Core switch configuration:
#
interface Vlan-interface2
ip address 192.168.2.1 255.255.255.0
#
interface Vlan-interface3
ip address 192.168.3.1 255.255.255.0
#
interface Vlan-interface4
ip address 192.168.4.1 255.255.255.0
#
interface Vlan-interface5
ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port access vlan 2
interface GigabitEthernet1/0/2
port link-type trunk
port trunk permit vlan 4 5
interface GigabitEthernet1/0/3
port access vlan 3
ip route-static 61.159.4.100 32 192.168.4.2 //Traffic from the core to the virtual service is routed up to the LB
LB configuration:
Interface IP address configuration
#
interface GigabitEthernet1/0/0
port link-mode route
#
interface GigabitEthernet1/0/0.4
ip address 192.168.4.2 255.255.255.0
vlan-type dot1q vid 4
#
interface GigabitEthernet1/0/0.5
ip address 192.168.5.2 255.255.255.0
vlan-type dot1q vid 5
#
Health check configuration:
nqa template icmp t2 //This NQA probe was created only for testing, because the HTTP probe failed
destination ip 192.168.3.2
nqa template http t1 //NQA HTTP probe template
expect status 200
version v1.1
Create the real server:
real-server rs1
ip address 192.168.3.2
port 80
probe t2 //Reference the probe template
success-criteria at-least 1
loadbalance snat-pool 1 //Configure the source address pool
ip range start 61.159.4.100 end 61.159.4.100
Create the real server group
server-farm sf1
predictor hash address source
snat-pool 1 //Reference the source address pool
probe t2 //Reference the probe template
success-criteria at-least 1
real-server rs1 port 80
success-criteria at-least 1
probe t2
Configure the parameter profile
parameter-profile pp1 type http
rebalance per-request
Configure the load balancing policy:
loadbalance class lc-http type http match-any //Traffic characteristics
match 1 url /web
loadbalance action http-https type http //Load balancing action
redirect relocation https://61.159.4.100:8080%p
loadbalance policy lp1 type http //Load balancing policy
class lc-http action http-https
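Create the PKI domain and SSL policy
The certificate that ships with the device can be used for SSL decryption: first export the relevant certificate, import it into the browser, and then export the certificate from the browser.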
pki domain ca
public-key rsa general name ca
usage ssl-server
undo crl check enable
ssl server-policy ssl
pki-domain ca
ciphersuite dhe_rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha dhe_rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha256 rsa_aes_256_cbc_sha256 dhe_rsa_aes_128_cbc_sha256 dhe_rsa_aes_256_cbc_sha256 ecdhe_rsa_aes_128_cbc_sha256 ecdhe_rsa_aes_256_cbc_sha384 ecdhe_rsa_aes_128_gcm_sha256
ciphersuite ecdhe_rsa_aes_256_gcm_sha384 ecdhe_ecdsa_aes_128_cbc_sha256 ecdhe_ecdsa_aes_256_cbc_sha384 ecdhe_ecdsa_aes_128_gcm_sha256 ecdhe_ecdsa_aes_256_gcm_sha384 ecc_sm2_sm1_sm3 ecc_sm2_sm4_sm3 ecdhe_sm2_sm1_sm3 ecdhe_sm2_sm4_sm3 rsa_sm1_sha rsa_sm1_sm3
ciphersuite rsa_sm4_sha rsa_sm4_sm3 rsa_aes_128_gcm_sha256 rsa_aes_256_gcm_sha384 tls_aes_128_gcm_sha256 tls_aes_256_gcm_sha384 tls_chacha20_poly1305_sha256 tls_aes_128_ccm_sha256 tls_aes_128_ccm_8_sha256
certificate-chain-sending enable
version ssl3.0 disable
version tls1.0 disable
ciphersuite server-preferred enable
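An added example, not part of the original case: a small Python audit of the ssl server-policy block above that groups the configured suites by key exchange and MAC and lists the protocol versions the policy disables. The sample policy is a constructed subset of the suites on this page, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the suites from the ssl server-policy on this page.
SAMPLE_POLICY = """\
ssl server-policy ssl
pki-domain ca
ciphersuite dhe_rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha rsa_aes_128_cbc_sha256
ciphersuite ecdhe_rsa_aes_128_gcm_sha256 ecdhe_rsa_aes_256_gcm_sha384
ciphersuite rsa_aes_128_gcm_sha256 tls_aes_128_gcm_sha256
version ssl3.0 disable
version tls1.0 disable
ciphersuite server-preferred enable
"""

def parse_policy(text):
    """Return (suites, disabled_versions) from an ssl server-policy block."""
    suites, disabled = [], set()
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        # "ciphersuite server-preferred enable" is an ordering switch, not a suite list.
        if words[0] == "ciphersuite" and words[1:] != ["server-preferred", "enable"]:
            suites.extend(words[1:])
        elif words[0] == "version" and words[-1] == "disable":
            disabled.update(words[1:-1])
    return suites, disabled

def audit_policy(text):
    """Group the configured suites by the property a reviewer cares about."""
    suites, disabled = parse_policy(text)
    return {
        # Names starting with rsa_ use RSA key transport: no forward secrecy.
        "static_rsa_kx": [s for s in suites if s.startswith("rsa_")],
        # Names ending in _cbc_sha combine CBC mode with HMAC-SHA1.
        "cbc_sha1": [s for s in suites if s.endswith("_cbc_sha")],
        # Ephemeral (EC)DHE with GCM, plus the TLS 1.3 (tls_) suites.
        "aead_forward_secret": [s for s in suites
                                if re.match(r"(ecdhe|dhe)_.*_gcm_|tls_", s)],
        "disabled_versions": sorted(disabled),
    }

if __name__ == "__main__":
    for key, value in audit_policy(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

Suites reported under static_rsa_kx or cbc_sha1 are the candidates to drop from the policy. Any protocol version missing from disabled_versions should be checked against the device defaults.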
Configure the virtual services:
virtual-server vs1 type http
virtual ip address 61.159.4.100
parameter http pp1
lb-policy lp1
default server-farm sf1
sticky-sync enable global
service enable
virtual-server vs2 type http
port 8080
virtual ip address 61.159.4.100
parameter http pp1
default server-farm sf1
ssl-server-policy ssl
sticky-sync enable global
service enable
After configuration, verify the setup:
Accessing http://61.159.4.100 redirects the page to
https://61.159.4.100:8080/web/frame/login.html
Capture packets for analysis