Nginx load balancing: the proxy server accepts requests for a configured hostname and spreads them over several backend IPs declared in an upstream block, so clients reach every backend through the single proxy address.
Configuration:
[root@123 ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream qq.com
#name of the upstream group; any identifier works, it is referenced by proxy_pass below
{
ip_hash;
#hash on the client IP so the same client is always sent to the same backend (session persistence)
#without it the default is round robin; ip_hash uses $remote_addr, so if this proxy sits behind
#another proxy or NAT every client hashes to the same backend
server 61.135.157.156:80;
server 125.39.240.113:80;
#the backend web servers
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq.com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#pass the client IP to the backend; $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For
#the client sent, so the backend must only trust the last entry (the one added by this proxy)
}
}
[root@123 ~]# curl -x127.0.0.1:80 www.qq.com
This is the default directory.
Before the proxy configuration is loaded, the request lands on the default virtual host.
[root@123 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@adailinux ~]# /usr/local/nginx/sbin/nginx -s reload
[root@adailinux ~]# curl -x127.0.0.1:80 www.qq.com
After the reload the request is forwarded to one of the backend IPs behind the proxy.
[root@123 ~]# dig www.qq.com
;; ANSWER SECTION:
www.qq.com. 138 IN A 61.135.157.156
www.qq.com. 138 IN A 125.39.240.113
;; Query time: 13 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: Tue Aug 15 16:41:11 CST 2017
;; MSG SIZE rcvd: 71
Note: with proxy_pass http://... the proxy speaks plain HTTP to the backends. Nginx can also proxy to HTTPS backends with proxy_pass https://... (this requires the http_ssl_module, see below), and since 1.9.0 the stream module can proxy raw TCP connections.
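With ip_hash in place, the thing to verify is that persistence actually holds: every client IP should appear with exactly one upstream address in the access log. The following script is an added example, not part of the original notes. It assumes a (hypothetical) log_format that records $remote_addr and $upstream_addr, and the log lines it reads are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): check ip_hash stickiness from access logs.
# Assumes nginx logs $remote_addr and $upstream_addr, e.g. with this hypothetical log_format
# in nginx.conf:
#   log_format upstreamlog '$remote_addr $upstream_addr $status';
#   access_log /usr/local/nginx/logs/lb.log upstreamlog;
# The log lines below are constructed for the example.

STICKY_LOG='10.0.0.1 61.135.157.156:80 200
10.0.0.2 125.39.240.113:80 200
10.0.0.1 61.135.157.156:80 200
10.0.0.3 61.135.157.156:80 502
10.0.0.2 125.39.240.113:80 200'

# A log from a plain round-robin upstream: the same client lands on both backends.
ROUND_ROBIN_LOG='10.0.0.1 61.135.157.156:80 200
10.0.0.1 125.39.240.113:80 200
10.0.0.2 61.135.157.156:80 200'

# Print one line per backend with its request count (spots a dead or overloaded node).
requests_per_backend() {
    awk '{ n[$2]++ } END { for (b in n) print b, n[b] }' | sort
}

# Print the number of client IPs that were sent to more than one backend.
# With ip_hash this must be 0 (unless a backend was marked down or the upstream list changed).
non_sticky_clients() {
    awk '{ seen[$1 " " $2] = 1 }
         END {
             for (k in seen) { split(k, p, " "); c[p[1]]++ }
             bad = 0
             for (ip in c) if (c[ip] > 1) bad++
             print bad
         }'
}

echo "$STICKY_LOG" | requests_per_backend
echo "sticky log: $(echo "$STICKY_LOG" | non_sticky_clients) client(s) not sticky"
echo "round-robin log: $(echo "$ROUND_ROBIN_LOG" | non_sticky_clients) client(s) not sticky"
```

On a real host replace the constructed variables with `cat /usr/local/nginx/logs/lb.log | non_sticky_clients`; a non-zero result with ip_hash configured usually means the proxy is seeing a single source address (it is behind another proxy) or a backend dropped out and its clients were rehashed.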
dig is the standard DNS lookup tool.
If the server does not have it, install it:
[root@123 ~]# yum install -y bind-utils
Syntax: dig [domain]
HTTP (HyperText Transfer Protocol) is the most widely used application protocol on the Internet.
HTTPS (historically Hyper Text Transfer Protocol over Secure Socket Layer) is HTTP carried inside an SSL/TLS channel: the TLS layer adds encryption of the traffic and authentication of the server by certificate, both of which plain HTTP lacks.
HTTP uses port 80 by default, HTTPS port 443.
TCP (Transmission Control Protocol) is the connection-oriented, reliable, byte-stream transport protocol defined in IETF RFC 793; HTTP and HTTPS both run on top of it.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are the protocols that provide confidentiality and data integrity for network communication.
If the openssl tool is missing on the VM, install it:
[root@123 ~]# yum install -y openssl
An SSL certificate is a public key bound to a name and signed by an issuer; the matching private key stays on the server and is never part of the certificate.
[root@123 ~]# cd /usr/local/nginx/conf/
[root@123 conf]# openssl genrsa -des3 -out tmp.key 2048
#generate a passphrase-protected RSA private key
Generating RSA private key, 2048 bit long modulus
....................................................................................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
Note: you are asked to choose a passphrase here. Nginx cannot load a passphrase-protected key at startup without prompting, so strip the passphrase:
[root@123 conf]# openssl rsa -in tmp.key -out linux.key
Enter pass phrase for tmp.key:
writing RSA key
Delete the passphrase-protected copy (linux.key is now unencrypted, so keep it readable by root only):
[root@123 conf]# rm -f tmp.key
Next, use the private key to generate a certificate signing request (CSR); the CSR carries the public key together with the identity fields entered below:
[root@123 conf]# openssl req -new -key linux.key -out linux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:aaa
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Beijing
Organizational Unit Name (eg, section) []:Beijing
Common Name (eg, your name or your server's hostname) []:linux
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Note: if you are not buying a certificate these fields can be anything; for a production site fill them in accurately, because the CA verifies them. The challenge password is ignored by most CAs and can be left blank.
[root@123 conf]# openssl x509 -req -days 365 -in linux.csr -signkey linux.key -out linux.crt
Signature ok
subject=/C=CN/ST=adai/L=Beijing/O=Beijing/OU=Beijing/CN=adailinux/[email protected]
Getting Private key
[root@123 conf]# cd vhost/
[root@123 vhost]# vim ssl.conf
server
{
listen 443;
server_name aming.com;
index index.html index.php;
root /data/wwwroot/aming.com;
ssl on;
#enable SSL on this server block ("ssl on" is deprecated since nginx 1.15.0; use "listen 443 ssl;" instead)
ssl_certificate linux.crt;
#certificate (public); relative paths resolve from /usr/local/nginx/conf/
ssl_certificate_key linux.key;
#private key
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#allowed protocol versions; TLSv1 and TLSv1.1 are deprecated, TLSv1.2 alone is the safer minimum today
}
[root@123 vhost]# mkdir /data/wwwroot/aming.com
Error:
[root@123 conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
The ssl directive is not recognized because this nginx was built without the SSL module; rebuild it with --with-http_ssl_module. Keep any other options the existing binary was built with (see nginx -V), and note that make install overwrites the binary in /usr/local/nginx/sbin in place, while the running master keeps the old one until it is restarted:
[root@123 conf]# cd /usr/local/src/nginx-1.12.1/
[root@123 nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@123 nginx-1.12.1]# make
[root@123 nginx-1.12.1]# make install
[root@123 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@123 nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ OK ]
[root@123 nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5991/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1735/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2040/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 5991/nginx: master
tcp6 0 0 :::3306 :::* LISTEN 1990/mysqld
tcp6 0 0 :::22 :::* LISTEN 1735/sshd
tcp6 0 0 ::1:25 :::* LISTEN 2040/master
nginx now listens on both port 80 and port 443.
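A bare ./configure --prefix=... --with-http_ssl_module silently drops every other option the installed binary was built with (user, modules, paths). The script below is an added example, not part of the original notes: it reads the configure arguments from nginx -V output and appends the SSL module only if it is missing. The nginx -V text it parses is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original notes): rebuild nginx with its existing configure
# options plus --with-http_ssl_module, instead of a bare ./configure that drops them.

# Extract "configure arguments: ..." from `nginx -V` output given on stdin.
configure_args_from_v() {
    sed -n 's/^configure arguments: //p'
}

# Append a configure flag unless it is already present. $1 = existing args, $2 = flag.
add_configure_flag() {
    case " $1 " in
        *" $2 "*) printf '%s\n' "$1" ;;
        *)        printf '%s\n' "$1 $2" ;;
    esac
}

# Constructed sample of `nginx -V` output for a build without SSL support.
SAMPLE_V='nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx'

OLD_ARGS=$(printf '%s\n' "$SAMPLE_V" | configure_args_from_v)
NEW_ARGS=$(add_configure_flag "$OLD_ARGS" --with-http_ssl_module)
echo "./configure $NEW_ARGS"

# On a real host, run from the nginx source directory (paths as in the notes above).
# nginx -V prints to stderr, hence the 2>&1:
#   ARGS=$(/usr/local/nginx/sbin/nginx -V 2>&1 | configure_args_from_v)
#   ARGS=$(add_configure_flag "$ARGS" --with-http_ssl_module)
#   eval ./configure "$ARGS" && make
# Check the new binary before make install replaces the old one:
#   ./objs/nginx -V 2>&1 | grep http_ssl_module
```

Running `./objs/nginx -t` against the existing configuration before `make install` catches a missing module or option without touching the binary nginx is currently serving from.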
[root@123 nginx-1.12.1]# cd /data/wwwroot/aming.com/
[root@123 adai.com]# vim index.html
This is ssl.
Add a local hosts entry for the name:
[root@123 adai.com]# vim /etc/hosts
127.0.0.1 aming.com
[root@123 vhost]# curl https://aming.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
The certificate is self-signed, so curl refuses it; this is expected. The right fix is to trust that specific certificate with --cacert rather than to disable verification with -k, which would also accept any attacker's certificate.
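The key, CSR and self-signed certificate steps above are interactive and produce a certificate with only a Common Name; current browsers and curl match the hostname against the subjectAltName extension, so such a certificate fails name checks even when explicitly trusted. The script below is an added example, not part of the original notes: it performs the same steps non-interactively with a SAN, then checks locally that the key matches the certificate. The hostname aming.com is taken from ssl.conf above; the output directory and the san.cnf file name are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original notes): generate the server key, CSR and self-signed
# certificate non-interactively, with a subjectAltName, and verify the result locally.

# make_selfsigned_cert <outdir> <hostname>
# Writes <outdir>/linux.key (unencrypted, so nginx starts without a passphrase prompt),
# <outdir>/linux.csr and <outdir>/linux.crt, valid for 365 days.
make_selfsigned_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # Extension config: hostname matching uses SAN, not CN. Field values are example choices.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C = CN
ST = Beijing
L = Beijing
O = Beijing
CN = $host
[v3_req]
subjectAltName = DNS:$host, DNS:www.$host
extendedKeyUsage = serverAuth
EOF
    # Key without passphrase (-nodes) instead of genrsa -des3 followed by stripping it.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/linux.key" \
        -out "$dir/linux.csr" -config "$dir/san.cnf" 2>/dev/null || return 1
    # Self-sign; x509 -req ignores the CSR's extensions, so point it at the config again.
    openssl x509 -req -days 365 -in "$dir/linux.csr" -signkey "$dir/linux.key" \
        -out "$dir/linux.crt" -extfile "$dir/san.cnf" -extensions v3_req 2>/dev/null
}

# Print the SAN entries of a certificate, e.g. "DNS:aming.com, DNS:www.aming.com".
cert_san() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# key_matches_cert <cert> <key>: 0 if the private key matches the certificate's public key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    make_selfsigned_cert "$WORK" aming.com
    echo "SAN: $(cert_san "$WORK/linux.crt")"
    key_matches_cert "$WORK/linux.crt" "$WORK/linux.key" && echo "key matches certificate"
    # Trust this one certificate explicitly instead of disabling verification with -k:
    #   curl --cacert "$WORK/linux.crt" https://aming.com/
fi
```

Copy linux.key and linux.crt into /usr/local/nginx/conf/ as in ssl.conf above, then `curl --cacert /usr/local/nginx/conf/linux.crt https://aming.com/` should return the page without the issuer error; if it still fails, the name in the URL is not in the SAN list.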
Test with a browser:
Note: before this test, add the same hosts entry to the Windows hosts file.