Nginx負載均衡
Nginx負載均衡即爲當代理服務器將自定義的域名解析到多個指定IP時,通過upstream來保證用戶可以通過代理服務器正常訪問各個IP。
代理一臺機器叫做代理,代理兩臺及兩臺服務器就能叫做負載均衡。
-
負載均衡配置
創建一個配置文件/usr/local/nginx/conf/vhost/load.con
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream qq.com
#藉助upstream模塊,自定義域名
{
ip_hash;
#保證同一個用戶始終保持在同一臺機器上
#即當域名指向多個IP時,保證同一個用戶始終解析到之前訪問的IP
server 61.135.157.156:80;
server 125.39.240.113:80;
#指定web服務器的IP
}
server
{
listen 80;
#定義監聽端口
server_name www.qq.com; #域名
location /
{
proxy_pass http://qq.com;
#不支持再proxy_pass中寫多個ip。代理中可以寫成ip,但是再負載中不能寫ip,要寫入和upstream 對應
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}測試並重載配置:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload -
測試
設置代理前:
[root@localhost ~]# curl -x127.0.0.1:80 www.qq.com
This is the default directory.設置代理後:
[root@localhost ~]# curl -x127.0.0.1:80 www.qq.com
......
#會顯示網頁的源碼。
注意: Nginx不支持代理https,只能代理http,新版本的Nginx可以代理tcp。
- dig命令
dig 命令是常用的域名解析工具。
安裝dig 命令
[root@localhost ~]# yum install -y bind-utils
www.qq.com解析到了3個ip
[root@localhost ~]# dig www.qq.com
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> www.qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36583
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.qq.com. IN A
;; ANSWER SECTION:
www.qq.com. 97 IN A 14.17.32.211
www.qq.com. 97 IN A 14.17.42.40
www.qq.com. 97 IN A 59.37.96.63
;; Query time: 60 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 一 1月 08 21:-
http、https、tcp
- HTTP超文本傳輸協議(HyperText Transfer Protocol)是互聯網上應用最爲廣泛的一種網絡協議。
- HTTPS(全稱:Hyper Text Transfer Protocol over Secure Socket Layer),是以安全爲目標的HTTP通道,簡單講是HTTP的安全版。HTTPS協議是由SSL+HTTP協議構建的可進行加密傳輸、身份認證的網絡協議要比http協議安全。如果不加密,中間傳輸數據包的有時候會被截到,就會導致信息泄露,https就是對這個通信的數據包進行加密。
- HTTP默認的端口號爲80,HTTPS的端口號爲443。
- TCP(Transmission Control Protocol 傳輸控制協議)是一種面向連接的、可靠的、基於字節流的傳輸層通信協議,由IETF的RFC 793定義。默認監聽80端口。
SSL原理
SSL(Secure Sockets Layer 安全套接層)協議,及其繼任者TLS(Transport Layer Security傳輸層安全)協議,是爲網絡通信提供安全及數據完整性的一種安全協議。
-
安裝ssl
[root@localhost ~]# yum install -y openssl
-
ssl工作流程
![pnJ72F.jpg]()
- 瀏覽器發送一個https的請求給服務器;
- 服務器要有一套數字證書,可以自己製作(後面的操作就是阿銘自己製作的證書),也可以向組織申請,區別就是自己頒發的證書需要客戶端驗證通過,纔可以繼續訪問,而使用受信任的公司申請的證書則不會彈出>提示頁面,這套證書其實就是一對公鑰和私鑰;
- 服務器會把公鑰傳輸給客戶端;
- 客戶端(瀏覽器)收到公鑰後,會驗證其是否合法有效,無效會有警告提醒,有效則會生成一串隨機數,並用收到的公鑰加密;
- 客戶端把加密後的隨機字符串傳輸給服務器;
- 服務器收到加密隨機字符串後,先用私鑰解密(公鑰加密,私鑰解密),獲取到這一串隨機數後,再用這串隨機字符串加密傳輸的數據(該加密爲對稱加密,所謂對稱加密,就是將數據和私鑰也就是這個隨機字符串>通過某種算法混合在一起,這樣除非知道私鑰,否則無法獲取數據內容);
- 服務器把加密後的數據傳輸給客戶端;
- 客戶端收到數據後,再用自己的私鑰也就是那個隨機字符串解密;
生成ssl密鑰對
ssl證書就是一對公鑰和私鑰
-
創建私鑰
切換目錄,密鑰對會保存在該目錄下:
[root@localhost ~]# cd /usr/local/nginx/conf/[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048
#生成rsa格式的密鑰對,2048是長度。
Generating RSA private key, 2048 bit long modulus
.....+++
..................................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
#生成密鑰時要指定密碼。 -
轉換key,取消密碼
[root@localhost conf]# openssl rsa -in tmp.key -out huang.key
#in指定哪個密鑰要被轉換,out指定輸出密鑰的 名稱。
Enter pass phrase for tmp.key:
