环境：CentOS Linux release 7.4.1708 (Core)

1、openresty-1.11.2.4.tar.gz

2、luarocks-2.4.2.tar.gz

3、pcre-8.40.tar.gz

4、openssl-1.0.2n.tar.gz

5、kong-0.11.0.tar.gz

6、node-v8.9.4-linux-x64.tar.xz

7.  luarocks-2.4.2-1.src.rock

8. sslconfig

源码目录:/home/package

/usr/local/kong

软件目录规划:

安装目录:/usr/local/kong

日志目录:/usr/local/kong/logs

PID目录:/opt/run/kong

配置文件目录:

/usr/local/kong

机器分配

Kong：10.95.196.149/150

PostgreSQL：10.95.196.149

PostgreSQL安装过程

10.95.196.149上的操作

下载PostgreSQL，

postgresql-9.6.6.tar.gz

#创建PGSQL用户及用户组

groupadd -g 26 -o -r postgres

useradd -M -g postgres -o -r -d /home/pgsql -s /bin/bash  -u 26 postgres

#创建pgsql数据目录及日志目录

mkdir -p /home/pgsql/{data,logs}

chown -R postgres /home/pgsql

#切换用户初始化PGSQL

su postgres

#添加环境变量

vi  .bash_profile

PGHOME=/home/pgsql/postgresql-9.6.6

export PGHOME

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$PGHOME/lib

export PGLOG=/home/pgsql/logs/pgsql.log

PGDATA=/home/pgsql/data

export PGDATA

PATH=$PATH:$HOME/.local/bin:$HOME/bin:$PGHOME/bin

export PATH

初始化postgresql

initdb -E utf8 -D /home/pgsql/data -W -U postgres

注：以下操作均在postgres环境下操作

#增加PGSQL访问权限，修改/home/pgsql/data/pg_hba.conf

host    kong149            kong149            10.95.196.0/24           trust

新增的内容意思是允许10.95.196.0/24网段的机器可以使用用户kong访问数据库kong

#调整PGSQL的监听地址

sed -i "/#listen_addresses/c listen_addresses='10.95.196.149'" /home/pgsql/data/postgresql.conf

#启动PGSQL

pg_ctl start -D /home/pgsql/data -l /home/pgsql/logs/pgsql.log

#创建用户kong，根据提示设置用户kong的密码

createuser -l -E kong149 -P 

根据提示输入密码 ui8ga$No

#创建数据库kong

createdb -E utf8 -O kong149  kong149

10.95.196.149-150上的操作

安装一些另外的包

yum install devtoolset-3-gcc devtoolset-3-gcc-c++ devtoolset-3-libstdc++-devel gperftools-devel gperftools-libs

下载源码包

mkdir -p /home/package

cd  /home/package

wget https://openresty.org/download/openresty-1.11.2.4.tar.gz

wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.40.tar.gz

wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz

wget http://luarocks.github.io/luarocks/releases/luarocks-2.4.2.tar.gz

git clone https://github.com/cloudflare/sslconfig.git

wget https://github.com/Mashape/kong/archive/0.10.3.tar.gz -O kong-0.10.3.tar.gz

以上包可以直接对对应网站下载，服务器直接下可以遇到ssl无法握手问题；

安装OpenSSL

tar -xf openssl-1.0.2n.tar.gz  #-xzvf解压安装会遇到问题，不清楚原因

cd  openssl-1.0.2n

patch -p1 </home/package/sslconfig/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102j.patch

./config threads shared

make depend

make && make install

默认安装到 /usr/local/ssl 对应下面编译中ssl环境目录需要相应变更

安装OpenResty

#创建用户及用户组  也可以不创建

groupadd websuite

useradd -g websuite -M -s /sbin/nologin websuite

#编译安装openresty

tar -xf 

openresty-1.11.2.4.tar.gz

tar -xf pcre-8.40.tar.gz

#创建OpenResty所需目录

mkdir -p /usr/local/kong/{run,logs,conf}

mkdir -p /usr/local/kong/temp/{client,proxy}

cd  openresty-1.11.2.4

./configure --prefix=/usr/local/kong -j24 \

--with-http_iconv_module \

--with-luajit \

--sbin-path=/usr/local/kong/sbin/nginx \

--conf-path=/usr/local/kong/conf/nginx.conf \

--error-log-path=/usr/local/kong/logs/error.log \

--http-log-path=/usr/local/kong/logs/access.log \

--with-threads \

--with-file-aio \

--with-http_realip_module \

--with-http_addition_module \

--with-http_auth_request_module \

--with-http_random_index_module \

--with-http_slice_module \

--with-http_stub_status_module \

--with-http_ssl_module \

--http-client-body-temp-path=/usr/local/kong/temp/client \

--http-proxy-temp-path=/usr/local/kong/temp/proxy \

--modules-path=/usr/local/kong/modules \

--with-http_v2_module \

--with-cc-opt='-w -pipe -march=native -mtune=native -m128bit-long-double -m64 -fno-builtin-malloc -I/usr/local/ssl/include' \

