2019-02-13笔记—Nginx功能配置（反向代理、SSL）

反向代理

反向代理（Reverse Proxy）指的是以代理服务器来接受公网上的连接请求，然后将请求转发给内部网络上的服务器，并将从服务器上得到的结果返回给公网上请求连接的客户端。

使用场景

1. 访问不带公网的内网机器
2. 解决两台机器之间通信有障碍的问题

配置文件添加配置

location /
    {
        proxy_pass http://ip;   #实际需要访问的内网IP
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

实验设定：

1. 有两台机器A和B，其中A只有内网，B有内网和外网的环境
2. A的内网IP为192.168.85.129
3. B的内网IP为192.168.85.132，外网IP为192.168.48.132
4. C为客户端，C只能访问B的外网IP，不能访问A或者B的内网IP

最终需要实现的目的：C要访问到A机器内网上的网站

添加网卡：
B虚拟机添加网卡设备文件后，执行dhclient命令获取第二块网卡的IP地址，拷贝网卡配置文件ifcfg-ens33至ifcfg-ens38，修改配置：

• 删除dns配置
• 删除网关配置
• 修改网卡名称
• 修改IP地址

[root@dxg ~]# cd /etc/yum.repos.d/
[root@dxg yum.repos.d]# vi nginx.repo 
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1

[root@dxg yum.repos.d]# yum install -y nginx
[root@dxg yum.repos.d]# cd /etc/nginx/conf.d/
[root@dxg conf.d]# vi default.conf
deny all;   #添加配置

[root@dxg conf.d]# vi bbs.aibenwoniu.xyz.conf
server
{

        listen 80;
        server_name bbs.aibenwoniu.xyz;

location /
    {
        proxy_pass http://192.168.85.129;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

[root@dxg conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@dxg conf.d]# nginx -s reload
[root@dxg conf.d]# firewall-cmd --add-port=80/tcp --permanent #添加访问端口防火墙规则，要不然无法访问
[root@dxg conf.d]# firewall-cmd --reload

访问验证

[root@dxg conf.d]# vi /etc/hosts
192.168.48.132	bbs.aibenwoniu.xyz

[root@dxg conf.d]# curl -I bbs.aibenwoniu.xyz
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 11 Feb 2019 06:52:07 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1

nginx负载均衡

负载均衡就是把前端的请求均衡地分发到后端的各个机器上面

[root@dxg conf.d]# vi qq.com.conf 
 upstream qq.com
    {
	ip_hash; 
	server 111.161.64.48:80; 
	server 180.163.26.39:80; 
    }
    server
    {
	listen 80;
	server_name www.qq.com;
	location /
	{
	    proxy_pass http://qq.com;
	    proxy_set_header Host $host;
	    proxy_set_header X-Real-IP $remote_addr;
	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
    }

验证

[root@dxg conf.d]# curl -x111.161.64.48:80 www.qq.com -I
HTTP/1.1 200 OK
Server: squid/3.5.24
Date: Mon, 11 Feb 2019 09:07:35 GMT
Content-Type: text/html; charset=GB2312
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Mon, 11 Feb 2019 09:08:35 GMT
Cache-Control: max-age=60
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Cache: MISS from shenzhen.qq.com

配置ssl

配置ssl来让Nginx实现用https（是一种加密的http）来访问网站，http默认是80端口，https默认是443端口。

1. 申请证书

• 生产：www.wosign.com （沃通）
• 免费：freessl.org

实验使用免费的freessl.org来申请证书，需要先注册账户，之后输入之前申请使用的域名（aibenwoniu.xyz）去创建证书，根据提示将dns验证信息在dnspod上新建一条txt类型的记录，验证成功后会生成三个文件（ca/crt/key）

2. 创建证书配置文件

[root@linux2019 nginx]# mkdir ssl
[root@linux2019 nginx]# cd ssl/
[root@linux2019 ssl]# vi ca
[root@linux2019 ssl]# vi crt
[root@linux2019 ssl]# vi key
#将之前申请的证书文件代码复制到相应的文件中

3. 配置虚拟主机配置文件

[root@linux2019 conf.d]# vi bbs.aibenwoniu.xyz.conf 
listen       443 ssl;
    server_name  bbs.aibenwoniu.xyz;
    ssl on;
    ssl_certificate /etc/nginx/ssl/bbs.crt;
    ssl_certificate_key /etc/nginx/ssl/bbs.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
[root@linux2019 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@linux2019 conf.d]# nginx -s reload
[root@linux2019 conf.d]# firewall-cmd --add-port=443/tcp --permanent
success
[root@linux2019 conf.d]# firewall-cmd --reload
success
[root@linux2019 conf.d]# systemctl restart nginx

验证

[root@linux2019 conf.d]# curl  -H "host:bbs.aibenwoniu.xyz" https://192.168.85.129/index.php
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
 
[root@linux2019 conf.d]# curl -k -H "host:bbs.aibenwoniu.xyz" https://192.168.85.129/index.php

PS1: curl -k #允许curl使用非安全的ssl连接并且传输数据（证书不受信）

PS2:SSL相关扩展学习—https://github.com/aminglinux/nginx/tree/master/ssl