LNMP Architecture (5): Nginx load balancing, how SSL works, generating an SSL key pair, configuring SSL
Table of contents
- 1. Nginx load balancing
- 1.1 Load balancing configuration parameters
- 1.2 Checking
- 1.3 The dig command
- 2. How SSL works
- 2.1 HTTP, HTTPS, TCP
- 2.2 SSL workflow
- 3. Generating an SSL key pair
- 3.1 Preparing the tool
- 3.2 Creating the private key
- 3.3 Generating the certificate yourself
- 3.4 Creating the public key
- 4. Configuring SSL in Nginx
- 4.1 Configuration file
- 4.2 Checking
- 4.3 Error "unknown directive ssl": the ssl directive is not recognized; nginx has to be recompiled with --with-http_ssl_module
- 4.4 Testing
- 4.5 Adding a local domain name
1. Nginx load balancing
Nginx load balancing means that when the proxy server resolves a custom domain name to several specified IPs, the upstream module makes sure users can reach each of those IPs normally through the proxy (reverse-proxying several servers is load balancing).
1.1 Load balancing configuration parameters
```
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream qq    # custom upstream name, referenced by proxy_pass below
{
    ip_hash;   # keeps the same user on the same backend machine;
               # also, when the name points at several IPs, each user always resolves to the same IP
    server 61.135.157.156:80;
    server 125.39.240.113:80;   # IPs of the web servers
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
1.2 Checking
Before enabling the proxy
```
[[email protected] ~]# curl -x127.0.0.1:80 www.qq.com
This is the default directory.
# without the proxy configuration, the request lands on the default virtual host
```
After enabling the proxy
```
[[email protected] ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] ~]# curl -x127.0.0.1:80 www.qq.com
……
# with the proxy in place, the request is served with the page from the IPs the proxy points at
```
1.3 The dig command
dig is a commonly used domain-name resolution tool; it can find all the IPs of a domain name.
If the command is not installed on the server:
```
[[email protected] ~]# yum install -y bind-utils
```
Resolve all IPs of the qq site:
```
[[email protected] ~]# dig www.qq.com
;; ANSWER SECTION:
www.qq.com.             138     IN      A       61.135.157.156
www.qq.com.             138     IN      A       125.39.240.113

;; Query time: 12 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 二 9月 12 22:44:23 CST 2017
;; MSG SIZE  rcvd: 61
```
2. How SSL works
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide confidentiality and data integrity for network communication.
2.1 HTTP, HTTPS, TCP
- HTTP (HyperText Transfer Protocol) is the most widely used network protocol on the Internet.
- HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is, put simply, the encrypted, secure version of HTTP.
- The default port of HTTP is 80; the port of HTTPS is 443.
- TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream based transport-layer protocol. By default it listens on port 80.
- HTTP is an application-layer protocol, TCP a transport-layer one. HTTP uses TCP to carry its text data; HTTP only defines how the data carried by TCP is parsed.
2.2 SSL workflow
- The browser sends an https request to the server;
- The server needs a set of digital certificates. It can make them itself (the steps later in this post use a certificate Aming made himself) or apply to a certificate authority. The difference is that with a self-issued certificate the client has to accept it before access can continue, whereas with a certificate issued by a trusted company no warning page pops up. This "certificate" is really a public/private key pair;
- The server sends the public key to the client;
- After receiving the public key, the client (browser) checks whether it is valid. If not, a warning is shown; if it is, the client generates a random string and encrypts it with the received public key;
- The client sends the encrypted random string to the server;
- On receiving it, the server first decrypts it with its private key (public-key encryption, private-key decryption). Having obtained the random string, it then uses that string to encrypt the data it transmits (this is symmetric encryption: the data and the key, i.e. this random string, are mixed together by some algorithm, so that nobody can recover the data without knowing the key);
- The server sends the encrypted data to the client;
- When the client receives the data, it decrypts it with its own key, i.e. that random string.
3. Generating an SSL key pair
An SSL certificate is a pair of public and private keys.
3.1 Preparing the tool
If the tool is not present in the virtual machine, install it manually:
```
[[email protected] ~]# yum install -y openssl
```
3.2 Creating the private key
```
[[email protected] ~]# cd /usr/local/nginx/conf/
[[email protected] conf]# openssl genrsa -des3 -out tmp.key 2048    // generate the SSL private key
Generating RSA private key, 2048 bit long modulus
....................................................................................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
// the key asks for a passphrase; normally we do not want one, so convert the key to drop it
[[email protected] conf]# openssl rsa -in tmp.key -out host.key    // convert tmp.key into host.key, which has no passphrase
Enter pass phrase for tmp.key:
writing RSA key
[[email protected] conf]# rm -f tmp.key    // delete tmp.key
```
3.3 Generating the certificate yourself
```
[[email protected] conf]# openssl req -new -key host.key -out host.csr    // create a certificate request file; the certificate is generated from it together with the private key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:BeiJing
Organizational Unit Name (eg, section) []:BeiJing
Common Name (eg, your name or your server's hostname) []:host
Email Address []:[email protected]
# the above is the certificate information; since this certificate is self-issued you can fill in anything or just press Enter to skip,
# but for a certificate used on a real site it is best to fill the fields in properly

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
```
3.4 Creating the public key
```
[[email protected] conf]# openssl x509 -req -days 365 -in host.csr -signkey host.key -out host.crt    // host.crt here is the public key (the certificate)
Signature ok
subject=/C=11/ST=BeiJing/L=BeiJing/O=BeiJing/OU=BeiJing/CN=host/[email protected]
Getting Private key
```
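The steps in 3.2 to 3.4 as one script, added here as an example that is not from the original post: it generates the key, request and self-signed certificate without the interactive prompts, then runs the checks worth doing before handing the files to nginx (key and certificate belong together, the CN equals the server_name, and the certificate verifies when it is itself the trust anchor). The output directory and the CN are parameters, the subject fields are constructed placeholders, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Non-interactive version of
# 3.2-3.4 plus the checks a practitioner runs afterwards. Requires openssl.
set -eu

gen_selfsigned() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # 3.2: private key without a passphrase (same result as genrsa -des3 + rsa conversion)
    openssl genrsa -out "$dir/host.key" 2048 2>/dev/null
    chmod 600 "$dir/host.key"       # nginx reads it as root; keep everyone else out
    # 3.3: certificate request, subject given on the command line instead of the prompts
    openssl req -new -key "$dir/host.key" -out "$dir/host.csr" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=Example/CN=$cn"
    # 3.4: self-sign the request for 365 days
    openssl x509 -req -days 365 -in "$dir/host.csr" -signkey "$dir/host.key" \
        -out "$dir/host.crt" 2>/dev/null
}

# Key and certificate must belong together: the RSA modulus of both has to match.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ "$k" = "$c" ]
}

# Extract the CN so it can be compared with the server_name nginx will serve.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# A self-signed certificate only verifies when it is itself the trust anchor;
# this is exactly why curl in 4.5 fails against the default CA bundle.
verify_against_self() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
```

The same trust-anchor idea fixes the curl error in 4.5 without disabling verification: `curl --cacert /usr/local/nginx/conf/host.crt https://zhouqun.com/` accepts the self-signed certificate while still checking that the name matches.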
4. Configuring SSL in Nginx
4.1 Configuration file
```
[[email protected] conf]# cd vhost/
[[email protected] vhost]# vim ssl.conf
server
{
    listen 443;
    server_name zhouqun.com;
    index index.html index.php;
    root /data/wwwroot/zhouqun.com;
    ssl on;                                  # enable ssl
    ssl_certificate host.crt;                # public key (certificate)
    ssl_certificate_key host.key;            # private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     # allowed protocol versions
}
[[email protected] vhost]# mkdir /data/wwwroot/zhouqun.com
```
4.2 Checking
```
[[email protected] conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7    // error
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
```
4.3 Error "unknown directive ssl": the ssl directive is not recognized; nginx has to be recompiled with --with-http_ssl_module
```
[[email protected] conf]# cd /usr/local/src/nginx-1.12.1/
[[email protected] nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[[email protected] conf]# make
[[email protected] conf]# make install
[[email protected] nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  OK  ]
[[email protected] nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5991/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1735/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2040/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5991/nginx: master
tcp6       0      0 :::3306                 :::*                    LISTEN      1990/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      1735/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2040/master
```
nginx is now listening on ports 80 and 443.
4.4 Testing
```
[[email protected] nginx-1.12.1]# cd /data/wwwroot/zhouqun.com/
[[email protected] adai.com]# vim index.html
This is ssl.
```
4.5 Adding a local domain name
```
[[email protected] adai.com]# vim /etc/hosts
127.0.0.1 zhouqun.com
[[email protected] vhost]# curl https://zhouqun.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```
Because this certificate was created by ourselves and does not meet the requirements of the HTTPS certificate authorities, it cannot be recognized as trusted; with a properly issued certificate there would be no problem.
So if you want to test with a browser, you need to edit the Windows hosts file before running the test, otherwise you will get a certificate error.
Original source: oschina -> https://my.oschina.net/zhouyuntai/blog/1787409