海运的博客

Centos配置LVS Keepalived高可用负载均衡服务器

发布时间:July 18, 2012 // 分类:高可用 // No Comments

LVS IP信息:

主LVS:192.168.1.2
备LVS:192.168.1.3
虚拟IP:192.168.1.6
应用服务器1:192.168.1.12
应用服务器2:192.168.1.13

查看内核是否支持LVS模块:

modprobe -l |grep ipvs
/lib/modules/2.6.18-274.17.1.el5/kernel/net/ipv4/ipvs/ip_vs.ko
/lib/modules/2.6.18-274.17.1.el5/kernel/net/ipv4/ipvs/ip_vs_dh.ko
/lib/modules/2.6.18-274.17.1.el5/kernel/net/ipv4/ipvs/ip_vs_ftp.ko
/lib/modules/2.6.18-274.17.1.el5/kernel/net/ipv4/ipvs/ip_vs_lblc.ko
/lib/modules/2.6.18-274.17.1.el5/kernel/net/ipv4/ipvs/ip_vs_lblcr.ko
/lib/modules/2.6.18-274.17.1.el5/kernel/net/ipv4/ipvs/ip_vs_lc.ko
/lib/modules/2.6.18-274.17.1.el5/kernel/net/ipv4/ipvs/ip_vs_nq.ko
/lib/modules/2.6.18-274.17.1.el5/kernel/net/ipv4/ipvs/ip_vs_rr.ko
/lib/modules/2.6.18-274.17.1.el5/kernel/net/ipv4/ipvs/ip_vs_sed.ko
/lib/modules/2.6.18-274.17.1.el5/kernel/net/ipv4/ipvs/ip_vs_sh.ko
/lib/modules/2.6.18-274.17.1.el5/kernel/net/ipv4/ipvs/ip_vs_wlc.ko
/lib/modules/2.6.18-274.17.1.el5/kernel/net/ipv4/ipvs/ip_vs_wrr.ko

根据内核版本下载安装相应的ipvsadm:

ln -s /usr/src/kernels/2.6.18-274.17.1.el5-x86_64/ /usr/src/linux
wget http://www.linuxvirtualserver.org/software/kernel-2.6/ipvsadm-1.24.tar.gz
tar zxvf ipvsadm-1.24.tar.gz
cd ipvsadm-1.24
make
make install

也可使用yum直接安装:

yum install ipvsadm

安装Keepalived:

wget http://www.keepalived.org/software/keepalived-1.1.19.tar.gz
tar zxvf keepalived-1.1.19.tar.gz 
cd keepalived-1.1.19
./configure --sysconf=/etc/ --with-kernel-dir=/usr/src/kernels/2.6.18-274.17.1.el5-x86_64/
make
make install
ln -s /usr/local/sbin/keepalived /sbin/keepalived

主LVS配置keepalived:

! Configuration File for keepalived

global_defs {
   notification_email {
     admin@www.haiyun.me
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.1.6
    }
}

virtual_server 192.168.1.6 80 {
    delay_loop 6
    lb_algo rr
    lb_kind NAT
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP

    real_server 192.168.1.12 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    }

    real_server 192.168.1.13 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            nb_get_retry 3
            delay_before_retry 3
        }
    } 
}

启动keepalived,同时会在主LVS绑定VIP:

/etc/init.d/keepalived start
ip add show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:e7:cc:3b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global eth0
    inet 192.168.1.6/32 scope global eth0

查看当前LVS参数:

ipvsadm -L
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.6:http rr
  -> 192.168.1.12:http            Route   1      0          0         
  -> 192.168.1.13:http            Route   1      0          0      

复制主keepalived到备LVS,修改以下参数:

state BACKUP
priority 90

应用服务器增加虚拟VIP:

#!/bin/bash
VIP=192.168.1.6
. /etc/rc.d/init.d/functions
case "$1" in
start)
ifconfig lo:0 $VIP netmask 255.255.255.255 broadcast $SNS
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
sysctl -p >/dev/null 2>&1
echo "RealServer Start OK"
;;
stop)
ifconfig lo:0 down
echo "0" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "0" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "0" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "0" >/proc/sys/net/ipv4/conf/all/arp_announce
echo "RealServer Stoped"
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
esac

测试LVS故障切换,停止主LVS上keepalived服务:

/etc/init.d/keepalived stop

查看备LVS已经接管为主LVS:

tail -n 10 /var/log/message
Jul 14 20:30:28 centos5 Keepalived_vrrp: VRRP_Instance(VI_1) Transition to MASTER STATE
Jul 14 20:30:29 centos5 Keepalived_vrrp: VRRP_Instance(VI_1) Entering MASTER STATE
Jul 14 20:30:29 centos5 Keepalived_vrrp: VRRP_Instance(VI_1) setting protocol VIPs.
Jul 14 20:30:29 centos5 Keepalived_vrrp: VRRP_Instance(VI_1) Sending gratuitous ARPs on eth0 for 192.168.1.6

