Nginx+Keepalived雙主架構(gòu)：消除單點(diǎn)故障的最佳實(shí)踐

一、概述

1.1 背景介紹

玩負(fù)載均衡的都知道，單臺(tái) Nginx 就是個(gè)定時(shí)炸彈。跑得再穩(wěn)，硬件故障、網(wǎng)絡(luò)抖動(dòng)、內(nèi)核 panic 這些事誰(shuí)也說(shuō)不準(zhǔn)啥時(shí)候來(lái)。我見(jiàn)過(guò)太多團(tuán)隊(duì)，業(yè)務(wù)量不大的時(shí)候單機(jī)裸奔，等出了事故才想起來(lái)要做高可用，然后手忙腳亂地上線(xiàn)，結(jié)果配置沒(méi)調(diào)好又出問(wèn)題。

傳統(tǒng)的 Nginx + Keepalived 主備模式有個(gè)明顯缺點(diǎn)：備機(jī)資源閑置。一臺(tái)幾萬(wàn)塊的服務(wù)器放在那里只等著主機(jī)掛掉才派上用場(chǎng)，這 ROI 怎么算都不劃算。雙主架構(gòu)就是為了解決這個(gè)問(wèn)題——兩臺(tái)機(jī)器都在干活，互為備份，任何一臺(tái)掛了另一臺(tái)頂上，資源利用率直接翻倍。

我在某金融科技公司就用這套架構(gòu)抗住了雙十一的流量洪峰，兩臺(tái) 16 核 64G 的機(jī)器，日常各承擔(dān) 50% 流量，峰值時(shí)任意一臺(tái)都能扛住全部流量。關(guān)鍵是成本比買(mǎi)專(zhuān)業(yè)負(fù)載均衡設(shè)備便宜太多了。

1.2 技術(shù)特點(diǎn)

雙主架構(gòu)的核心思路：

傳統(tǒng)主備模式下，VIP（虛擬 IP）只綁在主機(jī)上，備機(jī)處于等待狀態(tài)。雙主模式的思路是使用兩個(gè) VIP，每臺(tái)機(jī)器各持有一個(gè) VIP 作為主，同時(shí)作為對(duì)方 VIP 的備。

正常狀態(tài)：
 VIP1 (192.168.1.100) -> NodeA (主) <- DNS 輪詢(xún)
? VIP2 (192.168.1.101) -> NodeB (主) <- DNS 輪詢(xún)

NodeA 故障：
? VIP1 (192.168.1.100) -> NodeB (接管)
 VIP2 (192.168.1.101) -> NodeB (主)

NodeB 故障：
 VIP1 (192.168.1.100) -> NodeA (主)
 VIP2 (192.168.1.101) -> NodeA (接管)

技術(shù)優(yōu)勢(shì)：

資源利用率翻倍：兩臺(tái)服務(wù)器都在服務(wù)，沒(méi)有閑置

故障切換快：Keepalived 秒級(jí)切換，業(yè)務(wù)感知弱

擴(kuò)展性好：后續(xù)可以升級(jí)為更復(fù)雜的集群架構(gòu)

成本低：用開(kāi)源軟件實(shí)現(xiàn)商業(yè)級(jí)高可用

1.3 適用場(chǎng)景

這套架構(gòu)適合：

中小型網(wǎng)站，日 PV 在 500 萬(wàn)以下

對(duì)成本敏感但又需要高可用的場(chǎng)景

內(nèi)部系統(tǒng)入口網(wǎng)關(guān)

API 網(wǎng)關(guān)層

不適合的場(chǎng)景：

超大流量（超過(guò)單機(jī)極限），建議上 LVS + Keepalived

需要復(fù)雜流量調(diào)度的場(chǎng)景，建議用專(zhuān)業(yè) ADC 設(shè)備

1.4 環(huán)境要求

網(wǎng)絡(luò)規(guī)劃示例：

二、詳細(xì)步驟

2.1 準(zhǔn)備工作

兩臺(tái)服務(wù)器都要做的基礎(chǔ)配置

關(guān)閉 SELinux：

# 臨時(shí)關(guān)閉
setenforce 0

# 永久關(guān)閉
sed -i's/SELINUX=enforcing/SELINUX=disabled/'/etc/selinux/config

配置防火墻：

# 開(kāi)放 Nginx 端口
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp

# 開(kāi)放 VRRP 協(xié)議（Keepalived 通信用）
firewall-cmd --permanent --add-rich-rule='rule protocol value="vrrp" accept'

# 重載防火墻
firewall-cmd --reload

內(nèi)核參數(shù)優(yōu)化：

cat > /etc/sysctl.d/99-nginx-keepalived.conf <

	

	配置 hosts（可選，方便管理）：

	
cat >> /etc/hosts <

	

	安裝 Nginx

	方法一：官方倉(cāng)庫(kù)安裝（推薦）

	
# 添加 Nginx 官方倉(cāng)庫(kù)
cat > /etc/yum.repos.d/nginx.repo <

	

	方法二：編譯安裝（需要特定模塊時(shí)）

	
# 安裝依賴(lài)
dnf install -y gcc make pcre2-devel openssl-devel zlib-devel 
  libxml2-devel libxslt-devel gd-devel GeoIP-devel

