2018-3-16 Week 12, Lesson 5: Nginx load balancing, SSL principles, keys and configuration
Load balancing: list several backend IPs inside an upstream block.
How do you find the IPs a site resolves to? Use the dig command; it comes from the bind-utils package.
[root@localhost ~]# yum install -y bind-utils
(output omitted)
[root@localhost ~]# dig qq.com
(the answer section lists the site's two server IPs; output not recorded here)
[root@localhost vhost]# vim ld.conf
ip_hash: when two servers serve the site and you want a given client to keep landing on the same one, use ip_hash. It hashes the client address (the first three octets of an IPv4 address, the whole IPv6 address), so all clients behind one NAT share a backend, and if nginx itself sits behind another proxy every request carries that proxy's address and the whole load ends up on a single server.
[root@localhost vhost]# curl -x127.0.0.1:80 www.sina.com.cn
This is the default site.
## before the reload the request still falls through to the default virtual host
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost vhost]# curl -x127.0.0.1:80 www.sina.com.cn
(too much output to paste: it is the site's HTML, served through the upstream)
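What ld.conf can look like, as an added example that is not the file from the notes: a shell function that writes an nginx vhost balancing across two backends with ip_hash, plus a structural check to run before nginx -t. The backend addresses 192.0.2.10/11 are placeholders (the dig output above was not recorded), and the server_name and output path are assumptions.

```shell
# Added example, not the ld.conf from the notes: writes an nginx vhost that
# balances www.qq.com across two backends with ip_hash. 192.0.2.10/11 are
# placeholder addresses (the dig output was not recorded); replace them.
write_lb_vhost() {
    out="$1"    # e.g. /usr/local/nginx/conf/vhost/ld.conf
    cat > "$out" <<'EOF'
upstream qq_com {
    # ip_hash hashes the client address (first three octets of an IPv4
    # address), so a client keeps landing on the same backend while it is
    # up. Caveat: clients behind one NAT share a backend, and if nginx itself
    # sits behind another proxy every request carries that proxy's address
    # and all traffic goes to a single server.
    ip_hash;
    # Passive health check: after 3 failures within 30s a backend is skipped
    # for 30s, then tried again.
    server 192.0.2.10:80 max_fails=3 fail_timeout=30s;
    server 192.0.2.11:80 max_fails=3 fail_timeout=30s;
}

server {
    listen 80;
    server_name www.qq.com;
    location / {
        proxy_pass http://qq_com;
        # Pass the original Host and client address on, so the backends'
        # vhost selection and logs see the real client, not the balancer.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
}

# Quick structural check before "nginx -t": balancing method set, both
# backends present, proxy_pass pointing at the upstream. Returns 0 when
# the file looks right.
check_lb_vhost() {
    grep -q '^ *ip_hash;' "$1" &&
    [ "$(grep -c '^ *server 192\.0\.2\.[0-9]*:80' "$1")" -eq 2 ] &&
    grep -q 'proxy_pass http://qq_com;' "$1"
}
```

Drop the file into vhost/, run nginx -t, then nginx -s reload; the curl -x127.0.0.1:80 test above works the same way with www.qq.com as the host.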
·The browser sends an HTTPS request to the server.
·The server needs a digital certificate. You can make one yourself (self-signed) or obtain one from a certificate authority; with a self-signed certificate the browser shows a warning the user has to click through, with a certificate from a CA the browser already trusts there is no prompt. The certificate carries the server's public key together with the issuer's signature over it; the matching private key never leaves the server.
·The server sends the certificate, and with it the public key, to the client.
·The client (browser) checks that the certificate is valid: signed by a trusted CA, not expired, and issued for the hostname being visited. If the check fails the browser warns; if it passes, the browser generates a random secret and encrypts it with the server's public key.
·The client sends the encrypted random secret to the server.
·The server decrypts it with its private key (encrypted with the public key, decrypted with the private key). Both sides now hold the same random secret, which becomes the symmetric session key, and from here on the data is encrypted with a symmetric cipher under that key: data and key are mixed through an algorithm such as AES, so without the key the content cannot be recovered. Symmetric encryption is used for the bulk data because it is far faster than RSA.
·The server sends the encrypted data to the client.
·The client decrypts it with the same session key, the random secret it generated itself.
This is the RSA key-exchange handshake of TLS 1.2 and earlier, simplified: in real TLS the random value is a pre-master secret, and both sides derive the actual session keys from it together with nonces exchanged in the clear. TLS 1.3 dropped RSA key exchange altogether; the session key is agreed with ephemeral Diffie-Hellman and the certificate is only used to sign the handshake, so a later theft of the server's private key does not expose recorded sessions (forward secrecy).
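The exchange described above, acted out with the openssl CLI as an added example (not from the original notes). "Server" and "client" are just two sets of files in a scratch directory; the session key, IV and message are made up here, and the symmetric step uses plain AES-256-CBC with the bare key rather than TLS's derived keys and record layer.

```shell
# Added example, not from the original notes: the handshake above acted out
# with the openssl CLI. "Server" and "client" are two sets of files in a
# scratch directory; the session key, IV and message are made up here.
rsa_key_transport_demo() {
    w="$1"
    # Server: long-term RSA key pair. The public half is what the certificate
    # carries (signed either by the server itself or by a CA).
    openssl genrsa -out "$w/server.key" 2048 2>/dev/null
    openssl rsa -in "$w/server.key" -pubout -out "$w/server.pub" 2>/dev/null

    # Client: after checking the certificate, draw a random 32-byte session
    # key and encrypt it to the server's public key (RSA PKCS#1 v1.5 here).
    openssl rand -hex 32 > "$w/client.session"
    openssl pkeyutl -encrypt -pubin -inkey "$w/server.pub" \
        -in "$w/client.session" -out "$w/session.enc"

    # Server: only the private key recovers the session key.
    openssl pkeyutl -decrypt -inkey "$w/server.key" \
        -in "$w/session.enc" -out "$w/server.session"

    # Both sides now hold the same symmetric key. Bulk data travels under
    # AES-256-CBC; the IV is random per message and sent in the clear.
    iv=$(openssl rand -hex 16)
    printf 'hello over RSA key transport\n' > "$w/msg.txt"
    openssl enc -aes-256-cbc -K "$(cat "$w/server.session")" -iv "$iv" \
        -in "$w/msg.txt" -out "$w/msg.enc"
    openssl enc -d -aes-256-cbc -K "$(cat "$w/client.session")" -iv "$iv" \
        -in "$w/msg.enc" -out "$w/msg.dec"

    # Exit status 0 when the client read back exactly what the server sent.
    [ "$(cat "$w/msg.txt")" = "$(cat "$w/msg.dec")" ]
}
```

Note what the files show: session.enc is 256 bytes of RSA ciphertext, and anyone who records it and later obtains server.key can decrypt it and every message under that session key. That missing forward secrecy is the reason TLS 1.3 replaced this exchange with ephemeral Diffie-Hellman.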
[root@localhost vhost]# cd /usr/local/nginx/conf/    ## the key and certificate go under conf/
[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048    ## generate the private key, passphrase-protected for now
Generating RSA private key, 2048 bit long modulus
......+++
...................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@localhost conf]# openssl rsa -in tmp.key -out arsenal.key    ## rewrite the key without the passphrase, otherwise nginx asks for it at every start
Enter pass phrase for tmp.key:
writing RSA key
[root@localhost conf]# rm -f tmp.key    ## remove the passphrase-protected copy
[root@localhost conf]# openssl req -new -key arsenal.key -out arsenal.csr
An unencrypted key is only as safe as its file permissions: keep it readable by root alone (mode 600) and out of any web root, backup or repository that others can reach.
This produces the certificate signing request (CSR). openssl req -new asks for the subject fields (country, province, organisation, common name) interactively; the common name should be the hostname clients will use. The CSR is then signed with the private key to produce the certificate file, which is what actually carries the public key. Because we sign it with our own key instead of sending it to a CA, the result is a self-signed certificate, which is why browsers warn about it later.
[root@localhost conf]# openssl x509 -req -days 365 -in arsenal.csr -signkey arsenal.key -out arsenal.crt
Signature ok
subject=/C=cn/ST=nj/L=nj/O=60/CN=arsenal/[email protected]
Getting Private key
[root@localhost conf]# ls
arsenal.crt  arsenal.csr  arsenal.key  fastcgi.conf  fastcgi.conf.default  fastcgi_params  fastcgi_params.default  htpasswd  koi-utf  koi-win  mime.types  mime.types.default  nginx.conf  nginx.conf.bak  scgi_params  scgi_params.default  uwsgi_params  uwsgi_params.default  vhost  win-utf
[root@localhost conf]# mkdir /data/wwwroot/aming.com
[root@localhost vhost]# cd /usr/local/nginx/conf/vhost/
[root@localhost vhost]# vim ssl.conf
(the contents of ssl.conf were not recorded in these notes)
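The key, CSR and certificate steps above done non-interactively, the two checks worth running before nginx ever sees the files, and a vhost that uses them, as an added example that is not the ssl.conf from the notes. The hostname aming.com, the file names aming.com.key and aming.com.crt (the notes use arsenal.*), the subject fields and the document root are assumptions taken from the commands above.

```shell
# Added example, not from the original notes: the key/CSR/certificate steps
# done non-interactively, the two checks worth running before nginx sees the
# files, and a vhost that uses them. Hostname aming.com, the file names
# aming.com.key/.crt (the notes use arsenal.*) and the docroot are assumptions.
make_selfsigned() {
    dir="$1"; host="$2"
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    chmod 600 "$dir/$host.key"        # no passphrase, so permissions are the only guard
    # -subj replaces the interactive questionnaire of "openssl req -new".
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=cn/ST=nj/L=nj/O=60/CN=$host"
    # Browsers match the hostname against subjectAltName, not CN; an
    # extension file works on OpenSSL 1.0.2 too, where -addext is absent.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -days 365 -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Check 1: the certificate carries the public half of this private key
# (a mismatched pair is the classic reason nginx refuses to start).
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl rsa -in "$2" -pubout 2>/dev/null)" ]
}

# Check 2: the hostname is present as a SAN entry.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

write_ssl_vhost() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    server_name aming.com;
    return 301 https://$host$request_uri;   # nothing is served in the clear
}

server {
    listen 443 ssl;                 # replaces "ssl on;" (deprecated since nginx 1.15.0)
    server_name aming.com;
    index index.html;
    root /data/wwwroot/aming.com;

    # Relative paths resolve against /usr/local/nginx/conf, where the notes keep the files.
    ssl_certificate aming.com.crt;
    ssl_certificate_key aming.com.key;

    # Weak: the nginx 1.12 default, "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;".
    # Corrected: TLS 1.2 only. Add TLSv1.3 once nginx >= 1.13 is built against
    # OpenSSL >= 1.1.1; the 1.12.2/1.0.2k build in these notes rejects the token.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # One year of HSTS; enable only after everything under the name works over TLS.
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}
```

After nginx -t and a reload, test from the server itself without touching /etc/hosts: curl --resolve aming.com:443:127.0.0.1 --cacert /usr/local/nginx/conf/aming.com.crt https://aming.com. Passing the certificate with --cacert verifies the chain properly; -k switches verification off and belongs in nothing but a one-off check.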
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
If nginx -t reports unknown directive "ssl", this nginx binary was built without the SSL module (nginx -V prints the configure arguments, and --with-http_ssl_module is not among them). Rebuild from source with --with-http_ssl_module. The directive the error points at is ssl on;, which is what this older nginx expects; from nginx 1.15.0 it is deprecated in favour of the ssl parameter on the listen directive (listen 443 ssl;).
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx
[root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module    ## run inside the nginx source directory
(configure output omitted)
[root@localhost vhost]# make && make install
(build output omitted)
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost vhost]# /usr/local/nginx/sbin/nginx restart
nginx: invalid option: "restart"
[root@localhost vhost]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  OK  ]
[root@localhost vhost]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4252/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      797/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1083/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4252/nginx: master
tcp6       0      0 :::22                   :::*                    LISTEN      797/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1083/master
tcp6       0      0 :::3306                 :::*                    LISTEN      1044/mysqld
Why the reload alone did not do it: nginx -t runs the freshly installed binary, so it passes, but nginx -s reload only signals the master process that is already running, and that is still the old build without the SSL module, which cannot parse the ssl directive and keeps its old configuration. After replacing the binary you need a full restart (or nginx's USR2 binary-upgrade procedure) before the new code serves traffic; the binary itself has no restart option, hence the init script. Only after the restart does port 443 show up in netstat.
(port 443 is now listening)
[root@localhost vhost]# cd /data/wwwroot/aming.com/
[root@localhost arsenal.com]# vim index.html
[root@localhost arsenal.com]# curl -x127.0.0.1:443 https://aming.com
curl: (56) Received HTTP code 400 from proxy after CONNECT
The 400 is not an nginx misconfiguration: -x tells curl to use 127.0.0.1:443 as an HTTP proxy, and for an https:// URL curl then sends a CONNECT request, which nginx does not handle, so it answers 400. That is why -x worked for the plain-HTTP tests above but not here; the fix is to point the hostname at the server instead, either in /etc/hosts (below) or with curl's --resolve option.
[root@localhost arsenal.com]# vim /etc/hosts
[root@localhost arsenal.com]# curl https://aming.com
(curl refuses the self-signed certificate with a verification error, but the server side is configured correctly. To test properly, hand curl the certificate with --cacert arsenal.crt; -k disables verification altogether and should not survive beyond a one-off check.)
Add 192.168.65.128 aming.com to the Windows hosts file.
Open a browser and go to https://aming.com.
Advanced -> Proceed anyway (the warning is the self-signed-certificate case from the SSL section above).
Wrote this until almost 1 a.m. and I am really a bit sleepy, so the notes are hasty; I will update them when I have more time.
Corrections are welcome; let's learn from each other and improve together!!!