Nginx负载均衡、ssl原理、生产ssl密钥对、Nginx配置
2018-04-28 本文已影响0人
强出头
Nginx负载均衡
1、Nginx的负载分发策略
Nginx 的 upstream目前支持的分配算法:
1)、轮询 ——1:1 轮流处理请求(默认)
每个请求按时间顺序逐一分配到不同的应用服务器,如果应用服务器down掉,自动剔除,剩下的继续轮询。
2)、权重 ——you can you up
通过配置权重,指定轮询几率,权重和访问比率成正比,用于应用服务器性能不均的情况。
3)、ip_哈希算法
每个请求按访问ip的hash结果分配,这样每个访客固定访问一个应用服务器,可以解决session共享的问题。
[root@iZbp1e0xboek6oow616aoiZ ~]# yum install -y bind-utils
[root@iZbp1e0xboek6oow616aoiZ ~]# dig www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13528
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 1115 IN CNAME www.a.shifen.com.
www.a.shifen.com. 35 IN A 220.181.111.188
www.a.shifen.com. 35 IN A 220.181.112.244
;; Query time: 0 msec
;; SERVER: 100.100.2.138#53(100.100.2.138)
;; WHEN: 四 4月 26 22:23:07 CST 2018
;; MSG SIZE rcvd: 90
[root@iZbp1e0xboek6oow616aoiZ ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream baidu_com
{
ip_hash;
server 220.181.111.188:80;
server 220.181.112.244:80;
}
server
{
listen 80;
server_name www.baidu.com;
location /
{
proxy_pass http://qq_com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
ssl原理
ssl原理
生产ssl密钥对
生产ssl密钥对
[root@iZbp1e0xboek6oow616aoiZ ~]# cd /usr/local/nginx/conf
[root@iZbp1e0xboek6oow616aoiZ conf]# yum install openssl
#key文件为私钥
[root@iZbp1e0xboek6oow616aoiZ conf]# openssl genrsa -des3 -out tmp.key 2048
#转换key,取消密码
[root@iZbp1e0xboek6oow616aoiZ conf]# openssl rsa -in tmp.key -out test.key
#生成证书请求文件,需要拿这个文件和私钥一起生产公钥文件
[root@iZbp1e0xboek6oow616aoiZ conf]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:china
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:CH
State or Province Name (full name) []:Sichuan
Locality Name (eg, city) [Default City]:Chengdu
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:test@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:test
#这里的test.crt为公钥
[root@iZbp1e0xboek6oow616aoiZ conf]# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
Signature ok
subject=/C=CH/ST=Sichuan/L=Chengdu/O=test/OU=test/CN=test/emailAddress=test@test.com
Getting Private key
Nginx配置ssl
Nginx配置ssl
[root@iZbp1e0xboek6oow616aoiZ conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
server
{
listen 443;
server_name test.com;
index index.html index.php;
root /data/wwwroot/test1.com;
ssl on;
ssl_certificate test.crt;
ssl_certificate_key test.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
[root@iZbp1e0xboek6oow616aoiZ conf]# cd /usr/local/src/nginx-1.14.0
[root@iZbp1e0xboek6oow616aoiZ nginx-1.14.0]# ./configure --help |grep -i ssl
--with-http_ssl_module enable ngx_http_ssl_module
--with-mail_ssl_module enable ngx_mail_ssl_module
--with-stream_ssl_module enable ngx_stream_ssl_module
--with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
[root@iZbp1e0xboek6oow616aoiZ nginx-1.14.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@iZbp1e0xboek6oow616aoiZ nginx-1.14.0]# make && make install
[root@iZbp1e0xboek6oow616aoiZ nginx-1.14.0]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.14.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@iZbp1e0xboek6oow616aoiZ conf]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@iZbp1e0xboek6oow616aoiZ conf]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ 确定 ]
[root@iZbp1e0xboek6oow616aoiZ conf]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 11372/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 9068/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 11372/nginx: master
tcp6 0 0 :::3306 :::* LISTEN 11090/mysqld
[root@iZbp1e0xboek6oow616aoiZ conf]# mkdir /data/wwwroot/test1.com
[root@iZbp1e0xboek6oow616aoiZ conf]# echo “ssl test page.”>/data/wwwroot/test1.com/index.html
[root@iZbp1e0xboek6oow616aoiZ conf]# vim /etc/hosts
127.0.0.1 test.com
[root@iZbp1e0xboek6oow616aoiZ ~]# curl https://test.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
扩展
针对请求的uri来代理 http://ask.apelearn.com/question/1049
根据访问的目录来区分后端的web http://ask.apelearn.com/question/920
nginx长连接 http://www.apelearn.com/bbs/thread-6545-1-1.html
nginx算法分析 http://blog.sina.com.cn/s/blog_72995dcc01016msi.html
