Comprehensive experiment of Web service architecture

Source: Internet
Author: User
Tags: mysql create, mysql create database, openssl x509, install wordpress, nginx server, varnish, wordpress blog, nginx ssl

Web server architecture:

1. The simplest Web service: build an httpd service and an Nginx service that serve static HTML and PHP pages, build a LAMP environment and a WordPress blog; 1 server completes the LANMP stack.

2. Multiple stand-alone servers for a more complex web architecture: split the httpd and Nginx services onto their own hosts, and move MySQL and file sharing (NFS) onto a separate server.

Implement a redundant web architecture: dispatch multiple web servers through an LVS director or an Nginx proxy to get load balancing. The experiment needs 2 web servers (1 httpd, 1 Nginx), 1 MySQL+NFS server, 1 proxy server (LVS, httpd and Nginx on one host), 1 router and 1 test client, 6 hosts in total.

3. Front-end cache server (Varnish) for high-concurrency load. On top of the above, add 1 cache server.

4. DNS resolution and HTTPS access. On top of the above, add 2 hosts (a DNS server and a certificate server).


###########################

1. Single server implementation: LANMP on CentOS 7.3

Install the related packages

yum install httpd php php-mysql mariadb-server

Start the services and test

systemctl start httpd

systemctl start mariadb

mysql    # test login to the database

echo "Apache Server Page" > /var/www/html/index.html

vi /var/www/html/index.php

<?php

phpinfo();

?>


curl 192.168.10.71    # test the httpd service

phpinfo() reveals the PHP version, loaded modules and file system paths; delete index.php once the test passes so it is not reachable from the network.


Set the root password and the other security settings for MySQL

mysql_secure_installation

Log in to MySQL, create the database and a remote account (restricted to the 192.168.10.0/24 subnet rather than '%')

mysql -uroot -p

MariaDB [(none)]> CREATE DATABASE wpdb;

MariaDB [(none)]> GRANT ALL ON wpdb.* TO 'wpuser'@'192.168.10.%' IDENTIFIED BY 'redhat';


Install WordPress

tar -xf wordpress-xxx.tar.gz

cp -p wp-config-sample.php wp-config.php

vi wp-config.php    # change the following:

define('DB_NAME', 'wpdb');

define('DB_USER', 'wpuser');

define('DB_PASSWORD', 'redhat');

define('DB_HOST', '192.168.10.71');

wp-config.php holds the database password, so keep it readable only by root and the httpd user (for example chown root:apache wp-config.php; chmod 640 wp-config.php).


Configure the EPEL repository and install Nginx

yum install nginx

systemctl stop httpd    # both daemons want port 80

systemctl start nginx

echo "Nginx Server Page" > /usr/share/nginx/html/index.html


curl 192.168.10.71

As configured here Nginx serves only static files (no php-fpm is set up); the PHP pages stay on the httpd host.

##################################

2. Add an LVS director; 4 hosts in total, with the IP addresses changed as follows (all addresses are 192.168.x.x):

Apache server IP: 10.71

Nginx server IP: 10.72

LVS / Nginx proxy server IP: 10.73 (inside), 80.162 (outside, the VIP)

Client IP: 10.74


Apache server configuration:

ifdown eth1    # shut down the other interface

ip route add default via 192.168.10.73    # default route points at the LVS director, so replies go back through it (required for NAT mode)

ip route

default via 192.168.10.73 dev eth0


Nginx server configuration:

ifdown eth1

ip route add default via 192.168.10.73

ip route


LVS director (10.73) configuration:

Configure the EPEL repository and install ipvsadm

yum install ipvsadm

vi /etc/sysctl.conf    # let the director forward packets between the two networks

net.ipv4.ip_forward = 1

sysctl -p    # apply the setting


Configure LVS (NAT mode, -m, round-robin scheduling)

ipvsadm -A -t 192.168.80.162:80 -s rr

ipvsadm -a -t 192.168.80.162:80 -r 192.168.10.71 -m

ipvsadm -a -t 192.168.80.162:80 -r 192.168.10.72 -m

ipvsadm -Ln

ipvsadm -Ln --stats

Client testing:

for i in {1..10}; do curl 192.168.80.162; done

The two page bodies ("Apache Server Page" and "Nginx Server Page") should alternate.


Switch to weighted round-robin and give the Apache server weight 3:

ipvsadm -E -t 192.168.80.162:80 -s wrr

ipvsadm -e -t 192.168.80.162:80 -r 192.168.10.71 -m -w 3

ipvsadm -Ln


Client configuration:

ip route add default via 192.168.80.162

for i in {1..10}; do curl 192.168.80.162; done    # test; about three Apache replies for every Nginx reply

Note: the ipvsadm rules live only in the kernel; save them with ipvsadm-save before relying on them after a reboot.
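The client test above only eyeballs the alternation. The following script, added here as an example and not part of the original post, parses the director's ipvsadm -Ln output and the bodies collected from the curl loop and checks that each real server received its weighted share, which is how you tell that a scheduler change really took effect. It also lists the real servers forwarded with Masq, the ones that must carry the default route back through the director. Both inputs are constructed samples embedded in the script; on the real client replace them with captured output.

```shell
#!/bin/sh
# Added example (not from the original post): check the curl loop's results
# against the ipvsadm weights. Both inputs below are constructed samples.
set -eu

# Constructed `ipvsadm -Ln` output from the director after the wrr change.
SAMPLE_IPVSADM='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.80.162:80 wrr
  -> 192.168.10.71:80             Masq    3      0          0
  -> 192.168.10.72:80             Masq    1      0          0'

# Constructed bodies of: for i in {1..8}; do curl 192.168.80.162; done
SAMPLE_RESPONSES='Apache Server Page
Apache Server Page
Apache Server Page
Nginx Server Page
Apache Server Page
Apache Server Page
Apache Server Page
Nginx Server Page'

IPVS_OUT=$SAMPLE_IPVSADM      # on the client: IPVS_OUT=$(ssh director ipvsadm -Ln)
RESPONSES=$SAMPLE_RESPONSES   # on the client: RESPONSES=$(for i in $(seq 8); do curl -s VIP; done)

# Page body each real server writes (the echo commands in sections 1 and 2).
page_for_rs() {
    case "$1" in
        192.168.10.71) echo "Apache Server Page" ;;
        192.168.10.72) echo "Nginx Server Page" ;;
        *) echo "unknown real server $1" >&2; return 1 ;;
    esac
}

# Scheduler of the first virtual service (rr, wrr, lc, ...).
ipvs_scheduler() {
    printf '%s\n' "$IPVS_OUT" | awk '$1=="TCP" || $1=="UDP" {print $3; exit}'
}

# Weight ipvsadm shows for real server $1; rr ignores weights, so report 1.
ipvs_weight() {
    if [ "$(ipvs_scheduler)" = "rr" ]; then echo 1; return; fi
    printf '%s\n' "$IPVS_OUT" | awk -v rs="$1:" '$1=="->" && index($2, rs)==1 {print $4; exit}'
}

# Sum of weights over all real servers (number of servers under rr).
ipvs_total_weight() {
    if [ "$(ipvs_scheduler)" = "rr" ]; then
        printf '%s\n' "$IPVS_OUT" | awk '$1=="->" && $2 ~ /^[0-9]/ {n++} END {print n+0}'
    else
        printf '%s\n' "$IPVS_OUT" | awk '$1=="->" && $2 ~ /^[0-9]/ {s+=$4} END {print s+0}'
    fi
}

# Real servers forwarded with Masq (-m): each must default-route via the director.
masq_real_servers() {
    printf '%s\n' "$IPVS_OUT" | awk '$1=="->" && $3=="Masq" {sub(/:.*/, "", $2); print $2}'
}

# Replies that came from real server $1, and total replies.
hits_for() { printf '%s\n' "$RESPONSES" | grep -cx "$(page_for_rs "$1")" || true; }
total_hits() { printf '%s\n' "$RESPONSES" | grep -c . || true; }

# 0 when real server $1 received its weighted share within 15 percentage points.
share_ok() {
    awk -v hits="$(hits_for "$1")" -v total="$(total_hits)" \
        -v w="$(ipvs_weight "$1")" -v wall="$(ipvs_total_weight)" \
        'BEGIN { d = hits/total - w/wall; if (d < 0) d = -d; rc = (d <= 0.15) ? 0 : 1; exit rc }'
}

echo "scheduler: $(ipvs_scheduler); Masq real servers (need default route via director): $(masq_real_servers | tr '\n' ' ')"
for rs in $(masq_real_servers); do
    if share_ok "$rs"; then status=ok; else status=SKEWED; fi
    printf '%s weight=%s hits=%s/%s %s\n' "$rs" "$(ipvs_weight "$rs")" "$(hits_for "$rs")" "$(total_hits)" "$status"
done
```

With the sample data the script reports both real servers as ok (6 of 8 replies for weight 3, 2 of 8 for weight 1); feed it the same replies with the scheduler still on rr and 10.71 comes out SKEWED, which is exactly the case where the ipvsadm -E change was forgotten.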


##############################

Same environment and IP plan as above; configure the Nginx proxy server (10.73 / 80.162):

yum install nginx


vi /etc/nginx/nginx.conf    # note: the default http {} block's server listens on *:80, which collides with the stream listener on 192.168.80.162:80, so remove the http {} block (or its default server) or Nginx will not start

# For more information on configuration, see:

# * Official English documentation: http://nginx.org/en/docs/

# * Official Russian documentation: http://nginx.org/ru/docs/

user nginx;

worker_processes auto;

error_log /var/log/nginx/error.log;

pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.

include /usr/share/nginx/modules/*.conf;

events {

    worker_connections 1024;

}

stream {

    upstream mysrv {

        server 192.168.10.71:80 weight=3;

        server 192.168.10.72:80;

        least_conn;

    }

    server {

        listen 192.168.80.162:80;

        proxy_pass mysrv;

    }

}


nginx -t    # test the Nginx configuration first

systemctl start nginx    # start the Nginx service

nginx -s reload    # reload the configuration after later changes


Client testing:

for i in {1..10}; do curl 192.168.80.162; done

The stream module proxies at the TCP level: the backends see the proxy's own address (192.168.10.73) as the client, and no Host or X-Forwarded-For header is added. If the backends' access logs need the real client address, proxy with an http {} block and proxy_pass instead.


###############################

3. Build the Varnish cache service (not completed in the original lab)

Varnish IP: 10.61


yum install varnish

systemctl start varnish

vi /etc/varnish/default.vcl    # custom VCL configuration



varnishadm -S /etc/varnish/secret -T 127.0.0.1:6082    # log in to the admin command line

vcl.list    # list all loaded configurations

vcl.load test1 /etc/varnish/default.vcl    # compile and load a new configuration; test1 is the configuration name, default.vcl the file

vcl.use test1    # activate a configuration by name; the most recent vcl.use is the one in effect

vcl.show test1    # show the contents of a configuration by name
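A minimal default.vcl for this lab, added here as an example and not from the original post (which left this step unfinished): it points Varnish at the VIP from section 2 and bypasses the cache for anything that is not an anonymous GET or HEAD, so a logged-in WordPress session page or a POST response is never handed to another client out of the cache. The backend address, the cookie name patterns and the TTLs are assumptions chosen to match the addresses used above.

```vcl
vcl 4.0;

# Backend: the Nginx/LVS VIP from section 2 (assumed; adjust to your layout).
backend default {
    .host = "192.168.80.162";
    .port = "80";
}

sub vcl_recv {
    # Only anonymous read-only requests are cacheable; everything else goes
    # straight to the backend so one user's session page is never stored.
    if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
    }
    # WordPress sets these cookies for logged-in users and comment authors.
    if (req.http.Cookie ~ "wordpress_logged_in_|wp-postpass_|comment_author_") {
        return (pass);
    }
    # The admin area and the login page are never cached.
    if (req.url ~ "^/(wp-admin|wp-login\.php)") {
        return (pass);
    }
    # Drop remaining cookies from anonymous requests so they share one cache entry.
    unset req.http.Cookie;
}

sub vcl_backend_response {
    # A response that sets a cookie is user-specific: mark it hit-for-pass
    # so the next request for the same URL is not held back by this one.
    if (beresp.http.Set-Cookie) {
        set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        return (deliver);
    }
    set beresp.ttl = 5m;
}

sub vcl_deliver {
    # Expose a hit/miss marker so the cache can be checked with curl -I.
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
    } else {
        set resp.http.X-Cache = "MISS";
    }
}
```

Load it with vcl.load and vcl.use as above, then run curl -I http://192.168.10.61:6081/ twice: the second reply should carry X-Cache: HIT, while a request that sends a wordpress_logged_in_ cookie stays MISS every time.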



##############################

4. Configure Nginx SSL access

Configure the CA server, 10.75 (CentOS 7.3)

OpenSSL configuration file: more /etc/pki/tls/openssl.cnf

Important CA parameters (the [ CA_default ] section; $dir in the lines below expands to the dir value)

dir           = /etc/pki/CA             # CA working directory
certs         = $dir/certs              # where signed certificates are kept (.crt suffix)
crl_dir       = $dir/crl                # where issued CRLs are kept (.crl suffix)
database      = $dir/index.txt          # certificate index, listing signed and revoked certificates
new_certs_dir = $dir/newcerts           # a copy of every newly signed certificate, named by serial number
certificate   = $dir/cacert.pem         # the CA's own certificate
serial        = $dir/serial             # serial number of the next certificate; seeded by hand the first time, updated automatically afterwards
crlnumber     = $dir/crlnumber          # number of the next CRL
crl           = $dir/crl.pem            # the current certificate revocation list
private_key   = $dir/private/cakey.pem  # the CA's private key
RANDFILE      = $dir/private/.rand      # private random-number seed file


CA server configuration

cd /etc/pki/CA

touch index.txt

echo 01 > serial    # seed the serial number; with an empty serial file openssl ca fails to sign

(umask 077; openssl genrsa -out private/cakey.pem 2048)

openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

You are prompted for country, province, city, company name, department name and the CA host name (the issuer name), for example:

C=CN, ST=ha, L=zz, O=c73, OU=it, CN=ca.baidu.com

View the generated certificate

openssl x509 -in /etc/pki/CA/cacert.pem -noout -text


Generate a certificate request on the web server (Nginx, 10.72) and send it to the CA server

(umask 077; openssl genrsa -out /app/service.key 2048)

openssl req -new -key /app/service.key -out /app/service.csr

You are again prompted for country, province, city and so on. Note: with the default policy_match in openssl.cnf, country, province and organization must match the CA's values or openssl ca refuses to sign. The common name must be the site's domain name, such as www.baidu.com, or a wildcard such as *.baidu.com to cover every host in the domain. Current browsers ignore the CN and require a subjectAltName extension listing the host names; add one through an extension file (or -addext on OpenSSL 1.1.1 and later) when the certificate is meant for real clients.

scp /app/service.csr 192.168.10.75:/etc/pki/CA/certs/


The CA server signs the request and issues the certificate to the web server; note that the certificate file gets the .crt suffix

openssl ca -in /etc/pki/CA/certs/service.csr -out /etc/pki/CA/certs/service.crt -days 365

scp /etc/pki/CA/certs/service.crt 192.168.10.72:/app/
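The whole issuance path end to end, as an added example that is not from the original post: it builds a CA with the same subject values as above, issues a certificate for www.baidu.com with a subjectAltName so current browsers accept it, and then performs the checks a client performs (chain verification, host name in the SAN) plus the key/certificate match that catches a mix-up when files are copied to /app/. It signs with openssl x509 -req instead of openssl ca so it runs in a throwaway directory without the /etc/pki/CA layout; the scratch directory, the host names and the extension file contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway CA, a SAN-bearing
# server certificate, and the checks a client would perform on it.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory standing in for /etc/pki/CA
CA_SUBJ="/C=CN/ST=ha/L=zz/O=c73/OU=it/CN=ca.baidu.com"

# Create the CA key and a self-signed root, like the genrsa / req -x509 steps above.
make_ca() {
    (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$WORK/cakey.pem" -days 7300 \
        -subj "$CA_SUBJ" -out "$WORK/cacert.pem" 2>/dev/null
}

# Issue a server certificate for host name $1. The CSR carries the same
# C/ST/O values as the CA (the policy_match rule); the SAN extension is
# added at signing time because browsers no longer look at the CN.
issue_cert() {
    name="$1"
    (umask 077; openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/$name.key" \
        -subj "/C=CN/ST=ha/L=zz/O=c73/OU=it/CN=$name" \
        -out "$WORK/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$name" > "$WORK/$name.ext"
    # openssl x509 -req stands in for openssl ca; it needs no index.txt/serial layout.
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.crt" 2>/dev/null
}

# 0 if $1.crt chains to our CA (what curl --cacert checks), non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

# 0 if $1.crt lists host name $2 in its subjectAltName (what the browser checks).
san_has_host() {
    openssl x509 -in "$WORK/$1.crt" -noout -text 2>/dev/null | grep -qE "DNS:$2(,| |$)"
}

# 0 if the private key belongs to the certificate (same RSA modulus).
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/$1.crt" -noout -modulus)" = \
      "$(openssl rsa -in "$WORK/$1.key" -noout -modulus 2>/dev/null)" ]
}

make_ca
issue_cert www.baidu.com
if verify_chain www.baidu.com && san_has_host www.baidu.com www.baidu.com && key_matches_cert www.baidu.com; then
    echo "www.baidu.com.crt chains to $WORK/cacert.pem, carries its SAN and matches its key"
else
    echo "certificate check failed" >&2
fi
```

Point the checks at the real files by setting WORK to the directory that holds cacert.pem and the .crt/.key pair; a certificate issued by the page's openssl ca flow without a SAN passes verify_chain but fails san_has_host, which is the symptom behind the browser's "name mismatch" warning.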


Nginx SSL configuration: the TLS server block ships commented out in the default nginx.conf; uncomment it, point it at the certificate and key, and set server_name to the name on the certificate:

vi /etc/nginx/nginx.conf

server {

    listen 443 ssl default_server;

    listen [::]:443 ssl default_server;

    server_name www.baidu.com;

    root /usr/share/nginx/html;


    ssl_certificate "/app/service.crt";

    ssl_certificate_key "/app/service.key";

    ssl_session_cache shared:SSL:1m;

    ssl_session_timeout 10m;

    ssl_ciphers HIGH:!aNULL:!MD5;

    ssl_prefer_server_ciphers on;


    # Load configuration files for the default server block.

    include /etc/nginx/default.d/*.conf;


    location / {

    }

    error_page 404 /404.html;

    location = /40x.html {

    }

    error_page 502 503 504 /50x.html;

    location = /50x.html {

    }

}

Run nginx -t and nginx -s reload, then test from the client against the CA certificate rather than with -k: curl --cacert cacert.pem --resolve www.baidu.com:443:192.168.10.72 https://www.baidu.com/. The key file must stay readable by root only (the umask 077 above); nginx reads it as root before the workers drop privileges.
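A tightened version of the same server block, added here as an example and not from the original post: the stock block sets no ssl_protocols, so the nginx default applies (with the CentOS 7 build that still allows TLS 1.0 and 1.1), and it leaves port 80 serving the site in the clear. This variant pins TLS 1.2, restricts the cipher list to forward-secret AEAD suites, turns plain HTTP into a redirect and sends HSTS. The cipher list and the HSTS lifetime are assumptions; TLSv1.3 is omitted because the OpenSSL 1.0.2 build on CentOS 7.3 does not support it and older nginx rejects the token.

```nginx
# Added example: hardened variant of the TLS server block above (assumed values).
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name www.baidu.com;
    # Plain HTTP only redirects; nothing is served over port 80 any more.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name www.baidu.com;
    root /usr/share/nginx/html;

    ssl_certificate     /app/service.crt;
    ssl_certificate_key /app/service.key;

    # Weak: the stock block has no ssl_protocols line, so TLS 1.0/1.1 stay enabled.
    # Corrected: TLS 1.2 only (add TLSv1.3 once the OpenSSL build supports it).
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Ticket keys are generated at start-up and only change on reload; keep
    # tickets off unless a key rotation scheme is in place.
    ssl_session_tickets off;

    # Browsers that have seen this header refuse plain HTTP for the host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    include /etc/nginx/default.d/*.conf;

    location / {
    }
}
```

After the change, openssl s_client -connect 192.168.10.72:443 -tls1_1 should fail the handshake while -tls1_2 succeeds, and curl -I http://www.baidu.com/ should return 301 with a Location on https.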


###################################

Configure SSL access for httpd:

On the httpd web server, generate the certificate request and send it to the CA server

(umask 077; openssl genrsa -out /app/httpd.key 2048)

openssl req -new -key /app/httpd.key -out /app/httpd.csr

scp /app/httpd.csr 192.168.10.75:/etc/pki/CA/certs/


The CA server signs the request and sends the certificate to the httpd server

openssl ca -in /etc/pki/CA/certs/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

scp /etc/pki/CA/certs/httpd.crt 192.168.10.71:/app/


Configure SSL on the httpd server:

yum install mod_ssl

vi /etc/httpd/conf.d/ssl.conf    # change the certificate and key file paths

SSLCertificateFile /app/httpd.crt

SSLCertificateKeyFile /app/httpd.key

systemctl restart httpd

mod_ssl installs a self-signed localhost certificate under /etc/pki/tls, and until the two paths above are changed httpd presents that certificate, not the CA-issued one. Check with apachectl configtest before the restart and with openssl s_client -connect 192.168.10.71:443 afterwards (the issuer line should show ca.baidu.com).


This article is from the "Rackie" blog, make sure to keep this source http://rackie386.blog.51cto.com/11279229/1959592
