Linux nginx Load Balancer, SSL principle, generate SSL key pair, Nginx configuration SSL Introduction

Source: Internet
Author: User
Tags delete key openssl library openssl rsa openssl x509 ssl certificate

Load balancing of Nginx

1. Find www.qq.com domain corresponding IP to do the test

[[email protected] ~]# yum install -y bind-utils  //安装dig命令包[[email protected] ~]# dig www.qq.com; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> www.qq.com;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5335;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0;; QUESTION SECTION:;www.qq.com.            IN  A;; ANSWER SECTION:www.qq.com.     5   IN  A   59.37.96.63www.qq.com.     5   IN  A   14.17.42.40www.qq.com.     5   IN  A   14.17.32.211;; Query time: 6 msec;; SERVER: 172.16.111.2#53(172.16.111.2);; WHEN: 五 1月 05 21:14:15 CST 2018;; MSG SIZE  rcvd: 76

2. Modify the configuration file

[[email protected] ~]# cd /usr/local/nginx/conf/vhost/[[email protected] vhost]# vi ld.conf增加配置如下内容:upstream qq_com      //upstream来指定多个web server{    ip_hash;    server 59.37.96.63;    server 14.17.42.40;}server{    listen 80;    server_name www.qq.com;    location /    {        proxy_pass      http://qq_com;        proxy_set_header Host   $host;        proxy_set_header X-Real-IP      $remote_addr;        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;    }}[[email protected] vhost]# /usr/local/nginx/sbin/nginx -tnginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is oknginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload[[email protected] vhost]# curl -x127.0.0.1:80 www.qq.com

Test load balancing with curl to get results like

SSL principle

HTTPS It is an encrypted HTTPS protocol, if the HTTPS communication packets are intercepted during transmission, we can decipher the information in these packets, there are some user name, password, cell phone number and other sensitive information, and if the use of HTTPS communication, even if the packet is intercepted, And we can't decipher what's inside.

Interpreting the SSL workflow
    1. The browser sends an HTTPS request to the server;
    2. Server to have a digital certificate, you can make it yourself (the next operation is to Amin their own production of certificates), you can also apply to the organization, the difference is that the certificate issued by the client needs to be authenticated by clients before they can continue to access, and the use of trusted companies to apply for the certificate will not pop up > prompt page, This set of certificates is actually a pair of public and private keys;
    3. The server transmits the public key to the client;
    4. When the client (browser) receives the public key, it verifies that it is valid, that it has a warning alert, that it is valid, generates a random number, and encrypts the received public key;
    5. The client transmits the encrypted random string to the server;
    6. After the server receives the encrypted random string, first decrypts with the private key (public key encryption, private key decryption), obtains to this string random number, then uses this string random string to encrypt transmits the data (this encryption is symmetric encryption, so-called symmetric encryption, is the data and the private key is this random string > by some kind of algorithm mixes together, This will not get the data content unless the private key is known);
    7. The server transmits the encrypted data to the client;
    8. After the client receives the data, it decrypts it with its own private key (that is, the random string);

Generate an SSL key pair

1. Place the public key in the specified directory:

2. Generate the private key, the key file is the private key (2048 is the length of the encrypted string)

[[email protected] conf]# rpm -qf `which openssl` //查询缺少的openssl包,安装命令yum install -y openssl安装openssl-1.0.2k-8.el7.x86_64[[email protected] conf]# openssl genrsa -des3 -out tmp.key 2048 //生成私钥,2048为加密字符串长度,密码输入不能太短,否则不成功Generating RSA private key, 2048 bit long modulus.+++..........+++e is 65537 (0x10001)Enter pass phrase for tmp.key:Verifying - Enter pass phrase for tmp.key:
3. Convert key, cancel password (-in specify which key,-out output)

[[email protected] conf]# openssl rsa -in tmp.key -out aminglinux.key  //这一步是把刚刚生成的tmp.key再转换成aminglinux.key,目的是删除刚才设置的密码,如果key文件有密码,就必须在Nginx加载它的时候输入它的密码,因此很不方便Enter pass phrase for tmp.key:writing RSA key

4. Delete key

[[email protected] conf]# rm -f tmp.key

5. Generate a certificate request file

[[email protected] conf]# openssl req -new -key aminglinux.key -out aminglinux.csr  //需要拿这个文件和私钥一起生产公钥文件You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ‘.‘, the field will be left blank.-----Country Name (2 letter code) [XX]:xiState or Province Name (full name) []:taoLocality Name (eg, city) [Default City]:xieOrganization Name (eg, company) [Default Company Ltd]:linOrganizational Unit Name (eg, section) []:apaCommon Name (eg, your name or your server‘s hostname) []:dfdEmail Address []:adming Please enter the following ‘extra‘ attributesto be sent with your certificate requestA challenge password []:szyino-123An optional company name []:fdaf
Note: Because it is issued to its own certificate, so the information can be filled in casually.

