环境 阿里的ECS
注意在安全组开启相应端口
两个站点 a.exemple.cn b.exemple.cn
源码安装
yum update -y
yum -y install gcc gcc-c++ epel-release automake pcre pcre-devel zlib zlib-devel openssl openssl-devel gd gd-devel
groupadd nginx useradd nginx -g nginx -s /sbin/nologin -M cd /opt/ wget http://nginx.org/download/nginx-1.21.3.tar.gz tar -zxvf nginx-1.21.3.tar.gz
cd nginx-1.21.3
./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-http_image_filter_module
make && make install cd /usr/local/nginx/ ls cd sbin/ ls
启动
./nginx
查看版本信息 ./nginx -V
添加开机自启
vim /etc/rc.d/rc.local
/usr/local/nginx/sbin/nginx
chmod +x /etc/rc.d/rc.local
nginx.conf配置文件
user nobody; worker_processes auto; pid /run/nginx.pid; include /usr/share/nginx/modules/*.conf;
events { worker_connections 40960; } http { sendfile on; tcp_nopush on; tcp_nodelay on; resolver_timeout 30; keepalive_timeout 30; types_hash_max_size 2048; server_tokens off; server_names_hash_bucket_size 64; server_name_in_redirect off; include mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' ' $upstream_addr $upstream_response_time $request_time '; access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log; include ../conf.d/*.conf; gzip on; gzip_disable "msie6"; proxy_max_temp_file_size 0; proxy_connect_timeout 1; proxy_send_timeout 10; proxy_read_timeout 30; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; client_max_body_size 20m; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; limit_req_zone $http_x_forwarded_for zone=zl:10m rate=20r/s; proxy_cache_path /tmp/nginx levels=1:2 keys_zone=cache:100m max_size=1g inactive=7d; limit_req_status 429; }
nginx配置文件和SLB不能同时都加载证书
如果两个站点是同一个根域名,则只在A站点配置文件中加入SSL,B站点即使不加入SSL配置也是可以的
SLB挂载网站是按照后端ECS服务器上配置网站的域名来计算的,如果后端ECS上有两个根域名的网站比如 a.exemple-A.cn b.exemple-B.cn,则需要购买两个SLB实例
1、nginx加载https证书、SLB使用TCP模式监听端口 (直接使用单台ECS的nginx代理,不使用SLB,配置文件也是这样)
站点A
server {
listen 80;
server_name a.exemple.cn;
rewrite ^(.*)$ https://$host$1 permanent;
location / {
index index.html index.htm Agreement.html Privacy.html;
}
}
server {
listen 443 ;
server_name a.exemple.cn;
#allow 61.164.52.202; #(允许特定的IP可以访问)
#deny all; #(拒绝其他IP访问该网站)
ssl on;
index index.html index.htm Agreement.html Privacy.html;
ssl_certificate /home/web/ssl/xxxxx.pem;
ssl_certificate_key /home/web/ssl/xxxxx.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/a.exemple.cn.access.log main;
error_log /var/log/nginx/a.exemple.cn.error.log;
location / {
root /home/web/111/;
index index.html index.htm Agreement.html Privacy.html;
}
}
B站点
server { listen 80; server_name b.exemple.cn; rewrite ^(.*)$ https://$host$1 permanent; location / { index index.html index.htm Agreement.html Privacy.html; } } server { listen 443 ; server_name b.exemple.cn; ssl on; index index.html index.htm Agreement.html Privacy.html; ssl_certificate /home/web/ssl/xxxxx.pem; ssl_certificate_key /home/web/ssl/xxxxx.key; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; access_log /var/log/nginx/b.exemple.cn.access.log main; error_log /var/log/nginx/b.exemple.cn.error.log; location / { root /home/web/222/; index index.html index.htm Agreement.html Privacy.html; } }
2、nginx配置文件不加载ssl证书,SLB使用http和https模式监听端口,SLB实现强制跳转
a站点
server {
listen 80;
server_name phoneh5;
access_log /var/log/nginx/a.exampel.access.log main;
