学习linux第五十二天

nginx负载均衡

nginx不支持代理https,不支持443端口

查看域名解析的地址

[root@hanlin ~]# yum install bind-utils.x86_64 
[root@hanlin ~]# dig www.baidu.com (相当于是ping域名解析,但是dig可以返回多个ip)

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20133
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.baidu.com. IN A

;; ANSWER SECTION:
www.baidu.com. 118 IN CNAME www.a.shifen.com.
www.a.shifen.com. 249 IN A 180.97.33.107
www.a.shifen.com. 249 IN A 180.97.33.108

;; Query time: 53 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: 三 11月 28 16:35:44 CST 2018
;; MSG SIZE rcvd: 101

 


[root@hanlin vhost]# vim ld.conf

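# Upstream group "baidu.com": the two A records that dig returned for
# www.baidu.com above. (The original notes put explanations in parentheses
# after the directives, which is not nginx syntax and fails `nginx -t`; they
# are kept here as real # comments.)
upstream baidu.com
{
    ip_hash;                   # requests from one client address stick to one backend
    server 180.97.33.107:80;   # ":80" may be omitted, it is the default
    server 180.97.33.108:80;
}
server
{
    listen 80;
    server_name www.baidu.com;  # the domain this virtual host answers for
    location /
    {
        # Refers to the upstream group above. Because there are several
        # backend IPs, only the group name can be given here, not an address.
        proxy_pass http://baidu.com;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client already sent; a backend must therefore
        # only trust the right-most (nginx-added) entry, never the left-most.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}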
[root@hanlin vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@hanlin vhost]# curl -x127.0.0.1:80 www.baidu.com (通过本机代理访问;如果不重新加载配置,会访问到默认站点)
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always name=referrer><link rel=stylesheet type=text/css href=http://s1.bdstatic.com/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src=//www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come v

 

[root@hanlin vhost]# curl -x127.0.0.1:80 www.baidu.com 
this is the default site.

 

 

ssl原理和生成密钥对

 

 

 

[root@hanlin conf]# yum install -y openssl
 

[root@hanlin conf]# openssl genrsa -des3 -out tmp.key 2048 (生成2048位的RSA私钥,用des3口令加密保护,文件名是tmp.key)
Generating RSA private key, 2048 bit long modulus
.................+++
....................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:

 

[root@hanlin conf]# openssl rsa -in tmp.key -out aminglinux.key (转换key,去掉口令;这样nginx启动时无需交互输入口令,但私钥文件本身不再受口令保护,要严格限制它的读取权限)

Enter pass phrase for tmp.key:


writing RSA key

[root@hanlin conf]# openssl req -new -key aminglinux.key -out aminglinux.csr (生成证书请求文件,需要这个文件和私钥一起生成公钥(crt))

You are about to be asked to enter information that will be incorporated

into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:china
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:jiangsu
Locality Name (eg, city) [Default City]:suzhou
Organization Name (eg, company) [Default Company Ltd]:xuyao 
Organizational Unit Name (eg, section) []:xuyao
Common Name (eg, your name or your server's hostname) []:xuyao
Email Address []:xuyao

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd-1234
An optional company name []:xuyao

 

 

[root@hanlin conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt (用私钥自签名生成crt证书(公钥),有效期365天)
Signature ok
subject=/C=11/ST=jiangsu/L=suzhou/O=xuyao/OU=xuyao/CN=xuyao/emailAddress=xuyao
Getting Private key
[root@hanlin conf]# ls
aminglinux.crt fastcgi_params mime.types scgi_params vhost
aminglinux.csr fastcgi_params.default mime.types.default scgi_params.default win-utf
aminglinux.key htpasswd nginx.conf tmp.key
fastcgi.conf koi-utf nginx.conf.bak uwsgi_params
fastcgi.conf.default koi-win nginx.conf.default uwsgi_params.default

 

nginx配置ssl

 

 

[root@hanlin conf]# cd vhost/
[root@hanlin vhost]# vim ssl.conf
[root@hanlin vhost]# mkdir /data/wwwroot/aming.com
[root@hanlin vhost]# vim ssl.conf

 

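server
{
    listen 443;                          # the HTTPS port
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;                              # enable TLS for this vhost (nginx 1.12 syntax; newer releases use "listen 443 ssl;" instead)
    ssl_certificate aminglinux.crt;      # self-signed certificate from above; its CN is "xuyao", not aming.com, so clients will not trust it
    ssl_certificate_key aminglinux.key;  # private key with the passphrase removed -> the file must be readable by root only
    ssl_protocols TLSv1.2;               # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and were removed here; TLSv1.3 needs OpenSSL 1.1.1+ and a newer nginx than 1.12.1
}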
 

[root@hanlin vhost]# /usr/local/nginx/sbin/nginx -t (报错:当前编译的nginx没有带ssl模块,需要重新编译)
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

 

[root@hanlin vhost]# /usr/local/nginx/sbin/nginx -V (查看当前nginx的编译参数)
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) 
configure arguments: --prefix=/usr/local/nginx

 

[root@hanlin nginx-1.12.1]# ./configure --help |grep ssl (到源码包里查看关于ssl的配置参数)
--with-http_ssl_module enable ngx_http_ssl_module
--with-mail_ssl_module enable ngx_mail_ssl_module
--with-stream_ssl_module enable ngx_stream_ssl_module
--with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL

 

[root@hanlin nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module (重新编译nginx支持ssl)
 

[root@hanlin nginx-1.12.1]# make && make install
[root@hanlin nginx-1.12.1]# echo $?
0

 

[root@hanlin nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanlin nginx-1.12.1]# /usr/local/nginx/sbin/nginx -s reload

 

[root@hanlin nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ 确定 ]
[root@hanlin nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd 
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7411/nginx: master 
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1641/dnsmasq 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1182/sshd 
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1187/cupsd 
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1570/master 
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 7411/nginx: master 
tcp6 0 0 :::111 :::* LISTEN 1/systemd 
tcp6 0 0 :::22 :::* LISTEN 1182/sshd 
tcp6 0 0 ::1:631 :::* LISTEN 1187/cupsd 
tcp6 0 0 ::1:25 :::* LISTEN 1570/master 
tcp6 0 0 :::3306 :::* LISTEN 1526/mysqld 

 

 

[root@hanlin nginx-1.12.1]# vim /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 aming.com
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

[root@hanlin nginx-1.12.1]# curl https://aming.com/ (其实已经访问成功了,只不过证书是自己签发的(而且证书的CN是xuyao,与aming.com不匹配),所以curl提示证书不受信任;可以在Windows上测试,添加hosts后浏览器会提示连接不安全,但仍然可以进去)

在 C:\Windows\System32\drivers\etc\hosts 中添加 192.168.0.12 aming.com 后就可以用浏览器访问了
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

 

买合法证书去下面链接(选择CA前请先确认其根证书仍被主流浏览器信任,否则和自签证书一样会被提示不受信任)

https://www.wosign.com/

 

 

 

 

转载于:https://my.oschina.net/u/3867255/blog/2963437