--with-ld-opt='-L/usr/local/ssl/lib' \

--with-pcre=../pcre-8.40 \

--with-pcre-opt=-fPIC \

--with-pcre-jit

gmake -j8 && make install

安装luarocks

tar zxf luarocks-2.4.2.tar.gz

cd luarocks-2.4.2

./configure --prefix=/usr/local/kong \

--rocks-tree=/usr/local/kong/luajit \

--sysconfdir=/usr/local/kong/conf/luarocks \

--lua-suffix=jit \

--with-lua=/usr/local/kong/luajit \

--with-lua-include=/usr/local/kong/luajit/include/luajit-2.1

make build

make install

echo 'export PATH="${PATH}:/usr/local/kong/bin:/usr/local/kong/sbin:/usr/local/kong/luajit/bin"' > /etc/profile.d/kong.sh

source /etc/profile.d/kong.sh

把下载的luarocks-2.4.2-1.src.rock 放到luarocks-2.4.2目录下执行：

luarocks install luarocks-2.4.2-1.src.rock

安装Kong

tar -xf kong-0.11.0.tar.gz

cd kong-0.11.0

sed -i '/OPENSSL_DIR ?=/c OPENSSL_DIR ?= /usr/local/ssl' Makefile

make install

cp -r bin/* /usr/local/kong/bin/

安装

HiRes组件

yum -y  install perl-Time-HiRes

建立软连接

ln -f -s /usr/local/ssl/lib/libssl.so.1.0.0 /lib64/libssl.so.1.0.0

ln -f -s /usr/local/ssl/lib/libcrypto.so.1.0.0 /lib64/libcrypto.so.1.0.0

调整Kong的配置

路径：/usr/local/kong/luajit/share/lua/5.1/kong/templates

文件：nginx.lua

return [[

> if nginx_user then

user ${{NGINX_USER}};

> end

worker_processes ${{NGINX_WORKER_PROCESSES}};

daemon ${{NGINX_DAEMON}};

pid pids/nginx.pid;

error_log ${{PROXY_ERROR_LOG}} ${{LOG_LEVEL}};

> if nginx_optimizations then

worker_rlimit_nofile ${{WORKER_RLIMIT}};

> end

events {

> if nginx_optimizations then

use                 epoll;

worker_connections  65536;

multi_accept on;

> end

}

http {

include 'nginx-kong.conf';

}

]]

文件：nginx_kong.lua

return [[

charset UTF-8;

> if anonymous_reports then

${{SYSLOG_REPORTS}}

> end

error_log ${{PROXY_ERROR_LOG}} ${{LOG_LEVEL}};

>if nginx_optimizations then

include       /usr/local/kong/conf/mime.types;

default_type  application/octet-stream;

sendfile        on;

>-- send_timeout 60s;          # default value

keepalive_timeout 120s;     # default value

keepalive_requests     10000;

server_tokens     off;

>-- client_body_timeout 60s;   # default value

>-- client_header_timeout 60s; # default value

>-- tcp_nopush on;             # disabled until benchmarked

gzip  on;

gzip_comp_level     6;

gzip_min_length     1024;

gzip_proxied           any;

gzip_vary                 on;

gzip_buffers            96 8k;

gzip_types               text/json  text/plain  text/css  application/json  application/javascript  application/x-javascript  application/rss+xml;

>-- proxy_buffer_size 128k;    # disabled until benchmarked

proxy_buffers 128 8k;      # disabled until benchmarked

>-- proxy_busy_buffers_size 256k; # disabled until benchmarked

>-- reset_timedout_connection on; # disabled until benchmarked

>end

log_format  access '$http_x_forwarded_for [$time_local] request_time[$request_time] upto $upstream_addr,'

'upresponse_time[$upstream_response_time], "$request" $status $body_bytes_sent '

