
LNMP Architecture: Load Balancing and HTTPS Configuration

Contents:

Nginx load balancing
How SSL works
Generating an SSL key pair
Configuring SSL in Nginx

Nginx load balancing

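Load balancing is, in principle, just proxying, except that several proxied servers are configured so that the load from many users is spread across them. It also means that when one of the proxied servers becomes unreachable, requests can be switched to another one, so access is not interrupted.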

Below, load balancing is configured using qq.com as the example.

First, look up the domain name and its IP addresses with the dig command.

    # The dig command is provided by the bind-utils package
    [root@localhost ~]# yum install -y bind-utils
    [root@localhost ~]# dig qq.com

    ; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> qq.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65328
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;qq.com.                IN      A

    ;; ANSWER SECTION:
    qq.com.         404     IN      A       61.135.157.156
    qq.com.         404     IN      A       125.39.240.113

    ;; Query time: 40 msec
    ;; SERVER: 119.29.29.29#53(119.29.29.29)
    ;; WHEN: 四 1月 04 22:02:25 CST 2018
    ;; MSG SIZE  rcvd: 67

Configure the virtual host configuration file

    [root@localhost ~]# vim /usr/local/nginx/conf/vhost/load.conf
    # upstream lists the web servers that share the load
    upstream qq_com
    {
        # ip_hash keeps the same user on the same backend machine
        ip_hash;
        # IPs of the servers used for load balancing.
        # Entries are written as address:port with no scheme; the http://
        # scheme belongs in proxy_pass in the server block below.
        server 61.135.157.157:80;
        server 125.39.240.113:80;
    }
    server
    {
        listen 80;
        server_name www.qq.com;
        location /
        {
            # the upstream name (qq_com) is used here
            proxy_pass http://qq_com;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

Verifying the result

Before the configuration takes effect, a local request for www.qq.com returns the content of the default virtual host.

    [root@localhost ~]# curl -x127.0.0.1:80 www.qq.com
    this is default web server

After the service is reloaded, the request returns the source of the www.qq.com page.

    [root@localhost ~]# /usr/local/nginx/sbin/nginx -t
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    [root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
    [root@localhost ~]# curl -x127.0.0.1:80 www.qq.com
    <!DOCTYPE html>
    <html lang="zh-CN">
    <head>
    <meta content="text/html; charset=gb2312" http-equiv="Content-Type">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="baidu-site-verification" content="cNitg6enc2">
    <title><CC><DA>?<CA><D7>?</title>
    <script type="text/javascript">
    if(window.location.toString().indexOf('pref=padindex') != -1){
    }else{
        if(/AppleWebKit.*Mobile/i.test(navigator.userAgent) || /(Android.*Mobile.+).+Gecko.+Firefox/i.test(navigator.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE/.test(navigator.userAgent))){
            if(window.location.href.indexOf("?mobile")<0){
                try{
                    if(/Android|Windows Phone|webOS|iPhone|iPod|BlackBerry/i.test(navigator.userAgent)){
                        window.location.href="http://xw.qq.com/index.htm";
                    }else if(/iPad/i.test(navigator.userAgent)){
                        //window.location.href="http://www.qq.com/pad/"
                    }else{
    ...

nginx does not support proxying HTTPS, i.e. port 443 cannot be used in the server statements.


How SSL works

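1. The client sends an HTTPS request to the server.
2. The server holds a digital certificate, which is in essence a public/private key pair. The certificate can be self-made or requested from an organization (a certificate authority). With the former, the client has to confirm a verification prompt before it can continue; with the latter, no prompt appears.
3. The server sends the public key to the client.
4. The client checks whether the public key is valid. If it is not (self-made), a warning pops up; if it is, the client generates a random string and encrypts that random string with the public key.
5. The client sends the encrypted string to the server.
6. The server receives the string, decrypts it with its private key to obtain the random string, and uses that random string to encrypt the data it transmits (symmetric encryption).
7. The server sends the encrypted data to the client.
8. The client receives the data and decrypts it with its own private key (that is, the random string).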

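Symmetric encryption: the data and the private key (the random string) are mixed together by some algorithm; without knowing the private key, the data cannot be decrypted.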
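The exchange listed above, reproduced with the openssl command line as an added example (not part of the original article). File names are constructed for the demo, and OpenSSL 1.1.1 or later is assumed for enc -pbkdf2.

```bash
# Added illustration, not from the original article. File names are
# constructed for the demo; assumes OpenSSL 1.1.1+ (for enc -pbkdf2).

rsa_key_exchange_demo() (
    set -e
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT

    # Server side: RSA key pair. The certificate carries the public half.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl rsa -in "$dir/server.key" -pubout -out "$dir/server.pub" 2>/dev/null

    # Client: generate a random secret and encrypt it with the PUBLIC key.
    openssl rand -hex 32 > "$dir/client.secret"
    openssl pkeyutl -encrypt -pubin -inkey "$dir/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/client.secret" -out "$dir/secret.enc"

    # Server: only the PRIVATE key can recover the secret.
    openssl pkeyutl -decrypt -inkey "$dir/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$dir/secret.enc" -out "$dir/server.secret"

    # Server -> client: payload encrypted symmetrically under the secret.
    printf '%s' "ssl test page." | openssl enc -aes-256-cbc -pbkdf2 \
        -pass "file:$dir/server.secret" -out "$dir/data.enc"

    # Client: decrypts with its own copy of the same secret.
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -pass "file:$dir/client.secret" -in "$dir/data.enc"
)

rsa_key_exchange_demo && echo
```

The function prints the decrypted payload, which is only possible because both sides ended up holding the same secret.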


Generating an SSL key pair

Create the private key

    [root@localhost ~]# cd /usr/local/nginx/conf
    # Create the private key file; a passphrase must be entered, otherwise the key file cannot be generated
    [root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048
    Generating RSA private key, 2048 bit long modulus
    ..............................+++
    ...............................................................+++
    e is 65537 (0x10001)
    Enter pass phrase for tmp.key:
    Verifying - Enter pass phrase for tmp.key:

Convert the key to remove the passphrase

    [root@localhost conf]# openssl rsa -in tmp.key -out test.key
    Enter pass phrase for tmp.key:
    writing RSA key
    [root@localhost conf]# rm -f tmp.key

Generate the certificate

    [root@localhost conf]# openssl req -new -key test.key -out test.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:ZheJiang
    Locality Name (eg, city) [Default City]:QuZhou
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    # The .crt file is generated from the csr file together with the private key
    [root@localhost conf]# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
    Signature ok
    subject=/C=CN/ST=ZheJiang/L=QuZhou/O=Default Company Ltd
    Getting Private key
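The same three files can be produced without prompts and then checked before nginx is pointed at them. This is an added example, not part of the original article: the test.key/test.csr/test.crt names follow the article, while the function names and the scratch directory are assumptions.

```bash
# Added example, not from the original article. The test.key/test.csr/
# test.crt names follow the article; the function names are assumptions.

# make_selfsigned DIR CN: key, CSR and 365-day self-signed certificate,
# created without prompts and without an intermediate encrypted key.
make_selfsigned() (
    set -e
    umask 077    # private key must not be readable by group/others
    openssl genrsa -out "$1/test.key" 2048 2>/dev/null
    openssl req -new -key "$1/test.key" -subj "/C=CN/CN=$2" -out "$1/test.csr"
    openssl x509 -req -days 365 -in "$1/test.csr" \
        -signkey "$1/test.key" -out "$1/test.crt" 2>/dev/null
)

# key_matches_cert KEY CRT: 0 if they belong together and the key file is
# private, 1 on public-key mismatch or unreadable input, 2 if the key file
# is accessible to group or others.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] || return 1
    case "$(ls -l "$1")" in
        -???------*) return 0 ;;   # no group/other permission bits set
        *) return 2 ;;
    esac
}

# Demo run in a scratch directory (constructed, removed afterwards).
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" test.com &&
    key_matches_cert "$demo_dir/test.key" "$demo_dir/test.crt" &&
    echo "test.key matches test.crt"
rm -rf "$demo_dir"
```

Unlike the interactive run above, this sets the Common Name to the server name, which is the field clients compare against the host they connect to when no subjectAltName is present.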


Configuring SSL in Nginx

Create a new virtual host configuration file

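    [root@localhost conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
    server
    {
        listen 443;
        server_name test.com;
        index index.html index.php;
        root /data/www/test.com;
        ssl on;
        # relative paths are resolved against the nginx conf directory
        ssl_certificate test.crt;
        ssl_certificate_key test.key;
        # protocol names must be written exactly (TLSv1.1, not TLS1.1);
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so list only
        # TLSv1.2 when all clients support it
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }

Create the corresponding directory and file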

    [root@localhost conf]# mkdir -p /data/www/test.com
    [root@localhost conf]# vim /data/www/test.com/index.php
    ssl test page.

Restart the service

    /usr/local/nginx/sbin/nginx -t
    /usr/local/nginx/sbin/nginx -s reload

Error during configuration: unknown directive "ssl"

This is because the http_ssl_module module was not compiled into nginx when it was first built; nginx has to be recompiled and reinstalled.

    [root@localhost conf]# cd /usr/local/src/nginx-1.12.2/
    [root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
    [root@localhost nginx-1.12.2]# make && make install


Recompiling causes the previously configured virtual host configuration files to be lost, so it is best to back up the nginx virtual host files you need before recompiling.


Check the result after the build completes

    [root@localhost conf]# /usr/local/nginx/sbin/nginx -V
    nginx version: nginx/1.12.2
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/usr/local/nginx/ --with-http_ssl_module

Restart the nginx service

    # After recompiling, nginx must be restarted with the /etc/init.d/nginx script
    [root@localhost conf]# /etc/init.d/nginx restart
    Restarting nginx (via systemctl):                          [  確定  ]

    # Check whether port 443 is open
    [root@localhost conf]# netstat -lntp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address    Foreign Address    State     PID/Program name
    tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN    1354/sshd
    tcp        0      0 127.0.0.1:25     0.0.0.0:*          LISTEN    2116/master
    tcp        0      0 0.0.0.0:443      0.0.0.0:*          LISTEN    4953/nginx: master
    tcp6       0      0 :::3306          :::*               LISTEN    2156/mysqld
    tcp6       0      0 :::22            :::*               LISTEN    1354/sshd
    tcp6       0      0 ::1:25           :::*               LISTEN    2116/master

Verifying the result

Verification with curl

    # To avoid specifying the IP with -x, add the following line to /etc/hosts
    [root@localhost conf]# vim /etc/hosts
    127.0.0.1 test.com

    # Test with curl
    [root@localhost conf]# curl https://test.com
    curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.

Verification in a browser

Likewise, edit the hosts file on the client and add the following line:

    192.168.65.133 test.com

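Also check that the firewall on the server allows port 443. Here, for testing convenience, the iptables rules were simply flushed; on a host that relies on its firewall, allow TCP port 443 instead of flushing the rules.

    [root@localhost conf]# iptables -F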
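The ssl_protocols directive in ssl.conf accepts only exact keywords such as TLSv1.2, and several of the accepted ones are deprecated. The following check for vhost files is an added example, not part of the original article; the sample ssl.conf inside it is constructed and audit_ssl_protocols is a hypothetical helper name.

```bash
# Added example, not from the original article. The sample vhost is
# constructed; audit_ssl_protocols is a hypothetical helper name.

# audit_ssl_protocols FILE...: one "file:line: LEVEL value" line per
# ssl_protocols value that is deprecated or not an nginx keyword.
# Exit status is 1 if anything was reported.
audit_ssl_protocols() {
    awk '
    { line = $0; sub(/#.*/, "", line) }            # ignore comments
    line ~ /^[ \t]*ssl_protocols[ \t]/ {
        gsub(/;/, "", line)
        n = split(line, tok, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t == "" || t == "ssl_protocols") continue
            # TLSv1.3 additionally needs nginx 1.13.0+ and OpenSSL 1.1.1+
            if (t == "TLSv1.2" || t == "TLSv1.3") continue
            if (t ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) level = "DEPRECATED"
            else level = "INVALID"
            printf "%s:%d: %s %s\n", FILENAME, FNR, level, t
            bad = 1
        }
    }
    END { exit bad }
    ' "$@"
}

# Runs the audit over a constructed ssl.conf in a scratch directory.
audit_demo() (
    dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT && cd "$dir" || exit 2
    cat > ssl.conf <<'EOF'
server {
    listen 443;
    server_name test.com;
    # ssl_protocols SSLv3;
    ssl_protocols TLSv1 TLS1.1 TLS1.2;
}
server {
    listen 8443;
    ssl_protocols TLSv1.2;
}
EOF
    audit_ssl_protocols ssl.conf
)

audit_demo || echo "ssl_protocols needs attention"
```

nginx -t already rejects the INVALID values; the DEPRECATED ones pass the syntax test, which is why a separate check is useful.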