# 下載源碼
cd/usr/local/src
wget https://nginx.org/download/nginx-1.26.2.tar.gz
tar xzf nginx-1.26.2.tar.gz
cdnginx-1.26.2

# 編譯配置
./configure 
  --prefix=/etc/nginx 
  --sbin-path=/usr/sbin/nginx 
  --modules-path=/usr/lib64/nginx/modules 
  --conf-path=/etc/nginx/nginx.conf 
  --error-log-path=/var/log/nginx/error.log 
  --http-log-path=/var/log/nginx/access.log 
  --pid-path=/run/nginx.pid 
  --lock-path=/run/nginx.lock 
  --with-threads 
  --with-file-aio 
  --with-http_ssl_module 
  --with-http_v2_module 
  --with-http_realip_module 
  --with-http_gzip_static_module 
  --with-http_stub_status_module 
  --with-stream 
  --with-stream_ssl_module 
  --with-stream_realip_module

make -j$(nproc)
make install


	

	安裝 Keepalived

	
# Rocky Linux 9
dnf install -y keepalived

# 查看版本
keepalived --version
# Keepalived v2.3.1

# 如果倉(cāng)庫(kù)版本較老，可以編譯安裝
cd/usr/local/src
wget https://www.keepalived.org/software/keepalived-2.3.1.tar.gz
tar xzf keepalived-2.3.1.tar.gz
cdkeepalived-2.3.1

./configure --prefix=/usr/local/keepalived
make -j$(nproc)
make install

# 創(chuàng)建軟鏈接
ln -sf /usr/local/keepalived/sbin/keepalived /usr/sbin/keepalived
ln -sf /usr/local/keepalived/etc/keepalived /etc/keepalived


	

	2.2 核心配置

	Nginx 配置（兩臺(tái)相同）

	
# /etc/nginx/nginx.conf

user nginx;
worker_processes auto;
worker_cpu_affinity auto;
error_log /var/log/nginx/error.log warn;
pid /run/nginx.pid;

# 工作進(jìn)程能打開(kāi)的最大文件數(shù)
worker_rlimit_nofile 65535;

events {
  use epoll;
  worker_connections 65535;
  multi_accept on;
}

http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;

 # 日志格式 - 包含真實(shí)客戶(hù)端 IP
  log_format main'$remote_addr - $remote_user [$time_local] "$request" '
         '$status $body_bytes_sent "$http_referer" '
         '"$http_user_agent" "$http_x_forwarded_for" '
         'rt=$request_time uct="$upstream_connect_time" '
         'uht="$upstream_header_time" urt="$upstream_response_time"';

  access_log /var/log/nginx/access.log main buffer=16k flush=5s;

 # 基礎(chǔ)優(yōu)化
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;

 # Gzip 壓縮
  gzip on;
  gzip_min_length 1k;
  gzip_comp_level 4;
  gzip_types text/plain text/css application/json application/javascript
       text/xml application/xml application/xml+rss text/javascript;
  gzip_vary on;

 # 代理緩沖
  proxy_buffer_size 16k;
  proxy_buffers 4 64k;
  proxy_busy_buffers_size 128k;

 # 連接超時(shí)
  proxy_connect_timeout 5s;
  proxy_send_timeout 60s;
  proxy_read_timeout 60s;

 # 上游服務(wù)器組
  upstream backend_servers {
    least_conn;
    keepalive 100;

    server 192.168.1.21:8080 weight=100 max_fails=3 fail_timeout=10s;
    server 192.168.1.22:8080 weight=100 max_fails=3 fail_timeout=10s;
    server 192.168.1.23:8080 weight=100 max_fails=3 fail_timeout=10s;
  }

 # 默認(rèn) server - 拒絕未知 Host
  server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;

   return444;
  }

 # 健康檢查端點(diǎn) - Keepalived 用
  server {
    listen 127.0.0.1:10080;
    server_name localhost;

    location /nginx_status {
      stub_status on;
      allow 127.0.0.1;
      deny all;
    }

    location /health {
     return200"OK
";
      add_header Content-Type text/plain;
    }
  }

 # 業(yè)務(wù) server
  server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com example.com;

    ssl_certificate /etc/nginx/certs/example.com.crt;
    ssl_certificate_key /etc/nginx/certs/example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared10m;
    ssl_session_timeout 10m;

   # HSTS
    add_header Strict-Transport-Security"max-age=31536000"always;

   # 靜態(tài)文件
    location ~* .(jpg|jpeg|png|gif|ico|css|js|woff|woff2)$ {
      root /var/www/static;
      expires 30d;
      add_header Cache-Control"public, immutable";
    }

   # 動(dòng)態(tài)請(qǐng)求代理到后端
    location / {
      proxy_pass http://backend_servers;
      proxy_http_version 1.1;
      proxy_set_header Connection"";
      proxy_set_header Host$host;
      proxy_set_header X-Real-IP$remote_addr;
      proxy_set_header X-Forwarded-For$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto$scheme;

     # 健康檢查失敗時(shí)跳過(guò)問(wèn)題節(jié)點(diǎn)
      proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
      proxy_next_upstream_tries 3;
      proxy_next_upstream_timeout 10s;
    }
  }

  include /etc/nginx/conf.d/*.conf;
}


	

	Keepalived 配置 - NodeA

	
# /etc/keepalived/keepalived.conf (NodeA)

global_defs {
  router_id NGINX_HA_NODE_A

 # 腳本安全配置
  script_user root
  enable_script_security

 # 郵件告警（可選）
  notification_email {
    ops@example.com
  }
  notification_email_from keepalived@nginx-node-a
  smtp_server 127.0.0.1
  smtp_connect_timeout 30
}

