50. Nginx load balancing, how SSL works, key pairs, configuring SSL

12.17 Nginx load balancing

12.18 How SSL (https) works

12.19 Generating an SSL key pair

12.20 Configuring SSL in Nginx

Further reading

Proxying by request URI: http://ask.apelearn.com/question/1049

Choosing the backend web server by directory: http://ask.apelearn.com/question/920

Nginx keep-alive connections: http://www.apelearn.com/bbs/thread-6545-1-1.html

Analysis of the Nginx load balancing algorithms: http://blog.sina.com.cn/s/blog_72995dcc01016msi.html


12.17 Nginx load balancing:

This builds on the proxy server from the previous lesson. With one backend web server the setup is just a proxy; with two or more backends it becomes load balancing. A proxy server can have several web servers behind it, and when several of them answer the requests, the load is spread across them.

Without the proxy layer, clients would have to be pointed at one server at a time. With it, if user 1's request would have gone to web1 and web1 is down, the proxy stops sending requests to web1: nginx marks a backend as failed after max_fails failed attempts within fail_timeout (by default 1 failure in 10 seconds) and retries it after that interval. That is the advantage of Nginx load balancing: no single backend is a single point of failure.


~1.

vim /usr/local/nginx/conf/vhost/load.conf // write the following

upstream baidu_com    # uses the upstream module; the name is arbitrary and labels the group of backends below
{
    ip_hash;    # keeps a given client on the same backend. Without it a user who has just logged in can land on another backend on the next request and appear logged out, which is not acceptable. The key is the first three octets of the client IPv4 address, so every client behind one /24 (one NAT'd office, for example) shares a backend.
    server 182.61.200.6:80;    # the backends can only be listed here, one server line each
    server 182.61.200.7:80;
}

server
{
    listen 80;
    server_name www.baidu.com;    # domain
    location /
    {
        proxy_pass http://baidu_com;    # the target is the upstream name defined above; several IPs cannot be listed here
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

~2.

upstream is what lets several web servers be named as one backend group. The X-Real-IP and X-Forwarded-For headers carry the real client address to the backends; a backend should only trust them when it is reachable solely through this proxy, because any client can send those headers itself.
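The stickiness rule of ip_hash is worth seeing in detail. The following is an added example, not part of the course notes: a small shell model of nginx's ip_hash peer selection, using the constants from ngx_http_upstream_ip_hash_module (initial value 89, multiplier 113, modulus 6271, only the first three octets of an IPv4 address, a chained rehash when the chosen backend is unavailable, at most 20 tries). It assumes equal weights and a plain list of backends indexed from 0; the list of "down" indexes passed in stands in for nginx's own failure tracking and is a simplification.

```shell
#!/bin/sh
# Added example: model of nginx ip_hash backend selection (equal weights).
# Constants are those used in ngx_http_upstream_ip_hash_module; the list of
# "down" backends stands in for nginx's own failure tracking and is a
# simplification.

# ip_hash_backend CLIENT_IP BACKEND_COUNT [DOWN_INDEX ...]
# Prints the 0-based index of the backend nginx would pick for CLIENT_IP.
# Prints -1 (and returns 1) when 20 rehashes find no available backend,
# the point at which nginx gives up and falls back to round-robin.
ip_hash_backend() {
    ip=$1; n=$2; shift 2
    down=" $* "
    # Only the first three octets matter: 192.168.30.10 and 192.168.30.200
    # hash identically, so one NAT'd office or one /24 all share a backend.
    o1=${ip%%.*}; rest=${ip#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}
    h=89
    tries=0
    while :; do
        h=$(( (h * 113 + o1) % 6271 ))
        h=$(( (h * 113 + o2) % 6271 ))
        h=$(( (h * 113 + o3) % 6271 ))
        idx=$(( h % n ))
        case "$down" in
            *" $idx "*) ;;                         # backend unavailable: rehash
            *) printf '%s\n' "$idx"; return 0 ;;
        esac
        tries=$(( tries + 1 ))
        if [ "$tries" -gt 20 ]; then
            printf '%s\n' -1
            return 1
        fi
    done
}

# same_backend IP_A IP_B BACKEND_COUNT -> exit 0 if both clients share a backend
same_backend() {
    [ "$(ip_hash_backend "$1" "$3")" = "$(ip_hash_backend "$2" "$3")" ]
}

# Example run with the two backends from load.conf:
#   ip_hash_backend 192.168.30.10  2      -> 1
#   ip_hash_backend 192.168.30.200 2      -> 1  (same /24, same backend)
#   ip_hash_backend 192.168.30.10  2 1    -> 0  (backend 1 down: rehashed)
```

Two consequences follow from the model: a whole /24 of clients is one "user" to ip_hash, so a large NAT can load one backend far more than the other, and when a backend is taken out of rotation its clients are rehashed onto another one and lose their server-local session anyway. Sharing session state between backends is the robust fix; ip_hash only reduces how often the problem shows.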


Key points:

~1. How do you find which IPs baidu.com resolves to?

yum install -y bind-utils

dig baidu.com (two IPs come back, i.e. baidu.com resolves to these two addresses)

~2. In this setup the proxy speaks plain HTTP to the backends, so the server lines use port 80, not 443 (proxy_pass https:// to a TLS backend is possible, but it is not what is configured here).

What if users can only reach port 443?

Then let the proxy itself listen on 443 with TLS (that is what 12.20 sets up) and keep the backends on 80: the load balancer terminates TLS and forwards plain HTTP to the web servers.


Example:

1.

[root@localhost ~]# vim /usr/local/nginx/conf/vhost/load.conf    create a new load.conf

upstream baidu_com
{
    ip_hash;
    server 182.61.200.6:80;
    server 182.61.200.7:80;
}
server
{
    listen 80;
    server_name www.baidu.com;
    location /
    {
        proxy_pass      http://baidu_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

[root@localhost ~]# curl -x192.168.30.134:80 www.qq.com    test first, before -t and reload: the new vhost is not active yet

"This is a default site."    the default page is returned

[root@localhost ~]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload

[root@localhost ~]# curl -x127.0.0.1:80 www.baidu.com -I    after -t and reload the request goes through the upstream

HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 25 Jul 2019 07:26:26 GMT
Content-Type: text/html
Content-Length: 277
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


12.18 How SSL (https) works:

What is the difference between http and https? https is http carried over TLS (the successor of SSL): the traffic is encrypted, so an attacker who captures it gets only ciphertext, and the server proves its identity with a certificate, so the client knows who it is talking to.

SSL workflow (this is the RSA key exchange of TLS 1.2 and earlier; TLS 1.3 agrees the secret with an ephemeral Diffie-Hellman exchange instead, which gives forward secrecy, but the roles of certificate, asymmetric keys and symmetric keys are the same):

~1. The browser sends an https request to the server;

~2. The server needs a certificate. It can be self-made (that is what the notes do below) or obtained from a certificate authority (CA). The difference is that a self-issued certificate fails the client's check and the user has to accept it by hand before the visit can continue, while a certificate from a trusted CA produces no warning page. Behind the certificate is a key pair: the private key stays on the server, and the certificate binds the public key to the server's name and carries the issuer's signature;

~3. The server sends the certificate, and with it the public key, to the client;

~4. The client (browser) checks the certificate: the signature chain up to a trusted root, the validity period, and that the name matches the host it requested. If the check fails it warns the user; if it passes it generates a random secret (the pre-master secret) and encrypts it with the public key from the certificate;

~5. The client sends the encrypted random secret to the server;

~6. The server decrypts it with its private key (encrypted with the public key, decrypted with the private key). Both sides now hold the same secret and derive symmetric session keys from it; from here on the data is protected with symmetric encryption, where the same key encrypts and decrypts, so without that key the data cannot be read;

~7. The server sends the symmetrically encrypted data to the client;

~8. The client decrypts it with the same session key, which it already has because it chose the random secret.
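Steps 4 to 8 above, as an added example that is not part of the course notes: the same exchange carried out offline with the openssl command line, so the asymmetric part (one RSA encryption of a random secret) and the symmetric part (AES for the data) are each visible. File names such as server.key and premaster.hex and the request text are this script's own; real TLS derives several keys from the secret and adds integrity protection, which is left out here.

```shell
#!/bin/sh
# Added example: the RSA key-exchange flow from the eight steps, reproduced
# offline with the openssl CLI. File names are this script's own choices.

# hybrid_roundtrip MESSAGE
# Runs the full exchange for one message and prints what the server decrypts.
hybrid_roundtrip() {
    msg=$1
    work=$(mktemp -d) || return 1

    # Server side, step 2: the key pair. A real server sends a certificate
    # carrying the public key; here the public key is exported directly.
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    openssl rsa -in "$work/server.key" -pubout -out "$work/server.pub" 2>/dev/null

    # Client side, steps 4-5: pick a fresh random secret and encrypt it to the
    # server's public key. OAEP is the padding to use for RSA encryption.
    openssl rand -hex 32 | tr -d '\n' > "$work/premaster.hex"
    openssl pkeyutl -encrypt -pubin -inkey "$work/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/premaster.hex" -out "$work/premaster.enc"

    # Server side, step 6: only the private key can recover the secret.
    openssl pkeyutl -decrypt -inkey "$work/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/premaster.enc" -out "$work/premaster.server.hex"
    [ "$(cat "$work/premaster.hex")" = "$(cat "$work/premaster.server.hex")" ] || return 1

    # Steps 6-8: application data travels under the shared secret with a
    # symmetric cipher (AES-256-CBC, explicit random IV). One side encrypts
    # with its copy of the secret, the other decrypts with the copy it recovered.
    iv=$(openssl rand -hex 16)
    printf '%s' "$msg" > "$work/plain.txt"
    openssl enc -aes-256-cbc -K "$(cat "$work/premaster.hex")" -iv "$iv" \
        -in "$work/plain.txt" -out "$work/cipher.bin"
    openssl enc -d -aes-256-cbc -K "$(cat "$work/premaster.server.hex")" -iv "$iv" \
        -in "$work/cipher.bin" -out "$work/plain.dec"

    cat "$work/plain.dec"
    rm -rf "$work"
}

# Usage: hybrid_roundtrip 'GET /account HTTP/1.1'
# prints the request exactly as the server side recovered it.
```

The one step the script cannot show is the certificate check of step 4, and it is the step everything else rests on: a client that skips it (curl -k does exactly that) will happily encrypt the secret to whatever public key an attacker in the path hands it, and the rest of the exchange then protects the session against everyone except that attacker.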


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


12.19 Generating an SSL key pair:

On the VM we issue our own certificate, which means generating a private key and a certificate that carries the matching public key:

yum install -y openssl

~1. cd /usr/local/nginx/conf

~2. openssl genrsa -des3 -out tmp.key 2048 // the .key file is the private key

genrsa generates an RSA private key

-des3 encrypts the key file with a passphrase, asked for interactively

-out specifies the output file

2048 is the key length in bits

tmp.key is the file name

~3. openssl rsa -in tmp.key -out axin.key // convert the key and drop the passphrase. axin.key is the converted private key without a passphrase, so nginx can start unattended; protect it with file permissions instead (chmod 600, owned by root)

-in specifies the key file to read

~4. rm -f tmp.key // the old key can be deleted now

~5. openssl req -new -key axin.key -out axin.csr // generate a certificate signing request (CSR). It carries the public key and the identity fields; together with the private key it is what the certificate is produced from

~6. openssl x509 -req -days 365 -in axin.csr -signkey axin.key -out axin.crt // sign the CSR with our own private key, producing a self-signed certificate valid for 365 days

~7. axin.crt is the certificate. The notes call it the "public key": it does contain the public key, together with the identity fields and the signature over them


Example:

[root@localhost ~]# cd /usr/local/nginx/conf/    go into the configuration directory first

[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048    first generate the .key private key

Generating RSA private key, 2048 bit long modulus
.......................+++
..................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:    a passphrase has to be entered
Verifying - Enter pass phrase for tmp.key:    enter it again

[root@axinlinux-01 conf]# openssl rsa -in tmp.key -out axin.key    remove the passphrase, because it is inconvenient: nginx would otherwise prompt for it at every start

Enter pass phrase for tmp.key:    the passphrase set above is required
writing RSA key

[root@localhost conf]# rm -f tmp.key    delete the old .key file

[root@localhost conf]# openssl req -new -key axin.key -out axin.csr    generate the certificate request

You are about to be asked to enter information that will be incorporated    the fields below describe the certificate owner; for the exercise they are left empty
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:    left empty here; a real certificate needs the server's host name, and current browsers require it in a subjectAltName extension as well
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wangxin789    a challenge password was set here, although it is not needed: it is only an attribute of the request and nginx never uses it
An optional company name []:

[root@localhost conf]# openssl x509 -req -days 365 -in axin.csr -signkey axin.key -out axin.crt

Signature ok    generated successfully
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


12.20 Configuring SSL in Nginx:

~1. vim /usr/local/nginx/conf/vhost/ssl.conf // add the following

server
{
    listen 443;    # listen on 443; https cannot simply share port 80 with plain http
    server_name axin.com;
    index index.html index.php;
    root /data/wwwroot/axin.com;
    ssl on;    # enable SSL so the vhost serves https. This directive is obsolete since nginx 1.15.0; on newer versions write "listen 443 ssl;" instead
    ssl_certificate axin.crt;    # the certificate (path relative to /usr/local/nginx/conf)
    ssl_certificate_key axin.key;    # the private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # protocol versions. The notes enable all three; TLSv1 and TLSv1.1 are deprecated (RFC 8996), so on a current server keep TLSv1.2, plus TLSv1.3 where nginx and OpenSSL support it
}

~2. -t && -s reload // if this reports unknown directive "ssl", nginx was built without the SSL module: recompile it with ./configure --prefix=/usr/local/nginx --with-http_ssl_module followed by make && make install

~3. mkdir /data/wwwroot/axin.com

~4. echo "ssl test page." > /data/wwwroot/axin.com/index.html

~5. edit /etc/hosts and add 127.0.0.1 axin.com

~6. curl https://axin.com/
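The key generation of 12.19 and the vhost of 12.20 together, as an added example rather than the course's own files: a shell script that produces a self-signed key pair with a subjectAltName (which browsers and curl match the host name against; the CSR walk-through above leaves the Common Name empty, so that certificate names no host at all), checks that key and certificate belong together, and writes an ssl.conf with the listen and protocol settings brought up to date. The directory passed as the first argument, the host name axin.com and the extra header are this example's own choices.

```shell
#!/bin/sh
# Added example: self-signed key pair plus a tightened nginx TLS vhost.
# Everything is written under the directory given as the first argument;
# host name and paths are this example's assumptions, not the course's files.

# make_self_signed DIR HOST
# Writes DIR/axin.key (private key, no passphrase) and DIR/axin.crt
# (self-signed certificate, valid 365 days, SAN = HOST and www.HOST).
make_self_signed() {
    dir=$1; host=$2
    # Request config with a subjectAltName: clients match the host name
    # against SAN, so a certificate with only a Common Name (or none, as in
    # the walk-through above) fails the name check even when it is trusted.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $host
[v3_server]
subjectAltName = DNS:$host, DNS:www.$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -newkey/-nodes: fresh RSA key without passphrase, the result of the
    # tmp.key -> axin.key steps; -x509: self-sign directly, no separate CSR.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/req.cnf" -keyout "$dir/axin.key" -out "$dir/axin.crt" \
        2>/dev/null || return 1
    chmod 600 "$dir/axin.key"    # an unencrypted key must not be world-readable
}

# key_matches_cert KEY CRT -> exit 0 when CRT carries the public half of KEY
# (otherwise nginx refuses to start with "key values mismatch").
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_san CRT -> prints the SAN entries, e.g. "DNS:axin.com, DNS:www.axin.com"
cert_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# write_ssl_vhost DIR HOST -> writes DIR/ssl.conf pointing at the files above
write_ssl_vhost() {
    dir=$1; host=$2
    cat > "$dir/ssl.conf" <<EOF
server
{
    listen 443 ssl;                 # "ssl on;" is obsolete since nginx 1.15.0
    server_name $host;
    index index.html index.php;
    root /data/wwwroot/$host;
    ssl_certificate $dir/axin.crt;
    ssl_certificate_key $dir/axin.key;
    ssl_protocols TLSv1.2;          # add TLSv1.3 on nginx >= 1.13 built with OpenSSL >= 1.1.1
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# Usage:
#   d=/usr/local/nginx/conf; make_self_signed "$d" axin.com
#   key_matches_cert "$d/axin.key" "$d/axin.crt" && cert_san "$d/axin.crt"
#   write_ssl_vhost "$d" axin.com && /usr/local/nginx/sbin/nginx -t
```

After the vhost is live, curl --cacert /usr/local/nginx/conf/axin.crt https://axin.com/ (with axin.com in /etc/hosts) verifies the connection against exactly this certificate. That is the correct replacement for curl -k: -k switches verification off altogether, so it proves only that something answers on 443, not that it is your server. A browser still shows its warning page, because the certificate chains to no root the browser ships; importing the .crt as trusted on a test machine removes the warning there, but only a CA-issued certificate removes it for everyone.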


Example:

[root@localhost conf]# cd vhost/

[root@localhost vhost]# ls

aaa.com.conf  load.conf  proxy.conf  test.com.conf

[root@localhost vhost]# vim ssl.conf    create the new .conf

[root@localhost vhost]# mkdir /data/wwwroot/axin.com

[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t    fails, because this nginx does not know the ssl directive

nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7

nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

[root@localhost vhost]# cd /usr/local/src/nginx-1.8.0/

[root@localhost nginx-1.8.0]# ./configure --help |grep -i ssl    look up the ssl build options

  --with-http_ssl_module             enable ngx_http_ssl_module    this is the one we need
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL

[root@localhost nginx-1.8.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module

[root@localhost nginx-1.8.0]# make

[root@localhost nginx-1.8.0]# make install

[root@localhost nginx-1.8.0]# /usr/local/nginx/sbin/nginx -V    check that the ssl module is now built in

nginx version: nginx/1.8.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module

[root@localhost nginx-1.8.0]# /usr/local/nginx/sbin/nginx -t    run -t again

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@localhost nginx-1.8.0]# /etc/init.d/nginx restart    restart nginx; a reload is not enough here, because the running master process is still the old binary without the ssl module

Restarting nginx (via systemctl): [ OK ]

[root@localhost nginx-1.8.0]# netstat -lntp    check the listening ports: 443 has appeared

tcp        0      0 192.168.30.134:9000     0.0.0.0:*               LISTEN      1076/php-fpm: maste 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1388/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      803/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1071/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1388/nginx: master  
tcp6       0      0 :::3306                 :::*                    LISTEN      1059/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      803/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1071/master

[root@localhost nginx-1.8.0]# vim /data/wwwroot/axin.com/1.txt    create a test file in the document root

[root@localhost nginx-1.8.0]# mv /data/wwwroot/axin.com/1.txt /data/wwwroot/axin.com/index.html    rename it to index.html

[root@localhost nginx-1.8.0]# vim /etc/hosts    edit hosts and add the axin.com entry

192.168.30.134 www.wangxin.com axin.com

[root@localhost nginx-1.8.0]# curl https://axin.com/    this fails only because the certificate is self-issued; the https listener itself is working

curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

This is step 4 of 12.18 doing its job: the certificate chains to no trusted root, so curl refuses. For a quick local check, curl -k https://axin.com/ turns verification off and shows the test page; for anything beyond that, pass the certificate explicitly with --cacert axin.crt, which keeps verification on (it then also requires the certificate's name to match axin.com, which the empty Common Name above does not satisfy).

We can also test from a browser on Windows:

First add axin.com to the Windows hosts file > check the firewall rules on the Linux VM and, if there are any, flush them with iptables -F (acceptable on a lab VM, never on a real server) > open https://axin.com in the browser, which shows the certificate warning page (screenshot not reproduced here):

Click Advanced, then Proceed, and the page loads.

So whenever the browser does not trust the certificate, this warning appears. The notes suggest buying a certificate from 沃通 (WoSign) when one is needed; since then the major browsers have removed trust in WoSign-issued certificates (2016-2017), so choose a CA that browsers currently trust.

Key point: when visiting the government site www.12306.com over https://www.12306.com the same warning used to appear. The notes explain this as the site preferring its own certificate over one issued by others; the actual reason was that 12306 served a certificate issued by its own root CA (SRCA), which browsers did not ship, so the browser did not