
12.17 Nginx load balancing 12.18 SSL principles 12.19 Generating an SSL key pair 12.20 Configuring SSL in Nginx


  • 12.17 Nginx load balancing

  • 12.18 SSL principles

  • 12.19 Generating an SSL key pair

  • 12.20 Configuring SSL in Nginx

  • Extensions

  • Proxying by request URI http://ask.apelearn.com/question/1049

  • Choosing the backend web server by requested directory http://ask.apelearn.com/question/920

  • Nginx session persistence ("long connections") http://www.apelearn.com/bbs/thread-6545-1-1.html

  • Analysis of nginx balancing algorithms http://blog.sina.com.cn/s/blog_72995dcc01016msi.html

12.17 Nginx load balancing

  • Use the dig command; if it is missing, install the bind-utils package with yum

[root@localhost ~]# dig
-bash: dig: command not found
[root@localhost ~]# yum install -y bind-utils
Installed:
  bind-utils.x86_64 32:9.9.4-51.el7
Dependency Installed:
  bind-libs.x86_64 32:9.9.4-51.el7
Dependency Updated:
  bind-libs-lite.x86_64 32:9.9.4-51.el7      bind-license.noarch 32:9.9.4-51.el7
Complete!
[root@localhost ~]# dig qq.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47359
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.				IN	A

;; ANSWER SECTION:
qq.com.			455	IN	A	61.135.157.156
qq.com.			455	IN	A	125.39.240.113

;; Query time: 34 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: Mon Oct 23 20:34:36 CST 2017
;; MSG SIZE  rcvd: 67

[root@localhost ~]#
dig qq.com returns two IPs: 61.135.157.156 and 125.39.240.113.
dig ask.apelearn.com returns a single IP: 121.201.9.155.
[root@localhost ~]# dig ask.apelearn.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> ask.apelearn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1701
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ask.apelearn.com.		IN	A

;; ANSWER SECTION:
ask.apelearn.com.	600	IN	A	121.201.9.155

;; Query time: 126 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: Mon Oct 23 20:37:29 CST 2017
;; MSG SIZE  rcvd: 61

[root@localhost ~]#
This is plain name resolution: ping qq.com or dig qq.com shows that qq.com resolves to two addresses, and those two addresses can be used as the backends for a load-balancing exercise. They belong to qq.com, not to us, so this is a classroom demo only: an nginx that forwards to other people's servers and is reachable from the outside is effectively an open proxy.
Create a new vhost configuration file. It has to live in the directory that nginx.conf includes (the cat at the end of this section shows it in the vhost directory); the comments on the right explain each line:
[root@localhost ~]# vi ld.conf
upstream qq
{
    ip_hash;                        # a given client address always lands on the same backend (session stickiness)
    server 61.135.157.156:80;       # define the two backend servers
    server 125.39.240.113:80;
}
server
{
    listen 80;                      # listening port
    server_name www.qq.com;
    location /
    {
        proxy_pass      http://qq;  # the upstream name defined above
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
:wq

One caveat on the headers: $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client already sent, so the backend must only trust the last, proxy-appended address in that header; anything before it is client-controlled and trivially spoofed.

[root@localhost ~]# curl -x127.0.0.1:80 www.qq.com
This is the default site.
[root@localhost ~]#
Before the reload, a request for www.qq.com still lands on the default virtual host.
Check the syntax and reload:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]#

[root@localhost vhost]# curl -x127.0.0.1:80 www.qq.com
(... HTML of the www.qq.com homepage, truncated ...)
</body></html>
[root@localhost vhost]#
After the reload the same request returns the www.qq.com homepage, served through the upstream.
[root@localhost vhost]# cat ld.conf
upstream qq
{
    ip_hash;
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass      http://qq;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

[root@localhost vhost]#
  • That is load balancing: nginx accepts the request and hands it to one of the upstream servers, and with ip_hash the choice is pinned per client address.
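The ip_hash directive above pins a client to one backend by hashing its address. The following is an added example, not code from the course or from nginx itself: a POSIX shell model of that hash, written from my reading of nginx's ngx_http_upstream_ip_hash_module (the seed 89, the multiplier 113 and modulus 6271, equal weights, and the use of only the first three octets are assumptions to verify against the nginx version you run). The sample client addresses and the two-backend upstream are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the course): a model of how nginx's ip_hash picks a
# backend, to show what "the same client always hits the same server" means.
# Assumptions, labelled: arithmetic follows ngx_http_upstream_ip_hash_module as
# I read it (seed 89, per-octet hash*113+octet mod 6271, first THREE octets of
# an IPv4 address only, equal weights, no backend marked down). Octets are
# expected without leading zeros (shell arithmetic would read 010 as octal).

# ip_hash_pick <client-ipv4> <number-of-backends>
# Prints the 0-based index of the backend the client is pinned to.
ip_hash_pick() {
    client_ip=$1
    backends=$2
    hash=89
    old_ifs=$IFS
    IFS=.
    set -- $client_ip            # split the address into octets
    IFS=$old_ifs
    # nginx deliberately ignores the 4th octet, so a whole /24 shares one hash
    for octet in "$1" "$2" "$3"; do
        hash=$(( (hash * 113 + octet) % 6271 ))
    done
    echo $(( hash % backends ))
}

# same_subnet_sticky <first-three-octets> <number-of-backends>
# Prints "sticky" if four sample hosts of that /24 all map to one backend.
same_subnet_sticky() {
    prefix=$1
    backends=$2
    first=$(ip_hash_pick "$prefix.1" "$backends")
    for host in 2 100 254; do
        [ "$(ip_hash_pick "$prefix.$host" "$backends")" = "$first" ] || { echo "not sticky"; return; }
    done
    echo "sticky"
}

# Constructed sample: the two-backend upstream from the page, three clients.
for ip in 192.168.1.10 192.168.1.200 10.0.0.1; do
    echo "$ip -> backend $(ip_hash_pick "$ip" 2)"
done
echo "192.168.1.0/24 -> $(same_subnet_sticky 192.168.1 2)"
```

Run it with sh. The line to take away is the last one: every host in 192.168.1.0/24 gets the same backend, so users behind one NAT or one office subnet all pile onto a single server, and because nginx hashes the TCP peer address rather than X-Forwarded-For, putting another proxy in front of this nginx sends every request to one backend unless the realip module rewrites the client address first.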

12.18 SSL principles

  • How SSL/TLS works. The course describes the classic RSA key-transport handshake; current TLS versions derive the session key with ephemeral Diffie-Hellman instead, but the trust model and the roles of certificate, public key and private key are the same.

  • The browser sends an HTTPS request to the server;

  • The server needs a digital certificate. It can be self-made (the steps in 12.19 below make one), or requested from a certificate authority (CA). The difference: a self-signed certificate is not trusted by the client, so the browser shows a warning page that the user has to click through, whereas a certificate from a trusted CA produces no prompt. The certificate carries the server's public key; the matching private key stays on the server and is never sent;

  • The server sends its certificate, and with it the public key, to the client;

  • The client (browser) checks that the certificate is valid: signed by a CA it trusts, not expired, and issued for the hostname being visited. If the check fails it warns; if it passes, the client generates a random secret and encrypts it with the server's public key;

  • The client sends the encrypted random secret to the server;

  • The server decrypts it with its private key (the public key encrypts, only the private key decrypts). Both sides now hold the same random secret, from which the symmetric session key is derived and used to encrypt the application data (symmetric encryption: the data and the session key are combined by a cipher such as AES, so anyone without the key cannot recover the data);

  • The server sends the symmetrically encrypted data to the client;

  • The client decrypts it with the same session key.

12.19 Generating an SSL key pair

  • Put the private key and the certificate in the directory /usr/local/nginx/conf/

[root@localhost ~]# cd /usr/local/nginx/conf/
[root@localhost conf]#
This needs the openssl command. To find out which package provides a command, query rpm with the path that which returns:
rpm -qf `which openssl`
[root@localhost conf]# rpm -qf `which openssl`
openssl-1.0.2k-8.el7.x86_64
[root@localhost conf]# yum install -y openssl-1.0.2k-8.el7.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * epel: ftp.riken.jp
 * extras: mirrors.163.com
 * updates: mirrors.163.com
Package 1:openssl-1.0.2k-8.el7.x86_64 already installed and latest version
Nothing to do
[root@localhost conf]#
Step 1: openssl genrsa -des3 -out tmp.key 2048 generates a 2048-bit RSA private key named tmp.key; -des3 encrypts the key file with a passphrase, which is why it prompts twice. A .key file is the private key.
[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
...........................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@localhost conf]#
Step 2: convert the key and strip the passphrase with openssl rsa -in tmp.key -out aminglinux.key, then rm -f tmp.key. Nginx does not prompt for a passphrase when it starts, so the key it loads must be unencrypted; from then on file permissions are the only protection, so keep the key root-owned with mode 600.
[root@localhost conf]# openssl rsa -in tmp.key -out aminglinux.key
Enter pass phrase for tmp.key:
writing RSA key
[root@localhost conf]# rm -f tmp.key
Step 3: generate a certificate signing request (CSR). The CSR is combined with the private key in the next step to produce the certificate.
[root@localhost conf]# openssl req -new -key aminglinux.key -out aminglinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:china
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:aming
Organizational Unit Name (eg, section) []:aming
Common Name (eg, your name or your server's hostname) []:aminglinux
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lishiming
An optional company name []:aming
[root@localhost conf]#
Two things to note in that dialogue. The country must be a two-letter ISO code such as CN; "11" is accepted by the tool but is not a valid code. More importantly, the Common Name entered is "aminglinux" while the site will be served as aming.com: clients compare the URL's hostname with the certificate, so this certificate fails name validation for https://aming.com even where it is trusted, and current browsers additionally require the hostname in a subjectAltName extension, which this CSR does not add.
Step 4: sign the request with our own private key (self-signed) for 365 days:
[root@localhost conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
Signature ok
subject=/C=11/ST=BeiJing/L=BeiJing/O=aming/OU=aming/CN=aminglinux/[email protected]
Getting Private key
[root@localhost conf]# ls aminglinux.*
aminglinux.crt  aminglinux.csr  aminglinux.key
aminglinux.crt is the certificate. It contains the public key (the course calls the file "the public key" for short) and is what nginx hands to every client; aminglinux.key is the private key and must never leave the server.
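The key-pair steps above and the handshake described in 12.18 can be exercised end to end with openssl alone. The script below is an added example, not the course's commands: it generates the key and a self-signed certificate non-interactively (with the visited hostname in the CN and a subjectAltName, which the page's certificate lacks), checks that certificate and key belong together, and re-enacts the 12.18 exchange at file level. Assumptions: an openssl binary of version 1.1.1 or newer on PATH (for pkeyutl and enc -pbkdf2), the names aming.com and aminglinux.* taken from the page, and a constructed random secret and index.html text; everything is written to a throw-away directory.

```shell
#!/bin/sh
# Added example, not the course's commands: 12.19 done non-interactively plus a
# file-level re-enactment of the exchange in 12.18. Assumptions, labelled:
# openssl >= 1.1.1 on PATH; names taken from the page; inputs constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 12.19 steps 1+2 in one go: a private key with NO passphrase (nginx cannot type
# one at startup), locked to the owner so the file mode is the only guard.
make_keypair() {
    openssl genrsa -out "$WORK/aminglinux.key" 2048 2>/dev/null
    chmod 600 "$WORK/aminglinux.key"
    # The public half: the part the server may hand to anyone.
    openssl rsa -in "$WORK/aminglinux.key" -pubout -out "$WORK/aminglinux.pub" 2>/dev/null
}

# 12.19 steps 3+4: CSR, then self-signed certificate. Unlike the page, the CN is
# the hostname that will be visited and a subjectAltName is added, because
# clients match the URL host against the SAN (browsers ignore the CN nowadays).
make_selfsigned_cert() {
    openssl req -new -key "$WORK/aminglinux.key" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=aming/CN=aming.com" \
        -out "$WORK/aminglinux.csr" 2>/dev/null
    printf 'subjectAltName=DNS:aming.com,DNS:www.aming.com\n' > "$WORK/san.ext"
    openssl x509 -req -days 365 -in "$WORK/aminglinux.csr" \
        -signkey "$WORK/aminglinux.key" -extfile "$WORK/san.ext" \
        -out "$WORK/aminglinux.crt" 2>/dev/null
}

# The check to run before restarting nginx: does this cert belong to this key?
cert_matches_key() {
    c=$(openssl x509 -in "$WORK/aminglinux.crt" -noout -modulus)
    k=$(openssl rsa -in "$WORK/aminglinux.key" -noout -modulus 2>/dev/null)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

# 12.18, asymmetric step: the "client" makes a random secret and encrypts it
# with the public key; the "server" recovers it with the private key.
rsa_key_transport() {
    openssl rand -hex 32 > "$WORK/secret.client"        # constructed pre-master secret
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/aminglinux.pub" \
        -in "$WORK/secret.client" -out "$WORK/secret.enc"
    openssl pkeyutl -decrypt -inkey "$WORK/aminglinux.key" \
        -in "$WORK/secret.enc" -out "$WORK/secret.server"
    [ "$(cat "$WORK/secret.client")" = "$(cat "$WORK/secret.server")" ] && echo same || echo different
}

# 12.18, symmetric step: application data protected with AES under that secret,
# encrypted with the server's copy and decrypted with the client's copy.
aes_bulk_data() {
    printf 'This is ssl.\n' > "$WORK/plain"             # the page's index.html content
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$WORK/secret.server" \
        -in "$WORK/plain" -out "$WORK/plain.enc"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/secret.client" \
        -in "$WORK/plain.enc" -out "$WORK/plain.dec"
    cat "$WORK/plain.dec"
}

# Why curl complains: the certificate verifies only when we explicitly trust it.
verify_with_own_cert() {
    openssl verify -CAfile "$WORK/aminglinux.crt" "$WORK/aminglinux.crt" 2>&1 | grep -q ': OK$' && echo trusted || echo untrusted
}
verify_with_system_bundle() {
    openssl verify "$WORK/aminglinux.crt" 2>&1 | grep -q ': OK$' && echo trusted || echo untrusted
}

make_keypair
make_selfsigned_cert
echo "cert/key: $(cert_matches_key)"
echo "RSA key transport: $(rsa_key_transport)"
echo "AES data: $(aes_bulk_data)"
echo "verify with own cert: $(verify_with_own_cert); with system bundle: $(verify_with_system_bundle)"
```

The last line shows why curl refuses the page's certificate later on: verification succeeds only when the certificate itself is supplied as the trust anchor (what curl --cacert does) and fails against the system CA bundle. The random secret stands in for the TLS pre-master secret; in TLS 1.3 that secret comes from an ephemeral Diffie-Hellman exchange rather than RSA encryption, so the server's private key is used only to sign the handshake.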
12.20 Configuring SSL in Nginx
With the private key and certificate in place, nginx can be configured.
Create a new configuration file:
[root@localhost conf]# vim ssl.conf

[1]+  Stopped               vim ssl.conf
[root@localhost conf]# mkdir /data/wwwroot/aming.com
[root@localhost conf]# fg
vim ssl.conf
server
{
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
:wq
Three notes on this file. Relative paths in ssl_certificate and ssl_certificate_key are resolved against the conf directory, so aminglinux.crt means /usr/local/nginx/conf/aminglinux.crt. "ssl on;" is the old form, deprecated since nginx 1.15.0 in favour of "listen 443 ssl;". And TLSv1 and TLSv1.1 are obsolete and should not be offered; on a current nginx/OpenSSL build use "ssl_protocols TLSv1.2 TLSv1.3;".
The nginx binary was originally compiled without SSL support, so it has to be rebuilt. This is why the source tree should not be deleted after installation: it may be needed again for a rebuild.
[root@localhost conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
configure arguments: --prefix=/usr/local/nginx
The configure arguments contain no SSL option. Go to the nginx source directory, find the option that has to be added (--with-http_ssl_module), then re-run ./configure, make and make install:
[root@localhost conf]# cd /usr/local/src/nginx-1.12.1/

[root@localhost nginx-1.12.1]# ./configure --help |grep -i ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
[root@localhost nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
(... configure output truncated ...)
  nginx path prefix: "/usr/local/nginx"
  nginx binary file: "/usr/local/nginx/sbin/nginx"
  nginx modules path: "/usr/local/nginx/modules"
  nginx configuration prefix: "/usr/local/nginx/conf"
  nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
  nginx pid file: "/usr/local/nginx/logs/nginx.pid"
  nginx error log file: "/usr/local/nginx/logs/error.log"
  nginx http access log file: "/usr/local/nginx/logs/access.log"
  nginx http client request body temporary files: "client_body_temp"
  nginx http proxy temporary files: "proxy_temp"
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"
[root@localhost nginx-1.12.1]# make
(... build output truncated ...)
make[1]: Leaving directory '/usr/local/src/nginx-1.12.1'
[root@localhost nginx-1.12.1]# make install
(... install output truncated ...)
make[1]: Leaving directory '/usr/local/src/nginx-1.12.1'
[root@localhost nginx-1.12.1]#
Look again: nginx -V now shows the extra argument --with-http_ssl_module. Note that make install has overwritten /usr/local/nginx/sbin/nginx in place while the old master process is still running; that process keeps using the old, SSL-less image until nginx is restarted.
[root@localhost nginx-1.12.1]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@localhost nginx-1.12.1]# 

[root@localhost nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx-1.12.1]# 
[root@localhost nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5682/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      874/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1783/master         
tcp6       0      0 :::3306                 :::*                    LISTEN      1578/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      874/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1783/master
Something is wrong here: nothing is listening on port 443, so a mistake was made somewhere.
The cause: ssl.conf was created directly under conf/ instead of under vhost/, and nginx.conf only includes the files in conf/vhost/, so the new server block was never loaded. That is also why nginx -t passed earlier even though the binary had no SSL module: it never saw the ssl directives. Delete the ssl.conf under conf/, create it again under vhost/ with the same content, and restart nginx; a restart rather than -s reload is needed anyway, because a reload keeps the old master process and its pre-SSL binary.
Delete the ssl.conf under conf/,
then go to the vhost directory and create ssl.conf again with the configuration above:
[root@localhost conf]# cd vhost/
[root@localhost vhost]# vim ssl.conf
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  OK  ]
[root@localhost vhost]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5682/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      874/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1783/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5682/nginx: master  
tcp6       0      0 :::3306                 :::*                    LISTEN      1578/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      874/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1783/master         
[root@localhost vhost]#
Create a test file in the aming.com directory, then try curl:
[root@localhost vhost]# cd /data/wwwroot/aming.com/
[root@localhost aming.com]# ls
[root@localhost aming.com]# vim 1.txt
This is ssl.
:wq

[root@localhost aming.com]# mv 1.txt index.html
[root@localhost aming.com]# curl -x12.0.0.1:443 https://aming.com/
curl: (7) Failed connect to 12.0.0.1:443; Connection refused
[root@localhost aming.com]#
That does not work, for two reasons: the address was mistyped (12.0.0.1 instead of 127.0.0.1), and in any case -x makes curl treat the target as an HTTP proxy and send a CONNECT request, which a plain TLS server block does not handle. Point the name at the local host through /etc/hosts instead (with curl alone, --resolve aming.com:443:127.0.0.1 does the same without touching the hosts file):
[root@localhost aming.com]# vi /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.202.131 www.qq123.com www.13.com www.aming.com
127.0.0.1 www.13.com aming.com
:wq

[root@localhost aming.com]# curl https://aming.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[root@localhost aming.com]#
  • The certificate is rejected as untrusted because we issued it ourselves: no CA in curl's bundle signed it. For a quick lab check, curl -k https://aming.com/ skips verification (never do that in scripts that talk to real services). curl --cacert /usr/local/nginx/conf/aminglinux.crt https://aming.com/ would trust our certificate explicitly, but would still fail here because its Common Name is aminglinux rather than aming.com.

  • So the setup itself works. To try it from a browser, add aming.com to the Windows hosts file as well.

  • After saving, open https://aming.com in the browser.

  • If it cannot be reached, check the firewall:

[root@localhost aming.com]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 8573   12M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   13   936 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  762 67198 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  762 67198 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  762 67198 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   21  2296 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  736 64646 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

(... FORWARD, OUTPUT and the remaining firewalld zone chains omitted; the chain that decides what the public zone accepts is this one ...)

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   208 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW

[root@localhost aming.com]# iptables -F
[root@localhost aming.com]#
  • Only tcp/22 is allowed in, so connections to 443 (and 80) fall through to the final REJECT. iptables -F flushes every rule and, with the INPUT policy at ACCEPT, leaves every port open; acceptable on a lab VM, but on a real host open only the port you need with the firewalld tooling (firewall-cmd --permanent --add-service=https, then firewall-cmd --reload). These chains belong to firewalld, so a firewalld restart will put the flushed rules back.

  • When the certificate is not trusted the browser shows the red, struck-through https indicator instead of the green padlock, because it cannot validate the chain.

  • For HTTPS without warnings you need a certificate issued by a CA that browsers trust; the course suggests buying one from WoSign (沃通), but note that WoSign's roots were distrusted by the major browsers in 2016-2017, so use any CA that is currently trusted.
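The problems this section ran into or left in place (the file that nginx.conf never included, "ssl on", the TLSv1/TLSv1.1 line) can all be caught before restarting nginx. As an added example that is not part of the course material, here is a POSIX shell audit of a vhost file. It only reads the file's text (no nginx, no network), and the two sample configs are constructed here: the first is the page's ssl.conf as saved under conf/, the second a hardened rewrite using "listen 443 ssl" and TLS 1.2/1.3 (the TLSv1.3 value itself needs nginx 1.13 or later built against OpenSSL 1.1.1 or later, newer than the lab's 1.12.1 and 1.0.2k).

```shell
#!/bin/sh
# Added example, not part of the course: a text-level audit of an nginx SSL
# vhost for the mistakes this section made. Assumptions, labelled: it inspects
# one file's text only, and both sample configs below are constructed here.

# audit_ssl_vhost <file>  -> prints one finding per line, nothing when clean
audit_ssl_vhost() {
    f=$1
    # 1. The section's actual bug: the file must live where nginx.conf includes
    #    it (conf/vhost/), otherwise nginx -t passes and 443 never opens.
    case $f in
        */vhost/*) ;;
        *) echo "not under a vhost/ directory, nginx.conf will not include it" ;;
    esac
    # 2. 'ssl on;' is deprecated (nginx 1.15.0+); the listen directive takes 'ssl'.
    grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f" &&
        echo "'ssl on;' is deprecated, use 'listen 443 ssl;'"
    grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]*;' "$f" &&
        echo "'listen 443;' without the ssl parameter"
    # 3. TLSv1 and TLSv1.1 are obsolete. 'TLSv1.2' must not trigger, so the
    #    token has to end at whitespace or the semicolon.
    grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' "$f" &&
        echo "TLSv1/TLSv1.1 enabled"
    # 4. No ssl_protocols line at all means the build default applies silently.
    grep -Eq '^[[:space:]]*ssl_protocols' "$f" ||
        echo "no ssl_protocols directive, build default in effect"
    return 0
}

# count_findings <file> -> number of findings as a plain integer
count_findings() { audit_ssl_vhost "$1" | wc -l | tr -d ' '; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/conf/vhost"

# Constructed: the page's ssl.conf, saved where the page first put it (conf/).
cat > "$WORK/conf/ssl.conf" <<'EOF'
server
{
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF

# Constructed: the same vhost rewritten for a current nginx/OpenSSL build.
cat > "$WORK/conf/vhost/ssl.conf" <<'EOF'
server
{
    listen 443 ssl;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF

echo "== page's ssl.conf ($(count_findings "$WORK/conf/ssl.conf") findings) =="
audit_ssl_vhost "$WORK/conf/ssl.conf"
echo "== hardened ssl.conf ($(count_findings "$WORK/conf/vhost/ssl.conf") findings) =="
audit_ssl_vhost "$WORK/conf/vhost/ssl.conf"
```

Run it with sh; expect four findings for the page's file and none for the rewrite. A text check like this complements rather than replaces nginx -t and a real probe of the running server with openssl s_client -connect aming.com:443 -servername aming.com.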

  • Extensions

  • Proxying by request URI http://ask.apelearn.com/question/1049

Nginx proxying by request URI. Scenario: one nginx proxies for four Apache servers. Requirement: proxy to different Apache servers depending on the request URI.

The nginx configuration file is:
upstream aa.com {
    server 192.168.0.121;
    server 192.168.0.122;
}
upstream bb.com {
    server 192.168.0.123;
    server 192.168.0.124;
}
server {
    listen       80;
    server_name  www.abc.com;
    location ~ aa.php
    {
        proxy_pass http://aa.com/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location ~ bb.php
    {
        proxy_pass http://bb.com/;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Choosing the backend web server by requested directory http://ask.apelearn.com/question/920
Nginx proxying: choosing the backend by the requested directory
My requirement: when the requested directory is /aaa/, send the request to machine a; when it is /bbb/, send it to machine b; any request other than /aaa/ and /bbb/ goes to machine b.
My configuration file is:
upstream aaa.com
{
            server 192.168.111.6;
}
upstream bbb.com
{
            server 192.168.111.20;
}
server {
        listen 80;
        server_name li.com;
        location /aaa/
        {
            proxy_pass http://aaa.com/aaa/;
            proxy_set_header Host   $host;
            proxy_set_header X-Real-IP      $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location /bbb/
        {
            proxy_pass http://bbb.com/bbb/;
            proxy_set_header Host   $host;
            proxy_set_header X-Real-IP      $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location /
        {
            proxy_pass http://bbb.com/;
            proxy_set_header Host   $host;
            proxy_set_header X-Real-IP      $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}
Notes: 1. The names aaa.com and bbb.com in the configuration above are arbitrary; write whatever you like. 2. An upstream can list several servers, for example

upstream aaa.com
{
            server 192.168.111.6;
            server  192.168.111.4;
            server  192.168.111.5;
}
3. The directory in proxy_pass http://aaa.com/aaa/ is required; without it the request goes to the root. 4. In fact the location /bbb/ block in the configuration above can be omitted, because the later location / already covers /bbb/, so bbb.com is reached even without defining location /bbb/.
Nginx session persistence http://www.apelearn.com/bbs/thread-6545-1-1.html
Nginx proxying to several machines causes login problems; solved with session persistence ("long connections")
Troubleshooting experience. The site runs Discuz X3. Everything works except login: after logging in, the user is immediately shown as logged out, and after one or more refreshes appears logged in again.
This is obviously a session problem: there are several web machines behind the proxy; when the user logs in, the login session is stored on the current web machine, but the next request goes to another machine, where the session cannot be found. There are two ways to solve it:
Replicate the session to the other machines in real time.
Make the front-end scheduler keep the session, that is, forward a given user's requests to one fixed machine for a period of time. Of the two, the second is easier to implement.
I am using nginx as the proxy, and nginx has a balancing method that supports this; the configuration is:
upstream test {
            ip_hash;
            server 192.168.109.5;
            server 192.168.109.3;
}
The key line is ip_hash: with it nginx keeps forwarding a user's requests to the same backend machine.
  • Analysis of nginx balancing algorithms http://blog.sina.com.cn/s/blog_72995dcc01016msi.html

