Tasks for November 29
12.17 Nginx load balancing
12.18 SSL principle
12.19 Generating an SSL key pair
12.20 Configuring SSL in Nginx
In principle, load balancing is just proxying: several backend servers are configured behind one nginx proxy, so that requests from many users are spread across them. When one backend becomes unreachable, nginx sends the traffic to another one, so that access continues uninterrupted.

Below, qq.com is used as the example backend. First look up its addresses:
```
# dig is provided by the bind-utils package
[root@localhost ~]# yum install -y bind-utils
[root@localhost ~]# dig qq.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65328
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                        IN      A

;; ANSWER SECTION:
qq.com.                 404     IN      A       61.135.157.156
qq.com.                 404     IN      A       125.39.240.113

;; Query time: 40 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: Thu Jan 04 22:02:25 CST 2018
;; MSG SIZE  rcvd: 67
```
Then create a virtual host file for the load balancer:

```
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/load.conf
# upstream names a group of backend web servers
upstream qq_com {
    # ip_hash keeps the same client (by source IP) on the same backend
    ip_hash;
    # the backends that take part in the load balancing: the two addresses dig returned.
    # server lines take an address and port only; the http:// scheme belongs in proxy_pass
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server {
    listen 80;
    server_name www.qq.com;
    location / {
        # proxy to the upstream group by its name
        proxy_pass http://qq_com;
        # standard header names; the backend only recognises these spellings
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
Before the new configuration is loaded, a request for www.qq.com sent to the local nginx returns the default virtual host's content:

```
[root@localhost ~]# curl -x127.0.0.1:80 www.qq.com
this is default web server
```

After checking the configuration and reloading, the same request returns the source of the www.qq.com front page (the page is GB2312-encoded; the title is shown decoded here):

```
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 www.qq.com
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta content="text/html; charset=gb2312" http-equiv="Content-Type">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="baidu-site-verification" content="cNitg6enc2">
<title>腾讯首页</title>
<script type="text/javascript">
if(window.location.toString().indexOf('pref=padindex') != -1){
}else{
  if(/AppleWebKit.*Mobile/i.test(navigator.userAgent) || /\(Android.*Mobile.+\).+Gecko.+Firefox/i.test(navigator.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE/.test(navigator.userAgent))){
    if(window.location.href.indexOf("?mobile")<0){
      try{
        if(/Android|Windows Phone|webOS|iPhone|iPod|BlackBerry/i.test(navigator.userAgent)){
          window.location.href="http://xw.qq.com/index.htm";
        }else if(/iPad/i.test(navigator.userAgent)){
          //window.location.href="http://www.qq.com/pad/"
        }else{
...
```
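The failover described at the start of this section (switching to another backend when one cannot be reached) depends on parameters that load.conf above leaves at their defaults. The following is an added example, not from the original notes, showing the same upstream with explicit failure handling. The backend addresses are the two that dig returned; the counts and timeouts are values chosen for illustration.

```nginx
# Added example (not part of the original notes): load.conf with explicit
# failure handling. Backends are the addresses dig returned above; the
# max_fails/fail_timeout values and timeouts below are assumptions.
upstream qq_com {
    ip_hash;
    # After max_fails failed attempts within fail_timeout, the backend is
    # considered unavailable for fail_timeout and skipped by new requests.
    server 61.135.157.156:80 max_fails=3 fail_timeout=30s;
    server 125.39.240.113:80 max_fails=3 fail_timeout=30s;
    # Note: a "backup" server cannot be combined with ip_hash; drop ip_hash
    # if a last-resort backend is wanted.
}

server {
    listen 80;
    server_name www.qq.com;

    location / {
        proxy_pass http://qq_com;
        proxy_set_header Host $host;
        # $remote_addr is the address nginx saw; it cannot be spoofed by
        # the client, unlike anything it put into X-Forwarded-For itself.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Which backend failures count as "this server failed" and are
        # retried on the next server in the group. Only idempotent methods
        # are retried by default; do not add non_idempotent unless the
        # backends tolerate a duplicated POST.
        proxy_next_upstream error timeout http_502 http_503 http_504;
        proxy_next_upstream_tries 2;

        # Short timeouts so a dead backend is detected quickly.
        proxy_connect_timeout 3s;
        proxy_read_timeout 10s;
    }
}
```

Passive checks of this kind only notice a backend once a real request has failed against it; the request that triggered the failure is retried on the next server only for the conditions listed in `proxy_next_upstream`.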
Note that the upstream `server` lines are plain addresses with no scheme, and here they point at port 80. nginx can also proxy to an HTTPS backend, but only when the scheme is given in `proxy_pass` (`proxy_pass https://qq_com;`) and nginx is built with the http_ssl_module (see below); simply writing port 443 in a `server` line while `proxy_pass` still says `http://` does not work.
SSL principle. Symmetric encryption: the data and a secret key (a random string) are mixed together by an algorithm, and unless the key is known the result cannot be decrypted. Both sides use the same key, so it has to reach the other side without being exposed. TLS solves this with asymmetric (public-key) cryptography: the server holds a private key and publishes the matching public key in its certificate; the client uses the public key to protect a freshly chosen symmetric key, and only the holder of the private key can recover it. That symmetric key then encrypts the actual traffic.
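The exchange just described, done by hand with the openssl command line, as an added example that is not part of the original notes. The server has a long-lived RSA key pair; the client picks a random symmetric session key, wraps it with the server's public key, and only the private key can unwrap it; the data itself is then protected with the symmetric key. The file names, the sample request string and the choice of AES-256-CBC for the symmetric part are assumptions made for this demo; TLS negotiates all of this automatically.

```shell
#!/bin/sh
# Added example, not from the original notes: the key-management idea behind
# TLS, done step by step with the openssl CLI. File names, the request
# string and AES-256-CBC as the symmetric cipher are assumptions.
set -eu

work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT

# Server side: long-term RSA key pair (the kind "openssl genrsa" creates).
make_server_keys() {
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    openssl rsa -in "$work/server.key" -pubout -out "$work/server.pub" 2>/dev/null
}

# Client side: fresh random session key, wrapped with the public key (RSA-OAEP).
client_wrap_session_key() {
    openssl rand -hex 32 > "$work/session.key"
    openssl pkeyutl -encrypt -pubin -inkey "$work/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/session.key" -out "$work/session.key.enc"
}

# Server side: unwrap with the private key; nothing else can.
server_unwrap_session_key() {
    openssl pkeyutl -decrypt -inkey "$work/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/session.key.enc" -out "$work/session.key.srv"
}

# Symmetric part: encrypt one "record" under the key file a side holds.
encrypt_record() {   # $1 = key file, $2 = plaintext
    printf '%s' "$2" | openssl enc -aes-256-cbc -pbkdf2 \
        -pass "file:$1" -out "$work/record.enc"
}

# Prints the plaintext, or nothing useful when the key is wrong.
decrypt_record() {   # $1 = key file
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1" \
        -in "$work/record.enc" 2>/dev/null || true
}

# Full exchange; prints what the server recovered from the client's record.
run_demo() {   # $1 = plaintext sent by the client
    make_server_keys
    client_wrap_session_key
    server_unwrap_session_key
    cmp -s "$work/session.key" "$work/session.key.srv"   # both sides hold the same key
    encrypt_record "$work/session.key" "$1"               # client encrypts
    openssl rand -hex 32 > "$work/wrong.key"              # an attacker's guess
    [ "$(decrypt_record "$work/wrong.key")" != "$1" ]     # guess does not decrypt
    decrypt_record "$work/session.key.srv"                # server decrypts
}

run_demo "GET / HTTP/1.1"
```

Everything sent over the wire here (server.pub, session.key.enc, record.enc) can be read by an eavesdropper without revealing the request; what the demo does not provide is proof of who owns server.pub, which is the job of the certificate generated in the next steps.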
Now generate the key pair and certificate in the nginx conf directory. The private key is created first; -des3 encrypts it on disk, which is why a passphrase has to be entered:

```
[root@localhost ~]# cd /usr/local/nginx/conf
# create the private key; with -des3 a passphrase is required, otherwise the key file is not written
[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
```

nginx cannot type a passphrase when it starts, so strip it and write the plain key as test.key. The unencrypted key is now protected only by file permissions, so keep it readable by root alone (mode 0600):

```
[root@localhost conf]# openssl rsa -in tmp.key -out test.key
Enter pass phrase for tmp.key:
writing RSA key
[root@localhost conf]# rm -f tmp.key
```

Next, a certificate signing request (CSR) from the key. The Common Name should be the hostname clients will use (test.com here); it was left blank in this run, which is one of the reasons the browser later rejects the certificate. The .crt is then produced from the CSR and the same private key, i.e. it is self-signed and no CA is involved:

```
[root@localhost conf]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZheJiang
Locality Name (eg, city) [Default City]:QuZhou
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# the .crt is generated from the CSR together with the private key
[root@localhost conf]# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
Signature ok
subject=/C=CN/ST=ZheJiang/L=QuZhou/O=Default Company Ltd
Getting Private key
```
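The same three steps (key, CSR, self-signed certificate) as an added example that is not part of the original notes, this time with a Common Name and a subjectAltName that match the vhost, which is what browsers and curl actually check. The output directory comes from mktemp (an assumption); the notes write the files straight into /usr/local/nginx/conf.

```shell
#!/bin/sh
# Added example, not from the original notes: key, CSR and self-signed
# certificate for test.com with a matching CN and SAN. The mktemp output
# directory is an assumption.
set -eu

out="$(mktemp -d)"
trap 'rm -rf "$out"' EXIT
host="test.com"

gen_selfsigned() {
    # 1. Private key without a passphrase, so nginx can start unattended
    #    (same result as genrsa -des3 followed by "openssl rsa").
    openssl genrsa -out "$out/test.key" 2048 2>/dev/null

    # 2. CSR; CN must be the hostname clients will use.
    openssl req -new -key "$out/test.key" -out "$out/test.csr" \
        -subj "/C=CN/ST=ZheJiang/L=QuZhou/CN=$host"

    # 3. Self-sign. "x509 -req" does not copy extensions from the CSR, so
    #    the SAN is supplied again through -extfile.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
        > "$out/san.ext"
    openssl x509 -req -days 365 -in "$out/test.csr" -signkey "$out/test.key" \
        -extfile "$out/san.ext" -out "$out/test.crt" 2>/dev/null
}

# The SAN the certificate carries, e.g. "DNS:test.com".
cert_san() {
    openssl x509 -in "$out/test.crt" -noout -ext subjectAltName \
        | tail -n +2 | tr -d ' '
}

# Subject line of the certificate (the notes' CSR left CN empty).
cert_subject() {
    openssl x509 -in "$out/test.crt" -noout -subject
}

# True when the certificate's public key belongs to test.key, i.e. the
# ssl_certificate / ssl_certificate_key pair handed to nginx match.
key_matches_cert() {
    [ "$(openssl x509 -in "$out/test.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$out/test.key" -pubout)" ]
}

gen_selfsigned
cert_subject
cert_san
key_matches_cert && echo "key and certificate match"
```

A certificate made this way is still self-signed, so curl and browsers will not trust it until test.crt is added to their CA store (curl: `--cacert`); what the SAN fixes is the separate "name does not match" failure.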
Now the SSL virtual host:

```
[root@localhost conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
server {
    # "listen 443 ssl" is the current form of "listen 443;" plus "ssl on;"
    listen 443 ssl;
    server_name test.com;
    index index.html index.php;
    root /data/www/test.com;
    # paths are relative to /usr/local/nginx/conf
    ssl_certificate test.crt;
    ssl_certificate_key test.key;
    # protocol names must be spelled exactly like this; TLSv1 and TLSv1.1 are deprecated
    # and only worth keeping for old clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
```
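The ssl.conf above is the minimum that makes nginx speak TLS. As an added example that is not part of the original notes, here is the same vhost with the settings a production server should carry. The cipher list and the HSTS max-age are assumptions, chosen for an nginx 1.12.2 / OpenSSL 1.0.2 build, which has no TLS 1.3.

```nginx
# Added example (not part of the original notes): ssl.conf hardened.
# Paths and names follow the notes; the cipher list and HSTS value are
# assumptions for an nginx 1.12.2 / OpenSSL 1.0.2 build.
server {
    listen 80;
    server_name test.com;
    # Never serve the site in clear text; send everything to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;                  # replaces the deprecated "ssl on;"
    server_name test.com;
    root /data/www/test.com;
    index index.html index.php;

    ssl_certificate     test.crt;    # relative to /usr/local/nginx/conf
    ssl_certificate_key test.key;    # unencrypted: keep it mode 0600, owned by root

    # TLS 1.0 and 1.1 are deprecated; do not list them.
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only; the server picks, not the client.
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # Session resumption via the server-side cache. Tickets are off because
    # the ticket key would otherwise be reused across restarts and workers,
    # weakening forward secrecy.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Browsers remember to use HTTPS for six months (assumed value). Only
    # add this once the site is known to stay on HTTPS; it cannot be undone
    # early on clients that already saw it.
    add_header Strict-Transport-Security "max-age=15768000" always;
}
```

With a self-signed certificate the redirect and HSTS header make the browser warning unavoidable for every visit, so this shape of configuration belongs with a certificate issued by a CA the clients trust.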
Create the document root with a test page, then check and reload:

```
[root@localhost conf]# mkdir -p /data/www/test.com
[root@localhost conf]# vim /data/www/test.com/index.php
ssl test page.
[root@localhost conf]# /usr/local/nginx/sbin/nginx -t
[root@localhost conf]# /usr/local/nginx/sbin/nginx -s reload
```
Here `nginx -t` fails: nginx was originally built without the http_ssl_module, so the ssl directives are not recognised and nginx has to be recompiled and reinstalled with it:

```
[root@localhost conf]# cd /usr/local/src/nginx-1.12.2/
[root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@localhost nginx-1.12.2]# make && make install
```

Reinstalling can overwrite files under the install prefix, including the virtual host configuration written earlier, so back up the useful nginx vhost files before running make install.

Confirm that the module is now compiled in:

```
[root@localhost conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips ...
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/ --with-http_ssl_module
```

Because the binary itself was replaced, `nginx -s reload` is not enough; restart nginx with the /etc/init.d/nginx script, then check that port 443 is listening:

```
# the rebuilt nginx must be restarted with the /etc/init.d/nginx script
[root@localhost conf]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  OK  ]
# check whether port 443 is open
[root@localhost conf]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1354/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2116/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4953/nginx: master
tcp6       0      0 :::3306                 :::*                    LISTEN      2156/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      1354/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2116/master
```
To test by name without curl's -x option, map test.com to the loopback address in /etc/hosts:

```
# instead of -x, add the following line to /etc/hosts
[root@localhost conf]# vim /etc/hosts
127.0.0.1 test.com
# curl test
[root@localhost conf]# curl https://test.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```

curl refuses because the certificate is self-signed: no CA in its bundle issued it. For a test, -k skips verification; the TLS handshake itself already works. For the browser test from another machine, that machine's hosts file maps the name to the server's LAN address instead:

```
192.168.65.133 test.com
```
Also check that the server's firewall allows port 443. For convenience in this test the iptables rules were flushed entirely; on anything other than a lab machine, add an INPUT rule accepting TCP port 443 instead of clearing the table.

```
[root@localhost conf]# iptables -F
```
Enter https://test.com in the browser. The browser shows a certificate warning: the certificate is self-signed, so no trusted CA vouches for it, and its subject carries neither a Common Name nor a subjectAltName for test.com. After clicking "Proceed anyway", the page content is displayed, and the page information still describes the certificate as not valid.