6. Generate the public key file together with the previous private key file with the certificate request file

[[email protected] conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt //这里的aminglinux.crt为公钥。days为365是证书的日期是一年,这Signature ok  subject=/C=xi/ST=tao/L=xie/O=lin/OU=apa/CN=dfd/emailAddress=admingGetting Private key
Nginx Configuration SSL

1. Edit the SSL configuration file

[[email protected] conf]# vim /usr/local/nginx/conf/vhost/ssl.conf增加如下内容:server{    listen 443;    server_name aming.com;    index index.html index.php;    root /data/wwwroot/aming.com;    ssl on; //开启ssl,支持https    ssl_certificate aminglinux.crt;  //指定公钥    ssl_certificate_key aminglinux.key;  //指定私钥    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;}

2. Create a aming.com directory

[[email protected] conf]# mkdir /data/wwwroot/aming.com

3. Test syntax

[[email protected] nginx-1.12.1]# /usr/local/nginx/sbin/nginx -tnginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is oknginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Error

Cause: The original compiler did not specify the support SSL, so need to recompile nginx, plus –with-http_ssl_module-t &&-S Reload

Solve:

Specify to Nginx source package, recompile:./configure--prefix=/usr/local/nginx--with-http_ssl_module, operate as follows:

[[email protected] conf]# cd/usr/local/src/nginx-1.12.1[[email protected] nginx-1.12.1]#./configure-- Help | Grep-i SSL--with-http_ssl_module enable Ngx_http_ssl_module--with-mail_ssl_module enable Ngx_ Mail_ssl_module--with-stream_ssl_module enable Ngx_stream_ssl_module--with-stream_ssl_preread_module enabl E ngx_stream_ssl_preread_module--with-openssl=dir set path to OpenSSL library sources--with-openssl-op T=options set additional build OPTIONS for openssl[[email protected] nginx-1.12.1]#./configure--prefix=/usr /local/nginx--with-http_ssl_module[[email protected] nginx-1.12.1]# Echo $?0[[email protected] nginx-1.12.1]# make[[email protected] nginx-1.12.1]# make install[[email protected] nginx-1.12.1]#/usr/ LOCAL/NGINX/SBIN/NGINX-V//Now more http_ssl_module this parameter, complete and then test the syntax Oknginx version:nginx/1.12.1built by GCC 4.8.5 20150623 ( Red Hat 4.8.5-16) (GCC) built with OpenSSL 1.0.2k-fIPs Jan 2017TLS SNI support enabledconfigure arguments:--prefix=/usr/local/nginx--with-http_ssl_module 

After you restart Nginx, you will find 443 more listening ports

[[email protected] nginx-1.12.1]#/etc/init.d/nginx restartrestarting nginx (via Systemctl): Determine [[email protected] nginx-1.12.1]# netstat-lntpactive Internet connections (only servers) Proto recv-q send-q Local A ddress Foreign Address State pid/program name TCP 0 0 0.0.0.0:80 0.0.0 .0:* LISTEN 79269/nginx:master TCP 0 0 0.0.0.0:22 0.0.0.0:* LIS         TEN 812/sshd TCP 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1237/master      TCP 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 79269/nginx:master tcp6 0                   0::: 3306:::* LISTEN 1166/mysqld tcp6 0 0::: 22                    :::* LISTEN 812/sshd tcp6 0 0:: 1:25:::* LISTEN     1237/master  

4. Edit the Access file to do the test

[[email protected] nginx-1.12.1]# cd /data/wwwroot/aming.com/[[email protected] aming.com]# ls[[email protected] aming.com]# vim index.html增加如下内容:This is ssl.

5. Edit the local Hosts file

[[email protected] aming.com]# vi /etc/hosts增加一条记录:127.0.0.1 aming.com

6. Using Curl Testing

[[email protected] aming.com]# curl https://aming.com/curl: (60) Peer‘s certificate issuer has been marked as not trusted by the user.More details here: http://curl.haxx.se/docs/sslcerts.htmlcurl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn‘t adequate, you can specify an alternate file using the --cacert option.If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).If you‘d like to turn off curl‘s verification of the certificate, use the -k (or --insecure) option.
Explanation: This issue was flagged as untrusted because the certificate was issued by us, but was actually successfully configured.

7. Access using the browser

First in the Windows system to add the hosts to resolve the aming.com, if you can not access to see if the system has a firewall, view the command IPTABLES-NVL, some will empty the rules, command iptables-f, or add 443 port rules.

Note: This is not safe, because the certificate is not recognized by the browser, want to continue to access can click on "Advanced", then click "Add Exception", in the Pop-up dialog box click on "Confirm Security Exception", then you can access the site content.

Linux nginx Load Balancer, SSL principle, generate SSL key pair, Nginx configuration SSL Introduction

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.