haproxy 负载均衡 https
haproxy服务器(DR)(CA) | IP:192.168.101.200 |
httpd服务器(RS1) | IP:192.168.101.110 |
httpd服务器(RS2) | IP:192.168.101.210 |
关闭防火墙和selinux
[root@DR ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@DR ~]# setenforce 0
[root@RS1 ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS1 ~]# setenforce 0
[root@RS2 ~]# systemctl disable --now firewalld.service
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@RS2 ~]# setenforce 0
CA上的操作
[root@DR ~]# yum -y install openssl
##查看openssl的配置文件openssl.cnf,因为配置文件中对证书的名称和存放位置等相关信息都做了定义
图片
[root@DR ~]# openssl version -a
OpenSSL 1.1.1k FIPS 25 Mar 2021
built on: Wed Jul 21 11:11:34 2021 UTC
platform: linux-x86_64
options: bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines: rdrand dynamic
##创建为根证书CA所需的目录及文件
[root@DR ~]# mkdir /etc/pki/CA
[root@DR ~]# cd /etc/pki/CA/
[root@DR CA]# touch serial
[root@DR CA]# touch index.txt
[root@DR CA]# ls
index.txt serial
[root@DR CA]# echo 01 > serial # 指明证书的开始编号
[root@DR CA]# cat serial
01
## 生成根证书的私钥(注意:私钥的文件名与存放位置要与配置文件中的设置相匹配
openssl genrsa -out private/cakey.pem 2048 #私钥默认是2048,去和根证书绑定
[root@DR CA]# mkdir private
[root@DR CA]# ls
index.txt private serial
[root@