49次課(Nginx負載均衡、ssl原理、 生成ssl密鑰對、 Nginx配置ssl)
阿新 • • 發佈:2018-08-16
密碼 n) tin [] hat -- form proc adb Nginx負載均衡
查看網站ip
用qq.com的兩個ip去做負載均衡111.161.64.48 / 111.161.64.40
創建配置文件
[root@100xuni1 vhost]# vim /usr/local/nginx/conf/vhost/ld.conf ##創建ld.conf 寫入下面的內容
upstream qq_com ##這個名字可以隨便寫 { ip_hash; ##目的是為了讓同一個用戶始終保持在一個機器上 server 111.161.64.48:80; server 111.161.64.40:80; } server { listen 80; server_name www.qq.com; location / { proxy_pass http://qq_com; ##用來指導ip的 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } }
配置完成重新加載
[root@100xuni1 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@100xuni1 vhost]# /usr/local/nginx/sbin/nginx -s reload
測試
[root@100xuni1 vhost]# curl -x127.0.0.1:80 www.qq.com
ssl原理
生成ssl密鑰對
頒發證書,其實就是公鑰和私鑰
把這對公鑰私鑰放到 /usr/local/nginx/conf
[root@100xuni1 vhost]# cd /usr/local/nginx/conf/
[root@100xuni1 conf]#
頒發證書需要一個工具openssl,如果沒有安裝,用rpm -qf ‘which openssl‘查找安裝包
[root@100xuni1 conf]# openssl genrsa -des3 -out tmp.key 2048 ##genrsa意思是生成rsa格式的,名字tmp.key Generating RSA private key, 2048 bit long modulus ...............................+++ ......+++ e is 65537 (0x10001) Enter pass phrase for tmp.key: ##輸入密碼 Verifying - Enter pass phrase for tmp.key:
[root@100xuni1 conf]# openssl rsa -in tmp.key -out aminglinux.key ##轉換key,取消密碼,-in指定哪一個秘鑰要被轉換-out指定它輸出
[root@100xuni1 conf]# rm -f tmp.key ##刪除tmp.key
[root@100xuni1 conf]# openssl req -new -key aminglinux.key -out aminglinux.csr ##//生成證書請求文件,需要拿這個文件和私鑰一起生產公鑰文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:aming
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server‘s hostname) []:aminglinux
Email Address []:[email protected]
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:hanshuo
An optional company name []:aming
[root@100xuni1 conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt ##生成公鑰
Signature ok
subject=/C=11/ST=Beijing/L=Beijing/O=aming/CN=aminglinux/[email protected]
Getting Private key
Nginx配置ssl
生成一個新的配置文件
[root@100xuni1 vhost]# vim /usr/local/nginx/conf/vhost/ssl.conf ##寫入一下內容
server
{
listen 443;
server_name aming.com;
index index.html index.php;
root /data/wwwroot/aming.com;
ssl on;
ssl_certificate aminglinux.crt;
ssl_certificate_key aminglinux.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
[root@100xuni1 vhost]# mkdir /data/wwwroot/aming.com ##創建aming.com
如果想正常的訪問https必須去買個證書,比如說wotong網站買
擴展
針對請求的uri來代理 http://ask.apelearn.com/question/1049
根據訪問的目錄來區分後端的web http://ask.apelearn.com/question/920
nginx長連接 http://www.apelearn.com/bbs/thread-65...
49次課(Nginx負載均衡、ssl原理、 生成ssl密鑰對、 Nginx配置ssl)