11月29日任务

12.17 Nginx负载均衡

12.18 ssl原理

12.19 生成ssl密钥对

12.20 Nginx配置ssl

 

Nginx负载均衡

负载均衡原理上就是代理，只不过通过设置多个代理服务器来实现多用户访问时的负载均衡。同时也可以在某个代理服务器无法访问时，切换到另外的代理服务器，从而实现访问不间断的目的。

下面以qq.com为例，配置负载均衡

1. 先通过dig命令查看域名及其ip

# dig命令由bind-utils包安装[root@localhost ~]# yum install -y bind-utils[root@localhost ~]# dig qq.com; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> qq.com;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65328;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;; QUESTION SECTION:;qq.com.				IN	A;; ANSWER SECTION:qq.com.			404	IN	A	61.135.157.156qq.com.			404	IN	A	125.39.240.113;; Query time: 40 msec;; SERVER: 119.29.29.29#53(119.29.29.29);; WHEN: 四 1月 04 22:02:25 CST 2018;; MSG SIZE  rcvd: 67

1. 配置虚拟主机配置文件

[root@localhost ~]# mv /usr/local/nginx/conf/vhost/load.conf# 通过upstream来指定多个web服务器upstream qq_com{    # ip_hash的目的是让同一个用户始终保持在同一个机器上    ip_hash;        # 这里是负载均衡时使用的多个server的ip    # server http://61.135.157.157:80;    # 上述表示也行，对应的server块内的proxy_pass内直接写qq_com即可，不需要写http://    server 61.135.157.157:80;    server 125.39.240.113:80;}server{    listen 80;    server_name www.qq.com;    location /    {        # 这里使用的是upstream名即qq_com        proxy_pass http://qq_com;        proxy_set_header Host               $host;        proxy_set_header X_Real_IP          $remote_addr;        proxy_set_header X-Forwarded_For    $proxy_add_x_forwarded_for;    }}

验证效果

配置未生效时，本地访问www.qq.com，得到的将是默认主机的内容

[root@localhost ~]# curl -x127.0.0.1:80 www.qq.comthis is default web server

重启服务后，获取到了www.qq.com网页的源码

[root@localhost ~]# /usr/local/nginx/sbin/nginx -tnginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is oknginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload[root@localhost ~]# curl -x127.0.0.1:80 www.qq.com
    
    
    

nginx不支持代理https，即server语句内的端口无法使用443。

---

ssl原理

1. 客户端向服务器发送https请求；
2. 服务器上存储了一套数字证书，其实质为一对公私钥。数字证书可以自己制作，也可以向组织申请。前者在客户端访问时需要验证才能继续访问；后者不会弹出验证提示；
3. 服务器将公钥传输给客户端；
4. 客户端验证公钥是否合法：无效（自己制作的）会弹出警告，有效的则生成一串随机数，用此随机数加密公钥；
5. 客户端将加密后的字符串传输给服务器
6. 服务器收到字符串后，先使用私钥进行解密，获取加密使用的随机数，并以此随机数加密传输的数据（对称机密）；
7. 服务器将加密后的数据传输给客户端；
8. 客户端收到数据后，使用自己的私钥（即随机字符串）进行解密。

对称加密：将数据和私钥（随机字符串）通过某种算法混合在一起，除非知道私钥，否则无法解密。

---

生成SSL密钥对

• 创建私钥key

[root@localhost ~]# cd /usr/local/nginx/conf# 创建私钥key文件，必须输入密码，否则无法生成key文件[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048Generating RSA private key, 2048 bit long modulus..............................+++...............................................................+++e is 65537 (0x10001)Enter pass phrase for tmp.key:Verifying - Enter pass phrase for tmp.key:

• 转换key，取消密码

[root@localhost conf]# openssl rsa -in tmp.key -out test.keyEnter pass phrase for tmp.key:writing RSA key[root@localhost conf]# rm -f tmp.key

• 生成证书

[root@localhost conf]# openssl req -new -key test.key -out test.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CN    State or Province Name (full name) []:ZheJiangLocality Name (eg, city) [Default City]:QuZhouOrganization Name (eg, company) [Default Company Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:# 需要使用csr文件与私钥一起生成.crt文件[root@localhost conf]# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crtSignature oksubject=/C=CN/ST=ZheJiang/L=QuZhou/O=Default Company LtdGetting Private key

---

Nginx配置SSL

• 创建新虚拟主机配置文件

[root@localhost conf]#vim /usr/local/nginx/conf/vhost/ssl.confserver{    listen 443;    server_name test.com;    index index.html index.php;    root /data/www/test.com;    ssl on;    ssl_certificate test.crt;    ssl_certificate_key test.key;    ssl_protocols TLSv1 TLS1.1 TLS1.2；}

• 创建对应目录及文件

[root@localhost conf]# mkdir -p /data/www/test.com[root@localhost conf]# vim /data/www/test.com/index.phpssl test page.

• 重启服务

/usr/local/nginx/sbin/nginx -t/usr/local/nginx/sbin/nginx -s reload

设置时报错 -- unknown directive “ssl”

这时由于一开始编译时未将http_ssl_module模块编译进nginx，需要重新编译安装

[root@localhost conf]# cd /usr/local/src/nginx-1.12.2/[root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module[root@localhost nginx-1.12.2]# make && make install

---

重新编译后将导致之前配置的虚拟主机配置文件丢失，最后在重新编译前对有用的nginx虚拟主机文件进行备份

---

• 编译完成后查看

[root@localhost conf]# /usr/local/nginx/sbin/nginx -Vnginx version: nginx/1.12.2built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) built with OpenSSL 1.0.2k-fips  ...TLS SNI support enabledconfigure arguments: --prefix=/usr/local/nginx/ --with-http_ssl_module

• 重启nginx服务

# 重新编译后的nginx必须使用/etc/init.d/nginx脚本进行重启[root@localhost conf]# /etc/init.d/nginx restartRestarting nginx (via systemctl):                          [  确定  ]# 查看443端口是否开放[root@localhost conf]# netstat -lntpActive Internet connections (only servers)Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1354/sshd           tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2116/master         tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4953/nginx: master  tcp6       0      0 :::3306                 :::*                    LISTEN      2156/mysqld         tcp6       0      0 :::22                   :::*                    LISTEN      1354/sshd           tcp6       0      0 ::1:25                  :::*                    LISTEN      2116/master

• 效果验证

1. curl验证

# 如果不想使用-x指定ip，可以在/etc/hosts内添加如下代码[root@localhost conf]# vim /etc/hosts127.0.0.1 test.com# curl测试[root@localhost conf]# curl https://test.comcurl: (60) Peer's certificate issuer has been marked as not trusted by the user.More details here: http://curl.haxx.se/docs/sslcerts.htmlcurl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

1. 浏览器验证 同样的要修改客户端上的hosts文件，添加一行代码如下：

192.168.65.133 test.com

同时要检查服务器端的防火墙是否开放443端口，这里为了测试方便，直接清空了iptables规则表

[root@localhost conf]# iptables -F

在浏览器内输入https://test.com，测试效果如下：

点击“仍要继续”，页面内容显示如下：

网页说明描述，证书不合法