Nginx负载均衡、 ssl工作流程、生产ssl密钥对、Nginx配置ssl

Nginx负载均衡

负载均衡即是代理服务器将接收的请求均衡的分发到各服务器中
编辑虚拟主机配置文件
vim /usr/local/nginx/conf/vhost/ld.conf

在配置文件中添加如下内容

upstream qq_com
{
    ip_hash;
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

ip_hash 是让同一个用户始终保持在同一台机器上

---

ssl原理

https和http的区别是通信是加密的，如果不加密就有可能被从中间截掉，泄露数据，而加密了的即使被人截到也是看不了内容的。

实现加密解密的流程：

---

生产ssl密钥对

进入nginx 配置目录
cd /usr/local/nginx/conf

执行命令生成密钥
openssl genrsa -des3 -out tmp.key 2048

转换key，取消密码
openssl rsa -in tmp.key -out test.key

可以删除原来的key
rm -f tmp.key

生成证书请求文件，需要拿这个文件和私钥一起生产公钥文件
openssl req -new -key test.key -out test.csr

生成公钥，这里的test.crt为公钥
openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt

---

Nginx配置ssl

生成一个新的虚拟主机配置文件
vim /usr/local/nginx/conf/vhost/ssl.conf

在配置文件中添加如下内容
server
{
listen 443;
server_name lx.com;
index index.html index.php;
root /data/wwwroot/lx.com;
ssl on;
ssl_certificate test.crt;
ssl_certificate_key aminglinux.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

创建网站的目录
mkidir /data/wwwroot/lx.com

检查配置文件是否错误
/usr/local/nginx/sbin/nginx -t

如果出现如下错误表示ssl moudle没有安装，那么需要重新编译安装nginx
nginx:[emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

进入nginx源码包，
cd /usr/local/src/nginx-1.12.1/

安装ssl_module

./configure --prefix=/usr/local/nginx  --with-http_ssl_module
make
make install

安装完成后再检查下配置文件是否出现错误
/usr/local/nginx/sbin/nginx -t

如果没出现错误重启下nginx服务
/etc/init.d/nginx restart

检查下443端口是否监听
netstat -lntp

tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4128/nginx: master #出现这一行表示正常

再网站目录下创建一个测试页，内容自己写即可
vim /data/wwwroot/lx.com/index.html

访问测试
curl https://lx.com/ 访问网站，出现如下的提示，因为证书是自己颁发的，所以不合法，但实际上已经配置成功
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.