
Nginx on Linux: load balancing, how SSL works, generating an SSL key pair, and configuring SSL in Nginx


Nginx load balancing

1. Look up the IP addresses behind www.qq.com to use as test backends

[root@gary-tao ~]# yum install -y bind-utils   # installs the dig command
[root@gary-tao ~]# dig www.qq.com


; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> www.qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5335
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0


;; QUESTION SECTION:
;www.qq.com.            IN  A


;; ANSWER SECTION:
www.qq.com.     5   IN  A   59.37.96.63
www.qq.com.     5   IN  A   14.17.42.40
www.qq.com.     5   IN  A   14.17.32.211


;; Query time: 6 msec
;; SERVER: 172.16.111.2#53(172.16.111.2)
;; WHEN: Fri Jan 05 21:14:15 CST 2018
;; MSG SIZE  rcvd: 76

2. Edit the configuration file

[root@gary-tao ~]# cd /usr/local/nginx/conf/vhost/
[root@gary-tao vhost]# vi ld.conf

Add the following configuration:

upstream qq_com      # upstream names a pool of backend web servers
{
    ip_hash;         # pin each client (by the first three octets of its IPv4 address) to one backend
    server 59.37.96.63;
    server 14.17.42.40;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass      http://qq_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        # appends the connecting address to any X-Forwarded-For the client already sent;
        # the backend must not trust the earlier, client-supplied entries
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}




[root@gary-tao vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@gary-tao vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@gary-tao vhost]# curl -x127.0.0.1:80 www.qq.com

Testing with curl confirms that requests are proxied to the qq.com backends (the original post shows the output as a screenshot).
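To make ip_hash concrete, here is an added example (not part of the original post) that models nginx's ip_hash peer selection in a few lines of shell. It follows the algorithm in ngx_http_upstream_ip_hash_module.c: the hash starts at 89, each of the first three octets of the client's IPv4 address is folded in as hash = (hash * 113 + octet) % 6271, and hash % total_weight selects the peer (all weights are 1 here; IPv6, where nginx hashes all 16 bytes, is left out). The backends are the two from the upstream block above; the client addresses are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: a stand-alone model of nginx's ip_hash
# peer selection, mirroring ngx_http_upstream_ip_hash_module.c (hash seeded with 89,
# hash = (hash * 113 + octet) % 6271 over the first three octets of an IPv4 address,
# then hash % total_weight walked across the peers). All backends have weight 1 here.

# ip_hash_pick CLIENT_IP BACKEND... -> prints the backend the client is pinned to
ip_hash_pick() {
    ip=$1
    shift
    # only the first three octets take part, so a whole /24 maps to one backend
    o1=${ip%%.*}; rest=${ip#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}
    hash=89
    for octet in "$o1" "$o2" "$o3"; do
        hash=$(( (hash * 113 + octet) % 6271 ))
    done
    # with equal weights, hash % total_weight is simply the peer index
    idx=$(( hash % $# ))
    shift "$idx"
    printf '%s\n' "$1"
}

# count_backend_hits BACKEND CLIENT_IP... -> how many of the given clients land on BACKEND
# (the pool is the two backends from the upstream block above)
count_backend_hits() {
    target=$1
    shift
    hits=0
    for client in "$@"; do
        if [ "$(ip_hash_pick "$client" 59.37.96.63 14.17.42.40)" = "$target" ]; then
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Constructed client addresses. When nginx sits behind another proxy or load balancer,
# $remote_addr is that proxy's address for every request, so ip_hash pins all traffic
# to a single backend: X-Forwarded-For plays no part in the hash.
direct_clients="192.168.1.10 192.168.1.200 10.0.0.1 172.16.5.77 203.0.113.9"
behind_proxy="10.0.0.1 10.0.0.1 10.0.0.1 10.0.0.1 10.0.0.1"

for c in $direct_clients; do
    printf '%-15s -> %s\n' "$c" "$(ip_hash_pick "$c" 59.37.96.63 14.17.42.40)"
done
printf 'behind a proxy: %s of 5 requests hit 14.17.42.40\n' "$(count_backend_hits 14.17.42.40 $behind_proxy)"
```

Two things fall out of it. Clients in the same /24 always reach the same backend, which is what makes locally stored sessions work. And the hash is computed from the TCP peer address, not from X-Forwarded-For: when another proxy or load balancer sits in front of this Nginx, every request arrives from that proxy's address and ip_hash sends all of them to one backend.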

How SSL works

HTTPS is HTTP carried over an encrypted (SSL/TLS) connection. If plain HTTP traffic is intercepted in transit, the packets can be read outright, and they routinely carry usernames, passwords, phone numbers and other sensitive data; with HTTPS an intercepted packet cannot be decrypted by the interceptor.


How the SSL handshake proceeds (the RSA key-exchange variant described in the original)
  1. The browser sends an HTTPS request to the server.
  2. The server must hold a certificate and the matching private key. The certificate can be self-signed (the one made later in this post is) or issued by a certificate authority; the difference is that a self-signed certificate fails the client's trust check and the browser shows a warning page the user has to click through, whereas a certificate from a trusted CA produces no prompt. The certificate carries the public key; the private key stays on the server.
  3. The server sends the certificate, and with it the public key, to the client.
  4. The client (the browser) checks that the certificate is valid: signed by a trusted issuer, not expired, and issued for the hostname being visited. If the check fails it warns the user; if it passes, the client generates a random secret and encrypts it with the server's public key.
  5. The client sends the encrypted random secret to the server.
  6. The server decrypts it with its private key (what the public key encrypts, only the private key can decrypt) and now shares the random secret with the client. From here on the data is protected by symmetric encryption keyed with that secret: the same key both encrypts and decrypts, so anyone who does not hold the secret cannot read the traffic.
  7. The server sends the encrypted data to the client.
  8. The client decrypts it with its own copy of the random secret.

This is the RSA key-transport handshake of TLS 1.2 and earlier. TLS 1.3 no longer encrypts the secret with the server's public key: client and server derive it with an ephemeral Diffie-Hellman exchange and the certificate's key only signs the handshake, so a later compromise of the private key does not expose recorded sessions.
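The exchange in steps 3 to 8, played out with the openssl command-line tool, as an added example that is not part of the original post. Files in a temporary directory stand in for the messages on the wire: the "server" holds server.key, the "client" sees only server.pub (which is what a certificate would carry), and the application data is the "This is ssl." page served later in the post. OAEP padding is used for the RSA step, which is the right choice for new code even though TLS 1.2 itself uses PKCS#1 v1.5; the last function shows that a third party who captured the encrypted secret but holds a different private key recovers nothing. It assumes the openssl command is installed.

```sh
#!/bin/sh
# Added example, not from the original post: the RSA key-transport exchange from steps
# 3-8 above, played out with the openssl command-line tool. Files stand in for network
# messages; "server" and "client" share nothing but the directory. Requires openssl.

work=$(mktemp -d)

# Server side: the long-term RSA key pair. In a real deployment the certificate carries
# the public half (server.pub); the private half never leaves the server.
openssl genrsa -out "$work/server.key" 2048 2>/dev/null
openssl rsa -in "$work/server.key" -pubout -out "$work/server.pub" 2>/dev/null

# rsa_key_transport WORKDIR -> prints the plaintext the client recovers in step 8
rsa_key_transport() {
    w=$1
    # step 4: the client draws a random secret (the pre-master secret)
    openssl rand -hex 32 > "$w/client_secret"
    # step 5: ... and encrypts it under the server's public key (OAEP padding)
    openssl pkeyutl -encrypt -pubin -inkey "$w/server.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$w/client_secret" -out "$w/secret.enc"
    # step 6: only the holder of server.key can recover it
    openssl pkeyutl -decrypt -inkey "$w/server.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$w/secret.enc" -out "$w/server_secret"
    # steps 6-7: the server encrypts application data with the shared secret (symmetric)
    printf 'This is ssl.' | openssl enc -aes-256-cbc -pbkdf2 \
        -pass "file:$w/server_secret" -out "$w/data.enc"
    # step 8: the client decrypts with its own copy of the same secret
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$w/client_secret" -in "$w/data.enc"
}

# eavesdropper_recovers_secret WORKDIR -> "yes" or "no": an attacker who captured
# secret.enc but holds a different private key cannot decrypt it (OAEP rejects it)
eavesdropper_recovers_secret() {
    w=$1
    openssl genrsa -out "$w/attacker.key" 2048 2>/dev/null
    if openssl pkeyutl -decrypt -inkey "$w/attacker.key" -pkeyopt rsa_padding_mode:oaep \
          -in "$w/secret.enc" -out "$w/attacker_secret" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

rsa_key_transport "$work"
echo
eavesdropper_recovers_secret "$work"
```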

Generating an SSL key pair

1. Change to the directory where the key and certificate will live:

[root@gary-tao ~]# cd /usr/local/nginx/conf/
[root@gary-tao conf]# 

2. Generate the private key (the .key file; 2048 is the RSA key length in bits)

[root@gary-tao conf]# rpm -qf `which openssl`   # shows which package provides openssl; if it is missing, install it with yum install -y openssl
openssl-1.0.2k-8.el7.x86_64
[root@gary-tao conf]# openssl genrsa -des3 -out tmp.key 2048   # generate the private key; 2048 is the key length in bits; OpenSSL rejects a passphrase shorter than 4 characters
Generating RSA private key, 2048 bit long modulus
.+++
..........+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
3. Convert the key to strip the passphrase (-in names the input key, -out the output)

[root@gary-tao conf]# openssl rsa -in tmp.key -out aminglinux.key   # rewrites tmp.key as aminglinux.key without the passphrase: a passphrase-protected key would have to be typed in every time Nginx loads it, so the key is stored unencrypted and must be protected by file permissions instead
Enter pass phrase for tmp.key:
writing RSA key

4. Delete the passphrase-protected key

[root@gary-tao conf]# rm -f tmp.key

5. Generate the certificate signing request (CSR)

[root@gary-tao conf]# openssl req -new -key aminglinux.key -out aminglinux.csr   # the CSR is signed with the private key in the next step to produce the certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:xi
State or Province Name (full name) []:tao
Locality Name (eg, city) [Default City]:xie
Organization Name (eg, company) [Default Company Ltd]:lin
Organizational Unit Name (eg, section) []:apa
Common Name (eg, your name or your server's hostname) []:dfd
Email Address []:adming 


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:szyino-123
An optional company name []:fdaf
Note: because the certificate is self-signed these fields can be filled in arbitrarily, with one exception: the Common Name should be the hostname the server will be reached by (aming.com below, not dfd), and modern browsers additionally require that name in a subjectAltName extension, which the interactive prompts do not add.

6. Sign the CSR with the private key to produce the certificate

[root@gary-tao conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt   # aminglinux.crt is the self-signed certificate (it carries the public key); -days 365 makes it valid for one year
Signature ok  
subject=/C=xi/ST=tao/L=xie/O=lin/OU=apa/CN=dfd/emailAddress=adming
Getting Private key
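The same steps, scripted so they run without prompts and followed by the checks worth doing before pointing Nginx at the files; an added example, not part of the original post. It assumes the openssl command is available, uses aming.com as the hostname (the server_name configured below) and writes into a temporary directory rather than /usr/local/nginx/conf. Unlike the interactive run above it sets the Common Name to the hostname, adds a subjectAltName, and tightens the private key's permissions, since the key has no passphrase.

```sh
#!/bin/sh
# Added example, not from the original post: steps 2-6 above done non-interactively,
# plus the properties a practitioner checks before handing the files to Nginx.
# Requires openssl. Hostname and output directory are the caller's choice.

# make_selfsigned_cert HOST OUTDIR -> writes OUTDIR/HOST.key, HOST.csr and HOST.crt
make_selfsigned_cert() {
    host=$1; out=$2
    mkdir -p "$out"
    # Private key with no passphrase (Nginx must read it at startup without a prompt),
    # so file permissions are the only thing protecting it.
    openssl genrsa -out "$out/$host.key" 2048 2>/dev/null
    chmod 600 "$out/$host.key"
    # CSR: -subj replaces the interactive prompts; the CN is the name clients will use.
    openssl req -new -key "$out/$host.key" -subj "/CN=$host" -out "$out/$host.csr"
    # Self-sign for one year and add a subjectAltName: browsers match the requested
    # hostname against the SAN, not the CN.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$out/$host.ext"
    openssl x509 -req -days 365 -in "$out/$host.csr" -signkey "$out/$host.key" \
        -extfile "$out/$host.ext" -out "$out/$host.crt" 2>/dev/null
}

# cert_matches_key CRT KEY -> "yes" when the certificate's public key belongs to KEY
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    if [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]; then echo yes; else echo no; fi
}

# cert_names_host CRT HOST -> "yes" when HOST appears as a DNS subjectAltName
cert_names_host() {
    if openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"; then echo yes; else echo no; fi
}

# cert_trusted_by CRT CAFILE -> "yes" when CRT verifies against CAFILE; a self-signed
# certificate verifies only against itself, which is why curl later needs --cacert or -k
cert_trusted_by() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

demo_dir=$(mktemp -d)
make_selfsigned_cert aming.com "$demo_dir"
openssl x509 -noout -subject -dates -in "$demo_dir/aming.com.crt"
echo "key matches:  $(cert_matches_key "$demo_dir/aming.com.crt" "$demo_dir/aming.com.key")"
echo "names host:   $(cert_names_host "$demo_dir/aming.com.crt" aming.com)"
echo "self-trusted: $(cert_trusted_by "$demo_dir/aming.com.crt" "$demo_dir/aming.com.crt")"
```

cert_trusted_by shows why curl complains later in the post: the certificate verifies only when it is itself supplied as the trust anchor, and against the system CA bundle it is simply unknown.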

Configuring SSL in Nginx

1. Create the SSL virtual host configuration

[root@gary-tao conf]# vim /usr/local/nginx/conf/vhost/ssl.conf

Add the following:

server
{
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;  # enable SSL for this server; on nginx 1.15.0 and later use "listen 443 ssl;" instead, as "ssl on" was deprecated there and removed in 1.25.1
    ssl_certificate aminglinux.crt;  # the certificate (carries the public key); a relative path is resolved against the conf directory
    ssl_certificate_key aminglinux.key;  # the private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 alone is the minimum today
}
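For comparison, here is the same virtual host as a practitioner would write it today, with the weak settings above corrected; an added example, not from the original post. It uses the certificate and key generated above and the document root created in the next step, and adds a plain-HTTP server that only redirects. TLSv1.3 needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later; on the nginx 1.12.1 / OpenSSL 1.0.2k build in this post, list TLSv1.2 alone.

```nginx
# Added example, not from the original post: hardened form of the ssl.conf above.
server {
    listen 80;
    server_name aming.com;
    # plain HTTP only redirects, so credentials never travel in the clear
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;                        # replaces "ssl on;", which was removed in nginx 1.25.1
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;

    ssl_certificate     aminglinux.crt;    # the certificate; relative to the conf directory
    ssl_certificate_key aminglinux.key;    # the private key; keep it mode 0600, owned by root

    ssl_protocols TLSv1.2 TLSv1.3;         # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
    ssl_prefer_server_ciphers off;         # let modern clients choose their best AEAD suite
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;               # tickets undermine forward secrecy unless the ticket key is rotated

    add_header Strict-Transport-Security "max-age=63072000" always;
}
```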

2. Create the aming.com document root

[root@gary-tao conf]# mkdir /data/wwwroot/aming.com

3. Test the syntax

At this point nginx -t fails (the original post shows the error only as a screenshot): the nginx binary was compiled without SSL support, so the ssl directives are unknown to it. Nginx has to be recompiled with --with-http_ssl_module, after which -t passes and -s reload picks up the new virtual host. The successful output below was captured after the rebuild:

[root@gary-tao nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Fix:

Go to the Nginx source tree and reconfigure with ./configure --prefix=/usr/local/nginx --with-http_ssl_module, then rebuild. Note that make install replaces /usr/local/nginx/sbin/nginx (the previous binary is kept as nginx.old) and leaves the existing nginx.conf untouched:

[root@gary-tao conf]# cd /usr/local/src/nginx-1.12.1
[root@gary-tao nginx-1.12.1]# ./configure --help | grep -i ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
[root@gary-tao nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@gary-tao nginx-1.12.1]# echo $?
0
[root@gary-tao nginx-1.12.1]# make
[root@gary-tao nginx-1.12.1]# make install
[root@gary-tao nginx-1.12.1]# /usr/local/nginx/sbin/nginx -V   # the configure arguments now include --with-http_ssl_module; the syntax test passes after this
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module

After restarting Nginx, it is also listening on port 443:

[root@gary-tao nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  OK  ]
[root@gary-tao nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      79269/nginx: master 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1237/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      79269/nginx: master 
tcp6       0      0 :::3306                 :::*                    LISTEN      1166/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1237/master 

4. Create a test page

[root@gary-tao nginx-1.12.1]# cd /data/wwwroot/aming.com/
[root@gary-tao aming.com]# ls
[root@gary-tao aming.com]# vim index.html

Add the following line:

This is ssl.

5. Edit the local hosts file

[root@gary-tao aming.com]# vi /etc/hosts

Add one record: 127.0.0.1 aming.com

6. Test with curl

[root@gary-tao aming.com]# curl https://aming.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html


curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Explanation: curl rejects the certificate because it was issued by us rather than by a CA in curl's trust bundle; the HTTPS server itself is working. Rather than -k, which turns verification off entirely, the self-signed certificate can be passed as the trust anchor with the --cacert option. With the certificate generated above that check would still fail, because its Common Name is dfd while the URL names aming.com; the CSR has to be issued for the real hostname (with a matching subjectAltName) for the name check to pass.

7. Access it from a browser

First add an entry for aming.com to the Windows hosts file. If the page cannot be reached, check whether the server has a firewall in place with iptables -nvL; if it does, either flush the rules with iptables -F or, better on anything but a throwaway lab machine, add a rule that permits TCP port 443.


Note: the browser reports the connection as not secure because the certificate is not trusted by the browser. To continue, click "Advanced", then "Add Exception", and confirm the security exception in the dialog that appears; the site content is then displayed.
