
Accessing Huawei Cloud services from an IDC over a dedicated line (private network)

Author: 黄华山 | Published 2019-08-29 15:10

    Contents

    1. Overall architecture

    2. Configuration steps

        2.1 Configure DNS proxy forwarding

        2.2 Configure cloud service proxy forwarding

        2.3 Configure the proxy ECS system settings

        2.4 Configure ELB forwarding

        2.5 Configure internal DNS resolution

        2.6 Configure on-premises hosts

        2.7 Configure the dual-region VPN tunnel (omitted)

    3. Test and verification

    2.1 Configure DNS proxy forwarding

    Log in as root to the ECS that will host the proxy, make sure the ECS has outbound internet access, and run the following commands:

    • Install yum-utils

    yum install -y yum-utils

    • Add the OpenResty repository

    yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo

    • Fix the baseurl

    If the host runs EulerOS, edit /etc/yum.repos.d/openresty.repo by hand and change the baseurl from

    baseurl=https://openresty.org/package/centos/$releasever/$basearch

    to

    baseurl=https://openresty.org/package/centos/7/$basearch

    • Install OpenResty

    yum install -y openresty

    • Enable OpenResty at boot

    systemctl enable openresty

    • OpenResty control commands

    systemctl start openresty: start OpenResty

    systemctl stop openresty: stop OpenResty

    systemctl reload openresty: reload OpenResty (hot restart, no interruption to traffic)

    • All configuration files live under /usr/local/openresty/nginx/conf/:

    nginx.conf: main configuration file

    vhosts/ingress.conf: on-premises-to-cloud APIG proxy configuration

    vhosts/dns.conf: on-premises-to-cloud DNS proxy configuration

    • nginx.conf: main configuration file

    user root;                     # workers run as root as well; an unprivileged worker user is the safer default
    worker_processes auto;
    worker_cpu_affinity auto;
    error_log  logs/error.log error;
    pid        logs/nginx.pid;
    worker_rlimit_nofile 25000;

    events {
        use epoll;
        multi_accept on;
        accept_mutex off;
        worker_connections 20000;
    }

    stream {
        # one line per proxied connection; referenced as "access_log ... proxy" in vhosts/*.conf
        log_format proxy '$remote_addr:$remote_port [$time_local] $connection '
            '$protocol $server_port $status $bytes_sent $bytes_received '
            '$session_time "$upstream_addr" '
            '"$upstream_bytes_sent" "$upstream_bytes_received" '
            '"$upstream_connect_time" "$upstream_first_byte_time" "$upstream_session_time"';

        tcp_nodelay on;
        proxy_buffer_size 64k;
        proxy_connect_timeout 15s;
        proxy_next_upstream on;
        proxy_next_upstream_timeout 0;
        proxy_next_upstream_tries 0;
        proxy_timeout 300s;

        include vhosts/*.conf;
    }

    Configure /usr/local/openresty/nginx/conf/vhosts/dns.conf

    upstream dns {
        # server address:port max_fails=3 fail_timeout=10s;
        server 100.125.1.250:53 max_fails=3 fail_timeout=10s;
        server 100.125.129.250:53 max_fails=3 fail_timeout=10s;
    }

    server {
        listen 53 udp;
        access_log logs/access-dns.log proxy;
        error_log logs/error-dns.log error;
        proxy_pass dns;
    }

    The DNS server addresses are taken from /etc/resolv.conf on the ECS host (Beijing 4 region).
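Because the stream proxy is protocol-blind, the `proxy` access log defined in nginx.conf above is the main operational signal for this link. As an added example (not part of the original article), the following Python parses that exact log format and flags failed upstream connections and clients opening unusually many connections; the log lines are constructed samples.

```python
import re
from collections import Counter

# Regex for the `log_format proxy` defined in the stream block of nginx.conf above.
LOG_RE = re.compile(
    r'^(?P<client>\S+):(?P<cport>\d+) \[(?P<time>[^\]]+)\] (?P<conn>\d+) '
    r'(?P<proto>TCP|UDP) (?P<port>\d+) (?P<status>\d{3}) (?P<sent>\d+) (?P<recv>\d+) '
    r'(?P<session>[\d.]+) "(?P<upstream>[^"]*)" "(?P<up_sent>[^"]*)" "(?P<up_recv>[^"]*)" '
    r'"(?P<up_connect>[^"]*)" "(?P<up_first>[^"]*)" "(?P<up_session>[^"]*)"$'
)

# Constructed sample lines (not real traffic): HTTPS sessions to the APIG backend,
# one DNS query, one failed upstream connect (stream status 502), and one line
# that is not in the expected format.
SAMPLE_LOG = """\
10.10.3.21:51234 [29/Aug/2019:15:10:01 +0800] 17 TCP 443 200 5120 844 0.412 "100.125.2.39:443" "844" "5120" "0.003" "0.120" "0.410"
10.10.3.21:51240 [29/Aug/2019:15:10:02 +0800] 18 UDP 53 200 112 48 0.021 "100.125.1.250:53" "48" "112" "0.000" "0.020" "0.021"
10.10.3.22:40111 [29/Aug/2019:15:10:05 +0800] 19 TCP 443 502 0 0 0.015 "100.125.2.39:443" "0" "0" "-" "-" "-"
10.10.3.21:51301 [29/Aug/2019:15:10:06 +0800] 20 TCP 443 200 980 320 0.205 "100.125.2.39:443" "320" "980" "0.002" "0.090" "0.204"
10.10.3.21:51302 [29/Aug/2019:15:10:06 +0800] 21 TCP 443 200 700 300 0.150 "100.125.2.39:443" "300" "700" "0.002" "0.080" "0.149"
this line is not in the proxy format and is skipped
""".splitlines()

def parse_line(line):
    """Return the fields of one access log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines, conn_threshold=3):
    """Return (records, failures, noisy_clients) for the given log lines.
    failures: connections whose stream $status is not 200 (e.g. 502 when the APIG or
    DNS backend is unreachable); noisy_clients: clients with >= conn_threshold connections."""
    records, failures, per_client = [], [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        records.append(rec)
        per_client[rec["client"]] += 1
        if rec["status"] != "200":
            failures.append((rec["client"], rec["port"], rec["status"], rec["upstream"]))
    noisy = {c: n for c, n in per_client.items() if n >= conn_threshold}
    return records, failures, noisy

if __name__ == "__main__":
    recs, fails, noisy = analyze(SAMPLE_LOG)
    print(f"parsed {len(recs)} connections, {len(fails)} upstream failures: {fails}")
    print("clients above threshold:", noisy)
```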

    2.2 Configure cloud service proxy forwarding

    Configure /usr/local/openresty/nginx/conf/vhosts/ingress.conf

    server {
        listen 443 reuseport backlog=10000;
        access_log logs/access-ingress.log proxy;
        error_log logs/error-ingress.log error;
        proxy_pass {APIGW服务POD入口地址}:443;   # replace with the POD ingress address of the APIG service
    }

    Beijing 4:

    server {
        listen 443 reuseport backlog=10000;
        access_log logs/access-ingress.log proxy;
        error_log logs/error-ingress.log error;
        proxy_pass 100.125.2.39:443;
    }

    This is the on-premises-to-cloud proxy; its backend is the POD ingress address of the APIGW service.

    The address can be obtained by running ping ecs.{region-id}.myhuaweicloud.com on an ECS host. The region-id for Beijing 4 is cn-north-4.

    2.3 Configure ECS system settings

    Configure TOA

    rpm -Uvh --force ipvs-toa-1.0-4.x86_64.rpm
    modprobe toa
    lsmod | grep toa

    Monitor TOA

    # Load the TOA (TCP Option Address) kernel module if it is not already loaded;
    # it lets the proxy see the real client address carried in TCP options.
    function monitor_toa()
    {
        process=`lsmod | awk '{print $1}' | egrep '^toa$'`
        if [ "X${process}" = "X" ]; then
            # On EulerOS 2.0 SP1 the module is loaded by explicit path with insmod;
            # on other releases modprobe is enough.
            grep -q "2\.0.*SP1" /etc/euleros-release
            if [ $? -eq 0 ]; then
                if [ -e /opt/toa/toa.ko ]; then
                    insmod /opt/toa/toa.ko
                else
                    insmod `ls /lib/modules/*/kernel/net/toa/toa.ko | head -n 1`
                fi
            else
                modprobe toa
            fi
        else
            echo "module toa exists"
        fi
    }

    Configure /usr/local/openresty/logrotate.conf

    /usr/local/openresty/nginx/logs/*.log {
        size 500M
        rotate 10
        nocopy
        nocopytruncate
        missingok
        notifempty
        compress
        delaycompress
        compressoptions -1
        sharedscripts
        postrotate
            # USR1 makes nginx reopen its log files after rotation
            bash -c 'kill -SIGUSR1 $(cat /usr/local/openresty/nginx/logs/nginx.pid)'
        endscript
    }

    Configure /etc/crontab

    */5 * * * *  root /usr/sbin/logrotate /usr/local/openresty/logrotate.conf  >/dev/null 2>&1

    After editing /etc/crontab, restart the crond service with systemctl restart crond.

    Configure /etc/sysctl.conf

    net.ipv4.conf.all.rp_filter=1
    net.ipv4.tcp_syncookies=0          # disables SYN cookies, so SYN floods are absorbed by the backlog alone
    net.ipv4.tcp_tw_reuse=1
    net.ipv4.tcp_tw_recycle=0
    net.ipv4.tcp_timestamps=1
    net.ipv4.tcp_fin_timeout=5
    net.ipv4.tcp_max_tw_buckets=2000
    net.ipv4.tcp_mem=1048576 1310720 1572864
    net.ipv4.tcp_rmem=4096 87380 16777216
    net.ipv4.tcp_wmem=4096 87380 16777216
    net.core.rmem_max=16777216
    net.core.wmem_max=16777216
    net.core.somaxconn=65500
    net.core.netdev_max_backlog=262144
    net.ipv4.tcp_max_syn_backlog=3240000
    net.ipv4.tcp_synack_retries=3
    net.ipv4.tcp_syn_retries=3
    net.ipv4.ip_local_port_range=1024 65535
    net.ipv4.ip_local_reserved_ports=8000-8100
    fs.file-max=210000
    fs.nr_open=200000
    kernel.hung_task_panic=1

    Append these lines to /etc/sysctl.conf and apply them with sysctl -p.

    Configure /etc/security/limits.conf

    * soft nofile 200000
    * hard nofile 200000

    2.4 Configure ELB forwarding


    2.5 Configure DNS proxy forwarding


    2.6 Configure on-premises DNS resolution

    [root@ecs-10-10-10-x ~]# cat /etc/resolv.conf
    # Generated by NetworkManager
    search openstacklocal
    nameserver 10.10.2.102
    #nameserver 100.125.1.250
    #nameserver 100.125.64.250
    options single-request-reopen

    3. Test and verification

    curl -sk -H "Content-Type:application/json;charset=utf8" -d '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"your_account","password":"{password}","domain":{"name":"your_account"}}}},"scope":{"domain":{"name":"your_account"}}}}' https://iam.cn-north-4.myhuaweicloud.com/v3/auth/tokens

    Run this from an on-premises host whose resolver points at the proxy; a successful response carries the token in the X-Subject-Token header, which shows that DNS proxying, the APIG proxy and IAM all work end to end. Note that -k disables TLS certificate verification, so it is appropriate only for this connectivity test.


        Article link: https://www.haomeiwen.com/subject/xzyiectx.html