Linux Learning Summary (43) Nginx Load Balancer HTTPS configuration

Source: Internet
Author: User
Tags: curl, openssl, x509, ssl, certificate

1 Nginx Load Balancer

When the backend behind the proxy consists of multiple servers, incoming requests have to be distributed among them, which is the problem load balancing solves. A variety of balancing algorithms exist to spread client requests across the servers according to a chosen policy. The IP hash algorithm described below is used for the following purpose.
When load balancing across multiple dynamic application servers in the backend, the ip_hash directive hashes the client IP so that requests from one client IP are always directed to the same backend server. This way, when a user from a given IP logs on to backend web server A and then visits other URLs of the same site, they are guaranteed to reach backend web server A again. If the site holds login state such as a username and password session, that state is not lost by the next visit landing on a different server.
We again take Baidu as the example, adding the ip_hash algorithm to the reverse proxy configuration from the previous section.
Running dig www.baidu.com returns two IPs to proxy to:
61.135.169.125
61.135.169.121

upstream baidu_com {
    ip_hash;
    server 61.135.169.125:80;
    server 61.135.169.121:80;
}
server {
    listen 80;
    server_name www.baidu.com;
    location /
    {
        proxy_pass http://baidu_com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

curl -x127.0.0.1:80 www.baidu.com
We find that the request succeeds, so the proxy server is working. How to verify the load balancing itself, that is, how to see which backend IP finally served the request, I do not yet know; readers who do are welcome to leave me a message.

2 HTTPS Encryption principle

Compared with HTTP, HTTPS adds a set of digital certificate checks, and the communication between client and server is encrypted, so it offers much higher security. Below we describe the encrypted transfer process following the principle diagram.

1 The client initiates an HTTPS request.
2 The server obtains an SSL certificate from a trusted certificate authority.
3 The server responds to the client with the certificate, which carries the server's public key.
4 The client verifies the validity of the received public key (certificate); if it is not valid, a warning is shown. If it is valid, the client generates a random string and encrypts it with the public key.
5 The client sends the encrypted string to the server.
6 The server receives the encrypted random string from the client and decrypts it with the SSL certificate's private key.
7 The server uses the decrypted string to encrypt the requested page data and returns it to the client.
8 The client decrypts the data with the random string.
Note: the random string generated by the client in this process is one-time only.

3 Generating an SSL key pair
cd /usr/local/nginx/conf
openssl genrsa -des3 -out tmp.key 2048    # the .key file is the private key; enter a password twice when prompted
openssl rsa -in tmp.key -out lvlinux.key  # convert the key and remove the password; enter the password from above when prompted
rm -f tmp.key
openssl req -new -key lvlinux.key -out lvlinux.csr    # generate the certificate request file; it is combined with the private key to produce the public key (certificate). Fill in the requested details when prompted.
openssl x509 -req -days 365 -in lvlinux.csr -signkey lvlinux.key -out lvlinux.crt    # lvlinux.crt here is the public key (the certificate)
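The following is an added example, not code from the original post. It reproduces the key and certificate generation of section 3 without interactive prompts, then demonstrates the principle of section 2 with the same openssl tool: the "client" encrypts a random string with the public key taken from the certificate, and only the holder of the private key can recover it; it also shows why curl later reports the self-signed certificate as not trusted. The scratch directory, the placeholder password tmp-secret and the CN=lvlinux.com subject are assumptions.

```shell
# Added example (not from the original post): section 3 key generation made
# non-interactive, followed by the public-key round trip of section 2.
set -eu
WORK=$(mktemp -d)                       # scratch directory instead of /usr/local/nginx/conf
trap 'rm -rf "$WORK"' EXIT

# Section 3: -passout/-passin replace the typed password and -subj replaces the
# questionnaire; "tmp-secret" and CN=lvlinux.com are placeholder values.
gen_keypair() {
    cd "$WORK"
    openssl genrsa -des3 -passout pass:tmp-secret -out tmp.key 2048 2>/dev/null
    openssl rsa -in tmp.key -passin pass:tmp-secret -out lvlinux.key 2>/dev/null
    rm -f tmp.key
    openssl req -new -key lvlinux.key -subj "/CN=lvlinux.com" -out lvlinux.csr 2>/dev/null
    openssl x509 -req -days 365 -in lvlinux.csr -signkey lvlinux.key -out lvlinux.crt 2>/dev/null
    cd - >/dev/null
}

# A self-signed certificate is rejected when it is not in the verifier's trust
# store (the "not trusted" result curl reports in section 4) and accepted only
# when that same certificate is explicitly supplied as the trust anchor.
cert_is_trusted() {      # $1 = CA file to trust, or "none" for no extra trust anchor
    if [ "$1" = none ]; then
        openssl verify -no-CAfile -no-CApath "$WORK/lvlinux.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$WORK/lvlinux.crt" >/dev/null 2>&1
    fi
}

# Section 2, steps 4 to 6: the client takes the public key out of the
# certificate, encrypts a one-time random string with it, and the server
# recovers the string with its private key.
roundtrip_secret() {
    openssl x509 -in "$WORK/lvlinux.crt" -pubkey -noout > "$WORK/server.pub"
    openssl rand -hex 16 > "$WORK/client.secret"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
        -in "$WORK/client.secret" -out "$WORK/client.secret.enc"
    openssl pkeyutl -decrypt -inkey "$WORK/lvlinux.key" \
        -in "$WORK/client.secret.enc" -out "$WORK/server.secret"
    cmp -s "$WORK/client.secret" "$WORK/server.secret"
}

gen_keypair
openssl x509 -in "$WORK/lvlinux.crt" -noout -subject -dates
cert_is_trusted none && echo "trusted" || echo "not trusted: self-signed, as expected"
cert_is_trusted "$WORK/lvlinux.crt" && echo "trusted once added to the trust store"
roundtrip_secret && echo "server recovered the client's random string"
```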
4 Configuring SSL in Nginx

vim /usr/local/nginx/conf/vhost/ssl.conf    # add the following:

server {
    listen 443;
    server_name lvlinux.com;
    index index.html index.php;
    root /data/wwwroot/lvlinux.com;
    ssl on;
    ssl_certificate lvlinux.crt;
    ssl_certificate_key lvlinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

nginx -t && nginx -s reload    # if this errors with unknown directive "ssl", Nginx must be recompiled with --with-http_ssl_module
mkdir /data/wwwroot/lvlinux.com
echo "SSL Test" > /data/wwwroot/lvlinux.com/index.html
Edit the hosts file and add: 127.0.0.1 lvlinux.com
curl https://lvlinux.com/

We see that the certificate authority is reported as not trusted, which is expected, since we issued the certificate ourselves.
Bind the host name in the Windows hosts file and access the site from a browser.

Note: run netstat -lntp to check whether port 443 is listening; if it is not, restart Nginx.
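As an added example (not from the original post), the load balancer from section 1 and the SSL server from section 4 combined into one configuration with two changes a practitioner would want: an access log that records which backend actually served each request, which answers the question left open in section 1 ($upstream_addr is the backend address Nginx connected to), and a TLS server block that no longer offers the obsolete TLSv1 and TLSv1.1. The directives and values from the post are kept; the log path and the format name backend_log are assumptions.

```nginx
http {
    # Which backend finally served the request: $upstream_addr is the address
    # Nginx connected to, $upstream_status the response code it returned.
    log_format backend_log '$remote_addr -> $upstream_addr [$upstream_status] '
                           '"$request" $status';

    upstream baidu_com {
        ip_hash;                          # same client IP -> same backend
        server 61.135.169.125:80;
        server 61.135.169.121:80;
    }

    server {
        listen 80;
        server_name www.baidu.com;
        access_log /usr/local/nginx/logs/baidu_com.log backend_log;   # assumed path
        location / {
            proxy_pass http://baidu_com;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        listen 443 ssl;                   # replaces the deprecated "ssl on;"
        server_name lvlinux.com;
        index index.html index.php;
        root /data/wwwroot/lvlinux.com;
        ssl_certificate lvlinux.crt;
        ssl_certificate_key lvlinux.key;
        ssl_protocols TLSv1.2 TLSv1.3;    # TLSv1/TLSv1.1 are deprecated; TLSv1.3 needs OpenSSL 1.1.1+
    }
}
```

After a few requests through port 80, tail the access log: the second field of each line shows which of the two backends ip_hash selected for that client address.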

