LNMP架构负载均衡及HTTPS相关配置
11月29日任务javascript
12.17 Nginx负载均衡php
12.18 ssl原理css
12.19 生成ssl密钥对html
12.20 Nginx配置ssljava
Nginx负载均衡
负载均衡原理上就是代理,只不过经过设置多个代理服务器来实现多用户访问时的负载均衡。同时也能够在某个代理服务器没法访问时,切换到另外的代理服务器,从而实现访问不间断的目的。mysql
下面以qq.com为例,配置负载均衡nginx
- 先经过dig命令查看域名及其ip
# dig命令由bind-utils包安装 [root@localhost ~]# yum install -y bind-utils [root@localhost ~]# dig qq.com ; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> qq.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65328 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;qq.com. IN A ;; ANSWER SECTION: qq.com. 404 IN A 61.135.157.156 qq.com. 404 IN A 125.39.240.113 ;; Query time: 40 msec ;; SERVER: 119.29.29.29#53(119.29.29.29) ;; WHEN: 四 1月 04 22:02:25 CST 2018 ;; MSG SIZE rcvd: 67
- 配置虚拟主机配置文件
[root@localhost ~]# mv /usr/local/nginx/conf/vhost/load.conf
# 经过upstream来指定多个web服务器
upstream qq_com
{
# ip_hash的目的是让同一个用户始终保持在同一个机器上
ip_hash;
# 这里是负载均衡时使用的多个server的ip
# server http://61.135.157.157:80;
# 上述表示也行,对应的server块内的proxy_pass内直接写qq_com便可,不须要写http://
server 61.135.157.157:80;
server 125.39.240.113:80;
}
server
{
listen 80;
server_name www.qq.com;
location /
{
# 这里使用的是upstream名即qq_com
proxy_pass http://qq_com;
proxy_set_header Host $host;
proxy_set_header X_Real_IP $remote_addr;
proxy_set_header X-Forwarded_For $proxy_add_x_forwarded_for;
}
}
验证效果
配置未生效时,本地访问www.qq.com,获得的将是默认主机的内容web
[root@localhost ~]# curl -x127.0.0.1:80 www.qq.com this is default web server
重启服务后,获取到了www.qq.com网页的源码算法
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# curl -x127.0.0.1:80 www.qq.com
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta content="text/html; charset=gb2312" http-equiv="Content-Type">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="baidu-site-verification" content="cNitg6enc2">
<title><CC><DA>Ѷ<CA><D7>ҳ</title>
<script type="text/javascript">
if(window.location.toString().indexOf('pref=padindex') != -1){
}else{
if(/AppleWebKit.*Mobile/i.test(navigator.userAgent) || /\(Android.*Mobile.+\).+Gecko.+Firefox/i.test(navigator.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE/.test(navigator.userAgent))){
if(window.location.href.indexOf("?mobile")<0){
try{
if(/Android|Windows Phone|webOS|iPhone|iPod|BlackBerry/i.test(navigator.userAgent)){
window.location.href="http://xw.qq.com/index.htm";
}else if(/iPad/i.test(navigator.userAgent)){
//window.location.href="http://www.qq.com/pad/"
}else{
...
