标签:term 新版本 src subject 数据完整性 upstream tcp6 wro ror
12.17 Nginx负载均衡Nginx负载均衡即为当代理服务器将自定义的域名解析到多个指定IP时,通过upstream来保证用户可以通过代理服务器正常访问各个IP。
#配置内容
upstream qq #名字自定义
{
ip_hash;
#目的:同一个用户保持在同一个服务器上
# #即当域名指向多个IP时,保证每个用户始终解析到同一IP
server 61.135.157.156:80;
server 125.39.240.113:80;
#指定web服务器的IP
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
截图如下:
#yum安装
[root@taoyuan ~]# yum install -y bind-utils
#dig 域名解析命令,可以返回多个ip
#curl测试
[root@taoyuan ~]# curl -x127.0.0.1:80 www.qq.com
Hello default .
#返回默认虚拟主机
#检验 && 加载
[root@taoyuan ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@taoyuan ~]# /usr/local/nginx/sbin/nginx -s reload
[root@taoyuan ~]# curl -x127.0.0.1:80 www.qq.com
#结果截图如下
注意: Nginx不支持代理https,只能代理http,新版本的Nginx可以代理tcp。
HTTP超文本传输协议(HyperText Transfer Protocol)是互联网上应用最为广泛的一种网络协议。
HTTPS(全称:Hyper Text Transfer Protocol over Secure Socket Layer),是以安全为目标的HTTP通道,简单讲是HTTP的安全版。HTTPS协议是由SSL+HTTP协议构建的可进行加密传输、身份认证的网络协议要比http协议安全。
HTTP默认的端口号为80,HTTPS的端口号为443。
TCP(Transmission Control Protocol 传输控制协议)是一种面向连接的、可靠的、基于字节流的传输层通信协议,由IETF的RFC 793定义。默认监听80端口。
SSL(Secure Sockets Layer 安全套接层)协议,及其继任者TLS(Transport Layer Security传输层安全)协议,是为网络通信提供安全及数据完整性的一种安全协议。
[root@taoyuan ~]# cd /usr/local/nginx/conf/
which openssl
来查询该命令哪个包的 #如果过没有可以安装一下
[root@taoyuan conf]# rpm -qf `which openssl`
openssl-1.0.2k-8.el7.x86_64
#安装
[root@taoyuan conf]# yum install -y openssl-1.0.2k-8.el7.x86_64
#生成命令
[root@taoyuan conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................+++
........+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
Verify failure
User interface error
140423990957984:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:385:
#2048 为长度,需要输入密码
[root@taoyuan conf]# openssl rsa -in tmp.key -out taoyuan.key
Enter pass phrase for tmp.key:
writing RSA key
#密码比较麻烦,所以取消掉密码
#生成证书请求文件,需要拿这个文件和私钥一起生产公钥文件
[root@taoyuan conf]# rm -f tmp.key
#命令
[root@taoyuan conf]# openssl req -new -key taoyuan.key -out taoyuan.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server‘s hostname) []:
Email Address []:
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#输入一些信息,可以直接回车
[root@taoyuan conf]# openssl x509 -req -days 365 -in taoyuan.csr -signkey taoyuan.key -out taoyuan.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key
[root@taoyuan conf]# ls taoyuan.
taoyuan.crt taoyuan.csr taoyuan.key
#这里的aminglinux.crt为公钥
server
server
{
listen 443;
server_name taoyuan.com;
index index.html index.php;
root /data/wwwroot/taoyuan.com;
ssl on;
ssl_certificate taoyuan.crt;
ssl_certificate_key taoyuan.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
#报错unknown directive "ssl"
[root@taoyuan conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
#需要重新编译nginx, 加上--with-http_ssl_module
#源码包查看
[root@taoyuan conf]# cd /usr/local/src/nginx-1.8.0/
[root@taoyuan nginx-1.8.0]# ./configure --help |grep -i ssl
--with-http_ssl_module enable ngx_http_ssl_module
--with-mail_ssl_module enable ngx_mail_ssl_module
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
#重新编译nginx
[root@taoyuan nginx-1.8.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
#make && make install
#-t restart[重启]
[root@taoyuan nginx-1.8.0]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@taoyuan nginx-1.8.0]# /usr/local/nginx/sbin/nginx restart
nginx: invalid option: "restart"
[root@taoyuan nginx-1.8.0]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ 确定 ]
#查看监听端口
[root@taoyuan nginx-1.8.0]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4622/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1000/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1371/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4622/nginx: master
tcp6 0 0 :::22 :::* LISTEN 1000/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1371/master
tcp6 0 0 :::3306 :::* LISTEN 1329/mysqld
[root@taoyuan nginx-1.8.0]# mkdir /data/wwwroot/taoyuan.com
#创建测试文件
[root@taoyuan nginx-1.8.0]# echo "ssl test page." > /data/wwwroot/taoyuan.com/index.html
[root@taoyuan nginx-1.8.0]# vi /etc/hosts
# 编辑hosts,增加127.0.0.1 taoyuan.com
root@taoyuan nginx-1.8.0]# curl https://taoyuan.com
curl: (60) Peer‘s certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn‘t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you‘d like to turn off curl‘s verification of the certificate, use
the -k (or --insecure) option.
#不能直接curl 需要用vi /etc/hosts
#显示如下结果表示测试成功
扩展
502问题汇总 http://ask.apelearn.com/question/9109
location优先级 http://blog.lishiming.net/?p=100
Nginx负载均衡、ssl原理、生产ssl密钥对、Nginx配置ssl
标签:term 新版本 src subject 数据完整性 upstream tcp6 wro ror
原文地址:http://blog.51cto.com/3622288/2058857