Nginx load balancing and SSL configuration

Nginx load balancing


1. Use the dig command to resolve the IP addresses

[root@weixing01 ~]# dig qq.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57508
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                IN  A

;; ANSWER SECTION:
qq.com.         87  IN  A   61.135.157.156
qq.com.         87  IN  A   125.39.240.113

;; Query time: 9 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 五 3月 16 22:04:01 CST 2018
;; MSG SIZE  rcvd: 67

2. Create the configuration file:

[root@weixing01 ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream qq_com
{
    ip_hash;
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass      http://qq_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

3. Test:
Test before reloading (the new vhost is not active yet, so the default site answers):

[root@weixing01 ~]# curl -x127.0.0.1:80 www.qq.com
This is the default site 

Reload and test again:

[root@weixing01 ~]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@weixing01 ~]# /usr/local/nginx/sbin/nginx -s reload

Success.
Note: Nginx cannot proxy HTTPS here.
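As an added example (not part of the original post), the script below automates steps 1 and 2 above: it extracts the A records from a dig answer section, keeps only well-formed IPv4 addresses, and renders the upstream block. The answer lines are constructed from the two records resolved above plus an AAAA record and a malformed A record; the function names (`validate_ipv4`, `extract_a_records`, `render_upstream`, `count_servers`) are mine.

```shell
#!/bin/sh
# Added example, not from the original post: build the upstream block from
# dig output, accepting only well-formed IPv4 addresses.

# Constructed sample answer section: the two records resolved above, an AAAA
# record (not usable in an IPv4 server line) and a malformed A record.
SAMPLE_DIG_ANSWER='qq.com.         87  IN  A   61.135.157.156
qq.com.         87  IN  A   125.39.240.113
qq.com.         87  IN  AAAA  2001:db8::1
qq.com.         87  IN  A   999.1.1.1'

# validate_ipv4 ADDR -> exit 0 only for a dotted quad whose octets are 0-255
validate_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _saved_ifs=$IFS; IFS=.; set -- $1; IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# extract_a_records < dig answer lines -> one address per line (A records only)
extract_a_records() {
    awk 'NF >= 5 && $3 == "IN" && $4 == "A" { print $5 }'
}

# render_upstream NAME PORT < addresses -> nginx upstream block on stdout;
# addresses that fail validation are reported on stderr and left out
render_upstream() {
    printf 'upstream %s {\n    ip_hash;\n' "$1"
    while IFS= read -r _addr; do
        if validate_ipv4 "$_addr"; then
            printf '    server %s:%s;\n' "$_addr" "$2"
        else
            printf 'skipping invalid upstream address: %s\n' "$_addr" >&2
        fi
    done
    printf '}\n'
}

# count_servers < upstream block -> number of server lines emitted
count_servers() {
    grep -c '^    server '
}

if [ "${1:-}" = "--run" ]; then
    printf '%s\n' "$SAMPLE_DIG_ANSWER" | extract_a_records | render_upstream qq_com 80
fi
```

Run it with `sh upstream.sh --run`; the rendered block is what load.conf above contains, minus the malformed entry. Two caveats for the configuration itself: `ip_hash` keys on the client address, so if this Nginx sits behind another proxy every request hashes to the same upstream; and the `X-Real-IP` / `X-Forwarded-For` headers set above are only meaningful to the backend if it trusts them solely from this proxy's address. Addresses copied from a dig of a third-party domain also drift as that domain's DNS changes, which is why regenerating the block rather than hand-editing it is worthwhile.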

SSL: principle and configuration


1. HTTPS is encrypted.


1. Generate the private key

[root@weixing01 conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
...........................+++
....................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:

2. Convert the private key (this strips the passphrase so Nginx can load it without prompting):

[root@weixing01 conf]# openssl rsa -in tmp.key -out weixing.key
Enter pass phrase for tmp.key:
writing RSA key
[root@weixing01 conf]# rm -f tmp.key 

3. Generate the certificate signing request:

[root@weixing01 conf]# openssl req -new -key weixing.key -out weixing.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:china     
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:wei
Organizational Unit Name (eg, section) []:xing
Common Name (eg, your name or your server's hostname) []:weilinux
Email Address []:[email protected] 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:weixing
An optional company name []:weixing

4. Generate the public key (a self-signed certificate):

[root@weixing01 conf]# openssl x509 -req -days 365 -in weixing.csr -signkey weixing.key -out weixing.crt
Signature ok
subject=/C=11/ST=beijing/L=beijing/O=wei/OU=xing/CN=weilinux/[email protected]
Getting Private key

5. List the files:

[root@weixing01 conf]# ls weixing.*
weixing.crt  weixing.csr  weixing.key  

6. Configure SSL:

[root@weixing01 vhost]# vim /usr/local/nginx/conf/vhost/ssl.conf
server
{
    listen 443;
    server_name weixing.com;
    index index.html index.php;
    root /data/wwwroot/weixing.com;
    ssl on;
    ssl_certificate weixing.crt;
    ssl_certificate_key weixing.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
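Before handing a block like the one above to `nginx -t`, it is worth a quick lint of the TLS settings themselves. The script below is an added example, not code from the original post: it scans a server block for the deprecated `ssl on` form, obsolete protocol versions, a missing certificate/key pair and a missing HSTS header. The first sample is the ssl.conf written above; the hardened counterpart is my assumption of what the same block should look like, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: lint the TLS settings of a server
# block like the one above. Findings go to stdout, one per line; the function
# exits 1 when there is at least one.

# Constructed sample: the ssl.conf written above.
SAMPLE_SSL_CONF='server
{
    listen 443;
    server_name weixing.com;
    index index.html index.php;
    root /data/wwwroot/weixing.com;
    ssl on;
    ssl_certificate weixing.crt;
    ssl_certificate_key weixing.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}'

# Assumed hardened counterpart: TLS enabled on the listen directive, only
# TLS 1.2/1.3 offered, absolute paths, and HSTS sent with every response.
HARDENED_SSL_CONF='server
{
    listen 443 ssl;
    server_name weixing.com;
    root /data/wwwroot/weixing.com;
    ssl_certificate /usr/local/nginx/conf/weixing.crt;
    ssl_certificate_key /usr/local/nginx/conf/weixing.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
}'

# lint_ssl_conf < config -> findings on stdout, exit 1 if any
lint_ssl_conf() {
    awk '
        # drop the trailing ";" and leading indentation so $1/$2 are clean
        { sub(/;[ \t]*$/, ""); sub(/^[ \t]+/, "") }
        $1 == "ssl" && $2 == "on" {
            ssl_on = 1; n++
            print "ssl on: deprecated since nginx 1.15.0, use \"listen 443 ssl\" instead"
        }
        $1 == "listen" && $0 ~ /(^| )ssl( |$)/ { ssl_listen = 1 }
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++)
                if ($i == "SSLv2" || $i == "SSLv3" || $i == "TLSv1" || $i == "TLSv1.1") {
                    n++; print "ssl_protocols: " $i " is obsolete, offer TLSv1.2 and TLSv1.3 only"
                }
        }
        $1 == "ssl_certificate"     { has_cert = 1 }
        $1 == "ssl_certificate_key" { has_key = 1 }
        $1 == "add_header" && $2 == "Strict-Transport-Security" { has_hsts = 1 }
        END {
            if (!ssl_on && !ssl_listen) { n++; print "listen: neither an ssl parameter nor ssl on, so port 443 would serve plaintext" }
            if (!has_cert || !has_key) { n++; print "ssl_certificate and ssl_certificate_key are both required" }
            if (!has_hsts) { n++; print "Strict-Transport-Security: not sent, add it once HTTPS is known to work" }
            exit (n > 0 ? 1 : 0)
        }'
}

# count_findings < config -> number of findings
count_findings() {
    lint_ssl_conf | wc -l | tr -d ' '
}

if [ "${1:-}" = "--run" ]; then
    echo "== as written above =="
    printf '%s\n' "$SAMPLE_SSL_CONF" | lint_ssl_conf || true
    echo "== hardened =="
    printf '%s\n' "$HARDENED_SSL_CONF" | lint_ssl_conf && echo "no findings"
fi
```

Run with `sh lint_ssl.sh --run`. One version caveat: the `TLSv1.3` parameter needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later, so on the nginx 1.12.2 / OpenSSL 1.0.2k build shown below the hardened line would be `ssl_protocols TLSv1.2;` only. `ssl on` is still accepted by 1.12.2; the deprecation matters when the build is upgraded.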

7. Test the configuration; it reports an error:

[root@weixing01 vhost]# /usr/local/nginx/sbin/nginx  -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@weixing01 vhost]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
configure arguments: --prefix=/usr/local/nginx

Recompile Nginx with the SSL module:

[root@weixing01 nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
checking for OS
 + Linux 3.10.0-693.el7.x86_64 x86_64
checking for C compiler ... found
 + using GNU C compiler
 + gcc version: 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
checking for gcc -pipe switch ... found
checking for -Wl,-E switch ... found
checking for gcc builtin atomic operations ... found

Then run make and make install.

Test again:

[root@weixing01 nginx-1.12.2]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@weixing01 nginx-1.12.2]# /usr/local/nginx/sbin/nginx  -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@weixing01 nginx-1.12.2]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  確定  ]
[root@weixing01 nginx-1.12.2]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4230/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      919/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1160/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4230/nginx: master  
tcp6       0      0 :::22                   :::*                    LISTEN      919/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1160/master       

Restart the service and test:

[root@weixing01 nginx-1.12.2]# cd /data/wwwroot/weixing.com
[root@weixing01 weixing.com]# ls
[root@weixing01 weixing.com]# 
[root@weixing01 weixing.com]# vim 1.txt
[root@weixing01 weixing.com]# mv 1.txt index.html
[root@weixing01 weixing.com]# curl -x127.0.0.1:443 https://weixing.com
curl: (56) Received HTTP code 400 from proxy after CONNECT
[root@weixing01 weixing.com]# vi /etc/hosts
[root@weixing01 weixing.com]# curl https://weixing.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
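The curl errors above have two distinct causes: `-x127.0.0.1:443` tells curl to use Nginx as an HTTP proxy, so it sends a plaintext CONNECT to the TLS port and gets the 400 back; the second attempt fails because the self-signed certificate is not in curl's CA bundle, and `-k` would merely stop curl from checking. The script below is an added example, not code from the original post: it runs steps 1 to 5 from the SSL section without the interactive prompts, checks the two things that went wrong in the prompts above (a country code that is not two letters, and a Common Name of `weilinux` that does not match `server_name weixing.com`), confirms the key and certificate belong together, and prints the curl line that validates against the self-signed certificate instead of skipping verification. File names follow the post; the temporary directory, the CN `weixing.com`, the country code `CN` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-5 without the interactive
# prompts, then the checks worth doing before handing the files to nginx, and
# the curl line that validates a self-signed certificate instead of using -k.
# File names follow the post; directory, CN and country code are assumed.

# check_country_code CODE -> exit 0 only for a two-letter code; the CSR prompt
# above rejected "china" for this reason ("11" is accepted but is not a real
# ISO 3166 code)
check_country_code() {
    case $1 in
        [A-Za-z][A-Za-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# make_selfsigned DIR CN DAYS -> writes weixing.key, weixing.csr, weixing.crt
make_selfsigned() {
    _dir=$1; _cn=$2; _days=$3
    # -nodes writes the key unencrypted, which is where the post's
    # "genrsa -des3" followed by "openssl rsa" ends up anyway
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$_dir/weixing.key" -out "$_dir/weixing.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=wei/OU=xing/CN=$_cn" 2>/dev/null || return 1
    openssl x509 -req -days "$_days" -sha256 -in "$_dir/weixing.csr" \
        -signkey "$_dir/weixing.key" -out "$_dir/weixing.crt" 2>/dev/null || return 1
    chmod 600 "$_dir/weixing.key"
}

# key_matches_cert KEY CRT -> exit 0 when both carry the same RSA modulus,
# i.e. nginx will not reject the pair at startup
key_matches_cert() {
    _k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
    _c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# cert_common_name CRT -> prints the CN so it can be compared with server_name
cert_common_name() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# curl_verify_command CRT HOST -> the test command for a self-signed cert:
# --cacert trusts exactly this certificate (hostname is still checked), and
# --resolve pins HOST to the local server without editing /etc/hosts
curl_verify_command() {
    printf 'curl --cacert %s --resolve %s:443:127.0.0.1 https://%s/\n' "$1" "$2" "$2"
}

main() {
    work=$(mktemp -d)
    make_selfsigned "$work" weixing.com 365 || { echo "openssl failed" >&2; exit 1; }
    key_matches_cert "$work/weixing.key" "$work/weixing.crt" && echo "key and certificate match"
    echo "CN: $(cert_common_name "$work/weixing.crt")"
    openssl verify -CAfile "$work/weixing.crt" "$work/weixing.crt"
    curl_verify_command "$work/weixing.crt" weixing.com
    rm -rf "$work"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run with `sh selfsigned.sh --run`. Because `--cacert` still checks the name, the certificate generated above with `CN=weilinux` would be refused for `https://weixing.com` even after trusting it; the CN has to be the hostname in `server_name`. Browsers go one step further and require a subjectAltName extension, which the plain `req` / `x509 -req` flow used here and in the post does not add, so expect a browser warning on this certificate even when curl is satisfied.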

Test in the browser:

[screenshot: browser test]
