Comprehensive experiment of Web service architecture

Web server architecture:

1. The simplest Web service implementation : Build httpd service and Nginx service to provide static HTML and PHP page access services, build lamp environment, build wordpress blog; 1 servers completed LANMP

2. multiple standalone servers for complex web architectures : Separate httpd services and Nginx services to separate MySQL and file sharing services into separate servers;

Implement redundant Web architecture, dispatch multiple Web servers through Lvs,nginx agent, realize load balancing; 2 Web servers (1 httpd,1), 1 MYSQL+NFS servers, 1 proxy servers (LVS,HTTPD) are required for the experiment. Nginx triad), 1 routers, 1 test clients, total 6 units

3. front-end Build cache server varnish for high concurrency load . Experimental requirements on the basis of the above, add 1 cache servers.

4. implement DNS resolution and HTTPS access . Experimental requirements on the above basis, add 2 units (DNS server and Certificate Server)

###########################

1. Single Server Implementation lanmp-centos7.3

Install related Packages

Yum install httpd php php-mysql mariadb-server

Start the service and test

Systemctl Start httpd

Systemctl Start mariadb

MySQL//Test login Database

echo "Apache Server Page" >/var/www/html/index.html

vi/var/www/html/index.php

<?php

Phpinfo ();

?>

Curl 192.168.10.71//test httpd Service

Set the root password and other security configuration for MySQL

Mysql_secure_installation

Log in to MySQL create database and Telnet account

Mysql-uroot-p

MariaDB [(None)]> CREATE Database wpdb;

MariaDB [(None)]> grant all on wpdb.* to [e-mail protected] ' 192.168.10.% ' identified by ' Redhat ';

Install WordPress

TAR-XF wordpress-xxx.tar.gz

Cp-p wp-config-sample.php wp-config.php

VI wp-config.php//change the following:

Define (' db_name ', ' wpdb ');

Define (' Db_user ', ' wpuser ');

Define (' Db_password ', ' redhat ');

Define (' Db_host ', ' 192.168.10.71 ');

Configuring Epel Source Installation Nginx

Yum Install Nginx

Systemctl Stop httpd

Systemctl start Nginx

echo "Nginx Server Page" >/usr/share/nginx/html/index.html

Curl 192.168.10.71

##################################

2. Add an LVS dispatch server, a total of 4 hosts, and modify the IP address as follows

Apache Server ip:10.71

Nginx Server ip:10.72

Lvs,nginx Proxy Server ip:10.73,80.162

Client ip:10.74

Apache Server configuration:

Ifdown eth1//Close other ports

IP route add default via 192.168.10.73//Add the defaults route to LVs

IP route

Default via 192.168.10.73 Dev eth0

Nginx Server configuration:

Ifdown eth1

IP route add default via 192.168.10.73

IP route

LVS server-10.73 Configuration:

Configure Epel source, install Ipvsadm

Yum Install Ipvsadm

VI/ETC/SYSCTL.CONF//Configure LVS to allow route forwarding

Net.ipv4.ip_forward = 1

SYSCTL-P//Application Configuration

Configuring LVS

Ipvsadm-a-T 192.168.80.162:80-s RR

Ipvsadm-a-T 192.168.80.162:80-r 192.168.10.71-m

Ipvsadm-a-T 192.168.80.162:80-r 192.168.10.72-m

Ipvsadm-ln

Ipvsadm-ln--stats

Client testing:

For i in {1..10};d o Curl 192.168.80.162;done

IPVSADM-E-T 192.168.80.162:80-s WRR

IPVSADM-E-T 192.168.80.162:80-r 192.168.10.71-m-W 3

Ipvsadm-ln

Client Configuration:

IP route add default via 192.168.80.162

For i in {1..10};d o Curl 192.168.80.162;done//test

##############################

Environment and IP planning ibid., configuring Nginx proxy server-10.73,80.162

Yum Install Nginx

vi/etc/nginx/nginx.conf//Note that there is a conflict between the stream and the HTTP configuration segment, you need to remove the HTTP configuration or you cannot start Nginx

# For more information on configuration, see:

# * Official 中文版 documentation:http://nginx.org/en/docs/

# * Official Russian documentation:http://nginx.org/ru/docs/

User Nginx;

Worker_processes Auto;

Error_log/var/log/nginx/error.log;

Pid/run/nginx.pid;

# Load dynamic modules. See/usr/share/nginx/readme.dynamic.

include/usr/share/nginx/modules/*.conf;

Events {

Worker_connections 1024;

}

Stream {

Upstream Mysrv {

Server 192.168.10.71:80 weight=3;

Server 192.168.10.72:80;

Least_conn;

}

server {

Listen 192.168.80.162:80;

Proxy_pass mysrv;

}

}

Systemctl start Nginx//Start Nginx Service

NGINX-T//Test Nginx Configuration

Nginx-s Reload//Reload Configuration

Client testing:

