1. Nginx load balancing
Nginx load balancing means that nginx acts as a reverse proxy for a domain name and, through the upstream module, forwards each request to one of several backend IPs, so that clients reach every backend normally through the proxy. Reverse-proxying multiple servers in this way is what is meant by load balancing.
1.1 Load balancing configuration parameters
[root@host ~]# vim /usr/local/nginx/conf/vhost/load.conf
upstream qq {                        # custom upstream name, referenced by proxy_pass below
    ip_hash;                         # hash the client address so the same client always lands on the same backend
                                     # (this also keeps one client on one backend when the domain resolves to several IPs)
    server 61.135.157.156:80;        # the IPs of the web servers
    server 125.39.240.113:80;
}
server {
    listen 80;
    server_name www.qq.com;
    location / {
        proxy_pass http://qq;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Two points about this file. In nginx configuration a # comment runs to the end of the line, so the opening brace must come before the comment (upstream qq { # ...); if the brace follows the comment it is commented out and nginx -t fails. And $proxy_add_x_forwarded_for appends the client address to whatever X-Forwarded-For header the client already sent, so the backends must take the client IP from the last entry (the one this proxy added) or from X-Real-IP, never from the first entry, which is under the client's control.
1.2 Verification
Before the proxy is configured
[root@host ~]# curl -x127.0.0.1:80 www.qq.com
This is the default directory.
# Without the proxy configuration, the request is served by the default virtual host.
After the proxy is configured
[root@host ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@host ~]# /usr/local/nginx/sbin/nginx -s reload
[root@host ~]# curl -x127.0.0.1:80 www.qq.com
……
# With the proxy in place, the response is the page served by the backend IP the proxy selected.
1.3 The dig command
dig is a standard DNS lookup tool; it lists every A record (IP) that a domain name resolves to.
If the command is not installed on the server:
[root@host ~]# yum install -y bind-utils
Resolve all the IPs of www.qq.com:
[root@host ~]# dig www.qq.com
;; ANSWER SECTION:
www.qq.com.             138     IN      A       61.135.157.156
www.qq.com.             138     IN      A       125.39.240.113

;; Query time: 12 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: Feb 12 22:44:23 CST 2017
;; MSG SIZE  rcvd: 61
2. SSL principles
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide confidentiality and data integrity for network communication.
2.1 HTTP, HTTPS, TCP
- HTTP (HyperText Transfer Protocol) is the most widely used application protocol on the Internet.
- HTTPS (HTTP over SSL/TLS; the full name is usually given as Hyper Text Transfer Protocol over Secure Socket Layer) is simply HTTP carried inside an encrypted SSL/TLS session.
- The default port of HTTP is 80; the default port of HTTPS is 443.
- TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream transport-layer protocol. TCP itself has no default port; ports such as 80 and 443 belong to the application protocol running on top of it.
- HTTP is an application-layer protocol and TCP is the transport layer: HTTP hands its text to TCP for delivery, and HTTP only defines how the bytes that TCP delivers are to be interpreted. With HTTPS, TLS sits between the two and encrypts the HTTP bytes before TCP carries them.
2.2 SSL workflow
- The browser sends an HTTPS request to the server.
- The server holds a certificate and the matching private key. The certificate can be made by the server's owner (section 3 below follows Amin's self-signed example) or issued by a certificate authority (CA). A self-made certificate is not trusted by the client, so the browser shows a warning page that the user has to click through; a certificate from a trusted CA produces no prompt. Either way the pair consists of a public key (inside the certificate) and a private key (kept only on the server).
- The server sends the certificate, and with it the public key, to the client.
- When the client (browser) receives the certificate, it checks whether it is valid: signed by a trusted CA, not expired, and issued for the domain name in the URL. If not, it warns the user. If it is, the client generates a random number and encrypts it with the server's public key.
- The client sends the encrypted random number to the server.
- The server decrypts it with its private key (public key encrypts, private key decrypts) and now shares the random number with the client. From here on the data is encrypted symmetrically with that random number as the key: the cipher mixes the key into the data, so anyone who does not know the key cannot recover the content.
- The server sends the encrypted data to the client.
- The client decrypts it with the same random number, the symmetric key it generated itself, and encrypts what it sends back the same way.

This is the RSA key exchange that TLS versions up to 1.2 allow. TLS 1.3 instead derives the shared secret with ephemeral Diffie-Hellman, so that a later theft of the server's private key cannot decrypt recorded traffic; the shape is the same, asymmetric cryptography to agree a secret and symmetric cryptography for the data.
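The exchange described above, acted out with the openssl command line. This is an added example, not code from the original page: the "server" and "client" are two sets of files in a temporary directory, RSA-OAEP protects the random secret and AES-256-CBC protects the data. The file names, the temp directory and the request line are assumptions made for the demo, and the certificate check is skipped because no CA is involved.

```shell
#!/bin/bash
# Added example: the SSL key-exchange workflow, one step per command.
# Names, paths and the message are constructed for the demo.
set -e

# Constructed client message.
PLAINTEXT='GET /index.html HTTP/1.1'

handshake_roundtrip() {
    local d
    d=$(mktemp -d)

    # Server: RSA key pair. In real TLS the public half travels inside the certificate.
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl rsa -in "$d/server.key" -pubout -out "$d/server.pub" 2>/dev/null

    # Client: after checking the certificate (skipped here, no CA), draw a random
    # secret and encrypt it to the server's public key (RSA-OAEP padding).
    openssl rand -hex 32 > "$d/client.secret"            # 256-bit key, hex encoded
    openssl pkeyutl -encrypt -pubin -inkey "$d/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$d/client.secret" -out "$d/secret.enc"

    # Server: only the private key can recover the secret.
    openssl pkeyutl -decrypt -inkey "$d/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$d/secret.enc" -out "$d/server.secret"
    [ "$(cat "$d/client.secret")" = "$(cat "$d/server.secret")" ] || { rm -rf "$d"; return 1; }

    # Both sides now hold the same symmetric key. The server encrypts the data with
    # AES-256-CBC; the IV is random and sent in the clear next to the ciphertext.
    local key iv
    key=$(cat "$d/server.secret")
    iv=$(openssl rand -hex 16)
    printf '%s' "$PLAINTEXT" | openssl enc -aes-256-cbc -K "$key" -iv "$iv" -out "$d/data.enc"

    # Client: decrypt with the secret it generated itself.
    local recovered
    recovered=$(openssl enc -d -aes-256-cbc -K "$(cat "$d/client.secret")" -iv "$iv" -in "$d/data.enc")
    rm -rf "$d"
    printf '%s\n' "$recovered"
}

handshake_roundtrip
```

The function returns non-zero if the secret recovered by the server differs from the one the client generated, and otherwise prints the decrypted message; an interceptor who sees secret.enc and data.enc but not server.key learns nothing, which is the whole point of the RSA step.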
3. Generating an SSL key pair
An SSL certificate goes together with a key pair: the certificate carries the public key, and the private key stays on the server.
3.1 Preparatory tools
If the tool is not present in the virtual machine, install it manually:
[root@host ~]# yum install -y openssl
3.2 Create the private key
[root@host ~]# cd /usr/local/nginx/conf/
[root@host conf]# openssl genrsa -des3 -out tmp.key 2048     # generate an RSA private key, encrypted with 3DES
Generating RSA private key, 2048 bit long modulus
....................................................................................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
# -des3 makes the key ask for a passphrase. nginx would then need it on every start, which is
# normally not wanted, so convert the key to one without a passphrase.
[root@host conf]# openssl rsa -in tmp.key -out host.key      # write tmp.key to host.key without the passphrase
Enter pass phrase for tmp.key:
writing RSA key
[root@host conf]# rm -f tmp.key                              # remove the encrypted copy
The unencrypted host.key is now protected by file permissions alone, so keep it readable by root only.
3.3 Create the certificate signing request
[root@host conf]# openssl req -new -key host.key -out host.csr    # generate the certificate request; it is bound to the private key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:BeiJing
Organizational Unit Name (eg, section) []:BeiJing
Common Name (eg, your name or your server's hostname) []:host
Email Address []:zhouqunic@qq.com
# The above is the certificate's subject information. For a certificate you issue to yourself the
# values do not matter (fill in anything or press Enter to skip). For a certificate you will submit
# to a CA for a real site, fill them in properly: Country Name must be a real two-letter code
# (CN, not 11) and Common Name must be the site's hostname; "host" will not match zhouqun.com later.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
# The challenge password is an attribute of the request, not the key's passphrase, and can be left blank.
3.4 Create the certificate (the public half):
[root@host conf]# openssl x509 -req -days 365 -in host.csr -signkey host.key -out host.crt    # host.crt is the certificate carrying the public key, valid for 365 days
Signature ok
subject=/C=11/ST=BeiJing/L=BeiJing/O=BeiJing/OU=BeiJing/CN=host/emailAddress=zhouqunic@qq.com
Getting Private key
-signkey host.key signs the request with the same private key it was made from, so issuer and subject are identical: this is a self-signed certificate. (The original note names the file aminglinux.crt, after Amin's course; here it is host.crt.)
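The three steps of this section as one non-interactive script, followed by the checks worth running before pointing nginx at the files. This is an added example, not the page's own commands: it skips the -des3/passphrase detour, passes the subject with -subj instead of answering prompts, and adds a subjectAltName so the name check passes for zhouqun.com (the server_name used in section 4). The output directory, the subject fields and the function names are assumptions.

```shell
#!/bin/bash
# Added example: key + CSR + self-signed certificate, then pre-deployment checks.
# Directory, subject fields and function names are constructed for the demo.
set -e

make_selfsigned() {      # $1 = output directory, $2 = hostname the certificate must cover
    local out=$1 host=$2
    # Private key without a passphrase (the page removes the -des3 passphrase anyway).
    openssl genrsa -out "$out/host.key" 2048 2>/dev/null
    # CSR: -subj replaces the interactive prompts; C must be a real two-letter code.
    openssl req -new -key "$out/host.key" -out "$out/host.csr" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=BeiJing/CN=$host" 2>/dev/null
    # Self-signed certificate. Clients match the URL's hostname against
    # subjectAltName, not CN, so the name is added through -extfile.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$out/san.ext"
    openssl x509 -req -days 365 -in "$out/host.csr" -signkey "$out/host.key" \
        -extfile "$out/san.ext" -out "$out/host.crt" 2>/dev/null
}

check_cert() {           # $1 = directory, $2 = hostname; prints "ok" or the first failing check
    local out=$1 host=$2
    # 1. The private key must be the one the certificate was built from.
    [ "$(openssl x509 -in "$out/host.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$out/host.key" -pubout)" ] || { echo "key/cert mismatch"; return 1; }
    # 2. The certificate must cover the name clients will type in the URL.
    openssl x509 -in "$out/host.crt" -noout -text | grep -q "DNS:$host" \
        || { echo "missing SAN"; return 1; }
    # 3. Pinned as the trust anchor it must verify (this is what curl --cacert host.crt does).
    openssl verify -CAfile "$out/host.crt" "$out/host.crt" >/dev/null 2>&1 \
        || { echo "verify failed"; return 1; }
    echo ok
}

demo=$(mktemp -d)
make_selfsigned "$demo" zhouqun.com
check_cert "$demo" zhouqun.com        # prints: ok
rm -rf "$demo"
```

check_cert stops at the first failing check and names it, so a key copied from the wrong host, a certificate made for a different name, or a broken self-signature is caught here rather than as a curl error 60 after nginx has been restarted.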
4. Configuring SSL in nginx
4.1 Configuration file
[root@host conf]# cd vhost/
[root@host vhost]# vim ssl.conf
server {
    listen 443;
    server_name zhouqun.com;
    index index.html index.php;
    root /data/wwwroot/zhouqun.com;
    ssl on;                                  # enable SSL
    ssl_certificate host.crt;                # certificate (public key); a relative path is resolved from the conf directory
    ssl_certificate_key host.key;            # private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     # allowed protocol versions
}
[root@host vhost]# mkdir /data/wwwroot/zhouqun.com
The root directive must name the same directory that mkdir creates (the original had zhouquncom in one place and zhouqun.com in the other). ssl on is accepted by the nginx 1.12 used here but was deprecated in 1.15.0 in favour of the ssl parameter on the listen directive (listen 443 ssl;). TLSv1 and TLSv1.1 are obsolete and should be dropped from ssl_protocols on anything reachable from the Internet; keep TLSv1.2, and TLSv1.3 when nginx is built against OpenSSL 1.1.1 or newer.
4.2 Verification
[root@host conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7    # error
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
4.3 Fixing unknown directive "ssl": nginx was built without the SSL module, so it does not recognise the SSL directives. Recompile it with --with-http_ssl_module added to the configure arguments.
[root@host conf]# cd /usr/local/src/nginx-1.12.1/
[root@host nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@host nginx-1.12.1]# make
[root@host nginx-1.12.1]# make install
[root@host nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@host nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  OK  ]
[root@host nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5991/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1735/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2040/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5991/nginx: master
tcp6       0      0 :::3306                 :::*                    LISTEN      1990/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      1735/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2040/master
Before reconfiguring, nginx -V prints the configure arguments the installed binary was built with; reuse all of them plus --with-http_ssl_module, otherwise any other module the old build had is missing from the new one. make install overwrites the binary in place, and the running master keeps the old code until the restart shown above.
nginx now listens on both port 80 and port 443.
4.4 Test page
[root@host nginx-1.12.1]# cd /data/wwwroot/zhouqun.com/
[root@host zhouqun.com]# vim index.html
This is ssl.
4.5 Add a local hosts entry:
[root@host zhouqun.com]# vim /etc/hosts
127.0.0.1 zhouqun.com
[root@host vhost]# curl https://zhouqun.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
curl fails because the certificate is self-signed: its issuer is not in the CA bundle curl trusts, so verification stops at the first check. Even if it were trusted, the subject entered in 3.3 (CN=host, no subjectAltName) does not match zhouqun.com, so the name check would fail next. A certificate issued by a trusted CA for zhouqun.com passes both checks and curl returns the page. For a local test, curl's --cacert option can pin host.crt as the trust anchor once the certificate carries the right name; -k switches verification off entirely and proves nothing about the certificate.
To test from a browser on Windows, add the same zhouqun.com entry to the Windows hosts file first, otherwise the name will not resolve to this server. The browser will still warn that the certificate is untrusted, for the same reason curl does, until a CA-issued certificate is installed.