集羣架構-https

時間  2019-11-08
標籤 集羣 架構 https 欄目 負載均衡 简体版
原文   原文鏈接

1.什麼是Https
2.爲何要使用Https
3.模擬不使用Https的劫持和篡改?
4.Https通信是如何肯定雙方的身份?
5.Https證書類型、購買指南、注意事項?php

Https不支持續費,證書到期需從新申請新並進行替換。
Https不支持三級域名解析,如 test.m.oldboy.com。
Https顯示綠色,說明整個網站的url都是https的,而且都是安全的。
Https顯示黃色,說明網站代碼中有部分URL地址是http不安全協議的。
Https顯示紅色,要麼證書是假的,要麼證書已通過期。html


6.如何實現單臺Https、又如何實現集羣Https?node

#建立存放ssl證書的路徑
[root@Nginx ~]# mkdir -p /etc/nginx/ssl_key
[root@Nginx ~]# cd /etc/nginx/ssl_keynginx

實驗:web

1.生成證書 (密碼1234)
[root@Nginx ~]# openssl genrsa -idea -out server.key 2048後端

2.生成自簽證書,同時去掉私鑰的密碼
openssl req -days 36500 -x509 \
-sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt瀏覽器

配置nginx安全

[root@web01 conf.d]# cat s.oldux.com.conf 
server {
    listen 443 ssl;
    server_name s.oldxu.com;
    root /code;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;

    location / {
        index index.html;
    }
}
server {
    listen 80;
    server_name s.oldxu.com;
    return 302 https://$http_host$request_uri;    
}

雲主機配置服務器

[root@yanghh conf.d]# cat blog-yang.conf 
server {
    listen 443 ssl;
    server_name wq.yanghuanhuan.top;
    root /code/wordpress;
    ssl_certificate ssl_key/2861173_wq.yanghuanhuan.top.pem;
    ssl_certificate_key ssl_key/2861173_wq.yanghuanhuan.top.key;
    client_max_body_size 100m;

    location / {
        index index.php;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

}

server {
        listen 80;
        server_name wq.yanghuanhuan.top;
        return 302 https://$http_host$request_uri;
}

7.如何將Https集成集羣架構實現全站Https?session

流程:

1.先配置好後端的web節點
2.在負載均衡上申請證書(若是以前申請過也能夠推送) <----
3.配置nginx負載均衡--->http協議
4.配置域名劫持
5.配置nginx負載均衡--->轉爲https協議

配置

[root@lb01 conf.d]# cat proxy_s.oldxu.com.conf 
upstream webs {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
}

server {
    listen 443 ssl;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;

    server_name s.oldxu.com;
    location / {
        proxy_pass http://webs;
        include proxy_params;
    }
}

server {
    listen 80;
    server_name s.oldxu.com;
    return 302 https://$http_host$request_uri;
}

我的博客

[root@lb01 conf.d]# cat proxy_blog.oldxu.com.conf 
upstream blog {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
}

server {
    listen 443 ssl;
    server_name blog.oldxu.com;
    
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;

    location / {
        proxy_pass http://blog;
        proxy_next_upstream error timeout http_500 http_502 http_503;
        include proxy_params;
    }
}

server {
    listen 80;
    server_name blog.oldxu.com;
    return 302 https://$http_host$request_uri;
}

web服務器

[root@web02 conf.d]# cat blog.oldxu.com.conf 
server {
    listen 80;
    server_name blog.oldxu.com;
    root /code/wordpress;

    client_max_body_size 100m;
    location / {
        index index.php;
    }

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param   SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
    }
}

.需求: 部分URL走https,部分不走https?

 s.oldxu.com/login  ---> https
 
[root@lb01 conf.d]# cat proxy_s.oldxu.com.conf 
upstream webs {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
}

server {
    listen 443 ssl;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;

    server_name s.oldxu.com;
    location / {
        proxy_pass http://webs;
        include proxy_params;
    }
}
server {
    listen 80;
    server_name s.oldxu.com;
    
    if ($request_uri ~* "^/login") {
        return 302 https://$http_host$request_uri;
    }

    location / {
        proxy_pass http://webs;
        include proxy_params;
    }
}

需求: 當用戶請求s.oldxu.com/abc時走http,其餘的全部都走https?

s.oldxu.com/ ---> https
s.oldxu.com/abc ---> http

[root@lb01 conf.d]# cat proxy_s.oldxu.com.conf 
upstream webs {
server 172.16.1.7:80;
server 172.16.1.8:80;
}

server {
listen 443 ssl;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;

server_name s.oldxu.com;
location / {
proxy_pass http://webs;
include proxy_params;
}
}
server {
listen 80;
server_name s.oldxu.com;

if ($request_uri !~* "^/abc") {
return 302 https://$http_host$request_uri;
}

location / {
proxy_pass http://webs;
include proxy_params;
}
}

https優化相關的參數?

erver {
    listen 443 ssl;
    server_name nginx.bjstack.com;
    
    ssl_certificate ssl_key/1524377920931.pem;
    ssl_certificate_key ssl_key/1524377920931.key;
    ssl_session_cache shared:SSL:10m;     #在創建完ssl握手後若是斷開鏈接,在session_timeout時間內再次鏈接,是不須要在次創建握手,能夠複用以前的鏈接
    ssl_session_timeout 1440m;           #ssl鏈接斷開後的超時時間
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #使用的TLS版本協議
    ssl_prefer_server_ciphers on;        #Nginx決定使用哪些協議與瀏覽器進行通信
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #配置加密套間

l    ocation / {
        root /soft/code;
        index index.html index.htm;
    }
}
server {
        listen 80;
        server_name nginx.bjstack.com;
        return 302 https://$server_name$request_uri;
}

負載均衡配https流程

相關文章
相關標籤/搜索
每日一句
    每一个你不满意的现在,都有一个你没有努力的曾经。
本站公眾號
   歡迎關注本站公眾號,獲取更多信息
聯繫我們 最近搜索 最新文章 沪ICP备13005482号-10 MyBatis教程 SQL 教程 MySQL教程 Java 教程 Thymeleaf 教程 Hibernate教程 Spring教程 Redis教程