1. Keepalived configuration for NAT mode:
! Configuration File for keepalived
# 192.168.211.30  external virtual IP (VIP)
# 11.0.0.7        internal virtual IP (VIP)
# 11.0.0.1        real server
global_defs {
    router_id LVS_MYSQL
}
vrrp_sync_group VG_1 {
    group {
        VI_1
        VI_GATEWAY
    }
}
# External (public-side) virtual IP
vrrp_instance VI_1 {
    state MASTER            # on the backup server change MASTER to BACKUP
    interface eth0
    virtual_router_id 1
    priority 150            # on the backup server change 150 to 149; nopreempt
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.211.30
    }
}
# Internal (private-side) virtual IP
vrrp_instance VI_GATEWAY {
    state MASTER
    interface eth3
    lvs_sync_daemon_interface eth3
    virtual_router_id 2
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        11.0.0.7
    }
}
# Load-balancing policy
virtual_server 192.168.211.30 80 {
    delay_loop 6             # poll realserver state every 6 seconds
    lb_algo wlc              # LVS scheduling algorithm
    lb_kind NAT              # NAT mode
    nat_mask 255.0.0.0       # netmask
    persistence_timeout 50   # connections from one client IP stick to the same realserver for 50 seconds
    protocol TCP             # service protocol (realserver state is checked by TCP_CHECK below)
    # Real server definition
    real_server 11.0.0.1 80 {
        weight 1             # weight
        TCP_CHECK {
            connect_timeout 10   # 10 seconds without a response counts as a failure
            connect_port 80
        }
    }
}
2. Keepalived configuration for DR (route) mode:
! Configuration File for keepalived
# 123.123.123.165  virtual server address (VIP)
# 123.123.123.65   real server 1
# 123.123.123.64   real server 2
global_defs
{
    notification_email
    {
        Dominic
    }
    notification_email_from
    smtp_server 192.168.38.28
    smtp_connect_timeout 30
    router_id LVS_DEVEL
}
# VIP1
vrrp_instance VI_1
{
    state MASTER            # on the backup server change MASTER to BACKUP
    # state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100            # on the backup server change 100 to 99; nopreempt
    nopreempt
    advert_int 1
    authentication
    {
        auth_type PASS
        auth_pass txsns
    }
    virtual_ipaddress
    {
        123.123.123.165
        # (for more than one VIP, add one per line)
    }
}
virtual_server 123.123.123.165 80
{
    delay_loop 6             # poll realserver state every 6 seconds
    lb_algo wrr              # LVS scheduling algorithm
    lb_kind DR               # Direct Route
    # persistence_timeout 60 # connections from one client IP stick to the same realserver for 60 seconds
    protocol TCP             # service protocol (realserver state is checked by TCP_CHECK below)
    real_server 123.123.123.63 80
    {
        weight 3             # weight
        TCP_CHECK
        {
            connect_timeout 10   # 10 seconds without a response counts as a failure
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
    real_server 123.123.123.64 80
    {
        weight 3
        TCP_CHECK
        {
            connect_timeout 10
            nb_get_retry 3
            delay_before_retry 3
            connect_port 80
        }
    }
}
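Both configurations above use the same syntax, and a few of their settings deserve a second look before deployment: auth_type PASS with a short auth_pass (keepalived's documented behaviour is to use at most 8 characters and to send them in the clear on the segment), nopreempt on an instance that starts as MASTER (documented as applying to state BACKUP), a virtual_server whose VIP no vrrp_instance holds, and a real_server without a health checker. The Python below is an added example, not part of the original post and not keepalived's own code: a small parser for keepalived.conf's brace syntax (both the same-line and the next-line brace style used above) and a lint pass over the parsed tree. The sample configuration embedded in it is constructed from the DR instance above.

```python
from dataclasses import dataclass, field


@dataclass
class Block:
    name: str                                     # e.g. "vrrp_instance"
    args: list                                    # e.g. ["VI_1"]
    entries: list = field(default_factory=list)   # leaf lines as (key, [values])
    children: list = field(default_factory=list)  # nested Blocks

    def first(self, key):
        """First value of leaf `key`; "" if present without a value, None if absent."""
        for k, vals in self.entries:
            if k == key:
                return vals[0] if vals else ""
        return None

    def blocks(self, name):
        return [c for c in self.children if c.name == name]


def parse(text):
    """keepalived.conf syntax: `name args {` or `name args` with `{` on the next
    line, `}` closes, `#` starts a comment, a leading `!` marks a comment line."""
    stack = [Block("root", [])]
    pending = None  # tokens of the previous line, which may turn out to be a block header

    def flush():
        nonlocal pending
        if pending:
            stack[-1].entries.append((pending[0], pending[1:]))
            pending = None

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        if line == "{":                   # brace on its own line: the header is pending
            tokens, pending = pending or ["anonymous"], None
        elif line.endswith("{"):          # brace on the header line
            flush()
            tokens = line[:-1].split()
        else:
            flush()
            if line == "}":
                stack.pop()
            else:
                pending = line.split()
            continue
        block = Block(tokens[0], tokens[1:])
        stack[-1].children.append(block)
        stack.append(block)
    flush()
    return stack[0]


HEALTH_CHECKERS = {"TCP_CHECK", "HTTP_GET", "SSL_GET", "SMTP_CHECK", "MISC_CHECK"}


def lint(cfg):
    """Findings for the pitfalls worth reviewing in the post's two configurations."""
    findings, held_vips = [], set()
    for vi in cfg.blocks("vrrp_instance"):
        name = vi.args[0] if vi.args else "?"
        if vi.first("state") == "MASTER" and vi.first("nopreempt") is not None:
            findings.append(f"{name}: nopreempt is documented to apply only with state BACKUP")
        for auth in vi.blocks("authentication"):
            pw = auth.first("auth_pass") or ""
            if auth.first("auth_type") == "PASS" and len(pw) < 8:
                findings.append(f"{name}: auth_type PASS sends auth_pass in cleartext and uses at "
                                f"most 8 characters, {pw!r} has {len(pw)}; isolate the VRRP segment")
        for vips in vi.blocks("virtual_ipaddress"):
            held_vips.update(k.split("/")[0] for k, _ in vips.entries)
    for vs in cfg.blocks("virtual_server"):
        label = "virtual_server " + ":".join((vs.args + ["?", "?"])[:2])
        if vs.args and vs.args[0] not in held_vips:
            findings.append(f"{label}: VIP is in no vrrp_instance, so this node never answers for it")
        for rs in vs.blocks("real_server"):
            if not any(c.name in HEALTH_CHECKERS for c in rs.children):
                findings.append(f"{label} real_server {' '.join(rs.args)}: no health checker, "
                                f"a dead backend stays in the pool")
    return findings


# Constructed sample: the post's DR instance (its authentication block in the
# brace-on-next-line style) plus a virtual_server whose VIP no instance holds.
SAMPLE = """\
vrrp_instance VI_1 {
    state MASTER        # backup node: BACKUP
    nopreempt
    authentication
    {
        auth_type PASS
        auth_pass txsns
    }
    virtual_ipaddress {
        123.123.123.165
    }
}
virtual_server 123.123.123.165 80 {
    lb_kind DR
    real_server 123.123.123.63 80 {
        TCP_CHECK {
            connect_port 80
        }
    }
    real_server 123.123.123.64 80 {
        weight 3
    }
}
virtual_server 10.0.0.9 443 {
    lb_kind NAT
}
"""

if __name__ == "__main__":
    for finding in lint(parse(SAMPLE)):
        print(finding)
```

Run it against a real keepalived.conf by replacing SAMPLE with the file's contents; the parser deliberately ignores semantics it does not know, so unknown directives simply become leaf entries and only the four checks above produce output.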
When LVS is used in DR (route) mode, the following realserver.sh script has to be run on every realserver.
#!/bin/bash
# description: Config realserver lo and apply noarp
SNS_VIP=123.123.123.165
# Source the init-script helper functions
. /etc/rc.d/init.d/functions
case "$1" in
start)
    # Bind the VIP to lo:0 with a /32 mask and a host route so the realserver accepts traffic for it
    /sbin/ifconfig lo:0 $SNS_VIP netmask 255.255.255.255 broadcast $SNS_VIP
    /sbin/route add -host $SNS_VIP dev lo:0
    # Suppress ARP for the VIP on this host so that only the director answers for it
    echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
    sysctl -p >/dev/null 2>&1
    echo "RealServer Start OK"
    ;;
stop)
    # Remove the VIP and restore the default ARP behaviour
    /sbin/ifconfig lo:0 down
    /sbin/route del -host $SNS_VIP >/dev/null 2>&1
    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/lo/arp_announce
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
    echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
    echo "RealServer Stopped"
    ;;
*)
    echo "Usage: $0 {start|stop}"
    exit 1
esac
exit 0
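After realserver.sh has been run on each realserver it is worth verifying, on the host itself, that the VIP sits on lo as a /32 and that the four ARP sysctls hold the values the script writes; a realserver where they were left at 0 would answer ARP requests for the VIP alongside the director and traffic would be misrouted. The Python below is an added example, not part of the original post: it parses the `key = value` lines that `sysctl net.ipv4.conf.lo.arp_ignore ...` prints and the `inet` entries of `ip -o addr show lo`, and reports which DR prerequisites are missing. The command output embedded in it is constructed for the example.

```python
import re

# Values realserver.sh writes: lo and all must ignore ARP requests for the VIP
# (arp_ignore 1) and never use it as the ARP source address (arp_announce 2).
REQUIRED_SYSCTLS = {
    "net.ipv4.conf.lo.arp_ignore": "1",
    "net.ipv4.conf.lo.arp_announce": "2",
    "net.ipv4.conf.all.arp_ignore": "1",
    "net.ipv4.conf.all.arp_announce": "2",
}


def parse_sysctl(output):
    """Turn the `key = value` lines printed by sysctl into a dict."""
    settings = {}
    for line in output.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def lo_addresses(ip_output):
    """Collect the inet prefixes from `ip -o addr show lo` output."""
    return set(re.findall(r"\binet (\S+)", ip_output))


def check_realserver(vip, sysctl_output, ip_output):
    """Return the DR prerequisites that are not met; an empty list means OK."""
    problems = []
    settings = parse_sysctl(sysctl_output)
    for key, want in REQUIRED_SYSCTLS.items():
        got = settings.get(key)
        if got != want:
            problems.append(f"{key} = {got}, expected {want}")
    if f"{vip}/32" not in lo_addresses(ip_output):
        problems.append(f"{vip}/32 is not configured on lo")
    return problems


# Constructed command output for a host where `realserver.sh start` has been run ...
GOOD_SYSCTL = """\
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
"""
GOOD_IP = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
1: lo    inet 123.123.123.165/32 scope global lo:0\\       valid_lft forever preferred_lft forever
"""
# ... and for one where only the address was added and the ARP sysctls were left at 0.
BAD_SYSCTL = GOOD_SYSCTL.replace("= 1", "= 0").replace("= 2", "= 0")

if __name__ == "__main__":
    print(check_realserver("123.123.123.165", GOOD_SYSCTL, GOOD_IP))  # []
    print(check_realserver("123.123.123.165", BAD_SYSCTL, GOOD_IP))   # four sysctl problems
```

On a live realserver, feed it the output of `sysctl net.ipv4.conf.lo.arp_ignore net.ipv4.conf.lo.arp_announce net.ipv4.conf.all.arp_ignore net.ipv4.conf.all.arp_announce` and `ip -o addr show lo` instead of the embedded strings.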
Let me analyse this: both modes have clear advantages and drawbacks.
1. When public IP addresses are scarce, NAT saves public IPs: the real servers on the internal network need no public address and therefore cannot be reached directly by outside clients; every reply has to pass back through the LVS server's NAT translation before it reaches the client. It is as if A and B cannot talk to each other and C has to relay between them, which makes this mode more secure. The drawback is equally clear: every request passes through the LVS server on its way to the real servers, so under high concurrency the LVS server becomes a performance bottleneck.
2. In DR (route) mode, the advantage is that the LVS server forwards the client's request to a real server, and once the real server has processed it, the reply goes straight back to the client; the whole exchange is therefore generally faster than NAT and the LVS server carries less load. But because every real server needs a public IP, DR mode consumes more public addresses, and its security is lower than NAT's, so the security cost will certainly be higher.