error_log /var/log/nginx/a.example.error.log;
location / {
root /home/web/111/;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /home/web/111/;
}
}
b站点
server {
listen 80;
server_name phoneh5;
access_log /var/log/nginx/b.example.access.log main;
error_log /var/log/nginx/b.example.error.log;
location / {
root /home/web/222/;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /home/web/222/;
}
}
SLB配置实现:
1、443监听配置nginx服务器的80端口
2、访问SLB的80端口(即访问网站自动跳转https)
如果站点是IIS
前端负载均衡已经用https 443 了后端就不要用443 了。用80就可以了。证书推送到负载均衡。
操作步骤
-
确保后端服务器上没有针对100.64.0.0/10地址段进行任何形式的屏蔽,包括iptables或其他任何第三方防火墙/安全策略软件。
负载均衡SLB通过100.64.0.0/10内部保留地址段中的IP地址与后端服务器通信,如被屏蔽则会导致健康检查异常,负载均衡无法正常工作。
-
从后端服务器本地发起访问,确保后端服务器上的HTTP服务正常工作。
-
登录负载均衡控制台,在监听实例详情页中,查看健康检查配置。
本次示例使用HTTP监听,出现健康检查异常的后端服务器内网IP为10.0.0.2,其他健康检查配置信息如下:
- 健康检查端口:80
- www.slb-test.com
- /test.html
-
curl命令对后端服务器上的HTTP服务进行探测,健康检查路径、健康检查端口和健康检查域名配置必须与后端服务器上配置保持一致,否则会产生健康检查异常。
nc命令为例,请根据实际情况配置健康检查路径、健康检查域名、健康检查内网地址和健康检查端口:
80- 2xx/3xx返回码,如下图所示。
- nc命令后,得到404错误码,该错误码与负载均衡SLB监听中设置的2xx或者3xx状态码不符,此时会出现健康检查异常结果,如下图所示。
端口转发配置:
upstream xx.midust.com{
server 192.168.1.1xx:8081 max_fails=2 fail_timeout=2s;
keepalive 300;
}server {
listen 80;
server_name xx.midust.com;
location / {
proxy_pass http://xx.midust.com;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}多端口转发
80端口转发192.168.1.213:4999 端口 192.168.1.51:9527端口
upstream docs.xxx.com{ server 192.168.1.213:4999 max_fails=0 fail_timeout=0s weight=3; keepalive 300; } upstream datax.xxxxxx.com{ server 192.168.1.51:9527 max_fails=0 fail_timeout=0s weight=3; keepalive 300; } server { listen 80; server_name docs.xxx.com; access_log /var/log/nginx/docs.xxx.com.access.log; error_log /var/log/nginx/docs.xxx.com.error.log; # Load configuration files for the default server block. #include /etc/nginx/default.d/*.conf; location / { proxy_pass http://docs.xxx.com; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for; proxy_redirect default; proxy_http_version 1.1; proxy_set_header Connection ""; } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } server { listen 80; server_name datax.xxxxxx.com; access_log /var/log/nginx/datax.xxxxxx.com.access.log; error_log /var/log/nginx/datax.xxxxxx.com.error.log; # Load configuration files for the default server block. location / { proxy_pass http://datax.xxxxxx.com; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for; proxy_redirect default; proxy_http_version 1.1; proxy_set_header Connection ""; } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } }
upstream xxx.whenchat.com{
server 172.16.xxx.xxx:8080 max_fails=2 fail_timeout=2s; keepalive 300; } server { listen 80; server_name xxx.whenchat.com; # 自行修改成你的域名 return 301 https://$server_name$request_uri; } server { listen 443 ssl; server_name xxx.whenchat.com; # 自行修改成你的域名 ssl_certificate /home/ssl/02__whenchat.com.pem; # 自行设置证书 ssl_certificate_key /home/ssl/02__whenchat.com.key; # 自行设置证书 ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; allow 61.164.52.xx; deny all; location / { proxy_pass http://xxx.whenchat.com; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } - 2xx/3xx返回码,如下图所示。
-
curl命令对后端服务器上的HTTP服务进行探测,健康检查路径、健康检查端口和健康检查域名配置必须与后端服务器上配置保持一致,否则会产生健康检查异常。
-
登录负载均衡控制台,在监听实例详情页中,查看健康检查配置。
