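Nginx load balancing: when the proxy server maps a custom domain name to several specified IPs, the upstream module ensures that users can reach each of those IPs through the proxy server.
Configuration parameters: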
```
[root@1 ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream aq.com    # custom domain name
{
    ip_hash;    # keep the same user on the same machine
    # i.e. when the domain points to several IPs, each user always resolves to the same IP
    server 61.135.157.156:80;
    server 125.39.240.113:80;
    # IPs of the web servers
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://aq.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
```
[root@1 ~]# curl -x127.0.0.1:80 www.qq.com
This is the default directory.
```
Before the proxy is in use, the request goes straight to the default virtual host.
```
[root@1 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@1 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@1 ~]# curl -x127.0.0.1:80 www.qq.com
```
Once the proxy is in use, the request is resolved to the IPs the proxy server points to.
```
[root@1 ~]# dig www.qq.com

;; ANSWER SECTION:
www.qq.com.        138    IN    A    61.135.157.156
www.qq.com.        138    IN    A    125.39.240.113

;; Query time: 13 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 二 8月 15 16:41:11 CST 2017
;; MSG SIZE  rcvd: 71
```
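Note: Nginx does not support proxying https, only http; newer versions of Nginx can proxy tcp.
The dig command is a commonly used domain name resolution tool.
If the command is not available on the server, install it manually:
```
[root@1 ~]# yum install -y bind-utils
```
Syntax: dig [domain name]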
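HTTP (HyperText Transfer Protocol) is the most widely used network protocol on the Internet.
HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel designed with security as its goal; put simply, it is the secure version of HTTP. HTTPS is built from SSL plus HTTP, provides encrypted transport and identity authentication, and is more secure than the http protocol.
The default port for HTTP is 80; the port for HTTPS is 443.
TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream-based transport-layer communication protocol, defined by the IETF in RFC 793. It listens on port 80 by default.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide security and data integrity for network communication.
If this tool is not available in the virtual machine, install it manually:
```
[root@1 ~]# yum install -y openssl
```
An SSL certificate is a pair consisting of a public key and a private key.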
```
[root@1 ~]# cd /usr/local/nginx/conf/
[root@1 conf]# openssl genrsa -des3 -out tmp.key 2048
# generate the SSL key
Generating RSA private key, 2048 bit long modulus
....................................................................................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
```
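Note: set the pass phrase here!
```
[root@1 conf]# openssl rsa -in tmp.key -out adailinux.key
Enter pass phrase for tmp.key:
writing RSA key
```
Delete the key file:
```
[root@1 conf]# rm -f tmp.key
```
Generate the certificate request file (adailinux.csr); it is needed together with the private key to produce the public key file: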
```
[root@1 conf]# openssl req -new -key adailinux.key -out adailinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:adai
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Beijing
Organizational Unit Name (eg, section) []:Beijing
Common Name (eg, your name or your server's hostname) []:adailinux
Email Address []:adai@adailinux.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
```
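Note: if you are not purchasing a certificate, these fields can be filled in freely; for a production website, the corresponding information must be filled in properly (purchased certificate).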
```
[root@1 conf]# openssl x509 -req -days 365 -in adailinux.csr -signkey adailinux.key -out adailinux.crt
Signature ok
subject=/C=CN/ST=adai/L=Beijing/O=Beijing/OU=Beijing/CN=adailinux/emailAddress=adai@adailinux.com
Getting Private key
```
```
[root@1 conf]# cd vhost/
[root@1 vhost]# vim ssl.conf
server
{
    listen 443;
    server_name adai.com;
    index index.html index.php;
    root /data/wwwroot/adai.com;
    ssl on;
    # enable ssl
    ssl_certificate adailinux.crt;
    # public key (certificate)
    ssl_certificate_key adailinux.key;
    # private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # enabled protocols (TLSv1 and TLSv1.1 are deprecated by RFC 8996)
}
[root@1 vhost]# mkdir /data/wwwroot/adai.com
```
Error:
```
[root@1 conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
```
The ssl directive is not recognized, so Nginx has to be recompiled:
```
[root@1 conf]# cd /usr/local/src/nginx-1.12.1/
[root@1 nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@1 conf]# make
[root@1 conf]# make install
[root@1 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@1 nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  肯定  ]
[root@1 nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5991/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1735/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2040/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5991/nginx: master
tcp6       0      0 :::3306                 :::*                    LISTEN      1990/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      1735/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2040/master
```
Nginx is listening on ports 80 and 443.
```
[root@1 nginx-1.12.1]# cd /data/wwwroot/adai.com/
[root@1 1.com]# vim index.html
This is ssl.
```
Add the local domain name:
```
[root@1 adai.com]# vim /etc/hosts
127.0.0.1 adai.com
[root@1 vhost]# curl https://adai.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```
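Because the certificate was created by ourselves, curl reports that the certificate is not trusted!
Note: before running this test, the Windows hosts file has to be changed.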
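The curl error above is about the untrusted issuer, but the certificate built in this walkthrough also names CN=adailinux while the virtual host is adai.com, so a client that trusted the file explicitly would still fail the hostname check. The script below is an added example, not part of the original post: it generates the key and self-signed certificate non-interactively with a matching name, then checks that key and certificate belong together and that the certificate covers the host. The function names and the subjectAltName value are assumptions; the file names follow the post.

```bash
#!/bin/sh
# Added example, not from the original post. File names follow the post;
# the function names and the SAN value are assumptions.
set -u

# make_cert DIR HOST: unencrypted 2048-bit RSA key plus a 365-day self-signed
# certificate whose CN and subjectAltName both equal HOST (OpenSSL >= 1.1.1).
make_cert() {
    ( umask 077    # keep the private key readable by its owner only
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
          -keyout "$1/adailinux.key" -out "$1/adailinux.crt" \
          -subj "/C=CN/L=Beijing/CN=$2" \
          -addext "subjectAltName=DNS:$2" 2>/dev/null )
}

# pub_of KIND FILE: PEM public key held in a certificate ("cert") or key file.
pub_of() {
    case $1 in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    openssl pkey -in "$2" -pubout ;;
    esac 2>/dev/null
}

# key_matches_cert KEY CERT: true only when both files hold the same key pair,
# i.e. ssl_certificate_key really belongs to ssl_certificate.
key_matches_cert() {
    local k c
    k=$(pub_of key "$1") && c=$(pub_of cert "$2") && [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_covers_host CERT HOST: true only when HOST is a name in the certificate,
# which is what a client compares with the URL once the issuer is trusted.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Usage: sh <this script> DIR HOST   (overwrites DIR/adailinux.key and .crt)
if [ "$#" -eq 2 ]; then
    make_cert "$1" "$2" \
        && key_matches_cert "$1/adailinux.key" "$1/adailinux.crt" \
        && cert_covers_host "$1/adailinux.crt" "$2" \
        && echo "key and certificate match; certificate covers $2"
fi
```

With a certificate produced this way, `curl --cacert /usr/local/nginx/conf/adailinux.crt https://adai.com/` verifies the server without resorting to `-k`.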