add

2-生产环境4.0/负载均衡服务器/to-do.md

@@ -0,0 +1,2 @@
+1. 证书
+2. 去掉IP

2-生产环境4.0/负载均衡服务器/update-nginx.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+
+if [[ $( ip addr | grep -c "192.168.148.131") -eq 1 ]]; then
+    echo "当前主机为 主loadbalancer节点！ 当前时间为 $(date) "
+
+    chown -R nginx:nginx /etc/nginx/
+
+
+    cd /etc/nginx/ && nginx -t
+    cd /etc/nginx/conf.d/ && nginx -t
+
+    if [[  $? -ne  0 ]]; then
+
+        echo "nginx conf is wrong ! please check !"
+        return 23
+    fi
+
+    echo "start to sync nginx conf to another nginx node"
+    rclone sync /etc/nginx/ loadbalancer:/etc/nginx/
+
+
+    echo "start to restart this-self and another nginx conf"
+    systemctl restart nginx
+    ssh loadbalancer "systemctl restart nginx"
+
+
+else
+
+    echo "can't modify nginx conf in this host !"
+fi
+

2-生产环境4.0/负载均衡服务器/配置/131-oss-nginx.conf

@@ -0,0 +1,88 @@
+upstream minio_prod {
+  server 192.168.148.139:39000;
+  server 192.168.148.137:39000;
+  server 192.168.148.140:39000;
+}
+
+server {
+    listen 443  ssl ;
+    #listen [::]:443 ssl    ;
+    include /etc/nginx/conf.d/ssl_settings/ssl-x-uavcmlc.conf;
+    #include /etc/nginx/conf.d/ssl_settings/error-template.conf;
+    server_name oss.uavcmlc.com ;
+    #add_header 'Access-Control-Allow-Origin' "www.uavcmlc.com";
+    location / {
+        #valid_referers none *.uavcmlc.com;
+        #if ($invalid_referer) {
+        #    return 403;
+        #}
+
+        port_in_redirect off;
+        client_max_body_size                    5120m;
+        proxy_connect_timeout                   20s;
+        proxy_send_timeout                      120s;
+        proxy_read_timeout                      120s;
+        proxy_buffering                         off;
+        proxy_buffer_size                       4k;
+        proxy_buffers                           4 4k;
+        proxy_max_temp_file_size                1024m;
+        proxy_request_buffering                 on;
+        proxy_http_version                      1.1;
+        proxy_cookie_domain                     off;
+        proxy_cookie_path                       off;
+        proxy_next_upstream                     error timeout;
+        proxy_next_upstream_timeout             0;
+        proxy_next_upstream_tries               3;
+        proxy_redirect                          off;
+
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        proxy_pass http://minio_prod;
+    }
+    location /minio/ {
+        allow 112.19.8.120/29;
+        allow 183.220.149.16/28;
+        deny  all;
+        proxy_pass http://minio_prod/minio/;
+    }
+    location /crossdomain.xml {
+        allow 112.19.8.120/29;
+        allow 183.220.149.16/28;
+        deny  all;
+    }
+
+    error_page 404 /404.html;
+}
+
+server {
+    listen 443 ssl    ;
+    listen [::]:443 ssl    ;
+    include /etc/nginx/conf.d/ssl_settings/ssl-x-uavcmlc.conf;
+    server_name soss.uavcmlc.com;
+
+    ignore_invalid_headers off;
+    proxy_buffering off;
+    client_max_body_size 1024m;
+    client_body_buffer_size 1024m;
+    sendfile            on;
+    send_timeout 600;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   600;
+    types_hash_max_size 2048;
+
+    location / {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_connect_timeout 300;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        chunked_transfer_encoding off;
+
+        proxy_pass http://192.168.148.141:9000;
+    }
+}

