HAproxy+varnish动静分离部署wordpress

author：JevonWei

版权声明：原创作品

---

实验背景：将wordpress应用部署在后端服务器上，使用HAProxy做代理服务器，Varnish做缓存服务器，后端有四台web服务器，web1和web2服务器组成一个动态资源组dynsrvs，web3和web4服务器组成静态资源组stasrvs，Varnish用来缓存静态资源组stasrvs的数据； 受条件限制，在此使用web虚拟主机做为物理主机使用，使用NFS共享wordpress文件，wordpress与mysql为同一主机

实验目的：为了提高应用的访问速度和访问承载量，使用HAProxy技术做负载均衡，使用HAProxy的ACL访问控制实现动静分离的效果，将动态资源存放在动态web组中，将静态资源存放在静态资源组中，为了提高访问速度，在静态服务器组和代理服务器之间使用了缓存服务器做数据缓存

网络拓扑图

环境：

HAProxy 172.16.252.82
dynsrvs为后端动态网页web组
    web1：172.16.252.92:80
    web2：172.16.252.92:8080
stasrvs为后端静态网页web组
    web3：172.16.253.67：80
    web4：172.16.253.67：8080
Varnish   172.16.252.100
NFS+Mysql 172.16.252.103

配置后端动态web组

[root@dynsrvs ~]# yum -y install httpd php  php-mysql
[root@dynsrvs ~]# mkdir /data/web/vhost{1,2} -pv

编辑动态php的测试页面

[root@dynsrvs ~]# vim /data/web/vhost1/index.php
<h1> Application Server 1</h1>
<?php
    phpinfo();
?>
[root@dynsrvs ~]# vim /data/web/vhost2/index.php
<h1> Application Server 2</h1>
<?php
    phpinfo();
?>

配置后端web主机

[root@dynsrvs ~]# vim /etc/httpd/conf.d/vhost1.conf
<VirtualHost *:80>
    ServerName web1.danran.com
    DocumentRoot "/data/web/vhost1"
    <Directory "/data/web/vhost1">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Listen 8080
<VirtualHost *:8080>
    ServerName web2.danran.com
    DocumentRoot "/data/web/vhost2"
    <Directory "/data/web/vhost2">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

访问测试php动态页面

http://172.16.252.92/

http://172.16.252.92/:8080

配置后端动态web组

[root@stasrvs ~]# yum -y install httpd
[root@stasrvs ~]# iptables -F
[root@stasrvs ~]# setenforce  0
[root@stasrvs ~]#  mkdir -pv /data/web/vhost{1,2}
[root@stasrvs ~]# mkdir /data/web/vhost1/png
[root@stasrvs ~]# mkdir /data/web/vhost2/png
复制静态资源做测试
[root@stasrvs ~]# find /usr/share/ -iname "*.jpg" -exec cp {} /data/web/vhost1/png/ \;
[root@stasrvs ~]# find /usr/share/ -iname "*.jpg" -exec cp {} /data/web/vhost2/png/ \;
[root@stasrvs ~]# vim /data/web/vhost1/index.html
<h1> Image Server 1 </h1>
[root@stasrvs ~]# vim /data/web/vhost2/index.html
<h1> Image Server 2 </h1>

配置虚拟主机

[root@stasrvs ~]# vim  /etc/httpd/conf.d/vhost1.conf
<VirtualHost *:80>
    ServerName web3.danran.com
    DocumentRoot "/data/web/vhost1"
    <Directory "/data/web/vhost1">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
[root@stasrvs ~]# vim  /etc/httpd/conf.d/vhost2.conf
Listen 8080
<VirtualHost *:8080>
    ServerName web4.danran.com
    DocumentRoot "/data/web/vhost1"
    <Directory "/data/web/vhost1">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
[root@stasrvs ~]# systemctl start httpd.service

