1 nginx负载均衡
编辑配置文件:
[root@linux01 ~]# vim /usr/local/nginx/conf/vhost/load.conf // 写入如下内容
upstream qq_com
{
ip_hash;
server 111.161.64.40:80;
server 111.161.64.48:80;
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq_com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
重新加载配置文件:
[root@linux01 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@linux01 ~]# /usr/local/nginx/sbin/nginx -s reload
curl测试:
[root@linux01 ~]# curl -x127.0.0.1:80 www.qq.com -I
HTTP/1.1 200 OK
Server: nginx/1.15.5
Date: Sun, 25 Nov 2018 01:54:21 GMT
Content-Type: text/html; charset=GB2312
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Sun, 25 Nov 2018 01:55:23 GMT
Cache-Control: max-age=60
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Cache: MISS from shenzhen.qq.com
状态码返回200,成功访问
nginx默认不支持代理https服务,https的服务端口是443
upstream来指定多个web server
2 ssl原理
SSL工作流程
浏览器发送一个https的请求给服务器;
服务器要有一套数字证书,可以自己制作,也可以向组织申请,区别就是自己颁发的证书需要客户端验证通过,才可以继续访问,而使用受信任的公司申请的证书则不会弹出>提示页面,这套证书其实就是一对公钥和私钥;
服务器会把公钥传输给客户端;
客户端(浏览器)收到公钥后,会验证其是否合法有效,无效会有警告提醒,有效则会生成一串随机数,并用收到的公钥加密;
客户端把加密后的随机字符串传输给服务器;
服务器收到加密随机字符串后,先用私钥解密(公钥加密,私钥解密),获取到这一串随机数后,再用这串随机字符串加密传输的数据(该加密为对称加密,所谓对称加密,就是将数据和私钥也就是这个随机字符串>通过某种算法混合在一起,这样除非知道私钥,否则无法获取数据内容);
服务器把加密后的数据传输给客户端;
客户端收到数据后,再用自己的私钥也就是那个随机字符串解密;
3 生产ssl密钥对(yum install -y openssl)
生成密钥:
[root@linux01 ~]# cd /usr/local/nginx/conf
[root@linux01 conf]# openssl genrsa -des3 -out tmp.key 2048 //key文件为私钥,genrsa表示生成rsa格式的密钥,名字为tmp.key,长度为2048
Generating RSA private key, 2048 bit long modulus
...................+++
...................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
如果直接使用,访问网站时候需要输入密码,这会导致用户体验不好,不适合,将密码文件转换key,取消密码
[root@linux01 conf]# openssl rsa -in tmp.key -out alan.key //转换key,取消密码
Enter pass phrase for tmp.key:
writing RSA key
这个alan.key与 tmp.key是一样的,只是tmp.key是需要密码,alan.key不需要密码
可以把要输入密码的key删掉,使用无密码的key
[root@linux01 conf]# rm -f tmp.key
生成证书的请求文件:
[root@linux01 conf]# openssl req -new -key alan.key -out alan.csr //生成证书请求文件,需要拿这个文件和私钥一起生产公钥文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:gz
State or Province Name (full name) []:guanghzou
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:hello
Organizational Unit Name (eg, section) []:hello
Common Name (eg, your name or your server's hostname) []:linux
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:hello
测试时候,以上输入的信息可以随便写
生成公钥文件:
[root@linux01 conf]# openssl x509 -req -days 365 -in alan.csr -signkey alan.key -out alan.crt
Signature ok
subject=/C=gz/ST=guanghzou/L=guangzhou/O=hello/OU=hello/CN=linux/[email protected]
Getting Private key
这里的alan.crt为公钥
查看生成的文件:
[root@linux01 conf]# ls alan.
alan.crt alan.csr alan.key
4 nginx配置ssl
编辑配置文件:
[root@linux01 vhost]# vim /usr/local/nginx/conf/vhost/ssl.conf //加入如下内容
server
{
listen 443; //监听端口
server_name alan.com; //域名
index index.html index.php;
root /data/wwwroot/alan.com; //访问的目录
ssl on;
ssl_certificate alan.crt; //公钥
ssl_certificate_key alan.key; //私钥
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; //通信协议
}
创建文件和目录:
[root@linux01 vhost]# mkdir /data/wwwroot/alan.com
[root@linux01 vhost]# vim /data/wwwroot/alan.com/index.html
<?php
echo "ssl web.";
?>
重新加载配置文件:
[root@linux01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
出现报错了,因为nginx还不支持ssl模块,需要添加
进入nginx的源码文件,查看编译的ssl模块参数:
[root@linux01 nginx-1.15.5]# ./configure --help | grep -i ssl
编译增加ssl模块:
configure编译:
[root@linux01 nginx-1.15.5]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@linux01 nginx-1.15.5]# echo $?
0
编译成功
进行make和make install操作:
[root@linux01 nginx-1.15.5]# make -j2 && make install
[root@linux01 nginx-1.15.5]# echo $?
0
查看编译好的模块:
[root@linux01 nginx-1.15.5]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.15.5
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
再次加载配置文件:
[root@linux01 nginx-1.15.5]# /usr/local/nginx/sbin/nginx -t
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
出现了一个警告:是因为nginx1.15后的版本,配置文件ssl 这个指令不再使用了(配置文件中的 ssl on; 这行去掉即可)
重新启动nginx服务:
[root@linux01 nginx-1.15.5]# /etc/init.d/nginx restart
查看监听端口有没有增加443:
[root@linux01 nginx-1.15.5]# netstat -lntp
编辑hosts文件,在最后一行添加增加127.0.0.1 alan.com
[root@linux01 nginx-1.15.5]# vim /etc/hosts
127.0.0.1 alan.com
curl测试:
[root@linux01 nginx-1.15.5]# curl https://alan.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
因为这个数字证书是自己颁发的,所以显示不信任
在windows测试,现在hosts文件添加
192.168.139.111 alan.com
实验过程中出现的问题:
1)没有安装到–with-http_ssl_module
原因是:nginx的目录写错了
./configure --prefix=/usr/local/ngnix --with-http_ssl_module
2)重启nginx服务后,没有出现443端口
原因是:
/usr/local/nginx/conf/vhost/ssl.conf 配置文件有问题,编辑错误
扩展
针对请求的uri来代理 http://ask.apelearn.com/question/1049
根据访问的目录来区分后端的web http://ask.apelearn.com/question/920
nginx长连接 http://www.apelearn.com/bbs/thread-6545-1-1.html
nginx算法分析 http://blog.sina.com.cn/s/blog_72995dcc01016msi.html