LNMP架构之负载均衡及HTTPS相关配置

本文索引：

昭阳网站建设公司创新互联,昭阳网站设计制作，有大型网站制作公司丰富经验。已为昭阳千余家提供企业网站建设服务。企业网站搭建\成都外贸网站制作要多少钱，请找那个售后服务好的昭阳做网站的公司定做！Nginx负载均衡 ssl原理 生成ssl密钥对 Nginx配置ssl

---

Nginx负载均衡

负载均衡原理上就是代理，只不过通过设置多个代理服务器来实现多用户访问时的负载均衡。同时也可以在某个代理服务器无法访问时，切换到另外的代理服务器，从而实现访问不间断的目的。

下面以qq.com为例，配置负载均衡

先通过dig命令查看域名及其ip

# dig命令由bind-utils包安装 [root@localhost ~]# yum install -y bind-utils [root@localhost ~]# dig qq.com ; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> qq.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65328 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;qq.com. IN A ;; ANSWER SECTION: qq.com. 404 IN A 61.135.157.156 qq.com. 404 IN A 125.39.240.113 ;; Query time: 40 msec ;; SERVER: 119.29.29.29#53(119.29.29.29) ;; WHEN: 四 1月 04 22:02:25 CST 2018 ;; MSG SIZE rcvd: 67 配置虚拟主机配置文件

[root@localhost ~]# mv /usr/local/nginx/conf/vhost/load.conf # 通过upstream来指定多个web服务器 upstream qq_com { # ip_hash的目的是让同一个用户始终保持在同一个机器上 ip_hash; # 这里是负载均衡时使用的多个server的ip # server http://61.135.157.157:80; # 上述表示也行，对应的server块内的proxy_pass内直接写qq_com即可，不需要写http:// server 61.135.157.157:80; server 125.39.240.113:80; } server { listen 80; server_name www.qq.com; location / { # 这里使用的是upstream名即qq_com proxy_pass http://qq_com; proxy_set_header Host $host; proxy_set_header X_Real_IP $remote_addr; proxy_set_header X-Forwarded_For $proxy_add_x_forwarded_for; } } 验证效果

配置未生效时，本地访问www.qq.com，得到的将是默认主机的内容

[root@localhost ~]# curl -x127.0.0.1:80 www.qq.com this is default web server

重启服务后，获取到了www.qq.com网页的源码

[root@localhost ~]# /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload [root@localhost ~]# curl -x127.0.0.1:80 www.qq.com <!DOCTYPE html> <html lang="zh-CN"> <head> <meta content="text/html; charset=gb2312" http-equiv="Content-Type"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="baidu-site-verification" content="cNitg6enc2"> <title><CC><DA>Ѷ<CA><D7>ҳ</title> <script type="text/javascript"> if(window.location.toString().indexOf(\'pref=padindex\') != -1){ }else{ if(/AppleWebKit.*Mobile/i.test(navigator.userAgent) || /(Android.*Mobile.+).+Gecko.+Firefox/i.test(navigator.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE/.test(navigator.userAgent))){ if(window.location.href.indexOf("?mobile")<0){ try{ if(/Android|Windows Phone|webOS|iPhone|iPod|BlackBerry/i.test(navigator.userAgent)){ window.location.href="http://xw.qq.com/index.htm"; }else if(/iPad/i.test(navigator.userAgent)){ //window.location.href="http://www.qq.com/pad/" }else{ ...

nginx不支持代理https，即server语句内的端口无法使用443。

---

ssl原理

客户端向服务器发送https请求； 服务器上存储了一套数字证书，其实质为一对公私钥。数字证书可以自己制作，也可以向组织申请。前者在客户端访问时需要验证才能继续访问；后者不会弹出验证提示； 服务器将公钥传输给客户端； 客户端验证公钥是否合法：无效（自己制作的）会弹出警告，有效的则生成一串随机数，用此随机数加密公钥； 客户端将加密后的字符串传输给服务器 服务器收到字符串后，先使用私钥进行解密，获取加密使用的随机数，并以此随机数加密传输的数据（对称机密）； 服务器将加密后的数据传输给客户端； 客户端收到数据后，使用自己的私钥（即随机字符串）进行解密。

