Nginx topics (four) ----- https, nginx availability

Public and private keys

Concept

Interaction process

The browser encrypts the data with the public key and then sends it. Content encrypted with the public key can only be read by whoever holds the private key (the nginx server).

Configuring https in nginx

To configure https in nginx you need two things (normally purchased): a key, the private key, which exists only on the nginx server; and a certificate, carrying the public key, which the browser downloads.

Creating the server private key and certificate yourself ----- for testing only; a production environment does not use a self-made certificate

Enter the directory /etc/nginx/conf.d/; the generated certificate will be placed here.

1, create the server private key (the command will ask you for a password):

openssl genrsa -des3 -out server.key 1024

2, create a certificate signing request (CSR):

openssl req -new -key server.key -out server.csr

3, remove the password from the private key, because nginx cannot prompt for it when it loads the key for SSL support:

openssl rsa -in server.key -out server_nopass.key

4, finally, sign the CSR with the private key to produce the certificate:

openssl x509 -req -days 365 -in server.csr -signkey server_nopass.key -out server.crt
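Added example, not from the original post: the four openssl steps above as one non-interactive shell function, plus a check that the certificate and key really form a pair. It deliberately departs from the post's commands (2048-bit key instead of 1024, no -des3 passphrase so the post's step 3 is unnecessary, SHA-256 signature); the directory, common name and validity are parameters, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: the four openssl steps above as
# one non-interactive function, then a check that the certificate and the key
# are a pair. Deliberate differences from the post: 2048-bit key instead of
# 1024, no -des3 passphrase (so the post's step 3 is not needed) and a SHA-256
# signature. DIR, CN and DAYS are parameters, not values from the post.
make_selfsigned() {
    dir="$1"; cn="$2"; days="${3:-365}"
    mkdir -p "$dir" || return 1
    # 1. private key, written unencrypted because nginx cannot prompt for a passphrase
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    # 2. certificate signing request; -subj supplies the subject non-interactively
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    # 4. self-sign the CSR with the same private key
    openssl x509 -req -days "$days" -sha256 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    # the key is a secret: only the owner may read it
    chmod 600 "$dir/server.key"
}

# cert_matches_key CRT KEY: succeeds only when the public key embedded in the
# certificate equals the public key derived from the private key, i.e. when the
# two files can be used together as ssl_certificate and ssl_certificate_key
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_still_valid CRT [DAYS]: succeeds when the certificate does not expire
# within DAYS (default 30); useful as a periodic check before renewal
cert_still_valid() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}
```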

Environment requirements

First check the nginx version information with the command:

nginx -V

If the output contains --with-http_ssl_module, the https module is installed. Otherwise, reinstall nginx with that module.

Configuration

server {
    listen        443 ssl;
    server_name   sales.enjoy.com;

    ssl_certificate          /etc/nginx/conf.d/server.crt;         # certificate
    ssl_certificate_key      /etc/nginx/conf.d/server_nopass.key;  # private key (the passphrase-free copy)

    # reflect the Origin only when it is enjoy.com or one of its subdomains
    # (anchored, dots escaped, so unrelated hosts do not match)
    set $allow_url "";
    if ($http_origin ~ "^https?://(.*\.)?enjoy\.com$") {
        set $allow_url $http_origin;
    }
    # whether the request may carry credentials (cookies, authorization)
    add_header Access-Control-Allow-Credentials true;
    # origin allowed for cross-domain access: a single origin, or * (not usable together with credentials)
    add_header Access-Control-Allow-Origin $allow_url;
    # request headers a script is allowed to send
    add_header Access-Control-Allow-Headers 'X-Requested-With,Content-Type,Cache-Control,Pragma,Date,X-Timestamp';
    # request methods allowed, comma separated
    add_header Access-Control-Allow-Methods 'POST,GET,OPTIONS,PUT,DELETE';
    # response headers a script is allowed to read, comma separated, case-insensitive
    add_header Access-Control-Expose-Headers 'WWW-Authenticate,Server-Authorization';
    # P3P, to support cross-domain cookie operations
    add_header P3P 'policyref="/w3c/p3p.xml", CP="NOI DSP BUS PSAa OUR ONL UNI IND COM NAV INT LOC"';
    add_header Test 1;

    if ($request_method = 'OPTIONS') {
        return 204;
    }

    location / {
        root   html/sales;
        index  welcome.html;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}
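Added example, not from the original post: the Origin test that the `if ($http_origin ~ ...)` line performs, replayed in shell with grep -E standing in for nginx's PCRE match, once with the expression as the post writes it and once with an anchored pattern; the origins used are constructed for the test.

```shell
#!/bin/sh
# Added example, not from the original post: the Origin test that the
# `if ($http_origin ~ ...)` line performs, replayed with grep -E standing in
# for nginx's PCRE match. PAGE_PATTERN is the expression as the post writes it;
# STRICT_PATTERN is anchored and escapes the dots, so only enjoy.com and its
# subdomains are accepted. The origins used below are constructed.
PAGE_PATTERN='http://(.*).enjoy.com'
STRICT_PATTERN='^https?://([a-z0-9-]+\.)*enjoy\.com$'

# origin_matches PATTERN ORIGIN: succeeds when nginx's `~` test would succeed
origin_matches() {
    printf '%s\n' "$2" | grep -Eq "$1"
}

# allow_origin_header ORIGIN: prints the Access-Control-Allow-Origin value the
# server block would send under STRICT_PATTERN. An empty result mirrors nginx,
# which omits add_header entirely when $allow_url is empty.
allow_origin_header() {
    if origin_matches "$STRICT_PATTERN" "$1"; then
        printf '%s' "$1"
    fi
}

# Two things the page pattern gets wrong, visible by running the functions:
# an unrelated host such as http://notenjoy.com is reflected, because the
# unescaped dot matches the "t" in "not"; and the site's own https origin
# https://sales.enjoy.com is rejected, because the pattern demands "http://".
```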

Run

https access now works, but the browser warns that the certificate is not trusted, because it was not issued by a certificate authority; a normal certificate has to be bought.

Redirect http to https

server {
    listen        80;
    server_name   sales.enjoy.com;
    rewrite ^/ https://sales.enjoy.com redirect;

    # reflect the Origin only when it is enjoy.com or one of its subdomains
    set $allow_url "";
    if ($http_origin ~ "^https?://(.*\.)?enjoy\.com$") {
        set $allow_url $http_origin;
    }
    # whether the request may carry credentials (cookies, authorization)
    add_header Access-Control-Allow-Credentials true;
    # origin allowed for cross-domain access: a single origin, or * (not usable together with credentials)
    add_header Access-Control-Allow-Origin $allow_url;
    # request headers a script is allowed to send
    add_header Access-Control-Allow-Headers 'X-Requested-With,Content-Type,Cache-Control,Pragma,Date,X-Timestamp';
    # request methods allowed, comma separated
    add_header Access-Control-Allow-Methods 'POST,GET,OPTIONS,PUT,DELETE';
    # response headers a script is allowed to read, comma separated, case-insensitive
    add_header Access-Control-Expose-Headers 'WWW-Authenticate,Server-Authorization';
    # P3P, to support cross-domain cookie operations
    add_header P3P 'policyref="/w3c/p3p.xml", CP="NOI DSP BUS PSAa OUR ONL UNI IND COM NAV INT LOC"';
    add_header Test 1;

    if ($request_method = 'OPTIONS') {
        return 204;
    }

    location / {
        root   html/sales;
        index  welcome.html;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}

Note: on an https page, an ajax request to a plain http address will fail (reason: the browser treats it as less secure).

Visiting an http domain from an https domain gives an error.

nginx availability

Problem

The idea for making tomcat highly available with nginx is to put a layer of nginx load balancing in front of it. With this practice there is always a front load layer that can itself go down; putting yet another layer in front of it only repeats the problem, without end.

Solution

Solve it with keepalived, following the lvs idea.

keepalived idea:

The two machines use virtual router software to produce a virtual gateway IP, the vip; this vip is negotiated between the two machines. When one machine goes down, the other machine takes over the vip. This guarantees that as long as both machines are not down at the same time, the vip is there.

Note: keepalived can only be applied between two machines

keepalived download, installation, configuration

Download

Download: https://pan.baidu.com/s/1G7sLL-YkZGSMu8G76yz1Rw Password: adbw ----- this corresponds to CentOS 6 systems; other systems need a different version.

Installation

1、

./configure --prefix=/data/program/keepalived --sysconf=/etc   ## because keepalived reads /etc/keepalived/keepalived.conf by default when it starts

2、

make && make install

Configuration

Open /etc/keepalived/keepalived.conf; only the following paragraph needs to be configured (delete the other, redundant configuration).

Restart

View the network card with the system command ip addr

On the card eth0 there are two IPs: 244.3 is the real IP, 244.200 is the virtual vip.

The above is the configuration of the master host. Then repeat the download and installation steps on the other machine and configure it as the standby. The configurations of the two machines differ in only two settings:

state BACKUP        # the role keepalived plays: MASTER for the main machine, BACKUP for the standby
priority 100        # priority; the larger the value, the higher the priority for handling requests. The standby gets the smaller value

Test the standby keepalived

Under normal circumstances the vip does not appear on the standby machine, 244.4 (upper part of the figure). If we now kill keepalived on the master host, the vip appears on the standby machine (lower half of the figure).

After keepalived on the master host is restarted, the vip (.200) disappears from the standby machine, as in the figure.

Summary

Keepalived high-availability architecture diagram

Using keepalived to monitor nginx

Edit a monitoring sh script:

#!/bin/bash
A=$(ps -C nginx --no-header | wc -l)
if [ "$A" -eq 0 ]; then
    /usr/local/nginx/sbin/nginx        # nginx is not running: start it again
    sleep 2                            # give nginx a moment to come up before checking again
    if [ "$(ps -C nginx --no-header | wc -l)" -eq 0 ]; then   # restart failed: stop keepalived so the VIP moves
        killall keepalived             # with keepalived dead, the vip roams to the other machine
    fi
fi

Add the following two configuration items to the configuration file:
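The post's keepalived.conf, and the two items it adds here, were only shown as images. As an added example that is not the post's own configuration, the shell function below writes a minimal keepalived.conf for either machine; the only inputs that differ between master and standby are the two settings named above, state and priority, and it wires in the monitor script through a vrrp_script plus track_script. Assumed values not given on the page: the script path /etc/keepalived/nginx_check.sh, interface eth0 (from the post's ip addr output), the VIP 192.168.244.200 (the post only shows 244.200, so 192.168 is a placeholder), virtual_router_id 51 and the auth_pass.

```shell
#!/bin/sh
# Added example, not the post's own configuration: write a minimal
# /etc/keepalived/keepalived.conf for one of the two machines. Assumed
# values (not given on the page): script path, interface eth0, VIP
# 192.168.244.200 (192.168 is a placeholder; the post shows only 244.200),
# virtual_router_id 51 and the auth_pass.
write_keepalived_conf() {
    role="$1"       # MASTER on the main machine, BACKUP on the standby
    priority="$2"   # larger value wins the VIP; the standby gets the smaller value
    out="$3"        # normally /etc/keepalived/keepalived.conf
    case "$role" in
        MASTER|BACKUP) ;;
        *) echo "role must be MASTER or BACKUP" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
! keepalived.conf written by write_keepalived_conf (example)

# item 1: the nginx monitor script from the post, run every 2 seconds
vrrp_script chk_nginx {
    script "/etc/keepalived/nginx_check.sh"
    interval 2
    weight -20      # a non-zero exit lowers this node's priority by 20
}

vrrp_instance VI_1 {
    state $role
    interface eth0
    virtual_router_id 51
    priority $priority
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass CHANGEME   # placeholder, at most 8 characters; sent in clear, only separates VRRP groups
    }
    virtual_ipaddress {
        192.168.244.200
    }
    # item 2: make the instance track the script above
    track_script {
        chk_nginx
    }
}
EOF
}
```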


Restart keepalived and test the monitoring; the operation is shown below:

Test result: nginx dies


Origin www.cnblogs.com/alimayun/p/12445668.html