# Nginx 健康檢查腳本
vrrp_script check_nginx {
  script"/etc/keepalived/scripts/check_nginx.sh"
  interval 2   # 檢查間隔 2 秒
  weight -20   # 檢查失敗時(shí)權(quán)重減 20
  fall 3     # 連續(xù) 3 次失敗判定為故障
  rise 2     # 連續(xù) 2 次成功判定為恢復(fù)
}

# VIP1 - NodeA 為主
vrrp_instance VI_1 {
  state MASTER          # 初始狀態(tài)為 MASTER
  interface eth0         # 綁定的網(wǎng)卡
  virtual_router_id 51      # 虛擬路由 ID，同一組內(nèi)必須相同
  priority 150          # 優(yōu)先級(jí)，MASTER 要比 BACKUP 高
  advert_int 1          # VRRP 通告間隔

 # 認(rèn)證配置（兩節(jié)點(diǎn)必須一致）
  authentication {
    auth_type PASS
    auth_pass K33pAl1v3d_VIP1 # 密碼最多 8 位
  }

 # 虛擬 IP 配置
  virtual_ipaddress {
    192.168.1.100/24 dev eth0 label eth0:vip1
  }

 # 綁定健康檢查腳本
  track_script {
    check_nginx
  }

 # 狀態(tài)變更通知腳本
  notify_master"/etc/keepalived/scripts/notify.sh master VI_1"
  notify_backup"/etc/keepalived/scripts/notify.sh backup VI_1"
  notify_fault"/etc/keepalived/scripts/notify.sh fault VI_1"
}

# VIP2 - NodeA 為備
vrrp_instance VI_2 {
  state BACKUP          # 初始狀態(tài)為 BACKUP
  interface eth0
  virtual_router_id 52      # 注意要和 VI_1 不同
  priority 100          # 優(yōu)先級(jí)比 NodeB 低
  advert_int 1

  authentication {
    auth_type PASS
    auth_pass K33pAl1v3d_VIP2
  }

  virtual_ipaddress {
    192.168.1.101/24 dev eth0 label eth0:vip2
  }

  track_script {
    check_nginx
  }

  notify_master"/etc/keepalived/scripts/notify.sh master VI_2"
  notify_backup"/etc/keepalived/scripts/notify.sh backup VI_2"
  notify_fault"/etc/keepalived/scripts/notify.sh fault VI_2"
}


	

	Keepalived 配置 - NodeB

	
# /etc/keepalived/keepalived.conf (NodeB)

global_defs {
  router_id NGINX_HA_NODE_B
  script_user root
  enable_script_security

  notification_email {
    ops@example.com
  }
  notification_email_from keepalived@nginx-node-b
  smtp_server 127.0.0.1
  smtp_connect_timeout 30
}

vrrp_script check_nginx {
  script"/etc/keepalived/scripts/check_nginx.sh"
  interval 2
  weight -20
  fall 3
  rise 2
}

# VIP1 - NodeB 為備
vrrp_instance VI_1 {
  state BACKUP
  interface eth0
  virtual_router_id 51      # 和 NodeA 的 VI_1 相同
  priority 100          # 比 NodeA 低
  advert_int 1

  authentication {
    auth_type PASS
    auth_pass K33pAl1v3d_VIP1 # 密碼必須和 NodeA 一致
  }

  virtual_ipaddress {
    192.168.1.100/24 dev eth0 label eth0:vip1
  }

  track_script {
    check_nginx
  }

  notify_master"/etc/keepalived/scripts/notify.sh master VI_1"
  notify_backup"/etc/keepalived/scripts/notify.sh backup VI_1"
  notify_fault"/etc/keepalived/scripts/notify.sh fault VI_1"
}

# VIP2 - NodeB 為主
vrrp_instance VI_2 {
  state MASTER
  interface eth0
  virtual_router_id 52
  priority 150          # 比 NodeA 高
  advert_int 1

  authentication {
    auth_type PASS
    auth_pass K33pAl1v3d_VIP2
  }

  virtual_ipaddress {
    192.168.1.101/24 dev eth0 label eth0:vip2
  }

  track_script {
    check_nginx
  }

  notify_master"/etc/keepalived/scripts/notify.sh master VI_2"
  notify_backup"/etc/keepalived/scripts/notify.sh backup VI_2"
  notify_fault"/etc/keepalived/scripts/notify.sh fault VI_2"
}


	

	健康檢查腳本

	
# /etc/keepalived/scripts/check_nginx.sh
#!/bin/bash
# Nginx 健康檢查腳本

# 方法1：檢查進(jìn)程是否存在
# pidof nginx > /dev/null 2>&1 || exit 1

# 方法2：檢查端口是否監(jiān)聽(tīng)（更準(zhǔn)確）
# ss -tlnp | grep -q ':80 ' || exit 1

# 方法3：HTTP 健康檢查（最可靠）
RESPONSE=$(curl -s -o /dev/null -w"%{http_code}"http://127.0.0.1:10080/health 2>/dev/null)

if["$RESPONSE"=="200"];then
 exit0
else
 exit1
fi


	

	狀態(tài)通知腳本

	
# /etc/keepalived/scripts/notify.sh
#!/bin/bash
# Keepalived 狀態(tài)變更通知腳本

STATE=$1 # master/backup/fault
VRRP_INSTANCE=$2
HOSTNAME=$(hostname)
DATETIME=$(date'+%Y-%m-%d %H:%M:%S')

