Nginx Load Balancing
Load balancing is an essential part of today's common web architectures: it protects server stability and, with it, the user experience. When Nginx is used as a load balancer, the front end supports both HTTP and HTTPS, while back-end access currently supports only HTTP, not yet HTTPS; newer versions are reported to add TCP proxying.
1. Create the load-balancing configuration
[root@aliyun ~]# yum install -y bind-utils
[root@aliyun ~]# dig qq.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9431
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com. IN A
;; ANSWER SECTION:
qq.com. 23 IN A 111.161.64.40
qq.com. 23 IN A 111.161.64.48
;; Query time: 0 msec
;; SERVER: 100.100.2.136#53(100.100.2.136)
;; WHEN: Wed Jun 13 01:59:00 CST 2018
;; MSG SIZE rcvd: 67
[root@aliyun ~]# vim /usr/local/nginx/conf/vhost/load.conf
Create the load-balancing configuration and write the following into it:
upstream qq    # define the pool of web servers; qq is the name of this upstream block
{
    ip_hash;    # keep each client on the same web server
    server 111.161.64.40:80;    # the two web servers' IPs
    server 111.161.64.48:80;
}
server
{
    listen 80;    # listening port
    server_name www.qq.com;    # site name
    location /    # location / directory
    {
        proxy_pass http://qq;    # must be the upstream name; if http:// is omitted here, add http:// before the two IPs after server in the upstream block above
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
2. Test whether load balancing works:
Access before reloading:
[root@aliyun ~]# curl -x127.0.0.1:80 www.qq.com
this is a test!
The request was handled by the default virtual host.
[root@aliyun ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@aliyun ~]# /usr/local/nginx/sbin/nginx -s reload
Access again after reloading:
[root@aliyun ~]# curl -x127.0.0.1:80 www.qq.com
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta content="text/html; charset=gb2312" http-equiv="Content-Type">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="baidu-site-verification" content="cNitg6enc2">
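The X-Forwarded-For line in load.conf above is where a backend's view of the client comes from, and $proxy_add_x_forwarded_for appends $remote_addr to whatever header the client already sent, so a backend must not simply take the first address. The POSIX shell function below is an added example, not part of the original page, showing the rightmost-untrusted rule a backend should apply; on an nginx backend the realip module's set_real_ip_from, real_ip_header and real_ip_recursive directives implement the same logic. The trusted-proxy addresses and sample values are assumptions constructed for the example.

```shell
#!/bin/sh
# Backend-side reading of X-Forwarded-For as produced by the load.conf above.
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client sent, so
# the header may begin with hops the client made up. Walk it from the right, skipping addresses of
# proxies we operate; the first address that is not ours is the real client. If the direct peer is
# not one of our proxies, the header is untrusted and the peer itself is the client.
# Addresses in the comments are constructed for this example.
client_ip() {
  peer=$1      # REMOTE_ADDR seen by the backend, e.g. the load balancer's address 10.0.0.5
  xff=$2       # X-Forwarded-For value as received, e.g. "9.9.9.9, 1.2.3.4"
  trusted=$3   # space-separated addresses of the proxies we control, e.g. "10.0.0.5 10.0.0.6"
  printf '%s\n' "$xff" | awk -v peer="$peer" -v trusted="$trusted" '
    BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) tr[t[i]] = 1 }
    {
      if (!(peer in tr)) { print peer; exit }            # untrusted peer: ignore the header
      m = split($0, hops, /[ \t]*,[ \t]*/)
      for (i = m; i >= 1; i--)                          # rightmost entry was added by our proxy
        if (hops[i] != "" && !(hops[i] in tr)) { print hops[i]; exit }
      print peer                                        # empty header or only our own proxies
    }'
}
```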
How SSL works

Generating an SSL key pair
[root@aliyun ~]# cd /usr/local/nginx/conf
[root@aliyun conf]# openssl genrsa -des3 -out tmp.key 2048    # generate a temporary private key file
Generating RSA private key, 2048 bit long modulus
...............+++
............+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:    # enter an encryption passphrase for the temporary private key
140415873787808:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters    # a passphrase shorter than 4 characters is rejected and you are asked again
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@aliyun conf]# openssl rsa -in tmp.key -out testprivate.key    # convert the temporary private key into the new private key file
Enter pass phrase for tmp.key:    # enter the passphrase from before; this strips the passphrase from the new private key
writing RSA key
[root@aliyun conf]# ls
fastcgi.conf fastcgi_params htpasswd koi-win mime.types.default nginx.conf.bak scgi_params tmp.key uwsgi_params.default win-utf
fastcgi.conf.default fastcgi_params.default koi-utf mime.types nginx.conf nginx.conf.default scgi_params.default testprivate.key uwsgi_params vhost
[root@aliyun conf]# rm -f tmp.key    # delete the temporary private key
[root@aliyun conf]# openssl req -new -key testprivate.key -out test.csr    # generate the certificate signing request
This request is used together with the private key to produce the certificate (public-key file).
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    # fill in the relevant information
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:TEST
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:test
Email Address []:@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test123
An optional company name []:test
[root@aliyun conf]# openssl x509 -req -days 365 -in test.csr -signkey testprivate.key -out testpublic.crt    # produce the certificate (public key) from the request and the private key, valid for 365 days
Signature ok
subject=/C=CN/ST=GuangDong/L=ShenZhen/O=TEST/OU=IT/CN=test/emailAddress=test@163.com
Getting Private key
test.csr: certificate request; testprivate.key: private key; testpublic.crt: certificate (public key)
Configuring SSL in Nginx
1. Create the SSL configuration
[root@aliyun conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
Add the following:
server
{
    listen 443;
    server_name test.com;
    index index.html index.php;
    root /data/wwwroot/test.com;
    ssl on;    # in nginx 1.15.0 this line produces an error
    ssl_certificate testpublic.crt;
    ssl_certificate_key testprivate.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
2. Test whether SSL works:
[root@aliyun conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
To fix this, nginx must be recompiled with the SSL module:
[root@aliyun conf]# cd /usr/local/src/nginx-1.14.0
[root@aliyun nginx-1.14.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@aliyun nginx-1.14.0]# make && make install
[root@aliyun nginx-1.14.0]# echo $?
0
[root@aliyun conf]# service nginx restart
[root@aliyun conf]# /usr/local/nginx/sbin/nginx -t
[root@aliyun conf]# netstat -lntp    # check whether port 443 is now listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 12839/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1410/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 12839/nginx: master
tcp6 0 0 :::3306 :::* LISTEN 12773/mysqld
[root@aliyun conf]# curl https://www.test.com    # to test from a local machine, edit the Windows hosts file first
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@aliyun vhost]#
This shows that HTTPS is already working; the error appears only because the certificate was issued by ourselves (self-signed), which the major browser vendors do not recognize.
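The key-generation steps above create a passphrase-protected key only to strip the passphrase again, and the curl error at the end is answered with -k. As an added example that is not from the original page, the shell functions below do the same job in a single openssl call (no passphrase, key file unreadable to other users, and a subjectAltName for the vhost name, since modern browsers match the hostname against the SAN rather than the CN) and then check the result offline instead of disabling verification. The hostname test.com and the DN fields are the page's; the output paths are this example's own assumption.

```shell
#!/bin/sh
# Create a self-signed certificate for an nginx vhost in one step and check it offline.
# Compared with the interactive genrsa/req/x509 sequence on this page: -nodes skips the temporary
# passphrase, -subj supplies the DN, and -addext adds the subjectAltName that browsers require.
# Output paths ($dir/$host.key, $dir/$host.crt) are this example's own convention.
make_selfsigned_cert() {
  dir=$1; host=$2; days=${3:-365}
  ( umask 077   # key is created mode 0600; file permissions replace the stripped passphrase
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
      -keyout "$dir/$host.key" -out "$dir/$host.crt" \
      -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=TEST/OU=IT/CN=$host" \
      -addext "subjectAltName=DNS:$host,DNS:www.$host" >/dev/null 2>&1 )
}

# Succeeds only if the certificate carries the public key of the private key nginx will load
# (a mismatch here is the usual cause of an ssl_certificate/ssl_certificate_key error at startup).
cert_matches_key() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# Print the SAN entries (whitespace removed) so the operator can confirm server_name is covered.
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2p' | tr -d ' '
}

# Replacement for curl -k: treat the self-signed certificate itself as the trust anchor and
# verify against it, which is what curl --cacert does against the live server.
verify_selfsigned() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
```

To test the running vhost with verification left on, point curl at the certificate instead of disabling checks: curl --cacert test.com.crt --resolve test.com:443:127.0.0.1 https://test.com/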
