Nginx load balancing on Linux, how SSL works, generating an SSL key pair, and configuring SSL in Nginx


Nginx load balancing

1. Look up the IP addresses behind the www.qq.com domain to use for testing

[[email protected] ~]# yum install -y bind-utils  // installs the package that provides the dig command
[[email protected] ~]# dig www.qq.com


; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> www.qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5335
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0


;; QUESTION SECTION:
;www.qq.com.            IN  A


;; ANSWER SECTION:
www.qq.com.     5   IN  A   59.37.96.63
www.qq.com.     5   IN  A   14.17.42.40
www.qq.com.     5   IN  A   14.17.32.211


;; Query time: 6 msec
;; SERVER: 172.16.111.2#53(172.16.111.2)
;; WHEN: 五 1月 05 21:14:15 CST 2018
;; MSG SIZE  rcvd: 76

2. Edit the configuration file

[[email protected] ~]# cd /usr/local/nginx/conf/vhost/
[[email protected] vhost]# vi ld.conf

Add the following content:

upstream qq_com      # upstream defines the group of backend web servers
{
    ip_hash;
    server 59.37.96.63;
    server 14.17.42.40;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass      http://qq_com;
        proxy_set_header Host   $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}




[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] vhost]# curl -x127.0.0.1:80 www.qq.com

Testing the load balancer with curl produces the result shown in the figure below.

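As an added example (not part of the original post) of what the proxy_set_header lines above mean for the backend: $proxy_add_x_forwarded_for appends the connecting address to whatever X-Forwarded-For the client already sent, so a backend that reads the leftmost entry can be handed a forged address. The script simulates the header nginx produces and shows a backend reading it safely; the proxy and client addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): how a backend behind the
# load balancer above should read the client address. nginx's
# $proxy_add_x_forwarded_for appends $remote_addr to whatever
# X-Forwarded-For the client already sent, so the header reaches the
# backend as "<anything the client chose>, <address nginx saw>".

# Proxy side: what $proxy_add_x_forwarded_for produces.
proxy_add_xff() {            # $1 = incoming X-Forwarded-For, $2 = $remote_addr
    if [ -z "$1" ]; then printf '%s\n' "$2"; else printf '%s, %s\n' "$1" "$2"; fi
}

# Backend side: walk the chain from the right, skip addresses belonging to
# our own proxies ($2, space separated) and return the first other one.
# Anything further left was chosen by the client and must not be trusted.
client_ip_from_xff() {       # $1 = X-Forwarded-For as received, $2 = trusted proxies
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | awk -v trusted="$2" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) tp[t[i]] = 1 }
        NF    { ip[++c] = $0 }
        END   { for (i = c; i >= 1; i--) if (!(ip[i] in tp)) { print ip[i]; exit }
                print "unknown" }'
}

# Constructed scenario: an edge proxy at 198.51.100.9 (assumed) sits in
# front of nginx; the real client 203.0.113.7 sends a forged header.
hdr=$(proxy_add_xff "1.2.3.4" "203.0.113.7")   # what the edge proxy forwards
hdr=$(proxy_add_xff "$hdr" "198.51.100.9")     # what nginx forwards to the backend
echo "header seen by backend: $hdr"
echo "leftmost entry (spoofable): $(printf '%s' "$hdr" | cut -d, -f1)"
echo "trusted walk:              $(client_ip_from_xff "$hdr" "198.51.100.9")"
```

The same rule applies to X-Real-IP: the backend may trust it only because nginx overwrites it with $remote_addr on every request, never because the client sent it.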

How SSL works

HTTPS is HTTP with encryption. If packets of plain HTTP traffic are intercepted in transit, the information inside them can be read, and that often includes sensitive data such as usernames, passwords and phone numbers; with HTTPS, even if the packets are intercepted, their content cannot be read.


The SSL workflow, step by step
  1. The browser sends an https request to the server;
  2. The server must have a digital certificate. It can make its own (the steps later on are the certificate Aming made himself) or apply to a certificate authority; the difference is that a self-issued certificate has to be accepted by the client before access can continue, whereas a certificate issued by a trusted company does not trigger a warning page. The certificate is really a pair of keys, one public and one private;
  3. The server sends the public key to the client;
  4. The client (the browser) receives the public key and checks whether it is valid; if not, it shows a warning, and if so, it generates a random string and encrypts it with the public key it received;
  5. The client sends the encrypted random string to the server;
  6. The server decrypts it with its private key (the public key encrypts, the private key decrypts) to recover the random string, then uses that string to encrypt the data it transmits (this is symmetric encryption: the data and the key, here the random string, are combined by some algorithm so that the data cannot be recovered without the key);
  7. The server sends the encrypted data to the client;
  8. The client receives the data and decrypts it with its own key (the same random string).

Generating an SSL key pair

1. Put the public and private keys in the designated directory:

[[email protected] ~]# cd /usr/local/nginx/conf/
[[email protected] conf]# 

2. Generate the private key (the .key file is the private key; 2048 is the key length in bits)

[[email protected] conf]# rpm -qf `which openssl` // check which package provides openssl; if it is missing, install it with yum install -y openssl
openssl-1.0.2k-8.el7.x86_64
[[email protected] conf]# openssl genrsa -des3 -out tmp.key 2048 // generate the private key; 2048 is the key length in bits; the passphrase must not be too short or the command fails
Generating RSA private key, 2048 bit long modulus
.+++
..........+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:

3. Convert the key to remove the passphrase (-in names the input key, -out the output)

[[email protected] conf]# openssl rsa -in tmp.key -out aminglinux.key  // converts the tmp.key just generated into aminglinux.key; the purpose is to remove the passphrase set a moment ago, because a key file protected by a passphrase requires that passphrase to be entered every time Nginx loads it, which is very inconvenient
Enter pass phrase for tmp.key:
writing RSA key

4. Delete the temporary key

[[email protected] conf]# rm -f tmp.key

5. Generate the certificate signing request

[[email protected] conf]# openssl req -new -key aminglinux.key -out aminglinux.csr  // this file and the private key are used together to produce the certificate (the "public key" file)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:xi
State or Province Name (full name) []:tao
Locality Name (eg, city) [Default City]:xie
Organization Name (eg, company) [Default Company Ltd]:lin
Organizational Unit Name (eg, section) []:apa
Common Name (eg, your name or your server's hostname) []:dfd
Email Address []:adming 


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:szyino-123
An optional company name []:fdaf
Note: since the certificate is issued to ourselves, these fields can be filled in arbitrarily.

6. Use the certificate request and the private key to generate the certificate (public key) file

[[email protected] conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt // aminglinux.crt here is the public key (certificate); -days 365 makes the certificate valid for one year
Signature ok  
subject=/C=xi/ST=tao/L=xie/O=lin/OU=apa/CN=dfd/emailAddress=adming
Getting Private key
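The eight-step flow from the SSL section, replayed with the openssl command line, as an added example that is not part of the original post: it first produces the key, CSR and self-signed certificate non-interactively (the equivalent of steps 2 to 6 above, skipping the passphrase detour), then performs the public-key/random-secret exchange and the symmetric encryption with the resulting files. File names, subject fields and the temporary directory are assumptions; what the text describes is RSA key transport, which is what is simulated, whereas current TLS versions negotiate the session key with (EC)DHE instead.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the key, CSR and
# self-signed certificate steps non-interactively, then acts out the
# handshake flow described above with those files. File names, subject
# fields and the temporary directory are assumptions.
set -eu
work=$(mktemp -d); cd "$work"

# Steps 2-6 of the key-generation section without the passphrase detour:
# genrsa without -des3 writes an unencrypted key straight away and -subj
# answers the DN prompts that openssl req would otherwise ask for.
make_selfsigned() {            # $1 = hostname used as the CN; prints the CN back
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -subj "/C=XX/O=example/CN=$1" -out server.csr 2>/dev/null
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt 2>/dev/null
    openssl x509 -in server.crt -noout -subject | sed -n 's/.*CN *= *//p'
}

# Steps 3-8 of the flow: the client takes the public key out of the
# certificate, encrypts a random secret to it, the server recovers the
# secret with its private key, and both sides then use AES with that
# secret for the payload (the symmetric encryption the text describes).
handshake_roundtrip() {        # $1 = plaintext; prints what the client decrypts
    openssl x509 -in server.crt -pubkey -noout > server.pub           # step 3
    openssl rand -hex 32 > client.secret                              # step 4
    openssl pkeyutl -encrypt -pubin -inkey server.pub \
        -in client.secret -out secret.enc                             # steps 4-5
    openssl pkeyutl -decrypt -inkey server.key \
        -in secret.enc -out server.secret                             # step 6
    cmp -s client.secret server.secret || { echo "secret mismatch"; return 1; }
    printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 \
        -pass file:server.secret -out data.enc                        # steps 6-7
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:client.secret -in data.enc  # step 8
}

# Why curl and the browser warn later: the certificate is signed with its
# own key, so verification only passes when that very certificate (or a CA
# that issued it) is in the trust store being consulted.
cert_trusted_by() {            # $1 = CA bundle file, or "system" for the default store
    case "$1" in
        system) openssl verify server.crt >/dev/null 2>&1 ;;
        *)      openssl verify -CAfile "$1" server.crt >/dev/null 2>&1 ;;
    esac && echo ok || echo untrusted
}

make_selfsigned aming.com            # prints: aming.com
handshake_roundtrip "This is ssl."   # prints: This is ssl.
cert_trusted_by server.crt           # ok
cert_trusted_by system               # untrusted
```

cert_trusted_by mirrors what curl does in the final section: curl --cacert server.crt https://aming.com/ trusts this one certificate without switching verification off the way -k does.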

Configuring SSL in Nginx

1. Edit the SSL configuration file

[[email protected] conf]# vim /usr/local/nginx/conf/vhost/ssl.conf

Add the following content:

server
{
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on; # enable ssl so that https is supported
    ssl_certificate aminglinux.crt;  # the public key (certificate)
    ssl_certificate_key aminglinux.key;  # the private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
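The vhost above with its weak settings tightened, plus a small check that flags them, as an added example that is not part of the original post: the cipher list, the HSTS header and the file locations are assumptions, and nginx -t should be run after adopting any of it.

```shell
#!/bin/sh
# Added example (not from the original post): the vhost above with its weak
# settings tightened, plus a check that flags them. Cipher list and header
# values are assumptions; run nginx -t after adopting any of this.
set -eu
work=$(mktemp -d)

# As on the page: "ssl on;" (deprecated since nginx 1.15.0 in favour of the
# ssl flag on listen) and TLS 1.0/1.1, which are themselves deprecated.
cat > "$work/ssl.weak.conf" <<'EOF'
server {
    listen 443;
    server_name aming.com;
    ssl on;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF

# Tightened: TLS 1.2+ only (TLSv1.3 needs nginx 1.13+ built against OpenSSL
# 1.1.1+), forward-secret AEAD ciphers, and HSTS so browsers stay on https.
cat > "$work/ssl.hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name aming.com;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF

# Prints one line per weak setting; the return value is the number found.
check_ssl_conf() {            # $1 = nginx vhost file
    n=0
    grep -qE '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$1" && { echo "ssl on; is obsolete"; n=$((n+1)); }
    grep -qE '^[[:space:]]*listen[[:space:]]+443[[:space:]]*;' "$1" && { echo "listen 443 lacks ssl flag"; n=$((n+1)); }
    grep -qE '^[[:space:]]*ssl_protocols.*TLSv1(\.1)?[[:space:];]' "$1" && { echo "TLS 1.0/1.1 enabled"; n=$((n+1)); }
    grep -q 'Strict-Transport-Security' "$1" || { echo "no HSTS header"; n=$((n+1)); }
    return "$n"
}

check_ssl_conf "$work/ssl.weak.conf" || echo "weak config: $? finding(s)"      # 4
check_ssl_conf "$work/ssl.hardened.conf" && echo "hardened config: clean"
```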

2. Create the aming.com directory

[[email protected] conf]# mkdir /data/wwwroot/aming.com

3. Test the syntax

[[email protected] nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

An error is reported, as shown in the figure:


Cause: SSL support was not enabled when nginx was originally compiled, so nginx has to be recompiled with --with-http_ssl_module; after that, run -t again and then -s reload.

Solution:

Change into the Nginx source directory and recompile with ./configure --prefix=/usr/local/nginx --with-http_ssl_module, as follows:

[[email protected] conf]# cd /usr/local/src/nginx-1.12.1
[[email protected] nginx-1.12.1]# ./configure --help | grep -i ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
[[email protected] nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[[email protected] nginx-1.12.1]# echo $?
0
[[email protected] nginx-1.12.1]# make
[[email protected] nginx-1.12.1]# make install
[[email protected] nginx-1.12.1]# /usr/local/nginx/sbin/nginx -V // the http_ssl_module argument now appears; after this the syntax test passes
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module

After restarting Nginx, port 443 is listening as well:

[[email protected] nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  确定  ]
[[email protected] nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      79269/nginx: master 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd            
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1237/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      79269/nginx: master 
tcp6       0      0 :::3306                 :::*                    LISTEN      1166/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd            
tcp6       0      0 ::1:25                  :::*                    LISTEN      1237/master 

4. Write a test page

[[email protected] nginx-1.12.1]# cd /data/wwwroot/aming.com/
[[email protected] aming.com]# ls
[[email protected] aming.com]# vim index.html

Add the following content:

This is ssl.

5. Edit the local hosts file

[[email protected] aming.com]# vi /etc/hosts

Add one record: 127.0.0.1 aming.com

6. Test with curl

[[email protected] aming.com]# curl https://aming.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html


curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Explanation: the error says the certificate's issuer is not trusted, because we issued the certificate ourselves; the configuration itself is in fact working.

7. Access it from a browser

First add an entry resolving aming.com to the Windows hosts file. If the site cannot be reached, check whether the system has firewall rules (iptables -nvL); if so, either flush the rules with iptables -F or add a rule allowing port 443.


Note: the browser shows the site as not secure because it does not recognise the certificate. To continue, click "Advanced", then "Add Exception", and click "Confirm Security Exception" in the dialog that appears; the site content is then displayed.