访问测试静态页面

http://172.16.252.67/png/3.jpg

http://172.16.252.67:8080/png/3.jpg

配置NFS+Mysql

Mysql

[root@mysql ~]# yum -y install mariadb-server
[root@mysql ~]# systemctl start mariadb
[root@mysql ~]# systemctl enable mariadb
[root@mysql ~]# systemctl disable firewalld
[root@mysql ~]# systemctl stop firewalld
[root@mysql ~]# iptables -F 关闭防火墙
[root@mysql ~]# setenforce 0
创建数据库账号
[root@mysql ~]# mysql_secure_installation   \\数据库安全初始化
[root@mysql ~]# mysql -uroot -hlocalhost -p
MariaDB [(none)]> create database blog;
MariaDB [(none)]> grant all on blog.* to blog@'172.16.%.%' identified by 'blog'; 
登录测试
[root@mysql ~]# mysql -ublog -h172.16.252.103 -p
添加防火墙，仅允许RS1和RS2及自己本身连接数据库
[root@mysql ~]# iptables -A INPUT -s 172.16.252.92 -p tcp --dport 3306 -j ACCEPT
[root@mysql ~]# iptables -A INPUT -s 172.16.252.67 -p tcp --dport 3306 -j ACCEPT
[root@mysql ~]# iptables -A INPUT -s 172.16.252.103 -p tcp --dport 3306 -j ACCEPT
[root@mysql ~]# iptables -A INPUT -j REJECT

NFS

[root@NFS ~]# iptables -F
[root@NFS ~]# setenforce 0
[root@NFS ~]# rpm -ql nfs-utils
package nfs-utils is not installed
[root@NFS ~]# yum -y install nfs-utils
将wordpress程序包解压缩
[root@NFS ~]# tar xf wordpress-4.8-zh_CN.tar.gz -C /app
[root@NFS ~]# cd /app/wordpress
[root@NFS wordpress]# cp wp-config-sample.php wp-config.php
[root@NFS ~]# chmod o+w /app/blog/wp-config.php
[root@NFS wordpress]# vim wp-config.php
/** WordPress数据库的名称 */
define('DB_NAME', 'blog');
/** MySQL数据库用户名 */
define('DB_USER', 'blog');
/** MySQL数据库密码 */
define('DB_PASSWORD', 'blog');
/** MySQL主机 */
define('DB_HOST', '172.16.252.103');
创建与dynsrvs和stasrvs主机上相同UID的apache用户
[root@NFS blog]# useradd -u 48 -r -s /sbin/nologin apache    \\dynsrvs和stasrvs的apache用户UID为48
修改blog目录的属组，从而使apache用户对blog有读写权限
[root@NFS app]# useradd -u 48 -r -s /sbin/nologin apache
[root@NFS app]# chown -R apache:apache blog/
[root@NFS app]# ll -d blog/
drwxr-xr-x. 2 apache apache 6 Sep  8 13:12 blog/
配置NFS
[root@NFS ~]# vim /etc/exports
/app/blog    172.16.252.0/24(rw,all_squash,anonuid=48,anongid=48)  \\all_squash为压缩所有用户名，anonuid意为压缩为UID为48的用户，anongid组压缩为GID为48的组
[root@NFS ~]# systemctl start nfs-server

dynsrvs和stasrvs服务器挂载NFS共享目录

stasrvs

[root@stasrvs ~]# yum -y install nfs-utils
[root@stasrvs ~]# cd /data/web/vhost2/
[root@stasrvs vhost2]# mkdir blog
[root@stasrvs vhost2]# chmod o+w blog
[root@stasrvs ~]# vim /etc/fstab
172.16.252.103:/app/blog  /data/web/vhost2/blog  nfs defaults 0 0
[root@stasrvs ~]# mount -a
[root@stasrvs ~]# df 
将web1的根文件路径修改为/data/web/vhost2，同web2路径一致
[root@stasrvs vhost1]# vim /etc/httpd/conf.d/vhost1.conf
<VirtualHost *:80>
    ServerName web3.danran.com
    DocumentRoot "/data/web/vhost2"
    <Directory "/data/web/vhost2">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
[root@stasrvs ~]# systemctl restart httpd

dynsrvs

[root@dynsrvs ~]# yum -y install nfs-utils
[root@dynsrvs ~]# cd /data/web/vhost2/
[root@dynsrvs vhost2]# mkdir blog
[root@dynsrvs vhost2]# chmod o+w blog
[root@dynsrvs ~]# vim /etc/fstab
172.16.252.103:/app/blog  /data/web/vhost2/blog  nfs defaults 0 0
[root@dynsrvs ~]# mount -a
[root@dynsrvs ~]# df 
将web1的根文件路径修改为/data/web/vhost2，同web2路径一致
[root@stasrvs vhost1]# vim /etc/httpd/conf.d/vhost1.conf
<VirtualHost *:80>
    ServerName web1.danran.com
    DocumentRoot "/data/web/vhost2"
    <Directory "/data/web/vhost2">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
[root@dynsrvs ~]# systemctl restart httpd