LOG_FILE="/var/log/keepalived-notify.log"

log_message() {
 echo"[$DATETIME]$1">>$LOG_FILE
}

case"$STATE"in
  master)
    log_message"[$VRRP_INSTANCE] Transition to MASTER on$HOSTNAME"
   # 可以在這里發(fā)送告警通知
   # curl -X POST "https://your-webhook.com/alert" -d "msg=$HOSTNAME became MASTER for $VRRP_INSTANCE"
    ;;
  backup)
    log_message"[$VRRP_INSTANCE] Transition to BACKUP on$HOSTNAME"
    ;;
  fault)
    log_message"[$VRRP_INSTANCE] Transition to FAULT on$HOSTNAME"
   # 故障狀態(tài)，發(fā)送緊急告警
   # curl -X POST "https://your-webhook.com/alert" -d "msg=$HOSTNAME FAULT for $VRRP_INSTANCE"
    ;;
  *)
    log_message"[$VRRP_INSTANCE] Unknown state:$STATE"
    ;;
esac


	

	設(shè)置腳本權(quán)限：

	
mkdir -p /etc/keepalived/scripts
chmod +x /etc/keepalived/scripts/*.sh


	

	2.3 啟動(dòng)和驗(yàn)證

	啟動(dòng)服務(wù)：

	
# 兩臺(tái)服務(wù)器都執(zhí)行

# 啟動(dòng) Nginx
systemctlenablenginx
systemctl start nginx
systemctl status nginx

# 啟動(dòng) Keepalived
systemctlenablekeepalived
systemctl start keepalived
systemctl status keepalived


	

	驗(yàn)證 VIP 綁定：

	
# NodeA 上查看
ip addr show eth0 | grep -E"inet.*vip"
# 應(yīng)該看到 192.168.1.100

# NodeB 上查看
ip addr show eth0 | grep -E"inet.*vip"
# 應(yīng)該看到 192.168.1.101


	

	驗(yàn)證服務(wù)可用性：

	
# 從客戶(hù)端測(cè)試兩個(gè) VIP
curl -I http://192.168.1.100/health
curl -I http://192.168.1.101/health


	

	測(cè)試故障切換：

	
# 在 NodeA 上停止 Nginx
systemctl stop nginx

# 等待幾秒后檢查 VIP 是否漂移到 NodeB
# 在 NodeB 上執(zhí)行
ip addr show eth0 | grep -E"inet.*vip"
# 應(yīng)該看到兩個(gè) VIP：192.168.1.100 和 192.168.1.101

# 恢復(fù) NodeA 的 Nginx
systemctl start nginx

# VIP1 應(yīng)該漂移回 NodeA（搶占模式）


	

	三、示例代碼和配置

	3.1 完整配置示例

	生產(chǎn)環(huán)境配置清單

	
# 目錄結(jié)構(gòu)
/etc/nginx/
├── nginx.conf
├── conf.d/
│  ├── upstream.conf   # 上游服務(wù)器配置
│  ├── ssl.conf     # SSL 通用配置
│  └── www.example.com.conf # 站點(diǎn)配置
├── certs/
│  ├── example.com.crt
│  └── example.com.key
└── snippets/
  ├── proxy-params.conf # 代理參數(shù)
  └── security-headers.conf # 安全頭

/etc/keepalived/
├── keepalived.conf
└── scripts/
  ├── check_nginx.sh
  └── notify.sh


	

	upstream.conf

	
# /etc/nginx/conf.d/upstream.conf

# Web 應(yīng)用服務(wù)器
upstream web_app {
  least_conn;
  keepalive 100;
  keepalive_requests 1000;
  keepalive_timeout 60s;

  server 10.10.1.11:8080 weight=100 max_fails=3 fail_timeout=10s;
  server 10.10.1.12:8080 weight=100 max_fails=3 fail_timeout=10s;
  server 10.10.1.13:8080 weight=100 max_fails=3 fail_timeout=10s;
  server 10.10.1.14:8080 weight=100 max_fails=3 fail_timeout=10s;
}

# API 服務(wù)
upstream api_service {
  least_conn;
  keepalive 50;

  server 10.10.2.11:3000 weight=100;
  server 10.10.2.12:3000 weight=100;
}

# WebSocket 服務(wù)
upstream websocket_service {
  ip_hash; # WebSocket 需要會(huì)話(huà)保持

  server 10.10.3.11:8000;
  server 10.10.3.12:8000;
}


	

	proxy-params.conf

	
# /etc/nginx/snippets/proxy-params.conf

proxy_http_version 1.1;
proxy_set_header Connection"";
proxy_set_header Host$host;
proxy_set_header X-Real-IP$remote_addr;
proxy_set_header X-Forwarded-For$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto$scheme;
proxy_set_header X-Forwarded-Host$host;
proxy_set_header X-Forwarded-Port$server_port;

proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;

proxy_buffer_size 16k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;

proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
proxy_next_upstream_tries 3;
proxy_next_upstream_timeout 10s;


	

	站點(diǎn)配置

	
# /etc/nginx/conf.d/www.example.com.conf

# HTTP -> HTTPS 重定向
server {
  listen 80;
  server_name www.example.com example.com;
 return301 https://$host$request_uri;
}

# HTTPS 主站
server {
  listen 443 ssl http2;
  server_name www.example.com example.com;

 # SSL 配置
  ssl_certificate /etc/nginx/certs/example.com.crt;
  ssl_certificate_key /etc/nginx/certs/example.com.key;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared10m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;

 # 安全頭
  add_header Strict-Transport-Security"max-age=31536000; includeSubDomains"always;
  add_header X-Frame-Options"SAMEORIGIN"always;
  add_header X-Content-Type-Options"nosniff"always;
  add_header X-XSS-Protection"1; mode=block"always;

