One of the main tasks when building a large Zimbra OSE infrastructure is proper load balancing. Besides improving the fault tolerance of the service, load balancing is the only way to give all users the same responsiveness. This problem is solved with load balancers: software and hardware solutions that redistribute requests among servers. Some are quite primitive, such as RoundRobin, which simply sends each new request to the next server in the list. Others are more advanced, for example HAProxy, which is widely used in high-load computing infrastructures because of a number of significant advantages. Let's look at how to make the HAProxy load balancer and Zimbra OSE work together.

So, according to the problem statement, we are given a Zimbra OSE infrastructure that includes two Zimbra Proxies, two LDAP servers and LDAP Replica, four mailbox stores with 1000 mailboxes each, and three MTAs. Since we are dealing with a mail server, it will receive three kinds of traffic that need balancing: HTTP for loading the web client, and POP and SMTP for sending email. HTTP traffic will go to the Zimbra Proxy servers with IP addresses 192.168.0.57 and 192.168.0.58, and SMTP traffic will go to the MTA servers with IP addresses 192.168.0.77 and 192.168.0.78.
As mentioned earlier, to distribute requests evenly among the servers we will use the HAProxy load balancer, which will run on the ingress node of the Zimbra infrastructure under Ubuntu 18.04. On this operating system haproxy is installed with the command sudo apt-get install haproxy. After that, in the file /etc/default/haproxy, change the parameter ENABLED=0 to ENABLED=1. Now, to make sure that haproxy is working, just enter the command service haproxy. If the service is running, this will be clear from the command's output.
One of the main drawbacks of HAProxy is that by default it does not pass on the IP address of the connecting client and substitutes its own. This can lead to a situation where emails sent by attackers cannot be identified by IP address in order to add that address to a blocklist. This problem can be solved, however. To do so, edit the file /opt/zimbra/common/conf/master.cf.in on the servers running Postfix and add the following lines to it:

    # Port 26: postscreen listener that receives the PROXY header from HAProxy
    26 inet n - n - 1 postscreen
        -o postscreen_upstream_proxy_protocol=haproxy
    # Port 466: SMTPS (TLS wrapper mode) listener behind HAProxy
    466 inet n - n - - smtpd
    %%uncomment SERVICE:opendkim%% -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=
        -o smtpd_data_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o syslog_name=postfix/smtps
        -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_upstream_proxy_protocol=haproxy
    %%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
    %%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust
    # Port 588: submission listener behind HAProxy
    588 inet n - n - - smtpd
    %%uncomment SERVICE:opendkim%% -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_data_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o syslog_name=postfix/submission
        -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_upstream_proxy_protocol=haproxy
    %%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
    %%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust

Thanks to this, we open ports 26, 466 and 588, which will receive incoming traffic from HAProxy. After the files have been saved, restart Postfix on all servers with the command zmmtactl restart.
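A listener configured with upstream_proxy_protocol=haproxy takes the client address from a PROXY protocol header sent ahead of the SMTP dialogue, so ports 26, 466 and 588 should accept connections only from the balancer. The sketch below is an added example, not code from the article, HAProxy or Postfix: it parses a version 1 header and trusts it only from a known peer. The balancer address 192.0.2.10 and the sample header are constructed placeholders.

```python
import ipaddress

# Assumption: the page does not give the balancer's address; this value is a placeholder.
TRUSTED_BALANCERS = {ipaddress.ip_address("192.0.2.10")}

def parse_proxy_v1(header: bytes):
    """Parse a PROXY protocol v1 line; return (src, sport, dst, dport) or None for UNKNOWN."""
    # The v1 header is one ASCII line of at most 107 bytes, terminated by CRLF.
    if len(header) > 107 or not header.endswith(b"\r\n"):
        raise ValueError("incomplete or oversized PROXY v1 header")
    fields = header[:-2].decode("ascii").split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":  # the balancer could not determine the addresses
        return None
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if {src.version, dst.version} != {4 if fields[1] == "TCP4" else 6}:
        raise ValueError("address family does not match the protocol field")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return src, sport, dst, dport

def client_address(peer_ip: str, header: bytes) -> str:
    """Address to log and match against a blocklist for one inbound connection."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_BALANCERS:
        # A header from any other peer would let that peer claim an arbitrary source address.
        raise PermissionError(f"PROXY header from untrusted peer {peer}")
    parsed = parse_proxy_v1(header)
    return str(parsed[0]) if parsed else str(peer)

# Constructed sample: the line send-proxy prepends for a client that reached the frontend on port 27.
SAMPLE = b"PROXY TCP4 203.0.113.45 192.0.2.10 51234 27\r\n"

if __name__ == "__main__":
    print(client_address("192.0.2.10", SAMPLE))
```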
Next, let's start setting up HAProxy. First create a backup copy of the settings file: cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak. Then open the source file /etc/haproxy/haproxy.cfg in a text editor and start adding the required settings to it step by step. The first block adds the server that collects the logs, sets the maximum allowed number of simultaneous connections, and specifies the user name and group that the running process will belong to.

    global
        user daemon
        group daemon
        daemon
        log 127.0.0.1 daemon
        maxconn 5000
        chroot /var/lib/haproxy

The figure of 5000 simultaneous connections was chosen for a reason. Since there are 4000 mailboxes in our infrastructure, we have to allow for the possibility that all of them access their work email at the same time. In addition, a small reserve has to be left in case their number grows.
Now let's add a block with the default settings:

    defaults
        timeout client 1m
        log global
        mode tcp
        timeout server 1m
        timeout connect 5s

This block sets the maximum timeout for the client and the server, after which the connection is closed, and also sets HAProxy's operating mode. In our case the load balancer works in TCP mode, that is, it simply forwards TCP packets without analysing their contents.
Next we add rules for connections on the various ports. For example, if port 25 is used for SMTP connections and mail transfer, it makes sense to forward connections on it to the MTAs in our infrastructure. If a connection arrives on port 80, it is an HTTP request that has to be forwarded to Zimbra Proxy.
Rules for port 25:

    frontend smtp-25
        bind *:27
        default_backend backend-smtp-25

    backend backend-smtp-25
        server mta1 192.168.0.77:26 send-proxy
        server mta2 192.168.0.78:26 send-proxy

Rules for port 465:

    frontend smtp-465
        bind *:467
        default_backend backend-smtp-465

    backend backend-smtp-465
        server mta1 192.168.0.77:466 send-proxy
        server mta2 192.168.0.78:466 send-proxy

Rules for port 587:

    frontend smtp-587
        bind *:589
        default_backend backend-smtp-587

    backend backend-smtp-587
        server mail1 192.168.0.77:588 send-proxy
        server mail2 192.168.0.78:588 send-proxy

Rules for port 80:

    frontend http-80
        bind *:80
        default_backend http-80

    backend http-80
        mode tcp
        server zproxy1 192.168.0.57:80 check
        server zproxy2 192.168.0.58:80 check

Rules for port 443:

    frontend https
        bind *:443
        default_backend https-443

    backend https-443
        mode tcp
        # TCP mode passes the TLS stream through unchanged, so it must reach the proxies' HTTPS port
        server zproxy1 192.168.0.57:443 check
        server zproxy2 192.168.0.58:443 check

Note that in the rules that forward TCP packets to the MTAs, the send-proxy parameter appears next to their addresses. This is needed so that, in line with the changes we made earlier to the Postfix settings, the original IP address of the sender is passed along with the TCP packets.
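A consistency check for the pairing described above, added here as an example and not taken from the article: it reads both configurations and reports MTA backends where send-proxy and the Postfix upstream_proxy_protocol setting disagree. The excerpts are constructed in the page's format, and treating lines that begin with %% as continuation lines is an assumption about Zimbra's master.cf.in template.

```python
# Constructed excerpts in the page's format; the 466 backend omits send-proxy on purpose.
HAPROXY_CFG = """\
backend backend-smtp-25
    server mta1 192.168.0.77:26 send-proxy
    server mta2 192.168.0.78:26 send-proxy
backend backend-smtp-465
    server mta1 192.168.0.77:466
backend http-80
    server zproxy1 192.168.0.57:80 check
"""
MASTER_CF = """\
26 inet n - n - 1 postscreen
    -o postscreen_upstream_proxy_protocol=haproxy
466 inet n - n - - smtpd
%%uncomment SERVICE:opendkim%% -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
    -o smtpd_upstream_proxy_protocol=haproxy
"""
MTA_HOSTS = {"192.168.0.77", "192.168.0.78"}

def proxy_ports(master_cf):
    """Ports of master.cf services that expect a PROXY header."""
    ports, service = set(), None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t%":  # continuation line (assumed to include %%...%% markers)
            if service and "_upstream_proxy_protocol=haproxy" in line:
                ports.add(service)
        else:
            service = line.split()[0].rsplit(":", 1)[-1]  # "host:port" or bare port
    return ports

def mismatches(haproxy_cfg, master_cf, mta_hosts=MTA_HOSTS):
    """Report MTA backends whose send-proxy setting disagrees with Postfix."""
    expected, backend, problems = proxy_ports(master_cf), None, []
    for words in (line.split() for line in haproxy_cfg.splitlines()):
        if words[:1] == ["backend"]:
            backend = words[1]
        elif words[:1] == ["server"] and backend:
            host, port = words[2].rsplit(":", 1)
            sends = any(w.startswith("send-proxy") for w in words[3:])
            if host in mta_hosts and sends != (port in expected):
                why = "header sent but not expected" if sends else "header expected but not sent"
                problems.append(f"{backend}/{words[1]} port {port}: {why}")
    return problems

if __name__ == "__main__":
    print(mismatches(HAPROXY_CFG, MASTER_CF))
```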
Now that all the necessary changes to HAProxy have been made, you can restart the service with the command service haproxy restart and start using it.
For all questions related to Zextras Suite, you can contact Zextras representative Ekaterina Triandafilidi by email at katerina@zextras.com
source: www.habr.com
