Nginx功能配置（反向代理、SSL）

反向代理

反向代理（Reverse Proxy）指的是以代理服务器来接受公网上的链接请求，而后将请求转发给内部网络上的服务器，并将从服务器上获得的结果返回给公网上请求链接的客户端。

使用场景 访问不带公网的内网机器 解决两台机器之间通讯有障碍的问题

配置文件添加配置

location /
    {
        proxy_pass http://ip;   #实际须要访问的内网IP
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

实验设定：

有两台机器A和B，其中A只有内网，B有内网和外网的环境 A的内网IP为192.168.85.129 B的内网IP为192.168.85.132，外网IP为192.168.48.132 C为客户端，C只能访问B的外网IP，不能访问A或者B的内网IP 最终须要实现的目的：C要访问到A机器内网上的网站

添加网卡： B虚拟机添加网卡设备文件后，执行dhclient命令获取第二块网卡的IP地址，拷贝网卡配置文件ifcfg-ens33至ifcfg-ens38，修改配置：

删除dns配置 删除网关配置 修改网卡名称 修改IP地址

[root@feature1 ~]# cd /etc/yum.repos.d/
[root@feature1 yum.repos.d]# vim nginx.repo

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
 gpgcheck=0
 enabled=1

[root@feature1 yum.repos.d]# yum install -y nginx

[root@feature1 yum.repos.d]# vim /etc/nginx/conf.d/default.conf
 default.conf
deny all;

添加配置

[root@feature1 conf.d]# vim bbs.feature.com.conf

server {
    listen       80 default_server ;
    server_name  bbs.feature.com;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /data/wwwroot/bbs.feature.com;
        index  index.html index.htm index.php;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
 #   error_page   500 502 503 504  /50x.html;
 #   location = /50x.html {
 #       root   /usr/share/nginx/html;
 #   }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root           /data/wwwroot/bbs.feature.com;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /data/wwwroot/bbs.feature.com$fastcgi_sc                                                                             ript_name;
        include        fastcgi_params;
    }

}



[root@feature1 conf.d]#  nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@feature1 conf.d]# nginx -s reload

[root@feature1 conf.d]# firewall-cmd --add-port=80/tcp --permanent
 #添加访问端口防火墙规则，要否则没法访问
[root@feature1 conf.d]# firewall-cmd --reload
success

访问验证

[root@dxg conf.d]# vi /etc/hosts
192.168.48.132	bbs.aibenwoniu.xyz

[root@feature1 conf.d]# curl -I bbs.feature.com
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Fri, 15 Feb 2019 04:04:38 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1

nginx负载均衡

负载均衡就是把前端的请求均衡地分发到后端的各个机器上面

[root@feature1 conf.d]# vi qq.com.conf

 upstream qq.com
    {
	ip_hash; 
	server 111.161.64.48:80; 
	server 180.163.26.39:80; 
    }
    server
    {
	listen 80;
	server_name www.qq.com;
	location /
	{
	    proxy_pass http://qq.com;
	    proxy_set_header Host $host;
	    proxy_set_header X-Real-IP $remote_addr;
	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
    }
    
[root@feature1 conf.d]#  nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@feature1 conf.d]# nginx -s reload

验证

[root@feature1 conf.d]# curl -x111.161.64.48:80 www.qq.com -I
HTTP/1.1 200 OK
Server: squid/3.5.24
Date: Fri, 15 Feb 2019 04:07:27 GMT
Content-Type: text/html; charset=GB2312
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Fri, 15 Feb 2019 04:08:27 GMT
Cache-Control: max-age=60
X-Cache: from www-hy
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Cache: MISS from shenzhen.qq.com

配置ssl

配置ssl来让Nginx实现用https（是一种加密的http）来访问网站，http默认是80端口，https默认是443端口。

申请证书

生产：www.wosign.com （沃通） 免费：freessl.org 实验使用免费的freessl.org来申请证书，须要先注册帐户，以后输入以前申请使用的域名（aibenwoniu.xyz）去建立证书，根据提示将dns验证信息在dnspod上新建一条txt类型的记录，验证成功后会生成三个文件（ca/crt/key）

建立证书配置文件

[root@feature1 nginx]# mkdir ssl
[root@feature1 nginx]# cd ssl
[root@feature1 ssl]# vi ca
[root@feature1 ssl]# vi crt
[root@feature1 ssl]# vi key

#将以前申请的证书文件代码复制到相应的文件中

配置虚拟主机配置文件

[root@feature1 conf.d]# vim bbs.feature.com.conf

listen       443 ssl;
    server_name  bbs.feature.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/bbs.crt;
    ssl_certificate_key /etc/nginx/ssl/bbs.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
[root@feature1 conf.d]#  nginx -tnginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@feature1 conf.d]# nginx -s reload
[root@feature1 conf.d]#  firewall-cmd --add-port=443/tcp --permanent

success
[root@feature1 conf.d]# firewall-cmd --reload
success

[root@feature1 conf.d]# systemctl restart nginx

验证

[root@feature1 conf.d]#
 curl  -H "host:bbs.feature.com" https://192.168.85.129/index.php
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

[root@feature1 conf.d]# curl -k -H "host:bbs.feature.com" https://192.168.85.129/index.php

备注1： curl -k #容许curl使用非安全的ssl链接而且传输数据（证书不受信）

备注2：SSL相关扩展学习—https://github.com/aminglinux/nginx/tree/master/ssl