 # 靜態(tài)文件
  location /static/ {
   alias/var/www/static/;
    expires 30d;
    add_header Cache-Control"public, immutable";

   # 靜態(tài)文件直接返回，不走代理
    try_files$uri=404;
  }

 # API 接口
  location /api/ {
    include /etc/nginx/snippets/proxy-params.conf;
    proxy_pass http://api_service;
  }

 # WebSocket
  location /ws/ {
    proxy_pass http://websocket_service;
    proxy_http_version 1.1;
    proxy_set_header Upgrade$http_upgrade;
    proxy_set_header Connection"upgrade";
    proxy_set_header Host$host;
    proxy_set_header X-Real-IP$remote_addr;

   # WebSocket 超時(shí)要設(shè)長(zhǎng)一些
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
  }

 # 默認(rèn)走 Web 應(yīng)用
  location / {
    include /etc/nginx/snippets/proxy-params.conf;
    proxy_pass http://web_app;
  }

 # 健康檢查端點(diǎn)（給上層負(fù)載均衡用）
  location /health {
    access_log off;
   return200"OK
";
    add_header Content-Type text/plain;
  }
}


	

	3.2 實(shí)際應(yīng)用案例

	案例一：多站點(diǎn)雙主架構(gòu)

	某公司有三個(gè)域名需要高可用：

	
# DNS 配置（兩個(gè) VIP 都解析到每個(gè)域名）
www.site-a.com A 192.168.1.100
www.site-a.com A 192.168.1.101
www.site-b.com A 192.168.1.100
www.site-b.com A 192.168.1.101
api.company.com A 192.168.1.100
api.company.com A 192.168.1.101


	

	Nginx 配置多個(gè) server 塊，每個(gè)域名對(duì)應(yīng)不同的后端：

	
# /etc/nginx/conf.d/multi-site.conf

# Site A
server {
  listen 80;
  server_name www.site-a.com;
  location / {
    proxy_pass http://site_a_backend;
  }
}

# Site B
server {
  listen 80;
  server_name www.site-b.com;
  location / {
    proxy_pass http://site_b_backend;
  }
}

# API
server {
  listen 80;
  server_name api.company.com;
  location / {
    proxy_pass http://api_backend;
  }
}


	

	案例二：非搶占式雙主

	有些場(chǎng)景下不希望 VIP 來(lái)回漂移（減少切換帶來(lái)的抖動(dòng)），可以配置非搶占模式：

	
# NodeA - VI_1 配置
vrrp_instance VI_1 {
  state BACKUP        # 兩邊都設(shè)置為 BACKUP
  nopreempt         # 關(guān)鍵：禁止搶占
  interface eth0
  virtual_router_id 51
  priority 150        # 優(yōu)先級(jí)高的會(huì)先成為 MASTER
  advert_int 1

  authentication {
    auth_type PASS
    auth_pass K33pAl1v3d
  }

  virtual_ipaddress {
    192.168.1.100/24
  }

  track_script {
    check_nginx
  }
}

# NodeB - VI_1 配置
vrrp_instance VI_1 {
  state BACKUP
  nopreempt
  interface eth0
  virtual_router_id 51
  priority 100
  advert_int 1

  authentication {
    auth_type PASS
    auth_pass K33pAl1v3d
  }

  virtual_ipaddress {
    192.168.1.100/24
  }

  track_script {
    check_nginx
  }
}


	

	這樣配置后，即使 NodeA 恢復(fù)了，VIP 也不會(huì)從 NodeB 搶回來(lái)，減少不必要的切換。

	案例三：與云廠商 SLB 配合

	在云環(huán)境下，通常前面還有云廠商的 SLB（如 AWS ALB、阿里云 SLB）。這時(shí)候雙主架構(gòu)變成：

	
SLB (云廠商)
  ├── NodeA (真實(shí) IP)
  └── NodeB (真實(shí) IP)


	

	這種場(chǎng)景不需要 Keepalived 做 VIP 漂移，但可以利用其健康檢查能力：

	
# 簡(jiǎn)化版 keepalived.conf - 只做健康檢查
global_defs {
  router_id NGINX_HEALTH
}

vrrp_script check_nginx {
  script"/etc/keepalived/scripts/check_nginx.sh"
  interval 2
  weight -20
  fall 3
  rise 2
}

# 使用單播避免影響云網(wǎng)絡(luò)
vrrp_instance VI_HEALTH {
  state BACKUP
  interface eth0
  virtual_router_id 99
  priority 100
  advert_int 1
  nopreempt

 # 單播配置
  unicast_src_ip 10.0.1.11
  unicast_peer {
    10.0.1.12
  }

  track_script {
    check_nginx
  }

  notify_master"/etc/keepalived/scripts/notify_slb.sh register"
  notify_fault"/etc/keepalived/scripts/notify_slb.sh deregister"
}


	

	notify_slb.sh 腳本通過(guò)云 API 來(lái)注冊(cè)/注銷(xiāo)節(jié)點(diǎn)。

	四、最佳實(shí)踐和注意事項(xiàng)

	4.1 最佳實(shí)踐

	1. 健康檢查要檢查業(yè)務(wù)，不要只檢查進(jìn)程

	我見(jiàn)過(guò)很多配置只檢查 Nginx 進(jìn)程是否存在，這是不夠的。Nginx 進(jìn)程在，但后端全掛了，或者配置錯(cuò)誤導(dǎo)致返回 500，這種情況進(jìn)程檢查是發(fā)現(xiàn)不了的。

