12.17 Nginx Load Balancer
Nginx here proxies HTTP only.
vim /usr/local/nginx/conf/vhost/load.conf // write the following:
upstream qq_com
{
    ip_hash;
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq_com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
The upstream block is used to specify multiple web servers; ip_hash keeps requests from one client IP on the same backend.
dig tool (used to look up the backend addresses of www.qq.com):
yum -y install bind-utils
[[email protected] ~]# curl -x127.0.0.1:80 www.qq.com
This is default site.
[[email protected] ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream qq
{
    ip_hash;
    server 14.17.32.211:80;
    server 14.17.42.40:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
[[email protected] ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] ~]# curl -x127.0.0.1:80 www.qq.com // now shows the page content of www.qq.com
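As an added example (not from the course notes), the upstream block above can be generated from what dig returns for the hostname instead of being typed by hand. The records dig +short prints for www.qq.com change over time and may include CNAME targets, so the function keeps only dotted IPv4 addresses; the addresses and the CNAME name below are constructed sample input.

```shell
#!/bin/sh
# make_upstream NAME ADDR... : print an nginx upstream block with ip_hash
# containing "server ADDR:80;" for every ADDR that looks like an IPv4 address.
# Returns 1 when no usable address was given, so a failed lookup cannot silently
# produce an empty upstream.
make_upstream() {
    name=$1; shift
    printf 'upstream %s\n{\n    ip_hash;\n' "$name"
    n=0
    for a in "$@"; do
        case $a in
            ""|*[!0-9.]*|*.) continue ;;   # skip CNAME targets such as "cdn.example.net."
        esac
        printf '    server %s:80;\n' "$a"
        n=$((n + 1))
    done
    printf '}\n'
    [ "$n" -gt 0 ]
}

# With a resolver available this would be: make_upstream qq $(dig +short www.qq.com)
# Constructed sample input (two addresses and one CNAME target that must be dropped):
make_upstream qq 14.17.32.211 14.17.42.40 cdn.example.net.
```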
12.18 SSL Principle
SSL Work Flow
The browser sends an HTTPS request to the server.
The server must have a digital certificate. It can be self-made (the steps that follow are the certificate Aming made himself) or requested from an organization; the difference is that a self-issued certificate must first be accepted by the client before access can continue, whereas a certificate obtained from a trusted company does not pop up a warning page. This certificate is really a pair of keys, a public key and a private key.
The server sends the public key to the client.
The client (browser) receives the public key and checks whether it is legitimate and valid. If it is invalid, a warning is shown; if it is valid, the browser generates a random string and encrypts it with the public key it received.
The client sends the encrypted random string to the server.
The server receives the encrypted random string and first decrypts it with the private key (public key encrypts, private key decrypts). Once it has the random string, it uses that string to encrypt the data to be transmitted. This is symmetric encryption: the data and the key (this random string) are mixed together by some algorithm, so that without the key the data content cannot be recovered.
The server sends the encrypted data to the client.
The client receives the data and decrypts it with its own key, that is, the same random string.
12.19 Producing SSL key pairs
cd /usr/local/nginx/conf
openssl genrsa -des3 -out tmp.key 2048 // the key file is the private key
openssl rsa -in tmp.key -out aminglinux.key // convert the key, removing the password
rm -f tmp.key
openssl req -new -key aminglinux.key -out aminglinux.csr // generate a certificate request file; this file together with the private key is needed to produce the public key file
openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt // aminglinux.crt here is the public key
Build process
[[email protected] ~]# cd /usr/local/nginx/conf/
[[email protected] conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[[email protected] conf]# openssl rsa -in tmp.key -out aminglinux.key
Enter pass phrase for tmp.key:
writing RSA key
[[email protected] conf]# rm -rf tmp.key
[[email protected] conf]# openssl req -new -key aminglinux.key -out aminglinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:www
Locality Name (eg, city) [Default City]:sz
Organization Name (eg, company) [Default Company Ltd]:www
Organizational Unit Name (eg, section) []:www
Common Name (eg, your name or your server's hostname) []:wwwhost
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:www123456
An optional company name []:wwwchina
[[email protected] conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
Signature ok
subject=/C=11/ST=www/L=sz/O=www/OU=www/CN=wwwhost/[email protected]
Getting Private key
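The following script is an added example, not part of the course notes: it runs the 12.19 key and certificate steps without prompts and then acts out the 12.18 exchange with the resulting files, so the public-key/private-key split and the random symmetric key can be seen in one run. It works in a throwaway directory; the DN fields, the 16-byte random string and the message are constructed values, and the cert/key modulus comparison is the check worth doing before pointing nginx at the pair.

```shell
#!/bin/sh
# Added example, not part of the course notes: run the 12.19 key/certificate
# steps non-interactively and then act out the 12.18 exchange with those files.
# Works in a throwaway directory; the DN fields and the message are constructed.
set -eu

ssl_demo() {
    work=$(mktemp -d) && cd "$work" || return 1

    # 12.19 without prompts: private key, CSR (-subj answers the DN questions),
    # self-signed certificate valid for 365 days.
    openssl genrsa -out aminglinux.key 2048 2>/dev/null || return 1
    openssl req -new -key aminglinux.key -out aminglinux.csr \
        -subj "/C=CN/ST=www/L=sz/O=www/OU=www/CN=wwwhost" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key \
        -out aminglinux.crt 2>/dev/null || return 1

    # Check before installing the pair in nginx: the certificate must carry the
    # public half of this key, i.e. both moduli must match.
    key_mod=$(openssl rsa -noout -modulus -in aminglinux.key)
    crt_mod=$(openssl x509 -noout -modulus -in aminglinux.crt)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ] || return 1

    # 12.18 steps 3-5: the client only sees the public key (it is inside the
    # certificate), generates a random string and encrypts it with that key.
    openssl x509 -in aminglinux.crt -pubkey -noout > server.pub
    openssl rand -hex 16 > session.key
    openssl pkeyutl -encrypt -pubin -inkey server.pub -pkeyopt rsa_padding_mode:oaep \
        -in session.key -out session.enc || return 1

    # Step 6: only the private key recovers the string.
    openssl pkeyutl -decrypt -inkey aminglinux.key -pkeyopt rsa_padding_mode:oaep \
        -in session.enc -out session.dec || return 1
    [ "$(cat session.key)" = "$(cat session.dec)" ] || return 1

    # Steps 6-8: from now on the random string is the symmetric (AES) key.
    echo "SSL test page." > data.txt
    openssl enc -aes-256-cbc -pbkdf2 -pass file:session.dec \
        -in data.txt -out data.enc || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:session.key \
        -in data.enc -out data.dec || return 1
    [ "$(cat data.txt)" = "$(cat data.dec)" ] || return 1

    cd / && rm -rf "$work"
    echo ok
}

ssl_demo
```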
12.20 Nginx Configuration SSL
vim /usr/local/nginx/conf/vhost/ssl.conf // add the following:
server
{
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload // if this gives the error unknown directive "ssl", nginx has to be recompiled with --with-http_ssl_module added
mkdir /data/wwwroot/aming.com
echo "SSL test page." > /data/wwwroot/aming.com/index.html
Edit hosts and add: 127.0.0.1 aming.com
curl https://aming.com/
Operation Process
[[email protected] conf]# cd vhost/
[[email protected] vhost]# mkdir /data/wwwroot/aming.com
[[email protected] vhost]# vim ssl.conf // add the configuration content above
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[[email protected] vhost]# cd /usr/local/src/nginx-1.12.2/
[[email protected] nginx-1.12.2]# ./configure --help |grep -i ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
[[email protected] nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[[email protected] nginx-1.12.2]# make
[[email protected] nginx-1.12.2]# make install
[[email protected] nginx-1.12.2]# cd /data/wwwroot/aming.com/
[[email protected] aming.com]# vim 1.txt // content: This is default site.
[[email protected] aming.com]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] aming.com]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] aming.com]# curl -x127.0.0.1:443 https://aming.com/
curl: (7) Failed connect to 127.0.0.1:443; Connection refused
[[email protected] aming.com]# vim /etc/hosts // add: 127.0.0.1 aming.com
[[email protected] aming.com]# curl https://aming.com/
curl: (7) Failed connect to aming.com:443; Connection refused
Opening the site in a browser on the PC directly shows "This is default site." with no security warning.
2018-04-27 Linux Learning