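I. Nginx load balancing
Load balancing means the proxy server distributes the requests it receives evenly across the backend servers.
1. Edit the virtual host configuration file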
vim /usr/local/nginx/conf/vhost/ld.conf
2. Add the following to the configuration file
upstream qq_com
{
    ip_hash;
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq_com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
ip_hash keeps the same user on the same backend server at all times; the server is chosen from the client's IP address.
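II. SSL workflow
III. Generating an SSL key pair
1. Enter the Nginx configuration directory
cd /usr/local/nginx/conf
2. Run the command to generate the private key
openssl genrsa -des3 -out tmp.key 2048
3. Convert the key to remove the passphrase
openssl rsa -in tmp.key -out test.key
4. The original key can now be deleted
rm -f tmp.key
5. Generate the certificate signing request (CSR) file; this file is used together with the private key to produce the public key file
openssl req -new -key test.key -out test.csr
6. Generate the public key file; test.crt here is the public key, issued as a self-signed certificate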
openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
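The script below is an added example, not part of the original tutorial. It checks that the certificate from step 6 carries the public key of the key from step 3, that the passphrase-free key is not readable by other users, and that the certificate is not about to expire. The function names and the script name are assumptions; the file names follow the steps above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Usage: sh check_tls_files.sh test.key test.crt   (script name is hypothetical)

# Succeeds only if the certificate carries the public key of the private key.
# Returns 2 if either file cannot be read (missing, malformed, still encrypted).
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Succeeds only if group and others have no access to the key file.
# Step 3 strips the passphrase, so file permissions are its only protection.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all three checks and report; returns the number of failed checks.
check_tls_files() {
    failed=0
    pair_matches "$1" "$2" ||
        { echo "FAIL: $2 does not contain the public key of $1"; failed=$((failed + 1)); }
    key_is_private "$1" ||
        { echo "FAIL: $1 is accessible to group/others (chmod 600 $1)"; failed=$((failed + 1)); }
    cert_valid_for_days "$2" 30 ||
        { echo "FAIL: $2 expires within 30 days"; failed=$((failed + 1)); }
    [ "$failed" -eq 0 ] && echo "OK: $1 and $2 are a usable pair"
    return "$failed"
}

if [ "$#" -eq 2 ]; then
    check_tls_files "$1" "$2"
fi
```

Running it before nginx -t catches a certificate/key mismatch in the server block without waiting for Nginx to refuse to start.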
IV. Configuring SSL in Nginx
1. Create a new virtual host configuration file
vim /usr/local/nginx/conf/vhost/ssl.conf
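2. Add the following to the configuration file
server
{
    listen 443;
    server_name lx.com;                   # assumed from the site directory created in step 3
    index index.html index.php;
    root /data/wwwroot/lx.com;            # assumed: the site directory created in step 3
    ssl on;
    ssl_certificate test.crt;             # relative paths resolve against /usr/local/nginx/conf
    ssl_certificate_key test.key;         # the passphrase-free key generated in section III
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); list them only if legacy clients need them
}
3. Create the website directory
mkdir /data/wwwroot/lx.com
4. Check the configuration file for errors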
[root@localhost ~]# /usr/local/nginx/sbin/nginx -t
If the following error appears, the SSL module is not installed, and Nginx has to be recompiled and reinstalled
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
5. Enter the Nginx source directory
cd /usr/local/src/nginx-1.12.1/
6. Rebuild and install Nginx with ssl_module
./configure --prefix=/usr/local/nginx --with-http_ssl_module
make
make install
7. After the installation finishes, check the configuration file for errors again
/usr/local/nginx/sbin/nginx -t
8. If there are no errors, restart the Nginx service
/etc/init.d/nginx restart
9. Check that port 443 is listening
netstat -lntp
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4128/nginx: master # this line means the port is listening normally
10. Create a test page in the website directory; any content will do
vim /data/wwwroot/lx.com/index.html
11. Test access. Because test.crt is self-signed, curl reports that the certificate issuer is not trusted:
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here:
http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.