1. Overview of the Keepalived+HAProxy High-Availability Cluster Lab
In internet service architectures, high availability is a key element in keeping a business running. This lab builds a two-node high-availability cluster from Keepalived and HAProxy: a virtual IP (VIP) floats between the nodes, so clients keep talking to one stable address while failover happens behind it. The design suits web workloads with strict continuity requirements, such as e-commerce platforms and online payment systems.
The lab uses two physical servers (192.168.63.208 and 192.168.63.209), each running Keepalived and HAProxy. Keepalived owns the VIP (192.168.63.199) and moves it on failure; HAProxy load-balances across the backend Nginx instances. When the master node fails, the backup node takes over the VIP within seconds and clients do not notice the switch.
Key design principle: keep the two nodes symmetric in software versions, configuration file paths, health-check scripts and so on, so that whichever node holds the VIP behaves identically. Symmetry alone does not prevent split-brain (both nodes believing they are master): that happens when VRRP advertisements stop reaching the peer, typically because of a firewall rule or a network partition, so the firewall rules in 2.1 matter just as much, and the verification in section 5 should confirm that exactly one node holds the VIP.
2. Base Environment and Component Installation
2.1 Server Roles and Network Configuration
The lab uses two CentOS 7 servers with the following roles:
| Host IP | Role | Services |
|---|---|---|
| 192.168.63.208 | Master node | Keepalived+HAProxy+Nginx |
| 192.168.63.209 | Backup node | Keepalived+HAProxy+Nginx |
Network prerequisites:
- Both servers are on the same subnet: VRRP advertisements are multicast to 224.0.0.18 and do not cross routers
- Rather than disabling the firewall, allow TCP 8099 and 8100, TCP 80 between the two nodes (each HAProxy health-checks the other node's Nginx), and IP protocol 112 (VRRP) between the two nodes; a blocked VRRP stream is the most common cause of both nodes claiming the VIP
- Passwordless SSH between the nodes for administration
- The virtual IP 192.168.63.199 is not in use by any other device (check with arping before assigning it)
2.2 Nginx Installation and Configuration
Build and install Nginx 1.24.0 on both servers as the backend service:
```bash
#!/bin/bash
# nginx build script; abort on the first failing step instead of continuing blindly
set -euo pipefail
yum -y install gcc gcc-c++ make zlib-devel pcre-devel openssl-devel wget
mkdir -p /data/download/nginx
cd /data/download/nginx
wget https://nginx.org/download/nginx-1.24.0.tar.gz
tar -xzvf nginx-1.24.0.tar.gz
cd nginx-1.24.0
./configure --prefix=/usr/local/nginx
make && make install
```
Create the systemd unit file /usr/lib/systemd/system/nginx.service (the same directory the HAProxy unit uses below):
```ini
[Unit]
Description=nginx
After=network.target

[Service]
Type=forking
# PIDFile lets systemd track the daemonised master process instead of guessing it
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```
Start it and verify:
```bash
systemctl daemon-reload
systemctl enable --now nginx
curl -I http://localhost   # the first line should read "HTTP/1.1 200 OK"
```
2.3 Building HAProxy from Source
Install HAProxy 2.1.12 from source:
```bash
#!/bin/bash
set -euo pipefail
# pcre/openssl/zlib headers are needed for the USE_* build options below
yum -y install gcc make pcre-devel openssl-devel zlib-devel wget
mkdir -p /data/download/haproxy
cd /data/download/haproxy
wget https://www.haproxy.org/download/2.1/src/haproxy-2.1.12.tar.gz
tar xzf haproxy-2.1.12.tar.gz
cd haproxy-2.1.12
# TARGET=linux310 is not a target the 2.x Makefile knows; 2.x builds with
# linux-glibc. USE_OPENSSL is what the SSL tuning in section 6.2 relies on.
make TARGET=linux-glibc USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1 PREFIX=/usr/local/haproxy
make install PREFIX=/usr/local/haproxy
```
Create the service user and the configuration directory:
```bash
useradd -s /sbin/nologin -M haproxy
mkdir -p /etc/haproxy
touch /etc/haproxy/haproxy.cfg
```
3. HAProxy Configuration and Tuning
3.1 The Core Configuration File
/etc/haproxy/haproxy.cfg consists of a global section, a defaults section and one listen section per service:
```ini
global
    # One log line suffices: level "info" already includes notice and above.
    # With chroot enabled, /dev/log must also exist inside /usr/local/haproxy,
    # otherwise nothing is logged; the rsyslog configuration in 3.2 must create it.
    log /dev/log local0 info
    chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    nbproc 1
    daemon

defaults
    log global
    timeout connect 5000
    timeout client 10m
    timeout server 10m

listen admin_stats
    # prefer a management address here; 0.0.0.0 exposes the page on every interface
    bind 0.0.0.0:8099
    mode http
    stats uri /status
    stats realm "Haproxy Statistics"
    # lab credentials: change them and restrict the source with an ACL before exposure (see 6.1)
    stats auth admin:123456
    # "if TRUE" grants the admin actions (disable/drain servers) to every authenticated user
    stats admin if TRUE

listen nginx
    bind 0.0.0.0:8100
    mode tcp
    balance roundrobin
    # health check every 2 s; two failures mark a server down, two successes bring it back
    server nginx1 192.168.63.208:80 check inter 2000 fall 2 rise 2 weight 1
    server nginx2 192.168.63.209:80 check inter 2000 fall 2 rise 2 weight 1
```
Key parameters:
- nbproc 1: single-process mode, adequate for low concurrency; on multi-core hosts use nbthread instead (nbproc is deprecated in later 2.x releases)
- balance roundrobin: round-robin scheduling across the backends
- check inter 2000: health check every 2 seconds
- fall 2: two consecutive failures mark a server unavailable
- rise 2: two consecutive successes return it to service
- stats auth and stats admin if TRUE: lab-only credentials, and every authenticated user gets the admin actions; tighten both before exposing the page
3.2 systemd Service Management
Create the unit file /lib/systemd/system/haproxy.service:
```ini
[Unit]
Description=HAProxy Load Balancer
After=network.target rsyslog.service

[Service]
# Validate the configuration first so a typo cannot take the node down on restart
ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
# -W runs HAProxy in master-worker mode: the master pid stays the same across
# reloads, so systemd can track it via PIDFile and reload it with SIGUSR2.
# (The original "-sf $(pidof haproxy)" could not work: systemd performs no shell
# command substitution in Exec* lines.)
ExecStart=/usr/local/haproxy/sbin/haproxy -W -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
ExecReload=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecReload=/bin/kill -USR2 $MAINPID
Type=forking
PIDFile=/var/run/haproxy.pid
KillMode=mixed
Restart=always
RestartSec=2s

[Install]
WantedBy=multi-user.target
```
Log configuration in /etc/rsyslog.d/haproxy.conf. Because HAProxy is chrooted, rsyslog has to provide a second /dev/log inside /usr/local/haproxy, and that directory must exist before rsyslog starts:
```ini
# imuxsock is already loaded by the default CentOS 7 rsyslog.conf
$AddUnixListenSocket /usr/local/haproxy/dev/log
if ($programname == 'haproxy' and $syslogseverity-text == 'info')
then -/var/log/haproxy/haproxy-info.log
& stop
if ($programname == 'haproxy' and $syslogseverity-text == 'notice')
then -/var/log/haproxy/haproxy-notice.log
& stop
```
Start everything:
```bash
mkdir -p /var/log/haproxy /usr/local/haproxy/dev
systemctl restart rsyslog
systemctl daemon-reload
systemctl enable --now haproxy
tail -f /var/log/haproxy/haproxy-info.log   # watch the log
```
4. Implementing High Availability with Keepalived
4.1 Building Keepalived from Source
Install Keepalived 2.2.8 on both servers:
```bash
#!/bin/bash
set -euo pipefail
mkdir -p /data/download/keepalived
cd /data/download/keepalived
# libnl3 is the netlink library keepalived 2.x prefers; libnl (v1) is the fallback
yum -y install gcc openssl-devel libnfnetlink-devel libnl3-devel libnl-devel popt-devel wget
# Refresh the CA bundle instead of passing --no-check-certificate to wget: an
# unverified download is exactly how a tampered tarball would get onto the box
yum -y update ca-certificates
wget https://www.keepalived.org/software/keepalived-2.2.8.tar.gz
tar xzf keepalived-2.2.8.tar.gz
cd keepalived-2.2.8
./configure --prefix=/usr/local/keepalived --sysconfdir=/etc
make && make install
```
With systemd detected at configure time, make install also places keepalived.service in the systemd unit directory, which the systemctl commands in section 5 rely on; confirm with systemctl cat keepalived.
4.2 Master Node Configuration
Master node configuration file /etc/keepalived/keepalived.conf:
```ini
! Configuration File for keepalived
global_defs {
    # Run check scripts as root, but refuse to run a script whose path is
    # writable by a non-root user (without this keepalived 2.x only warns)
    script_user root
    enable_script_security
}

vrrp_script chk_haproxy {
    script "/data/sh/check_haproxy.sh"
    interval 2
    # no weight: the script below stops keepalived outright instead of adjusting
    # priority, and a non-zero exit would put the instance into FAULT anyway
}

vrrp_instance VI_1 {
    # Both nodes start as BACKUP. keepalived ignores nopreempt when the initial
    # state is MASTER, so "state MASTER" plus nopreempt never takes effect;
    # the higher priority below still makes this node the first master.
    state BACKUP
    interface ens33
    virtual_router_id 151
    priority 100
    # 1 s advertisements: the backup declares the master dead after 3 x advert_int
    # plus a priority-dependent skew, roughly 3-4 s. A 5 s interval would stretch
    # failover to 15 s or more.
    advert_int 1
    nopreempt
    # VRRPv2 PASS authentication is sent in cleartext; it guards against accidental
    # router-id clashes, not against an attacker on the same segment
    authentication {
        auth_type PASS
        auth_pass 2222
    }
    virtual_ipaddress {
        192.168.63.199
    }
    track_script {
        chk_haproxy
    }
}
```
4.3 Backup Node Configuration
The backup node uses the same file, including state BACKUP and nopreempt; the only difference is the priority:
```ini
priority 90   # must be lower than the master node
```
4.4 Health-Check Script
Contents of /data/sh/check_haproxy.sh:
```bash
#!/bin/bash
# If no haproxy process exists, stop keepalived so this node leaves the VRRP
# group and the backup takes the VIP. killall -0 (package psmisc) only tests
# whether a process with that name exists; it sends no signal.
if ! killall -0 haproxy 2>/dev/null; then
    systemctl stop keepalived
fi
```
How it works:
- killall -0 checks whether an HAProxy process exists
- when none is found, stopping Keepalived withdraws this node's VRRP advertisements, and the backup becomes master after the master-down interval
- the script must be executable and, since keepalived 2.x runs it as root, owned by root and writable by nobody else:
```bash
yum -y install psmisc
mkdir -p /data/sh
chown root:root /data/sh/check_haproxy.sh
chmod 700 /data/sh/check_haproxy.sh
```
Two caveats: the HAProxy unit has Restart=always, so a crash that systemd repairs within RestartSec can still be caught by this 2 s check and trigger an avoidable failover; and because the script stops Keepalived outright, the node does not rejoin the cluster by itself (see 5.3).
5. Cluster Verification and Failover Testing
5.1 Verifying the Normal State
- Start Keepalived on both nodes (Nginx and HAProxy should already be running) and confirm that VRRP advertisements are flowing:
```bash
systemctl enable --now keepalived
tcpdump -c 3 -ni ens33 vrrp   # one advertisement per advert_int from the current master
```
- Check which node holds the VIP; it must appear on exactly one of them:
```bash
ip addr show ens33 | grep 192.168.63.199
```
- Open the HAProxy statistics page:
```
http://192.168.63.199:8099/status
```
Credentials: admin/123456 (the lab defaults from 3.1)
- Test load balancing; repeated requests should alternate between the two Nginx backends:
```bash
curl http://192.168.63.199:8100
```
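Split-brain is the failure mode the symmetric-configuration rule in section 1 is meant to avoid, so the normal-state check should confirm that exactly one node owns the VIP. The following script is an added example, not part of the original lab: it asks each node over SSH which addresses it holds on ens33 and reports one holder, none, or more than one. The node list, VIP, interface and root SSH access are assumptions taken from the lab setup.

```bash
#!/usr/bin/env bash
# VIP ownership check (added example). Asks every node which addresses it holds
# and flags the two failure modes of a VRRP pair: nobody owns the VIP, or both
# do (split-brain). Node list, VIP and interface are the lab's values (assumed);
# passwordless ssh from the host running this script is assumed, as set up in 2.1.
NODES="${NODES:-192.168.63.208 192.168.63.209}"
VIP="${VIP:-192.168.63.199}"
IFACE="${IFACE:-ens33}"

# Reads the output of "ip -4 addr show <iface>" on stdin; prints 1 if the VIP
# is bound there, otherwise 0. Fixed-string match on "inet <VIP>/" so that a
# shorter address such as 192.168.63.19 cannot match 192.168.63.199.
holds_vip() {
    grep -c -F "inet $VIP/" || true
}

# Prints a verdict for the list of holders passed as arguments.
# Exit status: 0 for exactly one holder, 1 for none, 2 for more than one.
verdict() {
    case $# in
        1) echo "OK: VIP $VIP is held by $1"; return 0 ;;
        0) echo "FAIL: no node holds VIP $VIP"; return 1 ;;
        *) echo "SPLIT-BRAIN: VIP $VIP is held by $*"; return 2 ;;
    esac
}

# Poll the nodes over ssh and combine the answers.
check_cluster() {
    local holders="" node
    for node in $NODES; do
        if [ "$(ssh -o BatchMode=yes -o ConnectTimeout=3 "root@$node" \
                   ip -4 addr show "$IFACE" | holds_vip)" = "1" ]; then
            holders="$holders $node"
        fi
    done
    # word-splitting holders into separate arguments is intended
    verdict $holders
}

if [ "${1:-}" = "run" ]; then
    check_cluster
fi
```

Run it as ./vip_check.sh run from a management host; an unreachable node simply contributes no answer, so a node that is down shows up as "not holding" rather than masking a real split-brain. It is worth running it once more after every failover test in 5.2 and 5.3.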
5.2 Failover Test
- Simulate an HAProxy failure on the master node. An explicit systemctl stop is not undone by the unit's Restart=always, so the outage persists until you start the service again:
```bash
systemctl stop haproxy
```
- Watch the VIP move to the backup. The backup declares the master dead after roughly 3 x advert_int plus a priority-dependent skew, so with a 1 s advert_int expect 3-5 s (with a 5 s advert_int it takes more than 15 s):
```bash
# run on the backup node
ip addr show ens33 | grep 192.168.63.199
```
- Check the Keepalived log for the state transition:
```bash
journalctl -u keepalived -f
```
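The 3-5 s figure above is worth measuring rather than assuming, and the closing advice in section 6 asks for exactly that record. The script below is an added example, not part of the original lab: run it from a third host, stop HAProxy on the master while it runs, and it reports the longest window during which the VIP did not answer. It assumes the lab's VIP and port, curl, and GNU date for millisecond timestamps; the analysis is kept separate from the probe loop so the saved probe log can be re-analysed later.

```bash
#!/usr/bin/env bash
# Failover timing probe (added example). Run from a third host, then stop
# haproxy on the master; it reports the longest window without a successful
# answer from the VIP. VIP/port are the lab's values (assumed), overridable via env.
VIP="${VIP:-192.168.63.199}"
PORT="${PORT:-8100}"
INTERVAL="${INTERVAL:-0.2}"   # seconds between probes
DURATION="${DURATION:-60}"    # total probe window in seconds
LOG="${LOG:-/tmp/failover-probe.log}"

# One probe: prints "<epoch_ms> up" or "<epoch_ms> down".
probe_once() {
    local now
    now=$(date +%s%3N)
    if curl -s -o /dev/null --connect-timeout 1 --max-time 1 "http://$VIP:$PORT/"; then
        echo "$now up"
    else
        echo "$now down"
    fi
}

# Reads "<epoch_ms> up|down" lines on stdin and prints the longest outage in
# milliseconds, measured from the last "up" before a run of "down" samples to
# the first "up" after it. Prints 0 if the service never went down; an outage
# still open at the end of the log is measured up to the last sample.
longest_outage_ms() {
    awk '
        $2 == "up" {
            if (start) { gap = $1 - start; if (gap > worst) worst = gap; start = 0 }
            last_up = $1; next
        }
        $2 == "down" { if (!start) start = (last_up ? last_up : $1) }
        END {
            if (start) { gap = $1 - start; if (gap > worst) worst = gap }
            print worst + 0
        }
    '
}

# Probe continuously for DURATION seconds.
run_probe() {
    local end=$(( $(date +%s) + DURATION ))
    while [ "$(date +%s)" -lt "$end" ]; do
        probe_once
        sleep "$INTERVAL"
    done
}

if [ "${1:-}" = "run" ]; then
    echo "Probing http://$VIP:$PORT/ for ${DURATION}s (log: $LOG); stop haproxy on the master now." >&2
    run_probe | tee "$LOG" | longest_outage_ms | sed 's/^/longest outage (ms): /'
fi
```

Run it as ./failover_probe.sh run, stop HAProxy on the master a few seconds in, and compare the reported number with the master-down interval you expect from advert_int; a result far above it usually means the health-check script, not VRRP, is the slow part. The probe resolution is INTERVAL, so the figure is accurate to about 200 ms.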
5.3 Recovery Test
- Bring the old master back:
```bash
systemctl start haproxy
systemctl start keepalived   # the health-check script stopped it when HAProxy went down
```
- Observe whether the VIP moves back. With nopreempt in effect the VIP stays on the current holder and the recovered node rejoins as BACKUP, which avoids a second interruption; if the VIP must always sit on the higher-priority node, remove nopreempt from both nodes.
6. Recommendations for Production
6.1 Security Hardening
- Change the statistics port and the admin:123456 credentials, and drop "stats admin if TRUE" unless operators really need to drain servers from the web page
- Add an ACL to the stats listener so that only management addresses can reach it, or bind it to the management interface instead of 0.0.0.0
- Terminate TLS on HAProxy and, where the backends live on other hosts, re-encrypt to them with server-side "ssl verify required" so the balancer cannot be pointed at an impostor backend
- Do not lean on the VRRP password: with auth_type PASS it crosses the wire in cleartext, so rotating it buys little. Restrict IP protocol 112 on each node to the peer's address and, if the network offers no multicast isolation, switch the instance to unicast_peer so advertisements travel only between the two nodes
6.2 Performance Tuning Parameters
```ini
global
    maxconn 100000
    # only meaningful once HAProxy terminates TLS (requires a USE_OPENSSL build)
    tune.ssl.default-dh-param 2048

defaults
    # the http-* timeouts apply to http-mode sections only; the tcp-mode
    # "listen nginx" above is governed by timeout client/server
    timeout http-request 10s
    timeout queue 1m
    timeout http-keep-alive 10s
```
6.3 Scaling the HA Architecture
- Multiple VIPs: assign a separate VIP per service, each in its own vrrp_instance with its own virtual_router_id
- Active-active: combine with DNS for cross-datacentre disaster recovery
- Containerised deployment: use Kubernetes for dynamic scaling
Key lesson: before going live, run at least three complete failover tests and record the switch time and the period of business impact for each one.