
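High availability with nginx + keepalived

2012-03-06 12:55
In an LNMP architecture, a single server running nginx usually acts as the reverse proxy and also as the router for the internal network. This server is bound to one public IP and one internal IP. We point the domain name at the public IP and let nginx proxy requests to the back-end web servers, which is how the site is reached. At the same time the internal network must be able to reach the outside, so the reverse proxy server also has to route for the internal network. This makes the server a critical part of the whole application architecture. Below I describe how to make the nginx reverse proxy service highly available with two machines running nginx + keepalived, so that when one nginx goes down neither the application nor the internal network's outbound access is affected.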

I. Architecture diagram





II. Deployment

1. Install keepalived on 0.205 and 0.207 (omitted; see /article/4349267.html)
2. keepalived configuration
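192.168.0.205

# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id yuangnag.com
}
# Health check, run every 5 seconds (script shown further down)
vrrp_script check_run {
    script "/root/bin/nginx_check.sh"
    interval 5
}
vrrp_sync_group VG1 {
    group {
        VI_1
    }
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    # virtual_router_id must be identical on both nodes
    virtual_router_id 88
    priority 100
    advert_int 1
    # nopreempt requires the initial state to be BACKUP, so with state MASTER it has no effect
    nopreempt
    authentication {
        auth_type PASS
        # keepalived uses only the first 8 characters of auth_pass ("yuangang")
        auth_pass yuangang.net
    }
    track_script {
        check_run
    }
    virtual_ipaddress {
        192.168.0.206/24 dev eth0
        110.110.110.25/25 dev eth1
    }
}
Add the start command to /etc/rc.local:
# echo "/etc/init.d/keepalived start" >> /etc/rc.local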


192.168.0.207

# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id yuangang.com
}
# Health check, run every 5 seconds (script shown further down)
vrrp_script check_run {
    script "/root/bin/nginx_check.sh"
    interval 5
}
vrrp_sync_group VG1 {
    group {
        VI_1
    }
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    # virtual_router_id must be identical on both nodes
    virtual_router_id 88
    # Lower priority than 192.168.0.205 (100)
    priority 80
    advert_int 1
    authentication {
        auth_type PASS
        # keepalived uses only the first 8 characters of auth_pass ("yuangang")
        auth_pass yuangang.com
    }
    track_script {
        check_run
    }
    virtual_ipaddress {
        192.168.0.206/24 dev eth0
        110.110.110.25/25 dev eth1
    }
}
Add the start command to /etc/rc.local:
# echo "/etc/init.d/keepalived start" >> /etc/rc.local
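
The two vrrp_instance blocks above have to agree on virtual_router_id, advert_int and the authentication settings while differing in priority. The script below is an added example, not part of the original post: it compares a pair of keepalived.conf files on those points. The function names and the sample file names 205.conf and 207.conf are assumptions, and the sample holds only the lines the check reads, copied from the two configurations above.

```shell
#!/bin/sh
# Added example: compare the VRRP settings of a keepalived pair.
# Assumes one vrrp_instance per file.

# conf_get FILE KEY: print the first value configured for KEY.
conf_get() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# check_vrrp_pair A B: print findings; exit status 1 on a hard mismatch.
check_vrrp_pair() (
    rc=0
    # A peer ignores or discards adverts when any of these differ.
    for key in virtual_router_id advert_int auth_type; do
        [ "$(conf_get "$1" "$key")" = "$(conf_get "$2" "$key")" ] ||
            { echo "MISMATCH $key"; rc=1; }
    done
    # keepalived uses only the first 8 characters of auth_pass.
    pa=$(conf_get "$1" auth_pass); pb=$(conf_get "$2" auth_pass)
    if [ "$(printf '%.8s' "$pa")" != "$(printf '%.8s' "$pb")" ]; then
        echo "MISMATCH auth_pass"; rc=1
    elif [ "$pa" != "$pb" ]; then
        echo "WARN auth_pass differs only after character 8"
    fi
    [ "$(conf_get "$1" priority)" != "$(conf_get "$2" priority)" ] ||
        echo "WARN equal priority"
    # nopreempt is honoured only when the initial state is BACKUP.
    for f in "$1" "$2"; do
        if awk '$1 == "nopreempt" { n = 1 } END { exit !n }' "$f" &&
           [ "$(conf_get "$f" state)" = MASTER ]; then
            echo "WARN nopreempt with state MASTER: $f"
        fi
    done
    exit "$rc"
)

# sample_confs DIR: write the lines the check reads from the two configs above.
sample_confs() {
    cat > "$1/205.conf" <<'EOF'
state MASTER
virtual_router_id 88
priority 100
advert_int 1
nopreempt
auth_type PASS
auth_pass yuangang.net
EOF
    sed -e 's/MASTER/BACKUP/' -e 's/priority 100/priority 80/' \
        -e '/nopreempt/d' -e 's/yuangang\.net/yuangang.com/' "$1/205.conf" > "$1/207.conf"
}
```

After sourcing the file, call check_vrrp_pair with the local keepalived.conf and a copy of the peer's file; for the pair above it prints two warnings and no mismatch.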


On both 192.168.0.205 and 192.168.0.207, write a script that checks whether the nginx service is running normally. The script is as follows:

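# cat /root/bin/nginx_check.sh
#!/bin/bash
# Count the running nginx processes
A=$(ps -C nginx --no-header | wc -l)
if [ "$A" -eq 0 ]
then
    # nginx is not running: try to start it once
    /usr/local/nginx/sbin/nginx
    sleep 1
    # Still not running: stop keepalived so the VIP moves to the other node
    if [ "$(ps -C nginx --no-header | wc -l)" -eq 0 ]
    then
        killall keepalived
    fi
fi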


3. iptables configuration

Configure iptables on both 192.168.0.205 and 192.168.0.207 as follows:

# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8081 -j ACCEPT
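# All three chain policies are ACCEPT and RH-Firewall-1-INPUT has no final REJECT/DROP rule,
# so traffic that matches none of the rules above is still accepted.
COMMIT
*nat
:PREROUTING ACCEPT [12001:793841]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 110.110.110.25
COMMIT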


4. Verification
When the nginx service on 192.168.0.205 goes down or restarts, the VIP floats to 192.168.0.207; once 192.168.0.205 is back to normal, the VIP is bound to 192.168.0.205 again.


This article comes from the "linux运维" blog; please keep this source link: http://linux008.blog.51cto.com/2837805/798042