2-生产环境4.0/负载均衡服务器/配置/131-web-nginx.conf

@@ -0,0 +1,105 @@
+server {
+    listen 443 ssl   ;
+    listen [::]:443 ssl    ;
+    include /etc/nginx/conf.d/ssl_settings/ssl-x-uavcmlc.conf;
+    include /etc/nginx/conf.d/ssl_settings/error-template.conf;
+    server_name uavcmlc.com;
+    rewrite ^(.*)$ https://www.uavcmlc.com:443$1 permanent;
+    error_page 497 301 https://www.uavcmlc.com:443$1;
+}
+upstream  k8s_cluster {
+    ip_hash;
+    server 192.168.148.130:30500;
+    server 192.168.148.160:30500;
+    server 192.168.148.161:30500;
+    server 192.168.148.162:30500;
+}
+server {
+    listen 443 ssl    backlog=1024;
+    listen [::]:443 ssl    backlog=1024;
+    include /etc/nginx/conf.d/ssl_settings/ssl-x-uavcmlc.conf;
+    include /etc/nginx/conf.d/ssl_settings/error-template.conf;
+    server_name www.uavcmlc.com s.uavcmlc.com;
+    location / {
+        proxy_pass http://k8s_cluster/;
+        client_max_body_size 5120m;
+        client_body_buffer_size 5120m;
+        client_body_timeout 6000s;
+        proxy_send_timeout 10000s;
+        proxy_read_timeout 10000s;
+        proxy_connect_timeout 600s;
+        proxy_max_temp_file_size 5120m;
+        proxy_request_buffering on;
+        proxy_buffering off;
+        proxy_buffer_size 4k;
+        proxy_buffers 4 12k;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    location ~ ^/.*/(actuator|swagger-resources|api-docs|env|ping|health)(/|$) {
+        return 403;
+    }
+    error_page 404 /404.html;
+
+}
+
+server {
+    listen 443 ssl    ;
+    listen [::]:443 ssl    ;
+    include /etc/nginx/conf.d/ssl_settings/ssl-x-uavcmlc.conf;
+    include /etc/nginx/conf.d/ssl_settings/error-template.conf;
+
+    #add_header Access-Control-Allow-Origin *;
+    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
+    add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
+
+    server_name live.uavcmlc.com;
+    proxy_ignore_client_abort on;
+
+    location / {
+        proxy_pass http://192.168.148.130:30080/;
+    }
+    location /api/ {
+        allow 112.19.8.120/29;
+        allow 183.220.149.16/28;
+        deny  all;
+        proxy_pass http://192.168.148.130:30985/api/;
+    }
+    location /console/ {
+        return 403;
+    }
+    location /rtc/v1/ {
+        proxy_pass http://192.168.148.130:30985/rtc/v1/;
+    }
+    location /api/hubs/live/ {
+        proxy_set_header Host "live-op.uavcmlc.com";
+        proxy_pass http://k8s_cluster/api/hubs/live/;
+    }
+
+    error_page 404 /404.html;
+}
+server {
+    listen 443 ssl    ;
+    listen [::]:443 ssl    ;
+    include /etc/nginx/conf.d/ssl_settings/ssl-x-uavcmlc.conf;
+    server_name slive.uavcmlc.com;
+
+    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
+    add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
+
+    #proxy_ignore_client_abort on;
+
+    location / {
+        proxy_pass http://k8s_cluster/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        #proxy_pass http://192.168.148.130:38080/;
+    }
+}

2-生产环境4.0/负载均衡服务器/高负载均衡/check-lb-ip.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+
+export log_file=/etc/keepalived/report.log
+
+if [[ $( ip addr | grep -c "192.168.148.131") -eq 1 ]]; then
+
+    echo "当前主机为 主loadbalancer节点！ 当前时间为 $(date) " >> ${log_file}
+
+    echo "start to sync nginx conf to another loadbalancer" >> ${log_file}
+    rclone sync /etc/nginx/ loadbalancer:/etc/nginx/ >> ${log_file}
+
+    echo "start to reload the other loadbalancer nginx" >> ${log_file}
+    ssh loadbalancer "systemctl restart nginx"
+
+    echo "" >> ${log_file}
+    echo "----------------------------" >> ${log_file}
+fi
+
+

