Nginx load balancing and SSL configuration

12.17 Nginx load balancing

Nginx load balancing means that when the proxy server resolves a custom domain name to several specified IPs, an upstream block is used so that users reaching the proxy server can still reach each of those IPs normally.

Load-balancing configuration

Configuration:

[root@1 ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream aq.com
#self-defined name for the upstream group
{
    ip_hash;
    #keep the same user on the same machine,
    #i.e. when the name resolves to several IPs, each user is always sent to the same IP
    server 61.135.157.156:80;
    server 125.39.240.113:80;
    #IPs of the web servers
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass      http://aq.com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
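To see what ip_hash actually does with a client address, here is an added shell function (mine, not part of the original post) that reproduces the IPv4 hash of nginx's ip_hash module as I read it in ngx_http_upstream_ip_hash_module.c (treat that as an assumption and check the source if you depend on it); it assumes equal weights and no servers marked down. Only the first three octets enter the hash, so a whole /24, and every client that arrives from one NAT or one upstream proxy address, lands on the same backend.

```shell
# Pick the backend nginx's ip_hash would choose for an IPv4 client.
# Usage: ip_hash_pick <client_ip> <server1> <server2> ...
# Assumptions: equal weights, no servers marked down, dotted-decimal IPv4
# without leading zeros in the octets (a leading 0 would be read as octal).
ip_hash_pick() {
    client_ip=$1; shift
    o1=${client_ip%%.*}; rest=${client_ip#*.}
    o2=${rest%%.*};      rest=${rest#*.}
    o3=${rest%%.*}                      # the fourth octet is never used
    hash=89
    for octet in "$o1" "$o2" "$o3"; do
        hash=$(( (hash * 113 + octet) % 6271 ))
    done
    shift $(( hash % $# ))              # index into the server list
    printf '%s\n' "$1"
}

# Constructed demo: the two backends from load.conf and three client addresses.
# 10.0.0.5 and 10.0.0.200 share a /24, so they always hit the same server.
for ip in 10.0.0.5 10.0.0.200 192.168.1.7; do
    printf '%-13s -> %s\n' "$ip" "$(ip_hash_pick "$ip" 61.135.157.156:80 125.39.240.113:80)"
done
```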

Verification

Before proxying

[root@1 ~]# curl -x127.0.0.1:80 www.qq.com 
This is the default directory.

Before the proxy is in place, the request goes straight to the default virtual host.

After proxying

[root@1 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@1 ~]# /usr/local/nginx/sbin/nginx -s reload

[root@1 ~]# curl -x127.0.0.1:80 www.qq.com

After the proxy is in place, the request is forwarded to the IPs the proxy server points at.

[root@1 ~]# dig www.qq.com

;; ANSWER SECTION:
www.qq.com.		138	IN	A	61.135.157.156
www.qq.com.		138	IN	A	125.39.240.113

;; Query time: 13 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 二 8月 15 16:41:11 CST 2017
;; MSG SIZE  rcvd: 71

Note: Nginx cannot proxy HTTPS, only HTTP; newer versions of Nginx can proxy TCP.

The dig command

dig is a commonly used DNS lookup tool.

If the server does not have the command, install it manually:

[root@1 ~]# yum install -y bind-utils

Syntax: dig [domain]

HTTP, HTTPS and TCP

HTTP (HyperText Transfer Protocol) is the most widely used network protocol on the Internet.
HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel built with security as its goal, in short a secure version of HTTP. HTTPS is built from SSL plus HTTP; it provides encrypted transmission and identity authentication, and is more secure than HTTP.
HTTP's default port is 80; HTTPS uses port 443.
TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream transport-layer protocol defined by the IETF in RFC 793. It listens on port 80 by default.

12.18 How SSL works

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide confidentiality and data integrity for network communication.

If openssl is not present on the virtual machine, install it manually:

[root@1 ~]# yum install -y openssl

SSL workflow

  • The browser sends an HTTPS request to the server;
  • The server must have a digital certificate. It can make one itself (the steps later on are Aming's self-made certificate) or apply to a certificate authority; the difference is that a self-issued certificate has to pass the client's verification before access can continue, whereas a certificate bought from a trusted company does not pop up a warning page. This certificate is really just a public/private key pair;
  • The server sends the public key to the client;
  • The client (browser) receives the public key and checks whether it is valid; if not, a warning is shown; if it is, the client generates a random string and encrypts it with the public key;
  • The client sends the encrypted random string to the server;
  • The server decrypts the encrypted random string with its private key (public key encrypts, private key decrypts) to recover the random string, then uses that random string to encrypt the data it sends. This is symmetric encryption: the data and the key, i.e. the random string, are mixed together by some algorithm so that the data cannot be recovered without knowing the key;
  • The server sends the encrypted data to the client;
  • The client receives the data and decrypts it with its own key, i.e. that random string.
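The exchange just listed, played out with the openssl CLI as an added example (my script, not the course's): the server's RSA key pair stands in for the certificate, the client wraps a random session key under the public key, the server unwraps it with the private key, and a constructed request is then carried under symmetric AES. It assumes an openssl build with enc -pbkdf2 (1.1.1 or later); the PBKDF2 step is a choice made for this demo, and real TLS framing is not reproduced.

```shell
# Server: generate the key pair; only the public half goes on the wire (in real
# TLS it is carried inside the certificate).
server_make_keys() {                       # $1 = work dir
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl rsa -in "$1/server.key" -pubout -out "$1/server.pub" 2>/dev/null
}

# Client: after checking the server's key (the browser's certificate check, skipped
# here), draw a random session key and encrypt it to the server's public key.
client_send_secret() {                     # $1 = work dir
    openssl rand -hex 32 > "$1/client.session"
    openssl pkeyutl -encrypt -pubin -inkey "$1/server.pub" \
        -in "$1/client.session" -out "$1/session.enc"
}

# Server: only the private key can unwrap the session key.
server_recv_secret() {                     # $1 = work dir
    openssl pkeyutl -decrypt -inkey "$1/server.key" \
        -in "$1/session.enc" -out "$1/server.session"
}

# Symmetric leg: both sides now use the shared random string. PBKDF2 derives the
# AES key from it (assumption for this demo; TLS uses its own key schedule).
sym_encrypt() { openssl enc -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$2" -out "$3"; }
sym_decrypt() { openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$2" -out "$3"; }

# Whole exchange. Returns 0 when the server recovered the client's session key and
# a constructed request survives the symmetric round trip.
run_handshake() {                          # $1 = work dir
    server_make_keys "$1" && client_send_secret "$1" && server_recv_secret "$1" || return 1
    cmp -s "$1/client.session" "$1/server.session" || return 1
    printf 'GET / HTTP/1.1\r\nHost: adai.com\r\n\r\n' > "$1/req.txt"   # constructed request
    sym_encrypt "$1/client.session" "$1/req.txt" "$1/req.enc" || return 1
    sym_decrypt "$1/server.session" "$1/req.enc" "$1/req.dec" || return 1
    cmp -s "$1/req.txt" "$1/req.dec"
}

work=$(mktemp -d)
run_handshake "$work" && echo "session key agreed and request decrypted correctly"
```

This is the RSA key-transport flow the list describes; TLS 1.3 derives the session key from an ephemeral Diffie-Hellman exchange instead, so the server's long-term key never protects the session secret directly.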

12.19 Generating an SSL key pair

An SSL certificate is a public/private key pair.

Create the private key

[root@1 ~]# cd /usr/local/nginx/conf/

[root@1 conf]# openssl genrsa -des3 -out tmp.key 2048
#generate the SSL key
Generating RSA private key, 2048 bit long modulus
....................................................................................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:

Note: a passphrase is set here.

Convert the key to remove the passphrase:

[root@1 conf]# openssl rsa -in tmp.key -out adailinux.key 

Enter pass phrase for tmp.key:
writing RSA key

Delete the temporary key file:

[root@1 conf]# rm -f tmp.key

Generate the certificate signing request

This file, together with the private key, is used to produce the public key file (the certificate):

[root@1 conf]# openssl req -new -key adailinux.key -out adailinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:adai
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Beijing
Organizational Unit Name (eg, section) []:Beijing
Common Name (eg, your name or your server's hostname) []:adailinux
Email Address []:adai@adailinux.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456

Note: if you are not buying a certificate, these fields can be filled in freely; for a production website, fill in the real details required for the purchased certificate.

Create the public key (certificate):

[root@1 conf]# openssl x509 -req -days 365 -in adailinux.csr -signkey adailinux.key -out adailinux.crt

Signature ok
subject=/C=CN/ST=adai/L=Beijing/O=Beijing/OU=Beijing/CN=adailinux/emailAddress=adai@adailinux.com
Getting Private key

12.20 Configuring SSL in Nginx

[root@1 conf]# cd vhost/

[root@1 vhost]# vim ssl.conf
server
{
    listen 443;
    server_name adai.com;
    index index.html index.php;
    root /data/wwwroot/adai.com;
    ssl on;
    #enable ssl
    ssl_certificate adailinux.crt;
    #public key (certificate)
    ssl_certificate_key adailinux.key;
    #private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #allowed protocols
}

[root@1 vhost]# mkdir /data/wwwroot/adai.com

Verification

Error:

[root@1 conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

The ssl directive is not recognized, so Nginx has to be recompiled with the SSL module:

[root@1 conf]# cd /usr/local/src/nginx-1.12.1/

[root@1 nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module  

[root@1 conf]# make
[root@1 conf]# make install

[root@1 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@1 nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  肯定  ]

[root@1 nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5991/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1735/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2040/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5991/nginx: master  
tcp6       0      0 :::3306                 :::*                    LISTEN      1990/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      1735/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      2040/master

Nginx is now listening on ports 80 and 443.

Test

[root@1 nginx-1.12.1]# cd /data/wwwroot/adai.com/

[root@1 1.com]# vim index.html

This is ssl.

Add the local host entry:

[root@1 adai.com]# vim /etc/hosts
127.0.0.1  adai.com

[root@1 vhost]# curl https://adai.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Because the certificate is self-signed, curl reports that it is not trusted!!!


Note: before running this test from Windows, the Windows hosts file must be changed.
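Putting sections 12.19 and 12.20 together, here is an added shell script (mine, not the course's commands) that does the key and certificate generation non-interactively, adds two checks the page does not show (that the key and certificate belong together, and verification of the certificate against itself, which is what curl's --cacert does and what a client should use instead of -k), and writes a tighter version of ssl.conf. It assumes the openssl CLI is installed; the subject fields and the adai.com paths come from the page.

```shell
# Non-interactive version of section 12.19: $1 = output dir, $2 = base name, $3 = CN.
# The key is written unencrypted from the start, so no tmp.key / passphrase-removal step.
make_selfsigned_cert() {
    dir=$1; name=$2; cn=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    chmod 600 "$dir/$name.key"             # the private key must not be world-readable
    openssl req -new -batch -key "$dir/$name.key" \
        -subj "/C=CN/ST=adai/L=Beijing/O=Beijing/CN=$cn" -out "$dir/$name.csr"
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# Return 0 when the certificate's public key belongs to the private key (same RSA
# modulus); a mismatched pair is a common reason for nginx refusing to start.
cert_matches_key() {                       # $1 = crt, $2 = key
    crt_mod=$(openssl x509 -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# Return 0 when $1 chains to the CA file $2. A self-signed cert is its own CA, and
# this is the check curl does with --cacert, so a client can pin this one certificate
# instead of switching verification off with -k.
cert_verifies_against() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Hardened replacement for the page's ssl.conf: "listen 443 ssl" instead of the
# deprecated "ssl on", TLSv1/TLSv1.1 dropped (add TLSv1.3 on nginx >= 1.13.0 built
# against OpenSSL 1.1.1), and a session cache so full handshakes are not repeated.
write_ssl_vhost() {                        # $1 = output file, $2 = crt, $3 = key
    cat > "$1" <<EOF
server {
    listen 443 ssl;
    server_name adai.com;
    root /data/wwwroot/adai.com;
    index index.html index.php;
    ssl_certificate $2;
    ssl_certificate_key $3;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
}
EOF
}

if [ $# -ge 3 ]; then                      # e.g. ./mkcert.sh /usr/local/nginx/conf/vhost adailinux adai.com
    make_selfsigned_cert "$1" "$2" "$3" && cert_matches_key "$1/$2.crt" "$1/$2.key" && echo "key and cert match"
fi
```

After generating, `curl --cacert adailinux.crt https://adai.com/` succeeds for this one certificate while every other issuer is still rejected, which is the behaviour you want from a test client.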