HAProxy

安装HAProxy

[root@haproxy ~]# yum -y install haproxy
[root@haproxy ~]# rpm -ql haproxy
[root@haproxy ~]# iptables -F
[root@haproxy ~]# setenforce 0
[root@haproxy ~]# systemctl enable haproxy
[root@haproxy ~]# cp /etc/haproxy/haproxy.cfg{,.bak}

配置HAProxy代理

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
    rspadd  X-Via:\ HAProxy-1
    rspidel Server.*
    acl static path_end .jpg .jpeg .png .gif .txt .html
    acl static path_beg -i /images /static
    use_backend staticsrvs  if static
    default_backend dynsrvs
backend dynsrvs
    balance uri
    option      forwardfor header X-Client
    server dynsrv1 172.16.252.92:80 check cookie dynsrv1
    server dynsrv2 172.16.252.92:8080 check cookie dynsrv2
    hash-type consistent
backend staticsrvs
    option      forwardfor header X-Client
    balance uri
    server staticsrv1 172.16.252.67:80 check
    server staticsrv2 172.16.252.67:8080 check
    hash-type consistent
listen status
    bind *:9009
    acl auth_admin src 172.16.251.196
    stats enable
    stats uri /myhaproxy?status
    stats realm HAProxy\ Admin\ Area
    stats auth admin:admin
    stats admin if auth_admin
[root@haproxy ~]# systemctl restart haproxy

测试HAProxy的状态页

http://172.16.252.82:9009/myhaproxy?status

Varnish

[root@varnish ~]# yum -y install varnish
[root@varnish ~]# iptables -F
[root@varnish ~]# setenforce 0
[root@varnish ~]# vim /etc/varnish/varnish.params
VARNISH_LISTEN_PORT=80 \\监听端口为80，默认为6081
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1 \\监听管理接口的IP，默认为本机
VARNISH_ADMIN_LISTEN_PORT=6082 \\管理接口的端口，默认为6082
VARNISH_SECRET_FILE=/etc/varnish/secret \\认证密码文件
#DAEMON_OPTS="-p thread_pool_min=5 -p thread_pool_max=500 -p thread_pool_timeout=300" \\定义运行时参数
[root@varnish ~]# vim /etc/varnish/default.vcl
import directors;  # 导入负载均衡模块
probe healthchk {    # 配置健康状态检查
    .url = "/.healthchk.html";   # 检查状态检查的URL
    .timeout = 2s; # 超时时间
    .interval = 2s;# 每2秒检查一次
    .window = 8; # 一共检查的次数
    .threshold = 5; # 如果大于4次则为健康
}
# Default backend definition. Set this to point to your content server.
backend imgsrv1 {  # 配置后端主机
    .host = "172.16.252.67";
    .port = "80";
    .probe = healthchk;
}
backend imgsrv2 {  # 配置后端主机
    .host = "172.16.252.67";
    .port = "8080";
    .probe = healthchk;
}
sub vcl_init {  # 初始化负载均衡
    new imgsrvs = directors.round_robin();
    imgsrvs.add_backend(imgsrv1);
    imgsrvs.add_backend(imgsrv2);
}
sub vcl_recv {
    if (req.url ~ "(?i)\.(jpg|jpeg|png|gif|svg|txt|html|css|js)$") {
    set req.backend_hint = websrvs.backend();
    }
    if (req.restarts == 0) {
    if (req.http.X-Fowarded-For) {
       set req.http.X-Forwarded-For = req.http.X-Forwarded-For + "," + client.ip;
    } else {
       set req.http.X-Forwarded-For = client.ip;
    }
}
sub vcl_deliver {
    if (obj.hits > 0) {
        set resp.http.X-Cache = " Hit via " + server.ip;
    } else {
        set resp.http.X-Cache = " Miss  via " + server.ip;
    }
}
[root@varnish ~]# systemctl start varnish

修改HAproxy配置文件，使HAproxy调用Varnish服务器

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
backend staticsrvs
    option      forwardfor header X-Client
    balance uri
    server staticsrv1  172.16.252.100:80 check
    hash-type consistent
[root@haproxy ~]# systemctl restart haproxy

访问测试

http://172.16.252.82/blog/