50. Nginx load balancing, SSL principle, key pair, configuring SSL

Original link: https://my.oschina.net/u/3866192/blog/3079173

12.17 Nginx load balancing

12.18 SSL (HTTPS) principle

12.19 Generating an SSL key pair

12.20 Configuring SSL in Nginx

Further reading

Proxying based on the request URI http://ask.apelearn.com/question/1049

Choosing the backend web server by the directory accessed http://ask.apelearn.com/question/920

Nginx keep-alive connections http://www.apelearn.com/bbs/thread-6545-1-1.html

Analysis of the Nginx load-balancing algorithms http://blog.sina.com.cn/s/blog_72995dcc01016msi.html


12.17 Nginx load balancing:

This follows on from the proxy server of the previous section. With one web server behind it we call it a proxy; with two web servers behind it we call it load balancing. A proxy server can have several web servers on its backend, and when several servers provide the service, load balancing is achieved.

Without this proxy layer, users could only request the servers one at a time. Suppose user 1 accesses web1 and web1 has gone down: the proxy server will then not send requests to web1 any more. That is the advantage of Nginx load balancing.

~1.

vim /usr/local/nginx/conf/vhost/load.conf // write in the following content

upstream baidu_com // uses the upstream module. The name can be anything; it names the block below
{
ip_hash; // keeps a user on the same server. For example, you log in with your account and password and a moment later the session is gone, because the request was resolved to another server; this must not happen
server 182.61.200.6:80; // multiple IPs can only be defined here
server 182.61.200.7:80;
}
server
{
listen 80;
server_name www.baidu.com; // the domain name
location /
{
proxy_pass http://baidu_com; // specifies the target; here it is the name of the upstream block configured above, and multiple IPs cannot be defined here
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

~2.

upstream is used to specify multiple web servers
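How ip_hash actually chooses the backend, as an added example that is not part of the original post and not nginx's own code: a Python reconstruction of the selection in ngx_http_upstream_ip_hash_module.c from my reading of that source. The constants 89, 113 and 6271 and the use of only the first three octets of the client's IPv4 address are assumptions about the exact algorithm; the upstream list mirrors the load.conf above. It shows why the login problem described under ip_hash goes away (the same client always lands on the same backend), the caveat that every client in the same /24 shares that backend, and how a backend marked down is skipped by rehashing.

```python
# Added example: a Python reconstruction of nginx's ip_hash backend selection.
# Constants and the three-octet key come from my reading of the nginx source
# (ngx_http_upstream_ip_hash_module.c); treat the exact arithmetic as an assumption.

# Constructed upstream mirroring the load.conf on this page: (address, weight, down)
UPSTREAM = [
    ("182.61.200.6:80", 1, False),
    ("182.61.200.7:80", 1, False),
]

MAX_TRIES = 20  # nginx gives up on the hash after 20 tries and falls back to round robin


def ip_hash_key(client_ip):
    """The hash key is only the first three octets, so 192.168.30.134 and
    192.168.30.200 are the same client as far as ip_hash is concerned."""
    return [int(octet) for octet in client_ip.split(".")[:3]]


def pick_backend(client_ip, upstream=UPSTREAM, down=frozenset()):
    """Return the backend address ip_hash would choose for this client.
    `down` lets the caller mark backends as unavailable (the `down` parameter
    of the server directive, or a backend that exceeded max_fails)."""
    key = ip_hash_key(client_ip)
    total_weight = sum(weight for _, weight, _ in upstream)
    h = 89
    for _ in range(MAX_TRIES):
        for octet in key:            # the same octets are fed in again on every retry
            h = (h * 113 + octet) % 6271
        w = h % total_weight
        for address, weight, configured_down in upstream:
            if w < weight:
                if not configured_down and address not in down:
                    return address
                break                # chosen peer is down: rehash and try again
            w -= weight
    # after MAX_TRIES nginx falls back to plain round robin; the first live
    # backend stands in for that here (constructed simplification)
    for address, _, configured_down in upstream:
        if not configured_down and address not in down:
            return address
    raise RuntimeError("no live upstream")


def show_distribution(clients, upstream=UPSTREAM, down=frozenset()):
    """Map each client to its backend; handy for seeing how the /24 grouping behaves."""
    return {ip: pick_backend(ip, upstream, down) for ip in clients}


if __name__ == "__main__":
    sample = ["192.168.30.134", "192.168.30.200", "10.0.0.5", "10.0.1.5"]
    for ip, backend in show_distribution(sample).items():
        print(f"{ip:>16} -> {backend}")
    print("with 182.61.200.7 down:",
          pick_backend("192.168.30.134", down={"182.61.200.7:80"}))
```

Run it directly to print the mapping: under these constants pick_backend("192.168.30.134") returns 182.61.200.7:80, and any client in 192.168.30.0/24 returns the same backend, which is also why many users behind one NAT or corporate proxy all pile onto one server. In a real deployment, mark a backend that has gone down with the down parameter on its server line, or let max_fails and fail_timeout do it; the hash then rolls over to the next live backend as the code shows.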

 

 

 

Key points:

~1. How do you find out which IPs baidu.com resolves to?

yum install -y bind-utils

dig baidu.com (this returns two IPs, i.e. baidu.com resolves to these two IPs)

~2. Nginx does not support proxying https (i.e. you cannot write port 443)

What if users can only access port 443?

Only the proxy facing the users can listen on 443; the web servers behind it use 80 (not clear to me)


Example:

1.

[root@localhost ~]# vim /usr/local/nginx/conf/vhost/load.conf   create a new load.conf

upstream baidu_com
{
    ip_hash;
    server 182.61.200.6:80;
    server 182.61.200.7:80;
}
server
{
    listen 80;
    server_name www.baidu.com;
    location /
    {
        proxy_pass      http://baidu_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

[root@localhost ~]# curl -x192.168.30.134:80 www.qq.com   test first, without running -t and reload

“This is a default site.”   the result is the default page

[root@localhost ~]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload

[root@localhost ~]#  curl -x127.0.0.1:80 www.baidu.com -I   after -t and reload, testing again works

HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 25 Jul 2019 07:26:26 GMT
Content-Type: text/html
Content-Length: 277
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Etag: "575e1f60-115"
Last-Modified: Mon, 13 Jun 2016 02:50:08 GMT
Pragma: no-cache

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


12.18 SSL principle (HTTPS):

What is the difference between HTTP and HTTPS? First, HTTPS is encrypted: if, say, the information you access is captured by a hacker, what he gets is encrypted, i.e. garbled.

SSL workflow:

~1. The browser sends an HTTPS request to the server;

~2. The server must have a set of digital certificates. It can make them itself (the operations below use a certificate Aming made himself) or apply to an organisation for them; the difference is that a self-issued certificate requires the client to pass a verification before access can continue, whereas with a certificate obtained from a trusted company no warning page pops up. This set of certificates is in fact a pair of public and private keys;

~3. The server sends the public key to the client;

~4. After receiving the public key, the client (browser) verifies whether it is legitimate and valid. If it is invalid there is a warning; if it is valid, the client generates a random string and encrypts it with the public key it received;

~5. The client sends the encrypted random string to the server;

~6. After receiving the encrypted random string, the server first decrypts it with its private key (public key encrypts, private key decrypts) to obtain the random string, and then uses this random string to encrypt the data to be transmitted (this is symmetric encryption: the data and the key, i.e. this random string, are mixed together by some algorithm so that nobody can recover the data without knowing the key);

~7. The server sends the encrypted data to the client;

~8. After receiving the data, the client decrypts it with its own key, i.e. that random string;
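The eight steps above, as an added example that is not part of the original post: a toy Python walk-through in which textbook RSA on two ~20-bit primes plays the certificate's key pair and a SHA-256 keystream plays the symmetric cipher. Neither is usable cryptography; the point is to make the flow concrete: the client trusts the public key only if its fingerprint matches a pinned value (standing in for the browser's CA check in step 4, including the warning case), the random number travels under the public key, and both sides then use it as the symmetric key. All function names and the pinned fingerprint are constructed for this example.

```python
# Added example: a toy walk-through of the eight-step flow above.
# Textbook RSA on ~20-bit primes and a SHA-256 keystream stand in for the real
# certificate, key exchange and cipher; none of this is usable as cryptography.
import hashlib
import secrets
from math import gcd


def next_prime(n):
    """Smallest prime >= n by trial division (fine for numbers this small)."""
    while True:
        if n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1


def make_keypair():
    """Step 2: the server's certificate is, at its core, a public/private key pair."""
    p, q = next_prime(1 << 20), next_prime((1 << 20) + 1000)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:
        e += 2
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def fingerprint(public_key):
    """What the client pins/trusts; stands in for the browser's CA check in step 4."""
    n, e = public_key
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


def symmetric_xor(key_int, data):
    """Step 6's symmetric 'mixing': XOR with a keystream derived from the random number.
    The same call encrypts and decrypts."""
    key = key_int.to_bytes(8, "big")
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def run_handshake(message, server_public, server_private, trusted_fingerprint):
    """Steps 3-8 for one server response.
    Returns (ciphertext as seen on the wire, what the client reads)."""
    # step 3/4: the public key arrives; the client refuses anything it does not trust
    if fingerprint(server_public) != trusted_fingerprint:
        raise ValueError("certificate not trusted: this is where the browser warns")
    n, e = server_public
    # step 4/5: client picks a random number and sends it encrypted with the public key
    random_number = secrets.randbelow(1 << 32)
    on_the_wire = pow(random_number, e, n)
    # step 6: server recovers it with the private key (public encrypts, private decrypts)
    _, d = server_private
    server_copy = pow(on_the_wire, d, n)
    # step 6/7: server encrypts the payload symmetrically with that number and sends it
    ciphertext = symmetric_xor(server_copy, message.encode())
    # step 8: client decrypts with its own copy of the random number
    return ciphertext, symmetric_xor(random_number, ciphertext).decode()


if __name__ == "__main__":
    pub, priv = make_keypair()
    wire, plain = run_handshake("ssl test page.", pub, priv, fingerprint(pub))
    print("ciphertext:", wire.hex())
    print("client reads:", plain)
```

The step that does the security work is the fingerprint comparison: skipping it (curl -k, or clicking through the browser warning) is what lets anyone with their own self-issued key pair sit in the middle. Modern TLS 1.3 no longer sends the session secret under the server's RSA key as step 4 describes but derives it with an ephemeral Diffie-Hellman exchange, so a stolen server key cannot decrypt recorded traffic; the trust check and the switch to a symmetric key keep the same shape.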

 

(Image 1 from the original post)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


12.19 Generating an SSL key pair:

We issue a certificate on the virtual machine; in fact it is a pair of private and public keys:

yum install -y openssl

~1. cd /usr/local/nginx/conf

~2. openssl genrsa -des3 -out tmp.key 2048 // the .key file is the private key

genrsa generates a private key in RSA format

-out specifies the output file

2048 is the key length

tmp.key the file is simply called tmp.key

~3. openssl rsa -in tmp.key -out axin.key // converts the key and removes the pass phrase. axin.key is the converted private key without a pass phrase

-in specifies which key is to be converted

~4. rm -f tmp.key // the old key can now be deleted

~5. openssl req -new -key axin.key -out axin.csr // generates the certificate signing request; this file together with the private key is needed to produce the public key file

~6. openssl x509 -req -days 365 -in axin.csr -signkey axin.key -out axin.crt // uses the request and the private key generated earlier to produce the public key file

~7. Here the .crt file (axin.crt; the course notes call it aminglinux.crt) is the public key
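Steps 2 to 6 as one non-interactive script, added here and not part of the original post: it runs the same openssl commands (it assumes the openssl binary is on PATH) without the pass-phrase and DN prompts, then confirms that the certificate and the private key belong together by comparing their RSA moduli, which is the check worth running before pointing ssl_certificate and ssl_certificate_key at the files. Generating with genrsa but without -des3 writes an unencrypted key directly, which is where the page's -des3 step followed by openssl rsa also ends up. The subject /CN=axin.com and the file names are constructed for the example.

```python
# Added example: the key-pair steps above as a non-interactive script, plus a check
# that the certificate and private key belong together. It shells out to the
# openssl binary; the subject and file names are constructed for illustration.
import subprocess
import tempfile
from pathlib import Path


def keygen_commands(name, days=365, subject="/CN=axin.com"):
    """The openssl invocations from steps 2, 5 and 6 with the prompts removed:
    genrsa without -des3 writes an unencrypted key directly (the page's -des3 step
    followed by 'openssl rsa' ends in the same place), and -subj answers the DN prompts."""
    key, csr, crt = f"{name}.key", f"{name}.csr", f"{name}.crt"
    return [
        ["openssl", "genrsa", "-out", key, "2048"],
        ["openssl", "req", "-new", "-key", key, "-out", csr, "-subj", subject],
        ["openssl", "x509", "-req", "-days", str(days), "-in", csr,
         "-signkey", key, "-out", crt],
    ]


def parse_modulus(output):
    """'Modulus=ABCD...' as printed by openssl rsa/x509 -noout -modulus -> 'ABCD...'."""
    for line in output.splitlines():
        if line.startswith("Modulus="):
            return line.split("=", 1)[1].strip()
    raise ValueError("no Modulus= line in openssl output")


def modulus_of(path, kind):
    """kind is 'rsa' for a private key or 'x509' for a certificate."""
    out = subprocess.run(["openssl", kind, "-noout", "-modulus", "-in", str(path)],
                         check=True, capture_output=True, text=True).stdout
    return parse_modulus(out)


def generate_and_verify(workdir, name="axin"):
    """Run the three commands in workdir and return True if crt and key share a modulus,
    i.e. the certificate really was issued for this private key."""
    for cmd in keygen_commands(name):
        subprocess.run(cmd, cwd=workdir, check=True, capture_output=True)
    key, crt = Path(workdir, f"{name}.key"), Path(workdir, f"{name}.crt")
    return modulus_of(key, "rsa") == modulus_of(crt, "x509")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("certificate matches key:", generate_and_verify(tmp))
```

The private key written this way has no pass phrase, exactly like axin.key on the page, so its file permissions are the only thing protecting it: keep it readable by root only, since nginx's master process reads it as root before dropping privileges. Run generate_and_verify against the real /usr/local/nginx/conf directory to reproduce the page's files under the same names.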

 

 

Example:

[root@localhost ~]# cd /usr/local/nginx/conf/   first go into the configuration directory

[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048   first generate the .key private key

Generating RSA private key, 2048 bit long modulus

.......................+++

..................................+++

e is 65537 (0x10001)

Enter pass phrase for tmp.key:   a pass phrase must be entered

Verifying - Enter pass phrase for tmp.key:   enter it again

[root@axinlinux-01 conf]# openssl rsa -in tmp.key -out axin.key   remove the pass phrase, because it is inconvenient

Enter pass phrase for tmp.key:   the pass phrase set earlier must be entered

writing RSA key

[root@localhost conf]# rm -f tmp.key   delete the old .key private key file

[root@localhost conf]# openssl req -new -key axin.key -out axin.csr   generate the certificate request

You are about to be asked to enter information that will be incorporated   the information below needs filling in; since this is an experiment it was simply left blank

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

string is too long, it needs to be less than 2 bytes long

Country Name (2 letter code) [XX]:

State or Province Name (full name) []:

Locality Name (eg, city) [Default City]:

Organization Name (eg, company) [Default Company Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:wangxin789   but a challenge password was set

An optional company name []:

[root@localhost conf]# openssl x509 -req -days 365 -in axin.csr -signkey axin.key -out axin.crt

Signature ok   generated successfully

subject=/C=XX/L=Default City/O=Default Company Ltd

Getting Private key

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


12.20 Configuring SSL in Nginx:

~1. vim /usr/local/nginx/conf/vhost/ssl.conf // add the following content

server
{
listen 443; // the listening port is 443, because it cannot simply be 80
server_name axin.com;
index index.html index.php;
root /data/wwwroot/axin.com;
ssl on; // turns SSL on, supporting HTTPS
ssl_certificate axin.crt; // specifies the public key
ssl_certificate_key axin.key; // specifies the private key
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; // the protocols. Usually these three are all configured
}

server
{
    listen 443;
    server_name axin.com;
    index index.html index.php;
    root /data/wwwroot/axin.com;
    ssl on;
    ssl_certificate axin.crt;
    ssl_certificate_key axin.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

~2. -t && -s reload // if the error unknown directive "ssl" is reported, nginx must be recompiled (make && make install) with --with-http_ssl_module (that is, "./configure --prefix=/usr/local/nginx --with-http_ssl_module")

~3. mkdir /data/wwwroot/axin.com

~4. echo "ssl test page." > /data/wwwroot/axin.com/index.html

~5. Edit hosts and add 127.0.0.1 axin.com

~6. curl https://axin.com/
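A checker for the ssl.conf above, added here as an example that is not part of the original post: it flattens the server block with a simplified parser of my own (not nginx's), flags the ssl on directive (obsolete since nginx 1.15.0, where listen 443 ssl replaces it), flags TLSv1 and TLSv1.1 in ssl_protocols (deprecated by RFC 8996), catches a listen 443 that would serve plain HTTP because neither form of ssl is present, and checks that the certificate and key directives exist. The hardened variant it compares against is constructed for the example and assumes a current nginx and OpenSSL; on the page's nginx 1.8.0 with OpenSSL 1.0.2k there is no TLSv1.3, so TLSv1.2 alone would be the choice there.

```python
# Added example: a small checker for the ssl.conf above. The config flattening is
# my own simplification, not nginx's parser; both configs are embedded so it runs offline.
import re

# The server block from this page, verbatim
PAGE_CONF = """
server
{
    listen 443;
    server_name axin.com;
    index index.html index.php;
    root /data/wwwroot/axin.com;
    ssl on;
    ssl_certificate axin.crt;
    ssl_certificate_key axin.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

# Constructed hardened variant; assumes a current nginx/OpenSSL (TLSv1.3 needs
# nginx 1.13+ and OpenSSL 1.1.1+, which the page's 1.8.0 / 1.0.2k build lacks)
HARDENED_CONF = """
server
{
    listen 443 ssl;
    server_name axin.com;
    index index.html index.php;
    root /data/wwwroot/axin.com;
    ssl_certificate axin.crt;
    ssl_certificate_key axin.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Flatten an nginx config into (name, args) pairs. Block nesting is dropped
    because every check here looks at a single server block."""
    text = re.sub(r"#.*", "", text)            # strip nginx comments
    return [(parts[0], parts[1:])
            for stmt in re.split(r"[;{}]", text)
            if (parts := stmt.split())]


def lint_ssl_server(text):
    """Return a list of findings for one server block; an empty list means nothing flagged."""
    directives = parse_directives(text)
    findings = []
    ssl_on = ("ssl", ["on"]) in directives
    listens = [args for name, args in directives if name == "listen"]
    if ssl_on:
        findings.append("'ssl on' is obsolete since nginx 1.15.0; use 'listen 443 ssl' instead")
    if listens and not ssl_on and not any("ssl" in args for args in listens):
        findings.append("listen has no 'ssl' parameter and 'ssl on' is absent: "
                        "port 443 would serve plain HTTP")
    for name, args in directives:
        if name == "ssl_protocols":
            bad = sorted(DEPRECATED_PROTOCOLS & set(args))
            if bad:
                findings.append("ssl_protocols enables deprecated versions: "
                                f"{', '.join(bad)} (TLS 1.0/1.1 are deprecated by RFC 8996)")
    for required in ("ssl_certificate", "ssl_certificate_key"):
        if not any(name == required for name, _ in directives):
            findings.append(f"{required} is missing")
    return findings


if __name__ == "__main__":
    for label, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {lint_ssl_server(conf) or 'no findings'}")
```

The relative paths axin.crt and axin.key are resolved by nginx against the main configuration directory (/usr/local/nginx/conf here), which is why the files generated in 12.19 are found even though ssl.conf lives in conf/vhost; the checker does not verify that they exist, so pair it with nginx -t, which does.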

 

 

 

 

 

Example:

[root@localhost conf]# cd vhost/

[root@localhost vhost]# ls

aaa.com.conf  load.conf  proxy.conf  test.com.conf

[root@localhost vhost]# vim ssl.conf   create a new .conf

[root@localhost vhost]# mkdir /data/wwwroot/axin.com

[root@localhost vhost]# /usr/local/nginx/sbin/nginx -t   an error, because it does not know the ssl directive

nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7

nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

[root@localhost vhost]# cd /usr/local/src/nginx-1.8.0/

[root@localhost nginx-1.8.0]# ./configure --help |grep -i ssl   search for the ssl module

  --with-http_ssl_module             enable ngx_http_ssl_module   this is the one we need
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL

[root@localhost nginx-1.8.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module

[root@localhost nginx-1.8.0]# make

[root@localhost nginx-1.8.0]# make install

[root@localhost nginx-1.8.0]# /usr/local/nginx/sbin/nginx -V   check that the ssl module has been added

nginx version: nginx/1.8.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module

[root@localhost nginx-1.8.0]# /usr/local/nginx/sbin/nginx -t   run -t again

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@localhost nginx-1.8.0]# /etc/init.d/nginx restart   restart nginx

Restarting nginx (via systemctl): [ 确定 ]

[root@localhost nginx-1.8.0]# netstat -lntp   check the listening ports; 443 has been added

tcp        0      0 192.168.30.134:9000     0.0.0.0:*               LISTEN      1076/php-fpm: maste 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1388/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      803/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1071/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1388/nginx: master  
tcp6       0      0 :::3306                 :::*                    LISTEN      1059/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      803/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1071/master

[root@localhost nginx-1.8.0]# vim /data/wwwroot/axin.com/1.txt   create a test file in the specified directory

[root@localhost nginx-1.8.0]# mv /data/wwwroot/axin.com/1.txt /data/wwwroot/axin.com/index.html   rename it to index.html

[root@localhost nginx-1.8.0]# vim /etc/hosts   edit hosts and add the axin.com entry

192.168.30.134 www.wangxin.com axin.com

[root@localhost nginx-1.8.0]# curl https://axin.com/   the test reports an error because this certificate is self-issued. In fact it has already succeeded

curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.


We can test it in a browser on Windows.

First add axin.com to the hosts file > check the firewall rules on Linux and, if there are any, flush them with -F > open https://axin.com in the browser, and the page in the image below appears:

(Image 2 from the original post: the browser's certificate warning page)

Click Advanced, then click Proceed, and it succeeds.

So when the certificate is not trusted by the browser, the warning above appears (if you need one, you can buy a certificate from WoSign).

Key point: when we visit a government website such as www.12306.com, adding https:// (https://www.12306.com) also shows the page above. This is because for a government website a certificate issued by someone else might be unsafe, so they use a self-issued one, and as a result the browser does not recognise it.

Reposted from: https://my.oschina.net/u/3866192/blog/3079173