转来的,待学习待验证,好了再放注解和结果
Keepalived+LVS+Squid
Provisioning a proxy with load balancing and high availability
Will
Two servers, squid01 and squid02, run the same Squid configuration; each server takes part in both load balancing and HA at the same time (when squid01 is master it acts as the LVS director and as LVS real server 1 while squid02 is LVS real server 2, and vice versa when squid02 is master).
Install and Configure
Same Part:
OS:RHEL4_U5_i386
Soft:
keepalived-1.1.15
ipvsadm-1.24
squid-2.6.STABLE21
1. Squid:
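# Squid: service account, cache directory, build from source. Run as root.
# The original used en-dashes for option flags; they are plain hyphens here.
useradd -M -s /sbin/nologin squid          # no home dir, no interactive login: squid only drops privileges to this user
mkdir -p /home/cache/cachedir
chown -R squid:squid /home/cache            # cache_dir and coredump_dir in squid.conf live here
tar jxvf squid-2.6.STABLE21.tar.bz2 -C /usr/src
cd /usr/src/squid-2.6.STABLE21/ || exit 1   # never run configure/make from the wrong directory
./configure --prefix=/usr/local/squid \
  --enable-async-io=80 \
  --enable-icmp \
  --enable-snmp \
  --enable-cache-digests \
  --enable-poll \
  --enable-linux-netfilter \
  --enable-arp-acl
make && make install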
2. Ipvsadm:
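# ipvsadm: userspace LVS tool, built against the running kernel's headers.
# The original used en-dashes for option flags; they are plain hyphens here.
tar jxvf STABLE-2.1.4.tar.bz2 -C /usr/src   # archive name as given; it is expected to unpack to ipvsadm-1.24 (confirm)
uname -a
#Linux squid01.2.6.9-55.ELsmp #1 SMP Fri Apr 20 17:03:35 EDT 2007 i686 i686 i386 GNU/Linux
# Presumably so the ipvsadm build finds headers matching the kernel shown by
# uname above; the kernel-devel tree name must match that kernel (confirm).
ln -s /usr/src/kernels/2.6.9-55.EL-smp-i686/ /usr/src/linux
cd /usr/src/ipvsadm-1.24/ || exit 1         # never run make from the wrong directory
make && make install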
3. Keepalived
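# keepalived: build from source. Run as root.
# The original used an en-dash for --prefix; it is a plain double hyphen here.
tar zxvf keepalived-1.1.15.tar.gz -C /usr/src
cd /usr/src/keepalived-1.1.15 || exit 1     # never run configure/make from the wrong directory
./configure --prefix=/                      # install into the root hierarchy instead of /usr/local
make && make install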
Different Part:
Configure in Squid01
ifcfg-eth0:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.190
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
ifcfg-lo:0:
DEVICE=lo:0
NAME=loopback
ARP=no
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.193
NETMASK=255.255.255.255
NETWORK=192.168.1.0
/etc/rc.d/rc.local:
# Multicast route out of eth0 (224.0.0.0/4 covers the VRRP group 224.0.0.18
# that the iptables rule below accepts); /4 is the same as netmask 240.0.0.0.
route add -net 224.0.0.0/4 dev eth0
# Raise the open-file limit for processes started from rc.local
# (presumably squid; confirm it is launched from here).
ulimit -n 65535
/etc/sysconfig/iptables:
#add:
-A RH-Firewall-1-INPUT -s 192.168.1.195 -d 224.0.0.18 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 3130 -j ACCEPT
/etc/hosts
#add:
192.168.1.190 squid01.test squid01
192.168.1.195 squid02.test squid02
Squid.conf:
http_port 3128 transparent
icp_port 3130
acl QUERY urlpath_regex cgi-bin \?
acl all src 0.0.0.0/0.0.0.0
cache_peer squid02 sibling 3128 3130 proxy-only
acl manager proto cache_object
no_cache deny QUERY
cache_swap_high 90
cache_dir aufs /home/cache/cachedir 500 16 256
access_log /usr/local/squid/var/logs/access.log squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl our_networks src 192.168.1.0/24
acl my_proxies src 192.168.1.190 192.168.1.195
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow my_proxies
icp_access deny !my_proxies
visible_hostname squid01
always_direct allow my_proxies
coredump_dir /home/cache/cachedir
hierarchy_stoplist cgi-bin ?
cache_effective_user squid
cache_effective_group squid
keepalived.conf:
! Configuration File for keepalived
global_defs {
notification_email {
admin@yourmail.com
}
notification_email_from keepalived@VM_squid01
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_K_Squid01
}
vrrp_sync_group VG1 {
group {
VI_1
}
}
vrrp_instance VI_1 {
state MASTER
interface eth0
lvs_sync_daemon_interface eth0
virtual_router_id 51
priority 150
advert_int 1
smtp_alert
authentication {
auth_type PASS
auth_pass P@ssWd
}
virtual_ipaddress {
192.168.1.193 dev eth0
}
notify_backup "/usr/local/etc/backup.sh BACKUP"
notify_master "/usr/local/etc/master.sh MASTER"
}
virtual_server 192.168.1.193 3128 {
delay_loop 6
lb_algo rr
lb_kind DR
nat_mask 255.255.255.0
protocol TCP
persistence_timeout 600
real_server 192.168.1.195 3128 {
! weight 1
TCP_CHECK {
connect_timeout 3
}
}
real_server 192.168.1.190 3128 {
! weight 2
TCP_CHECK {
connect_timeout 3
}
}
}
/usr/local/etc/backup.sh:
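#!/bin/sh
# keepalived notify_backup hook for squid01.
# Runs when this node drops to BACKUP: the peer (squid02) is now the LVS
# director, so ask it to advertise the VIP, then turn this host into a
# plain LVS-DR real server that stays silent about the VIP held on lo:0.
# keepalived.conf passes "BACKUP" and keepalived may append more state
# arguments; none are used here. Must run as root (writes under /proc/sys).
# The original used smart quotes around the ssh command and an en-dash in
# "sysctl -p", neither of which the shell accepts; both are fixed here.
set -u

RIP2=192.168.1.195   # peer node, the new director
VIP=192.168.1.193    # shared service address (virtual_ipaddress in keepalived.conf)
GW=192.168.1.1       # default gateway whose ARP cache must learn the VIP's new owner

# Gratuitous ARP from the new director so the gateway stops sending VIP
# traffic to this host's MAC. BatchMode keeps keepalived from hanging on a
# password or host-key prompt; it relies on a pre-installed key for root on
# the peer and on the peer's host key already being in root's known_hosts.
ssh -o BatchMode=yes -o ConnectTimeout=5 "$RIP2" "/sbin/arping -U -c 3 -s $VIP $GW &" \
  || echo "backup.sh: gratuitous ARP via $RIP2 failed" >&2

# Real-server side of LVS-DR: do not answer ARP for the VIP and never use it
# as the source of ARP requests, so only the director's MAC is learned.
for dev in lo all; do
  echo 1 > "/proc/sys/net/ipv4/conf/$dev/arp_ignore"
  echo 2 > "/proc/sys/net/ipv4/conf/$dev/arp_announce"
done

# Re-apply /etc/sysctl.conf as the original did; it must not set conflicting
# arp_ignore/arp_announce values or they would override the writes above.
sysctl -p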
/usr/local/etc/master.sh:
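#!/bin/sh
# keepalived notify_master hook for squid01.
# Runs when this node becomes MASTER: advertise the VIP so the gateway
# re-learns its MAC, re-enable ARP for the VIP (it also sits on lo:0 as the
# real-server address), and apply the director-side sysctls.
# keepalived.conf passes "MASTER" and keepalived may append more state
# arguments; none are used here. Must run as root (writes under /proc/sys).
# The original used an en-dash in "sysctl -p"; fixed here.
set -u

VIP=192.168.1.193   # shared service address (virtual_ipaddress in keepalived.conf)
GW=192.168.1.1      # default gateway to refresh with the VIP's new MAC

# Gratuitous ARP: tell the gateway the VIP now belongs to this host.
# Backgrounded so keepalived's notify call returns without waiting for it.
/sbin/arping -U -c 3 -s "$VIP" "$GW" &

# Director side of LVS-DR: this host may now answer ARP for the VIP.
for dev in lo all; do
  echo 0 > "/proc/sys/net/ipv4/conf/$dev/arp_ignore"
  echo 0 > "/proc/sys/net/ipv4/conf/$dev/arp_announce"
done

# Director settings kept from the original: IP forwarding off (LVS-DR does
# not route packets), ICMP redirects left enabled on all interfaces.
echo 0 > /proc/sys/net/ipv4/ip_forward
for dev in all default eth0; do
  echo 1 > "/proc/sys/net/ipv4/conf/$dev/send_redirects"
done

# Re-apply /etc/sysctl.conf as the original did; it must not set conflicting
# values or they would override the writes above.
sysctl -p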
Configure in Squid02
ifcfg-eth0:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.195
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
ifcfg-lo:0:
DEVICE=lo:0
NAME=loopback
ARP=no
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.193
NETMASK=255.255.255.255
NETWORK=192.168.1.0
/etc/rc.d/rc.local:
# Multicast route out of eth0 (224.0.0.0/4 covers the VRRP group 224.0.0.18
# that the iptables rule below accepts); /4 is the same as netmask 240.0.0.0.
route add -net 224.0.0.0/4 dev eth0
# Raise the open-file limit for processes started from rc.local
# (presumably squid; confirm it is launched from here).
ulimit -n 65535
/etc/sysconfig/iptables
#add:
-A RH-Firewall-1-INPUT -s 192.168.1.190 -d 224.0.0.18 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 3130 -j ACCEPT
/etc/hosts
#add:
192.168.1.190 squid01.test squid01
192.168.1.195 squid02.test squid02
Squid.conf:
http_port 3128 transparent
icp_port 3130
acl QUERY urlpath_regex cgi-bin \?
acl all src 0.0.0.0/0.0.0.0
cache_peer squid01 sibling 3128 3130 proxy-only
acl manager proto cache_object
no_cache deny QUERY
cache_swap_high 90
cache_dir aufs /home/cache/cachedir 500 16 256
access_log /usr/local/squid/var/logs/access.log squid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl our_networks src 192.168.1.0/24
acl my_proxies src 192.168.1.190 192.168.1.195
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow my_proxies
icp_access deny !my_proxies
visible_hostname squid02
always_direct allow my_proxies
coredump_dir /home/cache/cachedir
hierarchy_stoplist cgi-bin ?
cache_effective_user squid
cache_effective_group squid
keepalived.conf:
! Configuration File for keepalived
global_defs {
notification_email {
admin@yourmail.com
}
notification_email_from keepalived@VM_squid02
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_K_Squid02
}
vrrp_sync_group VG1 {
group {
VI_1
}
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
lvs_sync_daemon_interface eth0
virtual_router_id 51
priority 150
advert_int 1
smtp_alert
authentication {
auth_type PASS
auth_pass P@ssWd
}
virtual_ipaddress {
192.168.1.193 dev eth0
}
notify_backup "/usr/local/etc/backup.sh BACKUP"
notify_master "/usr/local/etc/master.sh MASTER"
}
virtual_server 192.168.1.193 3128 {
delay_loop 6
lb_algo rr
lb_kind DR
nat_mask 255.255.255.0
protocol TCP
persistence_timeout 600
real_server 192.168.1.195 3128 {
! weight 1
TCP_CHECK {
connect_timeout 3
}
}
real_server 192.168.1.190 3128 {
! weight 2
TCP_CHECK {
connect_timeout 3
}
}
}
/usr/local/etc/backup.sh:
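#!/bin/sh
# keepalived notify_backup hook for squid02.
# Runs when this node drops to BACKUP: the peer (squid01) is now the LVS
# director, so ask it to advertise the VIP, then turn this host into a
# plain LVS-DR real server that stays silent about the VIP held on lo:0.
# keepalived.conf passes "BACKUP" and keepalived may append more state
# arguments; none are used here. Must run as root (writes under /proc/sys).
# The original used smart quotes around the ssh command and an en-dash in
# "sysctl -p", neither of which the shell accepts; both are fixed here.
set -u

RIP1=192.168.1.190   # peer node, the new director
VIP=192.168.1.193    # shared service address (virtual_ipaddress in keepalived.conf)
GW=192.168.1.1       # default gateway whose ARP cache must learn the VIP's new owner

# Gratuitous ARP from the new director so the gateway stops sending VIP
# traffic to this host's MAC. BatchMode keeps keepalived from hanging on a
# password or host-key prompt; it relies on a pre-installed key for root on
# the peer and on the peer's host key already being in root's known_hosts.
ssh -o BatchMode=yes -o ConnectTimeout=5 "$RIP1" "/sbin/arping -U -c 3 -s $VIP $GW &" \
  || echo "backup.sh: gratuitous ARP via $RIP1 failed" >&2

# Real-server side of LVS-DR: do not answer ARP for the VIP and never use it
# as the source of ARP requests, so only the director's MAC is learned.
for dev in lo all; do
  echo 1 > "/proc/sys/net/ipv4/conf/$dev/arp_ignore"
  echo 2 > "/proc/sys/net/ipv4/conf/$dev/arp_announce"
done

# Re-apply /etc/sysctl.conf as the original did; it must not set conflicting
# arp_ignore/arp_announce values or they would override the writes above.
sysctl -p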
/usr/local/etc/master.sh:
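#!/bin/sh
# keepalived notify_master hook for squid02.
# Runs when this node becomes MASTER: advertise the VIP so the gateway
# re-learns its MAC, re-enable ARP for the VIP (it also sits on lo:0 as the
# real-server address), and apply the director-side sysctls.
# keepalived.conf passes "MASTER" and keepalived may append more state
# arguments; none are used here. Must run as root (writes under /proc/sys).
# The original used an en-dash in "sysctl -p"; fixed here.
set -u

VIP=192.168.1.193   # shared service address (virtual_ipaddress in keepalived.conf)
GW=192.168.1.1      # default gateway to refresh with the VIP's new MAC

# Gratuitous ARP: tell the gateway the VIP now belongs to this host.
# Backgrounded so keepalived's notify call returns without waiting for it.
/sbin/arping -U -c 3 -s "$VIP" "$GW" &

# Director side of LVS-DR: this host may now answer ARP for the VIP.
for dev in lo all; do
  echo 0 > "/proc/sys/net/ipv4/conf/$dev/arp_ignore"
  echo 0 > "/proc/sys/net/ipv4/conf/$dev/arp_announce"
done

# Director settings kept from the original: IP forwarding off (LVS-DR does
# not route packets), ICMP redirects left enabled on all interfaces.
echo 0 > /proc/sys/net/ipv4/ip_forward
for dev in all default eth0; do
  echo 1 > "/proc/sys/net/ipv4/conf/$dev/send_redirects"
done

# Re-apply /etc/sysctl.conf as the original did; it must not set conflicting
# values or they would override the writes above.
sysctl -p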
End