For i in {1..10};d o Curl 192.168.80.162;done

###############################

3. Build Varnish Cache service--not completed

Varnish ip:10.61

Yum Install varnish

Service Varnish Start

VI/ETC/VARNISH/DEFAULT.VCL//Custom VCL configuration

Varnishadm-s/etc/varnish/secret-t 127.0.0.1:6082 # Login Admin command line

Vcl.list # List all the configurations

Vcl.load TEST1/ETC/VARNISH/DEFAULT.VCL # Load compiled new configuration, test1 is the configuration name, TEST.VCL is the configuration file

Vcl.use Test1 # Use configuration, specify the configuration name, the current configuration to use the last vcl.use to prevail

Vcl.show test1 # Show configuration content, specify configuration name

##############################

4. Configure Nginx SSL Access

Configuring CA Server -10.75 (Centos7.3)

OpenSSL configuration file: more/etc/pki/tls/openssl.cnf

Important parameter configuration for CAs

dir =/etc/pki/ca # default CA parent directory, substituting refer to the following $dir

Certs = $dir/certs # signed certificate store directory with a. CRT certificate suffix

Crl_dir = $dir/CRL # revoked certificate store directory with a. CRL suffix

Database = $dir/index.txt # certificate index file, including signed and revoked certificates

New_certs_dir = $dir/newcerts # New signed certificate, same as signed certificate directory file

Certificate = Certificate file for $dir/CACERT.PEM # CA

serial = $dir/serial # The serial number of the next signed certificate must be specified manually for the first time and subsequent system updates automatically

Crlnumber = $dir/crlnumber # The serial number of the next revocation certificate

CRL = $dir/CRL.PEM # Revocation Certificate list file

Private_key = $dir/PRIVATE/CAKEY.PEM # CA's private key file

Randfile = $dir/private/.rand # private random number file

CA server Configuration

Cd/etc/pki/ca

Touch Index.txt

echo > Serial

(Umask 077; OpenSSL genrsa-out Private/cakey.pem 2048)

OpenSSL req-new-x509–key/etc/pki/ca/private/cakey.pem-days 7300-out/etc/pki/ca/cacert.pem

Prompt to enter country, province, city, company name, department name, CA hostname (issuer name)

C=CN, St=ha, L=zz, o=c73, Ou=it, cn=ca.baidu.com

View the generated certificate

OpenSSL X509-in/etc/pki/ca/cacert.pem-noout-text

Generate a certificate request file on the Web server (nginx-10.72) and send it to the CA server

(Umask 077; OpenSSL genrsa-out/app/service.key 2048)

OpenSSL REQ-NEW-KEY/APP/SERVICE.KEY-OUT/APP/SERVICE.CSR

Also prompted to enter the country, province, city and other information. Note: Country, province, company name three items must be consistent with the CA. The host name must be the same as the site domain name, such as www.baidu.com. or use a generic domain name, *.baidu.com, to match all.

SCP/APP/SERVICE.CSR 192.168.10.75:/etc/pki/ca/certs/

The CA server signs the certificate and issues the certificate to the Web server, noting that the certificate file suffix is *.crt

OpenSSL ca-in/etc/pki/ca/certs/service.csr–out/etc/pki/ca/certs/service.crt-days 365

SCP/ETC/PKI/CA/CERTS/SERVICE.CRT 192.168.10.72:/app/

NGINX-SSL configuration, you need to change the path of the certificate file, and cancel the default configuration of the comments about SSL #:

Vi/etc/nginx/nginx.conf

server {

Listen 443 SSL default_server;

Listen [::]:443 SSL Default_server;

server_name www.baidu.com;

root/usr/share/nginx/html;

Ssl_certificate "/APP/SERVICE.CRT";

Ssl_certificate_key "/app/service.key";

Ssl_session_cache shared:ssl:1m;

Ssl_session_timeout 10m;

Ssl_ciphers high:!anull:! MD5;

Ssl_prefer_server_ciphers on;

# Load configuration files for the default server block.

include/etc/nginx/default.d/*.conf;

Location/{

}

Error_page 404/404.html;

Location =/40x.html {

}

Error_page 502 503 504/50x.html;

Location =/50x.html {

}

}

###################################

To configure SSL access for HTTPD:

Httpd-web server-side Generate certificate request file and send to CA server

(Umask 077; OpenSSL genrsa-out/app/httpd.key 2048)

OpenSSL REQ-NEW-KEY/APP/HTTPD.KEY-OUT/APP/HTTPD.CSR

SCP/APP/HTTPD.CSR 192.168.10.75:/etc/pki/ca/certs/

The CA server signs the certificate and sends it to the HTTPD server

OpenSSL ca-in/etc/pki/ca/certs/httpd.csr–out/etc/pki/ca/certs/httpd.crt-days 365

SCP/ETC/PKI/CA/CERTS/HTTPD.CRT 192.168.10.71:/app/

httpd server-side configuration SSL:

Yum Install Mod_ssl

vi/etc/httpd/conf.d/ssl.conf//Change the file path of the certificate and key

Sslcertificatefile/app/httpd.crt

107 Sslcertificatekeyfile/app/httpd.key

Systemctl Restart httpd

This article is from the "Rackie" blog, make sure to keep this source http://rackie386.blog.51cto.com/11279229/1959592

Comprehensive experiment of Web service architecture