Nginx configuration: HTTPS, load balancing and cluster structures

Nginx high availability (HA) configuration

1. High-availability architecture (diagram)

 

2. Keepalived installation and configuration

1) Installation

yum install keepalived

2) keepalived.conf configuration

global_defs {
   notification_email {
       admin@example.com    # placeholder: mailbox keepalived notifies when a failover occurs
   }
   notification_email_from [email protected]   # sender address
   #smtp_server xxx.smtp.com
   #smtp_connect_timeout 30
   router_id LVS_MAIN      # identifier of the machine running keepalived
}
vrrp_instance VI_1 {
   state MASTER            # MASTER on the primary, BACKUP on the standby
   interface ens33         # network interface the instance is bound to
   virtual_router_id 51    # must be the same on master and backup
   priority 100            # the master's priority must be higher than the backup's
   advert_int 1            # VRRP advertisement interval between master and backup, in seconds
   authentication {        # authentication settings
       auth_type PASS
       auth_pass 123
   }
   virtual_ipaddress {     # VIP settings
       192.168.3.111
       192.168.3.112       # several virtual IPs can be listed
   }
}

3) Start keepalived: /etc/init.d/keepalived start

 

Session sharing solution: because every request first reaches the Nginx proxy, which then distributes it to one specific application server, session sharing becomes a problem. Options:

1. ip_hash: distribute requests to application servers according to the client IP

2. Do not use sessions; exchanging cookies instead avoids the problem, but lowers the site's security

3. Use a cookie together with a Redis cache (recommended: this approach scales out easily and the cache is fast) [covered later in the project]

For example: generate a UUID and use it as the key under which the user's information is stored in Redis, then write the UUID value to the client as a cookie; the cookie name can be a fixed value (a constant)

4. JWT

5. Storing sessions in the MySQL database is not recommended (it increases database I/O)

 

Nginx configuration of HTTPS

First, HTTPS introduction

1. HTTPS overview

HTTPS is made of two parts: HTTP + SSL/TLS, i.e. a layer that encrypts the information is added on top of HTTP. The data transmitted between the server and the client is encrypted by TLS, so the transport is encrypted.

2. HTTPS protocol principle

First the client establishes a connection with the server, and each side generates its own public key and private key, which differ. The server sends its public key to the client; the client encrypts what it wants to request with that public key, producing ciphertext, and sends it together with its own public key back to the server. The server decrypts the ciphertext with its private key, encrypts the response data with the client's public key and returns it to the client; the client decrypts the ciphertext with its own private key and presents the data.

Second, enabling the nginx ssl module

1. If nginx reports: the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:37
the cause is that nginx was built without http_ssl_module; add --with-http_ssl_module when compiling and installing.
2. If nginx is already installed and you want to add the module, see below:
1) Switch to the nginx source directory
cd /usr/local/src/nginx-1.11.3
2) See which modules nginx was originally built with
/usr/local/nginx/sbin/nginx -V
3) Reconfigure
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
4) Recompile; do not run make install, otherwise it overwrites the installed nginx
make
5) Back up the installed nginx binary
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
6) Copy the newly compiled nginx over the original (nginx must be stopped)
cp ./objs/nginx /usr/local/nginx/sbin/
You will be prompted whether to overwrite; enter yes (pressing Enter alone takes the default, which is not to overwrite)
7) Start nginx and check its modules; the new module has been added
/usr/local/nginx/sbin/nginx -V
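Step 3 above retypes the configure options by hand, so any module the installed binary already has but that is not on the new line is silently lost in the rebuilt binary. The following helper, an added example that is not from the original post, derives the new ./configure arguments from what `nginx -V` reports; the sample `nginx -V` output it carries is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the ./configure argument list from
# the "configure arguments:" line of `nginx -V`, keeping every existing option and
# appending only the requested ones that are missing (e.g. --with-http_ssl_module).

# Constructed sample of `nginx -V 2>&1` for a build that lacks http_ssl_module.
SAMPLE_V_OUTPUT='nginx version: nginx/1.11.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module'

# Read nginx -V output on stdin and print the value of its "configure arguments:" line.
existing_configure_args() {
    sed -n 's/^configure arguments: *//p'
}

# has_configure_arg "<nginx -V output>" --with-xxx_module
# Exit 0 if that option is already part of the existing build, 1 otherwise.
has_configure_arg() {
    have=$(printf '%s\n' "$1" | existing_configure_args)
    case " $have " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# rebuild_args "<nginx -V output>" --with-xxx_module [--with-yyy_module ...]
# Print the existing configure arguments followed by each requested option not yet present.
rebuild_args() {
    vout=$1
    shift
    args=$(printf '%s\n' "$vout" | existing_configure_args)
    for opt in "$@"; do
        if ! has_configure_arg "$vout" "$opt"; then
            args="${args:+$args }$opt"
        fi
    done
    printf '%s\n' "$args"
}

# Typical use on the server (not run here); nginx -V prints to stderr, hence 2>&1:
#   cd /usr/local/src/nginx-1.11.3
#   ./configure $(rebuild_args "$(/usr/local/nginx/sbin/nginx -V 2>&1)" --with-http_ssl_module)
```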

 

Third, generating the certificate and private key

Note: the generated files are usually placed in the nginx/conf/ssl directory.

1. Create the server key file server.key:
openssl genrsa -des3 -out server.key 1024
You are asked to enter and confirm a passphrase; choose your own, but remember it, it is needed later.

2. Create the server certificate request file server.csr:
openssl req -new -key server.key -out server.csr
Output:
Enter pass phrase for server.key: ← enter the passphrase created above
Country Name (2 letter code) [AU]: CN ← country code; for China enter CN
State or Province Name (full name) [Some-State]: BeiJing ← full name of the province, in pinyin
Locality Name (eg, city) []: BeiJing ← full name of the city, in pinyin
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Corp. ← company name in English
Organizational Unit Name (eg, section) []: ← may be left empty
Common Name (eg, YOUR name) []: ← may be left empty
Email Address []: [email protected] ← e-mail address, anything will do
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← may be left empty
An optional company name []: ← may be left empty

4. Back up the server key file:
cp server.key server.key.org

5. Remove the passphrase from the key file:
openssl rsa -in server.key.org -out server.key

6. Generate the server certificate file server.crt:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
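The steps above as a script that runs without prompts, followed by the check worth doing before nginx is pointed at the files: the certificate must carry the public key that belongs to server.key (a mix-up between -signkey and -out in step 6 is caught this way). This is an added example, not from the original post. It deliberately differs from the post in three places: a 2048-bit key instead of 1024 (1024-bit RSA is no longer accepted by browsers), -subj and -passout instead of interactive prompts, and CN set to the server_name used in the nginx configuration below; "changeit" is a placeholder passphrase.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1, 2, 4, 5, 6 above, non-interactive,
# plus a check that the certificate and private key belong together.
set -e

# make_self_signed [dir]  (default: ./ssl, matching nginx/conf/ssl in the post)
make_self_signed() {
    dir=${1:-ssl}
    mkdir -p "$dir"
    (
        cd "$dir"
        # 1. passphrase-protected server key (the post uses -des3; "changeit" is a placeholder)
        openssl genrsa -des3 -passout pass:changeit -out server.key 2048 2>/dev/null
        # 2. certificate signing request; subject fields supplied inline instead of prompting
        openssl req -new -key server.key -passin pass:changeit -out server.csr \
            -subj '/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./CN=www.daj.com' 2>/dev/null
        # 4. back up the key; 5. strip the passphrase so nginx can start unattended
        cp server.key server.key.org
        openssl rsa -in server.key.org -passin pass:changeit -out server.key 2>/dev/null
        # 6. self-signed certificate, 365 days (-signkey takes the key, -out the certificate)
        openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt 2>/dev/null
    )
}

# cert_matches_key server.crt server.key: exit 0 if both carry the same public key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null || true)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_subject server.crt: print the subject, to confirm CN equals nginx's server_name.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Typical use (not run here):
#   make_self_signed /usr/local/nginx/conf/ssl
#   cert_matches_key /usr/local/nginx/conf/ssl/server.crt /usr/local/nginx/conf/ssl/server.key && echo OK
```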









Fourth, the configuration file

proxyPort=443

redirectPort=443

server {
      # the default port is 80; with ssl, 443 is used (default 443 ssl)
      listen 443 default ssl;
      # "default" may be omitted
      # enable ssl; if this line is removed and "listen 443 ssl" is used instead, both http and https work on this port
      ssl on;
      # certificate (the public key, sent to the client)
      ssl_certificate ssl/server.crt;
      # private key
      ssl_certificate_key ssl/server.key;
      # the domain served by this server block
      server_name www.daj.com;
      location / {
          # do not rewrite redirects from the upstream
          proxy_redirect off;
          # proxy to the backend site
          proxy_pass https://www.gerry.com;
      }
}

     



Restart Nginx

 

Nginx process model

First, the process model

Nginx uses the classic multi-process model. After start-up, Nginx runs in the background as a daemon; the background processes consist of one master process and several worker processes, as shown below:

Figure 1 Nginx multi-process model

The master process mainly manages the worker processes and has four main functions: (1) receive signals from outside; (2) send signals to each worker process; (3) monitor the running state of the worker processes; (4) when a worker process exits (under abnormal conditions), automatically start a new worker process. The worker processes handle network events; they are independent of one another and compete equally for requests from clients. A request is processed in only one worker process, and the number of worker processes is usually set to the number of CPU cores of the machine.

Second, process control

Nginx process control is done mainly through the master process, in two ways: (1) Sending a signal manually. As Figure 1 shows, the master process receives signals and manages all the worker processes, so you can send a signal to the master process with kill, for example kill -HUP pid to tell Nginx to restart gracefully. A graceful restart means the service is not interrupted: after receiving the signal, the master process first reloads the configuration, then starts new worker processes to begin accepting new requests, and signals all the old worker processes to stop accepting new requests, finish the requests they are still processing, and then exit automatically. (2) Sending a signal automatically. You can start a new process with a parameter that sends the signal to the master process, for example ./nginx -s reload starts a new Nginx process from the command line; the new process parses the reload parameter and sends the signal to the master process (the new process does the manual signalling for us). Likewise, ./nginx -s stop stops Nginx.

Third, network events: Nginx handles network events asynchronously and without blocking

The master process first creates the sockets that need to listen, then forks several worker processes, so every worker process can accept on those sockets. When a client connection arrives, all the worker processes that are accepting are notified, but only one of them can accept successfully; the others fail. Nginx provides a shared lock, accept_mutex, to ensure that only one worker process is accepting connections at any moment, which solves the thundering-herd problem. Once a worker process has accepted the connection, it reads the request, parses it, processes it, produces the data, returns it to the client, and finally closes the connection; that completes one request.

 

Nginx configuration for a UDP/TCP proxy

1. Install the module

./configure --prefix=/usr/local/nginx  --with-stream  --with-http_stub_status_module

2. Configuration file

# partial nginx.conf configuration
# udp/tcp
stream {
  upstream backend {
      server 192.168.3.173:3306;
  }
  server {
      listen 8686;
      proxy_connect_timeout 8s;
      proxy_timeout 24h;   # proxy timeout
      proxy_pass backend;
  }
}

http {
   
}

 


Origin www.cnblogs.com/lm970585581/p/11074437.html