- Nginx编译安装
下载最新的nginx源码
nginx官网下载nginx-1.24.0.tar.gz
解压 tar zxvf nginx-1.24.0.tar.gz
安装nginx的编译依赖
yum -y install gcc zlib zlib-devel pcre-devel openssl openssl-devel
进入源码目录并编译安装
cd nginx-1.24.0
./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-stream
make && make install
- Nginx配置
配置内核参数
# grep "TPROXY" /boot/config-`uname -r`
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
临时生效（重启后失效）
# sysctl -w net.ipv4.ip_forward=1
# sysctl -w net.ipv4.ip_nonlocal_bind=1
永久生效
vi /etc/sysctl.conf
新增如下两行
net.ipv4.ip_forward=1
net.ipv4.ip_nonlocal_bind=1
配置nginx 的策略路由:
# Policy routing on the nginx host: packets coming back from the backend
# service (source port 10018, the port of the stream upstream "callhome") are
# marked and handed to routing table 100, which delivers them to the local
# stack so nginx can terminate connections that are addressed to the real
# client IP (see "proxy_bind $remote_addr transparent").
# NOTE: the two -F lines flush EVERY rule in the filter and mangle tables,
# not only the ones added here - any existing host firewall rules are lost.
iptables -F
iptables -F -t mangle
# mark return traffic from the backends (their listening port, 10018)
iptables -t mangle -A PREROUTING -p tcp --sport 10018 -j MARK --set-mark 1
# marked packets consult routing table 100 ...
ip rule add fwmark 1 lookup 100
ip route flush table 100
# ... which treats every destination as local, so the marked packets are
# accepted by this host instead of being forwarded towards the client
ip route add local 0.0.0.0/0 dev lo table 100
将以上命令添加到 /etc/rc.d/init.d/network 中 `exit $rc` 之前，使其永久生效
Nginx的配置文件:
# number of worker processes; ideally equal to the number of CPU cores
worker_processes 4;
# max open files per worker process; keep consistent with `ulimit -n`
worker_rlimit_nofile 65536;
events {
# max simultaneous connections per worker process
worker_connections 65536;
}
http {
upstream http-sdwan {
server 192.168.1.3:8181;
server 192.168.1.4:8181;
}
server {
listen 8181;
# 192.168.1.44 is the keepalived virtual IP (virtual_ipaddress in the
# keepalived configuration)
server_name 192.168.1.44;
access_log /var/log/nginx/access_neimeng_sdwan.log;
error_log /var/log/nginx/error_neimeng_sdwan.log;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
# the client already sent; only the last (rightmost) address is set by this
# proxy, the earlier entries are client-controlled and must not be trusted
# by the backend
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://http-sdwan;
proxy_buffer_size 1024k;
proxy_buffers 8 1024k;
proxy_busy_buffers_size 1024k;
proxy_temp_file_write_size 1024k;
# 0 disables buffering of backend responses to temporary files on disk
proxy_max_temp_file_size 0;
# only has an effect together with error_page directives; none are defined
# in this server block
proxy_intercept_errors on;
}
}
}
stream {
# TCP proxy for the "callhome" service
upstream callhome {
# a backend is taken out of rotation for 30s after 3 failed attempts
server 192.168.1.3:10018 max_fails=3 fail_timeout=30s;
server 192.168.1.4:10018 max_fails=3 fail_timeout=30s;
}
server {
# this is the listener keepalived's check script probes (check_odl.sh 8008)
listen 8008;
proxy_pass callhome;
# Transparent proxying: connections to the backend are opened from the real
# client address, so the backends see the client IP. Their replies are then
# addressed to the client and only come back here because of the fwmark /
# table 100 policy routing on this host and on the backends. Per the nginx
# documentation this needs the worker processes to hold CAP_NET_RAW (on
# Linux, nginx >= 1.13.8 inherits it from the master process) or to run as
# superuser, plus net.ipv4.ip_nonlocal_bind=1 on this host.
proxy_bind $remote_addr transparent;
proxy_connect_timeout 2s;
# idle timeout between two successive read/write operations on either side
proxy_timeout 900s;
}
}
keepalived配置
! Configuration File for keepalived
global_defs {
# node identifier; here the host's own address (same as mcast_src_ip below)
router_id 192.168.1.120
}
# health check: runs check_odl.sh against the nginx stream listener (port
# 8008) every 2 seconds; a non-zero exit status means the check failed
vrrp_script chk_nginx {
script "/etc/keepalived/check_odl.sh 8008"
interval 2
# weight 0: a failed check does not merely lower the priority, it moves the
# instance into FAULT state and releases the VIP
weight 0
}
vrrp_instance VI_1 {
# the initial state must be BACKUP for nopreempt (below) to be honoured
state BACKUP
interface ens192
# must be identical on every node of this VRRP group and unique per L2 segment
virtual_router_id 201
priority 100
advert_int 1
# source address of the VRRP multicast advertisements
mcast_src_ip 192.168.1.120
# non-preemptive mode: a recovered node with a higher priority does not take
# the VIP back from the current master
nopreempt
# simple-password VRRP authentication: the password travels in clear text in
# every advertisement on the LAN and only its first 8 characters are used, so
# it guards against accidental misconfiguration, not against a host on the
# same segment
authentication {
auth_type PASS
auth_pass 10002000
}
track_script {
chk_nginx
}
# the floating address served by the nginx "server_name 192.168.1.44" block
virtual_ipaddress {
192.168.1.44
}
}
check_odl.sh
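#!/bin/sh
# check_odl.sh - keepalived health check for the nginx stream listener.
#
# Usage: check_odl.sh PORT
# Exit status: 0 when a TCP socket is listening on PORT, 1 when nothing
# listens there, 2 on a missing or non-numeric argument. keepalived's
# vrrp_script treats any non-zero exit as a failed check, so a misconfigured
# call must NOT return 0.
CHK_PORT=$1

# Fail the check when the port is empty or not a number. The previous
# version printed a message and fell through with status 0, which made
# keepalived believe the check had passed.
case "$CHK_PORT" in
  ''|*[!0-9]*)
    echo "Check Port Cant Be Empty!" >&2
    exit 2
    ;;
esac

# Match the port only at the end of the local-address column ($4 of
# `ss -lnt`, e.g. 0.0.0.0:8008 or [::]:8008). The old `grep $CHK_PORT` over
# the whole line also matched 18008, 80080 or any address containing those
# digits, and `wc -l` then counted such lines as a healthy listener.
if ss -lnt | awk -v p="$CHK_PORT" '
    { n = split($4, a, /[:.]/); if (a[n] == p) found = 1 }
    END { exit !found }'; then
  exit 0
fi

echo "Port $CHK_PORT Is Not Used,End."
exit 1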
后端服务器配置策略路由
将以下命令添加到 /etc/rc.d/init.d/network 中 `exit $rc` 之前，使其永久生效
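# Backend hosts: mark the replies of the proxied service so they are routed
# back through the nginx host rather than straight to the client (nginx opens
# the backend connection from the real client address, see
# "proxy_bind $remote_addr transparent").
#
# NOTE(review): the stream upstream "callhome" is defined on port 10018 and
# the nginx host marks incoming packets with --sport 10018, so replies from
# the backend service would normally leave with source port 10018, not 8008.
# Confirm which port the service on the backends really listens on before
# applying these rules.
# NOTE(review): 192.168.1.10 is presumably the nginx host's own interface
# address; if the proxy fails over to another keepalived node this gateway
# has to follow it - verify.

# backend 192.168.1.3
# (the original line had an en dash and a missing space, "–sport 8008-j",
# which iptables does not accept as --sport 8008 -j)
iptables -t mangle -A OUTPUT -p tcp --src 192.168.1.3 --sport 8008 -j MARK --set-xmark 1
ip rule add fwmark 1 lookup 100
ip route add default via 192.168.1.10 table 100

# backend 192.168.1.4
iptables -t mangle -A OUTPUT -p tcp --src 192.168.1.4 --sport 8008 -j MARK --set-xmark 1
ip rule add fwmark 1 lookup 100
ip route add default via 192.168.1.10 table 100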