12.17-12.20 Nginx load balancing, ssl principle, generate ssl key pair, Nginx configure ssl


12.17 Nginx Load Balancing

12.18 The principle of ssl

12.19 Generate ssl key pair

12.20 Nginx configure ssl



Proxy by the requested URI: http://ask.apelearn.com/question/1049

Select the backend web server by the directory accessed: http://ask.apelearn.com/question/920

nginx long connections (keepalive): http://www.apelearn.com/bbs/thread-6545-1-1.html

Analysis of the nginx load balancing algorithms: http://blog.sina.com.cn/s/blog_72995dcc01016msi.html


12.17 Nginx Load Balancing

Proxying one web server is called a proxy.

Proxying two (or more) web servers is called load balancing.

The nginx proxy set up here does not handle https.

1 The load balancing configuration is as follows,

# vim /usr/local/nginx/conf/vhost/load.conf 

upstream qq_com
{
    ip_hash;
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass      http://qq_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Configuration explanation:

With the help of the upstream module, proxy_pass no longer has to list the backends itself (proxy_pass cannot be given multiple IPs); it is followed by the upstream name.

The name after upstream and after proxy_pass is only a label, not the site's domain name.

The site domain name and the backend IPs are these three items:

server_name www.qq.com;

server 61.135.157.156:80;

server 125.39.240.113:80;

ip_hash;

The purpose of ip_hash is to keep the same client on the same backend machine: requests are distributed to the servers according to the client IP address.

For example, if user A's IP is 1.1.1.1 and user B's IP is 2.2.2.2, A's requests are forwarded to the first web server and B's requests go to the second web server.

Multiple backends can be defined in the upstream block together with ip_hash, in the format ip:port.
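To see what ip_hash actually does with those addresses, here is an added shell model (not the course's own code) of nginx's ip_hash selection: it hashes only the first three octets of the client address, so 1.1.1.1 and 1.1.1.200 land on the same backend. It assumes every backend has weight 1 and is up; the addresses and backend count are the example's own inputs.

```shell
# Model of nginx's ip_hash backend selection for IPv4 (as in
# ngx_http_upstream_ip_hash_module): seed 89, then for each of the FIRST
# THREE octets only, hash = (hash * 113 + octet) % 6271; the backend is
# hash % number_of_backends (0-based, in the order listed in upstream).
# Assumption: every backend has weight 1 and is up (real nginx also skips
# backends marked down and rehashes up to 20 times; not modelled here).
nginx_ip_hash() {  # usage: nginx_ip_hash <ipv4> <backend_count>
    ip=$1
    n=$2
    IFS=. read -r o1 o2 o3 _ <<EOF
$ip
EOF
    h=89
    for o in "$o1" "$o2" "$o3"; do
        h=$(( (h * 113 + o) % 6271 ))
    done
    echo $(( h % n ))
}

# Same /24 means same backend: every client behind one NAT or office gateway
# lands on one server, and only $remote_addr counts, never X-Forwarded-For.
same_backend() {  # usage: same_backend <ipv4> <ipv4> <backend_count>; prints yes/no
    if [ "$(nginx_ip_hash "$1" "$3")" = "$(nginx_ip_hash "$2" "$3")" ]; then
        echo yes
    else
        echo no
    fi
}

# Walk the page's example: A=1.1.1.1 and B=2.2.2.2 against two backends,
# plus a third client from A's /24.
for c in 1.1.1.1 2.2.2.2 1.1.1.200; do
    echo "$c -> backend $(nginx_ip_hash "$c" 2)"
done
```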


2 Domain name resolution qq.com ip

Use the dig tool to look it up (yum install -y bind-utils).

3 curl test (The configuration does not take effect until it is reloaded.)

[root@AliKvn vhost]# curl -x127.0.0.1:80 www.qq.com

this is a default site.

Before the configuration is loaded, visiting www.qq.com from this machine returns this machine's default site.

4 Check the syntax, and reload.

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -s reload

5 curl test again: the request now goes through the proxy, the page source is displayed and the status code is 200.



12.18 The principle of ssl


The difference between HTTP and HTTPS:

HTTPS is HTTP over an encrypted channel. If HTTP traffic is intercepted in transit, the packets can be read, and they may contain usernames, passwords and other sensitive information from phones and other clients. With HTTPS, even if a packet is intercepted, its content cannot be read.


The working flow chart of the principle of SSL (figure not reproduced here).

Text explanation of the SSL workflow:

1 The browser sends an https request to the server;

2 The server must have a set of digital certificates. They can be made by yourself (the operation below uses a certificate A Ming made himself) or applied for from a certificate organization. The difference is that a certificate you issued yourself has to be confirmed by the client before access can continue, while a certificate applied for from an organization does not pop up the prompt page. This certificate is in fact a pair of public key and private key;

3 The server transmits the public key to the client;

4 After the client (browser) receives the public key, it verifies whether it is legal and valid. If it is invalid, a warning is shown; if it is valid, a random string is generated and encrypted with the received public key;

5 The client transmits the encrypted random string to the server;

6 After the server receives the encrypted random string, it first decrypts it with the private key (public key encrypts, private key decrypts). Having obtained the random string, it encrypts the data to be transmitted with it. This is symmetric encryption: the data is mixed with the key, namely this random string, by some algorithm, so that without the key the data content cannot be obtained;

7 The server transmits the encrypted data to the client;

8 After the client receives the data, it decrypts it with the key it holds, namely the random string;

So the working principle of https is to repeatedly run this encryption and decryption with the public key and private key over the data.


12.19 Generate ssl key pair

1 Enter the /conf directory

[root@AliKvn vhost]# cd /usr/local/nginx/conf/

2 Use the openssl tool to generate a private key file; the .key file is the private key and is protected by a password (-des3).

[root@AliKvn conf]# openssl genrsa -des3 -out tmp.key 2048

3 Convert the key and remove the password. The password would have to be entered every time the key is used for encryption and decryption, so it is removed here.

[root@AliKvn conf]# openssl rsa -in tmp.key -out aminglinux.key

Enter pass phrase for tmp.key:

writing RSA key

4 delete tmp.key

[root@AliKvn conf]# rm -f tmp.key

5 Generate the certificate request file (csr); this file and the private key are used to produce the certificate (public key) file.

[root@AliKvn conf]# openssl req -new -key aminglinux.key -out aminglinux.csr


Generate the crt file:

[root@AliKvn conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt

[root@AliKvn conf]# ls aminglinux.*

aminglinux.crt  aminglinux.csr  aminglinux.key

The aminglinux.crt here is the certificate, i.e. the public key.

6 Once you have the .key and .crt files you can configure ssl (the .csr is only needed to produce the .crt).
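The key-pair steps above and the exchange described in 12.18, as an added shell example that is not the course's own code: one function does the genrsa/req/x509 steps without a passphrase, one checks that the certificate really belongs to the private key (worth running before pointing ssl_certificate and ssl_certificate_key at the files), and one is a toy of the public-key/private-key exchange (a model of the page's description, not a real TLS handshake). It assumes the openssl CLI is installed; the "demo" base name and file names are placeholders.

```shell
# Assumption: the openssl CLI is installed; "demo" and the file names are
# placeholders, not the course's aminglinux.* files.

# The page's steps 2-5 in one go: a private key without a passphrase (no -des3,
# so no tmp.key round-trip), the CSR, and a self-signed certificate for 365 days.
make_selfsigned() {  # usage: make_selfsigned <basename> <common_name>
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1.csr" -signkey "$1.key" -out "$1.crt" 2>/dev/null
}

# The public key inside the .crt must equal the public half of the .key,
# otherwise nginx's ssl_certificate / ssl_certificate_key pair is broken.
cert_matches_key() {  # usage: cert_matches_key <basename>; prints match/mismatch
    from_crt=$(openssl x509 -in "$1.crt" -pubkey -noout)
    from_key=$(openssl pkey -in "$1.key" -pubout)
    [ "$from_crt" = "$from_key" ] && echo match || echo mismatch
}

# Toy of the exchange in 12.18, steps 3-8: the client takes the public key from
# the certificate, encrypts a random secret with it, the server recovers the
# secret with its private key, and both sides then encrypt data symmetrically
# (AES) with that secret. Prints what the client decrypts at the end.
toy_exchange() {  # usage: toy_exchange <basename> <plaintext>
    d=$(mktemp -d)
    openssl x509 -in "$1.crt" -pubkey -noout > "$d/pub.pem"      # step 3: public key to client
    openssl rand -hex 32 > "$d/client_secret"                     # step 4: client's random string
    openssl pkeyutl -encrypt -pubin -inkey "$d/pub.pem" \
        -in "$d/client_secret" -out "$d/secret.enc"               # steps 4-5: encrypt with public key
    openssl pkeyutl -decrypt -inkey "$1.key" \
        -in "$d/secret.enc" -out "$d/server_secret"               # step 6: decrypt with private key
    printf '%s' "$2" | openssl enc -aes-256-cbc -pbkdf2 \
        -pass "file:$d/server_secret" -out "$d/data.enc"          # steps 6-7: symmetric encryption
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -pass "file:$d/client_secret" -in "$d/data.enc"           # step 8: client decrypts with the secret
    rm -rf "$d"
}
```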



12.20 Nginx configure ssl


1 Configure ssl.conf

# vim /usr/local/nginx/conf/vhost/ssl.conf

server
{
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

Configuration explanation:

ssl on;

Enable ssl.

ssl_certificate aminglinux.crt;

Specify the public key (certificate).

ssl_certificate_key aminglinux.key;

Specify the private key.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Generally, all three protocols are configured.


2 Check grammar

[root@AliKvn vhost]# /usr/local/nginx/sbin/nginx -t

nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7

nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

Line 7 reports an unknown directive "ssl": the ssl module was not included when nginx was originally compiled, so nginx has to be recompiled with --with-http_ssl_module added.

2.1 Compile operation:

[root@AliKvn nginx-1.8.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module

[root@AliKvn nginx-1.8.0]# make && make install

2.2 Check the compile parameters with -V

[root@AliKvn nginx-1.8.0]# /usr/local/nginx/sbin/nginx -V


2.3 Check the syntax again

[root@AliKvn nginx-1.8.0]# /usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

3 Restart nginx

[root@AliKvn nginx-1.8.0]# /etc/init.d/nginx restart

Restarting nginx (via systemctl):                          [  OK  ]

4 Check the listening ports

Both ports 80 and 443 are now being listened on.

5 Create directories and test files

[root@AliKvn aming.com]# mkdir /data/wwwroot/aming.com/

[root@AliKvn aming.com]# echo "ssl test" > /data/wwwroot/aming.com/index.html

[root@AliKvn aming.com]# ls

index.html

[root@AliKvn our.com]# cat index.html 

ssl test

6 Write aming.com on hosts

[root@AliKvn aming.com]# vim /etc/hosts

127.0.0.1 aming.com

7 curl test

curl marks the certificate as untrusted because it is self-signed rather than issued by a trusted authority.

8 Access from a Windows browser (if the site cannot be reached, check the firewall and iptables rules, or add a rule that opens port 443)

Edit the hosts file in Windows and add aming.com into it

8.1 Enter https://aming.com in the browser  to access



8.2 Because this is my own test, the site is shown as untrusted; continue anyway: click 1 Advanced, then 2 to proceed.


8.3 The page shows the text written with echo earlier; access works normally.

Of course, this is only for testing: when accessing over https, the certificate is marked as untrusted. For normal https access you need to purchase a certificate.