'"$http_user_agent"';

client_max_body_size ${{CLIENT_MAX_BODY_SIZE}};

proxy_ssl_server_name on;

underscores_in_headers on;

lua_package_path '${{LUA_PACKAGE_PATH}};;';

lua_package_cpath '${{LUA_PACKAGE_CPATH}};;';

lua_socket_pool_size ${{LUA_SOCKET_POOL_SIZE}};

lua_max_running_timers 4096;

lua_max_pending_timers 16384;

lua_shared_dict kong                30m;

lua_shared_dict kong_cache          ${{MEM_CACHE_SIZE}};

lua_shared_dict kong_process_events 30m;

lua_shared_dict kong_cluster_events 30m;

lua_shared_dict kong_healthchecks   30m;

> if database == "cassandra" then

lua_shared_dict kong_cassandra      5m;

> end

lua_socket_log_errors off;

> if lua_ssl_trusted_certificate then

lua_ssl_trusted_certificate '${{LUA_SSL_TRUSTED_CERTIFICATE}}';

lua_ssl_verify_depth ${{LUA_SSL_VERIFY_DEPTH}};

> end

init_by_lua_block {

kong = require 'kong'

kong.init()

}

init_worker_by_lua_block {

kong.init_worker()

}

proxy_next_upstream_tries 2;

upstream kong_upstream {

server 0.0.0.1;

balancer_by_lua_block {

kong.balancer()

}

keepalive ${{UPSTREAM_KEEPALIVE}};

}

server {

    server_name localhost;

listen ${{PROXY_LISTEN}}${{PROXY_PROTOCOL}};

error_page 400 404 408 411 412 413 414 417 /kong_error_handler;

error_page 500 502 503 504 /kong_error_handler;

    access_log ${{PROXY_ACCESS_LOG}} access;

error_log ${{PROXY_ERROR_LOG}} ${{LOG_LEVEL}};

client_body_buffer_size ${{CLIENT_BODY_BUFFER_SIZE}};

> if ssl then

listen ${{PROXY_LISTEN_SSL}} ssl${{HTTP2}}${{PROXY_PROTOCOL}};

ssl_certificate ${{SSL_CERT}};

ssl_certificate_key ${{SSL_CERT_KEY}};

ssl_protocols TLSv1.1 TLSv1.2;

ssl_certificate_by_lua_block {

kong.ssl_certificate()

}

ssl_session_cache shared:SSL:10m;

ssl_session_timeout 10m;

ssl_prefer_server_ciphers on;

ssl_ciphers ${{SSL_CIPHERS}};

> end

> if client_ssl then

proxy_ssl_certificate ${{CLIENT_SSL_CERT}};

proxy_ssl_certificate_key ${{CLIENT_SSL_CERT_KEY}};

> end

real_ip_header     ${{REAL_IP_HEADER}};

real_ip_recursive  ${{REAL_IP_RECURSIVE}};

> for i = 1, #trusted_ips do

set_real_ip_from   $(trusted_ips[i]);

> end

location / {

set $upstream_host               '';

set $upstream_upgrade            '';

set $upstream_connection         '';

set $upstream_scheme             'http';

set $upstream_uri                '';

set $upstream_x_forwarded_for    '';

set $upstream_x_forwarded_proto  '';

set $upstream_x_forwarded_host   '';

set $upstream_x_forwarded_port   '';

rewrite_by_lua_block {

kong.rewrite()

}

access_by_lua_block {

kong.access()

}

proxy_http_version 1.1;

proxy_set_header   Host              $upstream_host;

proxy_set_header   Upgrade           $upstream_upgrade;

proxy_set_header   Connection        $upstream_connection;

#proxy_set_header   X-Forwarded-For   $upstream_x_forwarded_for;

proxy_set_header   X-Forwarded-Proto $upstream_x_forwarded_proto;

proxy_set_header   X-Forwarded-Host  $upstream_x_forwarded_host;

proxy_set_header   X-Forwarded-Port  $upstream_x_forwarded_port;

        proxy_set_header   X-Real-IP         $http_x_forwarded_for;

proxy_pass_header  Server;

proxy_pass_header  Date;

proxy_ssl_name     $upstream_host;

        proxy_pass         http://kong_upstream$upstream_uri;

header_filter_by_lua_block {

kong.header_filter()

}

body_filter_by_lua_block {

kong.body_filter()

}

log_by_lua_block {

kong.log()

}

}

location = /kong_error_handler {

internal;

content_by_lua_block {

kong.handle_error()

}

}

}

server {

    server_name localhost;

listen ${{ADMIN_LISTEN}};

access_log ${{ADMIN_ACCESS_LOG}};

error_log ${{ADMIN_ERROR_LOG}} ${{LOG_LEVEL}};

client_max_body_size 10m;

client_body_buffer_size 10m;