nginx不支持代理https,即server语句内的端口没法使用443。sql
ssl原理
- 客户端向服务器发送https请求;
- 服务器上存储了一套数字证书,其实质为一对公私钥。数字证书能够本身制做,也能够向组织申请。前者在客户端访问时须要验证才能继续访问;后者不会弹出验证提示;
- 服务器将公钥传输给客户端;
- 客户端验证公钥是否合法:无效(本身制做的)会弹出警告,有效的则生成一串随机数,用此随机数加密公钥;
- 客户端将加密后的字符串传输给服务器
- 服务器收到字符串后,先使用私钥进行解密,获取加密使用的随机数,并以此随机数加密传输的数据(对称机密);
- 服务器将加密后的数据传输给客户端;
- 客户端收到数据后,使用本身的私钥(即随机字符串)进行解密。
对称加密:将数据和私钥(随机字符串)经过某种算法混合在一块儿,除非知道私钥,不然没法解密。
生成SSL密钥对
- 建立私钥key
[root@localhost ~]# cd /usr/local/nginx/conf # 建立私钥key文件,必须输入密码,不然没法生成key文件 [root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048 Generating RSA private key, 2048 bit long modulus ..............................+++ ...............................................................+++ e is 65537 (0x10001) Enter pass phrase for tmp.key: Verifying - Enter pass phrase for tmp.key:
- 转换key,取消密码
[root@localhost conf]# openssl rsa -in tmp.key -out test.key Enter pass phrase for tmp.key: writing RSA key [root@localhost conf]# rm -f tmp.key
- 生成证书
[root@localhost conf]# openssl req -new -key test.key -out test.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:ZheJiang Locality Name (eg, city) [Default City]:QuZhou Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []: Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: # 须要使用csr文件与私钥一块儿生成.crt文件 [root@localhost conf]# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt Signature ok subject=/C=CN/ST=ZheJiang/L=QuZhou/O=Default Company Ltd Getting Private key
Nginx配置SSL
- 建立新虚拟主机配置文件
[root@localhost conf]#vim /usr/local/nginx/conf/vhost/ssl.conf
server
{
listen 443;
server_name test.com;
index index.html index.php;
root /data/www/test.com;
ssl on;
ssl_certificate test.crt;
ssl_certificate_key test.key;
ssl_protocols TLSv1 TLS1.1 TLS1.2;
}
- 建立对应目录及文件
[root@localhost conf]# mkdir -p /data/www/test.com [root@localhost conf]# vim /data/www/test.com/index.php ssl test page.
- 重启服务
/usr/local/nginx/sbin/nginx -t /usr/local/nginx/sbin/nginx -s reload
设置时报错 -- unknown directive “ssl”
这时因为一开始编译时未将http_ssl_module模块编译进nginx,须要从新编译安装
[root@localhost conf]# cd /usr/local/src/nginx-1.12.2/ [root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module [root@localhost nginx-1.12.2]# make && make install
从新编译后将致使以前配置的虚拟主机配置文件丢失,最后在从新编译前对有用的nginx虚拟主机文件进行备份
- 编译完成后查看
[root@localhost conf]# /usr/local/nginx/sbin/nginx -V nginx version: nginx/1.12.2 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) built with OpenSSL 1.0.2k-fips ... TLS SNI support enabled configure arguments: --prefix=/usr/local/nginx/ --with-http_ssl_module
- 重启nginx服务
# 从新编译后的nginx必须使用/etc/init.d/nginx脚本进行重启 [root@localhost conf]# /etc/init.d/nginx restart Restarting nginx (via systemctl): [ 肯定 ] # 查看443端口是否开放 [root@localhost conf]# netstat -lntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1354/sshd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2116/master tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4953/nginx: master tcp6 0 0 :::3306 :::* LISTEN 2156/mysqld tcp6 0 0 :::22 :::* LISTEN 1354/sshd tcp6 0 0 ::1:25 :::* LISTEN 2116/master
- 效果验证
- curl验证
# 若是不想使用-x指定ip,能够在/etc/hosts内添加以下代码 [root@localhost conf]# vim /etc/hosts 127.0.0.1 test.com # curl测试 [root@localhost conf]# curl https://test.com curl: (60) Peer's certificate issuer has been marked as not trusted by the user. More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
- 浏览器验证 一样的要修改客户端上的hosts文件,添加一行代码以下:
192.168.65.133 test.com
同时要检查服务器端的防火墙是否开放443端口,这里为了测试方便,直接清空了iptables规则表
[root@localhost conf]# iptables -F
在浏览器内输入https://test.com,测试效果以下:
点击“仍要继续”,页面内容显示以下:
网页说明描述,证书不合法
相关文章
- 1. lnmp架构-负载均衡
- 2. LNMP架构——Nginx负载均衡
- 3. LNMP架构(五)Nginx负载均衡-ssl
- 4. LNMP 负载均衡
- 5. LNMP——nginx负载均衡/nginx配置ssl
- 6. Nginx+Tomcat+Https负载均衡配置
- 7. 负载均衡相关
- 8. Nginx--负载均衡及相关策略
- 9. 180108 LNMP nginx负载均衡
- 10. 【Nginx】负载均衡 upstream 以及相关指令 配置优化
- 更多相关文章...
- • XML 相关技术 - XML 教程
- • Maven 构建配置文件 - Maven教程
- • NewSQL-TiDB相关
- • IntelliJ IDEA 代码格式化配置和快捷键
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
欢迎关注本站公众号,获取更多信息
