Nginx load balancing, the SSL workflow, generating an SSL key pair, and configuring SSL in Nginx

Nginx load balancing

Load balancing means the proxy server distributes the requests it receives evenly across a pool of backend servers.
Edit a virtual host configuration file:
vim /usr/local/nginx/conf/vhost/ld.conf

Add the following to the file:

# backend pool; the name is referenced by proxy_pass below
upstream qq_com
{
    ip_hash;                       # stick each client address to one backend
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq_com;
        # pass the original Host and the client address on to the backend;
        # without these the backend only ever sees the proxy's own address
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

ip_hash keeps the same client on the same backend: nginx hashes the client's source address (for IPv4 only the first three octets, so every client in one /24 shares a backend) and always routes that hash to the same server. The address hashed is the TCP peer address, not X-Forwarded-For, so if another proxy sits in front of nginx all clients look alike and land on one backend unless the realip module is configured to recover the real client address.
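To make the ip_hash behaviour concrete, here is an added example (not from the original page) that reimplements in shell the selection nginx's ip_hash performs for an IPv4 client: only the first three octets are hashed, using the constants ngx_http_upstream_ip_hash_module uses (89, 113, 6271), and the result is reduced modulo the number of equally weighted backends. The backend list is the one from the upstream block above; the client addresses are constructed samples. The down/failed-backend handling the real module adds is left out.

```sh
#!/bin/sh
# Backends as listed in the upstream block above (equal weights assumed).
BACKENDS="61.135.157.156:80 125.39.240.113:80"

# Print the backend nginx's ip_hash would pick for an IPv4 client address.
ip_hash_pick() {
    ip=$1
    # nginx hashes only the first three octets of an IPv4 address,
    # so every client in the same /24 maps to the same backend.
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    h=89
    for octet in "$1" "$2" "$3"; do
        h=$(( (h * 113 + octet) % 6271 ))
    done
    # With equal weights the selection is simply hash mod backend count.
    n=0
    for b in $BACKENDS; do n=$((n + 1)); done
    w=$(( h % n ))
    i=0
    for b in $BACKENDS; do
        [ "$i" -eq "$w" ] && { printf '%s\n' "$b"; return 0; }
        i=$((i + 1))
    done
}

# Constructed sample clients: two in the same /24, one in a neighbouring /24.
for c in 10.0.0.1 10.0.0.250 10.0.1.1; do
    printf '%s -> %s\n' "$c" "$(ip_hash_pick "$c")"
done
```

The two 10.0.0.x clients always land on the same backend, which is what makes ip_hash useful for session affinity and also why a large NAT population behind one /24 can pile onto a single server.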


How SSL works

The difference between HTTPS and HTTP is that the communication is encrypted. Without encryption, traffic can be intercepted in transit and its contents read; with encryption, an interceptor captures only ciphertext it cannot read. The certificate also lets the client check that it is talking to the real server rather than to someone in the middle, which is why a certificate the client does not trust produces the error shown at the end of this page.

The encryption/decryption flow (the original page illustrates it with a diagram): the server holds a private key and a certificate containing the matching public key. When a client connects, the server sends the certificate; the client checks that it was issued by a CA it trusts and that the name matches the site, then the two sides use the server's key pair (either to encrypt a secret, or to sign an ephemeral key exchange) to agree on a session key known to nobody else. The HTTP traffic is then encrypted symmetrically with that session key; the asymmetric key pair is used only to set the session up.


Generating an SSL key pair

Go to the nginx configuration directory:
cd /usr/local/nginx/conf

Generate the private key (this prompts for a passphrase and encrypts the key with 3DES):
openssl genrsa -des3 -out tmp.key 2048

Convert the key, removing the passphrase (otherwise nginx would prompt for it at every start):
openssl rsa -in tmp.key -out test.key

The original encrypted key can then be deleted:
rm -f tmp.key

Generate a certificate signing request (CSR); the certificate is produced from this file together with the private key. The command prompts for the subject fields; the Common Name should be the site's hostname:
openssl req -new -key test.key -out test.csr

Generate the certificate. test.crt is a self-signed certificate: it carries the public key together with the subject name and validity period, signed here with our own private key rather than by a CA, which is why clients will not trust it by default:
openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
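The steps above scripted non-interactively, as an added example that is not part of the original page: the key is generated without a passphrase from the start, -subj replaces the CSR prompts, and the self-signed certificate gets a subjectAltName, which current browsers and curl require. A second function proves the key and certificate belong together by comparing their RSA moduli, the check to run when nginx refuses to start with a key/certificate mismatch. The output directory and the hostname lx.com are arguments; the file names follow the page.

```sh
#!/bin/sh
# Generate an unencrypted RSA key, a CSR and a self-signed certificate
# without prompts, then prove the key and certificate belong together.

make_selfsigned() {
    dir=$1   # output directory (assumed writable)
    cn=$2    # hostname the certificate is for; goes in CN and SAN
    (
        set -e
        cd "$dir"
        # 1. private key, generated without -des3 so no passphrase to strip later
        openssl genrsa -out test.key 2048 2>/dev/null
        # 2. CSR; -subj supplies the subject instead of the interactive prompts
        openssl req -new -key test.key -out test.csr -subj "/CN=$cn"
        # 3. self-sign; the SAN extension is what modern clients match the name on
        printf 'subjectAltName=DNS:%s\n' "$cn" > san.cnf
        openssl x509 -req -days 365 -in test.csr -signkey test.key \
            -extfile san.cnf -out test.crt 2>/dev/null
    )
}

# Return 0 if the certificate's public key matches the private key.
keypair_matches() {
    dir=$1
    k=$(openssl rsa -noout -modulus -in "$dir/test.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$dir/test.crt")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Show subject, validity and SAN so you can see what nginx will serve.
cert_summary() {
    openssl x509 -noout -subject -dates -in "$1/test.crt"
    openssl x509 -noout -text -in "$1/test.crt" | grep 'DNS:'
}

if command -v openssl >/dev/null 2>&1; then
    out=$(mktemp -d)
    make_selfsigned "$out" lx.com && keypair_matches "$out" && echo "key and certificate match"
    cert_summary "$out"
fi
```

Copy test.key and test.crt into /usr/local/nginx/conf afterwards to match the paths used in the vhost below.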


Configuring SSL in Nginx

Create a new virtual host configuration file:
vim /usr/local/nginx/conf/vhost/ssl.conf

Add the following. The certificate and key paths are relative to the conf directory and must name the files generated above (test.crt and test.key):
server
{
    listen 443;
    server_name lx.com;
    index index.html index.php;
    root /data/wwwroot/lx.com;
    ssl on;
    ssl_certificate test.crt;
    ssl_certificate_key test.key;
    ssl_protocols TLSv1.2;
}

Two notes on this block: the original also enabled TLSv1 and TLSv1.1, which are deprecated (RFC 8996) and disabled in current browsers, so a new deployment should not offer them; and on nginx 1.15.0 or later `ssl on;` is deprecated in favour of `listen 443 ssl;`, which works on the 1.12.1 build used here as well.

Create the site's document root:
mkdir -p /data/wwwroot/lx.com

Check the configuration for errors:
/usr/local/nginx/sbin/nginx -t

If the following error appears, the SSL module is not compiled in and nginx must be rebuilt from source:
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

Go to the nginx source directory:
cd /usr/local/src/nginx-1.12.1/

Rebuild with the SSL module. Run /usr/local/nginx/sbin/nginx -V first and repeat any other --with options from the existing build on the configure line, otherwise the new binary loses them:

./configure --prefix=/usr/local/nginx  --with-http_ssl_module
make
make install

After the install, check the configuration again:
/usr/local/nginx/sbin/nginx -t

If no errors appear, restart nginx:
/etc/init.d/nginx restart

Check that port 443 is listening:
netstat -lntp

tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4128/nginx: master   # this line shows nginx listening on 443

Create a test page in the document root, with whatever content you like:
vim /data/wwwroot/lx.com/index.html

Test access:
curl https://lx.com/ produces the message below because the certificate is self-signed, so curl does not trust it; the server itself is configured correctly. To verify the site properly, point curl at our own certificate with --cacert test.crt rather than disabling verification with -k, and if lx.com is not in DNS yet add --resolve lx.com:443:127.0.0.1.
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
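Added example (not from the original page) of the post-install checks: a pure-shell test for the SSL module in the nginx -V output and for a 443 listener in the netstat -lntp listing (both take the tool output as a string, so they can be exercised offline on the constructed lines in the test), and an HTTPS fetch that trusts exactly our self-signed certificate via --cacert instead of disabling verification with -k, with --resolve so the name need not be in DNS. The paths /usr/local/nginx/sbin/nginx and /usr/local/nginx/conf/test.crt are the ones used on this page.

```sh
#!/bin/sh
# Post-deployment checks for the HTTPS vhost. The helpers take the tool
# output as an argument so they can be tested without nginx running.

# True if the `nginx -V` output shows the SSL module was compiled in.
has_ssl_module() {
    case "$1" in
        *--with-http_ssl_module*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if a `netstat -lntp` listing contains a TCP listener on port 443.
listening_on_443() {
    printf '%s\n' "$1" | grep -Eq '^tcp6? +[0-9]+ +[0-9]+ +[^ ]+:443 +[^ ]+ +LISTEN'
}

# Fetch the site over TLS trusting only our own certificate (no -k).
# --resolve pins the name to the given address so DNS is not needed.
https_smoke_test() {
    host=$1
    ip=${2:-127.0.0.1}
    cacert=${3:-/usr/local/nginx/conf/test.crt}
    curl -sS --cacert "$cacert" --resolve "$host:443:$ip" "https://$host/"
}

NGINX=/usr/local/nginx/sbin/nginx
if [ -x "$NGINX" ]; then
    has_ssl_module "$("$NGINX" -V 2>&1)" || echo "rebuild nginx with --with-http_ssl_module" >&2
    "$NGINX" -t
    if command -v netstat >/dev/null 2>&1; then
        listening_on_443 "$(netstat -lnt)" && echo "443 is listening" || echo "nothing on 443" >&2
    fi
    https_smoke_test lx.com
fi
```

The curl call is the one to keep in a deployment checklist: -k proves only that something answers on 443, while --cacert proves that the certificate nginx serves is the one you generated.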

