Load balancing in Zimbra Open-Source Edition using HAProxy

One of the main tasks when building large Zimbra OSE infrastructures is proper load balancing. Apart from increasing the fault tolerance of the service, without load balancing it is impossible to ensure equal responsiveness of the service for all users. To solve this problem, load balancers are used: software and hardware solutions that redistribute requests between servers. Some of them are quite primitive, such as RoundRobin, which simply sends each subsequent request to the next server in the list, and there are more advanced ones, for example HAProxy, which is widely used in high-load computing infrastructures because of a number of significant advantages. Let's look at how to make the HAProxy load balancer and Zimbra OSE work together.


So, under the terms of the task, we are given a Zimbra OSE infrastructure that has two Zimbra Proxy servers, two LDAP servers and LDAP Replica, four mail stores with 1000 mailboxes each, and three MTAs. Since we are dealing with a mail server, it will receive three types of traffic that need balancing: HTTP for loading the web client, and POP and SMTP for sending email. In this case, HTTP traffic will go to the Zimbra Proxy servers with IP addresses 192.168.0.57 and 192.168.0.58, and SMTP traffic will go to the MTA servers with IP addresses 192.168.0.77 and 192.168.0.78.

As already mentioned, to ensure that requests are distributed evenly between the servers, we will use the HAProxy load balancer, which will run on the ingress node of the Zimbra infrastructure under Ubuntu 18.04. On this operating system haproxy is installed with the command sudo apt-get install haproxy. After that, in the file /etc/default/haproxy, change the parameter ENABLED=0 to ENABLED=1. Now, to make sure that haproxy is working, just enter the command service haproxy. If the service is running, this will be clear from the command output.

One of the main drawbacks of HAProxy is that by default it does not pass on the IP address of the connecting client, substituting its own. This can lead to situations where emails sent by attackers cannot be identified by IP address in order to add it to a blacklist. However, this issue can be solved. To do so, edit the file /opt/zimbra/common/conf/master.cf.in on the servers running Postfix and add the following lines to it:

26      inet  n       -       n       -       1       postscreen
        -o postscreen_upstream_proxy_protocol=haproxy
 
466    inet  n       -       n       -       -       smtpd
%%uncomment SERVICE:opendkim%%  -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=
        -o smtpd_data_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o syslog_name=postfix/smtps
        -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_upstream_proxy_protocol=haproxy
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust
 
588 inet n      -       n       -       -       smtpd
%%uncomment SERVICE:opendkim%%  -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_data_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o syslog_name=postfix/submission
        -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_upstream_proxy_protocol=haproxy
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust

As a result, we open ports 26, 466 and 588, which will receive incoming traffic from HAProxy. After the files have been saved, restart Postfix on all servers using the command zmmtactl restart.
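
What Postfix reads first on these ports once postscreen_upstream_proxy_protocol=haproxy and smtpd_upstream_proxy_protocol=haproxy are set, shown as an added example that is not part of the original article: a parser for the PROXY protocol version 1 line, which returns the forwarded client address only when the TCP peer is the load balancer. The load balancer address 192.168.0.10, the client address and the sample bytes are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header line, CRLF included

def parse_proxy_v1(data: bytes):
    """Split a PROXY v1 line off the front of a stream.

    Returns ((src_ip, src_port), rest); the first item is None for UNKNOWN.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1 or not data.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    version = 4 if fields[1] == "TCP4" else 6
    if src.version != version or dst.version != version:
        raise ValueError("address family mismatch")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), sport), rest

def effective_client(peer_ip: str, data: bytes, balancers: set):
    """Client address to log or blacklist, plus the remaining SMTP bytes."""
    if peer_ip not in balancers:
        # Only the load balancer may speak for another address.
        raise PermissionError(f"PROXY header from untrusted peer {peer_ip}")
    src, rest = parse_proxy_v1(data)
    return (src[0] if src else peer_ip), rest

# Constructed sample: HAProxy (assumed at 192.168.0.10, frontend port 27)
# relaying a client connection to an MTA.
BALANCERS = {"192.168.0.10"}
SAMPLE = b"PROXY TCP4 203.0.113.45 192.168.0.10 51234 27\r\nEHLO client.example\r\n"

if __name__ == "__main__":
    print(effective_client("192.168.0.10", SAMPLE, BALANCERS))
```

The same trust rule applies at the network level: ports 26, 466 and 588 should be reachable only from the HAProxy node, because Postfix takes the address in this header as the client's.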

Next, let's start setting up HAProxy. To do this, first create a backup copy of the settings file: cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak. Then open the source file /etc/haproxy/haproxy.cfg in a text editor and start adding the necessary settings to it step by step. The first block adds the server that collects the logs, sets the maximum allowed number of simultaneous connections, and specifies the name and group of the user that the running process will belong to.

global
    user daemon
    group daemon
    daemon
    log 127.0.0.1 daemon
    maxconn 5000
    chroot /var/lib/haproxy

The figure of 5000 simultaneous connections was chosen for a reason. Since there are 4000 mailboxes in our infrastructure, we need to allow for the possibility that they will all access their work email at the same time. In addition, a small reserve must be left in case their number grows.

Now let's add a block with the default settings:

defaults
        timeout client 1m
        log global
        mode tcp
        timeout server 1m
        timeout connect 5s

This block sets the maximum timeout for the client and the server, so that a connection is closed when it expires, and also sets the operating mode of HAProxy. In our case the load balancer works in TCP mode, that is, it simply passes TCP packets on without analyzing their contents.

Next we will add rules for connections on the various ports. For example, if port 25 is used for SMTP connections and mail, it makes sense to forward connections on it to the MTAs in our infrastructure. If the connection is on port 80, it is an HTTP request that needs to be forwarded to Zimbra Proxy.

Rules for port 25:

frontend smtp-25
bind *:27
default_backend backend-smtp-25
 
backend backend-smtp-25
server mta1 192.168.0.77:26 send-proxy
server mta2 192.168.0.78:26 send-proxy

Rules for port 465:

frontend smtp-465
bind *:467
default_backend backend-smtp-465

backend backend-smtp-465
server mta1 192.168.0.77:466 send-proxy
server mta2 192.168.0.78:466 send-proxy

Rules for port 587:

frontend smtp-587
bind *:589
default_backend backend-smtp-587
 
backend backend-smtp-587
server mail1 192.168.0.77:588 send-proxy
server mail2 192.168.0.78:588 send-proxy

Rules for port 80:

frontend http-80
bind    *:80
default_backend http-80
 
backend http-80
mode tcp
server zproxy1 192.168.0.57:80 check
server zproxy2 192.168.0.58:80 check

Rules for port 443:

frontend https
bind  *:443
default_backend https-443
 
backend https-443
mode tcp
# TCP mode passes TLS through untouched, so forward to the proxies' HTTPS port, not 80
server zproxy1 192.168.0.57:443 check
server zproxy2 192.168.0.58:443 check

Note that in the rules that forward TCP packets to the MTAs, the send-proxy parameter appears next to their addresses. This is necessary so that, in line with the changes we made earlier to the Postfix settings, the sender's real IP address is sent along with the TCP packets.
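
A consistency check for the rule above, as an added example that is not part of the original article: it reads haproxy.cfg text and reports server lines whose use of send-proxy does not match the ports on which Postfix was told to expect the header (26, 466 and 588). The sample configuration is constructed, with two deliberate mismatches.

```python
# Postfix services configured with *_upstream_proxy_protocol=haproxy in master.cf.in
PROXY_PORTS = {26, 466, 588}
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")

def check_send_proxy(cfg_text, proxy_ports=PROXY_PORTS):
    """Return (section, server, problem) tuples, in file order."""
    findings, section = [], None
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            section = words[1] if len(words) > 1 else words[0]
        elif words[0] == "server" and len(words) >= 3:
            name, addr, opts = words[1], words[2], words[3:]
            port = addr.rsplit(":", 1)[-1]
            expects = port.isdigit() and int(port) in proxy_ports
            sends = "send-proxy" in opts
            if expects and not sends:
                # Postfix waits for a PROXY line that never arrives.
                findings.append((section, name, "missing send-proxy"))
            elif sends and not expects:
                # The backend receives a PROXY line it was not told to parse.
                findings.append((section, name, "unexpected send-proxy"))
    return findings

# Constructed sample in the article's style; mta2 and zproxy2 are wrong on purpose.
SAMPLE_CFG = """
backend backend-smtp-25
server mta1 192.168.0.77:26 send-proxy
server mta2 192.168.0.78:26

backend http-80
mode tcp
server zproxy1 192.168.0.57:80 check
server zproxy2 192.168.0.58:80 check send-proxy
"""

if __name__ == "__main__":
    for finding in check_send_proxy(SAMPLE_CFG):
        print(*finding)
```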

Now that all the necessary changes have been made to HAProxy, you can restart the service using the command service haproxy restart and start using it.

For all questions related to Zextras Suite, you can contact Zextras representative Ekaterina Triandafilidi by email at [email protected]

source: www.habr.com
