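nginx: source installation, configuration module changes, encrypted access (self-signed certificate), and load balancing with round-robin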


Host environment: redhat6.5

Lab environment:
   server, IP 172.25.29.1    nginx
   server, IP 172.25.29.2    apache
   server, IP 172.25.29.3    apache
   test client, IP 172.25.254.29

Package: nginx-1.10.1.tar.gz

nginx is used as a reverse proxy.

 

Server 1

1. Install nginx

1. Unpack and basic configuration

[[email protected] mnt]# yum install gcc -y      # install gcc
[[email protected] mnt]# tar zxf nginx-1.10.1.tar.gz   # unpack the nginx tarball
[[email protected] mnt]# ls
nginx-1.10.1 nginx-1.10.1.tar.gz
[[email protected] mnt]# cd nginx-1.10.1
[[email protected] nginx-1.10.1]# vim auto/cc/gcc     # disable the debug build

# debug
#CFLAGS="$CFLAGS -g"

[[email protected] nginx-1.10.1]# vim src/core/nginx.h   # stop the nginx version number from being shown, for security

#define NGINX_VER          "nginx/"

 

2. Build configuration (static)

[[email protected] nginx-1.10.1]# ./configure --prefix=/usr/local/lnmp/nginx --with-http_ssl_module --with-http_stub_status_module

If the following error appears:

[screenshot of the configure error not preserved]

[[email protected] nginx-1.10.1]# yum install pcre-devel -y

Run configure again:

[[email protected] nginx-1.10.1]# ./configure --prefix=/usr/local/lnmp/nginx --with-http_ssl_module --with-http_stub_status_module

If the following error appears:

[screenshot of the configure error not preserved]

[[email protected] nginx-1.10.1]# yum install openssl-devel -y

Run configure again:

[[email protected] nginx-1.10.1]# ./configure --prefix=/usr/local/lnmp/nginx --with-http_ssl_module --with-http_stub_status_module

3. Compile, link and install

[[email protected] nginx-1.10.1]# make
[[email protected] nginx-1.10.1]# make install

 

2. Make nginx available as a system command and start it

[[email protected]]# cd /usr/local/lnmp/nginx/
[[email protected] nginx]# ls
conf  html  logs sbin
[[email protected] nginx]# ln -s /usr/local/lnmp/nginx/sbin/nginx /usr/local/sbin/  # symlink so that the nginx binary can be run as a system command
[[email protected] nginx]# nginx -t     # check the configuration
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful
[[email protected] nginx]# nginx    # start nginx
[[email protected] nginx]# cd conf/

 

3. Modifying modules in the configuration file, and testing

[[email protected] conf]# useradd -u 900 -d /usr/local/lnmp/nginx/ nginx  # create the user that nginx runs as

1. Change the user, set the number of worker processes and bind them to CPUs

[[email protected] conf]# vim nginx.conf

user  nginx;    # the user nginx runs as
worker_processes  2;   # worker processes, two CPUs
worker_cpu_affinity 01 10;  # bind the workers to CPUs

[[email protected] conf]# nginx -t   # check
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful
[[email protected] conf]# nginx -s reload   # reload

Test

[[email protected] conf]# ps aux | grep nginx

[[email protected] conf]# vim nginx.conf

events {
    worker_connections  4096; # maximum number of connections supported
}

[[email protected] conf]# nginx -t   # check
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful
[[email protected] conf]# nginx -s reload  # reload

[[email protected] conf]# vim /etc/security/limits.conf  # resources the system allots to nginx

nginx   -      nofile  200
nginx   -      nproc   200

[[email protected] conf]# :() { :|:& };:     # test

If the 200 above is changed to 4096, the system hangs outright.

 

2. View nginx status

[[email protected] conf]# vim nginx.conf   # view nginx status

        location /status {
                stub_status on;
                access_log off;
        }

[[email protected] conf]# nginx -t
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful
[[email protected] conf]# nginx -s reload
[[email protected] mnt]# yum install httpd -y

[[email protected] conf]# vim /etc/httpd/conf/httpd.conf

# nginx already listens on port 80, so httpd is moved to another port
Listen 8080

[[email protected] conf]# /etc/init.d/httpd start
Starting httpd:                                           [  OK  ]

Test: 172.25.29.1/status

 

3. Encrypted access to nginx (self-signed certificate)

On the Internet, unencrypted access leaks a great deal of important information, which is why encryption is used.

[[email protected] conf]# vim nginx.conf    # encrypted access

    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      cert.pem;
        ssl_certificate_key  cert.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }

[[email protected] conf]# cd /etc/pki/tls/certs/
[[email protected] certs]# make cert.pem    # generate the self-signed certificate
umask 77 ; \
    PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
    /usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
    cat $PEM1 >  cert.pem ; \
    echo ""    >> cert.pem ; \
    cat $PEM2 >> cert.pem ; \
    rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
..............+++
................+++
writing new private key to '/tmp/openssl.9egbT2'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shaanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:wen
Organizational Unit Name (eg, section) []:linux
Common Name (eg, your name or your server's hostname) []:server1.example.com
Email Address []:[email protected]
[[email protected] certs]# mv cert.pem /usr/local/lnmp/nginx/conf/
[[email protected] certs]# nginx -t
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful
[[email protected] certs]# nginx -s reload

 

Test: https://172.25.29.1

Choose "I Understand the Risks" and confirm.
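The /status location and the HTTPS server block configured above can be checked mechanically. The script below is an added example, not part of the original post: it audits a condensed, constructed copy of this page's nginx.conf for a status page with no access rules, a private key kept in the certificate file, and a missing ssl_protocols line. The function names and finding texts are assumptions of this example.

```python
import re

# Constructed sample: the /status and HTTPS server blocks from this page, condensed.
SAMPLE_CONF = """
server {
    location /status { stub_status on; access_log off; }
}
server {
    listen 443 ssl;
    ssl_certificate      cert.pem;
    ssl_certificate_key  cert.pem;   # same file as the certificate
}
"""

def blocks(text, keyword):
    """Yield (arguments, body) for every brace-matched `keyword ... { ... }` block."""
    for m in re.finditer(r"\b%s\b([^{;]*)\{" % keyword, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def directive(body, name):
    """Return the arguments of the first `name ...;` directive, or None if absent."""
    m = re.search(r"(?:^|[;{}])\s*%s\b\s*([^;]*);" % name, body)
    return m.group(1).strip() if m else None

def audit(conf):
    """Return findings for the weak settings discussed on this page."""
    conf = re.sub(r"#.*", "", conf)                      # strip comments
    findings = []
    for _, srv in blocks(conf, "server"):
        for path, loc in blocks(srv, "location"):
            unrestricted = all(directive(loc, d) is None for d in ("allow", "deny"))
            if directive(loc, "stub_status") is not None and unrestricted:
                findings.append("%s: stub_status without allow/deny" % path)
        cert, key = directive(srv, "ssl_certificate"), directive(srv, "ssl_certificate_key")
        if cert is None:
            continue                                     # not a TLS server block
        if cert == key:
            findings.append("%s: holds the private key too; keep it mode 0600" % cert)
        if directive(srv, "ssl_protocols") is None:
            # nginx 1.10 then uses its default: TLSv1 TLSv1.1 TLSv1.2
            findings.append("ssl_protocols unset: TLSv1 and TLSv1.1 stay enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

The `umask 77` in the Makefile recipe already leaves cert.pem readable by its owner only, and `mv` keeps that mode; the second finding is a reminder to keep it that way after copying or editing the file.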

 

4. Virtual hosts

Virtual hosts let one httpd server serve several websites at the same time.

[[email protected] certs]# cd /usr/local/lnmp/nginx/conf/
[[email protected] conf]# vim nginx.conf

    server {
                listen 80;  # listening port
                server_name www.wen.com;   # domain name

                location / {
                        root /web1;    # default document root
                        index index.html;  # default index file
                }
    }
    server {
                listen 80;
                server_name www.mi.com;

                location / {
                        root /web2;
                        index index.html;
                }
    }

[[email protected] conf]# mkdir /web1 /web2
[[email protected] conf]# vim /web1/index.html
Welcome to www.wen.com
[[email protected] conf]# vim /web2/index.html
Welcome to www.mi.com
[[email protected] conf]# nginx -t
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful
[[email protected] conf]# nginx -s reload

Test

On the test client, add name resolution for the two domains:

[[email protected] Desktop]# vim /etc/hosts
172.25.29.1 www.wen.com www.mi.com

5. Load balancing with round-robin

Parameters:

round-robin: the default method.

weight: defaults to 1. The larger the weight, the larger the share of the load.

backup: requests go to the backup machine only when all non-backup machines are down, so this machine carries the lightest load.

ip_hash: each request is assigned by a hash of the client IP, so each visitor always reaches the same backend server, which solves the session problem.

[[email protected] conf]# vim nginx.conf

http {
        upstream wen {
                server 172.25.29.2:80;
                server 172.25.29.3:80 weight=2;
                server 172.25.29.4:8080 backup;
        }

    # ... rest of the http block unchanged ...

    server {
                listen 80;
                server_name www.wen.com;

                location / {
                        #root /web1;
                        #index index.html;
                        proxy_pass http://wen;
                }
    }

[[email protected] conf]# nginx -t
nginx: the configuration file /usr/local/lnmp/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/lnmp/nginx/conf/nginx.conf test is successful
[[email protected] conf]# nginx -s reload
[[email protected] conf]# vim /var/www/html/index.html
[[email protected] conf]# /etc/init.d/httpd restart
Stopping httpd:                                           [  OK  ]
Starting httpd:                                           [  OK  ]

On the other two servers (2 and 3), make sure the http service is running during the test and that an index.html file exists under the default document root, with some content in it (anything will do).

Test

[[email protected] ~]$ for i in $(seq 10 );do curl www.wen.com; done

<h1>server3</h1>

<h1>www.westos.org-server2</h1>

<h1>server3</h1>

<h1>server3</h1>

<h1>www.westos.org-server2</h1>

<h1>server3</h1>

<h1>server3</h1>

<h1>www.westos.org-server2</h1>

<h1>server3</h1>

<h1>server3</h1>

[[email protected] ~]$ for i in $(seq 10 );do curl www.wen.com; done   # after httpd on server3 is stopped

<h1>www.westos.org-server2</h1>

<h1>www.westos.org-server2</h1>

<h1>www.westos.org-server2</h1>

<h1>www.westos.org-server2</h1>

<h1>www.westos.org-server2</h1>

<h1>www.westos.org-server2</h1>

<h1>www.westos.org-server2</h1>

<h1>www.westos.org-server2</h1>

<h1>www.westos.org-server2</h1>

<h1>www.westos.org-server2</h1>

[[email protected] ~]$ for i in $(seq 10 );do curl www.wen.com; done  # after httpd on both server2 and server3 is stopped

<h1>please try again!</h1>

<h1>please try again!</h1>

<h1>please try again!</h1>

<h1>please try again!</h1>

<h1>please try again!</h1>

<h1>please try again!</h1>

<h1>please try again!</h1>

<h1>please try again!</h1>

<h1>please try again!</h1>

<h1>please try again!</h1>

 

[[email protected] ~]$ for i in $(seq 10 );do curl www.wen.com; done  # after httpd on server2 and server3 is started again, round-robin resumes

<h1>www.westos.org-server2</h1>

<h1>www.westos.org-server2</h1>

<h1>server3</h1>

<h1>server3</h1>

<h1>www.westos.org-server2</h1>

<h1>server3</h1>

<h1>server3</h1>

<h1>www.westos.org-server2</h1>

<h1>server3</h1>

<h1>server3</h1>
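The order of responses in the first three test runs above follows from how weighted round-robin picks a peer. The model below is an added example, not part of the original post: it implements smooth weighted round-robin, the selection method nginx uses for weighted peers, together with the backup rule, and reproduces those runs. The peer names and the `simulate` helper are assumptions of this example; max_fails/fail_timeout handling is left out, and stopped servers are simply passed in as `down`.

```python
# Constructed model of the page's `upstream wen` block (names are labels, not hosts).
UPSTREAM = [
    {"name": "server2", "weight": 1, "backup": False},   # 172.25.29.2:80
    {"name": "server3", "weight": 2, "backup": False},   # 172.25.29.3:80 weight=2
    {"name": "backup",  "weight": 1, "backup": True},    # 172.25.29.4:8080 backup
]

def pick(peers):
    """One smooth weighted round-robin step over the given live peers."""
    total = sum(p["weight"] for p in peers)
    for p in peers:
        p["current"] += p["weight"]                  # every peer gains its weight
    best = max(peers, key=lambda p: p["current"])    # earliest peer wins a tie
    best["current"] -= total                         # the chosen peer pays the total back
    return best["name"]

def simulate(upstream, down=(), requests=10):
    """Return the peer chosen for each request; `down` lists stopped peers."""
    peers = [dict(p, current=0) for p in upstream]
    chosen = []
    for _ in range(requests):
        alive = [p for p in peers if p["name"] not in down]
        primary = [p for p in alive if not p["backup"]]
        # backup peers are used only when no primary peer is left
        pool = primary or [p for p in alive if p["backup"]]
        chosen.append(pick(pool) if pool else None)
    return chosen

if __name__ == "__main__":
    for down in ((), ("server3",), ("server2", "server3")):
        print(down, simulate(UPSTREAM, down))
```

With nothing down the model yields server3, server2, server3 repeating, which is the 2:1 interleaving seen in the first curl loop rather than two consecutive bursts.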


This article comes from the blog "不忘初心,方得始终"; please keep this source link: http://12087746.blog.51cto.com/12077746/1854238
