2019獨角獸企業重金招聘Python工程師標準>>>

?11月29日任務

12.17?Nginx負載均衡

12.18?ssl原理

12.19?生成ssl密鑰對

12.20?Nginx配置ssl

?

?

?

12.17?Nginx負載均衡

• vim /usr/local/nginx/conf/vhost/load.conf // 寫入如下內容

upstream qq_com
{
? ? ip_hash;
? ? server 61.135.157.156:80;
? ? server 125.39.240.113:80;
}
server
{
? ? listen 80;
? ? server_name www.qq.com;
? ? location /
? ? {
? ? ? ? proxy_pass ? ? ?http://qq_com;
? ? ? ? proxy_set_header Host ? $host;
? ? ? ? proxy_set_header X-Real-IP ? ? ?$remote_addr;
? ? ? ? proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
? ? }
}

• ?upstream來指定多個web server

?

?

#操作過程

[root@zgxlinux-01 ~]# yum install -y bind-utils? ? ? ? #安裝dig命令，Dig是linux中的域名解析工具。

[root@zgxlinux-01 ~]# dig qq.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49057
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.?? ??? ??? ??? ?IN?? ?A

;; ANSWER SECTION:
qq.com.?? ??? ??? ?138?? ?IN?? ?A?? ?111.161.64.48
qq.com.?? ??? ??? ?138?? ?IN?? ?A?? ?111.161.64.40

;; Query time: 20 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 日 12月 02 12:41:31 CST 2018
;; MSG SIZE ?rcvd: 67
[root@zgxlinux-01 ~]# cd /usr/local/nginx/conf/vhost/
[root@zgxlinux-01 vhost]# vi ld.conf

[root@zgxlinux-01 vhost]# curl -x127.0.0.1:80 www.qq.com
This is the default site.
[root@zgxlinux-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@zgxlinux-01 vhost]# /usr/local/nginx/sbin/nginx -s reload
[root@zgxlinux-01 vhost]# curl -x127.0.0.1:80 www.qq.com? ? ? #這時候反饋的就是QQ主頁的源代碼

?

?

12.18?ssl原理

?

?

12.19?生成ssl密鑰對

?

• cd /usr/local/nginx/conf
• ?openssl genrsa -des3 -out tmp.key 2048//key文件為私鑰
• ?openssl rsa -in tmp.key -out aminglinux.key //轉換key，取消密碼?
• ?rm -f tmp.key
• ?openssl req -new -key aminglinux.key -out aminglinux.csr//生成證書請求文件，需要拿這個文件和私鑰一起生產公鑰文件
• ?openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
• ?這里的aminglinux.crt為公鑰

?

#操作過程

[root@zgxlinux-01 conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
......................................................................+++
..................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:

[root@zgxlinux-01 conf]# rm -f tmp.key?
[root@zgxlinux-01 conf]# ?openssl req -new -key aminglinux.key -out aminglinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:china
string is too long, it needs to be less than ?2 bytes long
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:zhangguoxiang
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:zhangguoxiang
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:zhangguoxiang
[root@zgxlinux-01 conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
Signature ok
subject=/C=11/ST=shanghai/L=shanghai/O=zhangguoxiang/CN=zhangguoxiang
Getting Private key
[root@zgxlinux-01 conf]# ls aminglinux.key?
aminglinux.key
?

?

?

12.20?Nginx配置ssl

• vim /usr/local/nginx/conf/vhost/ssl.conf//加入如下內容
• server
• {
• ? ? listen 443;
• ? ? server_name aming.com;
• ? ? index index.html index.php;
• ? ? root /data/wwwroot/aming.com;
• ? ? ssl on;
• ? ? ssl_certificate aminglinux.crt;
• ? ? ssl_certificate_key aminglinux.key;
• ? ? ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
• }
• ?-t && -s reload //若報錯unknown directive “ssl” ，需要重新編譯nginx，加上--with-http_ssl_module
• ?mkdir /data/wwwroot/aming.com
• ?echo “ssl test page.”>/data/wwwroot/aming.com/index.html
• ?編輯hosts，增加127.0.0.1 aming.com
• ?curl https://aming.com/

?

