
Nginx load balancing, the SSL workflow, and generating your own certificate with openssl

Load balancing configuration

dig: a tool for looking up the IP addresses behind a site
Install: yum install -y bind-utils
Usage: dig www.163.com

Use the two addresses of www.163.com as the load-balanced backends

[root@test-a ~]# dig www.163.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> www.163.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39731
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.163.com.			IN	A

;; ANSWER SECTION:
www.163.com.		535	IN	CNAME	www.163.com.lxdns.com.
www.163.com.lxdns.com.	46	IN	A	116.242.0.145
www.163.com.lxdns.com.	46	IN	A	60.207.246.98

;; Query time: 103 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: Fri Nov 30 07:40:01 CST 2018
;; MSG SIZE  rcvd: 104

# Configuration
[root@test-a vhost]# vim load_balance.conf
[root@test-a vhost]# cat load_balance.conf
upstream 163
{
    ip_hash;    # requests from the same client IP always go to the same backend (sticky sessions)
    server 116.242.0.145:80;
    server 60.207.246.98:80;
}
server
{
    listen 80;
    server_name  www.163.com;
    location /
    {
        proxy_pass http://163;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # standard header name is X-Forwarded-For; appends the client IP to the existing chain
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Test: -x sends the request through the local nginx instead of resolving www.163.com directly
[root@test-a vhost]# curl -x127.0.0.1:80 www.163.com

SSL workflow

  • The browser sends an HTTPS request to the server;
  • The server needs a digital certificate, which it can either make itself or request from an organization. The difference is that a self-issued certificate must be explicitly accepted by the client before access can continue, while a certificate bought from a trusted company does not trigger a warning page. The certificate is really a pair of keys, one public and one private;
  • The server sends the public key to the client;
  • The client (browser) receives the public key and checks whether it is valid. If it is not, a warning is shown; if it is, the client generates a random string and encrypts it with the received public key;
  • The client sends the encrypted random string to the server;
  • The server decrypts it with its private key (public key encrypts, private key decrypts) to recover the random string, then uses that string to encrypt the data it transmits. This is symmetric encryption: the data and the key, i.e. the random string, are mixed together by some algorithm, so the content cannot be recovered without knowing the key;
  • The server sends the encrypted data to the client;
  • The client receives the data and decrypts it with its own "private key", i.e. that random string.
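The exchange described in the list above, acted out with the openssl CLI; this is an added example, not code from the original post. It assumes `openssl` is installed, the file names are arbitrary, and it models the post's steps only: real TLS runs this inside the handshake, and TLS 1.3 replaces RSA key transport with ephemeral Diffie-Hellman.

```shell
#!/bin/sh
# Added example, not code from the original post: the key-exchange steps described
# above, acted out with the openssl CLI. Assumes `openssl` is installed; file names
# are arbitrary. Real TLS runs this inside the handshake (and TLS 1.3 replaces RSA
# key transport with ephemeral Diffie-Hellman); this is a model of the post's steps.
set -e
WORK=$(mktemp -d)

# Step 2: the server owns a key pair. No passphrase, as nginx must read it unattended.
server_keygen() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    # Step 3: only the public half is sent to the client
    openssl rsa -in "$WORK/server.key" -pubout -out "$WORK/server.pub" 2>/dev/null
}

# Steps 4-5: the client generates a random secret and encrypts it with the public key
client_make_secret() {
    openssl rand -hex 32 > "$WORK/client.secret"     # 256-bit key, hex encoded
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
        -in "$WORK/client.secret" -out "$WORK/secret.enc"
}

# Steps 6-7: the server recovers the secret with its private key, then encrypts the
# payload symmetrically (AES-256-CBC here) with that secret and sends it back
server_reply() {
    openssl pkeyutl -decrypt -inkey "$WORK/server.key" \
        -in "$WORK/secret.enc" -out "$WORK/server.secret"
    openssl rand -hex 16 > "$WORK/iv"                # the IV travels in the clear
    printf '%s' "$1" | openssl enc -aes-256-cbc -K "$(cat "$WORK/server.secret")" \
        -iv "$(cat "$WORK/iv")" -out "$WORK/data.enc"
}

# Step 8: the client decrypts with the secret it generated in step 4
client_read() {
    openssl enc -d -aes-256-cbc -K "$(cat "$WORK/client.secret")" \
        -iv "$(cat "$WORK/iv")" -in "$WORK/data.enc"
}

# Runs the whole exchange and prints the plaintext the client recovered
exchange() {
    server_keygen
    client_make_secret
    server_reply "$1"
    client_read
}

exchange "SSL test."
```

Only secret.enc and data.enc ever cross the wire; the private key stays in server.key and the random secret is never sent in the clear.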

Generating your own certificate with openssl

[root@test-a conf]# openssl genrsa -des3 -out tmp.key 2048 # generate the private key file tmp.key (-des3 protects it with a passphrase)
Generating RSA private key, 2048 bit long modulus
.........................+++
.......................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@test-a conf]# openssl rsa -in tmp.key -out mytest.key # convert the key, removing the passphrase so nginx can read it unattended
Enter pass phrase for tmp.key:
writing RSA key
[root@test-a conf]# rm tmp.key
rm: remove regular file ‘tmp.key’? y
[root@test-a conf]# openssl req -new -key mytest.key -out mytest.csr # generate the certificate signing request; it is combined with the private key below to produce the certificate (the "public key" file)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@test-a conf]#
[root@test-a conf]# openssl x509 -req -days 365 -in mytest.csr -signkey mytest.key -out mytest.crt  # generate the self-signed certificate (the "public key")
Signature ok
subject=/C=cn/L=Default City/O=Default Company Ltd
Getting Private key
[root@test-a conf]# ls mytest.*
mytest.crt  mytest.csr  mytest.key
[root@test-a vhost]# vim ssl.conf
[root@test-a vhost]# cat ssl.conf
server
{
    listen 443;
    server_name 12345.com;
    index index.html index.php;
    root /data/wwwroot/12345.com;
    ssl on;    # deprecated since nginx 1.15.0; newer versions use "listen 443 ssl;"
    ssl_certificate mytest.crt;
    ssl_certificate_key mytest.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); prefer TLSv1.2 and, with OpenSSL 1.1.1+, TLSv1.3
}

[root@test-a vhost]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

# Rebuild nginx with --with-http_ssl_module
[root@test-a vhost]# cd /usr/local/src/nginx-1.14.1/
[root@test-a nginx-1.14.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@test-a nginx-1.14.1]# make
[root@test-a nginx-1.14.1]# make install
[root@test-a nginx-1.14.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@test-a nginx-1.14.1]# /usr/local/nginx/sbin/nginx -s reload
[root@test-a nginx-1.14.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  OK  ]
[root@test-a nginx-1.14.1]# netstat -nltp # port 443 is now listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2375/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6105/nginx: master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6105/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1195/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2375/master
tcp6       0      0 :::3306                 :::*                    LISTEN      2402/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      1195/sshd

[root@test-a nginx-1.14.1]# cd /data/wwwroot/ # create the site directory and index file
[root@test-a wwwroot]# mkdir 12345.com
[root@test-a wwwroot]# cd 12345.com/
[root@test-a 12345.com]# vim index.html 
[root@test-a 12345.com]# cat index.html 
SSL test.
[root@test-a 12345.com]# curl https://12345.com # 12345.com must first be mapped in the local hosts file
curl: (35) Encountered end of file
[root@test-a 12345.com]# cd /usr/local/nginx/conf/vhost/
[root@test-a vhost]# vim /etc/hosts
[root@test-a vhost]# curl https://12345.com # the certificate is reported as untrusted; it is self-issued, so of course it is not trusted
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
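The post's three openssl steps as one unattended command, plus the checks worth running before pointing nginx at the files and the way to satisfy curl without `-k`; this is an added example, not code from the original post. It assumes `openssl` 1.1.1 or newer; 12345.com is the post's own test host and the output directory is arbitrary.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's three openssl steps as
# one unattended command, plus two checks worth running before pointing nginx at the
# files. Assumes `openssl` 1.1.1 or newer; 12345.com is the post's own test host.
set -e
HOST=12345.com
DIR=$(mktemp -d)      # the post keeps the files in /usr/local/nginx/conf

# Key, CSR and self-signed cert in one go. -nodes skips the passphrase, so the
# tmp.key -> mytest.key conversion is unnecessary; -subj and -addext set a CN and a
# subjectAltName matching the vhost (the post's CSR left CN empty, which clients
# reject as a name mismatch even once the certificate itself is trusted).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$DIR/mytest.key" -out "$DIR/mytest.crt" \
        -subj "/C=cn/O=Default Company Ltd/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST,DNS:www.$HOST" 2>/dev/null
    chmod 600 "$DIR/mytest.key"   # the private key must not be readable by others
}

# SHA-256 of the public key as seen from the certificate and from the private key
pubkey_hash_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | cut -d' ' -f2; }
pubkey_hash_of_key()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256 | cut -d' ' -f2; }

# Succeeds only when mytest.crt belongs to mytest.key; a mismatch is the usual
# reason nginx -t reports "key values mismatch" after files are copied around
cert_matches_key() {
    [ "$(pubkey_hash_of_cert "$DIR/mytest.crt")" = "$(pubkey_hash_of_key "$DIR/mytest.key")" ]
}

# Prints the DNS names the certificate is valid for
cert_names() {
    openssl x509 -in "$DIR/mytest.crt" -noout -ext subjectAltName | tail -n 1 | tr -d ' '
}

# What `curl --cacert mytest.crt https://12345.com` does: trust exactly this
# certificate as the issuer, instead of switching verification off with -k
verify_as_own_ca() {
    openssl verify -CAfile "$DIR/mytest.crt" "$DIR/mytest.crt" > /dev/null
}

make_cert
cert_matches_key && echo "mytest.crt matches mytest.key"
cert_names
verify_as_own_ca && echo "verifies against itself as CA"
```

Once nginx serves these files, `curl --cacert mytest.crt https://12345.com` returns the page with verification still on, which is what the curl message above recommends over `-k`.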

  • Test by opening the site in a browser