2-生产环境4.0/负载均衡服务器/高负载均衡/crontab.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+
+nginx
+
+boge14@Level5
+
+
+*/15 * * * * /etc/keepalived/check-lb-ip.sh

2-生产环境4.0/负载均衡服务器/高负载均衡/keepalived-1.conf

@@ -0,0 +1,28 @@
+! Configuration File for keepalived
+global_defs {
+   router_id web-1  ##标识节点的字符串，通常为本机hostname
+}
+vrrp_script chk_nginx {
+    script "/etc/keepalived/nginx_check.sh"  ##执行脚本位置
+    interval 2  ##检测时间间隔
+    weight -20  ##如果条件成立则权重减20
+}
+vrrp_instance VI_1 {
+    state MASTER  ## 主节点为MASTER，备份节点为BACKUP-该配置非常重要
+    interface ens192: ## 绑定虚拟IP的网络接口（网卡可以使用ifconfig查看）
+    virtual_router_id 110  ## 虚拟路由ID号（主备节点一定要相同）-该配置非常重要
+    mcast_src_ip 192.168.148.141 ## 本机ip地址
+    priority 200  ##优先级配置（0-254的值）,一般主节点的权重大于备份节点
+    nopreempt
+    advert_int 2  ## 组播信息发送间隔，俩个节点必须配置一致，默认1s
+authentication {  ## 认证匹配
+        auth_type PASS
+        auth_pass super-cyy
+    }
+    track_script {
+        chk_nginx
+    }
+    virtual_ipaddress {
+        192.168.148.131  ## 虚拟ip
+    }
+}

2-生产环境4.0/负载均衡服务器/高负载均衡/keepalived-2.conf

@@ -0,0 +1,28 @@
+! Configuration File for keepalived
+global_defs {
+   router_id web-2  ##标识节点的字符串，通常为本机hostname
+}
+vrrp_script chk_nginx {
+    script "/etc/keepalived/nginx_check.sh"  ##执行脚本位置
+    interval 2  ##检测时间间隔
+    weight -20  ##如果条件成立则权重减20
+}
+vrrp_instance VI_2 {
+    state BACKUP  ## 主节点为MASTER，备份节点为BACKUP-该配置非常重要
+    interface ens192 ## 绑定虚拟IP的网络接口（网卡可以使用ifconfig查看）
+    virtual_router_id 110  ## 虚拟路由ID号（主备节点一定要相同）-该配置非常重要
+    mcast_src_ip 192.168.148.142 ## 本机ip地址
+    priority 100  ##优先级配置（0-254的值）,一般主节点的权重大于备份节点
+    nopreempt
+    advert_int 2  ## 组播信息发送间隔，俩个节点必须配置一致，默认1s
+authentication {  ## 认证匹配
+        auth_type PASS
+        auth_pass super-cyy
+    }
+    track_script {
+        chk_nginx
+    }
+    virtual_ipaddress {
+        192.168.148.131  ## 虚拟ip
+    }
+}

2-生产环境4.0/负载均衡服务器/高负载均衡/nginx_check.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+
+log_file=/etc/keepalived/report.log
+COUNT=$(systemctl status nginx | grep -c "active (running)")
+
+
+if [ "$COUNT" -eq 0 ];then
+
+    echo "[ERROR] moniter nginx failure ! $(date) " >> ${log_file}
+    systemctl restart nginx
+
+    sleep 2
+    if [ $(systemctl status nginx | grep -c "active (running)") -eq 0 ];then
+        echo "[ERROR] restart nginx failed ! $(date) " >> ${log_file}
+        killall keepalived
+    fi
+fi