关于内网主备+https

先openssl证书

整体流程为：
1、页面访问为https，在电脑修改hosts文件，如域名为 babaozhou.com, 则配置为 ip1 babaozhou.com，ip2 babaozhou.com；
也就是说同域名关联两个ip，这样如果服务器1ping不通了则可以自动切换到ip2，避免服务器连不上问题；
2、nginx -V,查看是否支持openssl
用keepalived+nginx；当主服务进程停掉后可以立马切换到备；

更改keepalived.conf，位置在/etc/keepalived/

当前主的配置

! Configuration File for keepalivedglobal_defs {notification_email {acassen@firewall.locfailover@firewall.locsysadmin@firewall.loc}notification_email_from Alexandre.Cassen@firewall.locsmtp_server 192.168.254.136 83   //这里为需要切的ip 端口，其中254要与当前保持一致smtp_connect_timeout 30router_id LVS_DEVELvrrp_skip_check_adv_addrvrrp_garp_interval 0vrrp_gna_interval 0
}vrrp_script chk_http_port {script "/usr/local/src/nginx_check.sh"		//脚本位置interval 2weight 2
}vrrp_instance VI_1 {state MAXTER		//MAXTER  为主interface enp7s0f1		//interface要一致 ip -a 查看一下，要与当前服务器保持一直virtual_router_id 51priority 100advert_int 1authentication {auth_type PASSauth_pass 1111}virtual_ipaddress {192.168.254.100 83			//虚拟ip 端口，直接暴露出来的}
}

创建文件 nginx_check.sh，内容如下，放到 /usr/local/src/

#!binbash
A=`ps -C nginx –no-header wc -l`
if [ $A -eq 0 ];thenusrlocalnginxsbinnginxsleep 2if [ `ps -C nginx --no-header wc -l` -eq 0 ];thenkillall keepalivedfi
fi

备

! Configuration File for keepalivedglobal_defs {notification_email {acassen@firewall.locfailover@firewall.locsysadmin@firewall.loc}notification_email_from Alexandre.Cassen@firewall.locsmtp_server 192.168.254.138 83		//备服务ip 端口smtp_connect_timeout 30router_id LVS_DEVELvrrp_skip_check_adv_addrvrrp_garp_interval 0vrrp_gna_interval 0
}vrrp_script chk_http_port {script "/usr/local/src/nginx_check.sh"	//脚本位置，内容位置与上面一样interval 2weight 2
}vrrp_instance VI_1 {state BACKUP		//BACKUP 为备interface enp11s0f0				//interface要一致 ip -a 查看一下，要与当前服务器保持一直	virtual_router_id 51priority 90advert_int 1authentication {auth_type PASSauth_pass 1111}virtual_ipaddress {192.168.254.100 83			//虚拟IP地址  端口}
}

nginx

   server {listen       443 ssl;server_name  www.sky.com;ssl_certificate /root/CA/root/server.crt;ssl_certificate_key /root/CA/root/server.key;ssl_session_cache shared:SSL:10m;ssl_session_timeout  10m;ssl_ciphers HIGH:!aNULL:!MD5;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_prefer_server_ciphers on;location / {proxy_pass http://192.168.254.100:83;  //该ip为keepalived虚拟ip}}//上面配置上一篇有讲//设置负载均衡 当86挂掉后自动切换到138； webname是随便起的upstream webname{server 192.168.254.86:9124;server 192.168.254.138:9124;}server {listen       83;server_name  _;location / {root    	/usr/local/src/dist;index 		index.html index.htm;}ssl_prefer_server_ciphers on;location ^~/api {rewrite ^/api/(.*)$ /$1 break; proxy_pass http://webname;   //对于配置的webname}}

hosts解决服务器连不上切换到备，keepalived解决 keepalived与nginx进程停止后自动切换到备，nginx负载均衡解决 后端停止自动切换到备；还有别的七七八八再记录