浅谈Docker swarm+HAProxy/Nginx

就不废话了,直接画出系统逻辑架构图:docker-arch

这里有些问题简单交待一下:

  1. HAProxy/Nginx作为External network的入口
  2. Docker swarm是Internal network,不对外公开
  3. HAProxy/Nginx在配置Load Balance时,每个Server的定义仍然使用的是各Docker work nodes的IP地址(最大的提高性能),在Nginx中类似于下面的配置片断:
    upstream apache2{
    server 192.168.0.2:8080;
    server 192.168.0.3:8080;
    }
    
    server{
    listen 80;
    server_name apache.zhuoyue.me;
    location /{
    proxy_pass http://apache2;
    }
    }
  4. Docker swarm也有自己的Load Balance和Health check功能和规则,在上一项的描述中,我们也可以在Nginx中不去指定upstream,而让swarm去进行load balancing,那么在nginx就可以这样配置:
    server{
    listen 80;
    server_name apache.zhuoyue.me;
    location /{
    proxy_pass http://192.168.0.2:8080;
    }
    }

    但这种配置有一个缺点:那就是192.168.0.2这台host上的docker process不能halt。

  5. 那么整个docker swarm创建过程可能是这样的:
    1. 在docker manager node上创建了一个task:
      docker service create --name apache2 --publish 8080:80 --replicas 3 apache2

      我们创建了一个名为apache2的task,通过定义replicas=3创建了总计3个image name为apache2的containers, 并且它们暴露8080 port,用以映射container内部的apache httpd 的80端口

    2. 该service task被分配在2个work nodes上运行(IP地址分别为192.168.0.2, 192.168.0.3,其中192.168.0.2上会运行着2个container)
    3. 因为某不知名原因192.168.0.2中的2个apache2 container 都被halt,比如执行了命令
      docker stop containername

      然而在halt之前你是可以使用192.168.0.2:8080访问apache2

    4. 此时你以为无法再继续使用192.168.0.2:8080访问apache2了,但事实并非如此,因为worker node工作在swarm模式下,192.168.0.2:8080请求会被docker swarm ingress路由到一个可用的contianer上继续执行(192.168.0.3:8080),并且它不同于重定向,响应IP地址仍然是192.168.0.2:8080)

using nginx as http load balancer

Introduction

Load balancing across multiple application instances is a commonly used technique for optimizing resource utilization, maximizing throughput, reducing latency, and ensuring fault-tolerant configurations.

It is possible to use nginx as a very efficient HTTP load balancer to distribute traffic to several application servers and to improve performance, scalability and reliability of web applications with nginx.

Load balancing methods

The following load balancing mechanisms (or methods) are supported in nginx:

  • round-robin — requests to the application servers are distributed in a round-robin fashion,
  • least-connected — next request is assigned to the server with the least number of active connections,
  • ip-hash — a hash-function is used to determine what server should be selected for the next request (based on the client’s IP address).

Default load balancing configuration

The simplest configuration for load balancing with nginx may look like the following:

http {
    upstream myapp1 {
        server srv1.example.com;
        server srv2.example.com;
        server srv3.example.com;
    }

    server {
        listen 80;

        location / {
            proxy_pass http://myapp1;
        }
    }
}

In the example above, there are 3 instances of the same application running on srv1-srv3. When the load balancing method is not specifically configured, it defaults to round-robin. All requests are proxied to the server group myapp1, and nginx applies HTTP load balancing to distribute the requests. Continue reading “using nginx as http load balancer”

Nginx virtual host & php-fpm settings

共享我的当前VPS中关于nginx的一些设置,防止自己忘记了。

针对Nginx global的设置(没有写的,说明使用了默认的设置了):

#Nginx进程的用户名和用户组设置,最小权限原则
user www-data www-data;
#Nginx初始化工作进程数
worker_processes 4; 
#启用Nginx的核心安全策略,比如SQL注入,跨站之类
include /etc/nginx/naxsi_core.rules; 
#启用gzip压缩输出,对IE6禁用gzip
gzip on; 
gzip_disable "msie6";

针对Virtaul Host的设置:

首先看Reserve Proxy,

server { 
 ### server port and name ### 
 listen 443; 
 ssl on; 
 server_name ******.zhuoyue.me 
 ### SSL log files ### 
 access_log /var/log/nginx/ssl-access.log; 
 error_log /var/log/nginx/ssl-error.log; 
 
 ### SSL cert files ### 
 ssl_certificate /home/niyouzhu/nginxssl/server.crt; 
 ssl_certificate_key /home/niyouzhu/nginxssl/server.key; 
 
 ### Add SSL specific settings here ### 
 
 
 ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; 
 ssl_ciphers RC4:HIGH:!aNULL:!MD5; 
 ssl_prefer_server_ciphers on; 
 keepalive_timeout 60; 
 ssl_session_cache shared:SSL:10m; 
 ssl_session_timeout 10m; 
 
 ### We want full access to SSL via backend ### 
 location / {
 proxy_pass https://localhost:4200; 
 
 ### force timeouts if one of backend is died ## 
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; 
 
 ### Set headers #### 
 proxy_set_header Accept-Encoding ""; 
 proxy_set_header Host $host; 
 proxy_set_header X-Real-IP $remote_addr; 
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
 
 ### Most PHP, Python, Rails, Java App can use this header ### 
 #proxy_set_header X-Forwarded-Proto https;## 
 proxy_set_header X-Forwarded-Proto $scheme; 
 add_header Front-End-Https on; 
 proxy_redirect off; 
 }
 }

上面关于SSL自签名证书的创建,可以看我的另一篇文章:Ubuntu+LAMP+Nginx

再来看一般的Virtual Host设置, Continue reading “Nginx virtual host & php-fpm settings”

Ubuntu+LAMP+Nginx

好久没有玩linux了, 下午的时候有点时间, 搭了一套环境.

