[root@WangJiayue-4 ~]# for i in $(seq 10);do curl 192.168.222.250;done
WangJiayue-2
WangJiayue-3
WangJiayue-2
WangJiayue-3
WangJiayue-2
WangJiayue-3
3.搭建HTTPS负载均衡
3.1 生成证书
//生成一对密钥
[root@WangJiayue ~]# cd /etc/pki/CA/
[root@WangJiayue CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......+++
.......+++
e is 65537 (0x10001)
//生成自签署证书
[root@WangJiayue CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:[email protected]
//在RS生成证书签署请求,并发送给CA(注意:openssl req 生成CSR时的 -days 参数不生效,证书有效期由CA签署时的 -days 决定)
[root@WangJiayue-2 ~]# mkdir /etc/httpd/ssl
[root@WangJiayue-2 ~]# cd /etc/httpd/ssl
[root@WangJiayue-2 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...........................................................................................................+++
................................................+++
e is 65537 (0x10001)
[root@WangJiayue-2 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@WangJiayue-2 ssl]# scp httpd.csr [email protected]:/root/
The authenticity of host '192.168.222.128 (192.168.222.128)' can't be established.
ECDSA key fingerprint is 03:18:89:32:f3:e7:3e:8b:44:2a:9c:ed:0a:8f:53:6f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.222.128' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.csr 100% 1033 1.0KB/s 00:00
//CA签署证书并发给客户端
[root@WangJiayue ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jul 24 11:25:38 2020 GMT
Not After : Jul 24 11:25:38 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = www.a.com
organizationalUnitName = www.a.com
commonName = www.a.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AC:14:97:6A:0F:9C:62:70:9A:C9:4C:AD:C6:0E:EC:63:93:67:A4:44
X509v3 Authority Key Identifier:
keyid:16:FC:92:C6:94:8B:B8:31:B4:CE:12:EF:43:E4:7D:D1:C5:95:00:C6
Certificate is to be certified until Jul 24 11:25:38 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@WangJiayue ~]# ls
httpd.crt httpd.csr
//CA把签署好的证书httpd.crt和CA自身的证书cacert.pem发给客户端
[root@WangJiayue ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
[email protected]'s password:
httpd.crt 100% 4565 4.5KB/s 00:00
[root@WangJiayue ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
The authenticity of host '192.168.222.130 (192.168.222.130)' can't be established.
ECDSA key fingerprint is 3d:0e:f3:00:71:87:a5:a0:ec:a4:64:95:e0:bc:78:2b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.222.130' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.crt 100% 4565 4.5KB/s 00:00
[root@WangJiayue ~]# scp /etc/pki/CA/cacert.pem [email protected]:/etc/httpd/ssl
[email protected]'s password:
cacert.pem 100% 1383 1.4KB/s 00:00
3.2 配置HTTPS
//在WangJiayue-2(RS1)上将httpd.key传给WangJiayue-3(RS2),并在WangJiayue-2和WangJiayue-3上安装ssl模块
[root@WangJiayue-2 ~]# cd /etc/httpd/ssl/
[root@WangJiayue-2 ssl]# ls
httpd.crt httpd.csr httpd.key
[root@WangJiayue-2 ssl]# scp httpd.key [email protected]:/etc/httpd/ssl/
The authenticity of host '192.168.222.130 (192.168.222.130)' can't be established.
ECDSA key fingerprint is 3d:0e:f3:00:71:87:a5:a0:ec:a4:64:95:e0:bc:78:2b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.222.130' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.key 100% 1679 1.6KB/s 00:00
[root@WangJiayue-2 ssl]# yum -y install mod_ssl
[root@WangJiayue-3 ssl]# ls
cacert.pem httpd.crt httpd.key
[root@WangJiayue-3 ssl]# yum -y install mod_ssl
[root@WangJiayue-2 ~]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
//将下面两行取消注释,并修改域名(注意:ServerName 应与证书的 Common Name www.a.com 一致,否则客户端校验证书时会报主机名不匹配)
DocumentRoot "/var/www/html"
ServerName aaa.com:443
...
//修改下面没有带注释的行
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
...
...
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
[root@WangJiayue-2 ~]# systemctl restart httpd
[root@WangJiayue-3 ~]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
//将下面两行取消注释,并修改域名(注意:ServerName 应与证书的 Common Name www.a.com 一致,否则客户端校验证书时会报主机名不匹配)
DocumentRoot "/var/www/html"
ServerName aaa.com:443
...
//修改下面没有带注释的行
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
...
...
