ProHoster > Blog > Ulamuliro > Tsegulani kusanja mu Zimbra Open-Source Edition pogwiritsa ntchito HAProxy

Tsegulani kusanja mu Zimbra Open-Source Edition pogwiritsa ntchito HAProxy

Imodzi mwantchito zazikulu pomanga zida zazikulu za Zimbra OSE ndikuwongolera moyenera katundu. Kuwonjezera pa mfundo yakuti kumawonjezera vuto kulolerana utumiki, popanda katundu kugwirizanitsa n'zosatheka kuonetsetsa kuyankha chimodzimodzi utumiki kwa onse ogwiritsa. Kuti athetse vutoli, zolemetsa zolemetsa zimagwiritsidwa ntchito - mapulogalamu ndi mapulogalamu a hardware omwe amagawiranso zopempha pakati pa maseva. Pakati pawo pali akale kwambiri, monga RoundRobin, omwe amangotumiza pempho lililonse ku seva yotsatira pamndandanda, komanso pali zina zapamwamba kwambiri, mwachitsanzo HAProxy, yomwe imagwiritsidwa ntchito kwambiri pamakompyuta olemetsa kwambiri chifukwa cha chiwerengero cha ubwino waukulu. Tiyeni tiwone momwe mungapangire HAProxy load balancer ndi Zimbra OSE kugwirira ntchito limodzi.

Tsegulani kusanja mu Zimbra Open-Source Edition pogwiritsa ntchito HAProxy

Chifukwa chake, malinga ndi zomwe zafotokozedwa pankhaniyi, tapatsidwa Zimbra OSE infrastructure, yomwe ili ndi Zimbra Proxies ziwiri, ma seva awiri a LDAP, LDAP Replica, malo osungira ma mailbox anayi okhala ndi ma mailbox 1000 iliyonse, ndi ma MTA atatu. Popeza tikugwira ntchito ndi seva ya makalata, idzalandira mitundu itatu ya anthu omwe amafunika kulinganiza: HTTP yokweza kasitomala wa pa intaneti, komanso POP ndi SMTP yotumizira maimelo. Anthu omwe amadutsa pa HTTP adzatumizidwa ku maseva Zimbra Proxy yokhala ndi ma IP address 192.168.0.57 ndi 192.168.0.58, ndipo traffic ya SMTP idzapita ku ma seva a MTA okhala ndi ma IP address 192.168.0.77 ndi 192.168.0.78.

Monga tanenera kale, kuti tiwonetsetse kuti zopempha pakati pa ma seva zikugawidwa mofanana, tidzagwiritsa ntchito HAProxy load balancer, yomwe idzayenda pa node yolowera ya zomangamanga za Zimbra zomwe zikuyenda. Ubuntu 18.04. Kuyika haproxy mu dongosolo logwiritsira ntchito kumachitika pogwiritsa ntchito lamulo sudo apt-get kukhazikitsa haproxy. Pambuyo pa izi muyenera mu fayilo /etc/default/haproxy kusintha parameter ZOTHANDIZA=0 pa ZOTHANDIZA=1. Tsopano, kuti muwonetsetse kuti haproxy ikugwira ntchito, ingolowetsani lamulo service haproxy. Ngati ntchitoyi ikugwira ntchito, izi zidzamveka bwino kuchokera ku zotsatira za lamulo.

Chimodzi mwa zovuta zazikulu za HAProxy ndichakuti sichitumiza adilesi ya IP ya kasitomala wolumikizira mwachisawawa, ndikuyiyika m'malo mwake. Izi zitha kubweretsa zochitika pomwe maimelo otumizidwa ndi owukira sangadziwike ndi IP adilesikuti muyiike pamndandanda wakuda. Komabe, vutoli likhoza kuthetsedwa. Kuti muchite izi, muyenera kusintha fayilo /opt/zimbra/common/conf/master.cf.in pa maseva omwe ali ndi Postfix ndikuwonjezera mizere yotsatirayi:

26      inet  n       -       n       -       1       postscreen
        -o postscreen_upstream_proxy_protocol=haproxy
 
466    inet  n       -       n       -       -       smtpd
%%uncomment SERVICE:opendkim%%  -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=
        -o smtpd_data_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o syslog_name=postfix/smtps
        -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_upstream_proxy_protocol=haproxy
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust
 
588 inet n      -       n       -       -       smtpd
%%uncomment SERVICE:opendkim%%  -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_data_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_recipient_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o syslog_name=postfix/submission
        -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_upstream_proxy_protocol=haproxy
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust

Chifukwa cha izi, tidzatsegula madoko 26, 466 ndi 588, omwe adzalandira magalimoto obwera kuchokera ku HAProxy. Mafayilo atasungidwa, muyenera kuyambitsanso Postfix pa maseva onse pogwiritsa ntchito zmmtactl restart command.

