
Nginx load balancing, how SSL works, generating an SSL key pair, configuring SSL in Nginx


12.17 Nginx load balancing

Nginx load balancing: when the proxy server resolves a custom domain to several backend IPs, an upstream block ensures that users reach each of those IPs normally through the proxy.

  • Edit the configuration file



#configuration
upstream qq #the name is arbitrary
{
    ip_hash;
        #purpose: keep the same user on the same server,
        #i.e. when the domain points to several IPs, each user always resolves to the same IP
    server 61.135.157.156:80;
    server 125.39.240.113:80;
        #IPs of the web servers
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}


  • Install dig

#install with yum
[root@taoyuan ~]# yum install -y bind-utils
#dig is a DNS lookup command; it can return several IPs



  • Test




#curl test
[root@taoyuan ~]# curl -x127.0.0.1:80 www.qq.com
Hello default .
#the default virtual host answers


#check the syntax && reload
[root@taoyuan ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@taoyuan ~]# /usr/local/nginx/sbin/nginx -s reload


[root@taoyuan ~]# curl -x127.0.0.1:80 www.qq.com
#the result was shown in a screenshot (not preserved here)
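
As an added example (not code from the original post), the following shell script reproduces the ip_hash selection nginx applies to the upstream above, so you can see which backend a given client address lands on; the client addresses and the server count are constructed, and all servers are assumed to have weight 1 as in the "qq" upstream.

```shell
#!/bin/sh
# Reproduces nginx's ip_hash peer selection (ngx_http_upstream_ip_hash_module)
# for an upstream whose servers all have weight 1, like "qq" above.
# Only the first three octets of an IPv4 client address feed the hash, so every
# client in the same /24 lands on the same backend, and a proxy or CDN in front
# of nginx (one source address for all clients) pins everything to one server.
# Constructed example, not code from the original post.

# ip_hash_select CLIENT_IP N_SERVERS -> prints the 0-based index of the chosen server
ip_hash_select() {
    ip=$1
    n=$2
    h=89                                  # nginx's initial hash value
    i=0
    for octet in $(printf '%s\n' "$ip" | tr '.' ' '); do
        i=$((i + 1))
        [ "$i" -gt 3 ] && break            # the fourth octet is ignored
        h=$(( (h * 113 + octet) % 6271 ))
    done
    echo $(( h % n ))
}

# Which of the two servers in "qq" each client reaches: the first two share a
# /24 and get the same backend; the third is in another /24 and may differ.
# To take a backend out temporarily, mark it "down" in the upstream instead of
# deleting the line, otherwise n changes and every client is re-hashed.
for client in 10.0.0.1 10.0.0.200 10.0.1.1; do
    echo "$client -> server index $(ip_hash_select "$client" 2)"
done
```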

Note: Nginx does not support proxying HTTPS, only HTTP; newer Nginx versions can proxy TCP.

HTTP, HTTPS, TCP

HTTP (HyperText Transfer Protocol) is the most widely used network protocol on the Internet.
HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel designed with security as its goal; put simply, it is the secure version of HTTP. HTTPS is built from SSL plus HTTP and provides encrypted transport and identity authentication, which makes it more secure than HTTP.
HTTP uses port 80 by default; HTTPS uses port 443.
TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream transport-layer protocol defined by IETF RFC 793. It listens on port 80 by default.

12.18 How SSL works

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide confidentiality and data integrity for network communication.



  • Workflow

(workflow diagram not preserved)

  • The browser sends an HTTPS request to the server;
  • The server must have a digital certificate. It can be self-made (the steps later in this post use a certificate Aming made himself) or requested from an organization; the difference is that a self-issued certificate must pass verification on the client before access can continue, whereas a certificate obtained from a trusted company does not trigger a warning page. This certificate is really a pair of keys, one public and one private;
  • The server sends the public key to the client;
  • After receiving the public key, the client (browser) verifies whether it is legitimate and valid. If it is invalid, a warning is shown; if it is valid, the client generates a random string and encrypts it with the received public key;
  • The client sends the encrypted random string to the server;
  • After receiving the encrypted random string, the server first decrypts it with its private key (public key encrypts, private key decrypts). Having obtained the random string, it uses it to encrypt the data it transmits (this is symmetric encryption: the data and the key, i.e. this random string, are mixed together by some algorithm, so nobody can recover the data without knowing the key);
  • The server sends the encrypted data to the client;
  • After receiving the data, the client decrypts it with its own key, that same random string.

12.19 Generating an SSL key pair

  • Enter the conf directory

[root@taoyuan ~]# cd /usr/local/nginx/conf/

  • Tools

  1. The openssl tool is needed to generate the keys;
  2. Use rpm -qf `which openssl` to find out which package provides the command

#if it is missing, install it
[root@taoyuan conf]# rpm -qf `which openssl`
openssl-1.0.2k-8.el7.x86_64


#install
[root@taoyuan conf]# yum install -y openssl-1.0.2k-8.el7.x86_64

  • The .key file is the private key



#generate the key
[root@taoyuan conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................+++
........+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
Verify failure
User interface error
140423990957984:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:385:
#2048 is the key length; a passphrase must be entered (the Verify failure above means the two passphrase entries did not match; run the command again and type the same passphrase twice)

  • Convert the key to remove the passphrase



[root@taoyuan conf]# openssl rsa -in tmp.key -out taoyuan.key
Enter pass phrase for tmp.key:
writing RSA key
#a passphrase is inconvenient, so remove it
#next, generate the certificate request file; together with the private key it produces the public key (certificate) file

  • Remove the temporary key



[root@taoyuan conf]# rm -f tmp.key

  • Generate the certificate request file



#command
[root@taoyuan conf]# openssl req -new -key taoyuan.key -out taoyuan.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#enter some information, or just press Enter to accept the defaults

  • Generate the public key (certificate)

[root@taoyuan conf]# openssl x509 -req -days 365 -in taoyuan.csr -signkey taoyuan.key -out taoyuan.crt 
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key


[root@taoyuan conf]# ls taoyuan.*
taoyuan.crt  taoyuan.csr  taoyuan.key
#taoyuan.crt here is the certificate, i.e. the public key
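
A few checks worth running on the generated files before pointing nginx at them, as an added example that is not part of the original post; it assumes the file names from this section (taoyuan.key, taoyuan.crt), the server name taoyuan.com used later, and only the openssl command already installed above.

```shell
#!/bin/sh
# Checks for the files generated above (taoyuan.key, taoyuan.csr, taoyuan.crt)
# before pointing nginx at them. Added example, not code from the original post;
# it needs only the openssl command already used in the tutorial.

# pair_matches KEY CRT -> true when the certificate carries KEY's public key
# (identical RSA modulus). Catches a key/certificate mix-up before a reload.
pair_matches() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# cert_has_name CRT NAME -> true when NAME is the subject CN or a DNS SAN.
# The CSR above left Common Name blank, so even a client that trusts the
# self-signed issuer would still reject the certificate for taoyuan.com.
cert_has_name() {
    openssl x509 -noout -subject -in "$1" | grep -q "CN *= *$2" && return 0
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# cert_valid_for_days CRT DAYS -> true when the certificate is still valid in
# DAYS days (the one above was issued with -days 365, so plan its renewal).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Run against the tutorial's files from /usr/local/nginx/conf:
#   pair_matches taoyuan.key taoyuan.crt || echo "key and certificate differ"
#   cert_has_name taoyuan.crt taoyuan.com || echo "certificate lacks taoyuan.com"
#   cert_valid_for_days taoyuan.crt 30 || echo "renew within 30 days"
```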

12.20 Configuring SSL in Nginx

  • Configure ssl.conf // add the following content



server
{
    listen 443;
    server_name taoyuan.com;
    index index.html index.php;
    root /data/wwwroot/taoyuan.com;
    ssl on;
    ssl_certificate taoyuan.crt;
    ssl_certificate_key taoyuan.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

  • -t && -s reload




#error: unknown directive "ssl"
[root@taoyuan conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed


#nginx must be recompiled with --with-http_ssl_module


#check the source package
[root@taoyuan conf]# cd /usr/local/src/nginx-1.8.0/
[root@taoyuan nginx-1.8.0]# ./configure --help |grep -i ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL


#recompile nginx
[root@taoyuan nginx-1.8.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module


#make && make install
#-t, then restart
[root@taoyuan nginx-1.8.0]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful


[root@taoyuan nginx-1.8.0]# /usr/local/nginx/sbin/nginx restart
nginx: invalid option: "restart"
[root@taoyuan nginx-1.8.0]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  確定  ]


#check the listening ports
[root@taoyuan nginx-1.8.0]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4622/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1000/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1371/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4622/nginx: master  
tcp6       0      0 :::22                   :::*                    LISTEN      1000/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1371/master         
tcp6       0      0 :::3306                 :::*                    LISTEN      1329/mysqld         

  • Create a test file



[root@taoyuan nginx-1.8.0]# mkdir /data/wwwroot/taoyuan.com


#create the test file
[root@taoyuan nginx-1.8.0]# echo "ssl test page." > /data/wwwroot/taoyuan.com/index.html

  • Test



[root@taoyuan nginx-1.8.0]# vi /etc/hosts
# edit hosts and add 127.0.0.1 taoyuan.com


[root@taoyuan nginx-1.8.0]# curl https://taoyuan.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html


curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
#curl cannot reach taoyuan.com directly; /etc/hosts has to be edited with vi first
#this output means the test succeeded: the server answers on 443, and curl rejects only the self-signed issuer

Further reading
502 problem roundup http://ask.apelearn.com/question/9109

location priority http://blog.lishiming.net/?p=100