?

?

#操作過程

[root@zgxlinux-01 conf]# cd vhost/
[root@zgxlinux-01 vhost]# vim ssl.conf

[1]+ ?已停止 ? ? ? ? ? ? ? vim ssl.conf
[root@zgxlinux-01 vhost]# mkdir /data/wwwroot/zhangguoxiang.com

[root@zgxlinux-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "erver" in /usr/local/nginx/conf/vhost/ssl.conf:2
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@zgxlinux-01 vhost]# cd /usr/local/src/nginx-1.14.0/
[root@zgxlinux-01 nginx-1.14.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@zgxlinux-01 nginx-1.14.0]# make && make install

[root@zgxlinux-01 nginx-1.14.0]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)?
built with OpenSSL 1.0.2k-fips ?26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@zgxlinux-01 vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@zgxlinux-01 vhost]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): ? ? ? ? ? ? ? ? ? ? ? ? ?[ ?確定 ?]
[root@zgxlinux-01 vhost]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address ? ? ? ? ? Foreign Address ? ? ? ? State ? ? ? PID/Program name ? ?
tcp ? ? ? ?0 ? ? ?0 0.0.0.0:80 ? ? ? ? ? ? ?0.0.0.0:* ? ? ? ? ? ? ? LISTEN ? ? ?4530/nginx: master ?
tcp ? ? ? ?0 ? ? ?0 0.0.0.0:22 ? ? ? ? ? ? ?0.0.0.0:* ? ? ? ? ? ? ? LISTEN ? ? ?959/sshd ? ? ? ? ? ?
tcp ? ? ? ?0 ? ? ?0 127.0.0.1:25 ? ? ? ? ? ?0.0.0.0:* ? ? ? ? ? ? ? LISTEN ? ? ?1332/master ? ? ? ??
tcp ? ? ? ?0 ? ? ?0 0.0.0.0:443 ? ? ? ? ? ? 0.0.0.0:* ? ? ? ? ? ? ? LISTEN ? ? ?4530/nginx: master ?
tcp6 ? ? ? 0 ? ? ?0 :::3306 ? ? ? ? ? ? ? ? :::* ? ? ? ? ? ? ? ? ? ?LISTEN ? ? ?1196/mysqld ? ? ? ??
tcp6 ? ? ? 0 ? ? ?0 :::22 ? ? ? ? ? ? ? ? ? :::* ? ? ? ? ? ? ? ? ? ?LISTEN ? ? ?959/sshd ? ? ? ? ? ?
tcp6 ? ? ? 0 ? ? ?0 ::1:25 ? ? ? ? ? ? ? ? ?:::* ? ? ? ? ? ? ? ? ? ?LISTEN ? ? ?1332/master ? ? ? ??
?

[root@zgxlinux-01 vhost]# cd /data/wwwroot/zhangguoxiang.com/
[root@zgxlinux-01 zhangguoxiang.com]# ls
[root@zgxlinux-01 zhangguoxiang.com]# vim 1.txt

[root@zgxlinux-01 zhangguoxiang.com]# curl -x127.0.0.1:443 https://zhangguxoiang.com
curl: (56) Received HTTP code 400 from proxy after CONNECT

[root@zgxlinux-01 zhangguoxiang.com]# vi /etc/hosts

[root@zgxlinux-01 zhangguoxiang.com]# curl https://zhangguoxiang.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
?of Certificate Authority (CA) public keys (CA certs). If the default
?bundle file isn't adequate, you can specify an alternate file
?using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
?the bundle, the certificate verification probably failed due to a
?problem with the certificate (it might be expired, or the name might
?not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
?the -k (or --insecure) option.
#修改一下本機的hosts文檔，添加以下內容

#清空防火墻

[root@zgxlinux-01 zhangguoxiang.com]# iptables -F

#這個時候就可以用瀏覽器訪問，只不過我本機瀏覽器限制了，無法正常顯示。

轉載于:https://my.oschina.net/u/3959708/blog/2966414

總結

以上是生活随笔為你收集整理的Nginx负载均衡、ssl原理，生成ssl密钥对，配置Nginxssl的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。