Nginx Encryption and Reverse Proxying

I. HTTPS encryption algorithms

HTTP transmits everything in plaintext, so information such as usernames and passwords sent over it is not secure. HTTPS adds the SSL layer to the original HTTP protocol and encrypts the data in transit. At the core of HTTPS encryption are the keys.

  • Types of keys (encryption algorithms):
    1. Symmetric algorithms (the same key encrypts and decrypts): AES, DES (suited to encryption on a single host)
    2. Asymmetric algorithms (public key and private key): RSA, DSA
    3. Message digests: md5, sha256, sha512 (data integrity checking)
    Websites today mainly use asymmetric encryption algorithms.

  • Steps to implement HTTPS encryption
    1. Generate the certificate and private key (i.e. the public/private key pair)

     cd /home/application/nginx/conf  # must be run from the conf directory: nginx resolves relative certificate paths against it
     openssl genrsa >my.key  # generate the private key
     openssl req -new -x509 -key my.key -out my.crt  # generate the matching self-signed certificate from the private key; apart from my.crt nothing else may be changed, and my.key must be the private-key file name used above
    # openssl req -new -x509 -key my.key -out my.crt
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN  # country code, must be exactly two characters
    State or Province Name (full name) []:GX  # province, any value
    Locality Name (eg, city) [Default City]:dd  # city, any value
    Organization Name (eg, company) [Default Company Ltd]:kk  # company name, any value
    Organizational Unit Name (eg, section) []:ll  # department, any value
    Common Name (eg, your name or your server's hostname) []:vv  # server host name, any value
    Email Address []:fgf  # e-mail address, any value
    

2. Edit nginx.conf to enable HTTPS for the site

   vim /home/application/nginx/conf/nginx.conf

worker_processes  1;
error_log logs/error.log error;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    client_header_buffer_size 512k;
    large_client_header_buffers 4 512k;
    #nginx vhosts config
    include extra/www.conf;
    include extra/bbs.conf;
    include extra/blog.conf;
    include extra/status.conf;
    include extra/secret.conf;  # add the config file for the HTTPS virtual host
}

Configure extra/secret.conf

 vim /home/application/nginx/conf/extra/secret.conf

#https server
server {
    listen       443 ssl;
    server_name  secret.ceishi.com;

    ssl_certificate      my.crt;  # certificate (public key), path relative to the conf directory
    ssl_certificate_key  my.key;  # private key

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html/secret;
        index  index.html index.htm;
    }
}

mkdir /home/application/nginx/html/secret
echo "jiami.ceishi.com" >/home/application/nginx/html/secret/index.html
/home/application/nginx/sbin/nginx -t         # check the configuration
/home/application/nginx/sbin/nginx -s reload  # reload
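The key and certificate step above done non-interactively, as an added example that is not from the original post: the same DN fields are answered with -subj, the key is written with restrictive permissions, and a check confirms that the certificate really belongs to the key. It assumes the openssl CLI; the target directory and the CN (here the server_name secret.ceishi.com, which is what the Common Name should match) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.

# gen_selfsigned DIR CN [DAYS]: write DIR/my.key and DIR/my.crt without prompts.
gen_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    # 2048-bit RSA key, readable by its owner only (nginx reads it as root before dropping privileges)
    (umask 077 && openssl genrsa -out "$dir/my.key" 2048 2>/dev/null)
    # the same DN fields the interactive prompts ask for, given on the command line
    openssl req -new -x509 -sha256 -key "$dir/my.key" -out "$dir/my.crt" -days "$days" \
        -subj "/C=CN/ST=GX/L=dd/O=kk/OU=ll/CN=$cn" 2>/dev/null
}

# cert_matches_key DIR: exit 0 only if the public key inside my.crt equals the one derived from my.key.
# A mismatched pair is the usual cause of "SSL_CTX_use_PrivateKey_file" errors at nginx -t time.
cert_matches_key() {
    k=$(openssl pkey -in "$1/my.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$1/my.crt" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn DIR: print the Common Name of my.crt (works for both "CN=x" and "CN = x" subject formats)
cert_cn() {
    openssl x509 -in "$1/my.crt" -noout -subject | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
}

# usage: gen_selfsigned /home/application/nginx/conf secret.ceishi.com 365 && cert_matches_key /home/application/nginx/conf
```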

II. Nginx as a proxy server

Nginx can act both as a web server and as a reverse proxy server. As a reverse proxy it provides high availability for the web service with no single point of failure, load balancing, and a highly available cluster.

  • Environment
    Two web servers with identical content (Apache installed),
    addresses: 192.168.31.38 and 192.168.31.134;
    one nginx scheduler,
    address: 192.168.31.230.

  • Configure name-based virtual hosts
    Install Apache:

    yum install httpd -y
    Disable the default host:
    vim /etc/httpd/conf/httpd.conf
    Comment out the following line:
    #DocumentRoot "/var/www/html"
    Add the name-based virtual host configuration:
    cd /etc/httpd/conf.d/
    vim virtualhost.conf  # add the following
    NameVirtualHost *:80
    <VirtualHost *:80>
        DocumentRoot "/var/www/html/bbs"
        ServerName    blog.ceishi.com
    </VirtualHost>

    In older versions commenting out DocumentRoot alone was not enough: you also had to state in the configuration file on which address and port name-based virtual hosts are enabled, for example by adding a line such as NameVirtualHost 192.168.100.24:80. httpd 2.4.x no longer needs this line.

    mkdir /var/www/html/bbs
    cd /var/www/html/bbs
    echo "blog.3138.com">index.html
    #vim /etc/hosts
    192.168.31.38 linux7.6 blog.ceishi.com
    #curl -L  blog.ceishi.com            # test
    blog.3138.com
    
  • Configure the nginx proxy server

    worker_processes  1;
    error_log logs/error.log error;
    events {
        worker_connections  1024;
    }
    http {
        include       mime.types;
        default_type  application/octet-stream;
        sendfile        on;
        keepalive_timeout  65;
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
        upstream bbs-server-pools {  # the upstream block goes inside http, outside any server block
            # note: the upstream name must not contain underscores (e.g. bbs_server_pools), otherwise
            # the backend returns a 400 error (nginx sends the upstream name as the Host header by
            # default, and Apache rejects a Host header that contains an underscore)
            server 192.168.31.38:80;   # web server addresses
            server 192.168.31.134:80;
        }
        #nginx vhosts config
        include extra/www.conf;
        include extra/bbs.conf;
        include extra/blog.conf;
        include extra/status.conf;
    }
    

    Modify the server block configuration

        #vim  nginx/conf/extra/bbs.conf
        server {
            listen       80;
            server_name  bbs.ceishi.com;
            location / {
                # root   html/bbs;
                # index  index.html index.htm;
                proxy_pass http://bbs-server-pools;  # hand the request to the bbs-server-pools upstream
            }
        }
    
  • Client test
    Client IP: 192.168.31.128

    vim /etc/hosts
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.31.230 bbs.ceishi.com  # this is the address of the nginx proxy
    #curl bbs.ceishi.com
    31.134bbs.com
    #curl bbs.ceishi.com
    bbs.31.128.com
    for i in $(seq 10); do curl bbs.ceishi.com; sleep 1; done  # repeated requests alternate between the two backends (round robin)
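An added example for the proxy setup above, not part of the original post: it writes a bbs.conf (with its upstream) that also forwards the client's Host header and address to the backends, so the backend no longer sees the upstream name as Host, and it lints an nginx config for upstream names that are not valid host names, the underscore pitfall noted in the upstream block. The output path and the config contents are constructed for the demo; the backend vhost must accept the forwarded name (or its first vhost serves it).

```shell
#!/bin/sh
# Added example, not from the original post. Paths and config are constructed.

# write_bbs_conf OUT: a bbs.conf plus upstream that passes the client's Host header
# and address through to the backends and fails over between them.
write_bbs_conf() {
    cat >"$1" <<'EOF'
upstream bbs-server-pools {            # hyphens, never underscores (see the lint below)
    server 192.168.31.38:80  max_fails=2 fail_timeout=10s;
    server 192.168.31.134:80 max_fails=2 fail_timeout=10s;
}
server {
    listen       80;
    server_name  bbs.ceishi.com;
    location / {
        proxy_pass http://bbs-server-pools;
        # forward the client's Host so the backend vhost sees bbs.ceishi.com, not the upstream name
        proxy_set_header Host            $host;
        # give the backend the real client address (it otherwise logs only the proxy's IP)
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # retry the other backend when one is down or times out
        proxy_next_upstream error timeout;
    }
}
EOF
}

# bad_upstream_names CONF: print every upstream name that is not a valid host name
# (RFC 1123: letters, digits and hyphens). nginx sends the upstream name as the Host
# header unless proxy_set_header overrides it, and Apache answers 400 to a Host header
# containing an underscore, which is the error the post warns about.
# Exit status is 0 when at least one bad name was printed, 1 when all names are valid.
bad_upstream_names() {
    sed -n 's/^[[:space:]]*upstream[[:space:]]\{1,\}\([^[:space:]{]*\).*/\1/p' "$1" |
        grep -vE '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# usage: write_bbs_conf /tmp/bbs.conf; bad_upstream_names /tmp/bbs.conf || echo "upstream names ok"
```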
    
