Contents
1. Overall architecture
2. Configuration steps
2.1 Configure DNS proxy forwarding
2.2 Configure cloud service proxy forwarding
2.3 Configure proxy ECS system settings
2.3 Configure ELB forwarding
2.4 Configure intranet DNS resolution
2.5 Configure on-premises hosts
2.6 Configure dual-region VPN tunnel (omitted)
3. Test and verification
2.1 Configure DNS proxy forwarding
Log in as root to the ECS instance on which the proxy is to be installed, make sure the ECS can reach the public internet, and run the following commands:
• Install the yum-utils tools
    yum install -y yum-utils
• Add the OpenResty repository
    yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
• Change the baseurl
If EulerOS is used, the baseurl in /etc/yum.repos.d/openresty.repo must be changed by hand from
    baseurl=https://openresty.org/package/centos/$releasever/$basearch
to
    baseurl=https://openresty.org/package/centos/7/$basearch
• Install OpenResty
    yum install -y openresty
• Enable OpenResty at boot
    systemctl enable openresty
• OpenResty control commands
    systemctl start openresty: start openresty
    systemctl stop openresty: stop openresty
    systemctl reload openresty: reload openresty (hot restart, traffic is not interrupted)
• All configuration files are located under /usr/local/openresty/nginx/conf/:
    nginx.conf: main configuration file
    vhosts/ingress.conf: on-premises-to-cloud APIG proxy configuration
    vhosts/dns.conf: on-premises-to-cloud DNS proxy configuration
• nginx.conf: main configuration file
# Worker processes run as root with this setting. Only the master process needs root
# to bind ports 53 and 443, so an unprivileged account (e.g. nobody) is the usual choice.
user root;
worker_processes auto;
worker_cpu_affinity auto;
error_log logs/error.log error;
pid logs/nginx.pid;
worker_rlimit_nofile 25000;

events {
    use epoll;
    multi_accept on;
    accept_mutex off;
    worker_connections 20000;
}

stream {
    log_format proxy '$remote_addr:$remote_port [$time_local] $connection '
                     '$protocol $server_port $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" '
                     '"$upstream_connect_time" "$upstream_first_byte_time" "$upstream_session_time"';
    tcp_nodelay on;
    proxy_buffer_size 64k;
    proxy_connect_timeout 15s;
    proxy_next_upstream on;
    proxy_next_upstream_timeout 0;
    proxy_next_upstream_tries 0;
    proxy_timeout 300s;
    include vhosts/*.conf;
}
Configure /usr/local/openresty/nginx/conf/vhosts/dns.conf:
upstream dns {
    # server address:port max_fails=3 fail_timeout=10s;
    server 100.125.1.250:53 max_fails=3 fail_timeout=10s;
    server 100.125.129.250:53 max_fails=3 fail_timeout=10s;
}
server {
    listen 53 udp;
    access_log logs/access-dns.log proxy;
    error_log logs/error-dns.log error;
    # A DNS query gets exactly one reply. Without "proxy_responses 1;" each UDP
    # session is held open until proxy_timeout (300s) and counts against worker_connections.
    proxy_pass dns;
}
The DNS server addresses are taken from /etc/resolv.conf on the ECS host (Beijing 4).
2.2 Configure cloud service proxy forwarding
Configure /usr/local/openresty/nginx/conf/vhosts/ingress.conf:
server {
    listen 443 reuseport backlog=10000;
    access_log logs/access-ingress.log proxy;
    error_log logs/error-ingress.log error;
    proxy_pass {APIGW service POD entry address}:443;
}
For Beijing 4:
server {
    listen 443 reuseport backlog=10000;
    access_log logs/access-ingress.log proxy;
    error_log logs/error-ingress.log error;
    proxy_pass 100.125.2.39:443;
}
This is the on-premises-to-cloud proxy; the backend address is the POD entry address of the APIGW service. Because it is a stream proxy, TLS is passed through unchanged and is terminated at the cloud endpoint, not on the ECS.
The backend address can be obtained by running ping ecs.{region-id}.myhuaweicloud.com on the ECS host; the region-id of Beijing 4 is cn-north-4.
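As an added example (not part of the original guide), the following shell script summarises the access-dns.log and access-ingress.log files written with the proxy log_format defined in nginx.conf above, per listen port and upstream, so that a failing DNS server or APIGW entry stands out. The log lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original guide: summarise OpenResty stream access
# logs written in the `proxy` log_format from nginx.conf (section 2.1).

# Constructed sample lines in that format. "$upstream_addr" becomes a
# comma-separated list when nginx retried another upstream within one session.
SAMPLE_LOG='10.10.2.102:40412 [01/Jan/2024:10:00:01 +0800] 101 UDP 53 200 96 45 0.012 "100.125.1.250:53" "45" "96" "0.001" "0.010" "0.012"
10.10.2.102:40413 [01/Jan/2024:10:00:02 +0800] 102 UDP 53 200 88 41 0.015 "100.125.129.250:53" "41" "88" "0.001" "0.013" "0.015"
10.10.2.55:52001 [01/Jan/2024:10:00:03 +0800] 103 TCP 443 502 0 0 15.003 "100.125.2.39:443" "0" "0" "-" "-" "15.003"
10.10.2.55:52002 [01/Jan/2024:10:00:20 +0800] 104 TCP 443 200 5120 1043 0.320 "100.125.2.39:443" "1043" "5120" "0.004" "0.210" "0.320"
10.10.2.102:40414 [01/Jan/2024:10:00:21 +0800] 105 UDP 53 502 0 45 10.001 "100.125.1.250:53, 100.125.129.250:53" "45, 0" "0, 0" "0.001, -" "-, -" "10.001, 0.000"'

# summarize_stream_log FILE
# Prints one line per "server_port upstream": total sessions and sessions whose
# stream $status was not 200 (nginx stream reports 200 on success, 4xx/5xx otherwise).
summarize_stream_log() {
    awk '
    {
        split($0, q, "\"")            # q[1]: unquoted prefix, q[2]: $upstream_addr
        split(q[1], f, " ")           # f[6]: $server_port, f[7]: $status ($time_local spans f[2] f[3])
        port = f[6]; status = f[7]
        m = split(q[2], ups, ", *")   # every upstream tried, in order
        up = ups[m]                   # attribute the outcome to the last one tried
        key = port " " up
        sessions[key]++
        if (status != 200) failures[key]++
    }
    END {
        for (k in sessions) printf "%s %d %d\n", k, sessions[k], failures[k] + 0
    }' "$1" | LC_ALL=C sort
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
summarize_stream_log "$tmp"
rm -f "$tmp"
```

Point it at /usr/local/openresty/nginx/logs/access-dns.log or access-ingress.log on the proxy; a non-zero failure count against one upstream while the other stays clean points at that backend rather than at the proxy.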
2.3 Configure ECS system settings
Configure TOA:
    rpm -Uvh --force ipvs-toa-1.0-4.x86_64.rpm
    modprobe toa
    lsmod | grep toa
Monitor TOA (load the module if it is not present):
function monitor_toa()
{
    # Is the toa module already loaded?
    process=`lsmod | awk '{print $1}' | egrep '^toa$'`
    if [ "X${process}" = "X" ]; then
        # On EulerOS 2.0 SP1 the module is loaded with insmod from its file path instead of modprobe
        grep -q "2\.0.*SP1" /etc/euleros-release
        if [ $? -eq 0 ]; then
            if [ -e /opt/toa/toa.ko ]; then
                insmod /opt/toa/toa.ko
            else
                insmod `ls /lib/modules/*/kernel/net/toa/toa.ko | head -n 1`
            fi
        else
            modprobe toa
        fi
    else
        echo "module toa exists"
    fi
}
Configure /usr/local/openresty/logrotate.conf:
/usr/local/openresty/nginx/logs/*.log {
    size 500M
    rotate 10
    nocopy
    nocopytruncate
    missingok
    notifempty
    compress
    delaycompress
    compressoptions -1
    sharedscripts
    postrotate
        bash -c 'kill -SIGUSR1 $(cat /usr/local/openresty/nginx/logs/nginx.pid)'
    endscript
}
The SIGUSR1 sent in postrotate makes nginx reopen its log files after rotation.
Configure /etc/crontab:
*/5 * * * * root /usr/sbin/logrotate /usr/local/openresty/logrotate.conf >/dev/null 2>&1
After editing /etc/crontab, restart the crond service with systemctl restart crond.
Configure /etc/sysctl.conf:
net.ipv4.conf.all.rp_filter=1
# With SYN cookies disabled, a SYN flood can still exhaust the (large) tcp_max_syn_backlog set below
net.ipv4.tcp_syncookies=0
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_tw_recycle=0
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_fin_timeout=5
net.ipv4.tcp_max_tw_buckets=2000
net.ipv4.tcp_mem=1048576 1310720 1572864
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 87380 16777216
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.core.somaxconn=65500
net.core.netdev_max_backlog=262144
net.ipv4.tcp_max_syn_backlog=3240000
net.ipv4.tcp_synack_retries=3
net.ipv4.tcp_syn_retries=3
net.ipv4.ip_local_port_range=1024 65535
net.ipv4.ip_local_reserved_ports=8000-8100
fs.file-max=210000
fs.nr_open=200000
kernel.hung_task_panic=1
Append these settings to /etc/sysctl.conf and apply them with sysctl -p.
Configure /etc/security/limits.conf:
* soft nofile 200000
* hard nofile 200000
2.4 Configure ELB forwarding
2.5 Configure DNS proxy forwarding
2.6 Configure on-premises DNS resolution
[root@ecs-10-10-10-x ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search openstacklocal
nameserver 10.10.2.102
#nameserver 100.125.1.250
#nameserver 100.125.64.250
options single-request-reopen
3. Test and verification
curl -sk -H "Content-Type:application/json;charset=utf8" -d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"your_account","password":"{password}","domain":{"name":"your_account"}}}},"scope":{"domain":{"name":"your_account"}}}}' https://iam.cn-north-4.myhuaweicloud.com/v3/auth/tokens
The -k flag skips TLS certificate verification; it is acceptable for checking that the request reaches IAM through the proxy, but should be dropped once the path works.