NETWORK & SEVER FACTORY

Personal study notes

Server/Linux

[Linux] Configuring a VIP with Haproxy & keepalived

1nfra 2022. 11. 26. 17:16

Hello ~

 

Today I set up redundant load balancing with Haproxy + keepalived.

 

- keepalived : manages the VIP and provides redundancy

- haproxy : load balancing

 

HOSTNAME        IP             PORT  DESC
VIP             192.168.1.200  -     haproxy Master,Backup
Haproxy_Master  192.168.1.201  80    keepalived+haproxy
Haproxy_Backup  192.168.1.202  80    keepalived+haproxy
Web_Master      192.168.1.104  80    Wordpress
Web_Backup      192.168.1.127  80    Wordpress

 


Configuring sysctl

root@Haproxy_Master:~ vi /etc/sysctl.conf
root@Haproxy_Backup:~ vi /etc/sysctl.conf

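# Kernel packet forwarding between interfaces; HAProxy proxies connections in user space and does not depend on it
net.ipv4.ip_forward = 1
# Allow binding to an address this host does not currently hold (the VIP on the standby node)
net.ipv4.ip_nonlocal_bind = 1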

1. Add the settings above to the sysctl.conf file on both the Haproxy Master and Backup.

 


Configuring haproxy

 

root@Haproxy_Master:~ apt-get install -y haproxy
root@Haproxy_Backup:~ apt-get install -y haproxy

 

2. Install haproxy on both the Haproxy Master and Backup.

 

root@Haproxy_Master:~ vi /etc/haproxy/haproxy.cfg

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option forwardfor
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend haproxy
        bind *:80
        mode http
        default_backend SERVER_WEB

backend SERVER_WEB
        balance roundrobin
        # server names must be unique within a backend
        server Web_Master 192.168.1.104:80 check
        server Web_Backup 192.168.1.127:80 check
        option httpchk GET /

3. Edit the haproxy.cfg file on Haproxy_Master as shown above.

 

root@Haproxy_Backup:~ vi /etc/haproxy/haproxy.cfg

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option forwardfor
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend haproxy
        bind *:80
        mode http
        default_backend SERVER_WEB

backend SERVER_WEB
        balance roundrobin
        # server names must be unique within a backend
        server Web_Master 192.168.1.104:80 check
        server Web_Backup 192.168.1.127:80 check
        option httpchk GET /

4. Edit the haproxy.cfg file on Haproxy_Backup as shown above.

 

root@Haproxy_Master:~ /etc/init.d/haproxy restart -f /etc/haproxy/haproxy.cfg
root@Haproxy_Backup:~ /etc/init.d/haproxy restart -f /etc/haproxy/haproxy.cfg

5. Finally, start Haproxy.

 


Configuring keepalived

 

root@Haproxy_Master:~ apt-get install -y keepalived
root@Haproxy_Backup:~ apt-get install -y keepalived

6. Install keepalived on both the Haproxy Master and Backup.

 

root@Haproxy_Master:~ vi /etc/keepalived/keepalived.conf

vrrp_instance VI_1 {
    state MASTER
    interface ens160
    virtual_router_id 50
    priority 100
    advert_int 1
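    # keepalived only applies nopreempt when the initial state is BACKUP; with state MASTER it is ignored
    nopreempt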
    authentication {
        auth_type PASS
        # PASS authentication travels in cleartext and only the first 8 characters are used
        auth_pass Password@
    }
    virtual_ipaddress {
        192.168.1.200
    }
}

7. Configure keepalived on the Haproxy Master.

 

root@Haproxy_Backup:~ cat /etc/keepalived/keepalived.conf

vrrp_instance VI_1 {
    state BACKUP
    interface ens160
    virtual_router_id 50
    # must be lower than the MASTER's priority (100)
    priority 50
    advert_int 1
    nopreempt
    authentication {
        auth_type PASS
        auth_pass Password@
    }
    virtual_ipaddress {
        192.168.1.200
    }
}

8. Configure keepalived on the Haproxy Backup.

 

The important point here is that the BACKUP priority must be set lower than the MASTER's.

 

root@Haproxy_Master:~ service keepalived start
root@Haproxy_Backup:~ service keepalived start

9. Finally, start keepalived.
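
A consistency check for the two keepalived.conf files configured in steps 7 and 8, as an added example that is not part of the original post. The helper names (`parse_vrrp`, `audit_pair`) and the finding labels are hypothetical; the sample configs reproduce the settings shown on this page.

```python
import re

# The two keepalived.conf files from this page, rebuilt from one template.
TEMPLATE = """vrrp_instance VI_1 {{
    state {state}
    interface ens160
    virtual_router_id 50
    priority {priority}
    advert_int 1
    nopreempt
    authentication {{
        auth_type PASS
        auth_pass Password@
    }}
    virtual_ipaddress {{
        192.168.1.200
    }}
}}"""
MASTER = TEMPLATE.format(state="MASTER", priority=100)
BACKUP = TEMPLATE.format(state="BACKUP", priority=50)

def parse_vrrp(conf):
    """Pull the fields that must agree between nodes out of keepalived.conf text."""
    inst = {"nopreempt": bool(re.search(r"^\s*nopreempt\b", conf, re.M))}
    for key in ("state", "virtual_router_id", "priority", "auth_type", "auth_pass"):
        m = re.search(rf"^\s*{key}\s+(\S+)", conf, re.M)
        inst[key] = m.group(1) if m else None
    vips = re.search(r"virtual_ipaddress\s*\{([^}]*)\}", conf)
    inst["vips"] = sorted(vips.group(1).split()) if vips else []
    return inst

def audit_pair(master_conf, backup_conf):
    """Return a list of findings for a MASTER/BACKUP pair (hypothetical helper)."""
    m, b = parse_vrrp(master_conf), parse_vrrp(backup_conf)
    findings = [f"mismatch:{k}" for k in ("virtual_router_id", "auth_type", "auth_pass", "vips")
                if m[k] != b[k]]
    # keepalived's default priority is 100 when the keyword is absent
    if int(b["priority"] or 100) >= int(m["priority"] or 100):
        findings.append("backup-priority-not-lower")
    for role, inst in (("master", m), ("backup", b)):
        if inst["nopreempt"] and inst["state"] == "MASTER":
            findings.append(f"{role}:nopreempt-ignored-with-state-MASTER")
        if inst["auth_type"] == "PASS":
            findings.append(f"{role}:auth-pass-cleartext")
            if len(inst["auth_pass"] or "") > 8:
                findings.append(f"{role}:auth-pass-truncated-to-8")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_pair(MASTER, BACKUP)))
```
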

 


All configuration is now complete.

 

Once the configuration is done, checking the IP addresses shows that the VIP 192.168.1.200 has been added on Haproxy_Master.

 

As a test, let's restart Haproxy_Master.

 

 

The VIP comes up and works normally on Haproxy_Backup, and with that I'll wrap up.
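
The failover check above can be scripted; the following is an added example, not part of the original post. It reads `ip -o -4 addr show dev ens160` output collected from each node and reports which node holds the VIP, including the case where both nodes hold it because VRRP advertisements are not reaching the peer. The function names and the sample output are constructed for illustration.

```python
import ipaddress

def sample(*cidrs):
    """Build constructed `ip -o -4 addr show dev ens160` output for the given addresses."""
    return "".join(
        f"2: ens160    inet {c} scope global ens160\\       valid_lft forever preferred_lft forever\n"
        for c in cidrs)

def holds_vip(ip_addr_output, vip):
    """True if the output lists vip as a configured address (exact match, not substring)."""
    target = ipaddress.ip_address(vip)
    for line in ip_addr_output.splitlines():
        fields = line.split()
        if "inet" in fields:
            addr = fields[fields.index("inet") + 1].split("/")[0]
            if ipaddress.ip_address(addr) == target:
                return True
    return False

def vip_state(outputs, vip):
    """Classify the cluster from a {node name: ip output} mapping."""
    holders = sorted(node for node, out in outputs.items() if holds_vip(out, vip))
    if not holders:
        return "DOWN: no node holds the VIP"
    if len(holders) > 1:
        return "SPLIT-BRAIN: " + ",".join(holders)
    return "OK: " + holders[0]

VIP = "192.168.1.200"
# Constructed state before the restart: the VIP sits on Haproxy_Master.
BEFORE = {"Haproxy_Master": sample("192.168.1.201/24", "192.168.1.200/32"),
          "Haproxy_Backup": sample("192.168.1.202/24")}
# Constructed state while Haproxy_Master restarts: the VIP has moved to Haproxy_Backup.
AFTER = {"Haproxy_Master": sample("192.168.1.201/24"),
         "Haproxy_Backup": sample("192.168.1.202/24", "192.168.1.200/32")}

if __name__ == "__main__":
    print(vip_state(BEFORE, VIP))
    print(vip_state(AFTER, VIP))
```
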

 

Thank you.
