VMware NSX for the Little Ones. Part 5: Configuring the Load Balancer


Part one. Introduction
Part two. Configuring Firewall and NAT rules
Part three. Configuring DHCP
Part four. Configuring routing

Last time we talked about the capabilities of NSX Edge for static and dynamic routing, and today we will deal with the load balancer.
Before we start configuring it, I would like to briefly recall the main types of balancing.

Theory

All modern load-balancing solutions are usually divided into two categories: balancing at the fourth (transport) and at the seventh (application) layer of the OSI model. The OSI model is not the best reference point for describing balancing methods. For example, if an L4 balancer also supports TLS termination, does it become an L7 balancer? But it is what it is.

  • An L4 balancer is most often an intermediate proxy that stands between the client and a set of available backends. It terminates TCP connections (that is, it answers the SYN itself), selects a backend and opens a new TCP session to it, sending the SYN itself. This type is one of the basic ones; other variants are possible.
  • An L7 balancer distributes traffic across the available backends in a "more sophisticated" way than an L4 balancer. It can decide which backend to choose based on, for example, the contents of the HTTP message (URL, cookie, etc.).

Regardless of its type, a balancer can support the following functions:

  • Service discovery: the process of determining the set of available backends (Static, DNS, Consul, Etcd, etc.).
  • Health checking of the discovered backends (an active "ping" of the backend with an HTTP request, detection of problems in TCP connections, the presence of several 503 HTTP codes in responses, etc.).
  • The balancing itself (round robin, random selection, source IP hash, URI).
  • TLS termination and certificate verification.
  • Security-related options (authentication, protection against DoS attacks, rate limiting) and much more.

NSX Edge supports two load balancer deployment modes:

Proxy mode, or one-arm. In this mode NSX Edge uses its own IP address as the source address when it sends a request to one of the backends. The balancer therefore performs Source and Destination NAT at the same time. The backend sees all traffic as coming from the balancer and replies to the balancer directly. In this scheme the balancer must be in the same network segment as the internal servers.

Here is how it works:
1. The user sends a request to the VIP address (the balancer address) configured on the Edge.
2. The Edge selects one of the backends and performs destination NAT, replacing the VIP address with the address of the selected backend.
3. The Edge performs source NAT, replacing the address of the user who sent the request with its own.
4. The packet is sent to the selected backend.
5. The backend does not reply to the user directly but to the Edge, because the user's original address was replaced with the balancer's address.
6. The Edge forwards the server's response to the user.
The diagram is below.

Transparent mode, or inline. In this scenario the balancer has interfaces in both the internal and the external network. At the same time, there is no direct access to the internal network from the external one. The built-in load balancer acts as a NAT gateway for the virtual machines in the internal network.

The mechanism is as follows:
1. The user sends a request to the VIP address (the balancer address) configured on the Edge.
2. The Edge selects one of the backends and performs destination NAT, replacing the VIP address with the address of the selected backend.
3. The packet is sent to the selected backend.
4. The backend receives the request with the user's original address (source NAT was not performed) and replies to it directly.
5. The traffic is received by the load balancer again, because in the inline scheme it usually acts as the default gateway for the server farm.
6. The Edge performs source NAT to send the traffic to the user, using its VIP as the source IP address.
The diagram is below.

Setup

My test bench has 3 servers running Apache, configured to work over HTTPS. The Edge will do round robin balancing of HTTPS requests, proxying each new request to a new server.
Let's begin.

Generating the SSL certificate that NSX Edge will use
You can import a valid CA certificate or use a self-signed one. In this test I will use a self-signed one.

  1. In the vCloud Director interface, go to the Edge services settings.
  2. Go to the Certificates tab. From the list of actions, choose to add a new CSR.
  3. Fill in the required fields and click Keep.
  4. Select the newly created CSR and choose the self-sign CSR option.
  5. Choose the validity period of the certificate and click Keep.
  6. The self-signed certificate appears in the list of available ones.

Configuring the Application Profile
Application profiles give you more complete control over network traffic and make managing it simple and efficient. They can be used to define the behaviour of specific types of traffic.

  1. Go to the Load Balancer tab and enable the balancer. The Acceleration enabled option here lets the balancer use faster L4 balancing instead of L7.
  2. Go to the Application profile tab to configure the application profile. Click +.
  3. Set the profile name and select the type of traffic the profile will be applied to. Let me explain some of the parameters.
    Persistence - stores and tracks session data, for example which particular server in the pool is serving the user's request. This ensures that the user's requests are sent to the same pool member for the whole lifetime of the session or for subsequent sessions.
    Enable SSL passthrough - when this option is selected, NSX Edge stops terminating SSL. Instead, termination happens directly on the balanced servers.
    Insert X-Forwarded-For HTTP header - lets you determine the source IP address of a client that connects to the web server through the load balancer.
    Enable Pool Side SSL - lets you specify that the selected pool consists of HTTPS servers.
  4. Since I will be balancing HTTPS traffic, I need to enable Pool Side SSL and select the previously generated certificate on the Virtual Server Certificates -> Service Certificate tab.
  5. Do the same for Pool Certificates -> Service Certificate.
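In proxy mode the backend's TCP peer is always the balancer, so the X-Forwarded-For header is the only place the client address survives, and a client can send its own copy of that header. The following added example (not code from the original article) shows backend-side parsing that accepts the header only from the balancer and reads it right to left; the addresses are constructed, and it assumes the balancer appends the address it saw as the last entry.

```python
import ipaddress

# Constructed value: the Edge's pool-side address as seen by the backends.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_values):
    """Return the address to log or authorize for one request.

    peer       -- TCP source address seen by the backend
    xff_values -- every X-Forwarded-For header value, in the order received
    """
    peer_addr = ipaddress.ip_address(peer)
    # The request bypassed the balancer: the header is fully client-controlled.
    if not _is_trusted(peer_addr):
        return str(peer_addr)
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    # Walk right to left: only entries appended by our own proxy are reliable.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing further to the left
        if not _is_trusted(addr):
            return str(addr)
    # No usable entry: fall back to the peer (the balancer itself).
    return str(peer_addr)
```

Anything to the left of the entry written by the balancer is whatever the client chose to send, so it should never feed access decisions or rate limits.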

Creating the pool of servers to which traffic will be balanced (Pools)

  1. Go to the Pools tab. Click +.
  2. Set the pool name, select the algorithm (I will use round robin) and the monitoring type for the backend health check. The Transparent option indicates whether the clients' original source IPs are visible to the internal servers.
    • If the option is disabled, traffic to the internal servers comes from the balancer's source IP.
    • If the option is enabled, the internal servers see the clients' source IP. In this configuration NSX Edge must act as the default gateway to make sure that returned packets pass through NSX Edge.

    NSX supports the following balancing algorithms:

    • IP_HASH - the server is selected based on the result of a hash function over the source and destination IP of each packet.
    • LEASTCONN - incoming connections are balanced according to the number of connections already present on a particular server. New connections are directed to the server with the fewest connections.
    • ROUND_ROBIN - new connections are sent to each server in turn, in accordance with the weight assigned to it.
    • URI - the left part of the URI (before the question mark) is hashed and divided by the total weight of the servers in the pool. The result indicates which server receives the request, which ensures that a request is always sent to the same server as long as all servers remain available.
    • HTTPHEADER - balancing based on a particular HTTP header, which can be specified as a parameter. If the header is absent or has no value, the ROUND_ROBIN algorithm is used.
    • URL - each HTTP GET request is searched for the URL parameter specified as the argument. If the parameter is followed by an equals sign and a value, the value is hashed and divided by the total weight of the running servers. The result indicates which server receives the request. This process is used to track user IDs in requests and to ensure that the same user id is always sent to the same server as long as all servers remain available.

  3. In the Members block, click + to add servers to the pool.

    Here you need to specify:

    • the server name;
    • the server IP address;
    • the port on which the server will receive traffic;
    • the port for the health check (Monitor healthcheck);
    • weight - with this parameter you can adjust the proportional amount of traffic received by a particular pool member;
    • Max Connections - the maximum number of connections to the server;
    • Min Connections - the minimum number of connections the server must handle before traffic is forwarded to the next pool member.

    This is what the final pool of three servers looks like.
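The URI and URL algorithms above both reduce a hash by the total weight, which is why they keep a request on the same server only "as long as all servers remain available". The following added example (not code from the original article or from NSX) models that rule with a weight-expanded table; the pool members, weights and URIs are constructed, and SHA-256 stands in for the Edge's hash function, which the article does not name.

```python
import hashlib

# Constructed pool: member name -> weight (sample values, not from the article).
POOL = {"web-01": 1, "web-02": 1, "web-03": 2}


def slots(pool, down=()):
    """One table entry per unit of weight, skipping members that are down."""
    return [name for name, weight in sorted(pool.items())
            if name not in down for _ in range(weight)]


def pick_by_uri(uri, pool, down=()):
    """Hash the URI part before '?' and reduce it modulo the total weight."""
    table = slots(pool, down)
    if not table:
        return None  # every member is down
    left = uri.split("?", 1)[0]
    # SHA-256 is a stand-in; the hash the Edge really uses is not given here.
    digest = hashlib.sha256(left.encode()).digest()
    return table[int.from_bytes(digest[:8], "big") % len(table)]


def share(uris, pool, down=()):
    """Requests per member for a list of URIs."""
    counts = {name: 0 for name in pool}
    for uri in uris:
        counts[pick_by_uri(uri, pool, down)] += 1
    return counts


def remapped(uris, pool, down):
    """URIs whose member changes once the `down` members leave the pool."""
    return sum(pick_by_uri(u, pool) != pick_by_uri(u, pool, down) for u in uris)


SAMPLE_URIS = [f"/item/{i}" for i in range(4000)]  # constructed input
```

In this model, taking one member out changes the divisor, so URIs that were served by healthy members move as well; anything that relies on the mapping (local caches, server-side session state) has to tolerate that.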

Adding a Virtual Server

  1. Go to the Virtual Servers tab. Click +.
  2. Activate the virtual server with Enable Virtual Server.
    Give it a name, select the previously created Application Profile and Pool, and specify the IP address on which the Virtual Server will receive requests from outside. Specify the HTTPS protocol and port 443.
    Optional parameters here:
    Connection Limit - the maximum number of simultaneous connections the virtual server can process;
    Connection Rate Limit (CPS) - the maximum number of new incoming requests per second.

This completes the balancer configuration; you can now check that it works. The servers have a simple configuration that lets you tell which server from the pool processed the request. During setup we selected the Round Robin balancing algorithm, and the Weight parameter of each server equals one, so each subsequent request will be processed by the next server in the pool.
Enter the external address of the balancer in the browser and see:

After refreshing the page, the request is processed by the next server:

And once more, to check the third server from the pool:

On inspection, you can see that the certificate the Edge sends us is the same one we generated at the beginning.

Checking the balancer status from the Edge gateway console. To do this, enter show service loadbalancer pool.

Configuring a Service Monitor to check the state of the servers in the pool
With a Service Monitor we can monitor the state of the servers in the backend pool. If the response to a request is not the expected one, the server can be taken out of the pool so that it does not receive new requests.
By default, three check methods are configured:

  • TCP-monitor,
  • HTTP-monitor,
  • HTTPS-monitor.

Let's create a new one.

  1. Go to the Service Monitoring tab and click +.
  2. Select:
    • the name of the new method;
    • the interval at which requests will be sent,
    • the timeout for waiting for a response,
    • the monitoring type - an HTTPS request using the GET method, the expected status code 200 (OK), and the request URL.
  3. This completes the setup of the new Service Monitor; now we can use it when creating a pool.

Configuring Application Rules

Application rules are a way of manipulating traffic based on certain triggers. With this tool we can create advanced load balancing rules that may not be possible to configure through application profiles or through other services available on the Edge Gateway.

  1. To create a rule, go to the Application Rules tab of the balancer.
  2. Choose a name and the script that the rule will use, and click Keep.
  3. After the rule has been created, we need to edit the already configured Virtual Server.
  4. On the Advanced tab, add the rule we created.

In the example above we enabled tlsv1 support.

A few more examples:

Redirect traffic to another pool.
With this script we can redirect traffic to another balancing pool if the main pool is down. For the rule to work, several pools must be configured on the balancer and all members of the main pool must be in the down state. You need to specify the name of the pool, not its ID.

acl pool_down nbsrv(PRIMARY_POOL_NAME) eq 0
use_backend SECONDARY_POOL_NAME if pool_down

Redirect traffic to an external resource.
Here we redirect traffic to an external website if all members of the main pool are down.

acl pool_down nbsrv(NAME_OF_POOL) eq 0
redirect location http://www.example.com if pool_down

More examples are here.

That is all from me about the balancer. If you have questions, ask; I am ready to answer.

Source: www.habr.com
