2018-04-27 Linux Learning

Source: Internet
Author: User
Tags: curl, openssl, openssl library, openssl rsa, openssl x509

12.17 Nginx Load Balancer

Proxies HTTP only

vim /usr/local/nginx/conf/vhost/load.conf    // write the following:

upstream qq_com
{
    ip_hash;
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq_com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

upstream defines the group of backend web servers that requests are distributed to.

dig tool (to resolve the backend addresses):
yum -y install bind-utils

[[email protected] ~]# curl -x127.0.0.1:80 www.qq.com
This is default site.
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/load.conf

upstream qq
{
    ip_hash;
    server 14.17.32.211:80;
    server 14.17.42.40:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

[[email protected] ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] ~]# curl -x127.0.0.1:80 www.qq.com    // shows the page content of www.qq.com

12.18 SSL Principle

SSL Work Flow

1. The browser sends an HTTPS request to the server.
2. The server must have a set of digital certificates. It can make them itself (the operations later in this post are Aming making his own certificate) or apply to an organization for them. The difference is that a self-issued certificate has to pass verification on the client before access can continue, while a certificate applied for from a trusted company does not pop up a warning page. This set of certificates is in fact a public key and a private key.
3. The server sends the public key to the client.
4. After receiving the public key, the client (browser) verifies whether it is legitimate and valid. If it is invalid, a warning is shown; if it is valid, the client generates a random string and encrypts it with the received public key.
5. The client sends the encrypted random string to the server.
6. After receiving the encrypted random string, the server first decrypts it with its private key (public key encrypts, private key decrypts). Having obtained the random string, it then uses it to encrypt the data to be transmitted (this is symmetric encryption: the data and the private key, that is, this random string, are mixed together by some algorithm, so that the data content cannot be recovered without knowing the key).
7. The server sends the encrypted data to the client.
8. After receiving the data, the client decrypts it with its own private key, that is, that random string.
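The flow above, acted out with the openssl command line as an added example (this is not code from the original post). It assumes openssl 1.1.1 or later on PATH; the file names under the temporary directory are made up for the demo. It follows the text's model, in which the client encrypts its random string with the server's public key and both sides then use that string as the symmetric key; current TLS versions derive the session key with ephemeral Diffie-Hellman instead, so this shows the principle the section describes rather than what a modern handshake puts on the wire.

```sh
#!/bin/sh
# Added example, not part of the original post: the key exchange described in
# the section, acted out with the openssl CLI. Assumes openssl 1.1.1+ on PATH
# and a POSIX shell. All file names under $WORK are made up for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Steps 2-3, server side: the "certificate" is a key pair; only the public half leaves the server.
server_make_keypair() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/server.key" -pubout -out "$WORK/server.pub" 2>/dev/null
}

# Steps 4-5, client side: make the random string and encrypt it with the server's
# public key. OAEP padding is selected instead of the PKCS#1 v1.5 default.
client_send_random() {
    openssl rand -hex 32 > "$WORK/client.random"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/client.random" -out "$WORK/random.enc"
}

# Step 6, server side: the private key decrypts what the public key encrypted.
server_recover_random() {
    openssl pkeyutl -decrypt -inkey "$WORK/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/random.enc" -out "$WORK/server.random"
}

# "yes" when both sides now hold the same random string.
random_strings_match() {
    [ "$(cat "$WORK/client.random")" = "$(cat "$WORK/server.random")" ] && echo yes || echo no
}

# Steps 6-8: the shared random string is the symmetric key for the application data.
# -pass file: reads the first line of the file (the hex string) as the password.
encrypt_with_shared() { openssl enc -aes-256-cbc -pbkdf2 -pass "file:$1"; }
decrypt_with_shared() { openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1"; }

# The whole exchange; prints what the client decrypted.
run_exchange() {  # $1 = message the server sends
    server_make_keypair
    client_send_random
    server_recover_random
    printf '%s' "$1" | encrypt_with_shared "$WORK/server.random" > "$WORK/data.enc"
    decrypt_with_shared "$WORK/client.random" < "$WORK/data.enc"
}

run_exchange "SSL test page."
echo
echo "shared key agreed: $(random_strings_match)"
```

random_strings_match is the point the text describes as the server "obtaining the random string"; everything after it is plain symmetric encryption under that string, which is why an eavesdropper who saw only random.enc and data.enc recovers nothing.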

12.19 Producing SSL key pairs

cd /usr/local/nginx/conf

openssl genrsa -des3 -out tmp.key 2048    // the key file is the private key

openssl rsa -in tmp.key -out aminglinux.key    // convert the key, removing the password

rm -f tmp.key

openssl req -new -key aminglinux.key -out aminglinux.csr    // generate a certificate request file; this file and the private key are needed to produce the public key file

openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt    // aminglinux.crt here is the public key

Build process

[[email protected] ~]# cd /usr/local/nginx/conf/
[[email protected] conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[[email protected] conf]# openssl rsa -in tmp.key -out aminglinux.key
Enter pass phrase for tmp.key:
writing RSA key
[[email protected] conf]# rm -rf tmp.key
[[email protected] conf]# openssl req -new -key aminglinux.key -out aminglinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:www
Locality Name (eg, city) [Default City]:sz
Organization Name (eg, company) [Default Company Ltd]:www
Organizational Unit Name (eg, section) []:www
Common Name (eg, your name or your server's hostname) []:wwwhost
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:www123456
An optional company name []:wwwchina
[[email protected] conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
Signature ok
subject=/C=11/ST=www/L=sz/O=www/OU=www/CN=wwwhost/emailAddress=[email protected]
Getting Private key
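The same steps as an added example (not code from the original post), made non-interactive with -subj and followed by the checks worth running before pointing nginx at the files: that the .crt and .key share an RSA modulus, that the certificate is still valid for a given number of days, and which CN it carries. It assumes openssl on PATH; the file names, subject fields and the aming.com common name are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post: key, CSR and self-signed cert in
# one go, plus the checks nginx would otherwise fail on at startup. Assumes
# openssl on PATH; site.key/site.csr/site.crt and the subject are made up here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# genrsa -des3 followed by rsa -in/-out ends with an unencrypted key anyway,
# so the key is written unencrypted in a single step here.
make_self_signed() {  # $1 = common name, $2 = validity in days
    openssl genrsa -out "$WORK/site.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/site.key" -out "$WORK/site.csr" \
        -subj "/C=XX/ST=example/L=example/O=example/OU=web/CN=$1"
    openssl x509 -req -days "$2" -in "$WORK/site.csr" \
        -signkey "$WORK/site.key" -out "$WORK/site.crt" 2>/dev/null
}

# A second key unrelated to the certificate, used to show the mismatch check firing.
make_unrelated_key() {
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

# "yes" only if certificate and key share a modulus; with any other key nginx -t
# fails with X509_check_private_key "key values mismatch".
cert_matches_key() {  # $1 = key file
    crt_mod=$(openssl x509 -noout -modulus -in "$WORK/site.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ] && echo yes || echo no
}

# "yes" if the certificate is still valid $1 days from now (-checkend takes seconds).
cert_valid_for_days() {  # $1 = days
    if openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$WORK/site.crt" >/dev/null
    then echo yes; else echo no; fi
}

# The CN from the subject, which has to equal the server_name clients connect to.
cert_cn() {
    openssl x509 -noout -subject -in "$WORK/site.crt" | sed 's/.*CN *= *//'
}

make_self_signed aming.com 365
make_unrelated_key
echo "cn:            $(cert_cn)"
echo "matches key:   $(cert_matches_key "$WORK/site.key")"
echo "matches other: $(cert_matches_key "$WORK/other.key")"
echo "valid 30d:     $(cert_valid_for_days 30)"
echo "valid 400d:    $(cert_valid_for_days 400)"
```

The modulus comparison is the same check nginx performs when it loads ssl_certificate and ssl_certificate_key, so running it first turns a startup failure into a one-line answer; -checkend is the cheap way to alert on expiry before a browser does.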

12.20 Nginx Configuration SSL

vim /usr/local/nginx/conf/vhost/ssl.conf    // add the following:

server
{
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

-t && -s reload    // if the error unknown directive "ssl" appears, nginx needs to be recompiled with --with-http_ssl_module

mkdir /data/wwwroot/aming.com
echo "SSL test page." > /data/wwwroot/aming.com/index.html

Edit /etc/hosts and add 127.0.0.1 aming.com
curl https://aming.com/

Operation Process

[[email protected] conf]# cd vhost/
[[email protected] vhost]# mkdir /data/wwwroot/aming.com
[[email protected] vhost]# vim ssl.conf    // add the configuration content above
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[[email protected] vhost]# cd /usr/local/src/nginx-1.12.2/
[[email protected] nginx-1.12.2]# ./configure --help |grep -i ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
[[email protected] nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[[email protected] nginx-1.12.2]# make
[[email protected] nginx-1.12.2]# make install
[[email protected] nginx-1.12.2]# cd /data/wwwroot/aming.com/
[[email protected] aming.com]# vim 1.txt
This is default site.
[[email protected] aming.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] aming.com]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] aming.com]# curl -x127.0.0.1:443 https://aming.com/
curl: (7) Failed connect to 127.0.0.1:443; Connection refused
[[email protected] aming.com]# vim /etc/hosts
127.0.0.1 aming.com
[[email protected] aming.com]# curl https://aming.com/
curl: (7) Failed connect to aming.com:443; Connection refused

Opening the site directly in a browser on the PC shows "This is default site." with no security warning.
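An added lint for the vhost in this section (not code from the original post), run against a copy of ssl.conf as written and against a corrected copy, so the two settings a reviewer would flag are visible side by side. It assumes only a POSIX shell with sed and grep; both configuration files are constructed inline, with the directives in their real lowercase form.

```sh
#!/bin/sh
# Added example, not from the original post: a small lint for an nginx SSL vhost.
# Assumes a POSIX shell with sed and grep; the two sample files are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The vhost from the section, as nginx would read it.
write_page_conf() {
    cat > "$WORK/ssl.conf" <<'EOF'
server
{
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
    echo "$WORK/ssl.conf"
}

# Corrected copy: ssl as a parameter of listen, TLS 1.2 and 1.3 only.
write_hardened_conf() {
    cat > "$WORK/ssl-hardened.conf" <<'EOF'
server
{
    listen 443 ssl;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
    echo "$WORK/ssl-hardened.conf"
}

# Prints one finding per line. Comments are stripped first so a commented-out
# "ssl on;" is not reported.
lint_ssl_conf() {  # $1 = conf file
    conf=$(sed 's/#.*//' "$1")
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "ssl on: deprecated since nginx 1.15.0, use 'listen 443 ssl;'"
    fi
    protos=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p')
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "ssl_protocols: $p is deprecated (RFC 8996); allow TLSv1.2 TLSv1.3 only" ;;
        esac
    done
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_certificate_key[[:space:]]'; then
        echo "ssl_certificate_key: missing, nginx cannot terminate TLS without the private key"
    fi
}

# Number of findings, as a bare integer (grep -c exits 1 on zero matches, hence || true).
count_findings() { lint_ssl_conf "$1" | grep -c . || true; }

for f in "$(write_page_conf)" "$(write_hardened_conf)"; do
    echo "== $f: $(count_findings "$f") finding(s)"
    lint_ssl_conf "$f"
done
```

The `ssl` directive has been deprecated since nginx 1.15.0 in favour of `listen 443 ssl;`, and TLS 1.0 and 1.1 were formally deprecated by RFC 8996. `TLSv1.3` in the corrected copy needs nginx 1.13.0 or later built against OpenSSL 1.1.1; on the 1.12.2 build used in this section, `ssl_protocols TLSv1.2;` alone is the equivalent setting.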
