Lab objective: website certificate issuance and nginx load balancing
Lab topology diagram: lb (192.168.8.6) in front of web1 (192.168.8.7) and web2 (192.168.8.8)
Lab steps:
1. Use xftp to upload the nginx-rpm package directory to /root on all three hosts
2. Enter the nginx-rpm directory and install the nginx service (--nodeps --force skips dependency and conflict checks; acceptable for this lab, not for a production host)
[root@web1 ~]# cd nginx-rpm/
[root@web1 nginx-rpm]# rpm -ivh *.rpm --nodeps --force
[root@web2 ~]# cd nginx-rpm/
[root@web2 nginx-rpm]# rpm -ivh *.rpm --nodeps --force
Because nginx is also used as the load balancer, the lb host needs nginx installed as well
[root@lb ~]# cd nginx-rpm/
[root@lb nginx-rpm]# rpm -ivh *.rpm --nodeps --force
3. Check whether openssl is installed
[root@web1 ~]# rpm -q openssl
[root@web1 ~]# yum -y install openssl # run the yum install only if the query above finds nothing
[root@web1 ~]# openssl version # check the version
4. Create the SSL key directory and enter it
[root@web1 ~]# mkdir -p /etc/nginx/ssl_key
[root@web1 ~]# cd /etc/nginx/ssl_key/
5. web1 acts as the CA (certificate authority): create the private key
[root@web1 ssl_key]# openssl genrsa -idea -out server.key 2048 # server.key is the private key file; -idea encrypts it, so you are prompted for a passphrase
The passphrase prompt is the part marked in red in the original screenshot.
6. Generate the certificate and drop the passphrase from the private key
[root@web1 ssl_key]# openssl req -days 3650 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Note that -newkey rsa:2048 -keyout server.key generates a fresh key without a passphrase (-nodes) and overwrites the encrypted key from step 5; an encrypted key would make nginx ask for the passphrase on every start. To keep the step 5 key instead, decrypt it first with openssl rsa -in server.key -out server.key and pass -key server.key in place of -newkey rsa:2048 -keyout server.key. The certificate is self-signed (-x509), so "CA" here only means that web1 signs its own certificate; no separate CA is set up.
Country Name: country
State or Province Name: state or province
Locality Name: city
Organization Name: organization
Organizational Unit Name: organizational unit
Common Name: the site's host name
Email Address: e-mail address
Fill these in as needed; pressing Enter at every prompt accepts the defaults and produces the certificate. Set Common Name to the name clients will use (www.benet.com here): browsers compare the host name with the certificate, and current browsers require it in a subjectAltName extension, which this interactive command does not add.
7. On web1, go to the nginx configuration directory and delete default.conf
[root@web1 ~]# cd /etc/nginx/conf.d/
[root@web1 conf.d]# rm -rf default.conf
8. Create the nginx configuration file by hand
[root@web1 ~]# vim /etc/nginx/conf.d/https.conf
server {
    listen 443 ssl; # the TLS site listens on 443
    server_name www.benet.com; # site name; should match the certificate's Common Name / SAN
    ssl_certificate ssl_key/server.crt; # certificate, path relative to /etc/nginx
    ssl_certificate_key ssl_key/server.key; # private key, path relative to /etc/nginx
    location / {
        root /www; # directory holding the pages
        index index.html; # default page
    }
}
9. Create the web root /www and a test page
[root@web1 ~]# mkdir /www
[root@web1 ~]# echo "web1" >/www/index.html
10. Copy the nginx configuration file and the certificate directory to web2
[root@web1 ~]# scp -rp /etc/nginx/conf.d/https.conf root@192.168.8.8:/etc/nginx/conf.d/
[root@web1 ~]# scp -rp /etc/nginx/ssl_key/ root@192.168.8.8:/etc/nginx/ # must land in /etc/nginx/, not conf.d/, because https.conf references ssl_key/ relative to /etc/nginx
11. On web2, create the web root /www and its page, and delete default.conf
[root@web2 ~]# mkdir /www
[root@web2 ~]# echo "web2" >/www/index.html # a different page from web1, so the load-balancing test in step 15 can tell the two backends apart
[root@web2 ~]# rm -rf /etc/nginx/conf.d/default.conf
12. Restart nginx on both web servers (nginx -t first catches a wrong certificate or key path)
[root@web1 ~]# systemctl restart nginx
[root@web2 ~]# systemctl restart nginx
13. Open a browser and check whether the certificate works
Because the certificate is self-signed, the browser warns that it does not trust it; if the page loads at https://www.benet.com after accepting the warning, the certificate is in place.
14. rewrite (redirect http to https)
[root@web1 ~]# vim /etc/nginx/conf.d/https.conf
server {
    listen 443 ssl;
    server_name www.benet.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        root /www; # the page directory created in step 9
        index index.html;
    }
}
server {
    listen 80;
    server_name https.benet.com;
    # rewrite .* https://https.benet.com;
    # rewrite .* https://$host$request_uri redirect;
    # rewrite .* https://$server_name$request_uri redirect;
    rewrite ^(.*)$ https://$server_name$1 redirect; # the capture group is required: without it $1 is empty and the requested path is lost
}
[root@web2 ~]# vim /etc/nginx/conf.d/https.conf # same content as the web1 file above, or copy it again with scp as in step 10
When a user types http instead of https (leaving out the s), the line marked in red redirects the request to https. The commented-out variants show the alternatives: $host keeps whatever host name the client used, and $request_uri keeps the full path and query string.
15. Load balancer setup
1) Delete /etc/nginx/conf.d/default.conf
[root@lb ~]# rm -rf /etc/nginx/conf.d/default.conf
2) Create the configuration file
[root@lb ~]# vim /etc/nginx/conf.d/lb.conf
upstream webhttps {
    server 192.168.8.7:443; # web1
    server 192.168.8.8:443; # web2; requests are distributed round-robin by default
}
server {
    listen 443 ssl;
    server_name www.benet.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass https://webhttps; # re-encrypts to the backends; nginx does not verify the backend certificate unless proxy_ssl_verify on and proxy_ssl_trusted_certificate are set
    }
}
server {
    listen 80;
    server_name https.benet.com;
    return 302 https://$server_name$request_uri; # $request_uri keeps the original path and query string
}
3) Copy web1's certificate and private key to the load balancer
[root@web1 ~]# scp -rp /etc/nginx/ssl_key/ root@192.168.8.6:/etc/nginx/
4) Restart nginx and test by accessing the load balancer's IP address
[root@lb ~]# systemctl restart nginx
If refreshing the page alternates between web1 and web2, load balancing is working.
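Steps 14 and 15 leave the verification to a browser. Here is an added script (not from the lab notes) that checks both results from the shell: that port 80 answers with a redirect to an https URL, and that repeated https requests reach both backends. The check functions take a response header block or a fetch command as input, so they can be exercised with constructed data; the two curl fetchers at the bottom are the ones to point at the lab hosts. The LB address 192.168.8.6, the name www.benet.com, the certificate path and the page bodies "web1"/"web2" are taken from the lab steps; the script name lb_check.sh is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original lab notes: shell checks for the
# http->https redirect (step 14) and for round-robin distribution (step 15).
# Values assumed from the lab: LB at 192.168.8.6, name www.benet.com,
# cert at /etc/nginx/ssl_key/server.crt, pages that print "web1"/"web2".
LB_IP=192.168.8.6
NAME=www.benet.com
CA=/etc/nginx/ssl_key/server.crt

# location_of: read an HTTP response header block on stdin and print the
# Location header value (CR stripped); prints nothing if there is none.
location_of() {
    awk 'tolower($1) == "location:" { sub(/\r$/, "", $2); print $2; exit }'
}

# redirects_to_https: 0 if the header block on stdin redirects to an https URL
redirects_to_https() {
    case "$(location_of)" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# backend_counts FETCH N: run FETCH N times (it must print the name of the
# backend that answered) and print "name count" lines, e.g. "web1 5".
backend_counts() {
    bc_fetch=$1; bc_n=$2; bc_i=0
    while [ "$bc_i" -lt "$bc_n" ]; do
        "$bc_fetch"
        bc_i=$((bc_i + 1))
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# all_backends_seen COUNTS NAME...: 0 only if every NAME appears in COUNTS.
# A backend that never answers is usually down or missing from upstream.
all_backends_seen() {
    abs_counts=$1; shift
    for abs_name in "$@"; do
        printf '%s\n' "$abs_counts" | grep -q "^$abs_name " || return 1
    done
}

# Fetchers for the real hosts (need curl and network access to the LB).
fetch_http_headers() {
    curl -sI -H "Host: $NAME" "http://$LB_IP/"
}
fetch_https_body() {
    # Verify the lab's self-signed certificate instead of using curl -k;
    # --resolve keeps the URL host name (which must match the cert) while
    # connecting to the LB address.
    curl -s --cacert "$CA" --resolve "$NAME:443:$LB_IP" "https://$NAME/"
}

main() {
    if fetch_http_headers | redirects_to_https; then
        echo "redirect http->https: ok"
    else
        echo "redirect http->https: FAIL"
    fi
    counts=$(backend_counts fetch_https_body 10)
    printf '%s\n' "$counts"
    if all_backends_seen "$counts" web1 web2; then
        echo "load balancing: ok"
    else
        echo "load balancing: FAIL"
    fi
}

# Run the live checks only when executed as lb_check.sh, so the functions
# can also be sourced and tested with constructed data.
if [ "${0##*/}" = "lb_check.sh" ]; then main; fi
```

Using --cacert with the lab's own server.crt works only because the certificate's name matches the URL; if step 6 was run with an empty Common Name, curl rejects the certificate and the check fails, which is the same failure a browser would show.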