Environment: CentOS Linux release 7.4.1708 (Core)
1. openresty-1.11.2.4.tar.gz
2. luarocks-2.4.2.tar.gz
3. pcre-8.40.tar.gz
4. openssl-1.0.2n.tar.gz
5. kong-0.11.0.tar.gz
6. node-v8.9.4-linux-x64.tar.xz
7. luarocks-2.4.2-1.src.rock
8. sslconfig
Source directory: /home/package
/usr/local/kong
Directory layout:
Install directory: /usr/local/kong
Log directory: /usr/local/kong/logs
PID directory: /opt/run/kong
Config directory: /usr/local/kong
Host allocation
Kong: 10.95.196.149/150
PostgreSQL: 10.95.196.149
PostgreSQL installation
Operations on 10.95.196.149
Download PostgreSQL:
postgresql-9.6.6.tar.gz
# Create the PostgreSQL user and group
groupadd -g 26 -o -r postgres
useradd -M -g postgres -o -r -d /home/pgsql -s /bin/bash -u 26 postgres
# Create the PostgreSQL data and log directories
mkdir -p /home/pgsql/{data,logs}
chown -R postgres /home/pgsql
# Switch user to initialize PostgreSQL
su postgres
# Add environment variables
vi .bash_profile
PGHOME=/home/pgsql/postgresql-9.6.6
export PGHOME
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PGHOME/lib
export PGLOG=/home/pgsql/logs/pgsql.log
PGDATA=/home/pgsql/data
export PGDATA
PATH=$PATH:$HOME/.local/bin:$HOME/bin:$PGHOME/bin
export PATH
Initialize PostgreSQL
initdb -E utf8 -D /home/pgsql/data -W -U postgres
Note: all of the following operations are performed as the postgres user
# Grant PostgreSQL network access: edit /home/pgsql/data/pg_hba.conf and add
host kong149 kong149 10.95.196.0/24 trust
The added line allows hosts in the 10.95.196.0/24 network to access database kong as user kong.
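The pg_hba.conf rule above uses the trust method, which lets any host in 10.95.196.0/24 connect as kong149 without presenting a password, so the subnet boundary is the only control on database access. The Python script below is an added example (not part of the guide) that parses pg_hba.conf-style lines and reports credential-free rules that reach beyond the loopback address; the sample rules are constructed and include the rule from this guide.

```python
"""Audit pg_hba.conf rules for credential-free access beyond loopback.

Added example, not part of the original guide. It parses pg_hba.conf-style
lines (TYPE DATABASE USER [ADDRESS] METHOD) and flags rules whose METHOD is
'trust' for any address range that is not purely loopback. The rules below
are constructed sample input, with the guide's own rule included.
"""
import ipaddress
import shlex

# Auth methods that require no credential at all from the connecting client.
NO_CREDENTIAL_METHODS = {"trust"}

# Constructed sample pg_hba.conf content.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
host    kong149         kong149         10.95.196.0/24          trust
host    all             all             0.0.0.0/0               trust
"""


def parse_pg_hba(text):
    """Parse pg_hba.conf text into rule dicts, skipping blanks and comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if fields[0] == "local":
            # 'local' rules (Unix sockets) have no ADDRESS column.
            if len(fields) < 4:
                continue
            rules.append({"line": lineno, "type": "local", "database": fields[1],
                          "user": fields[2], "address": None, "method": fields[3]})
        else:
            if len(fields) < 5:
                continue
            rules.append({"line": lineno, "type": fields[0], "database": fields[1],
                          "user": fields[2], "address": fields[3], "method": fields[4]})
    return rules


def is_loopback_only(address):
    """True when the CIDR covers loopback addresses and nothing else.

    Hostnames and keywords such as 'all' or 'samenet' are not parseable as
    networks and are treated as non-loopback (i.e. reviewed conservatively).
    """
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False
    return net.is_loopback


def find_risky_rules(text):
    """Return the rules that grant credential-free access beyond loopback."""
    risky = []
    for rule in parse_pg_hba(text):
        if rule["method"] not in NO_CREDENTIAL_METHODS:
            continue
        if rule["type"] == "local" or is_loopback_only(rule["address"]):
            continue
        risky.append(rule)
    return risky


if __name__ == "__main__":
    for rule in find_risky_rules(SAMPLE_PG_HBA):
        print("line %d: %s %s %s %s %s" % (rule["line"], rule["type"], rule["database"],
                                           rule["user"], rule["address"], rule["method"]))
```

Run it against a real /home/pgsql/data/pg_hba.conf by passing the file contents to find_risky_rules; a clean file yields an empty list. To require a password from the Kong hosts, the rule's method would be changed from trust to md5 (the user kong149 already has a password set by createuser -P below).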
# Adjust the PostgreSQL listen address
sed -i "/#listen_addresses/c listen_addresses='10.95.196.149'" /home/pgsql/data/postgresql.conf
# Start PostgreSQL
pg_ctl start -D /home/pgsql/data -l /home/pgsql/logs/pgsql.log
# Create user kong; set the password for user kong when prompted
createuser -l -E kong149 -P
Enter the password when prompted: ui8ga$No
# Create database kong
createdb -E utf8 -O kong149 kong149
Operations on 10.95.196.149-150
Install some additional packages
yum install devtoolset-3-gcc devtoolset-3-gcc-c++ devtoolset-3-libstdc++-devel gperftools-devel gperftools-libs
Download the source packages
mkdir -p /home/package
cd /home/package
wget https://openresty.org/download/openresty-1.11.2.4.tar.gz
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.40.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
wget http://luarocks.github.io/luarocks/releases/luarocks-2.4.2.tar.gz
git clone https://github.com/cloudflare/sslconfig.git
wget https://github.com/Mashape/kong/archive/0.10.3.tar.gz -O kong-0.10.3.tar.gz
The packages above can also be downloaded directly from their respective websites; downloading straight from the server may fail with an SSL handshake error.
Install OpenSSL
tar -xf openssl-1.0.2n.tar.gz # extracting with -xzvf leads to problems during the build; the cause is unclear
cd openssl-1.0.2n
patch -p1 </home/package/sslconfig/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102j.patch
./config threads shared
make depend
make && make install
By default OpenSSL installs to /usr/local/ssl; if this differs, the SSL include and library paths in the build options below must be changed accordingly.
Install OpenResty
# Create the user and group (optional)
groupadd websuite
useradd -g websuite -M -s /sbin/nologin websuite
# Build and install OpenResty
tar -xf openresty-1.11.2.4.tar.gz
tar -xf pcre-8.40.tar.gz
# Create the directories OpenResty needs
mkdir -p /usr/local/kong/{run,logs,conf}
mkdir -p /usr/local/kong/temp/{client,proxy}
cd openresty-1.11.2.4
./configure --prefix=/usr/local/kong -j24 \
--with-http_iconv_module \
--with-luajit \
--sbin-path=/usr/local/kong/sbin/nginx \
--conf-path=/usr/local/kong/conf/nginx.conf \
--error-log-path=/usr/local/kong/logs/error.log \
--http-log-path=/usr/local/kong/logs/access.log \
--with-threads \
--with-file-aio \
--with-http_realip_module \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_random_index_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_ssl_module \
--http-client-body-temp-path=/usr/local/kong/temp/client \
--http-proxy-temp-path=/usr/local/kong/temp/proxy \
--modules-path=/usr/local/kong/modules \
--with-http_v2_module \
--with-cc-opt='-w -pipe -march=native -mtune=native -m128bit-long-double -m64 -fno-builtin-malloc -I/usr/local/ssl/include' \
--with-ld-opt='-L/usr/local/ssl/lib' \
--with-pcre=../pcre-8.40 \
--with-pcre-opt=-fPIC \
--with-pcre-jit
gmake -j8 && make install
Install luarocks
tar zxf luarocks-2.4.2.tar.gz
cd luarocks-2.4.2
./configure --prefix=/usr/local/kong \
--rocks-tree=/usr/local/kong/luajit \
--sysconfdir=/usr/local/kong/conf/luarocks \
--lua-suffix=jit \
--with-lua=/usr/local/kong/luajit \
--with-lua-include=/usr/local/kong/luajit/include/luajit-2.1
make build
make install
echo 'export PATH="${PATH}:/usr/local/kong/bin:/usr/local/kong/sbin:/usr/local/kong/luajit/bin"' > /etc/profile.d/kong.sh
source /etc/profile.d/kong.sh
Copy the downloaded luarocks-2.4.2-1.src.rock into the luarocks-2.4.2 directory and run:
luarocks install luarocks-2.4.2-1.src.rock
Install Kong
tar -xf kong-0.11.0.tar.gz
cd kong-0.11.0
sed -i '/OPENSSL_DIR ?=/c OPENSSL_DIR ?= /usr/local/ssl' Makefile
make install
cp -r bin/* /usr/local/kong/bin/
Install the Perl Time::HiRes component
yum -y install perl-Time-HiRes
Create symbolic links
ln -f -s /usr/local/ssl/lib/libssl.so.1.0.0 /lib64/libssl.so.1.0.0
ln -f -s /usr/local/ssl/lib/libcrypto.so.1.0.0 /lib64/libcrypto.so.1.0.0
Adjust Kong's configuration
Path: /usr/local/kong/luajit/share/lua/5.1/kong/templates
File: nginx.lua
return [[
> if nginx_user then
user ${{NGINX_USER}};
> end
worker_processes ${{NGINX_WORKER_PROCESSES}};
daemon ${{NGINX_DAEMON}};
pid pids/nginx.pid;
error_log ${{PROXY_ERROR_LOG}} ${{LOG_LEVEL}};
> if nginx_optimizations then
worker_rlimit_nofile ${{WORKER_RLIMIT}};
> end
events {
> if nginx_optimizations then
use epoll;
worker_connections 65536;
multi_accept on;
> end
}
http {
include 'nginx-kong.conf';
}
]]
File: nginx_kong.lua
return [[
charset UTF-8;
> if anonymous_reports then
${{SYSLOG_REPORTS}}
> end
error_log ${{PROXY_ERROR_LOG}} ${{LOG_LEVEL}};
>if nginx_optimizations then
include /usr/local/kong/conf/mime.types;
default_type application/octet-stream;
sendfile on;
>-- send_timeout 60s; # default value
keepalive_timeout 120s; # default value
keepalive_requests 10000;
server_tokens off;
>-- client_body_timeout 60s; # default value
>-- client_header_timeout 60s; # default value
>-- tcp_nopush on; # disabled until benchmarked
gzip on;
gzip_comp_level 6;
gzip_min_length 1024;
gzip_proxied any;
gzip_vary on;
gzip_buffers 96 8k;
gzip_types text/json text/plain text/css application/json application/javascript application/x-javascript application/rss+xml;
>-- proxy_buffer_size 128k; # disabled until benchmarked
proxy_buffers 128 8k; # disabled until benchmarked
>-- proxy_busy_buffers_size 256k; # disabled until benchmarked
>-- reset_timedout_connection on; # disabled until benchmarked
>end
log_format access '$http_x_forwarded_for [$time_local] request_time[$request_time] upto $upstream_addr,'
'upresponse_time[$upstream_response_time], "$request" $status $body_bytes_sent '
'"$http_user_agent"';
client_max_body_size ${{CLIENT_MAX_BODY_SIZE}};
proxy_ssl_server_name on;
underscores_in_headers on;
lua_package_path '${{LUA_PACKAGE_PATH}};;';
lua_package_cpath '${{LUA_PACKAGE_CPATH}};;';
lua_socket_pool_size ${{LUA_SOCKET_POOL_SIZE}};
lua_max_running_timers 4096;
lua_max_pending_timers 16384;
lua_shared_dict kong 30m;
lua_shared_dict kong_cache ${{MEM_CACHE_SIZE}};
lua_shared_dict kong_process_events 30m;
lua_shared_dict kong_cluster_events 30m;
lua_shared_dict kong_healthchecks 30m;
> if database == "cassandra" then
lua_shared_dict kong_cassandra 5m;
> end
lua_socket_log_errors off;
> if lua_ssl_trusted_certificate then
lua_ssl_trusted_certificate '${{LUA_SSL_TRUSTED_CERTIFICATE}}';
lua_ssl_verify_depth ${{LUA_SSL_VERIFY_DEPTH}};
> end
init_by_lua_block {
kong = require 'kong'
kong.init()
}
init_worker_by_lua_block {
kong.init_worker()
}
proxy_next_upstream_tries 2;
upstream kong_upstream {
server 0.0.0.1;
balancer_by_lua_block {
kong.balancer()
}
keepalive ${{UPSTREAM_KEEPALIVE}};
}
server {
server_name localhost;
listen ${{PROXY_LISTEN}}${{PROXY_PROTOCOL}};
error_page 400 404 408 411 412 413 414 417 /kong_error_handler;
error_page 500 502 503 504 /kong_error_handler;
access_log ${{PROXY_ACCESS_LOG}} access;
error_log ${{PROXY_ERROR_LOG}} ${{LOG_LEVEL}};
client_body_buffer_size ${{CLIENT_BODY_BUFFER_SIZE}};
> if ssl then
listen ${{PROXY_LISTEN_SSL}} ssl${{HTTP2}}${{PROXY_PROTOCOL}};
ssl_certificate ${{SSL_CERT}};
ssl_certificate_key ${{SSL_CERT_KEY}};
ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate_by_lua_block {
kong.ssl_certificate()
}
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ${{SSL_CIPHERS}};
> end
> if client_ssl then
proxy_ssl_certificate ${{CLIENT_SSL_CERT}};
proxy_ssl_certificate_key ${{CLIENT_SSL_CERT_KEY}};
> end
real_ip_header ${{REAL_IP_HEADER}};
real_ip_recursive ${{REAL_IP_RECURSIVE}};
> for i = 1, #trusted_ips do
set_real_ip_from $(trusted_ips[i]);
> end
location / {
set $upstream_host '';
set $upstream_upgrade '';
set $upstream_connection '';
set $upstream_scheme 'http';
set $upstream_uri '';
set $upstream_x_forwarded_for '';
set $upstream_x_forwarded_proto '';
set $upstream_x_forwarded_host '';
set $upstream_x_forwarded_port '';
rewrite_by_lua_block {
kong.rewrite()
}
access_by_lua_block {
kong.access()
}
proxy_http_version 1.1;
proxy_set_header Host $upstream_host;
proxy_set_header Upgrade $upstream_upgrade;
proxy_set_header Connection $upstream_connection;
#proxy_set_header X-Forwarded-For $upstream_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $upstream_x_forwarded_proto;
proxy_set_header X-Forwarded-Host $upstream_x_forwarded_host;
proxy_set_header X-Forwarded-Port $upstream_x_forwarded_port;
proxy_set_header X-Real-IP $http_x_forwarded_for;
proxy_pass_header Server;
proxy_pass_header Date;
proxy_ssl_name $upstream_host;
proxy_pass http://kong_upstream$upstream_uri;
header_filter_by_lua_block {
kong.header_filter()
}
body_filter_by_lua_block {
kong.body_filter()
}
log_by_lua_block {
kong.log()
}
}
location = /kong_error_handler {
internal;
content_by_lua_block {
kong.handle_error()
}
}
}
server {
server_name localhost;
listen ${{ADMIN_LISTEN}};
access_log ${{ADMIN_ACCESS_LOG}};
error_log ${{ADMIN_ERROR_LOG}} ${{LOG_LEVEL}};
client_max_body_size 10m;
client_body_buffer_size 10m;
> if admin_ssl then
listen ${{ADMIN_LISTEN_SSL}} ssl${{ADMIN_HTTP2}};
ssl_certificate ${{ADMIN_SSL_CERT}};
ssl_certificate_key ${{ADMIN_SSL_CERT_KEY}};
ssl_protocols TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ${{SSL_CIPHERS}};
> end
location / {
default_type application/json;
content_by_lua_block {
kong.serve_admin_api()
}
}
location /nginx_status {
internal;
access_log off;
stub_status;
}
location /robots.txt {
return 200 'User-agent: *\nDisallow: /';
}
}
]]
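The log_format access defined in the template above is custom, so stock log parsers will not read it. nginx concatenates the three quoted strings verbatim, which means there is no space between the comma after $upstream_addr and upresponse_time[, and because proxy_next_upstream_tries 2 is set, $upstream_addr and $upstream_response_time each hold two comma-separated values when a request was retried on a second upstream (a - means unset). The Python parser below is an added example (not from the guide or from Kong) that reads that exact format, handles the retry and unset cases, and aggregates 5xx responses and the slowest response per upstream; the log lines are constructed. The first field, $http_x_forwarded_for, is copied unchanged from the client's request header, and with trusted_ips = NONE in the defaults nothing validates it, so the parser keeps it as an opaque string rather than treating it as the client address.

```python
"""Parse the custom 'access' log_format from the nginx_kong.lua template above.

Added example, not part of the original guide or of Kong. The format, after
nginx joins the three quoted strings, is:
  $http_x_forwarded_for [$time_local] request_time[$request_time] upto $upstream_addr,upresponse_time[$upstream_response_time], "$request" $status $body_bytes_sent "$http_user_agent"
The sample log lines are constructed.
"""
import re
from collections import defaultdict

ACCESS_RE = re.compile(
    r'^(?P<xff>.*?) \[(?P<time_local>[^\]]+)\] '
    r'request_time\[(?P<request_time>[^\]]*)\] '
    r'upto (?P<upstream_addr>.*?),'
    r'upresponse_time\[(?P<upstream_response_time>[^\]]*)\], '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_user_agent>[^"]*)"$'
)

# Constructed sample lines: a normal hit, a 404 with no upstream, a request
# retried on a second upstream (two addresses and two times), a 500, and junk.
SAMPLE_LOG = """\
203.0.113.7 [10/Jan/2018:12:00:01 +0800] request_time[0.012] upto 10.95.196.20:8080,upresponse_time[0.011], "GET /api/v1/users HTTP/1.1" 200 512 "curl/7.29.0"
- [10/Jan/2018:12:00:02 +0800] request_time[0.003] upto -,upresponse_time[-], "GET /missing HTTP/1.1" 404 48 "Mozilla/5.0"
198.51.100.4, 10.95.196.150 [10/Jan/2018:12:00:03 +0800] request_time[2.104] upto 10.95.196.20:8080, 10.95.196.21:8080,upresponse_time[2.001, 0.102], "POST /api/v1/orders HTTP/1.1" 502 166 "python-requests/2.18"
203.0.113.7 [10/Jan/2018:12:00:04 +0800] request_time[0.250] upto 10.95.196.21:8080,upresponse_time[0.248], "GET /api/v1/users HTTP/1.1" 500 80 "curl/7.29.0"
this line does not match the format
"""


def _split_list(value):
    """nginx joins values of retried upstreams with ', '; '-' means unset."""
    return [v.strip() for v in value.split(",") if v.strip() not in ("", "-")]


def parse_access_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = ACCESS_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["body_bytes_sent"] = int(d["body_bytes_sent"])
    d["request_time"] = float(d["request_time"])
    d["upstream_addrs"] = _split_list(d.pop("upstream_addr"))
    d["upstream_response_times"] = [float(t) for t in _split_list(d.pop("upstream_response_time"))]
    # More than one address means nginx retried the request on another upstream.
    d["retried"] = len(d["upstream_addrs"]) > 1
    # xff is untrusted client-supplied text; it is kept verbatim, never parsed as an address.
    return d


def summarize(log_text):
    """Aggregate per-upstream 5xx counts, slowest upstream time and unparsable lines."""
    report = {"parsed": 0, "unparsed": 0, "retried": 0,
              "upstream_5xx": defaultdict(int), "max_upstream_time": {}}
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        report["parsed"] += 1
        if rec["retried"]:
            report["retried"] += 1
        for addr, t in zip(rec["upstream_addrs"], rec["upstream_response_times"]):
            report["max_upstream_time"][addr] = max(report["max_upstream_time"].get(addr, 0.0), t)
        # The last address in the list is the upstream that produced the final response.
        if rec["status"] >= 500 and rec["upstream_addrs"]:
            report["upstream_5xx"][rec["upstream_addrs"][-1]] += 1
    report["upstream_5xx"] = dict(report["upstream_5xx"])
    return report


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed it the contents of /usr/local/kong/logs/access.log to get the same report for a real gateway; lines counted under unparsed usually indicate a changed log_format rather than corrupt data, and a rising retried count points at an upstream that is timing out before the second try succeeds.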
File: kong_defaults.lua
return [[
prefix = /usr/local/kong/
log_level = notice
proxy_access_log = logs/access.log
proxy_error_log = logs/error.log
admin_access_log = logs/admin_access.log
admin_error_log = logs/admin_error.log
custom_plugins = NONE
anonymous_reports = on
proxy_listen = 0.0.0.0:8000
proxy_listen_ssl = 0.0.0.0:8443
admin_listen = 0.0.0.0:5000
admin_listen_ssl = 0.0.0.0:5443
nginx_user = root
nginx_worker_processes = auto
nginx_optimizations = on
nginx_daemon = on
mem_cache_size = 1024m
http2 = off
ssl = on
ssl_cert = NONE
ssl_cert_key = NONE
client_ssl = off
client_ssl_cert = NONE
client_ssl_cert_key = NONE
ssl_cipher_suite = modern
ssl_ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
admin_http2 = off
admin_ssl = on
admin_ssl_cert = NONE
admin_ssl_cert_key = NONE
upstream_keepalive = 60
server_tokens = off
latency_tokens = on
trusted_ips = NONE
real_ip_header = X-Forwarded-For
real_ip_recursive = off
client_max_body_size = 8m
client_body_buffer_size = 8k
error_default_type = text/plain
database = postgres
pg_host = 10.95.196.149
pg_port = 5432
pg_database = kong149
pg_user = kong149
pg_password = ui8ga$No
pg_ssl = off
pg_ssl_verify = off
cassandra_contact_points = 127.0.0.1
cassandra_port = 9042
cassandra_keyspace = kong
cassandra_timeout = 5000
cassandra_ssl = off
cassandra_ssl_verify = off
cassandra_username = kong
cassandra_password = NONE
cassandra_consistency = ONE
cassandra_lb_policy = RoundRobin
cassandra_local_datacenter = NONE
cassandra_repl_strategy = SimpleStrategy
cassandra_repl_factor = 1
cassandra_data_centers = dc1:2,dc2:3
cassandra_schema_consensus_timeout = 10000
db_update_frequency = 60
db_update_propagation = 0
db_cache_ttl = 3600
dns_resolver = NONE
dns_hostsfile = /etc/hosts
dns_order = LAST,SRV,A,CNAME
dns_stale_ttl = 4
dns_not_found_ttl = 30
dns_error_ttl = 1
dns_no_sync = off
lua_socket_pool_size = 30
lua_ssl_trusted_certificate = NONE
lua_ssl_verify_depth = 1
lua_package_path = ./?.lua;./kong/init.lua;
lua_package_cpath = NONE
]]
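Several values in the kong_defaults.lua template above deserve a second look before the gateway goes live: nginx_user = root runs the nginx workers as root, admin_listen = 0.0.0.0:5000 and admin_listen_ssl = 0.0.0.0:5443 expose the Admin API (which carries no authentication of its own; the kong-dashboard basic-auth below protects only the dashboard) on every interface, pg_ssl = off sends database traffic to 10.95.196.149 in cleartext, and pg_password stores the database credential in the template. The Python script below is an added example (not from the guide or from Kong) that parses this key = value format, where NONE means unset, and reports those settings; the sample text is constructed from the guide's values with the password replaced by a placeholder.

```python
"""Review a kong_defaults-style configuration for risky settings.

Added example, not part of the original guide or of Kong. It parses the
'key = value' lines of the kong_defaults.lua template (NONE means unset) and
reports settings that widen the gateway's attack surface. SAMPLE_DEFAULTS is
constructed from the guide's values; the password is a placeholder.
"""
import ipaddress

SAMPLE_DEFAULTS = """\
prefix = /usr/local/kong/
proxy_listen = 0.0.0.0:8000
admin_listen = 0.0.0.0:5000
admin_listen_ssl = 0.0.0.0:5443
admin_ssl = on
nginx_user = root
database = postgres
pg_host = 10.95.196.149
pg_password = EXAMPLE-PLACEHOLDER
pg_ssl = off
anonymous_reports = on
trusted_ips = NONE
real_ip_header = X-Forwarded-For
"""


def parse_kong_defaults(text):
    """Parse 'key = value' lines; a value of NONE is returned as None."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = None if value == "NONE" else value
    return conf


def _bind_is_wide_open(listen):
    """True when a listen value binds every interface (0.0.0.0 or ::)."""
    if not listen:
        return False
    host = listen.rsplit(":", 1)[0].strip("[]")  # handles host:port and [v6]:port
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False


def _is_remote_host(host):
    """True when the database host is not the local machine."""
    if not host or host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # a hostname: assume it resolves off-box


def review_kong_defaults(text):
    """Return a list of (setting, finding) tuples for risky values."""
    conf = parse_kong_defaults(text)
    findings = []
    if conf.get("nginx_user") == "root":
        findings.append(("nginx_user", "nginx workers run as root; use an unprivileged account"))
    for key in ("admin_listen", "admin_listen_ssl"):
        if _bind_is_wide_open(conf.get(key)):
            findings.append((key, "Admin API bound to all interfaces; bind to 127.0.0.1 or firewall the port"))
    if (conf.get("database") == "postgres" and _is_remote_host(conf.get("pg_host"))
            and conf.get("pg_ssl") != "on"):
        findings.append(("pg_ssl", "database traffic to a remote host is unencrypted"))
    if conf.get("pg_password"):
        findings.append(("pg_password", "credential stored in the defaults template; restrict file permissions"))
    if conf.get("anonymous_reports") == "on":
        findings.append(("anonymous_reports", "usage telemetry is enabled"))
    return findings


if __name__ == "__main__":
    for setting, finding in review_kong_defaults(SAMPLE_DEFAULTS):
        print("%s: %s" % (setting, finding))
```

The same parser works on the kong.conf file a deployment ships with, since it uses the same key = value lines. proxy_listen = 0.0.0.0:8000 is deliberately not flagged: the proxy port is meant to be reachable, and the F5 in front of 149/150 forwards to it.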
Start Kong
kong start, or kong start -vv (if kong start reports an error, use kong start -vv to debug)
If the database schema is incompatible, run kong migrations up
Download and install Node
node-v8.9.4-linux-x64.tar.xz
wget https://nodejs.org/dist/v8.9.4/node-v8.9.4-linux-x64.tar.xz # download
tar xf node-v8.9.4-linux-x64.tar.xz
cd node-v8.9.4-linux-x64/
ln -s /home/package/kongpack/node-v8.9.4-linux-x64/bin/npm /usr/local/bin/
ln -s /home/package/kongpack/node-v8.9.4-linux-x64/bin/node /usr/local/bin/
node -v
Install Kong-dashboard with npm, then start it:
nohup node /usr/local/bin/kong-dashboard start -u http://127.0.0.1:5000 -p 9001 --basic-auth admin=bei}g6Th &
Open the address in a browser and log in with the username and password.
Then configure load balancing at the F5 layer to 10.96.196.149/150 for high availability.