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
[root@WangJiayue-3 ~]# systemctl restart httpd
[root@WangJiayue ~]# route add -host 192.168.222.250 dev lo
[root@WangJiayue-2 ~]# route add -host 192.168.222.250 dev lo
[root@WangJiayue-3 ~]# route add -host 192.168.222.250 dev lo
[root@WangJiayue-4 ~]# for i in $(seq 10);do curl 192.168.222.250;done
WangJiayue-2
WangJiayue-3
WangJiayue-2
WangJiayue-3
WangJiayue-2
WangJiayue-3
3. 搭建HTTPS负载均衡
3.1 证书生成
//生成一对密钥
[root@WangJiayue ~]# cd /etc/pki/CA/
[root@WangJiayue CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......+++
.......+++
e is 65537 (0x10001)
//生成自签署证书
[root@WangJiayue CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:[email protected]
//在RS生成证书签署请求,并发送给CA(注意:openssl req 生成CSR时的 -days 参数不生效,证书有效期由CA签署时的 -days 决定)
[root@WangJiayue-2 ~]# mkdir /etc/httpd/ssl
[root@WangJiayue-2 ~]# cd /etc/httpd/ssl
[root@WangJiayue-2 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
...........................................................................................................+++
................................................+++
e is 65537 (0x10001)
[root@WangJiayue-2 ssl]# openssl req -new -key httpd.key -days 1024 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@WangJiayue-2 ssl]# scp httpd.csr [email protected]:/root/
The authenticity of host '192.168.222.128 (192.168.222.128)' can't be established.
ECDSA key fingerprint is 03:18:89:32:f3:e7:3e:8b:44:2a:9c:ed:0a:8f:53:6f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.222.128' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.csr 100% 1033 1.0KB/s 00:00
//CA签署证书并发给客户端
[root@WangJiayue ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jul 24 11:25:38 2020 GMT
Not After : Jul 24 11:25:38 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = www.a.com
organizationalUnitName = www.a.com
commonName = www.a.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AC:14:97:6A:0F:9C:62:70:9A:C9:4C:AD:C6:0E:EC:63:93:67:A4:44
X509v3 Authority Key Identifier:
keyid:16:FC:92:C6:94:8B:B8:31:B4:CE:12:EF:43:E4:7D:D1:C5:95:00:C6
Certificate is to be certified until Jul 24 11:25:38 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@WangJiayue ~]# ls
httpd.crt httpd.csr
//CA把签署好的证书httpd.crt和CA自身的证书cacert.pem发给客户端
[root@WangJiayue ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
[email protected]'s password:
httpd.crt 100% 4565 4.5KB/s 00:00
[root@WangJiayue ~]# scp httpd.crt [email protected]:/etc/httpd/ssl
The authenticity of host '192.168.222.130 (192.168.222.130)' can't be established.
ECDSA key fingerprint is 3d:0e:f3:00:71:87:a5:a0:ec:a4:64:95:e0:bc:78:2b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.222.130' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.crt 100% 4565 4.5KB/s 00:00
[root@WangJiayue ~]# scp /etc/pki/CA/cacert.pem [email protected]:/etc/httpd/ssl
[email protected]'s password:
cacert.pem 100% 1383 1.4KB/s 00:00
3.2 在WangJiayue-2(RS1)和WangJiayue-3(RS2)上配置HTTPS
//在WangJiayue-2(RS1)上将httpd.key传给WangJiayue-3(RS2),并在WangJiayue-2和WangJiayue-3上安装ssl模块
[root@WangJiayue-2 ~]# cd /etc/httpd/ssl/
[root@WangJiayue-2 ssl]# ls
httpd.crt httpd.csr httpd.key
[root@WangJiayue-2 ssl]# scp httpd.key [email protected]:/etc/httpd/ssl/
The authenticity of host '192.168.222.130 (192.168.222.130)' can't be established.
ECDSA key fingerprint is 3d:0e:f3:00:71:87:a5:a0:ec:a4:64:95:e0:bc:78:2b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.222.130' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.key 100% 1679 1.6KB/s 00:00
[root@WangJiayue-2 ssl]# yum -y install mod_ssl
[root@WangJiayue-3 ssl]# ls
cacert.pem httpd.crt httpd.key
[root@WangJiayue-3 ssl]# yum -y install mod_ssl
[root@WangJiayue-2 ~]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
//将下面两行取消注释,并修改域名(注意:ServerName 应与证书的 Common Name www.a.com 一致,否则客户端校验证书时会报主机名不匹配)
DocumentRoot "/var/www/html"
ServerName aaa.com:443
...
//修改下面没有带注释的行
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
...
...
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
[root@WangJiayue-2 ~]# systemctl restart httpd
[root@WangJiayue-3 ~]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
//将下面两行取消注释,并修改域名(注意:ServerName 应与证书的 Common Name www.a.com 一致,否则客户端校验证书时会报主机名不匹配)
DocumentRoot "/var/www/html"
ServerName aaa.com:443
...
//修改下面没有带注释的行
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
...
...
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
[root@WangJiayue-3 ~]# systemctl restart httpd