	
# 更完善的健康檢查腳本
#!/bin/bash

# 檢查 Nginx 進(jìn)程
if! pidof nginx > /dev/null;then
 echo"Nginx process not found"
 exit1
fi

# 檢查端口監(jiān)聽(tīng)
if! ss -tlnp | grep -q':80 ';then
 echo"Port 80 not listening"
 exit1
fi

# 檢查 HTTP 響應(yīng)
HTTP_CODE=$(curl -s -o /dev/null -w"%{http_code}"
  --connect-timeout 2 
  --max-time 5 
  http://127.0.0.1:10080/health 2>/dev/null)

if["$HTTP_CODE"!="200"];then
 echo"Health check returned$HTTP_CODE"
 exit1
fi

# 可選：檢查后端連通性
BACKEND_STATUS=$(curl -s -o /dev/null -w"%{http_code}"
  --connect-timeout 2 
  --max-time 5 
  http://127.0.0.1/api/health 2>/dev/null)

if["$BACKEND_STATUS"-ge 500 ];then
 echo"Backend unhealthy, status:$BACKEND_STATUS"
 exit1
fi

exit0


	

	2. 合理設(shè)置優(yōu)先級(jí)差值

	優(yōu)先級(jí)差值要大于 weight 的絕對(duì)值，否則可能出現(xiàn)腦裂：

	
# 假設(shè) weight = -20
# NodeA priority = 150
# NodeB priority = 100
# 差值 = 50 > 20，OK

# 如果設(shè)置成
# NodeA priority = 110
# NodeB priority = 100
# 差值 = 10 < 20
# 當(dāng) NodeA 健康檢查失敗時(shí)，priority 變成 90，低于 NodeB 的 100
# VIP 會(huì)漂移到 NodeB，但如果此時(shí) NodeA 恢復(fù)了
# priority 又變回 110，VIP 又漂移回來(lái)
# 導(dǎo)致 VIP 來(lái)回跳


	

	3. 配置組播/單播

	默認(rèn) Keepalived 使用 224.0.0.18 組播地址通信。在某些網(wǎng)絡(luò)環(huán)境下組播不通，需要改用單播：

	
vrrp_instance VI_1 {
  state MASTER
  interface eth0
  virtual_router_id 51
  priority 150
  advert_int 1

 # 本機(jī) IP
  unicast_src_ip 192.168.1.11

 # 對(duì)端 IP
  unicast_peer {
    192.168.1.12
  }

  authentication {
    auth_type PASS
    auth_pass K33pAl1v3d
  }

  virtual_ipaddress {
    192.168.1.100/24
  }
}


	

	4. 日志分離

	Keepalived 默認(rèn)日志混在系統(tǒng)日志里，建議單獨(dú)配置：

	
# /etc/rsyslog.d/keepalived.conf
if$programnamestartswith'Keepalived'then/var/log/keepalived.log
& stop


	

	4.2 注意事項(xiàng)

				問(wèn)題類(lèi)型
			

				現(xiàn)象
			

				原因分析
			

				解決方案
		

				腦裂
			

				兩臺(tái)都持有同一個(gè) VIP
			

				網(wǎng)絡(luò)故障導(dǎo)致心跳檢測(cè)失敗
			

				1. 檢查網(wǎng)絡(luò)連通性 2. 使用單播替代組播 3. 增加心跳檢測(cè)網(wǎng)絡(luò)
		

				VIP 不漂移
			

				主機(jī)掛了 VIP 不切換
			

				1. 防火墻阻止 VRRP 2. virtual_router_id 不一致
			

				1. 開(kāi)放 VRRP 協(xié)議 2. 檢查配置一致性
		

				VIP 來(lái)回跳
			

				頻繁切換
			

				1. 優(yōu)先級(jí)差值設(shè)置不當(dāng) 2. 網(wǎng)絡(luò)抖動(dòng)
			

				1. 增大優(yōu)先級(jí)差值 2. 增加 fall/rise 次數(shù)
		

				切換后服務(wù)不可用
			

				VIP 切換成功但訪(fǎng)問(wèn)失敗
			

				1. 連接跟蹤殘留 2. ARP 緩存
			

				1. 切換時(shí)清理 conntrack 2. 發(fā)送 GARP
		

				健康檢查誤判
			

				服務(wù)正常但被判定故障
			

				檢查腳本超時(shí)或邏輯錯(cuò)誤
			

				1. 增加超時(shí)時(shí)間 2. 優(yōu)化檢查邏輯
		

	踩坑經(jīng)歷：

	有一次生產(chǎn)環(huán)境出現(xiàn)了詭異的問(wèn)題——VIP 切換了，但客戶(hù)端還是連不上。排查發(fā)現(xiàn)是上層交換機(jī)的 ARP 緩存沒(méi)有及時(shí)更新。解決方案是在 notify 腳本里主動(dòng)發(fā)送免費(fèi) ARP：

	
# 在 notify.sh 的 master 分支里添加
arping -c 3 -A -I eth0 192.168.1.100


	

	五、故障排查和監(jiān)控

	5.1 故障排查

	Keepalived 狀態(tài)檢查：

	
# 查看 Keepalived 進(jìn)程
ps aux | grep keepalived

# 查看 VIP 綁定情況
ip addr show | grep -E"inet.*vip"

# 查看 Keepalived 日志
journalctl -u keepalived -f

# 或者
tail -f /var/log/keepalived.log

# 查看 VRRP 狀態(tài)
cat /proc/net/netfilter/nf_conntrack | grep vrrp


	

