12.17 Nginx负载均衡 12.18 ssl原理 12.19 生成ssl密钥对 12.20 N

Posted 2020-10-27

12.17 nginx负载均衡

[[email protected] ~]# yum install -y bind-utils
[[email protected] ~]# dig www.qq.com
ANSWER SECTION:
www.qq.com. 73 IN A 59.37.96.63
www.qq.com. 73 IN A 14.17.42.40
www.qq.com. 73 IN A 14.17.32.211
[[email protected] ~]# curl -x127.0.0.1:80 www.qq.com
This is the default site.
[[email protected] ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] ~]# /usr/local/nginx/sbin/nginx -s reload
[[email protected] ~]# curl -x127.0.0.1:80 www.qq.com -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Fri, 16 Mar 2018 14:24:38 GMT
Content-Type: text/html; charset=GB2312
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Fri, 16 Mar 2018 14:25:38 GMT
Cache-Control: max-age=60
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Cache: HIT from tianjin.qq.com

12.18 ssl原理

12.19 生成ssl密钥对

12.20 Nginx配置ssl

[[email protected] conf]# cat /usr/local/nginx/conf/vhost/ssl.conf
server
{
listen 443;
server_name martin.com;
index index.html index.php;
root /data/wwwroot/test.com;
ssl on;
ssl_certificate martin.crt;
ssl_certificate_key martin.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
[[email protected] conf]# cat /usr/local/nginx/conf/vhost/ssl.conf
server
{
listen 443;
server_name martin.com;
index index.html index.php;
root /data/wwwroot/test.com;
ssl on;
ssl_certificate martin.crt;
ssl_certificate_key martin.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

[[email protected] conf]# /usr/local/nginx/sbin/nginx -t
[[email protected] conf]# cd /usr/local/src/nginx-1.12.1
[[email protected] conf]#./configure --prefix=/usr/local/nginx --with-http_ssl_module
[[email protected] conf]#make
[[email protected] conf]#make install
[[email protected] conf]# /usr/local/nginx/sbin/nginx -t
[[email protected] conf]# mkdir /data/wwwroot/martin.com
[[email protected] conf]# vim /data/wwwroot/martin.com/1.php
[[email protected] conf]# curl https://martin.com
curl: (60) Peer‘s certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn‘t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you‘d like to turn off curl‘s verification of the certificate, use
the -k (or --insecure) option.