12.17 Nginx Load Balancing
How load balancing works
A proxy server fronts several web servers.
Advantages of load balancing
Users can reach any one of several servers that provide the same service, so the failure of the single server a user happens to hit does not leave that user unable to access the service.
Resolve the domain name to its IP addresses
yum -y install bind-utils   # installs the dig command
[root@linux-10 ~]# dig www.qq.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18570
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.qq.com.                    IN      A

;; ANSWER SECTION:
www.qq.com.             245     IN      A       111.30.132.101
Note: Nginx load balancing does not support proxying the https protocol, i.e. it cannot proxy port 443.
Configure the load-balancing virtual host
upstream qq_com {
    ip_hash;
    server 111.161.64.40:80;
    server 111.161.64.48:80;
}
server {
    listen 80;
    server_name qq.com;
    location / {
        proxy_pass http://qq_com;   # must match the upstream name
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
upstream lists the web servers to balance across; the upstream name can be anything you choose.
ip_hash: hashes the client's IP address so that requests from the same user always go to the same backend server.
Test result
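An added example, not from the original notes: because $proxy_add_x_forwarded_for appends the proxy's peer address to whatever X-Forwarded-For the client already sent, a backend behind this upstream must only believe the hops that trusted proxies added, never the left-hand values the client supplied. The proxy address ranges below are assumed for illustration.

```python
import ipaddress

# Assumed address ranges of our own nginx proxies (constructed for the example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.1/32")]


def _is_trusted(addr):
    """True when addr parses as an IP inside one of our proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for):
    """Return the real client address seen through the proxy chain.

    remote_addr is the TCP peer (normally our nginx proxy); x_forwarded_for
    is the header value "client, proxy1, proxy2".  Walk it from the right,
    discarding hops that are our own proxies: the first hop that is not ours
    is the client.  Everything to its left was written by the client itself
    (nginx only appends), so it is never used.
    """
    if not _is_trusted(remote_addr):
        return remote_addr                      # direct connection: header is untrusted
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break                           # garbage injected by the client
    return remote_addr                          # header empty or unusable
```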
12.18 How SSL works
1. The browser sends an https request to the server;
2. The server must have a digital certificate, which it can make itself (the steps that follow are the certificate Aming made himself) or apply for from an organisation; the difference is that a self-issued certificate must pass client verification before access can continue, whereas a certificate obtained from a trusted company does not pop up a warning page. This certificate is in essence a pair of public and private keys;
3. The server sends the public key to the client;
4. After the client (browser) receives the public key, it checks whether it is legitimate and valid; if invalid it shows a warning, if valid it generates a random string and encrypts it with the received public key;
5. The client sends the encrypted random string to the server;
6. After the server receives the encrypted random string, it first decrypts it with the private key (public-key encryption, private-key decryption) to obtain the random string, then uses that random string to encrypt the data it transmits (this is symmetric encryption: the data and the key, i.e. this random string, are mixed together by some algorithm, so that without knowing the key the data cannot be recovered);
7. The server sends the encrypted data to the client;
8. After the client receives the data, it decrypts it with its own key, i.e. that random string.
12.19 Generating an SSL key pair
A digital certificate corresponds to the SSL public and private key
Install the OpenSSL tool
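An added Python model of steps 3 to 8 above (not from the original notes): the server key pair is a deliberately tiny textbook RSA pair and the symmetric cipher is an HMAC-SHA256 keystream, both constructed only to make the exchange visible, and both unsuitable for real use.

```python
import hashlib
import hmac
import os

# Constructed toy RSA pair standing in for the server certificate's key pair
# (step 2): tiny primes and no padding, purely to make the exchange visible.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def keystream_xor(secret, data):
    """The symmetric cipher of step 6: XOR data with an HMAC-SHA256 keystream
    derived from the shared random secret. One function both encrypts and decrypts."""
    key = secret.to_bytes(16, "big")
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, (offset // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def handshake(server_pub, server_priv, payload):
    """Steps 3 to 8. Returns (secrets agree, payload hidden on the wire, client plaintext)."""
    client_secret = int.from_bytes(os.urandom(4), "big")    # step 4: random number
    blob = rsa_encrypt(server_pub, client_secret)           # step 4/5: encrypted with the public key
    server_secret = rsa_decrypt(server_priv, blob)          # step 6: private key recovers it
    ciphertext = keystream_xor(server_secret, payload)      # step 6/7: symmetric encryption
    recovered = keystream_xor(client_secret, ciphertext)    # step 8: client decrypts
    return client_secret == server_secret, ciphertext != payload, recovered


if __name__ == "__main__":
    print(handshake(PUBLIC_KEY, PRIVATE_KEY, b"GET / HTTP/1.1"))
```

This is the RSA key-transport handshake the steps describe; TLS 1.3 derives the session key with ephemeral key agreement instead, and real RSA always uses padding.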
[root@linux-10 ~]# rpm -qf `which openssl`
openssl-1.0.2k-12.el7.x86_64
[root@linux-10 ~]# yum -y install openssl-1.0.2k-12.el7.x86_64
Generate the private key
cd /usr/local/nginx/conf
openssl genrsa -des3 -out tmp.key 2048   # the .key file is the private key
genrsa means generate an RSA-format private key
Convert the key to remove the passphrase
[root@linux-10 conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.................................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
Because the generated private key requires a passphrase, the passphrase would have to be entered every time an https page is accessed, which is too cumbersome, so it can be removed by converting the key.
openssl rsa -in tmp.key -out lem.key   # -in specifies the private key to convert
Two keys now exist, tmp.key and lem.key; their content is exactly the same except that the former is passphrase-protected and the latter is not, so the former can be deleted.
rm -f tmp.key
Generate the certificate request file
The certificate request file is generated so that, together with the private key file, the public-key file (certificate) can be produced.
openssl req -new -key lem.key -out lem.csr
[root@linux-10 conf]# openssl req -new -key lem.key -out lem.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Generating the request file asks for some information; by default it can be left blank.
Generate the public-key file (certificate)
openssl x509 -req -days 365 -in lem.csr -signkey lem.key -out lem.crt
12.20 Configuring SSL in Nginx
Configure the virtual host configuration file
vim /usr/local/nginx/conf/vhost/ssl.conf   # add the following content
server {
    listen 443;
    server_name lemssl.com;
    index index.html index.php;
    root /data/wwwroot/lemssl.com;
    ssl on;
    ssl_certificate lem.crt;
    ssl_certificate_key lem.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
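An added check, not from the original notes: it reads the ssl.conf server block above as constructed sample text and flags the two settings a reviewer would raise, "ssl on", which newer nginx releases deprecate in favour of "listen 443 ssl", and the TLSv1/TLSv1.1 protocols, which are no longer considered safe, and then produces the corrected block.

```python
import re

# Constructed sample: the ssl.conf server block from this section.
SAMPLE_CONF = """
server {
    listen 443;
    server_name lemssl.com;
    ssl on;
    ssl_certificate lem.crt;
    ssl_certificate_key lem.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf):
    """Map each simple 'name args;' directive to its argument list (block headers ignored)."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^\s*([a-z_]+)\s+([^;{}]*);", conf, re.M)}


def lint_tls(conf):
    """Return the findings a reviewer would raise for a TLS server block."""
    d = parse_directives(conf)
    findings = []
    if d.get("ssl") == ["on"]:
        findings.append("'ssl on' is deprecated in newer nginx; use 'listen 443 ssl' instead")
    weak = [p for p in d.get("ssl_protocols", []) if p in WEAK_PROTOCOLS]
    if weak:
        findings.append("weak protocols enabled: " + " ".join(weak))
    if "ssl_certificate" in d and "ssl_certificate_key" not in d:
        findings.append("ssl_certificate set without ssl_certificate_key")
    return findings


def harden(conf):
    """Rewrite the block with the corrected settings."""
    conf = re.sub(r"listen\s+443;", "listen 443 ssl;", conf)
    conf = re.sub(r"^\s*ssl\s+on;\n", "", conf, flags=re.M)
    conf = re.sub(r"ssl_protocols[^;]*;", "ssl_protocols TLSv1.2 TLSv1.3;", conf)
    return conf


if __name__ == "__main__":
    for finding in lint_tls(SAMPLE_CONF):
        print("finding:", finding)
    print(harden(SAMPLE_CONF))
```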
Check & recompile
[root@linux-10 conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/lemssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
The check reports an error because Nginx was compiled without the ssl module, so Nginx must be recompiled with the
--with-http_ssl_module option added
[root@linux-10 conf]# cd /usr/local/src/nginx-1.14.0
[root@linux-10 nginx-1.14.0]# ./configure --prefix=/usr/local/nginx/ --with-http_ssl_module
[root@linux-10 nginx-1.14.0]# make
[root@linux-10 nginx-1.14.0]# make install
Test && restart && check the listening ports
[root@linux-10 nginx-1.14.0]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx//conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx//conf/nginx.conf test is successful
[root@linux-10 nginx-1.14.0]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [ 肯定 ]
[root@linux-10 nginx-1.14.0]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4335/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      875/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1285/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4335/nginx: master
tcp6       0      0 :::22                   :::*                    LISTEN      875/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1285/master
tcp6       0      0 :::3306                 :::*                    LISTEN      1321/mysqld
A new port, 443, now appears among the listening ports.
Testing the result
Port 443 cannot be accessed directly with curl's -x option (that returns a 400 error), so /etc/hosts has to be modified instead.
vim /etc/hosts
127.0.0.1 lemssl.com
[root@linux-10 lemssl.com]# curl https://lemssl.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
The error occurs because our digital certificate is self-issued, so the browser does not recognise it and reports the site as unsafe; the access itself has nonetheless taken effect.