使用的VMware workstation安装的Ubuntu 12 Server, 网络连接使用的NAT, Remove掉了Floppy.

Host是Intel Core i5-4570 3.2GHz的64Bit CPU, Memory 是4G. 配置还可以, 故给VMware配置了1G的Memory, 20G的Disk.

Ubuntu的安装过程现在是越来越简单了, 过程也记不清了, 这里就不说了.  总之顺利安装成功.

Host 的IP是 192.168.82.81, Client的IP是192.168.206.129.

因为Company里有Security Audit, 所以需要通过Proxy才能上外网, 故第一步给Ubuntu设置代理服务器.

editor /etc/profile

添加:

http_proxy=http://192.168.88.80:3128
https_proxy=http://192.168.88.80:3128
ftp_proxy=http://192.168.88.80:3128
export http_proxy https_proxy ftp_proxy

然后Reboot.

OK, 可以上外网了. 现在开始更新apt源, 由于默认安装后的源是Ubuntu在国外的服务器, 非常慢, 所以先更改源地址:

editor /etc/apt/sources.list

然后在所有的archive.ubuntu.com前加上cn., 即: http://cn.archive.ubuntu.com/ubuntu/ , cn.archive.ubuntu.com 是由阿里巴巴维护的, 放在阿里云上, 速度是很快的.

下面开始 update source list:

atp-get update

下面开始安装VIM, 使用Editor编辑器实在不顺手:

apt-get install vim

下面开始安装LAMP:

tasksel install lamp-server

下面开始安装Nginx:

apt-get install nginx

下面开始安装phpMyAdmin:

apt-get install phpmyadmin

至此nginx+lamp+phpmyadmin安装结束. 现在要开始进行配置.

因为nginx会占用80端口, 所以apache将无法启动, 因为nginx是进行对外公布的load blancing, 所以nginx会占用80和443 两个端口. 所以先来修改apache的端口, 以及启用apache对于SSL的支持.

vim /etc/apache/prots.conf

将apache的监听http协议的端口改为8080, SSL协议的端口改为4433

NameVirtualHost *:8080
Listen 8080
NameVirtualHost *:4433

<IfModule mod_ssl.c>
Listen 4433
</IfModule>
<IfModule mod_gnutls.c>
Listen 4433
</IfModule>

然后切换目录到/etc/apache2/mods-enabled/

cd /etc/apache2/mods-enabled/

执行命令下面命令, 以启用apache对于SSL的支持:

ln -s ../mods-available/ssl.conf
ln -s ../mods-available/ssl.load

然后将apache自带的ssl站点进行启用:

cd /etc/apache2/sites-enabled/
ln -s ../sites-available/default-ssl

然后对000-default和default-ssl这2个virtual host进行端口更改:

vi /etc/apache2/sites-enabled/000-default
vi /etc/apache2/sites-enabled/default-ssl

将000-default中的VirtualHost *:80改为VirtualHost *:8080, 将default-ssl中的VirtualHost *:443改为VirtualHost *:4433

在Host上使用IE打开Http://192.168.206.129:8080和https://192.168.206.129:4433, 如果都可以打开, 说明apache的配置成功.

现在来配置nginx, 使其进行反向代理和负载均衡:

vi /etc/nginx/sites-enabled/default

需要分别配置http和https的load blancing, 其中192.168.82.81是Host上安装的IIS:

upstream loadblancing{
server 192.168.82.81:80;
server 127.0.0.1:8080;
}

upstream loadblancingssl{
server 192.168.82.81:443;
server 127.0.0.1:4433;
}

然后在server节点里, 将location节点修改为:

location /{
proxy_pass http://loadblancing;
}

然后定位到文件末页, 将关于Https Server的注释符号”#” 全拿掉, 使其启用.

并且将其location节点修改为:

location / {
https://loadblancingssl;
}

另外, 需要将ssl证书和key的位置进行修改, 在后面我们需要创建open ssl 证书:

ssl_certificate /root/server.crt;
ssl_certificate_key /root/server.key;

现在来创建openssl证书, 首先来创建私钥, 创建私钥的过程中会要求输入密码:

openssl
genrsa -aes256 -out server.key 1024

创完私钥, 来创建证书的请求文件:

openssl
req -new -key server.key -out server.csr

请求文件创建成功后, 我们来把私钥做个备份:

cp server.key server.key.bak

我们把带密码的key取消掉口令, 以便Nginx可以正常使用:

openssl
rsa -in server.key.bak -out server.key

然后我们使用x509来颁发证书, 得到证书文件server.crt :

openssl
x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

现在我们来重启Nginx:

/etc/init.d/nginx restart

OK, 结束. 现在可以在host上打开IE, 浏览http://192.168.206.129和https://192.168.206.129, 会发现相同的URL在点击刷新后, 不断出现不同的页面, 这是因为一个是Client上的Apache首页, 一个是Host上的IIS首页.