12.17 nginx load balancing
When one proxy server sits in front of several web servers, the setup is called load balancing.
Without a proxy, users can only reach the web servers one at a time:
either a single IP has to be used, or
the domain name is pointed at several servers, so user 1 lands on web1 and user 2 on web2; if web1 then fails, user 1 can no longer reach the site.
With a proxy server, if web1 fails the proxy stops sending user 1's requests to web1 and forwards them to another server instead.
The proxy uses the upstream module.
The proxy_pass directive in the proxy configuration cannot list more than one IP;
the upstream module is used instead to define several server entries (ip + port).
The dig command:
Package that provides it:
[root@hyc-01-01 ~]# yum install -y bind-utils
[root@hyc-01-01 ~]# dig qq.com    # resolve the domain name
…
;; ANSWER SECTION:
qq.com. 143 IN A 59.37.96.63
qq.com. 143 IN A 180.163.26.39
qq.com. 143 IN A 58.60.9.21
…
dig resolved the domain qq.com to three IPs.
Configuration:
[root@hyc-01-01 vhost]# pwd
/usr/local/nginx/conf/vhost
[root@hyc-01-01 vhost]# vim load.conf
upstream qq    # the upstream name is arbitrary
{
ip_hash;    # keeps one client on one backend, explained below
server 59.37.96.63:80;
server 180.163.26.39:80;
server 58.60.9.21:80;
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq;    # the name after http:// must match the upstream name above; qq stands for the three server addresses defined in the upstream block
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
The purpose of ip_hash is to keep the same user on the same backend. Suppose a user has logged in on one server and then refreshes the page: without ip_hash the refresh may be sent to another server, where the user's state is "not logged in", and they have to log in again.
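How ip_hash decides which backend a client lands on, as an added illustration that is not part of the notes: the functions below reproduce the IPv4 arithmetic of nginx's ip_hash module (seed 89, h = (h*113 + octet) % 6271 over the first three octets, then h modulo the total weight, with every server at weight 1 and none marked down) against the three servers from load.conf. The client addresses and the helper names (backend_count, ip_hash_index, pick_backend, same_backend) are mine. It also shows the caveat behind the login example above: only the first three octets count, so every client in one /24 (for instance everyone behind one NAT gateway) is pinned to the same backend, which is good for session stickiness but can leave one server carrying a whole office.

```shell
#!/bin/sh
# Added illustration of nginx's ip_hash backend selection (IPv4, all weights 1,
# no servers marked down). The arithmetic follows ngx_http_upstream_ip_hash_module:
# start at 89, fold in each of the first three octets as h = (h*113 + octet) % 6271,
# then take h modulo the total weight. Client addresses used below are constructed.

# The three servers from load.conf, in upstream order (0-based index)
BACKENDS="59.37.96.63:80 180.163.26.39:80 58.60.9.21:80"

# Number of servers in $BACKENDS (each has weight 1, so this is the total weight)
backend_count() {
    set -- $BACKENDS
    echo $#
}

# $1 = client IPv4 address, $2 = number of backends; prints the 0-based index
ip_hash_index() {
    h=89
    i=0
    oldifs=$IFS
    IFS=.
    for octet in $1; do
        i=$((i + 1))
        # nginx hashes only the first three octets of an IPv4 client address
        if [ "$i" -le 3 ]; then
            h=$(( (h * 113 + $octet) % 6271 ))
        fi
    done
    IFS=$oldifs
    echo $(( h % $2 ))
}

# $1 = client IPv4 address; prints the backend address that ip_hash selects
pick_backend() {
    idx=$(ip_hash_index "$1" "$(backend_count)")
    set -- $BACKENDS
    shift "$idx"
    echo "$1"
}

# Succeeds when two clients would be pinned to the same backend
same_backend() {
    [ "$(pick_backend "$1")" = "$(pick_backend "$2")" ]
}

# Demo run: a client, a neighbour in the same /24, and a client elsewhere
for ip in 1.2.3.4 1.2.3.200 10.0.0.1; do
    echo "$ip -> $(pick_backend "$ip")"
done
```

Running it shows 1.2.3.4 and 1.2.3.200 mapped to the same server while 10.0.0.1 goes elsewhere. When a chosen server is down, real nginx continues the same hash loop to find another peer (up to 20 tries) before falling back to round-robin, so stickiness is lost for those clients until the server recovers.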
Test:
Before reloading the configuration:
[root@hyc-01-01 vhost]# curl -x127.0.0.1:80 www.qq.com
hello nginx
(there is no matching server_name yet, so the default virtual host answers)
After reloading:
[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@hyc-01-01 vhost]# curl -x127.0.0.1:80 www.qq.com
Requesting www.qq.com again now returns qq.com's page.
Nginx does not support proxying https (https port 443).
Nginx as a proxy in front of https:
Users must connect over https, not http (port 80). The proxy server can be made to listen on port 443, but when it talks to the backends it must use their port 80; connecting to port 443 on the backend is not supported.
12.18 How SSL works
https:
Traffic encryption. Data travelling over the network can be intercepted or sniffed, so an eavesdropper could capture it. With http the content is trivially readable; https encrypts the data in transit, so even a party who captures it cannot decrypt it.
The https data exchange:
1 The browser sends an https request to the server.
2 The server sends the client the public key from its digital certificate (used for encryption).
3 The browser checks whether the public key is valid; if not it warns the user, if so it generates a random string.
4 The random string is encrypted with the public key and the encrypted string is sent to the server.
5 The server decrypts the encrypted random string with its private key.
6 The website content to be delivered is encrypted with the random string and sent to the client.
7 The client decrypts it with the random string and obtains the website content.
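The seven steps above acted out with the openssl CLI, as an added example that is not part of the notes: the server's RSA key pair stands in for the key inside the certificate, the client seals a random secret with the public key, the server opens it with the private key, and the page then travels under a symmetric cipher keyed by that secret. The file names, the tls_demo_* helper names, the secret and the page text are all constructed for this demo. Note that this is the RSA key-exchange picture the notes describe (TLS 1.2 and earlier); TLS 1.3 agrees the session key with ephemeral Diffie-Hellman and uses the certificate key only to sign, so a recorded session can no longer be decrypted by someone who later obtains the private key.

```shell
#!/bin/sh
# Added example: the notes' seven-step https exchange, played out with openssl
# in one working directory. Everything here is constructed for the demo.

# Prerequisite for steps 1-2: the server's key pair. $1 = working directory.
# server.key is what the server keeps; server.pub is what its certificate carries.
tls_demo_setup() {
    mkdir -p "$1"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl rsa -in "$1/server.key" -pubout -out "$1/server.pub" 2>/dev/null
}

# Client side, steps 3-4: generate a random secret and seal it with the public key.
# Leaves client.secret (kept by the client) and secret.enc (what crosses the wire).
tls_demo_client_hello() {
    openssl rand -hex 32 > "$1/client.secret"
    openssl pkeyutl -encrypt -pubin -inkey "$1/server.pub" \
        -in "$1/client.secret" -out "$1/secret.enc"
}

# Server side, step 5: only the private key can open secret.enc.
tls_demo_server_unseal() {
    openssl pkeyutl -decrypt -inkey "$1/server.key" \
        -in "$1/secret.enc" -out "$1/server.secret"
}

# Step 6: the server encrypts the page under the shared secret (AES, key derived
# from the secret with PBKDF2). $1 = dir, $2 = page content. Writes page.enc.
tls_demo_server_send() {
    printf '%s' "$2" | openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass "file:$1/server.secret" -out "$1/page.enc"
}

# Step 7: the client decrypts page.enc with its own copy of the secret; prints the page.
tls_demo_client_read() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1/client.secret" -in "$1/page.enc"
}

# The whole exchange in one call: $1 = working dir, $2 = page content.
# Prints what the client ends up reading.
tls_demo_run() {
    tls_demo_setup "$1"
    tls_demo_client_hello "$1"
    tls_demo_server_unseal "$1"
    tls_demo_server_send "$1" "$2"
    tls_demo_client_read "$1"
}
```

Usage: `d=$(mktemp -d); tls_demo_run "$d" "hello https"` prints the page again on the client side. Looking at secret.enc and page.enc in that directory shows what a sniffer on the path would see: neither the random secret nor the page text appears in them, which is the whole point of step 4 and step 6.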
12.19 Generating an SSL key pair
The issued digital certificate is, in practice, the public key plus the private key.
Find out which package installs a command:
[root@hyc-01-01 conf]# which openssl
/usr/bin/openssl
[root@hyc-01-01 conf]# rpm -qf `which openssl`
openssl-1.0.2k-12.el7.x86_64
[root@hyc-01-01 conf]# yum install -y openssl-1.0.2k-12.el7.x86_64
Generate the private key:
[root@hyc-01-01 conf]# openssl genrsa -des3 -out tmp.key 2048
genrsa: generate an RSA private key
2048: length of the key to generate, in bits
Generating RSA private key, 2048 bit long modulus
....................+++
...+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
(enter the same passphrase twice)
So that no passphrase has to be typed when the https site is accessed, the passphrase must be removed.
Convert the key and drop the passphrase:
[root@hyc-01-01 conf]# openssl rsa -in tmp.key -out hyc.key
-in names the key to convert (tmp.key); -out names the key to write.
hyc.key and tmp.key are the same key: tmp.key is passphrase-protected and hyc.key is not.
Generate the request file (.csr), which together with the private key is used to produce the public key:
[root@hyc-01-01 conf]# openssl req -new -key hyc.key -out hyc.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:shanxi
(the request file needs some identifying information to be filled in)
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:BSAA
Organizational Unit Name (eg, section) []:1
Common Name (eg, your name or your server's hostname) []:2
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:hyc940421
An optional company name []:hanyuchen
Use the private key together with the request file to generate the public key (.crt):
[root@hyc-01-01 conf]# openssl x509 -req -days 365 -in hyc.csr -signkey hyc.key -out hyc.crt
Signature ok
subject=/C=11/ST=shanxi/L=xian/O=BSAA/OU=1/CN=2
Getting Private key
(the public key has been generated)
[root@hyc-01-01 conf]# ls hyc.*
hyc.crt hyc.csr hyc.key
The public key, the private key and the request file have been generated.
12.20 Configuring SSL in nginx
Building nginx with SSL support:
[root@hyc-01-01 vhost]# vim ssl.conf
server
{
listen 443;
server_name hyc.com;
index index.html index.php;
root /data/wwwroot/hyc.com;
ssl on;
ssl_certificate hyc.crt;
ssl_certificate_key hyc.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
Checking the nginx configuration reports an error:
[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
This is because nginx was compiled without SSL support:
[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
configure arguments: --prefix=/usr/local/nginx
Fix:
Rebuild nginx:
[root@hyc-01-01 nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
The --with-http_ssl_module option adds the SSL module at build time.
[root@hyc-01-01 nginx-1.12.2]# make
[root@hyc-01-01 nginx-1.12.2]# make install
[root@hyc-01-01 nginx-1.12.2]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
Write the configuration file:
[root@hyc-01-01 vhost]# vim ssl.conf
server
{
listen 443;
server_name hyc.com;
index index.html index.php;
root /data/wwwroot/hyc.com;
ssl on;
ssl_certificate hyc.crt;
ssl_certificate_key hyc.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # SSL/TLS protocol versions to accept
}
Restart nginx:
[root@hyc-01-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hyc-01-01 vhost]# /etc/init.d/nginx restart    # restart the nginx service
Restarting nginx (via systemctl): [ 確定 ]
[root@hyc-01-01 vhost]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 63980/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 886/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1185/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 63980/nginx: master
tcp6 0 0 :::22 :::* LISTEN 886/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1185/master
tcp6 0 0 :::3306 :::* LISTEN 1155/mysqld
nginx is now listening on both port 80 and port 443.
Test:
[root@hyc-01-01 vhost]# cd /data/wwwroot/hyc.com
[root@hyc-01-01 hyc.com]# vim index.html
Edit the hosts file, then access the site:
[root@hyc-01-01 hyc.com]# vim /etc/hosts
[root@hyc-01-01 hyc.com]# curl https://hyc.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
The certificate was issued by ourselves, so it is not trusted.
If a properly issued, trusted certificate is needed, one can be bought from sites such as WoSign (沃通).
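The key, request and certificate steps from 12.19 run non-interactively, plus the checks that explain the curl failure above, as an added example that is not the notes' own commands: -passout/-passin replace the passphrase prompts, -subj replaces the DN prompts, and the Common Name is set to the server_name hyc.com, which the CN of "2" in 12.19 did not match (the name mismatch curl mentions). verify_cert does what curl does: the self-signed hyc.crt fails against the default CA bundle and passes only when it is itself supplied as the trusted CA file, which is curl's --cacert option. The output file names follow the notes; the passphrase, the DN values and the helper names (make_selfsigned_cert, cert_cn, key_matches_cert, verify_cert) are constructed for this example.

```shell
#!/bin/sh
# Added example: the notes' key / CSR / self-signed certificate steps, run
# non-interactively, plus the checks to run before pointing nginx's
# ssl_certificate and ssl_certificate_key at the files. Passphrase and
# subject values below are constructed for the demo.

# $1 = working directory, $2 = Common Name (must equal nginx's server_name)
make_selfsigned_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # 1. passphrase-protected private key (the notes' interactive genrsa -des3)
    openssl genrsa -des3 -passout pass:demo-passphrase -out "$dir/tmp.key" 2048 2>/dev/null
    # 2. strip the passphrase so nginx can load the key without prompting
    openssl rsa -in "$dir/tmp.key" -passin pass:demo-passphrase -out "$dir/hyc.key" 2>/dev/null
    # 3. certificate signing request; -subj replaces the DN prompts.
    #    Country must be a 2-letter code (the notes hit "string is too long" with "shanxi").
    openssl req -new -key "$dir/hyc.key" -out "$dir/hyc.csr" \
        -subj "/C=CN/ST=shanxi/L=xian/O=BSAA/CN=$cn" 2>/dev/null
    # 4. self-sign the request with the same private key, valid for 365 days
    openssl x509 -req -days 365 -in "$dir/hyc.csr" -signkey "$dir/hyc.key" \
        -out "$dir/hyc.crt" 2>/dev/null
}

# Print the CN from a certificate's subject (works with both the
# "/C=..../CN=x" and the "C = ..., CN = x" subject formats openssl prints)
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if the private key and the certificate share the same RSA modulus,
# i.e. ssl_certificate and ssl_certificate_key really belong together
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Chain verification as curl performs it: exit 0 = trusted, non-zero = not trusted.
# $1 = certificate; optional $2 = CA file to trust (what curl --cacert would take)
verify_cert() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}
```

Usage: `make_selfsigned_cert /usr/local/nginx/conf hyc.com`, then `cert_cn hyc.crt`, `key_matches_cert hyc.key hyc.crt` and `verify_cert hyc.crt` before reloading nginx. For a self-issued certificate like this one, `curl --cacert hyc.crt https://hyc.com` is the right way to test, since it keeps name and chain checking on; `-k` switches verification off entirely and would accept any certificate the other end presents.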