Foreman-porxy负载均衡搭建

本文接上篇puppet负载均衡的环境实验。

Foreman-proxy可以采用四层或者七层负载，都可以实现，在foreman的web界面添加一个smart-proxy，后端多个真实foreman-proxy处理的目的

个人采用的是haproxy实现的四层和七层代理，pm01和pm03是foreman-proxy服务器，ag01是foreman服务器，lvs是负载均衡服务器（vip在lvs01服务器上），上面代理了puppet，foreman-proxy业务。

5.1 Foreman-proxy七层负载均衡

因为七层在做https的代理时候，出现ssl证书验证问题，于是根据官方配置文件的提示，采用http代理，而不是https代理，同时将所有的ssl证书替换为lvs代理的ssl证书。

5.1.1 修改foreman-proxy配置文件

[root@pm01 puppet]# grep -v "#" /etc/foreman-proxy/settings.yml | grep -v "^$"

---

:settings_directory: /etc/foreman-proxy/settings.d

:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem

:ssl_certificate: /var/lib/puppet/ssl/certs/lvs.jq.com.pem

:ssl_private_key: /var/lib/puppet/ssl/private_keys/lvs.jq.com.pem

:trusted_hosts:

- pm01.jq.com

- pm02.jq.com

- pm03.jq.com

- ag01.jq.com

- ag02.jq.com

- ag03.jq.com

- ca01.jq.com

- ca02.jq.com

- lvs01.jq.com

- lvs02.jq.com

- pc.jq.com

- lvs.jq.com

:daemon: true

:bind_host: 0.0.0.0

:http_port: 8000 #默认此处为:https_port:8443

:virsh_network: default

:log_file: /var/log/foreman-proxy/proxy.log

:log_level: DEBUG

5.1.2 修改foreman-proxy的foreman配置文件

[root@pm01 puppet]# cat /etc/puppet/foreman.yaml

---

:url: "https://ag01.jq.com"

:ssl_ca: "/var/lib/puppet/ssl/certs/ca.pem"

:ssl_cert: "/var/lib/puppet/ssl/certs/lvs.jq.com.pem"

:ssl_key: "/var/lib/puppet/ssl/private_keys/lvs.jq.com.pem"

:user: ""

:password: ""

:puppetdir: "/var/lib/puppet"

:puppetuser: "puppet"

:facts: true

:timeout: 10

:threads: null

5.1.3 Haproxy代理配置

[root@lvs01 haproxy]# grep -v "#" /etc/haproxy/haproxy.cfg | grep -v "^$"

global

maxconn 40000

ulimit-n 500000

log 127.0.0.1 local0 info

uid 99

gid 99

chroot /tmp

daemon

defaults

log global

retries 2

option redispatch

option dontlognull

option httpclose

balance roundrobin

timeout connect 30000ms

timeout client 30000ms

timeout server 30000ms

timeout check 2000

listen admin_stats

bind 0.0.0.0:8080

mode http

stats refresh 5s

stats enable

stats hide-version

stats realm Haproxy\ Statistics

stats uri /haproxy

stats auth admin:password

listen puppetmaster *:8140

mode tcp

option ssl-hello-chk

balance source

server pm01 pm01.jq.com:8140 check inter 2000 fall 3

server pm03 pm03.jq.com:8140 check inter 2000 fall 3

frontend foremanproxy

bind 0.0.0.0:8000

mode http

log global

option httplog

reqadd X-Forwarded-Proto:\ https

default_backend web_server

backend web_server

mode http

log global

option httplog

balance source

cookie SERVERID insert indirect nocache

server pm01 pm01.jq.com:8000 check inter 2000 fall 3

server pm03 pm03.jq.com:8000 check inter 2000 fall 3

同时，foreman-proxy运行在8000端口，也是安全的，

上图可以看出，信息到了8000端口，最后还是https在处理。

5.2 Foreman-proxy四层负载均衡

四层采用的是https的代理，haproxy配置如下：

listen foreman-proxy *:8443

mode tcp

option ssl-hello-chk

option tcplog

# #balance source

balance roundrobin

# #balance source

server pm01 pm01.jq.com:8443 check inter 2000 fall 3

server pm03 pm03.jq.com:8443 check inter 2000 fall 3

5.3 foreman web添加smart_proxy

foreman web界面添加smart_proxy，只需要添加lvs服务器上的foreman-proxy即可，如下：

四层负载：

http://lvs.jq.com:8000

七层负载：

https://lvs.jq.com:8443

5.4 负载测试

采用分别停止pm01和pm03服务器上foreman-proxy进程的方式测试，每次测试之前删除foreman页面上的主机和smart_proxy，然后再在web添加foreman-proxy地址，在pm01，pm03,ag01上执行puppet agent -t，可以发现，主机成功添加到主机页面。

转载于:https://www.cnblogs.com/krainbow/p/4323195.html