12.17 Nginx load balancing
12.18 SSL (HTTPS) principle
12.19 Generating an SSL key pair
12.20 Configuring SSL in Nginx
Further reading
Proxying based on the request URI: http://ask.apelearn.com/question/1049
Choosing the backend by the requested directory: http://ask.apelearn.com/question/920
Nginx long connections (keepalive): http://www.apelearn.com/bbs/thread-6545-1-1.html
Analysis of nginx balancing algorithms: http://blog.sina.com.cn/s/blog_72995dcc01016msi.html
12.17 Nginx load balancing:
Continuing from the proxy server of the previous section: with one web server behind it, it is called a proxy; with two web servers it is called load balancing. The proxy server can have several web servers behind it, and when several servers provide the service together, load balancing is achieved.
Without the proxy layer, users can only request the servers one at a time. Suppose user 1 goes to web1 and web1 is down: with the proxy in front, the proxy server no longer sends requests to web1. That is the advantage of Nginx load balancing.
~1.
vim /usr/local/nginx/conf/vhost/load.conf   # write the following content
upstream baidu_com      # uses the upstream module; the name is arbitrary and labels the block below
{
    ip_hash;            # keeps a user on the same server; otherwise a login can be lost when the next request is sent to another server, which is not acceptable
    server 182.61.200.6:80;   # multiple backend IPs can only be defined here
    server 182.61.200.7:80;
}
server
{
    listen 80;
    server_name www.baidu.com;   # domain name
    location /
    {
        proxy_pass http://baidu_com;   # points at the upstream name defined above; multiple IPs cannot be listed here
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
~2.
upstream is used to specify multiple web servers
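As an added example (not part of the course notes), the script below models how ip_hash pins a client to one backend. It assumes the hashing rule of nginx's ngx_http_upstream_ip_hash_module: only the first three octets of the IPv4 address are folded into the hash (h = 89, then h = (h * 113 + octet) % 6271 per octet), and the backend index is h modulo the number of equally weighted servers. The two backend addresses are the ones from load.conf above; the function names are chosen here. It shows the practical consequence of the stickiness: every client in the same /24, for example everyone behind one office NAT, lands on the same server, so those clients are not spread across the pool at all.

```shell
#!/bin/sh
# Added example, not from the course notes: a model of nginx ip_hash backend
# selection. Assumed hashing rule (from ngx_http_upstream_ip_hash_module):
# only the first three octets of an IPv4 address are hashed, so a whole /24
# maps to one backend. Equal weights are assumed for all servers.

# Backends from load.conf, in declaration order (constructed sample list).
BACKENDS="182.61.200.6:80 182.61.200.7:80"

# Number of entries in $BACKENDS.
backend_count() {
    set -- $BACKENDS
    echo $#
}

# ip_hash_index IPV4 N -> index 0..N-1 of the chosen backend
ip_hash_index() {
    ip=$1; n=$2
    h=89
    i=0
    for octet in $(printf '%s' "$ip" | tr '.' ' '); do
        i=$((i + 1))
        [ "$i" -le 3 ] || break           # the fourth octet is ignored
        h=$(( (h * 113 + octet) % 6271 ))
    done
    echo $(( h % n ))
}

# ip_hash_backend IPV4 -> the host:port the client is pinned to
ip_hash_backend() {
    idx=$(ip_hash_index "$1" "$(backend_count)")
    set -- $BACKENDS
    shift "$idx"
    echo "$1"
}

# Demo: two hosts in one /24 always share a backend; a host elsewhere may not.
for client in 192.168.30.134 192.168.30.200 10.0.1.5; do
    echo "$client -> $(ip_hash_backend "$client")"
done
```

Run it as is; the two 192.168.30.x clients print the same backend because their first three octets are identical, which is exactly why ip_hash keeps a logged-in user on one server and also why it balances poorly when many users share one source network.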
Knowledge points:
~1. How to find out which IPs baidu.com resolves to
yum install -y bind-utils
dig baidu.com   (two IPs are returned, i.e. baidu.com resolves to both of them)
~2. Nginx does not support proxying HTTPS (i.e. the port cannot be written as 443)
What if users can only reach port 443?
Then only the proxy listens on 443 while the web servers behind it stay on 80 (not clear to me)
Example:
1.
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/load.conf   # create a new load.conf
upstream baidu_com
{
    ip_hash;
    server 182.61.200.6:80;
    server 182.61.200.7:80;
}
server
{
    listen 80;
    server_name www.baidu.com;
    location /
    {
        proxy_pass http://baidu_com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
[root@localhost ~]# curl -x192.168.30.134:80 www.qq.com   # test first, before -t and reload
"This is a default site."   # the default page is shown
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 www.baidu.com -I   # after -t and reload the test succeeds
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 25 Jul 2019 07:26:26 GMT
Content-Type: text/html
Content-Length: 277
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
12.18 SSL principle (HTTPS):
What is the difference between HTTP and HTTPS? First, HTTPS is encrypted: if, for example, the traffic is captured by an attacker, what they obtain is ciphertext, i.e. unreadable data.
SSL workflow:
~1. The browser sends an HTTPS request to the server;
~2. The server must have a set of digital certificates. It can make them itself (the steps later on use a certificate Aming made himself) or apply to an organisation for them. The difference is that a self-issued certificate must be verified and accepted by the client before access can continue, whereas a certificate obtained from a trusted company does not pop up a warning page. This set of certificates is really a public key and a private key;
~3. The server sends the public key to the client;
~4. After receiving the public key, the client (browser) checks whether it is valid. If it is not, a warning is shown; if it is, the client generates a random string and encrypts it with the received public key;
~5. The client sends the encrypted random string to the server;
~6. The server receives the encrypted random string and first decrypts it with its private key (public-key encryption, private-key decryption). Having obtained the random string, it uses it to encrypt the data it transmits (this is symmetric encryption: the data and the "private key", i.e. this random string, are mixed together by some algorithm, so that without knowing that key the data cannot be recovered);
~7. The server sends the encrypted data to the client;
~8. The client receives the data and decrypts it with its own "private key", i.e. that random string;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
12.19 Generating an SSL key pair:
We issue a certificate on the virtual machine ourselves; it is really a private key and a public key:
yum install -y openssl
~1. cd /usr/local/nginx/conf
~2. openssl genrsa -des3 -out tmp.key 2048   # the .key file is the private key
genrsa    generates an RSA private key
-out      specifies the output file
2048      key length
tmp.key   the file is simply named tmp.key
~3. openssl rsa -in tmp.key -out axin.key   # convert the key and remove the passphrase; axin.key is the converted private key without a passphrase
-in       specifies which key is to be converted
~4. rm -f tmp.key   # the old key can now be deleted
~5. openssl req -new -key axin.key -out axin.csr   # generate the certificate signing request; this file and the private key together are used to produce the public key (certificate) file
~6. openssl x509 -req -days 365 -in axin.csr -signkey axin.key -out axin.crt   # use the request file and the private key generated earlier to produce the public key (certificate) file
~7. The resulting .crt file (axin.crt here; the course notes call it aminglinux.crt) is the public key
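Sections 12.18 (the exchange) and 12.19 (the key pair) can be reproduced end to end with openssl. The script below is an added example and not the course's own commands: it assumes openssl is installed, works in a temporary directory instead of /usr/local/nginx/conf, keeps the file names axin.key and axin.crt and the host name axin.com from the notes, and creates the passphrase-free key and the self-signed certificate in one non-interactive step (-nodes and -subj replace the interactive genrsa, rsa, req and x509 sequence). It then plays steps 4 to 8 of the workflow with the files just made, and finally shows why curl rejects the result in 12.20: a self-signed certificate only verifies when it is itself supplied as the trust anchor, which is what curl's --cacert option does and is the alternative to -k. The function names are chosen here.

```shell
#!/bin/sh
# Added example (not the course's commands). Assumes openssl is installed.
# Names axin.key / axin.crt / axin.com come from the notes; the work
# directory is a temporary one instead of /usr/local/nginx/conf.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 12.19 in one step: RSA-2048 private key (-nodes = no passphrase) and a
# self-signed certificate (-x509) valid for 365 days; -subj answers the DN
# prompts non-interactively.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=$1" \
        -keyout "$WORK/axin.key" -out "$WORK/axin.crt" 2>/dev/null
}

# Read the CN back from the certificate to check that the subject was set.
cert_cn() {
    openssl x509 -in "$WORK/axin.crt" -noout -subject | sed 's/.*CN *= *//'
}

# 12.18 steps 4-8: the client encrypts a random secret with the server's
# public key, the server decrypts it with the private key, and both sides
# then use the secret as the symmetric key. Prints the message after a
# full encrypt/decrypt round trip.
handshake_roundtrip() {
    # steps 3-4: client takes the public key out of the certificate and
    # generates a random secret
    openssl x509 -in "$WORK/axin.crt" -pubkey -noout > "$WORK/pub.pem"
    openssl rand -hex 32 > "$WORK/client.secret"
    # step 5: the secret travels to the server encrypted under the public key
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -in "$WORK/client.secret" -out "$WORK/secret.enc"
    # step 6: only the private key can recover it
    openssl pkeyutl -decrypt -inkey "$WORK/axin.key" \
        -in "$WORK/secret.enc" -out "$WORK/server.secret"
    # steps 6-8: server encrypts application data with the shared secret,
    # client decrypts it with its own copy
    printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass "file:$WORK/server.secret" -out "$WORK/data.enc"
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -pass "file:$WORK/client.secret" -in "$WORK/data.enc"
}

# Why curl reports error 60: with no trust anchor, verification fails; with
# the certificate itself supplied as the CA (curl --cacert), it passes.
verify_self_signed() {
    if openssl verify "$WORK/axin.crt" >/dev/null 2>&1; then
        printf 'system-trusted '
    else
        printf 'untrusted '
    fi
    if openssl verify -CAfile "$WORK/axin.crt" "$WORK/axin.crt" >/dev/null 2>&1; then
        echo 'ok-with-own-cacert'
    else
        echo 'fails-with-own-cacert'
    fi
}

make_self_signed axin.com
echo "CN: $(cert_cn)"
echo "round trip: $(handshake_roundtrip 'ssl test page.')"
echo "verification: $(verify_self_signed)"
```

The random secret stands in for the session key of the notes; real TLS derives it differently, but the property the notes describe is the same: only the holder of axin.key can read what was encrypted to axin.crt. The last line is the one to remember when curl complains later: pass the certificate with --cacert rather than switching verification off with -k.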
Example:
[root@localhost ~]# cd /usr/local/nginx/conf/   # go into the configuration directory first
[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048   # generate the .key private key first
Generating RSA private key, 2048 bit long modulus
.......................+++
..................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:   # a passphrase must be entered
Verifying - Enter pass phrase for tmp.key:   # enter it again
[root@axinlinux-01 conf]# openssl rsa -in tmp.key -out axin.key   # remove the passphrase, because it is inconvenient
Enter pass phrase for tmp.key:   # enter the passphrase set above
writing RSA key
[root@localhost conf]# rm -f tmp.key   # delete the old .key private key file
[root@localhost conf]# openssl req -new -key axin.key -out axin.csr   # generate the certificate request
You are about to be asked to enter information that will be incorporated   # the information below has to be filled in; as this is an exercise it is left blank
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wangxin789   # a challenge password was set, though
An optional company name []:
[root@localhost conf]# openssl x509 -req -days 365 -in axin.csr -signkey axin.key -out axin.crt
Signature ok   # generated successfully
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
12.20 Configuring SSL in Nginx:
~1. vim /usr/local/nginx/conf/vhost/ssl.conf   # add the following content
server
{
    listen 443;                             # listen on port 443, since 80 cannot be used directly
    server_name axin.com;
    index index.html index.php;
    root /data/wwwroot/axin.com;
    ssl on;                                 # enable ssl, i.e. support https
    ssl_certificate axin.crt;               # the public key (certificate)
    ssl_certificate_key axin.key;           # the private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # protocols; normally all three are configured
}
~2. -t && -s reload   # if the error unknown directive "ssl" appears, nginx must be recompiled (make && make install) with --with-http_ssl_module, i.e. "./configure --prefix=/usr/local/nginx --with-http_ssl_module"
~3. mkdir /data/wwwroot/axin.com
~4. echo "ssl test page." > /data/wwwroot/axin.com/index.html
~5. edit the hosts file and add 127.0.0.1 axin.com
~6. curl https://axin.com/
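The ssl.conf above works, but two of its lines would be flagged in a configuration review today: ssl on has been obsolete since nginx 1.15.0 (the ssl parameter of the listen directive replaces it), and TLSv1 and TLSv1.1 were formally deprecated by RFC 8996, so a reviewer would want only TLSv1.2 and, where the build supports it, TLSv1.3. The following script is an added example and not part of the course notes: it reads that server block, embedded here as constructed input, reports those findings and prints a hardened variant; lint_ssl_conf, harden_ssl_conf and count_findings are names chosen here. One caveat: the hardened ssl_protocols line lists TLSv1.3, which needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later; on the nginx 1.8.0 / OpenSSL 1.0.2k build used in these notes, keep only TLSv1.2.

```shell
#!/bin/sh
# Added example, not from the course notes: a small reviewer's lint for the
# ssl.conf server block above, plus the hardened version of it.

# The server block from the notes, embedded as constructed input.
WEAK_CONF='server
{
listen 443;
server_name axin.com;
index index.html index.php;
root /data/wwwroot/axin.com;
ssl on;
ssl_certificate axin.crt;
ssl_certificate_key axin.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}'

# Reads a server block on stdin and prints one finding per line.
lint_ssl_conf() {
    while read -r line; do
        set -- $line                       # $1 = directive, rest = arguments
        [ $# -gt 0 ] || continue
        case "$1" in
            ssl)
                echo "ssl on: obsolete since nginx 1.15.0, use 'listen 443 ssl;'" ;;
            ssl_protocols)
                shift
                for proto in "$@"; do
                    proto=${proto%;}       # drop the trailing semicolon
                    case "$proto" in
                        SSLv2|SSLv3|TLSv1|TLSv1.1)
                            echo "ssl_protocols: $proto is deprecated (RFC 8996 for TLS 1.0/1.1)" ;;
                    esac
                done ;;
        esac
    done
}

# Rewrites the block on stdin into the hardened form: ssl moves onto the
# listen directive, and only TLS 1.2 and 1.3 remain.
harden_ssl_conf() {
    sed -e 's/^listen 443;/listen 443 ssl;/' \
        -e '/^ssl on;/d' \
        -e 's/^ssl_protocols .*/ssl_protocols TLSv1.2 TLSv1.3;/'
}

# Number of findings for a config passed as a string.
count_findings() {
    printf '%s\n' "$1" | lint_ssl_conf | grep -c .
}

echo "== findings in the original block =="
printf '%s\n' "$WEAK_CONF" | lint_ssl_conf
echo "== hardened block =="
printf '%s\n' "$WEAK_CONF" | harden_ssl_conf
echo "== findings after hardening: $(count_findings "$(printf '%s\n' "$WEAK_CONF" | harden_ssl_conf)") =="
```

After applying the hardened block, run nginx -t and then openssl s_client -connect axin.com:443 -tls1_1 from another shell: the handshake must now fail, which is the observable check that the old protocols are really gone.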
Example:
[root@localhost conf]# cd vhost/
[root@localhost vhost]# ls
aaa.com.conf load.conf proxy.conf test.com.conf
[root@localhost vhost]# vim ssl.conf   # create a new .conf
[root@localhost vhost]# mkdir /data/wwwroot/axin.com
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t   # error, because nginx does not know the ssl directive
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@localhost vhost]# cd /usr/local/src/nginx-1.8.0/
[root@localhost nginx-1.8.0]# ./configure --help |grep -i ssl   # search for the ssl modules
--with-http_ssl_module enable ngx_http_ssl_module   # this is the one needed
--with-mail_ssl_module enable ngx_mail_ssl_module
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
[root@localhost nginx-1.8.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@localhost nginx-1.8.0]# make
[root@localhost nginx-1.8.0]# make install
[root@localhost nginx-1.8.0]# /usr/local/nginx/sbin/nginx -V   # check that the ssl module is now included
nginx version: nginx/1.8.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@localhost nginx-1.8.0]# /usr/local/nginx/sbin/nginx -t   # run -t again
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx-1.8.0]# /etc/init.d/nginx restart   # restart nginx
Restarting nginx (via systemctl): [ 肯定 ]
[root@localhost nginx-1.8.0]# netstat -lntp   # check the listening ports; 443 has been added
tcp        0      0 192.168.30.134:9000     0.0.0.0:*               LISTEN      1076/php-fpm: maste
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1388/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      803/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1071/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1388/nginx: master
tcp6       0      0 :::3306                 :::*                    LISTEN      1059/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      803/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1071/master
[root@localhost nginx-1.8.0]# vim /data/wwwroot/axin.com/1.txt   # create a test file in the specified directory
[root@localhost nginx-1.8.0]# mv /data/wwwroot/axin.com/1.txt /data/wwwroot/axin.com/index.html   # rename it to index.html
[root@localhost nginx-1.8.0]# vim /etc/hosts   # edit hosts and add the axin.com entry
192.168.30.134 www.wangxin.com axin.com
[root@localhost nginx-1.8.0]# curl https://axin.com/   # the test reports an error because the certificate is self-issued; it has actually succeeded
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
We can also test it in a browser on Windows:
first add axin.com to the hosts file > check the firewall rules on Linux and, if there are any, flush them with -F > open https://axin.com in the browser, which shows the warning page below:
Click Advanced, then Proceed, and the page loads.
So when the certificate is not trusted by the browser, the prompt above appears (if needed, a certificate can be bought from WoSign).
Knowledge point: when we visit a government website such as www.12306.com, opening https://www.12306.com also shows the page above. This is because a government website using a certificate issued by someone else might be unsafe, so it uses its own self-issued certificate, and that is why the browser does not recognise it.