#3 md5
| chomd 600 /etc/ha.d/authkeys
vi /etc/ha.d/haresources文件,加入
contos5-1-1 closelo 192.168.211.135 ldirectord::ldirectord.cf startlo
| 在/etc/ha.d/resource.d下建立closelo脚本,内容如下
#!/bin/sh
VIP=192.168.211.135
case "$1" in
start)
# close lo:0 interface
echo $"Close lo:0 interface"
/sbin/route del -host $VIP dev lo:0
/sbin/ifconfig lo:0 down
echo "0">/proc/sys/net/ipv4/conf/all/arp_announce
echo "0">/proc/sys/net/ipv4/conf/all/arp_ignore
echo "0">/proc/sys/net/ipv4/conf/lo/arp_announce
echo "0">/proc/sys/net/ipv4/conf/lo/arp_ignore
;;
stop)
# start lo:0 interface
echo $"Start lo:0 interface"
/sbin/ifconfig lo:0 $VIP/32 broadcast $VIP up
/sbin/route add -host $VIP dev lo:0
echo "2">/proc/sys/net/ipv4/conf/all/arp_announce
echo "1">/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2">/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1">/proc/sys/net/ipv4/conf/lo/arp_ignore
;;
*)
echo $"Usage: $0 (start|stop)"
exit 1
;;
esac
| /etc/ha.d/resource.d下建立startlo脚本
#!/bin/sh
VIP=192.168.211.135
case "$1" in
stop)
# close lo:0 interface
echo $"Close lo:0 interface"
/sbin/route del -host $VIP dev lo:0
/sbin/ifconfig lo:0 down
echo "0">/proc/sys/net/ipv4/conf/all/arp_announce
echo "0">/proc/sys/net/ipv4/conf/all/arp_ignore
echo "0">/proc/sys/net/ipv4/conf/lo/arp_announce
echo "0">/proc/sys/net/ipv4/conf/lo/arp_ignore
;;
start)
# start lo:0 interface
echo $"Start lo:0 interface"
/sbin/ifconfig lo:0 $VIP/32 broadcast $VIP up
/sbin/route add -host $VIP dev lo:0
echo "2">/proc/sys/net/ipv4/conf/all/arp_announce
echo "1">/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2">/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1">/proc/sys/net/ipv4/conf/lo/arp_ignore
;;
*)
echo $"Usage: $0 (start|stop)"
exit 1
;;
esac
| 到此,lvs部分就全部完成了,接下来说squid的设置,具体配置我就不写了,网上这方面的文章很多,我仅仅完成一个可以做正向代理的出来squid我使用的是3.0stable8
./configure --prefix=/usr/local/squid
make && make install
完成安装后,配置文件内容如下
visible_hostname 2
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl purge method PURGE
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow purge localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
#always_direct allow all
#http_port 80 accel vhost vport
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /usr/local/squid/var/logs/access.log squid
cache_dir ufs /usr/local/squid/cache 10 2 4
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user squid
cache_effective_group squid
| 然后启动squid,接下来就可以测试了,到此一个可用的而且强健的双机squid就完成了(除非两台机器同时挂掉)
注:每次启动heartbeat前,请先执行/etc/ha.d/resource.d/closelo脚本,使得lo:o网卡启动,不然这套配置将不起作用了,我目前还没有找到更好的解决办法
如对以上配置有何不明了的还请提出共同讨论
[ 本帖最后由 liuhanzhao 于 2008-9-9 19:07 编辑 ] |