标签:Linux
Nginx负载均衡负载均衡即是代理服务器将接收的请求均衡的分发到各服务器中
编辑虚拟主机配置文件vim /usr/local/nginx/conf/vhost/ld.conf
在配置文件中添加如下内容
upstream qq_com
{
ip_hash;
server 61.135.157.156:80;
server 125.39.240.113:80;
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq_com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
ip_hash 是让同一个用户始终保持在同一台机器上
https和http的区别是通信是加密的,如果不加密就有可能被从中间截掉,泄露数据,而加密了的即使被人截到也是看不了内容的。
实现加密解密的流程:
进入nginx 配置目录cd /usr/local/nginx/conf
执行命令生成密钥openssl genrsa -des3 -out tmp.key 2048
转换key,取消密码openssl rsa -in tmp.key -out test.key
可以删除原来的keyrm -f tmp.key
生成证书请求文件,需要拿这个文件和私钥一起生产公钥文件openssl req -new -key test.key -out test.csr
生成公钥,这里的test.crt为公钥openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
生成一个新的虚拟主机配置文件vim /usr/local/nginx/conf/vhost/ssl.conf
在配置文件中添加如下内容
server
{
listen 443;
server_name lx.com;
index index.html index.php;
root /data/wwwroot/lx.com;
ssl on;
ssl_certificate test.crt;
ssl_certificate_key aminglinux.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
创建网站的目录mkidir /data/wwwroot/lx.com
检查配置文件是否错误/usr/local/nginx/sbin/nginx -t
如果出现如下错误表示ssl moudle没有安装,那么需要重新编译安装nginx
nginx:[emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
进入nginx源码包,cd /usr/local/src/nginx-1.12.1/
安装ssl_module
./configure --prefix=/usr/local/nginx --with-http_ssl_module
make
make install
安装完成后再检查下配置文件是否出现错误/usr/local/nginx/sbin/nginx -t
如果没出现错误重启下nginx服务/etc/init.d/nginx restart
检查下443端口是否监听netstat -lntp
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4128/nginx: master
#出现这一行表示正常
再网站目录下创建一个测试页,内容自己写即可vim /data/wwwroot/lx.com/index.html
访问测试curl https://lx.com/
访问网站,出现如下的提示,因为证书是自己颁发的,所以不合法,但实际上已经配置成功
curl: (60) Peer‘s certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn‘t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you‘d like to turn off curl‘s verification of the certificate, use
the -k (or --insecure) option.
Nginx负载均衡、 ssl工作流程、生产ssl密钥对、Nginx配置ssl
标签:Linux
原文地址:http://blog.51cto.com/13658403/2128566