Created
April 23, 2014 03:20
-
-
Save liuyu/11201808 to your computer and use it in GitHub Desktop.
Puppet LB负载均衡器部署
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 15.3.3 Puppet LB负载均衡器部署 | |
| 负载均衡器puppetlb.domain.com负责转发请求,为此只需要配置Nginx,通过location 处理Catalog相关的请求。配置Nginx的虚拟主机内容如下: | |
| upstream puppet-production { | |
| server 10.210.213.217:8140; | |
| } | |
| server { | |
| listen 8140 ssl; | |
| server_name puppet.domain.com; | |
| access_log /var/log/nginx/puppet_access.log; | |
| error_log /var/log/nginx/puppet_error.log; | |
| ssl_protocols SSLv3 TLSv1; | |
| ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP; | |
| proxy_set_header X-SSL-Subject $ssl_client_s_dn; | |
| proxy_set_header X-Client-DN $ssl_client_s_dn; | |
| proxy_set_header X-Client-Verify $ssl_client_verify; | |
| client_max_body_size 100m; | |
| client_body_buffer_size 1024k; | |
| proxy_buffer_size 100m; | |
| proxy_buffers 8 100m; | |
| proxy_busy_buffers_size 100m; | |
| proxy_temp_file_write_size 100m; | |
| proxy_read_timeout 500; | |
| ssl on; | |
| ssl_session_timeout 5m; | |
| ssl_certificate /var/lib/puppet/ssl/certs/puppet.domain.com.pem; | |
| ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem; | |
| ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem; | |
| ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem; | |
| ssl_verify_client optional; | |
| ssl_prefer_server_ciphers on; | |
| ssl_verify_depth 1; | |
| ssl_session_cache shared:SSL:128m; | |
| location / { | |
| proxy_redirect off; | |
| proxy_pass https://puppet-production; | |
| } | |
| } | |
| 以上代码的详解如下: | |
| • upstream, 定义负载均衡设备IP,如果后端有多台时还可以通过(down、weight、max_fails、fail_timeout、backup)设置不同后端设备的状态 | |
| • proxy, 将服务器上接收到的用户信息传到后端服务器 | |
| • ssl ,配置证书相关文件,这里的证书由CA服务器生成 | |
| • l ocation,代理转发所有请求,需要注意proxy_pass是转发HTTPS请求 | |
| 如果负载均衡服务器与CA服务器部署在同一台,Nginx的配置需要代理CA请求至本地puppet master。配置文件参考如下: | |
| location /production/certificate/{ | |
| proxy_pass http://local'ip:8141; | |
| types { } | |
| default_type application/x-raw; | |
| } | |
| location /production/certificate_request/{ | |
| proxy_pass http://local'ip:8141; | |
| types { } | |
| default_type application/x-raw; | |
| } | |
| location /production/certificate_revocation_list/{ | |
| proxy_pass http://local'ip:8141; | |
| types { } | |
| default_type application/x-raw; | |
| } | |
| location /{ | |
| proxy_store off; | |
| proxy_pass http://puppet-production; | |
| } | |
| 注意,修改local'ip为生产环境中的本地服务器IP。 | |
| 这时proxy_pass只需要配置http代理即可,后端所有Puppet Master服务器也不需要配置ssl等。配置参考如下: | |
| server{ | |
| listen local'ip:8140; | |
| root /etc/puppet/rack/public; | |
| passenger_enabled on; | |
| passenger_use_global_queue on; | |
| } | |
| 15.3.4 Puppet Master服务器部署 | |
| Puppet Master服务器部署时需要在主配置文件puppet.conf添加客户端ssl header配置选项,以便能获取到客户端的请求信息。同时还需要配置关闭ca请求。 | |
| 1) Puppet主配置文件puppet.conf: | |
| [master] | |
| certname = puppet.domain.com | |
| ca = false | |
| ssl_client_verify_header = HTTP_X_CLIENT_VERIFY | |
| ssl_client_header = HTTP_X_CLIENT_DN | |
| 2) 增加Nginx虚拟主机: | |
| server { | |
| listen 8140 ssl; | |
| server_name puppet.domain.com; | |
| passenger_enabled on; | |
| passenger_use_global_queue on; | |
| passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn; | |
| passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify; | |
| proxy_buffer_size 4000k; | |
| proxy_buffering on; | |
| proxy_buffers 32 1280k; | |
| proxy_busy_buffers_size 17680k; | |
| client_max_body_size 10m; | |
| client_body_buffer_size 4096k; | |
| access_log /var/log/nginx/puppet_access.log; | |
| error_log /var/log/nginx/puppet_error.log; | |
| root /etc/puppet/rack/public; | |
| ssl off; | |
| ssl_session_timeout 5m; | |
| ssl_certificate /var/lib/puppet/ssl/certs/puppet.domain.com.pem; | |
| ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem; | |
| ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem; | |
| ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem; | |
| ssl_verify_client optional; | |
| ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA; | |
| ssl_prefer_server_ciphers on; | |
| ssl_verify_depth 1; | |
| ssl_session_cache shared:SSL:128m; | |
| # File sections | |
| location /production/file_content/files/ { | |
| types { } | |
| default_type application/x-raw; | |
| alias /etc/puppet/files/; | |
| } | |
| } | |
| 配置完成后启动Nginx: | |
| /etc/init.d/nginx start | |
| 15.3.5 Puppet客户端配置 | |
| 在Puppet客户端需要指定CA服务器与Puppet Master请求的域名。证书域名为puppetca.domain.com,在获取证书与授权认证时通过该域名发起请求。Master的域名是puppet.domain.com,此域名通过CA服务器授权证书在负载均衡器与后端Puppet Master上都存在,负载均衡器通过转发请求至不同的Puppet Master处理。 | |
| 1) Puppet主配置文件puppet.conf: | |
| [agent] | |
| masterport = 8140 | |
| environment = production | |
| server = puppet.domain.com | |
| ca_server = puppetca.domain.com | |
| 2) 执行puppet命令 | |
| $ puppet agent --test --server puppet.domain.com | |
| 15.3.6 验证架构 | |
| 为验证请求可以分别在负载均衡器与后端Puppet Master上通过抓包查看请求过程,分别在Puppet LB和Puppet Master上运行命令如下: | |
| tcpdump -s 1024 -l -A port 8140 -i eth0 -vvvv | |
| 如果要想验证Puppet Agent认证过程,可以先取消客户端的认证,重新发起认证请求即可。 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment