Nginx feature configuration (reverse proxy, SSL)

Reverse proxy

A reverse proxy is a proxy server that accepts connection requests from the public network, forwards them to servers on the internal network, and returns the servers' responses to the public client that made the request.

Use cases: reaching an internal machine that has no public address; working around a connectivity barrier between two machines.

Add the following to the configuration file:

location /
    {
        proxy_pass http://ip;   # the internal IP the request is actually meant for (in the lab below, A's address)
        proxy_set_header Host $host;                                   # keep the original Host so the backend picks the right vhost
        proxy_set_header X-Real-IP $remote_addr;                       # the TCP peer nginx saw
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # client-sent X-Forwarded-For, with $remote_addr appended
    }
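The three proxy_set_header lines decide what the backend on A learns about the real client, and the X-Forwarded-For one is the easy one to misuse: nginx only appends $remote_addr to whatever the client already sent, so the leftmost value is attacker-controlled. The following is an added example, not code from the page, modelling how $proxy_add_x_forwarded_for builds the header and how the backend should read it. The trusted-proxy list (B's internal address 192.168.85.132) and the client addresses are assumptions for the example.

```python
import ipaddress

# The nginx host in the lab (B's internal address) is the only hop the
# backend on A should trust. This list is an assumption for the example.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.85.132/32")]


def nginx_add_x_forwarded_for(incoming_xff, remote_addr):
    """Model of $proxy_add_x_forwarded_for: nginx appends the TCP peer
    address to whatever X-Forwarded-For the client already sent, or starts
    the header with the peer address if the client sent none."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def naive_client_ip(xff):
    """What many backends do, and why it is wrong: the leftmost entry is
    whatever the client chose to put there."""
    return xff.split(",")[0].strip()


def client_ip_from_xff(xff, peer_addr, trusted=TRUSTED_PROXIES):
    """Walk the chain from the right, dropping hops that are our own
    proxies; the first hop that is not ours is the real client. Entries
    further left were never verified by anything we control."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    hops.append(peer_addr)  # the TCP peer is the one hop we know for certain
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse rather than guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return None  # every hop was one of our proxies; no client address to report


if __name__ == "__main__":
    # Constructed request: the client claims to be 127.0.0.1, nginx on B appends
    # the real peer 203.0.113.5, and A receives the connection from B.
    header = nginx_add_x_forwarded_for("127.0.0.1", "203.0.113.5")
    print("header seen by A :", header)
    print("naive parse      :", naive_client_ip(header))
    print("trusted-hop parse:", client_ip_from_xff(header, "192.168.85.132"))
```

When the backend is itself nginx, the same logic is what ngx_http_realip_module does (set_real_ip_from 192.168.85.132; real_ip_header X-Forwarded-For; real_ip_recursive on;); the point of the model is that the backend must anchor on the TCP peer and its own proxy list, never on the leftmost header value.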

Lab setup:

There are two machines, A and B. A has only an internal network; B has both internal and external networks.
A's internal IP is 192.168.85.129. B's internal IP is 192.168.85.132 and its external IP is 192.168.48.132.
C is the client. C can reach only B's external IP, not A's or B's internal IPs.
Goal: C must be able to reach the website hosted on A's internal network.

Add a network adapter: after adding the NIC device to virtual machine B, run dhclient to obtain an address on the second card, then copy the NIC config file ifcfg-ens33 to ifcfg-ens38 and edit it:

remove the DNS entries; remove the gateway entry; change the device name; change the IP address.

[root@feature1 ~]# cd /etc/yum.repos.d/
[root@feature1 yum.repos.d]# vim nginx.repo

[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/centos/7/$basearch/
# The original had gpgcheck=0, which installs whatever the mirror serves without
# checking package signatures. Enable it and pin the vendor's signing key.
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
[root@feature1 yum.repos.d]# yum install -y nginx

[root@feature1 yum.repos.d]# vim /etc/nginx/conf.d/default.conf

Replace the contents of the stock default server in default.conf with:

deny all;

Add the virtual host configuration

[root@feature1 conf.d]# vim bbs.feature.com.conf

server {
    listen       80 default_server;
    server_name  bbs.feature.com;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /data/wwwroot/bbs.feature.com;
        index  index.html index.htm index.php;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    #error_page   500 502 503 504  /50x.html;
    #location = /50x.html {
    #    root   /usr/share/nginx/html;
    #}

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root           /data/wwwroot/bbs.feature.com;
        # consider 'try_files $uri =404;' here so requests for .php paths that do
        # not exist on disk are answered by nginx instead of being handed to PHP-FPM
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /data/wwwroot/bbs.feature.com$fastcgi_script_name;
        include        fastcgi_params;
    }

}



[root@feature1 conf.d]#  nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@feature1 conf.d]# nginx -s reload

[root@feature1 conf.d]# firewall-cmd --add-port=80/tcp --permanent
 # open port 80 in the firewall, otherwise the site cannot be reached
[root@feature1 conf.d]# firewall-cmd --reload
success

Access verification

[root@dxg conf.d]# vi /etc/hosts
192.168.48.132	bbs.aibenwoniu.xyz

[root@feature1 conf.d]# curl -I bbs.feature.com
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Fri, 15 Feb 2019 04:04:38 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1

The X-Powered-By header above advertises the exact PHP version to anyone who can reach the site. Set expose_php = Off in php.ini, and server_tokens off; in nginx.conf, so neither component announces its version in responses or error pages.

nginx load balancing

Load balancing distributes incoming front-end requests evenly across the back-end machines.

[root@feature1 conf.d]# vi qq.com.conf

upstream qq.com
{
    ip_hash;                      # pin each client (by the first three octets of its IPv4 address) to one backend
    server 111.161.64.48:80;
    server 180.163.26.39:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq.com; # refers to the upstream group above, not to DNS
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
    
[root@feature1 conf.d]#  nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@feature1 conf.d]# nginx -s reload
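ip_hash keeps a client on the same backend, but the key is the TCP peer address seen by nginx, and for IPv4 only its first three octets, so everyone behind one corporate NAT or one upstream proxy lands on a single server. The following is an added example, not part of the page, modelling that selection for the two-server upstream above. The /24 keying is nginx's documented behaviour; the hash constants 89, 113 and 6271 follow my reading of ngx_http_upstream_ip_hash_module.c and are an assumption of the model, as are the sample client addresses.

```python
from collections import Counter

# Upstream group from qq.com.conf as (address, weight) pairs; nginx's default weight is 1.
UPSTREAM = [("111.161.64.48", 1), ("180.163.26.39", 1)]


def ip_hash_pick(client_ip, servers=UPSTREAM):
    """Pick the server nginx's ip_hash would choose for an IPv4 client.

    Documented part: only the first three octets are hashed, so a whole /24
    maps to one server. The constants 89, 113 and 6271 are taken from my
    reading of the nginx source and are an assumption of this model.
    """
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {client_ip!r}")
    h = 89
    for octet in octets[:3]:          # the fourth octet is deliberately ignored
        h = (h * 113 + int(octet)) % 6271
    w = h % sum(weight for _, weight in servers)
    for addr, weight in servers:      # walk the weighted list the way nginx does
        if w < weight:
            return addr
        w -= weight
    raise RuntimeError("weights exhausted; cannot happen with positive weights")


def distribution(client_ips, servers=UPSTREAM):
    """Count how many of the given clients each upstream server receives."""
    return Counter(ip_hash_pick(ip, servers) for ip in client_ips)


if __name__ == "__main__":
    # Constructed sample: an office whose 200 users all leave through 192.168.48.0/24.
    office = [f"192.168.48.{i}" for i in range(1, 201)]
    print("one /24 behind NAT:", distribution(office))      # all 200 on one server
    # Constructed sample: clients spread over many different /24s.
    spread = [f"10.{a}.{b}.1" for a in range(10) for b in range(20)]
    print("200 distinct /24s :", distribution(spread))
```

Two consequences follow for the configuration above: a client population concentrated in a few networks will not be balanced at all, and because the key is $remote_addr rather than X-Forwarded-For, a CDN or another proxy in front of this nginx collapses every user onto one backend unless ngx_http_realip_module is used to recover the client address first.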

Verification

Note that curl -x111.161.64.48:80 uses that upstream as an HTTP proxy, so the request below goes straight to the backend and never touches the local nginx; the Server: squid header is the backend's own. To exercise the balancer, point -x at the nginx host instead (for example -x127.0.0.1:80 when running on feature1).

[root@feature1 conf.d]# curl -x111.161.64.48:80 www.qq.com -I
HTTP/1.1 200 OK
Server: squid/3.5.24
Date: Fri, 15 Feb 2019 04:07:27 GMT
Content-Type: text/html; charset=GB2312
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Fri, 15 Feb 2019 04:08:27 GMT
Cache-Control: max-age=60
X-Cache: from www-hy
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Cache: MISS from shenzhen.qq.com

Configuring SSL

Configuring SSL lets nginx serve the site over https (HTTP inside a TLS-encrypted connection). http defaults to port 80, https to port 443.

Requesting a certificate

Production: www.wosign.com (WoSign). Free: freessl.org.
This lab uses a free certificate from freessl.org: register an account, enter the domain registered earlier (aibenwoniu.xyz) to create the certificate, follow the prompts to add the DNS validation value as a TXT record at dnspod, and once validation succeeds three files are produced (ca/crt/key).

Create the certificate files

[root@feature1 nginx]# mkdir ssl
[root@feature1 nginx]# cd ssl
[root@feature1 ssl]# vi ca
[root@feature1 ssl]# vi crt
[root@feature1 ssl]# vi key

#將以前申請的證書文件代碼複製到相應的文件中

Configure the virtual host

[root@feature1 conf.d]# vim bbs.feature.com.conf

In the server block, replace the listen line with the following:

    listen       443 ssl;
    server_name  bbs.feature.com;
    # 'ssl on;' from the original is redundant: the ssl parameter on listen already
    # enables TLS, and the directive is deprecated since nginx 1.15.0.
    ssl_certificate     /etc/nginx/ssl/bbs.crt;   # server certificate followed by the CA chain
    ssl_certificate_key /etc/nginx/ssl/bbs.key;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if a legacy client
    # forces you to, otherwise allow TLSv1.2 (and TLSv1.3 where OpenSSL supports it).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
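The ssl lines above carry two weak settings (the redundant ssl on; and the TLSv1/TLSv1.1 protocols) and miss one header worth having. As an added example, not code from the page, here is a small audit over the page's own snippet that flags those points and produces the corrected block; the parser is deliberately minimal and the HSTS max-age value is an assumption for the example.

```python
import re

# The ssl lines the page adds to bbs.feature.com.conf, wrapped in a server block so
# the snippet parses on its own; this is the constructed sample input.
SAMPLE_CONF = """
server {
    listen       443 ssl;
    server_name  bbs.feature.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/bbs.crt;
    ssl_certificate_key /etc/nginx/ssl/bbs.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 6176, 7568, 8996


def parse_directives(conf):
    """Return (name, args) for each simple directive; comments and block braces
    are skipped. Enough for a server block like the page's, not a full nginx
    grammar (quoted strings containing ';' are not handled)."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}" or not line.endswith(";"):
            continue
        name, *args = line[:-1].split()
        out.append((name, args))
    return out


def audit_tls(conf):
    """Return a list of findings for the TLS-related directives in conf."""
    findings = []
    directives = parse_directives(conf)
    tls_listener = any(n == "listen" and "ssl" in a for n, a in directives)
    has_hsts = any(n == "add_header" and a[:1] == ["Strict-Transport-Security"]
                   for n, a in directives)
    for name, args in directives:
        if name == "ssl_protocols":
            weak = sorted(DEPRECATED_PROTOCOLS & set(args))
            if weak:
                findings.append("ssl_protocols enables deprecated " + ", ".join(weak)
                                + "; use 'ssl_protocols TLSv1.2 TLSv1.3;'")
        elif name == "ssl" and args == ["on"]:
            findings.append("'ssl on;' is redundant with 'listen 443 ssl' and "
                            "deprecated since nginx 1.15.0")
    if tls_listener and not has_hsts:
        findings.append("no Strict-Transport-Security header; browsers will keep "
                        "accepting plain http for this host")
    return findings


def harden(conf):
    """Rewrite conf so that audit_tls() comes back clean."""
    conf = re.sub(r"^([ \t]*)ssl_protocols[ \t][^;]*;",
                  r"\1ssl_protocols TLSv1.2 TLSv1.3;", conf, flags=re.M)
    conf = re.sub(r"^[ \t]*ssl[ \t]+on[ \t]*;[^\n]*\n", "", conf, flags=re.M)
    if "Strict-Transport-Security" not in conf:
        close = conf.rstrip().rfind("}")  # insert just before the server block closes
        conf = (conf[:close]
                + '    add_header Strict-Transport-Security "max-age=31536000" always;\n'
                + conf[close:])
    return conf


if __name__ == "__main__":
    for finding in audit_tls(SAMPLE_CONF):
        print("-", finding)
    print(harden(SAMPLE_CONF))
```

On the CentOS 7 build used in this lab (nginx 1.14.2 with the distribution's OpenSSL), TLSv1.3 will not be negotiated even if listed; nginx accepts the value and simply offers the versions the library supports, so the hardened line is safe to deploy as is.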
    
[root@feature1 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@feature1 conf.d]# nginx -s reload
[root@feature1 conf.d]#  firewall-cmd --add-port=443/tcp --permanent

success
[root@feature1 conf.d]# firewall-cmd --reload
success

[root@feature1 conf.d]# systemctl restart nginx

Verification

[root@feature1 conf.d]# curl -H "host:bbs.feature.com" https://192.168.85.129/index.php
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@feature1 conf.d]# curl -k -H "host:bbs.feature.com" https://192.168.85.129/index.php

Note 1: curl -k lets curl continue over a TLS connection whose certificate it could not verify. That switches off the only check separating the real server from an interposed one, so use it only against a lab host you control. The message "Peer's Certificate issuer is not recognized" most often means the server presented only the leaf certificate: append the issuer chain (the ca file from freessl.org) after the server certificate in the file that ssl_certificate points to. Also note that curl checks the certificate name against the host in the URL (192.168.85.129 here), not against the Host header, so the command above would still fail the name check; use curl --resolve bbs.feature.com:443:192.168.85.129 https://bbs.feature.com/index.php to test the real name without -k.

Note 2: further SSL reading: https://github.com/aminglinux/nginx/tree/master/ssl
