Nginx Load Balancing & How SSL Works & Generating an SSL Key Pair & Configuring SSL in Nginx

12.17 Nginx Load Balancing

How load balancing works

A proxy server fronts several web servers.

Advantages of load balancing

A user can be served by any one of several servers that provide the same service, which avoids the situation where the single server assigned to that user goes down and the user can no longer reach the site.

Resolving a domain name to its IP addresses

yum -y install bind-utils  // installs the dig command
[root@linux-10 ~]# dig www.qq.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18570
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.qq.com.			IN	A

;; ANSWER SECTION:
www.qq.com.		245	IN	A	111.30.132.101

Note: Nginx load balancing does not support proxying the https protocol, i.e. it cannot proxy port 443.

Configure the load-balancing virtual host

upstream qq_com
{
    ip_hash;
    server 111.161.64.40:80;
    server 111.161.64.48:80;
}
server
{
    listen 80;
    server_name qq.com;
    location /
    {
        proxy_pass      http://qq_com;            // must match the upstream name
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

upstream specifies multiple web servers; the upstream name can be chosen freely.

The purpose of ip_hash: keep the same user on the same server.
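To make the "same user, same server" behaviour concrete, here is an added Python model (not code from this post) of how nginx's ip_hash module selects a peer, reconstructed from my reading of its source: it hashes only the first three octets of an IPv4 client address, so every client in the same /24 lands on the same backend, and it hashes the connection's remote address, never X-Forwarded-For. The backend addresses are the two from the upstream block above; the client addresses are constructed.

```python
import ipaddress

# The two backends from the upstream block above, with nginx's default weight 1.
BACKENDS = [("111.161.64.40", 1), ("111.161.64.48", 1)]


def ip_hash(client_ip):
    """Reconstruction of the ip_hash module's hash (assumed from its source):
    start at 89, then hash = (hash * 113 + byte) % 6271 over the first three
    octets of an IPv4 address (all 16 bytes for IPv6). The fourth IPv4 octet
    is never looked at, which is why a whole /24 shares one backend."""
    addr = ipaddress.ip_address(client_ip)
    raw = addr.packed[:3] if addr.version == 4 else addr.packed
    h = 89
    for byte in raw:
        h = (h * 113 + byte) % 6271
    return h


def pick_backend(client_ip, backends=BACKENDS):
    """Weighted selection: hash % total_weight, then walk the peer list."""
    total = sum(weight for _, weight in backends)
    w = ip_hash(client_ip) % total
    for server, weight in backends:
        if w < weight:
            return server
        w -= weight
    raise RuntimeError("weights exhausted; cannot happen with total > 0")


def group_by_backend(client_ips, backends=BACKENDS):
    """Map each backend to the clients it would receive. Clients behind one NAT,
    or all traffic arriving via another proxy/CDN (nginx then sees the proxy's
    address as the remote address and ignores X-Forwarded-For), collapse onto
    a single backend, which defeats the balancing."""
    groups = {server: [] for server, _ in backends}
    for ip in client_ips:
        groups[pick_backend(ip, backends)].append(ip)
    return groups


if __name__ == "__main__":
    # Constructed client addresses: two from one /24, one from another.
    sample = ["10.0.0.5", "10.0.0.200", "192.168.1.1"]
    for server, clients in group_by_backend(sample).items():
        print(server, "<-", clients)
```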

Testing the result: a request sent through the proxy returns qq.com's page HTML.


12.18 How SSL works

1. The browser sends an https request to the server;

2. The server must have a digital certificate. It can make its own (the steps later in this post produce a self-made certificate, as in 阿銘's lesson) or apply to an organization for one; the difference is that a self-issued certificate has to be accepted by the client before access can continue, whereas a certificate obtained from a trusted company does not pop up a warning page. This certificate is essentially a public/private key pair;

3. The server sends the public key to the client;

4. The client (browser) receives the public key and checks whether it is valid. If it is invalid, a warning is shown; if it is valid, the client generates a random string and encrypts it with the received public key;

5. The client sends the encrypted random string to the server;

6. The server receives the encrypted random string and decrypts it with its private key (public key encrypts, private key decrypts). With that random string in hand, it uses it to encrypt the data to be transmitted. This encryption is symmetric: the data is mixed with the key, which here is the random string, by some algorithm, so nobody can recover the data without knowing that key;

7. The server sends the encrypted data to the client;

8. The client receives the data and decrypts it with its own key, that is, the same random string.
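The eight steps above as an added Python model of the exchange (not code from this post): the server's key pair stands in for its certificate, the client encrypts a random secret with the public key, and both sides then use that secret symmetrically. It assumes textbook RSA on two well-known Mersenne primes in place of the random 2048-bit primes that openssl genrsa picks, and a SHA-256 keystream in place of a real cipher suite, so it illustrates the flow, not real TLS.

```python
import hashlib
import secrets

# Well-known Mersenne primes stand in for the random 2048-bit primes that
# "openssl genrsa ... 2048" would choose; they keep the numbers small.
P, Q = 2**31 - 1, 2**61 - 1


def make_keypair(p=P, q=Q, e=65537):
    """Step 2: the server's RSA key pair (the public part is what the
    certificate carries). Returns (public_key, private_key)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent
    return (n, e), (n, d)


def client_make_secret(public_key):
    """Step 4: the client draws a random secret and encrypts it with the
    server's public key; only the ciphertext goes on the wire (step 5)."""
    n, e = public_key
    secret = secrets.randbelow(n - 2) + 2
    return secret, pow(secret, e, n)


def server_recover_secret(private_key, encrypted_secret):
    """Step 6: the private key, and nothing else, recovers the secret."""
    n, d = private_key
    return pow(encrypted_secret, d, n)


def sym_crypt(secret, data):
    """Toy symmetric cipher keyed by the shared secret (steps 6-8): XOR with a
    SHA-256 keystream, so the same function both encrypts and decrypts."""
    key = secret.to_bytes(16, "big")   # secret < n < 2**92, fits in 16 bytes
    out = bytearray()
    for pos in range(0, len(data), 32):
        stream = hashlib.sha256(key + pos.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[pos:pos + 32], stream))
    return bytes(out)


def run_exchange(response=b"<html>hello over https</html>"):
    """Walk steps 2-8 end to end; returns what the client finally decrypts."""
    public_key, private_key = make_keypair()
    client_secret, on_the_wire = client_make_secret(public_key)      # steps 4-5
    server_secret = server_recover_secret(private_key, on_the_wire)  # step 6
    ciphertext = sym_crypt(server_secret, response)                  # step 7
    return sym_crypt(client_secret, ciphertext)                      # step 8


if __name__ == "__main__":
    print(run_exchange())
```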

12.19 Generating an SSL key pair

The digital certificate amounts to the public and private keys used in SSL.

Install the OpenSSL tool

[root@linux-10 ~]# rpm -qf `which openssl`
openssl-1.0.2k-12.el7.x86_64
[root@linux-10 ~]# yum -y install openssl-1.0.2k-12.el7.x86_64

Generate the private key

cd /usr/local/nginx/conf
openssl genrsa -des3 -out tmp.key 2048   // the .key file is the private key

genrsa means generate an RSA-format private key.

Convert the key to remove the passphrase

[root@linux-10 conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.................................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:

Because the private key was generated with a passphrase, that passphrase would have to be entered every time an https page is accessed, which is too much trouble, so the passphrase can be removed by converting the key.

openssl rsa -in tmp.key -out lem.key   // -in specifies the private key to convert

Now there are two keys, tmp.key and lem.key, with identical contents except that the former has a passphrase and the latter does not, so the former can be deleted:

rm -f tmp.key

Generate the certificate signing request

The certificate request file is used together with the private key file to generate the public key file (the certificate).

[root@linux-10 conf]# openssl req -new -key lem.key -out lem.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Generating the request file asks for some information; the fields can be left at their defaults.

Generate the public key file (certificate)

openssl x509 -req -days 365 -in lem.csr -signkey lem.key -out lem.crt

12.20 Configuring SSL in Nginx

Edit the virtual host configuration file (note that TLSv1 and TLSv1.1, listed in ssl_protocols below, have since been deprecated by RFC 8996; on a production server keep only TLSv1.2 and later)

vim /usr/local/nginx/conf/vhost/ssl.conf   // add the following content
server
{
    listen 443;
    server_name lemssl.com;
    index index.html index.php;
    root /data/wwwroot/lemssl.com;
    ssl on;
    ssl_certificate lem.crt;
    ssl_certificate_key lem.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

Test and recompile

[root@linux-10 conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/lemssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

The check reported an error: the ssl module was not included when Nginx was compiled, so Nginx has to be recompiled with the

--with-http_ssl_module module

[root@linux-10 conf]# cd /usr/local/src/nginx-1.14.0
[root@linux-10 nginx-1.14.0]# ./configure  --prefix=/usr/local/nginx/ --with-http_ssl_module
[root@linux-10 nginx-1.14.0]# make
[root@linux-10 nginx-1.14.0]# make install

Test, restart, and check the listening ports

[root@linux-10 nginx-1.14.0]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx//conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx//conf/nginx.conf test is successful
[root@linux-10 nginx-1.14.0]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  肯定  ]
[root@linux-10 nginx-1.14.0]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4335/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      875/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1285/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4335/nginx: master  
tcp6       0      0 :::22                   :::*                    LISTEN      875/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1285/master         
tcp6       0      0 :::3306                 :::*                    LISTEN      1321/mysqld

A new port, 443, now appears among the listening ports.

Testing the effect

Port 443 cannot be accessed directly with curl's -x option (it returns a 400 error), so /etc/hosts has to be modified instead:

vim /etc/hosts
127.0.0.1 lemssl.com
[root@linux-10 lemssl.com]# curl https://lemssl.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

The error occurs because our digital certificate is self-issued and the browser does not accept it, hence the warning that the site is not secure; but our access already works.
