Web server architecture:
1. The simplest web service implementation: build an httpd service and an Nginx service that serve static HTML and PHP pages, build a LAMP environment and deploy a WordPress blog; 1 server completes the whole LANMP stack.
2. Multiple standalone servers for a more complex web architecture: split the httpd and Nginx services onto their own hosts, and move MySQL and file sharing (NFS) onto separate servers.
Implement a redundant web architecture: put several web servers behind LVS or an Nginx proxy to get load balancing. The experiment needs 2 web servers (1 httpd, 1 Nginx), 1 MySQL+NFS server, 1 proxy server (LVS, httpd or Nginx, pick one), 1 router and 1 test client, 6 machines in total.
3. Front-end cache: build a Varnish cache server for high-concurrency load. On top of the above, add 1 cache server.
4. DNS resolution and HTTPS access. On top of the above, add 2 machines (a DNS server and a certificate/CA server).
###########################
1. Single server implementation: LANMP on CentOS 7.3
Install the related packages
yum install httpd php php-mysql mariadb-server
Start the services and test
systemctl start httpd
systemctl start mariadb
mysql   # test logging in to the database
echo "Apache Server Page" > /var/www/html/index.html
vi /var/www/html/index.php
<?php
phpinfo();
?>
curl 192.168.10.71   # test the httpd service
(phpinfo() discloses the PHP build, loaded modules and file system paths to anyone who can reach the page; delete index.php once the test passes.)
Set the root password and other security settings for MySQL
mysql_secure_installation
Log in to MySQL, create the database and a remote-login account
mysql -uroot -p
MariaDB [(none)]> CREATE DATABASE wpdb;
MariaDB [(none)]> GRANT ALL ON wpdb.* TO 'wpuser'@'192.168.10.%' IDENTIFIED BY 'redhat';
(The grant is limited to the wpdb database and to clients on 192.168.10.0/24; 'redhat' is a lab password and must be replaced in any real deployment.)
Install WordPress
tar -xf wordpress-xxx.tar.gz
cp -p wp-config-sample.php wp-config.php
vi wp-config.php   # change the following:
define('DB_NAME', 'wpdb');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'redhat');
define('DB_HOST', '192.168.10.71');
Configure the EPEL repository and install Nginx
yum install nginx
systemctl stop httpd   # httpd and Nginx cannot both listen on port 80
systemctl start nginx
echo "Nginx Server Page" > /usr/share/nginx/html/index.html
curl 192.168.10.71
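A quick audit of the wp-config.php written above, as an added example that is not part of the original post. It flags the two things most often left behind after a lab build: a world-readable config file (the DB password sits in it in clear text) and a default password or a root DB account. The accepted file modes, the list of "lab default" passwords and the file path argument are assumptions made for this check.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a wp-config.php.
# The accepted modes and the list of lab-default passwords are assumptions.
set -e

# check_wp_config FILE: print one finding per line; return 1 if anything was found
check_wp_config() {
    f=$1
    rc=0
    # file mode: the DB password is in clear text, so "other" must not be able to read it
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|640|400|440) ;;
        *) echo "$f: mode $mode lets other users read the DB password; use 640 (root:apache)"; rc=1 ;;
    esac
    # DB_PASSWORD: reject empty values and the passwords used in this write-up
    pw=$(sed -n "s/.*define *( *'DB_PASSWORD' *, *'\([^']*\)'.*/\1/p" "$f")
    case "$pw" in
        ''|redhat|password|wordpress|123456)
            echo "$f: DB_PASSWORD is empty or a lab default; set a unique one and re-run the GRANT"; rc=1 ;;
    esac
    # DB_USER: WordPress should connect as the wpdb-only account, never as root
    user=$(sed -n "s/.*define *( *'DB_USER' *, *'\([^']*\)'.*/\1/p" "$f")
    if [ "$user" = "root" ]; then
        echo "$f: DB_USER is root; use a user granted rights on wpdb.* only"; rc=1
    fi
    return $rc
}
```

Run it as `check_wp_config /var/www/html/wp-config.php` (or wherever WordPress was unpacked) after editing the file; a non-zero exit means at least one finding was printed.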
##################################
2. Add an LVS director, 4 hosts in total, with the IP addresses changed as follows (10.x is short for 192.168.10.x, 80.x for 192.168.80.x)
Apache server IP: 192.168.10.71
Nginx server IP: 192.168.10.72
LVS / Nginx proxy server IPs: 192.168.10.73 (internal), 192.168.80.162 (external, the VIP)
Client IP: 192.168.10.74
Apache server configuration:
ifdown eth1   # bring down the other interface so only the internal network is used
ip route add default via 192.168.10.73   # default route points at the LVS director; NAT mode needs replies to go back through the director
ip route
default via 192.168.10.73 dev eth0
Nginx server configuration:
ifdown eth1
ip route add default via 192.168.10.73
ip route
LVS server (192.168.10.73) configuration:
Configure the EPEL repository and install ipvsadm
yum install ipvsadm
vi /etc/sysctl.conf   # allow the director to forward packets
net.ipv4.ip_forward = 1
sysctl -p   # apply the setting
Configure LVS (NAT mode, round robin)
ipvsadm -A -t 192.168.80.162:80 -s rr
ipvsadm -a -t 192.168.80.162:80 -r 192.168.10.71 -m
ipvsadm -a -t 192.168.80.162:80 -r 192.168.10.72 -m
ipvsadm -Ln
ipvsadm -Ln --stats
Client testing:
for i in {1..10}; do curl 192.168.80.162; done
Switch to weighted round robin and give the Apache server weight 3 (keep -m, otherwise ipvsadm falls back to direct routing for that real server):
ipvsadm -E -t 192.168.80.162:80 -s wrr
ipvsadm -e -t 192.168.80.162:80 -r 192.168.10.71 -m -w 3
ipvsadm -Ln
Client configuration:
ip route add default via 192.168.80.162
for i in {1..10}; do curl 192.168.80.162; done   # test
##############################
Nginx proxy server (same environment and IP plan): 192.168.10.73 / 192.168.80.162
yum install nginx
vi /etc/nginx/nginx.conf   # the stock http { } block ships a default server on port 80; it collides with the stream listener on 192.168.80.162:80 (bind() fails with "Address already in use"), so remove or disable that http server block or Nginx will not start. stream and http can otherwise coexist in one nginx.conf.
# For more information on configuration, see:
# * Official English documentation: http://nginx.org/en/docs/
# * Official Russian documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
stream {
    upstream mysrv {
        server 192.168.10.71:80 weight=3;
        server 192.168.10.72:80;
        least_conn;
    }
    server {
        listen 192.168.80.162:80;
        proxy_pass mysrv;
    }
}
Because this is a stream (layer 4) proxy, the back-end servers see the proxy's own address 192.168.10.73 as the client, and nothing inspects the HTTP request on the way through.
nginx -t   # test the Nginx configuration
systemctl start nginx   # start the Nginx service
nginx -s reload   # reload the configuration after changes
Client testing:
for i in {1..10}; do curl 192.168.80.162; done
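The same two back ends fronted as an HTTP (layer 7) proxy instead of a stream proxy, as an added example that is not part of the original post. It replaces the stream { } block above (and the stock default server on port 80 still has to go, for the same bind reason); the upstream names and addresses are the page's, the header, health-check and timeout settings are assumptions.

```nginx
# Added example, not part of the original post: layer-7 version of the proxy.
# Header, max_fails and timeout values are assumptions for the lab.
http {
    upstream mysrv {
        least_conn;
        server 192.168.10.71:80 weight=3 max_fails=3 fail_timeout=10s;
        server 192.168.10.72:80 max_fails=3 fail_timeout=10s;
    }
    server {
        listen 192.168.80.162:80;
        server_name www.baidu.com;
        location / {
            proxy_pass http://mysrv;
            proxy_connect_timeout 5s;
            # pass the original Host and the real client address to the back ends;
            # with the stream proxy they only ever saw 192.168.10.73
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

The back ends should trust X-Forwarded-For only when the connection comes from 192.168.10.73; a client that can reach 192.168.10.71 or .72 directly can set that header to anything, which matters as soon as access control or logging keys on it.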
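The curl loops above (the LVS test in section 2 and this Nginx proxy test) print ten page bodies, and the point of the weight=3 setting is that the Apache server should answer about three quarters of them. The following added example, not part of the original post, turns that output into per-backend counts and checks the split against the configured weights. The two page strings are the ones written into index.html above; the responses used in the test are constructed, not captured from the lab.

```shell
#!/bin/sh
# Added example, not part of the original post: check how the director or proxy
# spread the client's requests. Feed it the bodies returned by the curl loop,
# one per line.
set -e

# lb_counts: stdin = one response body per line (the curl loop's output);
# stdout = "<count> <body>" per back end, busiest first
lb_counts() {
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# lb_hits BODY: how many lines on stdin are exactly BODY (0 matches is not an error)
lb_hits() {
    grep -c -x -- "$1" || true
}

# lb_ratio_ok HITS_A HITS_B WEIGHT_A WEIGHT_B: succeed when back end A received
# its weighted share of the requests, to within one request (wrr hands out
# whole requests, so 10 requests at 3:1 give 7 or 8 to A, never 7.5)
lb_ratio_ok() {
    total=$(( $1 + $2 ))
    expect_a=$(( total * $3 / ($3 + $4) ))
    diff=$(( $1 - expect_a ))
    [ "$diff" -ge -1 ] && [ "$diff" -le 1 ]
}
```

Usage on the client: `for i in $(seq 1 40); do curl -s 192.168.80.162; done | lb_counts`, then pass the two counts to `lb_ratio_ok <apache> <nginx> 3 1`. Use more than ten requests when least_conn is in play; with idle back ends it behaves like weighted round robin, but the split only settles over a larger sample.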
###############################
3. Build the Varnish cache service (not completed in the original experiment)
Varnish IP: 192.168.10.61
yum install varnish
systemctl start varnish
vi /etc/varnish/default.vcl   # custom VCL configuration
varnishadm -S /etc/varnish/secret -T 127.0.0.1:6082   # log in to the admin command line
vcl.list   # list all loaded configurations
vcl.load test1 /etc/varnish/default.vcl   # compile and load a new configuration; test1 is the configuration name, default.vcl is the file
vcl.use test1   # activate the configuration by name; the last vcl.use wins
vcl.show test1   # show the contents of the named configuration
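The original experiment stops before writing the VCL. As an added example that is not the author's configuration, here is a minimal default.vcl for a WordPress site behind the VIP from section 2. The backend address, the TTL and the cookie/path rules are assumptions; the security point is that a cache in front of WordPress must never store a logged-in user's page or a response that sets a session cookie, or it will hand one visitor's session to the next.

```vcl
# Added example, not part of the original post. Backend address, TTL and the
# WordPress path/cookie rules are assumptions for this lab.
vcl 4.0;

backend default {
    .host = "192.168.80.162";
    .port = "80";
}

sub vcl_recv {
    # never cache the admin/login flows or any request carrying a WordPress
    # session cookie: a cached copy would be served to other visitors
    if (req.url ~ "^/(wp-admin|wp-login\.php|xmlrpc\.php)" ||
        req.http.Cookie ~ "(wordpress_logged_in_|wp-postpass_)") {
        return (pass);
    }
    # static assets do not depend on cookies; strip them so they cache
    if (req.url ~ "\.(css|js|png|jpg|gif|ico|woff2?)(\?.*)?$") {
        unset req.http.Cookie;
    }
}

sub vcl_backend_response {
    # a response that sets a cookie (login, comment form) is user-specific
    if (beresp.http.Set-Cookie) {
        set beresp.uncacheable = true;
        return (deliver);
    }
    set beresp.ttl = 1h;
}
```

Load it with the vcl.load / vcl.use sequence above, then confirm with two requests that the second one carries an Age header and that a request with a wordpress_logged_in_ cookie does not.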
##############################
4. Configure Nginx SSL access
Configure the CA server: 192.168.10.75 (CentOS 7.3)
OpenSSL configuration file: more /etc/pki/tls/openssl.cnf
Important CA parameters (the [ CA_default ] section):
dir = /etc/pki/CA   # default CA base directory; $dir below refers to it
certs = $dir/certs   # where signed certificates are stored, with a .crt suffix
crl_dir = $dir/crl   # where revocation lists are stored, with a .crl suffix
database = $dir/index.txt   # certificate index file, listing signed and revoked certificates
new_certs_dir = $dir/newcerts   # newly signed certificates, same content as the signed certificate files
certificate = $dir/cacert.pem   # the CA's own certificate
serial = $dir/serial   # serial number of the next certificate to be signed; must be set by hand the first time, then updated automatically
crlnumber = $dir/crlnumber   # serial number of the next CRL
crl = $dir/crl.pem   # certificate revocation list file
private_key = $dir/private/cakey.pem   # the CA's private key
RANDFILE = $dir/private/.rand   # private random-number file
CA server configuration
cd /etc/pki/CA
touch index.txt
echo 01 > serial   # the first serial number must be set by hand; an empty file makes openssl ca fail
(umask 077; openssl genrsa -out private/cakey.pem 2048)   # the CA private key is readable only by root and never leaves this host
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are prompted for the country, province, city, company name, department name and the CA host name (the issuer name):
C=CN, ST=ha, L=zz, O=c73, OU=it, CN=ca.baidu.com
View the generated certificate
openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Generate a certificate request on the web server (Nginx, 192.168.10.72) and send it to the CA server
(umask 077; openssl genrsa -out /app/service.key 2048)
openssl req -new -key /app/service.key -out /app/service.csr
You are again prompted for country, province, city and so on. Note: country, province and company name must match the CA's values, because the default policy_match in openssl.cnf requires countryName, stateOrProvinceName and organizationName to match. The host name (CN) must be the site's domain name, for example www.baidu.com, or a wildcard such as *.baidu.com that matches every host under the domain. Modern browsers ignore the CN and check the subjectAltName extension instead, so for anything beyond curl testing the CSR or the signing step should add a SAN.
scp /app/service.csr 192.168.10.75:/etc/pki/CA/certs/   # only the CSR travels; the private key stays on the web server
The CA server signs the request and sends the certificate to the web server; note the certificate file uses the .crt suffix
openssl ca -in /etc/pki/CA/certs/service.csr -out /etc/pki/CA/certs/service.crt -days 365
scp /etc/pki/CA/certs/service.crt 192.168.10.72:/app/
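Before the certificate goes into Nginx (or httpd, whose signing steps below are the same), it is worth checking that it actually chains to the lab CA, carries a subjectAltName and that the key file kept its 600 mode. The following added example, not part of the original post, runs the whole flow in a throwaway directory: CA key and certificate, server key and CSR with the same C/ST/O as the CA, signing with a SAN, then verification. It uses `openssl x509 -req -CA` as the signer so it needs no /etc/pki/CA state; the page's `openssl ca` flow produces the same kind of certificate. The lab.example names, the file layout and the extension set are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: a throwaway lab CA that signs
# a server certificate carrying a subjectAltName, then checks the result.
# Names under lab.example, the file layout and the extensions are assumptions;
# 'openssl x509 -req -CA' stands in for the page's 'openssl ca'.
set -e

# build_lab_pki DIR HOST: creates ca.key/ca.crt and HOST.key/HOST.csr/HOST.crt in DIR
build_lab_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # CA key: mode 600 via umask 077, as on the page; it never leaves the CA host
    (umask 077; openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/ca.key" -days 3650 \
        -subj "/C=CN/ST=ha/L=zz/O=c73/OU=it/CN=ca.lab.example" \
        -out "$dir/ca.crt" 2>/dev/null
    # server key and CSR; C, ST and O match the CA (policy_match would reject them otherwise)
    (umask 077; openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/$host.key" \
        -subj "/C=CN/ST=ha/L=zz/O=c73/OU=web/CN=$host" \
        -out "$dir/$host.csr" 2>/dev/null
    # extensions the CA adds at signing time; SAN is what browsers actually match on
    cat > "$dir/$host.ext" <<EOF
[v3_srv]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host,DNS:www.$host
EOF
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/$host.ext" -extensions v3_srv \
        -out "$dir/$host.crt" 2>/dev/null
}

# verify_lab_cert DIR HOST: succeed only if HOST.crt chains to ca.crt, names HOST
# in its SAN, and HOST.key is readable by its owner alone
verify_lab_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host" || return 1
    perms=$(stat -c %a "$dir/$host.key" 2>/dev/null || stat -f %Lp "$dir/$host.key")
    [ "$perms" = "600" ]
}
```

The same verify step applies to the real files: `openssl verify -CAfile /etc/pki/CA/cacert.pem /app/service.crt` on the web server tells you whether the chain is valid before you find out from a TLS handshake error in the Nginx log.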
Nginx SSL configuration: change the certificate paths and uncomment the SSL server block in the default configuration:
vi /etc/nginx/nginx.conf
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name www.baidu.com;
    root /usr/share/nginx/html;
    ssl_certificate "/app/service.crt";
    ssl_certificate_key "/app/service.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 502 503 504 /50x.html;
    location = /50x.html {
    }
}
Test the configuration with nginx -t and reload it as in section 2. /app/service.key must stay readable by root only (the umask 077 above gives it mode 600); Nginx reads it as root before dropping to the nginx user. Because the certificate is issued by the lab CA, a client must trust cacert.pem to validate it (curl --cacert cacert.pem, with www.baidu.com resolving to 192.168.10.72); curl -k merely skips the check, it does not make the chain valid.
###################################
Configure SSL access for httpd:
On the httpd web server, generate a certificate request and send it to the CA server
(umask 077; openssl genrsa -out /app/httpd.key 2048)
openssl req -new -key /app/httpd.key -out /app/httpd.csr
scp /app/httpd.csr 192.168.10.75:/etc/pki/CA/certs/
The CA server signs the request and sends the certificate to the httpd server
openssl ca -in /etc/pki/CA/certs/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
scp /etc/pki/CA/certs/httpd.crt 192.168.10.71:/app/
Configure SSL on the httpd server:
yum install mod_ssl
vi /etc/httpd/conf.d/ssl.conf   # change the certificate and key file paths
SSLCertificateFile /app/httpd.crt
SSLCertificateKeyFile /app/httpd.key
systemctl restart httpd
This article comes from the "Rackie" blog; please keep this source when reproducing it: http://rackie386.blog.51cto.com/11279229/1959592
Comprehensive experiment of Web service architecture