对称加密：将数据和私钥（随机字符串）通过某种算法混合在一起，除非知道私钥，否则无法解密。

---

生成SSL密钥对 创建私钥key

[root@localhost ~]# cd /usr/local/nginx/conf # 创建私钥key文件，必须输入密码，否则无法生成key文件 [root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048 Generating RSA private key, 2048 bit long modulus ..............................+++ ...............................................................+++ e is 65537 (0x10001) Enter pass phrase for tmp.key: Verifying - Enter pass phrase for tmp.key: 转换key，取消密码

[root@localhost conf]# openssl rsa -in tmp.key -out test.key Enter pass phrase for tmp.key: writing RSA key [root@localhost conf]# rm -f tmp.key 生成证书

[root@localhost conf]# openssl req -new -key test.key -out test.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter \'.\', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:ZheJiang Locality Name (eg, city) [Default City]:QuZhou Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server\'s hostname) []: Email Address []: Please enter the following \'extra\' attributes to be sent with your certificate request A challenge password []: An optional company name []: # 需要使用csr文件与私钥一起生成.crt文件 [root@localhost conf]# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt Signature ok subject=/C=CN/ST=ZheJiang/L=QuZhou/O=Default Company Ltd Getting Private key

---

Nginx配置SSL 创建新虚拟主机配置文件

[root@localhost conf]#vim /usr/local/nginx/conf/vhost/ssl.conf server { listen 443; server_name test.com; index index.html index.php; root /data/www/test.com; ssl on; ssl_certificate test.crt; ssl_certificate_key test.key; ssl_protocols TLSv1 TLS1.1 TLS1.2； } 创建对应目录及文件

[root@localhost conf]# mkdir -p /data/www/test.com [root@localhost conf]# vim /data/www/test.com/index.php ssl test page. 重启服务

/usr/local/nginx/sbin/nginx -t /usr/local/nginx/sbin/nginx -s reload 设置时报错 -- unknown directive “ssl”

这时由于一开始编译时未将http_ssl_module模块编译进nginx，需要重新编译安装

[root@localhost conf]# cd /usr/local/src/nginx-1.12.2/ [root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module [root@localhost nginx-1.12.2]# make && make install

---

重新编译后将导致之前配置的虚拟主机配置文件丢失，最后在重新编译前对有用的nginx虚拟主机文件进行备份

---

编译完成后查看

[root@localhost conf]# /usr/local/nginx/sbin/nginx -V nginx version: nginx/1.12.2 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) built with OpenSSL 1.0.2k-fips 26 Jan 2017 TLS SNI support enabled configure arguments: --prefix=/usr/local/nginx/ --with-http_ssl_module 重启nginx服务

# 重新编译后的nginx必须使用/etc/init.d/nginx脚本进行重启 [root@localhost conf]# /etc/init.d/nginx restart Restarting nginx (via systemctl): [ 确定 ] # 查看443端口是否开放 [root@localhost conf]# netstat -lntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1354/sshd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2116/master tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4953/nginx: master tcp6 0 0 :::3306 :::* LISTEN 2156/mysqld tcp6 0 0 :::22 :::* LISTEN 1354/sshd tcp6 0 0 ::1:25 :::* LISTEN 2116/master 效果验证 curl验证

# 如果不想使用-x指定ip，可以在/etc/hosts内添加如下代码 [root@localhost conf]# vim /etc/hosts 127.0.0.1 test.com # curl测试 [root@localhost conf]# curl https://test.com curl: (60) Peer\'s certificate issuer has been marked as not trusted by the user. More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn\'t adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you\'d like to turn off curl\'s verification of the certificate, use the -k (or --insecure) option. 浏览器验证 同样的要修改客户端上的hosts文件，添加一行代码如下：

192.168.65.133 test.com

同时要检查服务器端的防火墙是否开放443端口，这里为了测试方便，直接清空了iptables规则表

[root@localhost conf]# iptables -F

---