	網(wǎng)絡(luò)連通性檢查：

	
# 檢查兩節(jié)點(diǎn)間的網(wǎng)絡(luò)
ping -c 3 192.168.1.12

# 檢查 VRRP 組播是否通
tcpdump -i eth0 vrrp -nn

# 檢查防火墻規(guī)則
iptables -L -n | grep vrrp
firewall-cmd --list-all


	

	Nginx 狀態(tài)檢查：

	
# 檢查 Nginx 進(jìn)程
nginx -t
systemctl status nginx

# 檢查端口監(jiān)聽(tīng)
ss -tlnp | grep nginx

# 檢查連接數(shù)
ss -s

# 檢查 stub_status
curl http://127.0.0.1:10080/nginx_status


	

	手動(dòng)觸發(fā)故障切換測(cè)試：

	
# 方法1：停止 Nginx
systemctl stop nginx

# 方法2：停止 Keepalived
systemctl stop keepalived

# 方法3：模擬網(wǎng)絡(luò)故障
iptables -A INPUT -p vrrp -j DROP

# 恢復(fù)
iptables -D INPUT -p vrrp -j DROP


	

	5.2 性能監(jiān)控

	Nginx 監(jiān)控指標(biāo)：

	
# 使用 nginx-module-vts 或者簡(jiǎn)單的 stub_status
location /nginx_status {
  stub_status on;
  allow 127.0.0.1;
  deny all;
}


	

	Prometheus + Grafana 監(jiān)控：

	
# 安裝 nginx-prometheus-exporter
docker run -d -p 9113:9113 
  nginx/nginx-prometheus-exporter:latest 
  -nginx.scrape-uri=http://192.168.1.11:10080/nginx_status


	

	關(guān)鍵監(jiān)控指標(biāo)：

	
# Nginx 指標(biāo)
nginx_connections_active:當(dāng)前活躍連接數(shù)
nginx_connections_reading:正在讀取的連接數(shù)
nginx_connections_writing:正在寫(xiě)入的連接數(shù)
nginx_connections_waiting:空閑等待的連接數(shù)
nginx_http_requests_total:請(qǐng)求總數(shù)

# Keepalived 指標(biāo)（需要自己采集）
keepalived_vrrp_state:VRRP狀態(tài)（1=MASTER,2=BACKUP,3=FAULT）
keepalived_vrrp_transitions:狀態(tài)切換次數(shù)

# 報(bào)警規(guī)則
-活躍連接數(shù)超過(guò)worker_connections*0.8
-VRRP狀態(tài)變化
-Nginx進(jìn)程不存在
-健康檢查失敗


	

	監(jiān)控腳本示例：

	
#!/bin/bash
# /usr/local/bin/nginx-keepalived-monitor.sh

# 采集 Nginx 狀態(tài)
NGINX_STATUS=$(curl -s http://127.0.0.1:10080/nginx_status)
ACTIVE=$(echo"$NGINX_STATUS"| grep'Active'| awk'{print $3}')
READING=$(echo"$NGINX_STATUS"| grep'Reading'| awk'{print $2}')
WRITING=$(echo"$NGINX_STATUS"| grep'Writing'| awk'{print $4}')

# 采集 Keepalived 狀態(tài)
VIP1_STATUS="backup"
VIP2_STATUS="backup"

ifip addr show eth0 | grep -q"192.168.1.100";then
  VIP1_STATUS="master"
fi

ifip addr show eth0 | grep -q"192.168.1.101";then
  VIP2_STATUS="master"
fi

# 輸出 Prometheus 格式
echo"# HELP nginx_connections_active Active connections"
echo"# TYPE nginx_connections_active gauge"
echo"nginx_connections_active$ACTIVE"

echo"# HELP keepalived_vip1_is_master VIP1 master status"
echo"# TYPE keepalived_vip1_is_master gauge"
if["$VIP1_STATUS"=="master"];then
 echo"keepalived_vip1_is_master 1"
else
 echo"keepalived_vip1_is_master 0"
fi


	

	5.3 備份與恢復(fù)

	配置備份腳本：

	
#!/bin/bash
# /usr/local/bin/backup-nginx-keepalived.sh

BACKUP_DIR="/backup/nginx-keepalived"
DATE=$(date +%Y%m%d_%H%M%S)
HOSTNAME=$(hostname)

mkdir -p${BACKUP_DIR}

# 備份 Nginx 配置
tar czf${BACKUP_DIR}/${HOSTNAME}_nginx_${DATE}.tar.gz 
  /etc/nginx/ 
  /etc/sysctl.d/99-nginx-keepalived.conf

# 備份 Keepalived 配置
tar czf${BACKUP_DIR}/${HOSTNAME}_keepalived_${DATE}.tar.gz 
  /etc/keepalived/

# 備份證書(shū)
tar czf${BACKUP_DIR}/${HOSTNAME}_certs_${DATE}.tar.gz 
  /etc/nginx/certs/

# 保留 30 天
find${BACKUP_DIR}-typef -mtime +30 -delete

echo"Backup completed:${DATE}"


	

	快速恢復(fù)流程：

	
# 1. 安裝軟件
dnf install -y nginx keepalived

# 2. 恢復(fù)配置
tar xzf nginx_backup.tar.gz -C /
tar xzf keepalived_backup.tar.gz -C /

# 3. 驗(yàn)證配置
nginx -t
keepalived -t

# 4. 應(yīng)用內(nèi)核參數(shù)
sysctl -p /etc/sysctl.d/99-nginx-keepalived.conf

# 5. 啟動(dòng)服務(wù)
systemctl start nginx
systemctl start keepalived

# 6. 驗(yàn)證狀態(tài)
curl -I http://127.0.0.1/health
ip addr show eth0 | grep vip


	

