nginx负载均衡
- vi /usr/local/nginx/conf/vhost/load.conf，写入以下内容： upstream qq_com { ip_hash; server 61.135.157.156:80; server 125.39.240.113:80; } server { listen 80; server_name www.qq.com; location / { proxy_pass http://qq_com; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } }
- upstream用来指定多个web server（proxy_pass中写的名称要与upstream的名称一致）
[root@node15 ~]# vim /usr/local/nginx/conf/vhost/load.conf
[root@node15 ~]# cat /usr/local/nginx/conf/vhost/load.conf
# Backend pool named "qq"; the proxy_pass directive below refers to it by this name.
upstream qq
{
# ip_hash selects the backend from the client address, so requests from one
# client normally keep going to the same server.
ip_hash;
# Backend addresses are hard-coded; nginx will not follow later DNS changes for the site.
server 61.135.157.156:80;
server 125.39.240.113:80;
}
# Virtual host that accepts requests for www.qq.com on port 80 and forwards them to the pool.
server
{
listen 80;
server_name www.qq.com;
location /
{
# Traffic from this proxy to the backends is plain HTTP.
proxy_pass http://qq;
# Forward the original Host header so the backend can pick the right site.
proxy_set_header Host $host;
# Address of the directly connecting client, as seen by this proxy.
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the
# client sent; the client-supplied part is unverified, so backends should rely
# only on the last entry, which this proxy added.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
[root@node15 ~]# curl -x127.0.0.1:80 www.qq.com
“This is a default site.”
[root@node15 ~]# cat /usr/local/nginx/conf/vhost/load.conf
# Backend pool "qq", referenced by name in proxy_pass.
upstream qq
{
# Choose the backend from the client address so a client normally stays on one server.
ip_hash;
# Fixed backend IPs on port 80.
server 61.135.157.156:80;
server 125.39.240.113:80;
}
# Port-80 virtual host for www.qq.com that proxies every request to the pool.
server
{
listen 80;
server_name www.qq.com;
location /
{
# Upstream connection is unencrypted HTTP.
proxy_pass http://qq;
# Keep the requested Host header for the backend.
proxy_set_header Host $host;
# Connecting client's address as seen here.
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any client-sent X-Forwarded-For; earlier entries in
# that header are client-controlled and must not be trusted by the backend.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
[root@node15 ~]# curl -x127.0.0.1:80 www.qq.com
“This is a default site.”
[root@node15 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@node15 ~]# /usr/local/nginx/sbin/nginx -s reload
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@node15 ~]# /usr/local/nginx/sbin/nginx -s reload
SSL原理
生成ssl密钥对
- cd /usr/local/nginx/conf
- openssl genrsa -des3 -out tmp.key 2048 #key文件为私钥
- openssl rsa -in tmp.key -out aminglinux.key #转换key,取消密码（取消密码后私钥以明文保存，应限制文件权限，例如 chmod 600 aminglinux.key）
- rm -f tmp.key
- openssl req -new -key aminglinux.key -out aminglinux.csr #生成证书请求文件,需要拿这个文件和私钥一起生成证书（公钥）文件
- openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
- 这里的aminglinux.crt为公钥（准确地说是包含公钥的自签名证书，浏览器和curl默认不信任它）
[root@node15 ~]# cd /usr/local/nginx/conf
[root@node15 conf]# rpm -qf `which openssl`
openssl-1.0.2k-8.el7.x86_64
[root@node15 conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.............+++
.......................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@node15 conf]# rpm -qf `which openssl`
openssl-1.0.2k-8.el7.x86_64
[root@node15 conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.............+++
.......................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@node15 conf]# openssl rsa -in tmp.key -out user.key
Enter pass phrase for tmp.key:
writing RSA key
Enter pass phrase for tmp.key:
writing RSA key
[root@node15 conf]# rm -f tmp.key
[root@node15 conf]# openssl req -new -key user.key -out user.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:aa
Organizational Unit Name (eg, section) []:aabb
Common Name (eg, your name or your server's hostname) []:aaa^Hlinux
Email Address []:adim@admin.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wagskun
An optional company name []:wang
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:aa
Organizational Unit Name (eg, section) []:aabb
Common Name (eg, your name or your server's hostname) []:aaa^Hlinux
Email Address []:adim@admin.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wagskun
An optional company name []:wang
[root@node15 conf]# openssl x509 -req -days 365 -in user.csr -signkey user.key -out user.crt
Signature ok
subject=/C=11/ST=shanghai/L=shanghai/O=aa/OU=aabb/CN=aaa\x08linux/emailAddress=adim@admin.com
Getting Private key
Signature ok
subject=/C=11/ST=shanghai/L=shanghai/O=aa/OU=aabb/CN=aaa\x08linux/emailAddress=adim@admin.com
Getting Private key
nginx配置ssl
- vi /usr/local/nginx/conf/vhost/ssl.conf，写入以下内容： server { listen 443; server_name aming.com; index index.html index.php; root /data/wwwroot/aming.com; ssl on; ssl_certificate aminglinux.crt; ssl_certificate_key aminglinux.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; } （注：TLSv1和TLSv1.1已被弃用，正式环境建议只保留TLSv1.2及以上；较新版本的nginx中“ssl on”已废弃，应写成 listen 443 ssl）
- /usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload #先检查配置语法,再重新加载
- mkdir /data/wwwroot/aming.com
- echo "ssl test page." > /data/wwwroot/aming.com/index.html
- 编辑hosts,增加127.0.0.1 aming.com
- curl https://aming.com/
[root@node15 conf]# mkdir /data/wwwroot/aming.com
[root@node15 conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@node15 conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
若报错unknown directive “ssl”，说明当前nginx编译时没有包含ssl模块，需要重新编译nginx，加上--with-http_ssl_module（可先用 nginx -V 查看原来的编译参数，重新编译时一并带上；安装完成后需要重启nginx，新的二进制文件才会生效）
[root@node15 conf]# /usr/local/nginx/sbin/nginx -v
nginx version: nginx/1.12.1
[root@node15 conf]# cd /usr/local/src/nginx-1.12.1
[root@node15 nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@node15 conf]# /usr/local/nginx/sbin/nginx -v
nginx version: nginx/1.12.1
[root@node15 conf]# cd /usr/local/src/nginx-1.12.1
[root@node15 nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@node15 nginx-1.12.1]# make && make install
编辑hosts,增加127.0.0.1 aming.com
[root@node15 nginx-1.12.1]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
#192.168.88.15 node15
127.0.0.1 aming.com
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
#192.168.88.15 node15
127.0.0.1 aming.com
Windows
在Windows上，编辑C:\windows\system32\drivers\etc目录下的hosts文件，添加Linux主机IP与域名（如aming.com）的对应记录
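[root@node15 nginx-1.12.1]# iptables -F
注意：iptables -F会清空filter表中的全部规则，只适合实验环境；正式环境应只放行需要的端口，例如 iptables -I INPUT -p tcp --dport 443 -j ACCEPT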