Nginx load balancing
Load balancing is an essential part of today's common web architectures: it keeps a site available when a single server fails and keeps response times acceptable for users. When Nginx acts as a load balancer, the client-facing side can serve http and https; the backend side in this tutorial is plain http. (Nginx can also proxy to https backends with proxy_pass https://..., and since version 1.9.0 the stream module can proxy raw TCP, but neither is used here.)

LNMP architecture (5): Nginx load balancing, SSL principles, generating an SSL key pair, configuring SSL in Nginx

1. Create the load-balancing configuration
First find the addresses that will serve as backends. For this demo the two A records of qq.com are used, looked up with dig (from the bind-utils package):
[[email protected] ~]# yum install -y bind-utils
[[email protected] ~]# dig qq.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9431
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com. IN A

;; ANSWER SECTION:
qq.com. 23 IN A 111.161.64.40
qq.com. 23 IN A 111.161.64.48

;; Query time: 0 msec
;; SERVER: 100.100.2.136#53(100.100.2.136)
;; WHEN: Wed Jun 13 01:59:00 CST 2018
;; MSG SIZE  rcvd: 67

[[email protected] ~]# vim /usr/local/nginx/conf/vhost/load.conf
Create the load-balancing config with the following content (the # comments are explanations; nginx ignores them, so they may stay in the file):
upstream qq                    # defines the backend pool; "qq" is the name of this upstream block
{
    ip_hash;                   # pin each client to the same backend (the hash key is the first three octets of the client's IPv4 address, so clients behind one NAT share a backend)
    server 111.161.64.40:80;   # the two backend web servers
    server 111.161.64.48:80;
}
server
{
    listen 80;                 # listening port
    server_name www.qq.com;    # virtual host name
    location /                 # everything under /
    {
        proxy_pass      http://qq;   # must reference the upstream name and must carry the http:// scheme; the server lines inside the upstream block never take a scheme
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # appends $remote_addr to any X-Forwarded-For the client already sent, so backends must trust only the last (rightmost) entry
    }
}
2. Test whether load balancing works:
Before reloading nginx:
[[email protected] ~]# curl -x127.0.0.1:80 www.qq.com
this is a test!        # answered by the default virtual host, because the new vhost file has not been loaded yet
[[email protected] ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected]liyun ~]# /usr/local/nginx/sbin/nginx -s reload  
After the reload, request again:
[[email protected] ~]# curl -x127.0.0.1:80 www.qq.com
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta content="text/html; charset=gb2312" http-equiv="Content-Type">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="baidu-site-verification" content="cNitg6enc2">
<title>(gb2312-encoded title, rendered as mojibake in a UTF-8 terminal)</title>
(remainder of the qq.com homepage omitted)
The response now comes from the qq.com backends, so requests for www.qq.com are being proxied through the upstream.
SSL principles
The files produced in the next section play three roles. The private key (testprivate.key) stays on the server and must never leave it. The certificate signing request (test.csr) carries the public key plus the subject fields (country, organization, Common Name) and is what you would send to a certificate authority (CA); here it is signed with our own private key instead, which yields a self-signed certificate (testpublic.crt). During the TLS handshake the server presents that certificate, the client checks it against the CAs it trusts and against the hostname it connected to, and the two sides then derive the session keys; the private key is what proves the server actually owns the certificate. A self-signed certificate passes none of the CA checks, which is why curl and browsers reject it at the end of this page.

Generate the SSL key pair

[[email protected] ~]# cd /usr/local/nginx/conf
[[email protected] conf]# openssl genrsa -des3 -out tmp.key 2048   # generate a temporary 2048-bit RSA private key, encrypted with 3DES under a passphrase
Generating RSA private key, 2048 bit long modulus
...............+++
............+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:     # choose a passphrase for the temporary key
140415873787808:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters        # a passphrase shorter than 4 characters is rejected and you are prompted again
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[[email protected] conf]# openssl rsa -in tmp.key -out testprivate.key   # write an unencrypted copy of the key; nginx can load it without a passphrase prompt
Enter pass phrase for tmp.key:     # enter the passphrase chosen above
writing RSA key
Listing the conf directory now shows both tmp.key and testprivate.key:
fastcgi.conf          fastcgi_params          htpasswd  koi-win     mime.types.default  nginx.conf.bak      scgi_params         tmp.key       uwsgi_params.default  win-utf
testprivate.key        fastcgi.conf.default  fastcgi_params.default  koi-utf   mime.types  nginx.conf          nginx.conf.default  scgi_params.default  uwsgi_params  vhost
[[email protected] conf]#  rm -f tmp.key                                                 # remove the temporary encrypted key
The detour through an encrypted key buys nothing here (openssl genrsa -out testprivate.key 2048 produces the same unencrypted key in one step). What does matter is that the unencrypted key is now protected only by file permissions: make it readable by root alone (chmod 600 testprivate.key), since nginx reads it as root at startup.
[[email protected] conf]# openssl req -new -key testprivate.key -out test.csr   # generate a certificate signing request (CSR)
                                                                                        # the CSR is what gets signed (below, with our own key) to produce the certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    # fill in the subject fields
State or Province Name (full name) []:GuangDong 
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:TEST 
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:test    # should be the hostname clients will use (test.com); "test" will not pass hostname verification
Email Address []:@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test123    # legacy CSR attributes; both may be left blank
An optional company name []:test
[[email protected] conf]# openssl x509 -req -days 365 -in test.csr -signkey testprivate.key -out testpublic.crt              # self-sign the CSR with the private key, producing a certificate valid for 365 days
Signature ok
subject=/C=CN/ST=GuangDong/L=ShenZhen/O=TEST/OU=IT/CN=test/[email protected]
Getting Private key          # test.csr: certificate request   testprivate.key: private key   testpublic.crt: self-signed certificate (it contains the public key, but is a full X.509 certificate, not a bare key)
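The three commands above can be collapsed into one, and the result should be checked before it is handed to nginx. The script below is an added example, not part of the original tutorial: it creates an unencrypted key and a self-signed certificate in a single openssl call, adds a subjectAltName (which is what curl and browsers match the hostname against; the Common Name alone no longer suffices), keeps the key owner-only, and then verifies that the certificate really belongs to the key. The hostname test.com and the output directory are arguments; the subject fields reuse the page's values.

```shell
#!/bin/sh
# Added example: one-step self-signed certificate for nginx, with checks.
# Nothing here reuses the page's tmp.key / test.csr files.

# gen_selfsigned HOST OUTDIR : unencrypted RSA key + self-signed cert with a SAN
gen_selfsigned() {
    host=$1; out=$2
    cfg="$out/$host.cnf"
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
C  = CN
ST = GuangDong
L  = ShenZhen
O  = TEST
CN = $host
[v3]
# clients match the name they connected to against the SAN, not the CN
subjectAltName   = DNS:$host, DNS:www.$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes: no passphrase, so nginx can start unattended; the file mode is the
    # protection, hence umask 077 in a subshell so the key is never world-readable
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$out/$host.key" -out "$out/$host.crt" -config "$cfg" 2>/dev/null)
    chmod 600 "$out/$host.key"
}

# key_matches_cert KEY CRT : the public key inside the cert must derive from KEY
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_san CRT : print the subjectAltName line, e.g. "DNS:test.com, DNS:www.test.com"
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -1 | sed 's/^ *//'
}

# key_is_private KEY : no group/other permission bits on the private key file
key_is_private() {
    case $(ls -l "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

if [ "$#" -eq 2 ]; then
    gen_selfsigned "$1" "$2" \
        && key_matches_cert "$2/$1.key" "$2/$1.crt" \
        && key_is_private "$2/$1.key" \
        && echo "ok: $(cert_san "$2/$1.crt")"
fi
```

Run `sh gencert.sh test.com /usr/local/nginx/conf` to get test.com.key and test.com.crt in place of testprivate.key and testpublic.crt; key_matches_cert is the check to run again after any renewal, because a certificate copied from elsewhere silently fails the handshake when it does not match the key nginx loads.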

Configure SSL in Nginx
1. Create the SSL vhost configuration
[[email protected] conf]# vim /usr/local/nginx/conf/vhost/ssl.conf

Add the following content:

server
{
    listen 443;
    server_name test.com;
    index index.html index.php;
    root /data/wwwroot/test.com;
    ssl on;    # obsolete since nginx 1.15.0 (a warning there, removed in 1.25.1); current versions use "listen 443 ssl;" instead
    ssl_certificate testpublic.crt;        # relative paths are resolved against the conf directory (/usr/local/nginx/conf)
    ssl_certificate_key testprivate.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLS 1.0 and 1.1 are deprecated (RFC 8996); in production allow only TLSv1.2 and TLSv1.3
}


2. Test whether SSL works:
[[email protected] conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
"unknown directive" means this nginx binary was built without the SSL module. Rebuild it with --with-http_ssl_module, repeating any other configure options the original build used (otherwise those modules are lost):
[[email protected] conf]# cd /usr/local/src/nginx-1.14.0
[[email protected] nginx-1.14.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[[email protected] nginx-1.14.0]# make && make install
[[email protected] nginx-1.14.0]# echo $?
0
make install replaced the binary, so a full restart is needed (a reload would keep the old binary running):
[[email protected] conf]# service nginx restart
[[email protected] conf]#  /usr/local/nginx/sbin/nginx -t
[[email protected] conf]# netstat -lntp
Check that port 443 is now listening:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      12839/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1410/sshd          
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      12839/nginx: master
tcp6       0      0 :::3306                 :::*                    LISTEN      12773/mysqld       

[[email protected] conf]# curl https://www.test.com     # the name must resolve to this server: add a hosts entry (the server's /etc/hosts here, or a Windows client's hosts file when testing from a browser)
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

HTTPS itself works; what fails is only the verification step, because a self-signed certificate is not issued by any CA that curl or the browsers trust. Note that a trusted CA alone would not fix this request either: the certificate's Common Name is "test" while the URL is www.test.com, so the hostname check would also fail. Use curl -k only for a quick look; disabling verification hides exactly the errors that matter, and the certificate can instead be pinned as the trust anchor with --cacert testpublic.crt.
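Putting the SSL section together, here is an added example (not from the original tutorial) of ssl.conf written the way a current nginx expects it, with an http-to-https redirect, TLS 1.2/1.3 only and HSTS, plus two checks that replace curl -k: a curl call that pins the self-signed certificate as its CA and an openssl s_client probe that shows the negotiated protocol. The has_weak_tls function flags the two settings from the original ssl.conf that should not survive into production. The cipher list and the regular expression are this example's choices; paths and the host name are the page's.

```shell
#!/bin/sh
# Added example: hardened https vhost for nginx plus verification helpers.

# render_ssl_conf HOST DOCROOT CRT KEY : https vhost with an http->https redirect
render_ssl_conf() {
    cat <<EOF
server {
    listen 80;
    server_name $1;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;                        # replaces the obsolete "ssl on;"
    server_name $1;
    root $2;
    index index.html index.php;
    ssl_certificate     $3;
    ssl_certificate_key $4;
    ssl_protocols TLSv1.2 TLSv1.3;         # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1+
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # tell browsers to stay on https for a year once they have seen the site over TLS
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# has_weak_tls : reads a config on stdin; succeeds if it uses "ssl on" or enables TLS 1.0/1.1
has_weak_tls() {
    grep -Eq '(^|[[:space:]])(ssl[[:space:]]+on;|ssl_protocols[^;]*TLSv1(\.1)?([[:space:];]|$))'
}

# check_https HOST CRT : verify the server with its own certificate pinned as the
# trust anchor (valid for a self-signed cert) instead of disabling verification
check_https() {
    curl -sS -o /dev/null -w '%{http_code}\n' --cacert "$2" --resolve "$1:443:127.0.0.1" "https://$1/"
}

# tls_probe HOST CRT : show the negotiated protocol and the verification result
tls_probe() {
    printf '' | openssl s_client -connect 127.0.0.1:443 -servername "$1" -CAfile "$2" 2>/dev/null \
        | grep -E '^ *(Protocol|Verify return code)'
}

if [ "$#" -eq 1 ]; then
    render_ssl_conf "$1" "/data/wwwroot/$1" testpublic.crt testprivate.key > /usr/local/nginx/conf/vhost/ssl.conf
    /usr/local/nginx/sbin/nginx -t \
        && /usr/local/nginx/sbin/nginx -s reload \
        && check_https "$1" /usr/local/nginx/conf/testpublic.crt \
        && tls_probe "$1" /usr/local/nginx/conf/testpublic.crt
fi
```

`sh ssl.sh test.com` writes the vhost, reloads nginx and prints the HTTP status from the pinned curl call followed by the `Protocol` and `Verify return code` lines from s_client. The --resolve option makes curl connect to 127.0.0.1 while still sending and checking the name test.com, so no hosts-file edit is needed; the check only passes if the certificate carries that name in its SAN, which the page's CN=test certificate does not.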
