CN116094903A - SSLVPN high availability method and system - Google Patents


Info

Publication number
CN116094903A
Authority
CN
China
Prior art keywords
openvpn
sslvpn
service
udp
high availability
Legal status
Pending
Application number
CN202211721092.3A
Other languages
Chinese (zh)
Inventor
谢绍宁
李长春
袁勋
Current Assignee
Tianyi Cloud Technology Co Ltd
Original Assignee
Tianyi Cloud Technology Co Ltd
Events
Application filed by Tianyi Cloud Technology Co Ltd
Priority to CN202211721092.3A
Publication of CN116094903A
Current legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0823 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability
    • H04L41/0836 Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability to enhance reliability, e.g. reduce downtime
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/2866 Architectures; Arrangements
    • H04L67/30 Profiles
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a high availability method and system for SSLVPN, relating to the field of network security, comprising the following steps: creating 1 OpenVPN configuration file; starting 4 OpenVPN processes; setting the IPVS UDP connection timeout to 30 seconds; binding the ports that need load balancing; adding the back-end services; and periodically detecting with an active (health-check) script whether the UDP service of each OpenVPN process is normal, removing the OpenVPN process from the ipvsadm back-end service list if its UDP service is abnormal, and re-adding it to the list after the OpenVPN process is restored. After the master node goes down, the SSLVPN function is automatically and rapidly switched to the standby node without manual intervention, realizing automatic failover, reducing operation and maintenance investment, and ensuring the high availability of the SSLVPN.

Description

SSLVPN high availability method and system
Technical Field
The invention relates to the field of network technology and security, in particular to an SSLVPN high availability method and system.
Background
The SSLVPN based on OpenVPN has no high availability scheme or framework: when the OpenVPN service process goes offline or the virtual machine hosting OpenVPN goes down, the SSLVPN becomes unavailable, affecting the availability and stability of the service.
Based on the above, the technical problem to be solved in the prior art is as follows: design a high availability scheme based on OpenVPN that improves the availability of SSLVPN in both single-machine and dual-machine deployments. In other words, no system exists in the prior art that can automatically recover or quickly fail over when the OpenVPN service process fails or the host goes down, so as to continuously provide an available service.
Disclosure of Invention
The embodiment of the invention provides a high availability method and system for SSLVPN, which can automatically and rapidly switch the SSLVPN function to a standby node without manual intervention after the master node goes down, realizing automatic failover, reducing operation and maintenance investment and ensuring the high availability of the SSLVPN.
In order to achieve the above purpose, the invention adopts the following technical scheme:
In a first aspect, there is provided an SSLVPN high availability method, the method comprising: creating 1 OpenVPN configuration file; starting 4 OpenVPN processes; setting the IPVS UDP connection timeout to 30 seconds; binding the ports needing load balancing; adding the back-end services; and periodically detecting with the active script whether the UDP service of each OpenVPN process is normal, removing the OpenVPN process from the ipvsadm back-end service list if its UDP service is abnormal, and re-adding it to the list after the OpenVPN process is restored.
With reference to the first aspect, in one possible design, creating 1 OpenVPN configuration file includes: placing the parameters shared by the 4 OpenVPN processes in it.
With reference to the first aspect, in one possible design, starting 4 OpenVPN processes includes: designating a corresponding port and virtual subnet for each process.
With reference to the first aspect, in one possible design, setting the IPVS UDP connection timeout to 30 seconds includes: the connection timeout is 3 times the heartbeat interval between the VPN client and the server.
With reference to the first aspect, adding a back-end service includes: the back-end services include ipvsadm -a -u 10.10.0.1:1194 -r 10.10.0.1:1195 -m.
With reference to the first aspect, in one possible design, the method further includes: in the initial state, selecting the virtual machine deployed first as the master node; configuring asynchronous streaming replication between the 2 PostgreSQL databases; installing and configuring rsync and inotify on the 2 virtual machines and starting real-time synchronization of the configuration files; configuring a liveness detection script in keepalived that periodically detects the VPN console and the PostgreSQL database; and configuring the actions keepalived triggers upon active-standby switching.
With reference to the first aspect, in one possible design, selecting the virtual machine deployed first as the master node includes: configuring keepalived and binding the VIP to the network card.
With reference to the first aspect, in one possible design, configuring asynchronous streaming replication between the 2 PostgreSQL databases includes: asynchronous streaming replication is configured between the 2 PostgreSQL databases.
In a second aspect, there is provided an SSLVPN high availability system, the system comprising: a creating unit for creating 1 OpenVPN configuration file; a starting unit for starting 4 OpenVPN processes; a setting unit for setting the IPVS UDP connection timeout to 30 seconds; a binding unit for binding the ports needing load balancing; an adding unit for adding the back-end services; and a monitoring unit for periodically detecting with the active script whether the UDP service of each OpenVPN process is normal, removing the OpenVPN process from the ipvsadm back-end service list if its UDP service is abnormal, and re-adding it to the list after the OpenVPN process is restored.
In a third aspect, an embodiment of the present invention provides an electronic device, comprising: one or more processors; a memory; and one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by the one or more processors, the one or more applications being configured to perform the method of the first aspect.
According to the high-availability method for the SSLVPN, after the master node is down, under the condition that manual intervention is not needed, the function of the SSLVPN can be automatically and rapidly switched to the standby node, the automatic fault transfer is realized, the operation and maintenance investment is reduced, and meanwhile, the high availability of the SSLVPN can be guaranteed.
Drawings
Fig. 1 is a flowchart of an SSLVPN high availability method provided in an embodiment of the present application;
fig. 2 is a schematic diagram of a partial structure of an SSLVPN high availability system according to an embodiment of the present application;
fig. 3 is a schematic diagram of a high availability architecture provided by an embodiment of the present application;
fig. 4 is a schematic diagram of the overall structure of the SSLVPN high availability system according to an embodiment of the present application;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present application.
Reference numerals in the drawings: SSLVPN high availability system 400; electronic device 2000; processor 2001; memory 2002.
Detailed Description
The technical scheme of the invention is described below with reference to the accompanying drawings.
In embodiments of the invention, words such as "exemplary" and "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the use of the term "exemplary" is intended to present concepts in a concrete fashion. Furthermore, in embodiments of the present invention, "and/or" may mean both, or either one of the two.
In the embodiments of the present invention, "image" and "picture" may sometimes be used interchangeably, and their meaning is consistent when the distinction is not emphasized. Likewise, "of", "corresponding" and "corresponding to" are sometimes used interchangeably, and their meaning is consistent when the distinction is not emphasized.
In the embodiments of the invention, a subscripted form such as W 1 may sometimes be misrendered as a non-subscripted form such as W1; the intended meaning is consistent when the distinction is not emphasized.
At present no effective solution has been proposed for the problem of access control authorization among micro-service applications. The existing manual configuration method is not suitable for large-scale, frequently iterated micro-service application scenarios. Therefore, in order to solve this problem, the invention aims to provide an SSLVPN high availability method which can realize efficient and secure authorization of the access control calling relation among micro-service applications, effectively reduce manpower investment and avoid human errors.
Referring to fig. 1, fig. 1 shows an SSLVPN high availability method provided in an embodiment of the application, which specifically includes steps S110 to S160.
Step S110: create 1 OpenVPN configuration file.
Step S120: start 4 OpenVPN processes.
Step S130: set the IPVS UDP connection timeout to 30 seconds.
Step S140: bind the ports that require load balancing.
Step S150: add the back-end services.
Step S160: periodically detect with the active script whether the UDP service of each OpenVPN process is normal; if the UDP service is abnormal, remove the OpenVPN process from the ipvsadm back-end service list, and re-add it to the list after the OpenVPN process is restored.
In some embodiments, the SSLVPN high availability system may include a creating unit 410, a starting unit 420, a setting unit 430, a binding unit 440, an adding unit 450 and a monitoring unit 460 (see fig. 4). The SSLVPN high availability system formed by these units can be used as the overall structure of the SSLVPN high availability system. In some specific embodiments, a local part of the SSLVPN high availability system may further include several modules. Specifically, referring to fig. 2, fig. 2 is a schematic diagram illustrating a partial structure of an SSLVPN high availability system according to another embodiment of the present application. The whole SSLVPN high availability system comprises an OpenVPN cluster module, a load balancing module (LVS), a database synchronization module (PostgreSQL streaming replication), a file synchronization module (rsync+inotify), a function management module (VPN console) and a high availability monitoring and automatic switching module (keepalived).
In other embodiments, referring to fig. 3, fig. 3 shows a schematic diagram of a high availability architecture. The complete SSLVPN high availability system includes 2 virtual machines. The database synchronization module (PostgreSQL streaming replication) and the file synchronization module (rsync+inotify) are responsible for synchronizing database data and configuration files between the 2 virtual machines; the high availability monitoring and automatic switching module (keepalived) is responsible for monitoring the state of the VPN console, the OpenVPN cluster, the DB database and the virtual machine itself, sending an alarm when a component is abnormal, and automatically performing active-standby switching to complete failover; the LVS load balancing module is responsible for load balancing client VPN connections and forwarding requests to the corresponding service of the OpenVPN cluster; the VPN console provides the VPN management entry point and is responsible for deploying the OpenVPN cluster processes, monitoring the VPN running state, managing the online state of users and so on, while persisting data into the DB.
Further, as shown in the architecture diagram of fig. 3, 2 virtual machines under the same VPC and one Virtual IP (VIP) are prepared, and an OpenVPN cluster, a VPN console, a PostgreSQL database, a file synchronization module (rsync+inotify), a high availability monitoring and automatic switching module (keepalived) and a load balancing module (LVS) are deployed on each of the 2 virtual machines.
Create 1 OpenVPN configuration file and place the parameters shared by the 4 OpenVPN processes in it. Start 4 OpenVPN processes, designating a corresponding port (for example ports 1195-1198) and virtual subnet (for example subnets 172.16.1.0/24-172.16.4.0/24) for each. Set the IPVS UDP connection timeout to 30 seconds; the timeout should be neither too large nor too small, and 30 seconds is 3 times the heartbeat interval (10 seconds) between the VPN client and the server, i.e. the client is considered disconnected only after 3 consecutive heartbeats fail, which reduces misjudged disconnections while not retaining too many failed connections. Bind the port needing load balancing (taking 10.10.0.1 as an example) with ipvsadm -A -u 10.10.0.1:1194 -s lc, where lc selects the Least-Connection scheduling strategy, which keeps the number of online connected users distributed as evenly as possible. Add the back-end services with ipvsadm -a -u 10.10.0.1:1194 -r 10.10.0.1:1195 -m, and likewise add the back-end services for port numbers 1195-1198. Finally, periodically detect with the active script whether the UDP service of each OpenVPN process is normal; if the UDP service is abnormal, remove the OpenVPN process from the ipvsadm back-end service list, and re-add it to the list after the OpenVPN service recovers.
At this point, multi-process load-balanced high availability of the VPN is realized.
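The procedure above (steps S110 to S160, with the ports, subnets and ipvsadm commands just listed), as an added example that is not part of the patent: it emits the provisioning commands and implements the active health-check loop in Python. The shared configuration path /etc/openvpn/shared.conf, the bind-based UDP probe and the fail_threshold parameter are assumptions of this example, not from the page.

```python
"""Single-host OpenVPN cluster behind IPVS: provisioning commands plus the
active health-check loop that removes a real server whose UDP service has
failed and re-adds it once it recovers. Values from the page: VIP 10.10.0.1,
front port 1194, backend ports 1195-1198, subnets 172.16.N.0/24, 10 s
heartbeat, 30 s IPVS UDP timeout."""
import errno
import socket
import subprocess
import time
from dataclasses import dataclass

VIP = "10.10.0.1"
FRONT_PORT = 1194
BACKEND_PORTS = [1195, 1196, 1197, 1198]
HEARTBEAT_SECONDS = 10
UDP_TIMEOUT_SECONDS = 3 * HEARTBEAT_SECONDS   # 30 s: three missed heartbeats
VIRTUAL_SERVICE = f"{VIP}:{FRONT_PORT}"


def openvpn_args(port, index):
    """Command line for one OpenVPN worker: shared options come from the single
    config file (assumed path), port and virtual subnet differ per process."""
    return ["openvpn", "--config", "/etc/openvpn/shared.conf",
            "--proto", "udp", "--port", str(port),
            "--server", f"172.16.{index}.0", "255.255.255.0",
            # ping every 10 s, ping-restart after 30 s without traffic
            "--keepalive", str(HEARTBEAT_SECONDS), str(UDP_TIMEOUT_SECONDS)]


def ipvs_setup_commands():
    """ipvsadm commands from the page: UDP timeout, lc virtual service, and
    one masqueraded (-m) real server per OpenVPN process."""
    cmds = [["ipvsadm", "--set", "0", "0", str(UDP_TIMEOUT_SECONDS)],  # tcp tcpfin udp; 0 keeps current
            ["ipvsadm", "-A", "-u", VIRTUAL_SERVICE, "-s", "lc"]]
    for port in BACKEND_PORTS:
        cmds.append(["ipvsadm", "-a", "-u", VIRTUAL_SERVICE, "-r", f"{VIP}:{port}", "-m"])
    return cmds


def udp_port_bound(port, host="0.0.0.0"):
    """Cheap liveness probe (assumption): if we cannot bind the UDP port, some
    process still holds it. Proves the socket exists, not that OpenVPN answers;
    a richer probe can be passed to reconcile() instead."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return False
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    finally:
        sock.close()


@dataclass
class Backend:
    port: int
    failures: int = 0      # consecutive failed probes
    in_pool: bool = True   # currently listed as an ipvsadm real server


def reconcile(backends, probe, run, fail_threshold=1):
    """One detection round. probe(port) reports UDP health, run(argv) executes
    an ipvsadm command. Returns the (action, port) pairs taken. fail_threshold=1
    removes on the first failure as the page describes; a higher value adds
    hysteresis against flapping."""
    actions = []
    for b in backends:
        real_server = f"{VIP}:{b.port}"
        if probe(b.port):
            b.failures = 0
            if not b.in_pool:   # service recovered: put it back in the pool
                run(["ipvsadm", "-a", "-u", VIRTUAL_SERVICE, "-r", real_server, "-m"])
                b.in_pool = True
                actions.append(("add", b.port))
        else:
            b.failures += 1
            if b.in_pool and b.failures >= fail_threshold:
                run(["ipvsadm", "-d", "-u", VIRTUAL_SERVICE, "-r", real_server])
                b.in_pool = False
                actions.append(("remove", b.port))
    return actions


def main(interval=HEARTBEAT_SECONDS):
    """The periodic active script: probe every backend, adjust the pool."""
    run = lambda argv: subprocess.run(argv, check=True)
    backends = [Backend(p) for p in BACKEND_PORTS]
    while True:
        for action, port in reconcile(backends, udp_port_bound, run):
            print(f"{action} real server {VIP}:{port}")
        time.sleep(interval)


if __name__ == "__main__":
    main()
```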
In some implementations, OpenVPN cluster: because OpenVPN does not support multithreading, it cannot take advantage of multi-core CPUs and multi-queue network cards. To improve the server's CPU utilization, enhance data processing capability and increase the total VPN bandwidth, multiple independent OpenVPN worker processes are deployed on the server to form an OpenVPN cluster;
OpenVPN cluster load balancing: load balancing is performed at layer 4 of the OSI network model, which has higher performance, and LVS is used for UDP port load balancing;
Suitable load balancing strategy: LVS offers various load balancing algorithms; the Least-Connection (lc) strategy is adopted. It updates the online connection count after a client goes offline and balances according to that count, so that online clients are distributed more evenly and each node of the OpenVPN cluster carries the client connection load as evenly as possible;
Session persistence: because the data states of the multiple OpenVPN processes are not shared, all requests of the same session must be scheduled to the same OpenVPN node to ensure service continuity. To forward requests from the same client IP to the same real server (RS), session persistence can be achieved by setting the IPVS persistence time persistence_timeout. When a client's UDP connection reaches IPVS, IPVS adds a connection record in UDP state to its record list. The record's source IP is the client IP, its port is the client port, and its timeout is the persistence time persistence_timeout described above; the remaining time decreases gradually, and if there is any interaction between client and server before the UDP timeout reaches 0, the value is refreshed to the initial persistence_timeout. While this UDP-state connection record exists, packets from the same client IP are scheduled to the same RS node, and the timeout is refreshed to its initial value whenever the client and server exchange data on the connection. If the connection is idle, i.e. there is no interaction, the UDP connection record disappears as soon as the timeout expires, and subsequent requests from the same client (IP + port) are rescheduled. Therefore, for session requests of the same client to always be balanced to the same OpenVPN service, the VPN client needs to maintain heartbeat interaction with the VPN server, and the heartbeat interval must be smaller than the IPVS persistence time persistence_timeout.
Stand-alone high availability: compared with a single process, a multi-process OpenVPN cluster deployment can fully utilize the CPU, memory and bandwidth resources of the virtual machine, and the same physical configuration can serve more clients. At the same time the single machine has higher availability: after a process goes offline, its clients can be loaded onto the other processes, ensuring high availability of the service. Dual-machine high availability: in dual-host active-standby high availability, the data of the master node is synchronized to the standby node in real time during normal operation, and after the master node's virtual machine goes down or another necessary component fails, service is automatically switched to the standby node, realizing failover and ensuring high availability of the SSLVPN.
In other embodiments, the method further comprises: in the initial state, selecting the virtual machine deployed first as the master node; configuring asynchronous streaming replication between the 2 PostgreSQL databases; installing and configuring rsync and inotify on the 2 virtual machines and starting real-time synchronization of the configuration files; configuring a liveness detection script in keepalived that periodically detects the VPN console and the PostgreSQL database; and configuring the actions keepalived triggers upon active-standby switching.
Database high availability: data between the primary and standby databases is synchronized asynchronously using the streaming replication mechanism of PostgreSQL; keepalived periodically detects whether the PostgreSQL database is normal, and if the number of consecutive abnormal detections exceeds the specified threshold, the VIP drifts to the standby node, the database on the node holding the VIP is switched from standby to primary, and services continue to be provided externally; in addition, after the original primary database is restored it is automatically switched to a standby database and synchronizes data from the new primary. When a standby is promoted to primary, it is first checked whether the standby's data lags behind the primary by more than a certain threshold: if the lag is within the threshold, the switch is performed; if it exceeds the threshold, the switch is stopped, preventing the data loss that would result from switching with lag beyond the threshold under abnormal conditions. When the primary is demoted to standby, it is first checked whether the database on the host currently holding the VIP has already been promoted to primary; if so, the demotion is performed, ensuring that the VIP and the primary database are on the same machine.
Furthermore, VPN console high availability: rsync is used to synchronize the configuration files, synchronizing to the standby node in real time whenever a change of the master node's files is detected. keepalived detects the VPN console, and if the number of consecutive abnormal detections exceeds the specified threshold, the VIP drifts to the standby node. Automatic active-standby switching of the VPN console is thus realized, achieving high availability.
Therefore, database data consistency between the active and standby hosts is realized through database streaming replication.
Configuration file consistency between the active and standby hosts is realized through file synchronization.
keepalived monitors the host and the host's SSLVPN components and automatically switches the VIP when an abnormality occurs, realizing automatic failover and rapid system recovery.
In some embodiments, in the initial state the virtual machine deployed first is selected as the master node. keepalived is configured and the VIP is bound to the network card; asynchronous streaming replication is configured between the 2 PostgreSQL databases so that master node data is synchronized to the standby node in real time; rsync and inotify are installed and configured on the 2 virtual machines, and real-time synchronization of the configuration files is started; keepalived is configured with a liveness detection script that periodically detects the VPN console and the PostgreSQL database, and 3 consecutive abnormal detections trigger the keepalived active-standby switch; keepalived is configured with the actions triggered on active-standby switching: in notify_master the local PostgreSQL database is promoted from standby to primary, in notify_backup the local PostgreSQL database is demoted from primary to standby, and at the same time the periodic detection script compensates for a previously failed switch by switching again.
High availability of the SSLVPN dual-host active-standby pair is thus realized.
Thus, when one OpenVPN process is shut down, the SSLVPN client can still connect to the VPN server and be used. When the master node's virtual machine is actively shut down, or the PostgreSQL database or the VPN console on the master node is shut down, the VIP drifts rapidly to the standby node, and after the SSLVPN client disconnects it can quickly reconnect to the SSLVPN server, ensuring rapid recovery of the SSLVPN service and achieving the expected high availability of the SSLVPN. The method realizes single-machine multi-process load-balanced high availability: the single-machine multi-process deployment improves the reliability of the SSLVPN while also improving its load capacity, and compared with single-process deployment the same configuration improves the utilization of the server's CPU, enhances data processing capability and increases the total bandwidth of the VPN. The DB database switches automatically between active and standby: through the corresponding scripts, the PostgreSQL database is automatically switched to primary after the host becomes the master node, and automatically switched to standby after the host becomes the standby node, realizing automatic switching in case of failure. Dual-machine active-standby high availability of the SSLVPN is realized: after the master node goes down, the SSLVPN function is automatically and rapidly switched to the standby node without manual intervention, realizing automatic failover, reducing operation and maintenance investment and ensuring high availability of the SSLVPN.
Illustratively, fig. 4 is a schematic diagram of the overall structure of an SSLVPN high availability system 400 according to an embodiment of the present invention. As shown in fig. 4, SSLVPN high availability system 400 includes: the creation unit 410, the start-up unit 420, the setting unit 430, the binding unit 440, the addition unit 450, and the monitoring unit 460.
For ease of illustration, fig. 4 shows only the major components of the SSLVPN high availability system 400.
A creating unit 410, configured to create 1 OpenVPN configuration file.
Further, the creating unit 410 is further configured to place the parameters shared by the 4 OpenVPN processes in it.
A starting unit 420, configured to start 4 OpenVPN processes.
Further, the starting unit 420 is further configured to designate a corresponding port and virtual subnet for each process.
A setting unit 430, configured to set the IPVS UDP connection timeout to 30 seconds.
Further, the setting unit 430 is further configured to set the connection timeout to 3 times the heartbeat interval between the VPN client and the server.
A binding unit 440, configured to bind the ports requiring load balancing.
An adding unit 450, configured to add the back-end services.
Further, the adding unit 450 is also configured for back-end services including ipvsadm -a -u 10.10.0.1:1194 -r 10.10.0.1:1195 -m.
A monitoring unit 460, configured to periodically detect with the active script whether the UDP service of each OpenVPN process is normal, remove the OpenVPN process from the ipvsadm back-end service list if its UDP service is abnormal, and re-add it to the list after recovery.
Furthermore, the SSLVPN high availability system 400 may be further configured to select, in the initial state, the virtual machine deployed first as the master node; configure asynchronous streaming replication between the 2 PostgreSQL databases; install and configure rsync and inotify on the 2 virtual machines and start real-time synchronization of the configuration files; configure a liveness detection script in keepalived that periodically detects the VPN console and the PostgreSQL database; and configure the actions keepalived triggers upon active-standby switching.
Further, the SSLVPN high availability system 400 may also be used to configure keepalived and bind the VIP to the network card.
Further, the SSLVPN high availability system 400 may also be used to configure asynchronous streaming replication between the 2 PostgreSQL databases.
In addition, the technical effects of the SSLVPN high availability system 400 may refer to the technical effects of any of the foregoing methods, and will not be described herein.
Optionally, an embodiment of the present invention further provides a computer-readable storage medium comprising a computer program or instructions which, when run on a computer, cause the method provided by any embodiment of the present invention to be performed.
Optionally, an embodiment of the present invention further provides an electronic device for executing the method provided by any embodiment of the present invention.
As shown in fig. 5, the electronic device 2000 may include a processor 2001.
Optionally, the electronic device 2000 may also include memory 2002.
The processor 2001 is coupled to the memory 2002, for example, by a communication bus.
The following describes the respective constituent elements of the electronic device 2000 in detail with reference to fig. 5:
the processor 2001 is the control center of the electronic device 2000 and may be one processor or a plurality of processing elements. For example, the processor 2001 may be one or more central processing units (CPUs), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention, such as one or more digital signal processors (DSPs) or one or more field-programmable gate arrays (FPGAs).
Alternatively, the processor 2001 may perform various functions of the electronic device 2000 by running or executing software programs stored in the memory 2002, and invoking data stored in the memory 2002.
In a particular implementation, the processor 2001 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 5, as an example.
The memory 2002 is used for storing a software program for executing the solution of the present invention, and is controlled by the processor 2001 to execute the solution, and the specific implementation may refer to the above method embodiment, which is not described herein again.
Alternatively, the memory 2002 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without limitation. The memory 2002 may be integrated with the processor 2001 or may exist separately and be coupled to the processor 2001 through interface circuitry of the electronic device 2000 (not shown in fig. 5); embodiments of the invention do not limit this.
It should be noted that the structure of the electronic device 2000 illustrated in fig. 5 is not limited to the electronic device, and an actual electronic device may include more or fewer components than illustrated, or may combine some components, or may be different in arrangement of components.
In addition, the technical effects of the electronic device 2000 may refer to the technical effects of the method described in the above method embodiments, which are not described herein.
It should be understood that, in various embodiments of the present invention, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present invention, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. An SSLVPN high availability method, the method comprising:
creating one OpenVPN configuration file;
starting four OpenVPN processes;
setting the IPVS UDP connection timeout to 30 seconds;
binding the ports that require load balancing;
adding back-end services;
and periodically detecting, by a liveness-check script, whether the UDP service of each OpenVPN process is normal, removing the OpenVPN process from the ipvsadm back-end service list if its UDP service is abnormal, and re-adding the OpenVPN process to the list after it has recovered.
2. The method of claim 1, wherein creating one OpenVPN configuration file comprises:
placing the parameters shared by the four OpenVPN processes in the file.
3. The method of claim 1, wherein starting four OpenVPN processes comprises:
assigning each process its own port and virtual subnet.
4. The method of claim 1, wherein setting the IPVS UDP connection timeout to 30 seconds comprises:
setting the connection timeout to three times the heartbeat interval between the VPN client and the server.
5. The method of claim 1, wherein adding back-end services comprises:
adding a back-end service with ipvsadm -a -u 10.10.0.1:1194 -r 10.10.0.1:1195 -m.
6. The method of claim 1, wherein the method further comprises:
in the initial state, selecting the virtual machine deployed at the first site as the master node;
configuring asynchronous streaming replication between the two PostgreSQL databases;
installing and configuring rsync and inotify on the two virtual machines and starting real-time synchronization of the configuration files;
configuring a keepalived liveness-check script that periodically checks the VPN console and the PostgreSQL database;
and configuring keepalived to trigger actions on active-standby switchover.
7. The method of claim 6, wherein selecting, in the initial state, the virtual machine deployed at the first site as the master node comprises:
configuring keepalived and binding the VIP to the network interface.
8. The method of claim 6, wherein configuring asynchronous streaming replication between the two PostgreSQL databases comprises:
configuring asynchronous streaming replication between the two PostgreSQL databases.
9. An SSLVPN high availability system, comprising:
a creating unit, configured to create one OpenVPN configuration file;
a starting unit, configured to start four OpenVPN processes;
a setting unit, configured to set the IPVS UDP connection timeout to 30 seconds;
a binding unit, configured to bind the ports that require load balancing;
an adding unit, configured to add back-end services;
and a monitoring unit, configured to periodically detect, by a liveness-check script, whether the UDP service of each OpenVPN process is normal, remove the OpenVPN process from the ipvsadm back-end service list if its UDP service is abnormal, and re-add the OpenVPN process to the list after it has recovered.
10. An electronic device, comprising:
one or more processors;
a memory;
one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by the one or more processors, the one or more applications configured to perform the method of any of claims 1-7.

Application and family

Application CN202211721092.3A, priority date 2022-12-30, filing date 2022-12-30: SSLVPN high availability method and system, legal status Pending.
Publication CN116094903A (en), published 2023-05-09.
Family ID 86187805; one family application, country CN only.

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination