Nginx負載均衡,SSL工做流程,利用openssl生成本身的證書

負載均衡配置

查看網站對應的ip地址工具dig
安裝 yum install -y bind-utils
使用 dig www.163.com

設置163.com的兩個地址爲負債均衡

[root@test-a ~]# dig www.163.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> www.163.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39731
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.163.com.			IN	A

;; ANSWER SECTION:
www.163.com.		535	IN	CNAME	www.163.com.lxdns.com.
www.163.com.lxdns.com.	46	IN	A	116.242.0.145
www.163.com.lxdns.com.	46	IN	A	60.207.246.98

;; Query time: 103 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: Fri Nov 30 07:40:01 CST 2018
;; MSG SIZE  rcvd: 104

# 配置
[root@test-a vhost]# vim load_balance.conf
[root@test-a vhost]# cat load_balance.conf
upstream 163
{
    ip_hash;
    server 116.242.0.145:80;
    server 60.207.246.98:80;
}
server
{
    listen 80;
    server_name  www.163.com;
    location /
    {
        proxy_pass http://163;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    }
}

# 測試
[root@test-a vhost]# curl -x127.0.0.1:80 www.163.com

SSL工做流程

• 瀏覽器發送一個https的請求給服務器；
• 服務器要有一套數字證書，能夠本身製做，也能夠向組織申請，區別就是本身頒發的證書須要客戶端驗證經過，才能夠繼續訪問，而使用受信任的公司申請的證書則不會彈出>提示頁面，這套證書其實就是一對公鑰和私鑰；
• 服務器會把公鑰傳輸給客戶端；
• 客戶端（瀏覽器）收到公鑰後，會驗證其是否合法有效，無效會有警告提醒，有效則會生成一串隨機數，並用收到的公鑰加密；
• 客戶端把加密後的隨機字符串傳輸給服務器；
• 服務器收到加密隨機字符串後，先用私鑰解密（公鑰加密，私鑰解密），獲取到這一串隨機數後，再用這串隨機字符串加密傳輸的數據（該加密爲對稱加密，所謂對稱加密，就是將數據和私鑰也就是這個隨機字符串>經過某種算法混合在一塊兒，這樣除非知道私鑰，不然沒法獲取數據內容）；
• 服務器把加密後的數據傳輸給客戶端；
• 客戶端收到數據後，再用本身的私鑰也就是那個隨機字符串解密；

利用openssl生成本身的證書

[root@test-a conf]# openssl genrsa -des3 -out tmp.key 2048 # 生成私鑰文件tmp.key  
Generating RSA private key, 2048 bit long modulus
.........................+++
.......................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@test-a conf]# openssl rsa -in tmp.key -out mytest.key # 轉換key，取消密碼 
Enter pass phrase for tmp.key:
writing RSA key
[root@test-a conf]# rm tmp.key
rm: remove regular file ‘tmp.key’? y
[root@test-a conf]# openssl req -new -key mytest.key -out mytest.csr # 生成證書請求文件，後面須要拿這個文件和私鑰一塊兒生產公鑰文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@test-a conf]#
[root@test-a conf]# openssl x509 -req -days 365 -in mytest.csr -signkey mytest.key -out mytest.crt  # 生成公鑰
Signature ok
subject=/C=cn/L=Default City/O=Default Company Ltd
Getting Private key
[root@test-a conf]# ls mytest.*
mytest.crt  mytest.csr  mytest.key

[root@test-a vhost]# vim ssl.conf
[root@test-a vhost]# cat ssl.conf
server
{
    listen 443;
    server_name 12345.com;
    index index.html index.php;
    root /data/wwwroot/12345.com;
    ssl on;
    ssl_certificate mytest.crt;
    ssl_certificate_key mytest.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

[root@test-a vhost]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

# 從新編譯nginx,加上--with-http_ssl_module
[root@test-a vhost]# cd /usr/local/src/nginx-1.14.1/
[root@test-a nginx-1.14.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@test-a nginx-1.14.1]# make
[root@test-a nginx-1.14.1]# make install
[root@test-a nginx-1.14.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@test-a nginx-1.14.1]# /usr/local/nginx/sbin/nginx -s reload
[root@test-a nginx-1.14.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  OK  ]
[root@test-a nginx-1.14.1]# netstat -nltp # 有443端口
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2375/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6105/nginx: master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6105/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1195/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2375/master
tcp6       0      0 :::3306                 :::*                    LISTEN      2402/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      1195/sshd

[root@test-a nginx-1.14.1]# cd /data/wwwroot/ # 建立站點目錄及文件
[root@test-a wwwroot]# mkdir 12345.com
[root@test-a wwwroot]# cd 12345.com/
[root@test-a 12345.com]# vim index.html 
[root@test-a 12345.com]# cat index.html 
SSL test.
[root@test-a 12345.com]# curl https://12345.com # 本地須要配置hosts
curl: (35) Encountered end of file
[root@test-a 12345.com]# cd /usr/local/nginx/conf/vhost/
[root@test-a vhost]# vim /etc/hosts
[root@test-a vhost]# curl https://12345.com # 訪問提示證書不被信任，本身頒發的，確定不被信任
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

• 瀏覽器訪問測試