nginx load balancing, configure ssl

12.17 Nginx Load Balancing

Nginx load balancing: when a custom domain name resolves to several designated IPs, the proxy server lists those IPs in an upstream block and forwards client requests to them, so users can reach each backend normally through the proxy server.

Load balancing configuration

Configuration parameters:

[root@1 ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream aq.com
# custom domain name (the upstream name referenced by proxy_pass below)
{
    ip_hash;
    # keep the same user on the same machine:
    # when the domain name points to multiple IPs, each user is always sent to the same IP
    server 61.135.157.156:80;
    server 125.39.240.113:80;
    # IPs of the web servers
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass      http://aq.com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
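As an added example (not part of the course notes), the following Python models how the ip_hash directive above pins clients to backends. The hashing constants are my reading of nginx's ngx_http_upstream_ip_hash_module source, which hashes only the first three octets of an IPv4 address, so every client in the same /24 lands on the same server; the backend addresses are the two from load.conf and the client IPs are constructed sample data.

```python
import ipaddress

# Model of nginx's ip_hash backend selection. Constants (seed 89, multiplier 113,
# modulus 6271) are my reading of ngx_http_upstream_ip_hash_module, not from the notes.
HASH_SEED, HASH_MUL, HASH_MOD = 89, 113, 6271

def ip_hash_pick(client_ip, backends):
    """Return the backend address ("host:port") chosen for client_ip.

    backends is a list of (address, weight); weight 1 is nginx's default."""
    octets = ipaddress.IPv4Address(client_ip).packed[:3]  # only the /24 prefix is hashed
    h = HASH_SEED
    for b in octets:
        h = (h * HASH_MUL + b) % HASH_MOD
    total_weight = sum(w for _, w in backends)
    w = h % total_weight
    for addr, weight in backends:          # walk the weighted list like nginx does
        if w < weight:
            return addr
        w -= weight
    raise AssertionError("unreachable: w is always below total_weight")

# The two servers from load.conf (default weight 1 each).
BACKENDS = [("61.135.157.156:80", 1), ("125.39.240.113:80", 1)]

def distribution(client_ips, backends=BACKENDS):
    """Map each client to its backend and count how many clients each backend gets."""
    picks = {ip: ip_hash_pick(ip, backends) for ip in client_ips}
    counts = {addr: 0 for addr, _ in backends}
    for addr in picks.values():
        counts[addr] += 1
    return picks, counts

if __name__ == "__main__":
    # Constructed sample clients: three behind one NAT /24 plus assorted others.
    clients = ["203.0.113.5", "203.0.113.77", "203.0.113.200",
               "198.51.100.9", "192.0.2.44", "192.0.2.45", "100.64.1.1"]
    picks, counts = distribution(clients)
    for ip, addr in picks.items():
        print(f"{ip:>15} -> {addr}")
    print("clients per backend:", counts)
```

Because the hash is taken from $remote_addr, if this nginx itself sits behind another proxy or load balancer every request arrives from that one address and the whole upstream collapses onto a single backend.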

Check

Before proxy

[root@1 ~]# curl -x127.0.0.1:80 www.qq.com 
This is the default directory.

Before the proxy is configured, the request goes directly to the default virtual host.

After proxy

[root@1 ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@1 ~]# /usr/local/nginx/sbin/nginx -s reload

[root@1 ~]# curl -x127.0.0.1:80 www.qq.com

After the proxy is configured, the request is forwarded to one of the IPs the proxy server points to.

[root@1 ~]# dig www.qq.com

;; ANSWER SECTION:
www.qq.com.		138	IN	A	61.135.157.156
www.qq.com.		138	IN	A	125.39.240.113

;; Query time: 13 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 二 8月 15 16:41:11 CST 2017
;; MSG SIZE  rcvd: 71

Note: Nginx does not support proxying https; it can only proxy http. Newer versions of Nginx can proxy tcp.

dig command

The dig command is a common domain name resolution tool.

If the command is not present in the server, install it manually:

[root@1 ~]# yum install -y bind-utils

Syntax:  dig [domain name]

HTTP, HTTPS, TCP

HTTP (HyperText Transfer Protocol) is the most widely used network protocol on the Internet.
HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer) is a secure HTTP channel, i.e. a secure version of HTTP. HTTPS is built from SSL plus HTTP; it provides encrypted transmission and identity authentication, and is therefore more secure than HTTP.
The default port number for HTTP is 80, and the port number for HTTPS is 443.
TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream-based transport layer communication protocol, defined by the IETF in RFC 793. By default it listens on port 80.

12.18 Principles of SSL

The SSL (Secure Sockets Layer) protocol and its successor, the TLS (Transport Layer Security) protocol, are security protocols that provide confidentiality and data integrity for network communications.

Install openssl

If the tool is not present in the virtual machine, install it manually:

[root@1 ~]# yum install -y openssl

SSL Workflow

  • The browser sends an https request to the server;
  • The server must hold a digital certificate, which can be made by yourself (the certificates used in the following operations are ones A Ming made himself) or applied for from a certificate authority. A certificate applied for by a company will not pop up the browser prompt page. This certificate is actually a pair of public key and private key;
  • The server transmits the public key to the client;
  • After the client (browser) receives the public key, it verifies whether it is legal and valid. If it is invalid, a warning is shown. If it is valid, a random string is generated and encrypted with the received public key;
  • The client transmits the encrypted random string to the server;
  • After the server receives the encrypted random string, it first decrypts it with the private key (public key encryption, private key decryption). Having obtained the random string, it encrypts the data to be transmitted with that random string (this is symmetric encryption: the data is mixed with the key, here the random string, by some algorithm, so that the data content cannot be recovered unless the key is known);
  • The server transmits the encrypted data to the client;
  • After the client receives the data, it decrypts it with the random string it generated, which serves as the symmetric key.
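To make the eight steps concrete, here is an added Python example (not part of the original notes) that walks through the same flow with a toy RSA key pair and an HMAC-derived keystream standing in for the symmetric cipher; the tiny primes, the pinned-fingerprint check standing in for certificate validation, and all function names are my constructions, and the code is only an illustration of the flow, not a TLS implementation.

```python
import hashlib, hmac, secrets

# Constructed toy RSA key pair with small primes so the whole exchange fits here.
# A real server uses a 2048-bit key like the one generated in 12.19; never reuse this.
P, Q, E = 1_000_003, 1_000_033, 65537          # e = 65537 matches the genrsa output
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))              # private exponent: never leaves the server
SERVER_PUBLIC_KEY = (N, E)
# Stand-in for the browser's trust check: the client knows the fingerprint it expects.
PINNED_FINGERPRINT = hashlib.sha256(f"{N}:{E}".encode()).hexdigest()

def keystream_xor(key, data):
    """Symmetric step: XOR data with an HMAC-SHA256 keystream derived from the shared secret."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def client_hello(public_key, pinned):
    """Steps 3-5: verify the received public key, then make a random string and encrypt it."""
    n, e = public_key
    if hashlib.sha256(f"{n}:{e}".encode()).hexdigest() != pinned:
        raise ValueError("certificate not trusted")   # the browser warning / curl error (60)
    pre_master = secrets.randbelow(n - 2) + 2           # the random string; must be below n
    return pre_master, pow(pre_master, e, n)            # (kept by the client, sent to the server)

def server_recover(encrypted_pre_master, private_exponent=D, n=N):
    """Step 6: only the holder of the private exponent can recover the random string."""
    return pow(encrypted_pre_master, private_exponent, n)

def session_key(pre_master):
    """Both sides derive the same symmetric key from the random string."""
    return hashlib.sha256(str(pre_master).encode()).digest()

def handshake_and_transfer(payload):
    """Run the whole flow; returns (server recovered the same secret?, plaintext seen by client)."""
    pre_master, encrypted = client_hello(SERVER_PUBLIC_KEY, PINNED_FINGERPRINT)
    server_pm = server_recover(encrypted)
    ciphertext = keystream_xor(session_key(server_pm), payload)    # step 7: server encrypts
    plaintext = keystream_xor(session_key(pre_master), ciphertext)  # step 8: client decrypts
    return server_pm == pre_master, plaintext

if __name__ == "__main__":
    print(handshake_and_transfer(b"This is ssl."))
```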

12.19 Generating an SSL key pair

An SSL certificate is a pair of public and private keys.

Create private key

[root@1 ~]# cd /usr/local/nginx/conf/

[root@1 conf]# openssl genrsa -des3 -out tmp.key 2048
# generate the SSL key
Generating RSA private key, 2048 bit long modulus
....................................................................................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:

Note: a passphrase must be entered here!

Convert the key, removing the passphrase:

[root@1 conf]# openssl rsa -in tmp.key -out adailinux.key 

Enter pass phrase for tmp.key:
writing RSA key

Delete the temporary key file:

[root@1 conf]# rm -f tmp.key

Generate certificate request file

This file, together with the private key, is used to produce the public key (certificate) file:

[root@1 conf]# openssl req -new -key adailinux.key -out adailinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:adai
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Beijing
Organizational Unit Name (eg, section) []:Beijing
Common Name (eg, your name or your server's hostname) []:adailinux
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456

Note: if you are not purchasing a certificate, this information can be filled in freely; if you apply for one officially from a website (purchase), you must fill in the corresponding information accurately.

Create a public key:

[root@1 conf]# openssl x509 -req -days 365 -in adailinux.csr -signkey adailinux.key -out adailinux.crt

Signature ok
subject=/C=CN/ST=adai/L=Beijing/O=Beijing/OU=Beijing/CN=adailinux/[email protected]
Getting Private key

12.20 Nginx configures SSL

[root@1 conf]# cd vhost/

[root@1 vhost]# vim ssl.conf
server
{
    listen 443;
    server_name adai.com;
    index index.html index.php;
    root /data/wwwroot/adai.com;
    ssl on;
    # enable ssl
    ssl_certificate adailinux.crt;
    # public key (certificate)
    ssl_certificate_key adailinux.key;
    # private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # allowed protocols
}

[root@1 vhost]# mkdir /data/wwwroot/adai.com

Check

Error:

[root@1 conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

The ssl directive is not recognized because this Nginx was built without the SSL module; recompile Nginx with --with-http_ssl_module:

[root@1 conf]# cd /usr/local/src/nginx-1.12.1/

[root@1 nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module  

[root@1 nginx-1.12.1]# make
[root@1 nginx-1.12.1]# make install

[root@1 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@1 nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  确定  ]

[root@1 nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5991/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1735/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2040/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5991/nginx: master  
tcp6       0      0 :::3306                 :::*                    LISTEN      1990/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      1735/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      2040/master  

nginx listens on ports 80 and 443.

Test

[root@1 nginx-1.12.1]# cd /data/wwwroot/adai.com/

[root@1 adai.com]# vim index.html

This is ssl.

Add local domain name:

[root@1 adai.com]# vim /etc/hosts
127.0.0.1  adai.com

[root@1 vhost]# curl https://adai.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Because the certificate is self-signed, curl reports that the certificate is not trusted!

Note: the Windows hosts file needs to be changed before this test can be performed from Windows.
