Defining multiple IPs under upstream
How do you find the IPs a website resolves to? Use the dig command, which requires the bind-utils package.
- [root@localhost ~]# yum install -y bind-utils
- (output omitted)
- [root@localhost ~]# dig qq.com
- (these are the IPs of the site's two servers)
- [root@localhost vhost]# vim ld.conf
ip_hash: the site is served by two servers; if you want a given client to always land on the same server, use ip_hash.
- [root@localhost vhost]# curl -x127.0.0.1:80 www.sina.com.cn
- This is the default site. ## still goes to the default virtual host
- [root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
- [root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
- [root@localhost vhost]# curl -x127.0.0.1:80 www.sina.com.cn
(too much output; it is the site's page source)
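The notes open ld.conf in vim but never show its contents. The script below is an added example, not from the original notes: it writes an upstream block with ip_hash plus the server block that proxies to it. The backend IPs, the pool name and the output path are constructed for the demo; in the notes the IPs come from the dig output.

```shell
#!/bin/sh
set -eu

# Writes an nginx vhost that load-balances one site across several backends.
# $1 = output file, $2 = upstream (pool) name, $3 = server_name,
# $4... = backend ip[:port]  (port defaults to 80)
write_upstream_vhost() {
    out=$1; pool=$2; name=$3; shift 3
    [ $# -ge 1 ] || { echo "write_upstream_vhost: need at least one backend" >&2; return 1; }
    {
        echo "upstream $pool {"
        echo "    ip_hash;    # same client IP always lands on the same backend"
        for b in "$@"; do
            case $b in *:*) ;; *) b="$b:80" ;; esac
            echo "    server $b;"
        done
        echo "}"
        # $host and $remote_addr must reach nginx literally, hence the backslashes.
        cat <<EOF
server {
    listen 80;
    server_name $name;
    location / {
        proxy_pass http://$pool;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
    }
}
EOF
    } > "$out"
}

# Number of backends declared in a vhost written by the function above.
backend_count() { grep -c '^    server ' "$1"; }

# Usage with constructed backend IPs (the notes would take them from `dig`).
LD_CONF=$(mktemp)
write_upstream_vhost "$LD_CONF" sina_pool www.sina.com.cn 192.168.65.10 192.168.65.11
cat "$LD_CONF"
echo "backends: $(backend_count "$LD_CONF")"
```

Two things worth knowing about ip_hash before relying on it: the hash is taken over the first three octets of an IPv4 client address, so every client behind one NAT gateway or corporate proxy lands on the same backend, and if a backend has to be taken out temporarily it should be marked `down` rather than deleted, otherwise the hash mapping of every client shifts. After copying the file into conf/vhost/, test with `nginx -t` and `curl -x127.0.0.1:80 www.sina.com.cn` exactly as the notes do.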
12.18 How SSL works
1. The browser sends an HTTPS request to the server;
2. The server must have a digital certificate. It can be self-made or requested from an organization; the difference is that a self-issued certificate must first be accepted by the client before access can continue, while a certificate from a trusted company does not pop up a warning page. This certificate is really a pair of public and private keys;
3. The server sends the public key to the client;
4. The client (browser) receives the public key and checks whether it is valid. If it is invalid, a warning is shown; if it is valid, the client generates a random string and encrypts it with the received public key;
5. The client sends the encrypted random string to the server;
6. The server receives the encrypted random string and first decrypts it with its private key (public key encrypts, private key decrypts). Once it has the random string, it uses that string to encrypt the data it sends (this is symmetric encryption: the data and the key, i.e. the random string, are mixed together by some algorithm, so the content cannot be recovered without knowing the key);
7. The server sends the encrypted data to the client;
8. The client receives the data and decrypts it with its own copy of the key, i.e. that random string.
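The eight steps above can be replayed with nothing but the openssl CLI. This is an added example, not from the notes: each function stands for one side of the exchange, the "random string" is a 32-byte value from `openssl rand`, and the symmetric step uses AES-256-CBC keyed from that string. File names and the working directory are constructed for the demo.

```shell
#!/bin/sh
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Steps 2-3: the server owns a key pair; the public half is what it hands out.
server_keypair() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/server.key" -pubout -out "$WORK/server.pub" 2>/dev/null
}

# Steps 4-5: the client draws a random secret and seals it with the public key.
client_seal_secret() {
    openssl rand -hex 32 > "$WORK/client.secret"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
        -in "$WORK/client.secret" -out "$WORK/secret.enc"
}

# Step 6: only the private key opens it (public encrypts, private decrypts).
# Returns 0 when the server recovered exactly the secret the client chose.
server_unseal_secret() {
    openssl pkeyutl -decrypt -inkey "$WORK/server.key" \
        -in "$WORK/secret.enc" -out "$WORK/server.secret"
    cmp -s "$WORK/client.secret" "$WORK/server.secret"
}

# Steps 6-7: bulk data goes out under symmetric encryption with the shared secret.
server_send() {  # $1 = plaintext
    printf '%s' "$1" | openssl enc -aes-256-cbc -md sha256 -salt \
        -pass "file:$WORK/server.secret" -out "$WORK/data.enc" 2>/dev/null
}

# Step 8: the client decrypts with its own copy of the same secret.
client_receive() {
    openssl enc -d -aes-256-cbc -md sha256 \
        -pass "file:$WORK/client.secret" -in "$WORK/data.enc" 2>/dev/null
}

# Someone who captured secret.enc and data.enc but not server.key has no way to
# learn the secret; a guessed key fails to decrypt (or yields garbage).
eavesdropper_receive() {
    openssl rand -hex 32 > "$WORK/guess.secret"
    openssl enc -d -aes-256-cbc -md sha256 \
        -pass "file:$WORK/guess.secret" -in "$WORK/data.enc" 2>/dev/null || true
}

# Stand-alone run of the whole exchange.
server_keypair
client_seal_secret
server_unseal_secret && echo "server recovered the client's secret"
server_send "hello over the encrypted channel"
echo "client read: $(client_receive)"
```

What the demo cannot show is step 4's validity check: a real browser decides whether to trust the public key by checking the certificate chain, which is exactly why the self-signed certificate generated in 12.19 triggers a warning page.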
12.19 Generating an SSL key pair
- [root@localhost vhost]# cd /usr/local/nginx/conf/ ## the public and private keys go under conf
- [root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048 ## generate the private key
- Generating RSA private key, 2048 bit long modulus
- ......+++
- ...................................................+++
- e is 65537 (0x10001)
- Enter pass phrase for tmp.key:
- Verifying - Enter pass phrase for tmp.key:
- [root@localhost conf]# openssl rsa -in tmp.key -out arsenal.key
- Enter pass phrase for tmp.key: ## convert the key, removing the passphrase
- writing RSA key
- [root@localhost conf]# rm -f tmp.key ## delete the passphrase-protected copy
- [root@localhost conf]# openssl req -new -key arsenal.key -out arsenal.csr
This generates the certificate signing request; this file and the private key are then used together to produce the public certificate file.
- [root@localhost conf]# openssl x509 -req -days 365 -in arsenal.csr -signkey arsenal.key -out arsenal.crt
- Signature ok
- subject=/C=cn/ST=nj/L=nj/O=60/CN=arsenal/emailAddress=270139442@qq.com
- Getting Private key
- [root@localhost conf]# ls
- arsenal.crt fastcgi.conf fastcgi_params.default koi-win nginx.conf scgi_params.default vhost
- arsenal.csr fastcgi.conf.default htpasswd mime.types nginx.conf.bak uwsgi_params win-utf
- arsenal.key fastcgi_params koi-utf mime.types.default scgi_params uwsgi_params.default
12.20 Configuring SSL in Nginx
- [root@localhost conf]# mkdir /data/wwwroot/aming.com
- [root@localhost vhost]# cd /usr/local/nginx/conf/vhost/
- [root@localhost vhost]# vim ssl.conf
- [root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
- nginx:[emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
- nginx:configuration file /usr/local/nginx/conf/nginx.conf test failed
If you get the error unknown directive ssl, nginx was probably built without SSL support; recompile nginx with --with-http_ssl_module added.
- [root@localhost vhost]# /usr/local/nginx/sbin/nginx -V
- nginx version: nginx/1.12.2
- built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
- built with OpenSSL 1.0.2k-fips 26 Jan 2017
- TLS SNI support enabled
- configure arguments: --prefix=/usr/local/nginx
- [root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
- (compile output omitted)
- [root@localhost vhost]# make && make install
- (output omitted)
- [root@localhost vhost]# /usr/local/nginx/sbin/nginx -V
- nginx version: nginx/1.12.2
- built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
- built with OpenSSL 1.0.2k-fips 26 Jan 2017
- TLS SNI support enabled
- configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
- [root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
- nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
- nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
- [root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
- [root@localhost vhost]# /usr/local/nginx/sbin/nginx -t
- nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
- nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
- [root@localhost vhost]# /usr/local/nginx/sbin/nginx -s reload
- [root@localhost vhost]# /usr/local/nginx/sbin/nginx restart
- nginx: invalid option: "restart"
- [root@localhost vhost]# /etc/init.d/nginx restart
- Restarting nginx (via systemctl): [ 确定 ]
- [root@localhost vhost]# netstat -lntp
- Active Internet connections (only servers)
- Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
- tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4252/nginx: master
- tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 797/sshd
- tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1083/master
- tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4252/nginx: master
- tcp6 0 0 :::22 :::* LISTEN 797/sshd
- tcp6 0 0 ::1:25 :::* LISTEN 1083/master
- tcp6 0 0 :::3306 :::* LISTEN 1044/mysqld
- (port 443 is now listening)
- [root@localhost vhost]# cd /data/wwwroot/aming.com/
- [root@localhost arsenal.com]# vim index.html
- [root@localhost arsenal.com]# curl -x127.0.0.1:443 https://aming.com
- curl: (56) Received HTTP code 400 from proxy after CONNECT
- [root@localhost arsenal.com]# vim /etc/hosts ## point aming.com at this host, so curl connects to nginx directly instead of sending a proxy CONNECT with -x
- [root@localhost arsenal.com]# curl https://aming.com
- (the certificate is not trusted, but the configuration is actually working)
Add 192.168.65.128 aming.com to the Windows hosts file
Open a browser and visit https://aming.com
Advanced > Proceed anyway
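Sections 12.19 and 12.20 together are one procedure: make a key, a CSR and a self-signed certificate, then point a vhost at them. The script below is an added example, not the notes' own commands: it runs the same openssl sequence non-interactively (no -des3 passphrase round trip, subject supplied with -subj), writes the ssl.conf the notes edit but never show, and checks that the certificate really belongs to the key before nginx is asked to load them. The output directory, host name and document root are assumptions for the demo.

```shell
#!/bin/sh
set -eu

# $1 = output dir, $2 = common name (the host name the vhost will serve)
gen_selfsigned() {
    dir=$1; cn=$2
    openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null          # private key, no passphrase
    openssl req -new -key "$dir/$cn.key" -out "$dir/$cn.csr" \
        -subj "/C=cn/ST=nj/L=nj/O=60/CN=$cn" 2>/dev/null         # CSR without prompts
    openssl x509 -req -days 365 -in "$dir/$cn.csr" \
        -signkey "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null  # self-signed certificate
    chmod 600 "$dir/$cn.key"                                     # only root/nginx should read it
}

# Returns 0 when the certificate's public key is the one derived from this private key.
# A mismatch here is the usual cause of "SSL_CTX_use_PrivateKey_file() failed" at nginx -t.
cert_matches_key() {  # $1 = crt, $2 = key
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl md5)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
    [ "$c" = "$k" ]
}

# $1 = out file, $2 = server_name, $3 = crt path, $4 = key path, $5 = document root
# `listen 443 ssl` is the current form of enabling TLS; like the older `ssl on;`
# it still requires nginx built with --with-http_ssl_module.
write_ssl_vhost() {
    cat > "$1" <<EOF
server {
    listen 443 ssl;
    server_name $2;
    root $5;
    index index.html;
    ssl_certificate $3;
    ssl_certificate_key $4;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
}
server {
    listen 80;
    server_name $2;
    return 301 https://\$host\$request_uri;
}
EOF
}

# Stand-alone run with constructed paths.
OUT=$(mktemp -d)
gen_selfsigned "$OUT" aming.com
cert_matches_key "$OUT/aming.com.crt" "$OUT/aming.com.key" && echo "cert and key match"
write_ssl_vhost "$OUT/ssl.conf" aming.com "$OUT/aming.com.crt" "$OUT/aming.com.key" /data/wwwroot/aming.com
cat "$OUT/ssl.conf"
```

Copy the three files into /usr/local/nginx/conf/ and ssl.conf into conf/vhost/, then run `nginx -t` and `nginx -s reload` as in the notes. The browser will still show the warning page from step 4 of 12.18 because nothing outside this host trusts the self-signed certificate; the 301 on port 80 just keeps plain-HTTP requests for the same name from being served unencrypted.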
Wrote until almost 1 o'clock and I am really a bit sleepy, so these notes are a little hurried; I will update them when there is more time.
If there are mistakes, corrections are welcome; let's learn from each other and make progress together!!!
2018-3-16 Week 12, Lesson 5: Nginx load balancing, how SSL works, key configuration
Source: http://www.bubuko.com/infodetail-2529532.html