Behind a proxy server there can be several web servers; when more than one web server provides the same service, the proxy can balance the load between them.
Without a load balancer, clients reach the web servers one by one, or the domain name is simply resolved to the IP addresses of several servers (DNS round robin).
Example:
user 1 -> web1
user 2 -> web2
user 1 -> web1 (down)
User 1 resolved to web1, but web1 is down, so user 1 cannot reach the site: DNS does not know that the server has failed and keeps handing out its address.
With nginx load balancing, when web1 goes down the proxy stops sending requests to it (by default a backend that fails once is taken out of rotation for 10 seconds and then tried again).
Configuring load balancing
dig shows the IP addresses a domain name resolves to; it comes from the package "bind-utils".
[root@aminglinux-02 vhost]# yum install -y bind-utils
[root@aminglinux-02 vhost]# dig qq.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> qq.com
;; global options: cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29688
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                        IN      A

;; ANSWER SECTION:
qq.com.                 353     IN      A       14.17.32.211

;; Query time: 35 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: Wed Aug 16 00:14:17 CST 2017
;; MSG SIZE  rcvd: 51
Create a new configuration file, load.conf (nginx comments start with #; // is not a comment to nginx and makes nginx -t fail):
upstream qq_com {                   # the upstream name is arbitrary
    ip_hash;                        # keep one client on the same backend
    server 14.17.32.211:80;         # :80 is the default and may be omitted; one "server" line per backend
}
server {
    listen 80;                      # listening port
    server_name www.qq.com;         # domain name
    location / {
        proxy_pass http://qq_com;   # "http://" followed by the upstream name; nginx picks a backend from that list
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
upstream lists the web servers.
When several servers serve one domain and a user keeps using it for a while, successive requests may land on a different backend than before; if login state lives on the individual backend, the user is asked to log in again or appears to have been sent to another server. ip_hash fixes this: the client's IP address is hashed to choose the backend, so the same client is always sent to the same server for that domain, as long as that server is up.
Caveat: ip_hash keys on the client address as nginx sees it. If nginx itself sits behind another proxy or a NAT, many users share one source IP and all of them hash to the same backend; in that case shared session storage on the backends is a better fix than IP affinity.
Testing
Before the load-balancing configuration is in place, curl -x 127.0.0.1 reaches the default virtual host:
[root@aminglinux-02 vhost]# curl -x127.0.0.1:80 www.qq.com
This is the default site.
After editing the configuration, check the syntax and reload:
[root@aminglinux-02 vhost]# /usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload
Test again:
[root@aminglinux-02 vhost]# curl -x127.0.0.1:80 www.qq.com
...
var _mtac = {};
(function() {
    var mta = document.createElement("script");
    mta.src = "http://pingjs.qq.com/h5/stats.js?v2.0.2";
    mta.setAttribute("name", "MTAH5");
    mta.setAttribute("sid", "500460529");
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(mta, s);
})();
</script>
</body>
</html><!--[if !IE]>|xGv00|66aaf676da3c9edb56f9fd489826d8e6<![endif]-->
This time curl reaches the qq.com homepage through the proxy; what comes back is the HTML source of the page.
Notes:
Contrary to a common claim, nginx can proxy to HTTPS backends as well as to HTTP and TCP ones: with ngx_http_ssl_module, proxy_pass https://backend works, and proxy_ssl_verify on together with proxy_ssl_trusted_certificate makes nginx verify the backend's certificate.
What is set up below is the usual TLS-termination pattern instead: nginx listens on 443 with the certificate and forwards plain HTTP to the web servers on port 80. The hop from nginx to the backends is then unencrypted, so it must run over a network you trust.
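The following Go program is an added example, not code from the course or from nginx: it models what the upstream block above does, so the behaviour can be run and checked offline. ip_hash picks the backend from a hash of the client IP; a backend that refuses the connection is marked down and the request is retried on the next one (nginx defaults: max_fails=1, fail_timeout=10s); when no backend is left the client gets a 502. The two live backends, the closed port standing in for the crashed web1 and the client address 10.1.2.3 are all constructed inside the program; it uses only the Go standard library.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

const failTimeout = 10 * time.Second // nginx's default fail_timeout; max_fails=1 is modelled

// Backend is one "server" line; after a failure it is skipped until downTill.
type Backend struct {
	Addr     string
	downTill time.Time
}

// Upstream is the upstream block with ip_hash (single-goroutine demo, no locking).
type Upstream struct{ backends []*Backend }

// hashIP is the ip_hash part: the client IP fixes the starting backend.
func hashIP(ip string) uint32 {
	h := fnv.New32a()
	h.Write([]byte(ip))
	return h.Sum32()
}

// pick returns the first healthy backend at or after the hashed index, or nil.
func (u *Upstream) pick(clientIP string) *Backend {
	n := len(u.backends)
	start := int(hashIP(clientIP) % uint32(n))
	for i := 0; i < n; i++ {
		if b := u.backends[(start+i)%n]; time.Now().After(b.downTill) {
			return b
		}
	}
	return nil
}

// ServeHTTP proxies one request; a refused connection marks the backend down and
// the next one is tried (proxy_next_upstream); with none left the client gets 502.
func (u *Upstream) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	clientIP, _, _ := net.SplitHostPort(r.RemoteAddr)
	for range u.backends {
		b := u.pick(clientIP)
		if b == nil {
			break
		}
		target, _ := url.Parse(b.Addr) // httptest URLs are well-formed
		failed := false
		rp := httputil.NewSingleHostReverseProxy(target) // appends X-Forwarded-For itself
		rp.ErrorHandler = func(http.ResponseWriter, *http.Request, error) { failed = true }
		rp.ServeHTTP(w, r)
		if !failed {
			return
		}
		b.downTill = time.Now().Add(failTimeout)
	}
	http.Error(w, "no live upstreams", http.StatusBadGateway)
}

// route sends one GET "from" clientIP through the upstream in-process.
func route(u *Upstream, clientIP string) (int, string) {
	req := httptest.NewRequest("GET", "http://www.qq.com/", nil)
	req.RemoteAddr = clientIP + ":40000"
	rec := httptest.NewRecorder()
	u.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

type page string // a backend that answers with its own name
func (p page) ServeHTTP(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, string(p)) }

// Demo: client 10.1.2.3 (constructed) hashes to a backend whose port is closed, like the
// crashed web1 in the text. Returns its two answers and the status when no backend is up.
func Demo() (first, second string, allDownStatus int) {
	web1, web2, dead := httptest.NewServer(page("web1")), httptest.NewServer(page("web2")), httptest.NewServer(page("web3"))
	defer web1.Close()
	defer web2.Close()
	dead.Close() // its port now refuses connections

	const clientIP = "10.1.2.3"
	shift := (int(hashIP(clientIP)%3) + 1) % 3 // rotate so dead lands where this IP hashes
	u := &Upstream{backends: make([]*Backend, 3)}
	for i, a := range []string{web1.URL, web2.URL, dead.URL} {
		u.backends[(i+shift)%3] = &Backend{Addr: a}
	}
	_, first = route(u, clientIP)  // fails over past the dead backend
	_, second = route(u, clientIP) // sticks to the live backend chosen before
	allDownStatus, _ = route(&Upstream{backends: []*Backend{{Addr: dead.URL}}}, clientIP)
	return first, second, allDownStatus
}

func main() {
	first, second, status := Demo()
	fmt.Printf("first=%s second=%s all-down=%d\n", first, second, status)
}
```

Run it with go run: the first request from 10.1.2.3 is answered by a live backend although its hash points at the dead one, the second request goes to that same backend, and the upstream whose only server is down answers 502. Go's ReverseProxy appends the client address to X-Forwarded-For exactly as $proxy_add_x_forwarded_for does in the nginx config above.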
12.18 How SSL works: the difference between HTTP and HTTPS
HTTPS traffic is encrypted. With plain HTTP, anyone who captures the packets in transit can read them, which leaks the data; HTTPS encrypts the packets exchanged between client and server, and the certificate additionally lets the client check that it is talking to the intended server rather than to someone in the middle.
SSL workflow (the RSA key-exchange model taught here):
1. The browser sends an HTTPS request to the server.
2. The server has a certificate. It can be self-made (the one used later in these notes is) or issued by a certificate authority; the difference is that a self-signed certificate is only accepted after the client explicitly trusts it, whereas a certificate from a trusted authority produces no warning page. The certificate carries the server's public key; the matching private key stays on the server and is never sent.
3. The server sends the certificate, and with it the public key, to the client.
4. The client (browser) checks the certificate: the signature chain, the validity period and that the name matches the host it asked for. If the check fails it shows a warning; if it passes, the client generates a random secret and encrypts it with the server's public key.
5. The client sends the encrypted secret to the server.
6. The server decrypts it with its private key (public key encrypts, private key decrypts). Both sides now hold the same secret and use it as a symmetric key: data and key are combined by a symmetric algorithm so that without the key the data cannot be recovered.
7. The server sends the symmetrically encrypted data to the client.
8. The client decrypts it with the same symmetric key.
Note: this is the RSA key-transport handshake of TLS 1.2 and earlier. It has no forward secrecy (whoever later obtains the server's private key can decrypt recorded traffic), which is why TLS 1.3 dropped it in favour of ephemeral Diffie-Hellman; the symmetric part that follows is the same.
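To make the steps concrete, here is an added Go example (not part of the course notes) that runs the exchange above with standard-library primitives: the server's RSA key pair stands in for the certificate, the client's random secret is wrapped with RSA-OAEP (steps 4 to 6) and application data is protected with AES-256-GCM (steps 6 to 8). Certificate validation in step 4 is not modelled. The message text is constructed. GCM also authenticates each record, something the description above leaves out: a record modified in transit is rejected instead of being decrypted into garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Steps 4 and 5, client side: draw a random secret and encrypt it to the
// server's public key. RSA-OAEP is used here; the PKCS#1 v1.5 padding that
// TLS 1.2 key transport used is what padding-oracle attacks target.
func ClientKeyExchange(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // becomes the AES-256 key
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// Step 6, server side: only the private key can unwrap the secret.
func RecoverSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Steps 6 to 8: application data under the shared symmetric key. GCM also
// authenticates, so a record altered in transit fails to open.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func Open(key, record []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// Handshake runs the exchange end to end: the server encrypts msg under the
// secret it recovered and the client decrypts it with the secret it generated.
// The record and the client's key are returned so a caller can try tampering.
func Handshake(msg string) (plaintext string, record, clientKey []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // step 2: the server's key pair
	if err != nil {
		return "", nil, nil, err
	}
	clientKey, wrapped, err := ClientKeyExchange(&priv.PublicKey) // step 3: public key handed to the client
	if err != nil {
		return "", nil, nil, err
	}
	serverKey, err := RecoverSessionKey(priv, wrapped)
	if err != nil {
		return "", nil, nil, err
	}
	if record, err = Seal(serverKey, []byte(msg)); err != nil { // step 7
		return "", nil, nil, err
	}
	pt, err := Open(clientKey, record) // step 8
	return string(pt), record, clientKey, err
}

func main() {
	pt, record, _, err := Handshake("GET / HTTP/1.1")
	if err != nil {
		panic(err)
	}
	fmt.Printf("client read %q from a %d-byte record\n", pt, len(record))
}
```

The key that protects the data is never sent in the clear: it travels only inside the RSA-wrapped blob, and every record after that carries a 16-byte GCM tag, so flipping a single byte of ciphertext makes Open fail rather than return altered plaintext.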
12.19 Generating the SSL key pair
Generate the key pair on your own virtual machine.
The openssl tool is needed.
Install it if it is not already installed.
[root@aminglinux-02 conf]# rpm -qf `which openssl`
openssl-1.0.1e-60.el7_3.1.x86_64
Generate the key
[root@aminglinux-02 conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.
....................................
e is 65537 (0x10001)
Enter pass phrase for tmp.key:              # enter a passphrase
Verifying - Enter pass phrase for tmp.key:  # enter it again
Command explained:
openssl genrsa -des3 -out tmp.key 2048: genrsa generates an RSA private key; -des3 encrypts it with a passphrase; 2048 is the key length in bits; -out tmp.key names the output file.
Because the key is encrypted, nginx would prompt for the passphrase every time it starts, which is impractical, so the passphrase is removed next.
Convert the key, removing the passphrase. An unencrypted key then has to be protected by the file system instead: keep it owned by root with mode 600 (nginx's master process runs as root, reads the key at startup and only then forks the unprivileged workers). If the key must stay encrypted, nginx 1.7.3 and later can read the passphrase from a file given by ssl_password_file.
If the wrong passphrase is entered, openssl cannot load the key:
[root@aminglinux-02 conf]# openssl rsa -in tmp.key -out aminglinux.key
Enter pass phrase for tmp.key:
unable to load Private Key
139930989189024:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:604:
139930989189024:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:483:
With the correct passphrase:
[root@aminglinux-02 conf]# openssl rsa -in tmp.key -out aminglinux.key
Enter pass phrase for tmp.key:
writing RSA key
The passphrase has been removed.
Command explained:
-in tmp.key reads tmp.key; -out aminglinux.key writes the unencrypted key to aminglinux.key.
Generating the certificate
Generate a certificate signing request (CSR). In the next step the CSR and the private key are used to produce the certificate (the .crt file, which carries the public key together with the name it is issued for).
[root@aminglinux-02 conf]# openssl req -new -key aminglinux.key -out aminglinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn                                    # country, two letters
State or Province Name (full name) []:GuangXi                           # state or province
Locality Name (eg, city) [Default City]:LiuZhou                         # city
Organization Name (eg, company) [Default Company Ltd]:aming             # company
Organizational Unit Name (eg, section) []:aming                         # department
Common Name (eg, your name or your server's hostname) []:aminglinux     # must be the site's hostname, see below
Email Address []:amin@adminlinux.com                                    # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1231512315                                      # optional and rarely used; may be left blank
An optional company name []:                                            # optional company name
The Common Name has to be the hostname clients will connect to (the server is configured as aming.com further down). Browsers and curl compare it, or the Subject Alternative Name, with the host in the URL and reject the certificate on a mismatch, so "aminglinux" as entered above will not validate for aming.com.
Use the CSR and the private key to generate the certificate. Because the certificate is signed with its own key (-signkey), it is self-signed:
[root@aminglinux-02 conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
Signature ok
subject=/C=cn/ST=GuangXi/L=LiuZhou/O=aming/OU=aming/CN=aminglinux/emailAddress=amin@adminlinux.com
Getting Private key
12.20 Configuring SSL in nginx
Create a new configuration file
[root@aminglinux-02 conf]# cd vhost/
[root@aminglinux-02 vhost]# pwd
/usr/local/nginx/conf/vhost
ssl.conf:
server {
    listen 443;
    server_name aming.com;                  # hostname
    index index.html index.php;
    root /data/wwwroot/aming.com;           # document root
    ssl on;                                 # enable SSL (works on 1.12; later versions use "listen 443 ssl;" instead)
    ssl_certificate aminglinux.crt;         # certificate, path relative to /usr/local/nginx/conf
    ssl_certificate_key aminglinux.key;     # private key; keep it root-owned, mode 600
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); allow only TLSv1.2 unless old clients must be served
}
Because this is a new virtual host, its document root has to be created as well (mkdir -p /data/wwwroot/aming.com).
After editing, check the syntax:
[root@aminglinux-02 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
It fails: nginx was built with the minimal configure options and has no SSL support.
Adding the SSL module
Check how the running binary was built:
[root@aminglinux-02 vhost]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
configure arguments: --prefix=/usr/local/nginx
nginx has to be rebuilt with SSL support added to these configure arguments.
Go to the nginx source directory and rebuild:
[root@aminglinux-02 src]# cd nginx-1.12.1
[root@aminglinux-02 nginx-1.12.1]# pwd
/usr/local/src/nginx-1.12.1
List the SSL-related configure options:
[root@aminglinux-02 nginx-1.12.1]# ./configure --help | grep -i ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
The one needed here is --with-http_ssl_module.
[root@aminglinux-02 nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
checking for OS
 + Linux 3.10.0-514.el7.x86_64 x86_64
checking for C compiler ... found
 + using GNU C compiler
 + gcc version: 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
checking for gcc -pipe switch ... found
...
  nginx error log file: "/usr/local/nginx/logs/error.log"
  nginx http access log file: "/usr/local/nginx/logs/access.log"
  nginx http client request body temporary files: "client_body_temp"
  nginx http proxy temporary files: "proxy_temp"
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"
[root@aminglinux-02 nginx-1.12.1]# make && make install
...
test -d '/usr/local/nginx/logs' || mkdir -p '/usr/local/nginx/logs'
make[1]: Leaving directory '/usr/local/src/nginx-1.12.1'
[root@aminglinux-02 nginx-1.12.1]# echo $?
0
Check the build again:
[root@aminglinux-02 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
Re-check the configuration syntax:
[root@aminglinux-02 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Restart nginx (a reload is not enough here: make install replaced the binary itself, and the running master process still executes the old one):
[root@aminglinux-02 nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  OK  ]
Check the listening ports:
[root@aminglinux-02 nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5761/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      995/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2181/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5761/nginx: master
tcp6       0      0 :::3306                 :::*                    LISTEN      1773/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      995/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2181/master
nginx now also listens on port 443.
Testing
Create a test file:
[root@aminglinux-02 nginx-1.12.1]# cd /data/wwwroot/aming.com/
[root@aminglinux-02 aming.com]# pwd
/data/wwwroot/aming.com
[root@aminglinux-02 aming.com]# vim index.html
This is SSL
curl -x cannot be used for this test: -x makes curl treat nginx as an HTTP proxy and send it a CONNECT request, which nginx does not understand, so it answers 400:
[root@aminglinux-02 aming.com]# curl -x127.0.0.1:443 https://aming.com
curl: (56) Received HTTP code 400 from proxy after CONNECT
Instead, point the hostname at this machine with --resolve (curl 7.21.3 and later), which keeps the URL and the TLS hostname check intact:
curl --resolve aming.com:443:127.0.0.1 https://aming.com
Or edit /etc/hosts, as done next.
Edit hosts and access the site directly:
[root@aminglinux-02 aming.com]# vi /etc/hosts
[root@aminglinux-02 aming.com]# curl https://aming.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Error: curl: (60), the peer's certificate issuer is not trusted by the user.
This is expected and shows that TLS is working: the handshake got as far as certificate verification, which fails only because the certificate is self-signed. Pass the certificate as the trust anchor (curl --cacert /usr/local/nginx/conf/aminglinux.crt https://aming.com) rather than using -k, which disables verification entirely and is for debugging only. Even with --cacert this particular certificate is still rejected: its Common Name is aminglinux and it has no Subject Alternative Name, so it does not match aming.com. Reissue the CSR with the Common Name set to aming.com.
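As an added example (not from the course notes or from nginx), the Go program below does in code what the openssl genrsa, req -new and x509 -req -signkey steps in 12.19 do, then reproduces the curl results above without nginx or a network: a client that trusts no CA (curl without --cacert) fails with an unknown issuer, a client that trusts the self-signed certificate (curl --cacert aminglinux.crt) reads "This is SSL", and a client that trusts it but connects under a name the certificate was not issued for fails the hostname check, which is what the Common Name aminglinux causes for server_name aming.com. The hostname aming.com, the organisation name aming and the page text come from the page; the key, the certificate and the loopback listener are generated when the program runs.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// SelfSigned is the equivalent of openssl genrsa (no passphrase), req -new and
// x509 -req -signkey: a certificate signed by its own key. The host goes into a
// SAN entry, which is what clients check against the URL.
func SelfSigned(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"aming"}},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // -days 365
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// Get fetches url over TLS trusting only roots (an empty pool means no CA at all)
// and checks the certificate against serverName, as curl checks the URL's host.
func Get(url string, roots *x509.CertPool, serverName string) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Classify maps a verification error to the reason curl would print.
func Classify(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "untrusted issuer" // curl: (60) ... issuer has been marked as not trusted
	case errors.As(err, &badName):
		return "name mismatch" // curl: (60) ... subject name does not match target host name
	default:
		return "other: " + err.Error()
	}
}

// Demo serves "This is SSL" behind a self-signed aming.com certificate and tries
// three clients: no trust, trust with the right name, trust with the wrong name.
func Demo() (untrusted, trusted, wrongName, body string) {
	cert, leaf, err := SelfSigned("aming.com")
	if err != nil {
		panic(err)
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "This is SSL")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the equivalent of curl --cacert aminglinux.crt
	_, err = Get(srv.URL, x509.NewCertPool(), "aming.com")
	untrusted = Classify(err)
	body, err = Get(srv.URL, pool, "aming.com")
	trusted = Classify(err)
	_, err = Get(srv.URL, pool, "aminglinux") // the CN the course typed into its CSR
	wrongName = Classify(err)
	return untrusted, trusted, wrongName, body
}

func main() {
	u, t, w, body := Demo()
	fmt.Printf("no CA: %s | --cacert: %s (%q) | wrong name: %s\n", u, t, body, w)
}
```

Note what the three results show: trusting the self-signed certificate explicitly is the safe counterpart of --cacert, whereas -k would have returned the page in all three cases, including the one where the name does not match, which is exactly the check that stops a man-in-the-middle presenting a certificate for some other host.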
You can also try it from a browser.
Edit the hosts file on the local Windows machine.
If the site still cannot be reached, allow port 443 through the firewall, or flush the default rules:
[root@aminglinux-02 aming.com]# iptables -I INPUT -p tcp --dport 443 -j ACCEPT
This rule is not persistent: save it (for example with service iptables save from the iptables-services package on CentOS 7), or it is gone after a reboot.