writing RSA key
#需要輸入上一個tmp.key 的密碼。這時候,tmp.key和huang.key其實是一個,只是huang.key沒密碼。 -
刪除密鑰文件
[root@localhost conf]# rm -f tmp.key
#刪除有密碼的key - 生成證書請求文件
生成請求文件目的是爲了讓請求文件和私鑰一起去生成一個公鑰。
[root@localhost conf]# openssl req -new -key huang.key -out huang.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //國家
State or Province Name (full name) []:Beijing //省或州
Locality Name (eg, city) [Default City]:Beijing //城市
Organization Name (eg, company) [Default Company Ltd]:Beijing //公司
Organizational Unit Name (eg, section) []:Beijing //組織
Common Name (eg, your name or your server's hostname) []:centos 03 //主機名
Email Address []:[email protected] //郵箱
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 //一個可選的公司名稱
An optional company name []:123456說明: 該部分內容如果不購買證書可以自定義;如果是正式應用在網站上,需要規範填寫對應信息。
-
創建公鑰
[root@localhost conf]# openssl x509 -req -days 365 -in huang.csr -signkey huang.key -out huang.crt
#365是密鑰生效的天數。
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Beijing/OU=Beijing/CN=centos 03/[email protected]
Getting Private key
[root@localhost conf]# ls /usr/local/nginx/conf/huang*
/usr/local/nginx/conf/huang.crt /usr/local/nginx/conf/huang.csr /usr/local/nginx/conf/huang.keycrt是公鑰,key是私鑰。
Nginx配置SSL
創建新的配置文件:
[root@localhost conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
server
{
listen 443;
server_name abc.com;
index index.html index.php;
root /data/wwwroot/abc.com;
ssl on;
#開啓ssl
ssl_certificate huang.crt;
#配置公鑰
ssl_certificate_key huang.key;
#配置私鑰
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#配置協議,一般情況三種都配置上。
}
檢測配置:
[root@localhost conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
#檢測報錯,爲時便ssl配置,需要重新編譯Nginx。
重新編譯Nginx:
[root@localhost conf]# cd /usr/local/src/nginx-1.8.0/
[root@localhost nginx-1.8.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
.....
[root@localhost nginx-1.8.0]# echo $?
0
[root@localhost nginx-1.8.0]# make
......
[root@localhost nginx-1.8.0]# echo $?
0
[root@localhost nginx-1.8.0]# make install
......
[root@localhost nginx-1.8.0]# echo $?
0
#./configure --hlep 查看可以安裝的模塊
測試配置文件,並重啓nginx服務:
[root@localhost nginx-1.8.0]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx-1.8.0]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ 確定 ]
[root@localhost nginx-1.8.0]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4905/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1243/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2121/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4905/nginx: master
......
#nginx 監聽了443和80端口-
測試
添加本地域名
root@localhost nginx-1.8.0]# vim /etc/hosts
127.0.0.1 abc.com[root@localhost nginx-1.8.0]# curl https://abc.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.htmlcurl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.#因爲該證書是自己創建的,所以提示證書不被信任!!!
使用瀏覽器訪問
需要先在hosts文件中添加本地域名,並清空或添加防火牆規則。
192.168.159.132 abc.com
購買正規證書:沃通等