Pambuyo pake, tiyeni tiyambe kukhazikitsa HAProxy. Kuti muchite izi, choyamba pangani kopi yosunga zosunga zobwezeretsera cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak. Kenako tsegulani fayilo yoyambira mumkonzi wamawu /etc/haproxy/haproxy.cfg ndikuyamba kuwonjezera zoikamo zofunika kwa izo sitepe ndi sitepe. Chotchinga choyamba chidzakhala chikuwonjezera seva yomwe imatenga zipika, ndikuyika nambala yovomerezeka yolumikizira nthawi imodzi, komanso kufotokozera dzina ndi gulu la wogwiritsa ntchito lomwe lidzakhala.

global
    user daemon
    group daemon
    daemon
    log 127.0.0.1 daemon
    maxconn 5000
    chroot /var/lib/haproxy

Chiwerengero cha 5000 cholumikizira nthawi imodzi chinawonekera pazifukwa. Popeza tili ndi makalata 4000 muzomangamanga zathu, tikuyenera kulingalira za kuthekera kuti onse adzalandira imelo yawo yantchito nthawi imodzi. Kuonjezera apo, m'pofunika kusiya malo osungirako ochepa ngati chiwerengero chawo chikuwonjezeka.

Tsopano tiyeni tiwonjeze chipika chokhala ndi zosintha zosasintha:

defaults
        timeout client 1m
        log global
        mode tcp
        timeout server 1m
        timeout connect 5s

Chotchinga ichi chimakhazikitsa nthawi yochuluka kwa kasitomala ndi seva kuti atseke kugwirizanako ikatha, ndikuyikanso njira yogwiritsira ntchito HAProxy. Kwa ife, balancer yolemetsa imagwira ntchito mu TCP mode, ndiko kuti, imangotumiza mapaketi a TCP popanda kusanthula zomwe zili.

Kenako tidzawonjezera malamulo olumikizirana pamadoko osiyanasiyana. Mwachitsanzo, ngati port 25 ikugwiritsidwa ntchito polumikizana ndi ma SMTP ndi makalata, ndiye kuti ndizomveka kutumiza maulumikizidwe ake ku MTAs omwe amapezeka muzomangamanga zathu. Ngati kulumikizana kuli pa doko 80, ndiye kuti iyi ndi pempho la http lomwe liyenera kutumizidwa ku Zimbra Proxy.

Lamulo la port 25:

frontend smtp-25
bind *:27
default_backend backend-smtp-25
 
backend backend-smtp-25
server mta1 192.168.0.77:26 send-proxy
server mta2 192.168.0.78:26 send-proxy

Lamulo la port 465:

frontend smtp-465
bind *:467
default_backend backend-smtp-465

backend backend-smtp-465
server mta1 192.168.0.77:466 send-proxy
server mta2 192.168.0.78:466 send-proxy

Lamulo la port 587:

frontend smtp-587
bind *:589
default_backend backend-smtp-587
 
backend backend-smtp-587
server mail1 192.168.0.77:588 send-proxy
server mail2 192.168.0.78:588 send-proxy

Lamulo la port 80:

frontend http-80
bind    *:80
default_backend http-80
 
backend http-80
mode tcp
server zproxy1 192.168.0.57:80 check
server zproxy2 192.168.0.58:80 check

Lamulo la port 443:

frontend https
bind  *:443
default_backend https-443
 
backend https-443
mode tcp
server zproxy1 192.168.0.57:80 check
server zproxy2 192.168.0.58:80 check

Chonde dziwani kuti m'malamulo otumizira mapaketi a TCP ku MTA, pafupi ndi ma adilesi awo pali chizindikiro. kutumiza-woyimira. Izi ndizofunikira kuti, molingana ndi zosintha zomwe tidapanga kale ku zoikamo za Postfix, adilesi yoyambirira ya IP ya wotumizayo imatumizidwa limodzi ndi mapaketi a TCP.

Tsopano kuti zosintha zonse zofunikira zapangidwa ku HAProxy, mutha kuyambitsanso ntchitoyo pogwiritsa ntchito lamulo service haproxy restart ndikuyamba kugwiritsa ntchito.

Pamafunso onse okhudzana ndi Zextras Suite, mutha kulumikizana ndi Woimira Zextras Ekaterina Triandafilidi ndi imelo katerina@zextras.com

Source: www.habr.com

Gulani kuchititsa kodalirika kwamasamba okhala ndi chitetezo cha DDoS, ma seva a VPS VDS Gulani malo odalirika osungira mawebusayiti okhala ndi chitetezo cha DDoS, ma seva a VPS VDS | ProHoster