Nginx负载均衡即为当代理服务器将自定义的域名解析到多个指定IP时,通过upstream来保证用户可以通过代理服务器正常访问各个IP。
代理一台机器叫做代理,代理两台及两台服务器就能叫做负载均衡。
创建一个配置文件/usr/local/nginx/conf/vhost/load.con
[root@localhost ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream qq.com
#借助upstream模块,自定义域名
{
ip_hash;
#保证同一个用户始终保持在同一台机器上
#即当域名指向多个IP时,保证同一个用户始终解析到之前访问的IP
server 61.135.157.156:80;
server 125.39.240.113:80;
#指定web服务器的IP
}
server
{
listen 80;
#定义监听端口
server_name www.qq.com; #域名
location /
{
proxy_pass http://qq.com;
#不支持再proxy_pass中写多个ip。代理中可以写成ip,但是再负载中不能写ip,要写入和upstream 对应
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
测试并重载配置:
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
设置代理前:
[root@localhost ~]# curl -x127.0.0.1:80 www.qq.com
This is the default directory.
设置代理后:
[root@localhost ~]# curl -x127.0.0.1:80 www.qq.com
......
#会显示网页的源码。
注意: Nginx不支持代理https,只能代理http,新版本的Nginx可以代理tcp。
dig 命令是常用的域名解析工具。
安装dig 命令
[root@localhost ~]# yum install -y bind-utils
www.qq.com解析到了3个ip
[root@localhost ~]# dig www.qq.com
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> www.qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36583
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.qq.com. IN A
;; ANSWER SECTION:
www.qq.com. 97 IN A 14.17.32.211
www.qq.com. 97 IN A 14.17.42.40
www.qq.com. 97 IN A 59.37.96.63
;; Query time: 60 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 一 1月 08 21:
TCP(Transmission Control Protocol 传输控制协议)是一种面向连接的、可靠的、基于字节流的传输层通信协议,由IETF的RFC 793定义。默认监听80端口。
SSL(Secure Sockets Layer 安全套接层)协议,及其继任者TLS(Transport Layer Security传输层安全)协议,是为网络通信提供安全及数据完整性的一种安全协议。
[root@localhost ~]# yum install -y openssl
ssl工作流程
ssl证书就是一对公钥和私钥
切换目录,密钥对会保存在该目录下:
[root@localhost ~]# cd /usr/local/nginx/conf/
[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048
#生成rsa格式的密钥对,2048是长度。
Generating RSA private key, 2048 bit long modulus
.....+++
..................................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
#生成密钥时要指定密码。
[root@localhost conf]# openssl rsa -in tmp.key -out huang.key
#in指定哪个密钥要被转换,out指定输出密钥的 名称。
Enter pass phrase for tmp.key:
writing RSA key
#需要输入上一个tmp.key 的密码。这时候,tmp.key和huang.key其实是一个,只是huang.key没密码。
[root@localhost conf]# rm -f tmp.key
#删除有密码的key
生成请求文件目的是为了让请求文件和私钥一起去生成一个公钥。
Country Name (2 letter code) [XX]:CN //国家
State or Province Name (full name) []:Beijing //省或州
Locality Name (eg, city) [Default City]:Beijing //城市
Organization Name (eg, company) [Default Company Ltd]:Beijing //公司
Organizational Unit Name (eg, section) []:Beijing //组织
Common Name (eg, your name or your server‘s hostname) []:centos 03 //主机名
Email Address []:abc@abc.com //邮箱
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:123456 //一个可选的公司名称
An optional company name []:123456
说明: 该部分内容如果不购买证书可以自定义;如果是正式应用在网站上,需要规范填写对应信息。
[root@localhost conf]# openssl x509 -req -days 365 -in huang.csr -signkey huang.key -out huang.crt
#365是密钥生效的天数。
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Beijing/OU=Beijing/CN=centos 03/emailAddress=abc@abc.com
Getting Private key
[root@localhost conf]# ls /usr/local/nginx/conf/huang*
/usr/local/nginx/conf/huang.crt /usr/local/nginx/conf/huang.csr /usr/local/nginx/conf/huang.key
创建新的配置文件:
[root@localhost conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
server
{
listen 443;
server_name abc.com;
index index.html index.php;
root /data/wwwroot/abc.com;
ssl on;
#开启ssl
ssl_certificate huang.crt;
#配置公钥
ssl_certificate_key huang.key;
#配置私钥
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#配置协议,一般情况三种都配置上。
}
检测配置:
[root@localhost conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
#检测报错,为时便ssl配置,需要重新编译Nginx。
重新编译Nginx:
[root@localhost conf]# cd /usr/local/src/nginx-1.8.0/
[root@localhost nginx-1.8.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
.....
[root@localhost nginx-1.8.0]# echo $?
0
[root@localhost nginx-1.8.0]# make
......
[root@localhost nginx-1.8.0]# echo $?
0
[root@localhost nginx-1.8.0]# make install
......
[root@localhost nginx-1.8.0]# echo $?
0
#./configure --hlep 查看可以安装的模块
测试配置文件,并重启nginx服务:
[root@localhost nginx-1.8.0]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost nginx-1.8.0]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ 确定 ]
[root@localhost nginx-1.8.0]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4905/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1243/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2121/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4905/nginx: master
......
#nginx 监听了443和80端口
添加本地域名
root@localhost nginx-1.8.0]# vim /etc/hosts
127.0.0.1 abc.com
[root@localhost nginx-1.8.0]# curl https://abc.com/
curl: (60) Peer‘s certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn‘t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you‘d like to turn off curl‘s verification of the certificate, use
the -k (or --insecure) option.
#因为该证书是自己创建的,所以提示证书不被信任!!!
使用浏览器访问
需要先在hosts文件中添加本地域名,并清空或添加防火墙规则。
192.168.159.132 abc.com
购买正规证书:沃通等
Nginx负载均衡、ssl原理、生成ssl密钥对、Nginx配置ssl
原文:http://blog.51cto.com/754599082/2058866