应用服务器故障测试,停止其中之一httpd服务:

/etc/init.d/httpd stop

查看keepalved日志已将出错服务器移除并邮件报警:

tail -n 10 /var/log/message
Jul 14 21:36:18 centos5 Keepalived_healthcheckers: TCP connection to [192.168.1.12:80] failed !!!
Jul 14 21:36:18 centos5 Keepalived_healthcheckers: Removing service [192.168.1.12:80] from VS [192.168.1.6:80]
Jul 14 21:36:18 centos5 Keepalived_healthcheckers: Remote SMTP server [127.0.0.1:25] connected.
ipvsadm -L
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.1.6:http rr
  -> 192.168.1.13:http            Route   1      0          0    

Linux禁止atime提高IO性能

发布时间:July 17, 2012 // 分类:系统调优 // No Comments

Linux服务器当访问文件或目录的时候会同步更新atime,如果服务器业务较大会给磁盘带来很大的负担,可以修改挂载参数不写入访问时间。

cat /etc/fstab
/dev/VolGroup00/LogVol00 /                       ext3    defaults,noatime,nodiratime        1 1

重新挂载磁盘分区:

mount -o remount /

查看当前挂载参数:

 mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw,noatime,nodiratime)

Windows安全设置IIS防WebShell木马

发布时间:July 17, 2012 // 分类:IIS // No Comments

1.ASP环境禁用Webshell危险的组件:

regsvr32 /u wshom.ocx
#卸载WScript.Shell 组件 
regsvr32 /u shell32.dll
#卸载Shell.application 组件
regsvr32 /u scrrun.dll
#卸载FSO对象
regsvr32 /u msado15.dll
#卸载stream对象

2.ASPX环境调整ASP.NET信任级别,ASPX运行ASPXspy之类的木马会出现错误信息:
编辑Framework配置文件:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config

修改为:

    <location allowOverride="false"> #禁止用户自定义级别
        <system.web>
            <securityPolicy>
                <trustLevel name="Full" policyFile="internal"/>
                <trustLevel name="High" policyFile="web_hightrust.config"/>
                <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
                <trustLevel name="Low" policyFile="web_lowtrust.config"/>
                <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
            </securityPolicy>
            <trust level="High" originUrl=""/> #级别为高,默认为完全
            <identity impersonate="true" />
        </system.web>
    </location>

ASP.NET各信任级别权限如下:

完全:无限制的权限。应用程序可访问任何属于操作系统安全范围的资源。支持所有的特权操作;
高:不能调用未托管代码、不能调用服务组件、写入事件日志、访问 Microsoft 消息队列、访问 OLE DB 数据源;
中:除上述限制外,还限制访问当前应用程序目录中的文件,不允许访问注册表;
低:除上述限制外,应用程序不能与 SQL Server 连接,代码不能调用 CodeAccessPermission.Assert(无断言安全权限);
最低:仅有执行权限。

高级别禁止读取注册表,编辑高级别配置文件:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web_hightrust.config

删除注册表权限:

#https://www.haiyun.me
<SecurityClass Name="RegistryPermission" Description="System.Security.Permissions.RegistryPermission, 
mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

然后配置IIS为net为2.0版本,重启IIS。

cd C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 
aspnet_regiis -i

iis切换net版本.png
单一禁止IISSPY还可修改以下文件权限:

/windows/system32/activeds.tlb
#去除文件Users组和Power Users组读取权限

Windows 2008R2中文及多国语言包下载

发布时间:July 17, 2012 // 分类:Windows // No Comments

Windows 2008R2语言包官方下载:http://www.microsoft.com/zh-cn/download/details.aspx?id=2634

Openwrt下安装配置wallproxy所需环境

发布时间:July 16, 2012 // 分类:OpenWrt // 1 Comment

Wallproxy类似于GoAgent部署在GAE上的代理软件,在openwrt下使用所需环境:

opkg udate
opkg install python pyopenssl python-openssl python-crypto
分类
最新文章
最近回复
  • crowjin: 你确定这能过滤??不是所有请求都返回空地址::?
  • : linux系统上单个网卡多条宽带拨号获取公网IP,外网可以访问这些IP,有偿! Q:25299...
  • 硅谷少年: 非常有用,感谢分享
  • spartan2: https://dashboard.hcaptcha.com/welcome_accessib...
  • 海运: 应该能,在购买页面先手工跳过cf机器验证,后续一定时间内不更换ip应该不会再次验证。
  • spartan: 大佬斯巴达开启了CF的机器识别验证,请问插件能自动跳过吗? 另外这个脚本有没有简单使用说明,新...
  • vincent: 膜拜大佬
  • 海运: proxy-header或proxy_protocol
  • liangjw: 如果是 内部调用 或者 中间存在 代理 而上一个代理又在内网 ,那怎么处理来自代理私有IP?
  • chainofhonor: 感谢,用dnsmasq设置自动判断BIOS和UEFI成功了