Nginx load balancing means that when the proxy server maps a custom domain name to several specified IPs, the upstream module ensures users can reach each of those IPs through the proxy (reverse-proxying multiple servers is load balancing).
[root@host ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream qq
# custom name for the backend group; proxy_pass below refers to it
{
ip_hash;
# keeps the same user on the same backend machine
# and, when the domain points to several IPs, makes each user always land on the same IP
server 61.135.157.156:80;
server 125.39.240.113:80;
# IPs of the web servers
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Before proxying:
[root@host ~]# curl -x127.0.0.1:80 www.qq.com
This is the default directory.
# Without the proxy, the request is served by the default virtual host.
After proxying:
[root@host ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@host ~]# /usr/local/nginx/sbin/nginx -s reload
[root@host ~]# curl -x127.0.0.1:80 www.qq.com
……
# With the proxy in place, the response is the page served by the IPs the proxy points to.
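To make the ip_hash comment above concrete, here is an added example (my own script, not part of the original post) that models how the directive picks a backend for a client. The hashing details it uses (start value 89, multiplier 113, modulus 6271, and only the first three octets of an IPv4 address being hashed) follow my reading of nginx's ngx_http_upstream_ip_hash_module and are an assumption about that source, not something the post states; all backends are taken to have weight 1.

```shell
#!/bin/sh
# Added example, not from the original post: a small model of how the ip_hash
# directive chooses a backend. Constants and the "first three octets only"
# rule are my reading of nginx's ip_hash module (assumption); equal weights.

# ip_hash_pick CLIENT_IP BACKEND... -> prints the backend the client sticks to
ip_hash_pick() {
    client="$1"; shift
    n=$#
    # Split off the first three octets; the fourth is ignored, so every host
    # in the same /24 (e.g. one office NAT range) lands on the same backend.
    o1=${client%%.*}; rest=${client#*.}
    o2=${rest%%.*};   rest=${rest#*.}
    o3=${rest%%.*}
    h=89
    for o in "$o1" "$o2" "$o3"; do
        h=$(( (h * 113 + o) % 6271 ))
    done
    idx=$(( h % n ))
    # Walk the backend list to the idx-th entry (0-based) and print it.
    i=0
    for b in "$@"; do
        if [ "$i" -eq "$idx" ]; then
            printf '%s\n' "$b"
            return 0
        fi
        i=$((i + 1))
    done
}

# Demo with the two backends from the upstream block above: two clients in the
# same /24 get the same backend, a client from another network may not.
for c in 192.168.1.10 192.168.1.200 10.0.0.5; do
    printf '%s -> %s\n' "$c" "$(ip_hash_pick "$c" 61.135.157.156:80 125.39.240.113:80)"
done
```

Two things the model makes visible that the one-line comment does not: stickiness is per /24, not per client, so a whole office behind one NAT range shares a backend; and because the choice is a pure function of the client address and the backend list, adding or removing a server reshuffles many clients. The real module additionally skips backends marked down or failed and continues hashing to find another one, which this model leaves out.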
dig is a commonly used DNS lookup tool that can list all the IPs a domain name resolves to.
If the command is not installed on the server:
[root@host ~]# yum install -y bind-utils
Resolve all IPs of the qq site:
[root@host ~]# dig www.qq.com
;; ANSWER SECTION:
www.qq.com. 138 IN A 61.135.157.156
www.qq.com. 138 IN A 125.39.240.113
;; Query time: 12 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 二 9月 12 22:44:23 CST 2017
;; MSG SIZE rcvd: 61
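The dig run above is where the two server lines in the upstream block came from. As an added example (my script, not from the post), the following pulls the A records out of dig output and writes the upstream block from them; the sample text is constructed from the post's own answer section so the script runs offline, and against a live resolver you would pipe `dig www.qq.com` into it instead.

```shell
#!/bin/sh
# Added example, not from the original post: extract A records from dig output
# and turn them into the nginx upstream block used earlier.

# Constructed sample: the ANSWER SECTION from the post's dig run.
DIG_SAMPLE=';; ANSWER SECTION:
www.qq.com. 138 IN A 61.135.157.156
www.qq.com. 138 IN A 125.39.240.113
;; Query time: 12 msec'

# a_records: read dig output on stdin, print the IPv4 address of every A record
# (comment lines start with ";"; CNAME/AAAA answers have a different type field)
a_records() {
    awk '$1 !~ /^;/ && $4 == "A" { print $5 }'
}

# upstream_block NAME PORT: read dig output on stdin, print an nginx upstream
# block with one server line per address and sticky sessions via ip_hash
upstream_block() {
    name="$1"; port="$2"
    printf 'upstream %s {\n    ip_hash;\n' "$name"
    a_records | while read -r ip; do
        printf '    server %s:%s;\n' "$ip" "$port"
    done
    printf '}\n'
}

printf '%s\n' "$DIG_SAMPLE" | upstream_block qq 80
```

`dig +short www.qq.com A` prints only the addresses and is simpler when you do not need the rest of the answer. Note the TTL of 138 seconds in the answer: the addresses a public site returns change, so a hard-coded upstream list like this one goes stale and needs regenerating, and a backend that disappears from DNS will keep receiving proxied traffic until the config is updated.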
The SSL (Secure Sockets Layer) protocol and its successor TLS (Transport Layer Security) are security protocols that provide confidentiality and data integrity for network communications.
An SSL certificate is essentially a public/private key pair.
If the tool is not present on the virtual machine, install it manually:
[root@host ~]# yum install -y openssl
[root@host ~]# cd /usr/local/nginx/conf/
[root@host conf]# openssl genrsa -des3 -out tmp.key 2048 // generate the SSL private key
Generating RSA private key, 2048 bit long modulus
....................................................................................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key: // the key has to be given a passphrase here; we usually do not want one, so the key is converted below to drop it
[root@host conf]# openssl rsa -in tmp.key -out host.key // convert the key: tmp.key becomes host.key, which has no passphrase
Enter pass phrase for tmp.key:
writing RSA key
[root@host conf]# rm -f tmp.key // delete tmp.key
[root@host conf]# openssl req -new -key host.key -out host.csr // generate the certificate signing request ourselves; the private key is needed to produce the certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:BeiJing
Organizational Unit Name (eg, section) []:BeiJing
Common Name (eg, your name or your server's hostname) []:host
Email Address []:zhouqunic@qq.com
# The above is the certificate's subject information. Because the certificate is self-issued you can fill in anything or just press Enter to skip; for a real site, fill it in properly.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
[root@host conf]# openssl x509 -req -days 365 -in host.csr -signkey host.key -out host.crt // host.crt here is the public certificate
Signature ok
subject=/C=11/ST=BeiJing/L=BeiJing/O=BeiJing/OU=BeiJing/CN=host/emailAddress=zhouqunic@qq.com
Getting Private key
[root@host conf]# cd vhost/
[root@host vhost]# vim ssl.conf
server
{
listen 443;
server_name zhouqun.com;
index index.html index.php;
root /data/wwwroot/zhouqun.com;
ssl on; # enable ssl
ssl_certificate host.crt; # public certificate
ssl_certificate_key host.key; # private key
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # allowed protocol versions
}
[root@host vhost]# mkdir /data/wwwroot/zhouqun.com
[root@host conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7 // error: this nginx build does not include the ssl module
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@host conf]# cd /usr/local/src/nginx-1.12.1/
[root@host nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@host conf]# make
[root@host conf]# make install
[root@host nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@host nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ OK ]
[root@host nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5991/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1735/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2040/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 5991/nginx: master
tcp6 0 0 :::3306 :::* LISTEN 1990/mysqld
tcp6 0 0 :::22 :::* LISTEN 1735/sshd
tcp6 0 0 ::1:25 :::* LISTEN 2040/master
nginx is now listening on ports 80 and 443.
[root@host nginx-1.12.1]# cd /data/wwwroot/zhouqun.com/
[root@host adai.com]# vim index.html
This is ssl.
[root@host adai.com]# vim /etc/hosts
127.0.0.1 zhouqun.com
[root@host vhost]# curl https://zhouqun.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Because this certificate was created by us and is not issued by a CA that clients trust, curl cannot validate it; with a properly issued certificate the problem goes away.
So, to test from a browser, you need to edit the Windows hosts file beforehand, otherwise you will get a certificate error.
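The following added example (my script, not from the post) ties the two halves of the SSL section together: it repeats the post's key / CSR / self-signed certificate steps non-interactively, runs the checks worth doing before pointing ssl_certificate and ssl_certificate_key at the files, and shows the trust check that lets curl accept a self-signed certificate by naming it explicitly rather than turning verification off with -k. The file names follow the post; the work directory, subject fields and hostname are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive version of the
# post's openssl steps plus the checks I run before handing the files to nginx.
set -eu

# make_selfsigned DIR HOSTNAME: writes DIR/host.key, DIR/host.csr, DIR/host.crt
make_selfsigned() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # RSA key without a passphrase: this replaces the post's "genrsa -des3"
    # followed by "openssl rsa" to strip the passphrase again.
    openssl genrsa -out "$dir/host.key" 2048 2>/dev/null
    # CSR with the subject given on the command line instead of at the prompts;
    # CN must be the name clients will use to connect (assumed values below).
    openssl req -new -key "$dir/host.key" -out "$dir/host.csr" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=Example/CN=$cn"
    # Self-sign the CSR for 365 days, exactly as the post does.
    openssl x509 -req -days 365 -in "$dir/host.csr" -signkey "$dir/host.key" \
        -out "$dir/host.crt" 2>/dev/null
    chmod 600 "$dir/host.key"    # the private key must not be world-readable
}

# key_matches_cert DIR: succeeds only if host.crt carries the public key that
# belongs to host.key; a mismatched pair makes nginx refuse to start
key_matches_cert() {
    dir="$1"
    k=$(openssl rsa -in "$dir/host.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$dir/host.crt" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_cn DIR: prints the CN from the certificate subject
cert_cn() {
    openssl x509 -in "$1/host.crt" -noout -subject -nameopt sep_multiline |
        sed -n 's/^ *CN=//p'
}

# cert_trusted_by DIR: succeeds if host.crt validates with itself as the only
# trust anchor. This is exactly what "curl --cacert DIR/host.crt https://HOST/"
# relies on, so curl's (60) error goes away without disabling verification.
cert_trusted_by() {
    openssl verify -CAfile "$1/host.crt" "$1/host.crt" >/dev/null 2>&1
}

# Demo: build a certificate for zhouqun.com in a temp dir and run the checks
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_selfsigned "$work" zhouqun.com
    key_matches_cert "$work" && echo "key and certificate match"
    echo "CN: $(cert_cn "$work")"
    cert_trusted_by "$work" && echo "verifies with --cacert $work/host.crt"
fi
```

Passing the certificate with `--cacert` keeps hostname and validity checks active, so a test with it tells you the server is really presenting the certificate you generated, which `-k` cannot. One caveat for browser tests: this certificate, like the post's, has only a CN and no subjectAltName, and current browsers require the hostname to appear in a subjectAltName, so a browser may still warn even after the hosts file points zhouqun.com at the server and the certificate is imported as trusted.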