
Nginx Configuration: Load Balancing and SSL Configuration

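I. Load Balancing

Load balancing is a fairly important feature in server-side development. Besides serving as a conventional web server, Nginx is also widely used as a reverse-proxy front end: its asynchronous framework can handle a very large number of concurrent requests, and once it is holding those requests it can distribute them to backend servers (also called a server pool; "backend" for short below) for complex computation, processing and responses. This model has many advantages: hiding the business hosts is more secure, it saves public IP addresses, and backend servers can easily be added when traffic grows.

Load balancing can be divided into hardware load balancing and software load balancing. The former is usually a dedicated device that combines specialized software and hardware; the vendor provides a complete, mature solution, which is usually also more expensive. Software load balancing is dominated by Nginx, and this article is a study based on its manual.

1. Modify the virtual host configuration file (using qq.com as an example)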

[[email?protected] ~]# cd /usr/local/nginx/conf/vhost/
[[email?protected] vhost]# dig qq.com      // the dig command looks up the IPs; if dig is missing, install it with "yum install -y bind-utils"

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38970
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                IN  A

;; ANSWER SECTION:
qq.com.         414 IN  A   125.39.240.113
qq.com.         414 IN  A   61.135.157.156

;; Query time: 37 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 五 3月 16 22:00:18 CST 2018
;; MSG SIZE  rcvd: 67

// Two IPs are returned; with two IPs, load balancing can be used.

[[email?protected] vhost]# vim load.conf     // edit the configuration file and add the following content
# configuration content
upstream qq
# the name is user-defined
{
    ip_hash;
#   Purpose: keep the same user on the same server.
#   That is, when the domain points to several IPs, each user is always sent to the same IP.
    server 61.135.157.156:80;
    server 125.39.240.113:80;
#   IPs of the web servers
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
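
The `proxy_set_header` lines above give the backends two views of the client: `X-Real-IP` is overwritten with `$remote_addr`, while `$proxy_add_x_forwarded_for` appends that address to whatever `X-Forwarded-For` value the client itself sent. The following is an added example, not code from the original post, of how a backend can pick the client address without trusting client-supplied entries; the function names and the choice of `192.168.242.128` (the Nginx host used later on this page) as the trusted proxy are assumptions.

```python
import ipaddress

# Assumption: only the Nginx proxy from this page and loopback may speak for clients.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("192.168.242.128/32", "127.0.0.0/8")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)          # raises ValueError on garbage
    return any(ip in net for net in TRUSTED_PROXIES)

def naive_client_ip(headers):
    """Common mistake: take the leftmost X-Forwarded-For entry."""
    return headers.get("x-forwarded-for", "").split(",")[0].strip()

def client_ip(peer_addr, headers):
    """Address to log or rate-limit on.

    peer_addr: socket peer of the connection to the backend.
    headers:   request headers with lower-cased names.
    """
    # A peer that is not the proxy controls every header: ignore them all.
    if not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")
            if h.strip()]
    # Walk right to left: the rightmost entries were appended by our proxies,
    # everything left of the first untrusted hop was supplied by the client.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break                            # malformed entry: stop trusting the chain
    # Fall back to X-Real-IP, which Nginx set from $remote_addr.
    try:
        return str(ipaddress.ip_address(headers.get("x-real-ip", "")))
    except ValueError:
        return peer_addr

# Constructed request: the client sent "X-Forwarded-For: 10.0.0.1" and Nginx
# appended the real source address 203.0.113.7.
SPOOFED = {"x-forwarded-for": "10.0.0.1, 203.0.113.7",
           "x-real-ip": "203.0.113.7"}

if __name__ == "__main__":
    print("naive :", naive_client_ip(SPOOFED))
    print("strict:", client_ip("192.168.242.128", SPOOFED))
```
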
           

2. Test

[[email?protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email?protected] vhost]# /usr/local/nginx/sbin/nginx -s reload
[[email?protected] vhost]# curl -x127.0.0.1:80 www.qq.com -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Fri, 16 Mar 2018 14:18:04 GMT
Content-Type: text/html; charset=GB2312
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Fri, 16 Mar 2018 14:19:04 GMT
Cache-Control: max-age=60
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Cache: HIT from tianjin.qq.com

// Without the -I option the status code is also 200 here, because this is the default virtual host, but the rest of the output differs.
Test without the -I option:
[[email?protected] vhost]# curl -x127.0.0.1:80 www.qq.com
           
The result is shown in the figure below:
[Screenshot not preserved]
Note: Nginx does not support proxying https; it can only proxy http.

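II. Configuring SSL in Nginx

The SSL (Secure Sockets Layer) protocol and its successor TLS (Transport Layer Security) are security protocols that provide security and data integrity for network communication.

1. The browser sends an https request to the server;

2. The server needs a digital certificate. It can be self-made (the steps later in this article use a self-made certificate) or requested from an organization. The difference is that a self-issued certificate must be accepted by the client before access can continue, whereas a certificate obtained from a trusted company does not trigger a warning page. The certificate is in effect a pair of keys, one public and one private;

3. The server sends the public key to the client;

4. After the client (browser) receives the public key, it verifies that the key is legitimate and valid. If it is invalid, a warning is shown; if it is valid, the client generates a random string and encrypts it with the received public key;

5. The client sends the encrypted random string to the server;

6. After the server receives the encrypted random string, it first decrypts it with the private key (encrypt with the public key, decrypt with the private key). Once it has the random string, it uses that string to encrypt the data to be transmitted. This is symmetric encryption: the data and the secret key, that is, this random string, are combined through some algorithm, so that the data content cannot be obtained without knowing the key;

7. The server sends the encrypted data to the client;

8. After the client receives the data, it decrypts it with its own secret key, that is, the same random string.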


1. Generate a self-signed SSL certificate (for experiments only)

[[email?protected] conf]# openssl genrsa -des3 -out tmp.key 2048      // if the openssl command is missing, install it with "yum install -y openssl"
Generating RSA private key, 2048 bit long modulus
...................................................................................+++
.......................................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
// This step generates the key, i.e. the "private key". 2048 is the key length in bits. You are asked to enter a passphrase; it must not be too short, otherwise the command fails.

[[email?protected] conf]# openssl rsa -in tmp.key -out zlinux.key
Enter pass phrase for tmp.key:
writing RSA key
// Convert tmp.key to zlinux.key. The purpose is to remove the passphrase that was just set; if it is not removed, later steps become inconvenient.

[[email?protected] conf]# rm -f tmp.key 
[[email?protected] conf]# openssl req -new -key zlinux.key -out zlinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS    
Locality Name (eg, city) [Default City]:SZ    
Organization Name (eg, company) [Default Company Ltd]:XXLtd
Organizational Unit Name (eg, section) []:zlinux.com
Common Name (eg, your name or your server's hostname) []:ZZ
Email Address []:[email?protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:zzz123456     
An optional company name []:z

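// Generate the certificate signing request (CSR). The key file and the CSR file are then used together to produce the final public-key file. The Common Name should be the server_name used later in the Nginx configuration file.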

[[email?protected] conf]# openssl x509 -req -days 365 -in zlinux.csr -signkey zlinux.key -out zlinux.crt
Signature ok
subject=/C=CN/ST=JS/L=C/O=C/OU=C/CN=zlinux.com/emailAddress=z
Getting Private key
[[email?protected] conf]# ls |grep zlinux
zlinux.crt
zlinux.csr
zlinux.key
// Finally generate the crt certificate, i.e. the public key.

2. Configure Nginx to support SSL

1) Edit the configuration file
[[email?protected] vhost]# vim ssl.conf       // add the following content
server
{
    listen 443;
    server_name zlinux.com;
    index index.html index.php;
    root /data/wwwroot/ssltest;
    ssl on;
    ssl_certificate zlinux.crt;
    ssl_certificate_key zlinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
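
The `ssl_protocols` line above still enables TLSv1 and TLSv1.1, which are deprecated (RFC 8996), and `ssl on;` is a legacy directive that newer Nginx releases replace with the `ssl` parameter of `listen`. The following is an added example, not code from the original post, that audits the TLS-relevant lines of this server block and a corrected variant; the function names and the corrected variant are assumptions.

```python
import re

# Constructed input: the TLS-relevant lines of the server block on this page.
PAGE_CONF = """
server
{
    listen 443;
    server_name zlinux.com;
    ssl on;
    ssl_certificate zlinux.crt;
    ssl_certificate_key zlinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""
# Corrected variant (assumption). TLSv1.3 is left out because it needs
# nginx 1.13.0+ built against OpenSSL 1.1.1+, and this page uses 1.12.2.
FIXED_CONF = (PAGE_CONF.replace("listen 443;", "listen 443 ssl;")
              .replace("    ssl on;\n", "")
              .replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2"))

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(conf):
    """Yield (name, args) for each simple directive; comments are stripped."""
    text = re.sub(r"#[^\n]*", "", conf)
    for stmt in re.split(r"[;{}]", text):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf):
    """Return findings for legacy TLS settings in one server block."""
    findings, tls_enabled = [], False
    for name, args in directives(conf):
        if name == "ssl" and args == ["on"]:
            tls_enabled = True
            findings.append("ssl on: deprecated since 1.15.0, use 'listen 443 ssl;'")
        elif name == "listen" and "ssl" in args:
            tls_enabled = True
        elif name == "ssl_protocols":
            weak = [p for p in args if p in DEPRECATED]
            if weak:
                findings.append("ssl_protocols: deprecated " + ", ".join(weak))
    if not tls_enabled:
        findings.append("listen: TLS is not enabled on this server block")
    return findings

if __name__ == "__main__":
    for label, conf in (("page", PAGE_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf))
```
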
           

2) Check whether the configuration has problems

[[email?protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
           
This shows that the current Nginx does not support SSL, because SSL support was not enabled when Nginx was compiled. It therefore has to be recompiled with the SSL parameter:
[[email?protected] vhost]# cd /usr/local/src/nginx-1.12.2
[[email?protected] nginx-1.12.2]# ./configure --help |grep -i ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
[[email?protected] nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[[email?protected] nginx-1.12.2]# make
[[email?protected] nginx-1.12.2]# make install
[[email?protected] nginx-1.12.2]# /usr/local/nginx/sbin/nginx -t     // check the configuration again
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email?protected] nginx-1.12.2]# /etc/init.d/nginx restart
           

3) Test

Add the following to the hosts file on Windows:

192.168.242.128 zlinux.com

[[email?protected] vhost]# mkdir /data/wwwroot/ssltest
[[email?protected] vhost]# echo "ssl test" > /data/wwwroot/ssltest/index.html
           
Enter https://zlinux.com in the browser; the result is shown in the figure below:
[Screenshot not preserved]
Reposted from: https://blog.51cto.com/3069201/2087801
