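Nginx load balancing
Load balancing means the proxy server distributes the requests it receives evenly across the backend servers.
Edit the virtual host configuration file: vim /usr/local/nginx/conf/vhost/ld.conf
Add the following content to the configuration file: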
upstream qq_com
{
ip_hash;
server 61.135.157.156:80;
server 125.39.240.113:80;
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq_com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
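ip_hash makes requests from the same client IP always go to the same backend server.
How SSL works
The difference between HTTPS and HTTP is that HTTPS traffic is encrypted. Unencrypted traffic can be intercepted in transit and leak data, whereas encrypted traffic cannot be read even if someone captures it.
The encryption and decryption flow:
Generating an SSL key pair
Enter the nginx configuration directory: cd /usr/local/nginx/conf
Generate the private key: openssl genrsa -des3 -out tmp.key 2048
Convert the key to remove the passphrase: openssl rsa -in tmp.key -out test.key
The original key can now be deleted: rm -f tmp.key
Generate the certificate request file; this file is used together with the private key to produce the public key file: openssl req -new -key test.key -out test.csr
Generate the public key file; here test.crt is the self-signed certificate that carries the public key: openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt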
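Before pointing nginx at these files, it is worth confirming that the private key and the certificate belong together and that the certificate has not expired, since a mismatched pair stops nginx from loading the configuration. The script below is an added example, not part of the original post: the file names test.key and test.crt follow the steps above, while the function names and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. test.key / test.crt follow the post;
# function names and the temporary directory are assumptions.

# Generate an unencrypted RSA key plus a self-signed certificate for CN.
make_selfsigned() {            # usage: make_selfsigned DIR CN
    local dir=$1 cn=$2
    # umask 077 keeps the private key readable by its owner only
    ( umask 077 && openssl genrsa -out "$dir/test.key" 2048 ) 2>/dev/null || return 1
    openssl req -new -key "$dir/test.key" -subj "/CN=$cn" -out "$dir/test.csr" || return 1
    openssl x509 -req -days 365 -in "$dir/test.csr" \
        -signkey "$dir/test.key" -out "$dir/test.crt" 2>/dev/null
}

# Succeed only if KEY is the private key for the public key inside CERT.
key_matches_cert() {           # usage: key_matches_cert KEY CERT
    local k c
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null) || return 2
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    # an empty modulus means a file could not be parsed; never treat that as a match
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Pre-flight for the ssl_certificate / ssl_certificate_key pair.
preflight() {                  # usage: preflight KEY CERT
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match" >&2; return 1; }
    # -checkend 0 fails if the certificate has already expired
    openssl x509 -noout -checkend 0 -in "$2" >/dev/null \
        || { echo "certificate expired" >&2; return 1; }
    echo "ok: $(openssl x509 -noout -subject -enddate -in "$2" | tr '\n' ' ')"
}

# Demo on throwaway files so the real configuration directory is untouched.
demo() {
    local d rc
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" lx.com && preflight "$d/test.key" "$d/test.crt"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

Against the real files, run preflight test.key test.crt from /usr/local/nginx/conf before nginx -t.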
Configuring SSL in Nginx
Create a new virtual host configuration file: vim /usr/local/nginx/conf/vhost/ssl.conf
Add the following content to the configuration file:
server
{
listen 443;
server_name lx.com;
index index.html index.php;
root /data/wwwroot/lx.com;
ssl on;
ssl_certificate test.crt;
ssl_certificate_key test.key;   # the private key generated above, matching test.crt
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
}
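Create the website directory: mkdir /data/wwwroot/lx.com
Check the configuration file for errors: /usr/local/nginx/sbin/nginx -t
If the following error appears, the SSL module is not installed and nginx has to be recompiled and reinstalled: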
nginx:[emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
Enter the nginx source directory: cd /usr/local/src/nginx-1.12.1/
Install ssl_module:
./configure --prefix=/usr/local/nginx --with-http_ssl_module
make
make install
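After installation, check the configuration file for errors again: /usr/local/nginx/sbin/nginx -t
If no error appears, restart the nginx service: /etc/init.d/nginx restart
Check whether port 443 is listening: netstat -lntp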
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4128/nginx: master
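# If this line appears, nginx is listening normally
Create a test page in the website directory, with any content you like: vim /data/wwwroot/lx.com/index.html
Test access: curl https://lx.com/
Accessing the site produces the message below. The certificate is self-issued, so it is not trusted, but the configuration has in fact succeeded.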
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.