12.17 Nginx负载均衡

只能代理http

vim /usr/local/nginx/conf/vhost/load.conf // 写入如下内容

upstream qq_com

{ ip_hash;server 61.135.157.156:80;server 125.39.240.113:80;}server{ listen 80;server_name www.qq.com;location /{ proxy_pass ;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}}

upstream来指定多个web server

dig工具

yum -y install bind-utils

[root@linux-01 ~]# curl -x127.0.0.1:80 www.qq.comThis is default site.[root@linux-01 ~]# vim /usr/local/nginx/conf/vhost/load.conf

upstream qq

{ ip_hash;server 14.17.32.211:80;server 14.17.42.40:80;}server{ listen 80;server_name www.qq.com;location /{ proxy_pass ;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}}

[root@linux-01 ~]# /usr/local/nginx/sbin/nginx -tnginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is oknginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful[root@linux-01 ~]# /usr/local/nginx/sbin/nginx -s reload[root@linux-01 ~]# curl -x127.0.0.1:80 www.qq.com    //显示www.qq.com的网页内容

12.18 ssl原理

SSL工作流程

浏览器发送一个https的请求给服务器； 服务器要有一套数字证书，可以自己制作（后面的操作就是阿铭自己制作的证书），也可以向组织申请，区别就是自己颁发的证书需要客户端验证通过，才可以继续访问，而使用受信任的公司申请的证书则不会弹出>提示页面，这套证书其实就是一对公钥和私钥； 服务器会把公钥传输给客户端； 客户端（浏览器）收到公钥后，会验证其是否合法有效，无效会有警告提醒，有效则会生成一串随机数，并用收到的公钥加密； 客户端把加密后的随机字符串传输给服务器； 服务器收到加密随机字符串后，先用私钥解密（公钥加密，私钥解密），获取到这一串随机数后，再用这串随机字符串加密传输的数据（该加密为对称加密，所谓对称加密，就是将数据和私钥也就是这个随机字符串>通过某种算法混合在一起，这样除非知道私钥，否则无法获取数据内容）； 服务器把加密后的数据传输给客户端； 客户端收到数据后，再用自己的私钥也就是那个随机字符串解密；

12.19 生产ssl密钥对

cd /usr/local/nginx/conf

openssl genrsa -des3 -out tmp.key 2048 //key文件为私钥

openssl rsa -in tmp.key -out aminglinux.key //转换key，取消密码

rm -f tmp.key

openssl req -new -key aminglinux.key -out aminglinux.csr //生成证书请求文件，需要拿这个文件和私钥一起生产公钥文件

openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt //这里的aminglinux.crt为公钥

生成过程

[root@linux-01 ~]# cd /usr/local/nginx/conf/[root@linux-01 conf]# openssl genrsa -des3 -out tmp.key 2048Generating RSA private key, 2048 bit long modulus.............................................+++......................+++e is 65537 (0x10001)Enter pass phrase for tmp.key:Verifying - Enter pass phrase for tmp.key:[root@linux-01 conf]# openssl rsa -in tmp.key -out aminglinux.keyEnter pass phrase for tmp.key:writing RSA key[root@linux-01 conf]# rm -rf tmp.key[root@linux-01 conf]# openssl req -new -key aminglinux.key -out aminglinux.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:11State or Province Name (full name) []:wwwLocality Name (eg, city) [Default City]:szOrganization Name (eg, company) [Default Company Ltd]:wwwOrganizational Unit Name (eg, section) []:wwwCommon Name (eg, your name or your server's hostname) []:wwwhostEmail Address []:www@163.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:www123456An optional company name []:wwwchina[root@linux-01 conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crtSignature oksubject=/C=11/ST=www/L=sz/O=www/OU=www/CN=wwwhost/emailAddress=www@163.comGetting Private key

12.20 Nginx配置ssl

vim /usr/local/nginx/conf/vhost/ssl.conf //加入如下内容

server

{ listen 443;server_name aming.com;index index.html index.php;root /data/wwwroot/aming.com;ssl on;ssl_certificate aminglinux.crt;ssl_certificate_key aminglinux.key;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;}

-t && -s reload //若报错unknown directive “ssl” ，需要重新编译nginx，加上--with-http_ssl_module

mkdir /data/wwwroot/aming.com

echo “ssl test page.”>/data/wwwroot/aming.com/index.html

编辑hosts，增加127.0.0.1 aming.com

curl

操作过程

[root@linux-01 conf]# cd vhost/[root@linux-01 vhost]# mkdir /data/wwwroot/aming.com[root@linux-01 vhost]# vim ssl.conf添加上面的配置内容[root@linux-01 vhost]# /usr/local/nginx/sbin/nginx -tnginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed[root@linux-01 vhost]# cd /usr/local/src/nginx-1.12.2/[root@linux-01 nginx-1.12.2]# ./configure --help |grep -i ssl  --with-http_ssl_module             enable ngx_http_ssl_module  --with-mail_ssl_module             enable ngx_mail_ssl_module  --with-stream_ssl_module           enable ngx_stream_ssl_module  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module  --with-openssl=DIR                 set path to OpenSSL library sources  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL[root@linux-01 nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module[root@linux-01 nginx-1.12.2]# make[root@linux-01 nginx-1.12.2]# make install[root@linux-01 nginx-1.12.2]# cd /data/wwwroot/aming.com/[root@linux-01 aming.com]# vim 1.txtThis is default site.[root@linux-01 aming.com]# /usr/local/nginx/sbin/nginx -tnginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is oknginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful[root@linux-01 aming.com]# /usr/local/nginx/sbin/nginx -s reload[root@linux-01 aming.com]# curl -x127.0.0.1:443 https://aming.com/curl: (7) Failed connect to 127.0.0.1:443; 拒绝连接[root@linux-01 aming.com]# vim /etc/hosts127.0.0.1   aming.com[root@linux-01 aming.com]# curl https://aming.com/curl: (7) Failed connect to aming.com:443; 拒绝连接电脑端直接显示  This is default site.  有不安全提示