	六、總結(jié)

	6.1 技術(shù)要點(diǎn)回顧

	雙主架構(gòu)的核心是兩個(gè) VIP，每臺(tái)機(jī)器各持有一個(gè)，互為備份

	Keepalived 的 priority 差值要大于健康檢查的 weight 絕對(duì)值

	健康檢查腳本要檢查業(yè)務(wù)層面，不能只檢查進(jìn)程

	非搶占模式可以減少 VIP 來(lái)回漂移帶來(lái)的抖動(dòng)

	在云環(huán)境下注意組播可能不通，要改用單播

	6.2 進(jìn)階學(xué)習(xí)方向

	三節(jié)點(diǎn)架構(gòu)：引入仲裁節(jié)點(diǎn)解決腦裂問(wèn)題

	跨機(jī)房高可用：BGP + ECMP 實(shí)現(xiàn)跨機(jī)房流量調(diào)度

	與 Consul/etcd 集成：實(shí)現(xiàn)服務(wù)發(fā)現(xiàn)和動(dòng)態(tài)配置

	Nginx Plus：商業(yè)版本提供更強(qiáng)大的健康檢查和監(jiān)控

	6.3 參考資料

	Nginx 官方文檔: https://nginx.org/en/docs/

	Keepalived 官方文檔: https://www.keepalived.org/manpage.html

	Keepalived GitHub: https://github.com/acassen/keepalived

	Linux Virtual Server: http://www.linuxvirtualserver.org/

	附錄

	A. 命令速查表

				命令
			

				說(shuō)明
		

				nginx -t
			

				檢查 Nginx 配置語(yǔ)法
		

				nginx -s reload
			

				平滑重載配置
		

				systemctl status keepalived
			

				查看 Keepalived 狀態(tài)
		

				ip addr show eth0
			

				查看 VIP 綁定情況
		

				tcpdump -i eth0 vrrp -nn
			

				抓取 VRRP 心跳包
		

				journalctl -u keepalived -f
			

				實(shí)時(shí)查看 Keepalived 日志
		

				arping -c 3 -A -I eth0 
			

				發(fā)送免費(fèi) ARP
		

				ss -tlnp | grep nginx
			

				查看 Nginx 監(jiān)聽(tīng)端口
		

				curl http://127.0.0.1:10080/nginx_status
			

				查看 Nginx 狀態(tài)
		

	B. 配置參數(shù)詳解

	Keepalived 關(guān)鍵參數(shù)：

				參數(shù)
			

				說(shuō)明
			

				建議值
		

				state
			

				初始狀態(tài)
			

				MASTER/BACKUP
		

				priority
			

				優(yōu)先級(jí)
			

				1-255，MASTER 要比 BACKUP 高
		

				advert_int
			

				心跳間隔
			

				1 秒
		

				virtual_router_id
			

				虛擬路由 ID
			

				1-255，同一組必須相同
		

				nopreempt
			

				禁止搶占
			

				穩(wěn)定性要求高時(shí)啟用
		

				weight
			

				健康檢查權(quán)重
			

				負(fù)數(shù)，絕對(duì)值小于 priority 差值
		

				fall
			

				失敗判定次數(shù)
			

				2-3
		

				rise
			

				恢復(fù)判定次數(shù)
			

				2
		

				interval
			

				檢查間隔
			

				2 秒
		

	Nginx 負(fù)載均衡參數(shù)：

				參數(shù)
			

				說(shuō)明
			

				建議值
		

				weight
			

				權(quán)重
			

				默認(rèn) 1
		

				max_fails
			

				最大失敗次數(shù)
			

				2-3
		

				fail_timeout
			

				失敗后暫停時(shí)間
			

				10-30s
		

				keepalive
			

				長(zhǎng)連接數(shù)
			

				50-100
		

				keepalive_requests
			

				單連接最大請(qǐng)求數(shù)
			

				1000
		

				keepalive_timeout
			

				長(zhǎng)連接超時(shí)
			

				60s
		

	C. 術(shù)語(yǔ)表

				術(shù)語(yǔ)
			

				解釋
		

				VIP
			

				Virtual IP，虛擬 IP 地址，用于高可用切換
		

				VRRP
			

				Virtual Router Redundancy Protocol，虛擬路由冗余協(xié)議
		

				MASTER
			

				主節(jié)點(diǎn)，持有 VIP 的節(jié)點(diǎn)
		

				BACKUP
			

				備節(jié)點(diǎn)，等待接管 VIP 的節(jié)點(diǎn)
		

				Priority
			

				優(yōu)先級(jí)，決定誰(shuí)成為 MASTER
		

				Preempt
			

				搶占模式，高優(yōu)先級(jí)節(jié)點(diǎn)恢復(fù)后搶回 VIP
		

				Split-Brain
			

				腦裂，兩個(gè)節(jié)點(diǎn)都認(rèn)為自己是 MASTER
		

				GARP
			

				Gratuitous ARP，免費(fèi) ARP，用于通知網(wǎng)絡(luò) VIP 漂移
		

				Health Check
			

				健康檢查，檢測(cè)服務(wù)是否正常
		

				Failover
			

				故障切換，主節(jié)點(diǎn)故障時(shí)切換到備節(jié)點(diǎn)