Real Server 1
# ifconfig eth0 172.16.10.100/16 up
# route add default gw 172.16.10.12

Real Server 2
# ifconfig eth0 172.16.10.212/16 up
# route add default gw 172.16.10.12

Director Server
# ifconfig eth0 192.168.1.10/24 up
# ifconfig eth1 172.16.10.12/16 up
# yum -y install ipvsadm
# echo 1 > /proc/sys/net/ipv4/ip_forward
# ipvsadm -A -t 192.168.1.10:80 -s rr
# ipvsadm -a -t 192.168.1.10:80 -r 172.16.10.100 -m
# ipvsadm -a -t 192.168.1.10:80 -r 172.16.10.212 -m
LVS-DR model

The NAT model above works, but it has a drawback: every packet in both directions passes through the Director Server, so under heavy cluster load the Director Server becomes the bottleneck of the whole cluster. The DR model avoids this: only the requests pass through the Director Server, and the response packets are sent by the Real Server directly to the client without going back through the Director Server.
Real Server 1
# ifconfig eth0 172.16.10.100/16 up
# echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
# echo 2 > /proc/sys/net/ipv4/conf/eth0/arp_announce
# ifconfig lo:0 192.168.1.10 netmask 255.255.255.255 broadcast 192.168.1.10 up
# route add -host 192.168.1.10 dev lo:0

Real Server 2
# ifconfig eth0 172.16.10.212/16 up
# echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
# echo 2 > /proc/sys/net/ipv4/conf/eth0/arp_announce
# ifconfig lo:0 192.168.1.10 netmask 255.255.255.255 broadcast 192.168.1.10 up
# route add -host 192.168.1.10 dev lo:0

Director Server
# ifconfig eth0 172.16.10.12/16 up
# ifconfig eth0:0 192.168.1.10 netmask 255.255.255.255 broadcast 192.168.1.10 up
# echo 1 > /proc/sys/net/ipv4/ip_forward
# route add -host 192.168.1.10 dev eth0:0
# yum install ipvsadm -y
# ipvsadm -A -t 192.168.1.10:80 -s rr
# ipvsadm -a -t 192.168.1.10:80 -r 172.16.10.100 -g
# ipvsadm -a -t 192.168.1.10:80 -r 172.16.10.212 -g
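The arp_ignore/arp_announce settings and the `-g` forwarding mode above are what keep the VIP reachable only through the director: if a real server answers ARP for 192.168.1.10 itself, clients reach it directly and bypass the load balancer. The Python audit helper below is an added example, not code from the original post or from the ipvsadm project. It parses a constructed sample of `ipvsadm -Ln` output for the service configured above, checks a DR real server's effective arp_ignore/arp_announce values (the kernel applies the larger of the `all` and per-interface settings, so the check uses the maximum), and flags a NAT (Masq) real server on a director whose ip_forward is off. The function names and the sample output are assumptions.

```python
"""Added example: audit LVS-DR / LVS-NAT settings (not the page's own code)."""
import os

# Constructed sample of `ipvsadm -Ln` output for the DR service configured above.
SAMPLE_IPVSADM_LN = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.10:80 rr
  -> 172.16.10.100:80             Route   1      0          0
  -> 172.16.10.212:80             Route   1      0          0
"""


def parse_ipvsadm_ln(output):
    """Parse `ipvsadm -Ln` text into a list of services, each with its real servers.

    'forward' is the ipvsadm mode name: Masq (NAT, -m), Route (DR, -g) or Tunnel (-i).
    """
    services, current = [], None
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP", "SCTP"):
            current = {"proto": parts[0], "vip": parts[1], "scheduler": parts[2], "real": []}
            services.append(current)
        elif current is not None and len(parts) >= 4 and parts[0] == "->" and parts[3].isdigit():
            current["real"].append({"rip": parts[1], "forward": parts[2], "weight": int(parts[3])})
    return services


def read_arp_sysctls(iface="eth0", proc_root="/proc/sys/net/ipv4/conf"):
    """Read arp_ignore/arp_announce for 'all' and for iface from /proc (None if unreadable)."""
    values = {}
    for scope in ("all", iface):
        for key in ("arp_ignore", "arp_announce"):
            try:
                with open(os.path.join(proc_root, scope, key)) as f:
                    values[f"{scope}/{key}"] = int(f.read().strip())
            except (OSError, ValueError):
                values[f"{scope}/{key}"] = None
    return values


def dr_real_server_problems(sysctls, iface="eth0"):
    """Return a list of problems with a DR real server's ARP settings (empty when OK).

    The kernel uses max(conf/all/X, conf/<iface>/X) for both knobs, so either scope
    being set is enough; the page sets both, which is the safe habit.
    """
    def effective(key):
        vals = [sysctls.get(f"all/{key}"), sysctls.get(f"{iface}/{key}")]
        vals = [v for v in vals if v is not None]
        return max(vals) if vals else 0

    problems = []
    if effective("arp_ignore") < 1:
        problems.append("arp_ignore is 0: this host will answer ARP for the VIP on lo and "
                        "take traffic away from the director")
    if effective("arp_announce") != 2:
        problems.append("arp_announce is not 2: this host may use the VIP as ARP source "
                        "address and poison neighbour caches on the LAN")
    return problems


def audit_director(ipvsadm_output, ip_forward):
    """Check the director's forwarding state against each real server's mode."""
    problems = []
    for svc in parse_ipvsadm_ln(ipvsadm_output):
        for rs in svc["real"]:
            if rs["forward"] == "Masq" and ip_forward != 1:
                problems.append(f"{svc['vip']} -> {rs['rip']}: NAT (Masq) needs "
                                "net.ipv4.ip_forward=1 on the director")
    return problems


if __name__ == "__main__":
    # On a DR real server: read the live sysctls and report.
    for p in dr_real_server_problems(read_arp_sysctls("eth0")):
        print("WARN:", p)
    # On the director: feed in `ipvsadm -Ln` output captured by the caller.
    for p in audit_director(SAMPLE_IPVSADM_LN, 1):
        print("WARN:", p)
```

On a live real server, `read_arp_sysctls()` reads the values the page sets with `echo`; the audit functions take plain dictionaries and strings so they can also be run against captured output from another host.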
Web server load balancing with LVS

Lab topology

Environment

System: CentOS 6.6
Director Server: 192.168.1.10 (VIP), 172.16.10.12 (DIP)
Real Server 1: 192.168.1.10 (VIP), 172.16.10.100 (RIP)
Real Server 2: 192.168.1.10 (VIP), 172.16.10.212 (RIP)
PHP server: 172.16.10.110
NFS server: 172.16.10.110
Database server: 172.16.10.211

Requirement: deploy Discuz on the web servers and load-balance them with LVS.

NFS server configuration

Create the shared directory and set its permissions.

Edit the configuration file to define the shared directory and the clients allowed to mount it.
[root@scholar ~]# vim /etc/exports
/web/discuz 172.16.10.100(rw,sync) 172.16.10.212(rw,sync)
Your new secret key is: 2YA3XXXXXXXRCEIQ
Your verification code is 17XXX4
Your emergency scratch codes are:
  51XXXX25
  93XXXX45
  87XXXX39
  98XXXX31
  15XXXX83
# These five codes are for emergencies only, when you cannot obtain a normal verification code. Each scratch code is consumed after a single use, so store them safely.

Do you want me to update your "/root/.google_authenticator" file (y/n) y
# Writes the secret and the settings chosen below into ~/.google_authenticator.

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
# Forbidding reuse of a token limits you to roughly one login per 30-second window, but it improves your chance of noticing, or even preventing, replay of a captured code by a man in the middle.

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y
# Tokens are valid for 30 seconds; to tolerate clock skew between client and server, one extra token before and one after the current one are accepted. If time synchronisation is poor, the window can be widened from the default 1:30 min to about 4 min.

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
# If the host is not otherwise hardened against brute-force logins, enable rate limiting in the PAM module; by default an attacker gets at most 3 attempts every 30 seconds.
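The three prompts above (skew window, single use of a token, rate limiting) correspond to a few lines of TOTP logic on the verifying side. The Python block below is an added example, not output or code from the page or from the google-authenticator project: it implements HOTP/TOTP (RFC 4226/6238, HMAC-SHA1, 6 digits) from a base32 secret of the kind printed above, and shows how the skew window, the replay check and the 3-per-30s limit behave. The function names are assumptions, and the key is the RFC 6238 test secret, not a real one; the exact number of steps google-authenticator uses for its "about 4 min" option is not modelled, `window` is simply the number of extra steps accepted on each side.

```python
"""Added example: TOTP verification with skew window, replay check and rate limit."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret ("12345678901234567890" encoded in base32).
# Constructed test key, never use it for a real account.
RFC_TEST_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp_code(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_counter(unix_time, step=30):
    """Time step number: the 30-second slot the prompt refers to."""
    return int(unix_time) // step


def totp_code(secret_b32, unix_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the current time step as counter."""
    if unix_time is None:
        unix_time = time.time()
    return hotp_code(secret_b32, totp_counter(unix_time, step), digits)


def verify_code(secret_b32, submitted, unix_time, window=1,
                last_used_counter=None, step=30, digits=6):
    """Return the time step that matched, or None if the code is rejected.

    window: extra steps accepted before and after the current one. window=1 is the
    default described in the prompt (one token each side, i.e. a 1:30 min window);
    widening it tolerates more clock skew but lets an observed code stay usable longer.
    last_used_counter: reject any step <= this value, which is the "disallow multiple
    uses of the same token" option; the caller stores the returned step after success.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = totp_counter(unix_time, step)
    for counter in range(current - window, current + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp_code(secret_b32, counter, digits), submitted):
            return counter
    return None


def rate_limited(attempt_times, now, max_attempts=3, interval=30):
    """True when max_attempts or more attempts already fall inside the last interval
    seconds (the module's default of 3 attempts per 30 s)."""
    recent = [t for t in attempt_times if now - t < interval]
    return len(recent) >= max_attempts


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp_code(RFC_TEST_KEY_B32, now))
    print("matched step:", verify_code(RFC_TEST_KEY_B32, totp_code(RFC_TEST_KEY_B32, now), now))
```

The replay check is what makes "one login about every 30s" true: once step N has been accepted, neither it nor any earlier step in the window can be reused, so a code captured in transit is worthless after the legitimate login goes through.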
Configure SSH to use the two-step verification module

1. Edit /etc/pam.d/sshd and add the following line
vim /etc/pam.d/sshd
auth required pam_google_authenticator.so