> if admin_ssl then

listen ${{ADMIN_LISTEN_SSL}} ssl${{ADMIN_HTTP2}};

ssl_certificate ${{ADMIN_SSL_CERT}};

ssl_certificate_key ${{ADMIN_SSL_CERT_KEY}};

ssl_protocols TLSv1.1 TLSv1.2;

ssl_session_cache shared:SSL:10m;

ssl_session_timeout 10m;

ssl_prefer_server_ciphers on;

ssl_ciphers ${{SSL_CIPHERS}};

> end

location / {

default_type application/json;

content_by_lua_block {

kong.serve_admin_api()

}

}

location /nginx_status {

internal;

access_log off;

stub_status;

}

location /robots.txt {

return 200 'User-agent: *\nDisallow: /';

}

}

]]

文件：kong_defaults.lua 

return [[

prefix = /usr/local/kong/

log_level = notice

proxy_access_log = logs/access.log

proxy_error_log = logs/error.log

admin_access_log = logs/admin_access.log

admin_error_log = logs/admin_error.log

custom_plugins = NONE

anonymous_reports = on

proxy_listen = 0.0.0.0:8000

proxy_listen_ssl = 0.0.0.0:8443

admin_listen = 0.0.0.0:5000

admin_listen_ssl = 0.0.0.0:5443

nginx_user = root

nginx_worker_processes = auto

nginx_optimizations = on

nginx_daemon = on

mem_cache_size = 1024m

http2 = off

ssl = on

ssl_cert = NONE

ssl_cert_key = NONE

client_ssl = off

client_ssl_cert = NONE

client_ssl_cert_key = NONE

ssl_cipher_suite = modern

ssl_ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AE

S256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

admin_http2 = off

admin_ssl = on

admin_ssl_cert = NONE

admin_ssl_cert_key = NONE

upstream_keepalive = 60

server_tokens = off

latency_tokens = on

trusted_ips = NONE

real_ip_header = X-Forwarded-For

real_ip_recursive = off

client_max_body_size = 8m

client_body_buffer_size = 8k

error_default_type = text/plain

database = postgres

pg_host = 10.95.196.149

pg_port = 5432

pg_database = kong149

pg_user = kong149

pg_password = ui8ga$No

pg_ssl = off

pg_ssl_verify = off

cassandra_contact_points = 127.0.0.1

cassandra_port = 9042

cassandra_keyspace = kong

cassandra_timeout = 5000

cassandra_ssl = off

cassandra_ssl_verify = off

cassandra_username = kong

cassandra_password = NONE

cassandra_consistency = ONE

cassandra_lb_policy = RoundRobin

cassandra_local_datacenter = NONE

cassandra_repl_strategy = SimpleStrategy

cassandra_repl_factor = 1

cassandra_data_centers = dc1:2,dc2:3

cassandra_schema_consensus_timeout = 10000

db_update_frequency = 60

db_update_propagation = 0

db_cache_ttl = 3600

dns_resolver = NONE

dns_hostsfile = /etc/hosts

dns_order = LAST,SRV,A,CNAME

dns_stale_ttl = 4

dns_not_found_ttl = 30

dns_error_ttl = 1

dns_no_sync = off

lua_socket_pool_size = 30

lua_ssl_trusted_certificate = NONE

lua_ssl_verify_depth = 1

lua_package_path = ./?.lua;./kong/init.lua;

lua_package_cpath = NONE

]]

启动Kong

kong start or kong start -vv(如果执行kong start报错，可以使用kong start -vv来进行调试)

如遇数据库表结构不兼容 执行kong migrations up

下载安装node

node-v8.9.4-linux-x64.tar.xz

wget https://nodejs.org/dist/v8.9.4/node-v8.9.4-linux-x64.tar.xz // 下载

tar xf node-v8.9.4-linux-x64.tar.xz

cd node-v8.9.4-linux-x64/

ln -s /home/package/kongpack/node-v8.9.4-linux-x64/bin/npm /usr/local/bin/

ln -s /home/package/kongpack/node-v8.9.4-linux-x64/bin/node  /usr/local/bin/

node -v

使用 npm安装Kong-dashboard 安装 启动运行

nohup node /usr/local/bin/kong-dashboard start -u http://127.0.0.1:5000 -p 9001 --basic-auth admin=bei}g6Th &

在浏览器中输入地址，使用用户名密码登录

再在F5层做负载均衡配置到10.96.196.149/150实现高可用