23.1Nginx集群完善HTTPS实践


1.环境准备

主机名称 应用环境 外网地址 内网地址
lb01 nginx 10.0.0.5 172.16.1.5
web01 nginx+php+nfs客户端 10.0.0.7 172.16.1.7
web02 nginx+php+nfs客户端 10.0.0.8 172.16.1.8
web03 nginx+php+nfs客户端 10.0.0.9 172.16.1.9
db01 mysql 10.0.0.51 172.16.1.51
nfs01 nfs服务端+sersync客户端 10.0.0.31 172.16.1.31
backup rsync服务端 10.0.0.41 172.16.1.41

2.web01配置

# 1.安装nginx和php
[root@web01 ~]# rz nginx_php.tgz 
[root@web01 ~]# tar xf nginx_php.tgz
[root@web01 ~]# cd nginx_php/
[root@web01 ~/nginx_php]# rpm -ivh *

# 2.统一nginx和php的用户
[root@web01 ~]# groupadd www -g 666
[root@web01 ~]# useradd www -u 666 -g 666 -s /sbin/nologin -M
[root@web01 ~]# vim /etc/nginx/nginx.conf
user www;
...

[root@web01 ~]# vim /etc/php-fpm.d/www.conf
...
user = www
; RPM: Keep a group allowed to write in log dir.
group = www
...

# 3.启动并开机自启
[root@web01 ~]# systemctl start nginx php-fpm
[root@web01 ~]# systemctl enable nginx php-fpm

# 4.编辑配置文件
# 4.1编辑fastcgi这个文件,加上此参数让后端PHP知道前端负载均衡已经做了HTTPS卸载(否则站点会在http/https之间来回跳转)     (重要)
[root@web01 ~]# vim /etc/nginx/fastcgi_params
...
fastcgi_param HTTPS on;


[root@web01 ~]# vim /etc/nginx/conf.d/wordpress.conf
server {
        listen 80;
        server_name wp.com;
        root /code/wordpress;
        index index.php;

        location ~ \.php$ {
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }

}


[root@web01 ~]# vim /etc/nginx/conf.d/zh.conf
server {
        listen 80;
        server_name zh.com;
        root /code/zh;
        index index.php;

        location ~ \.php$ {
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }

}


# 5.创建站点目录
[root@web01 ~]# mkdir /code/{wordpress,zh} -p

# 6.检查语法
[root@web01 ~]# nginx -t

# 7.重新加载配置文件
[root@web01 ~]# nginx -s reload

# 8.配置域名解析


##### 9.上传wordpress和Wecenter(或者去网站下载)
[root@web01 ~]# rz

# 9.1解压
[root@web01 ~]# tar xf wordpress-5.0.3-zh_CN.tar.gz 
[root@web01 ~]# unzip WeCenter_3-2-1.zip

# 10.把所有文件移动到站点目录下
[root@web01 ~]# mv wordpress/* /code/wordpress/
[root@web01 ~]# mv WeCenter_3-2-1/* /code/zh/

# 11.授权目录
[root@web01 ~]# chown www.www -R /code/

# 12.上传解压主题
[root@web01 ~]# cd /code/wordpress/wp-content/themes
[root@web01 /code/wordpress/wp-content/themes]# rz
[root@web01 /code/wordpress/wp-content/themes]# unzip QQ.zip

3.安装部署mariadb(db01操作)

# 1.下载mariadb
[root@db01 ~]# yum install -y mariadb-server.x86_64 

# 2.启动数据库并开机自启
[root@db01 ~]# systemctl start mariadb.service 
[root@db01 ~]# systemctl enable mariadb.service

# 3.给数据库一个登入密码
[root@db01 ~]# mysqladmin -uroot password '123'

# 4.登入数据库
[root@db01 ~]# mysql -uroot -p123

# 5.创建wordpress和Wecenter数据库
MariaDB [(none)]> create database wp;
MariaDB [(none)]> create database zh;

# 6.查看是否创建成功
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
| wp                 |
| zh                 |
+--------------------+
6 rows in set (0.00 sec)

# 7.创建用户 (所有数据库的登入用户; 这里为了演示授予了 *.* 全部权限, 生产环境应只授权 wp 和 zh 两个库并使用强密码)
MariaDB [(none)]> grant all on *.* to wp_zh@'%' identified by '111';

4.访问浏览器并发表文章

技术图片

技术图片

5.其他web的操作

# 1.上传和解压rpm包
[root@web02 ~]# tar xf nginx_php.tgz
[root@web02 ~]# cd nginx_php/
[root@web02 ~/nginx_php]# rpm -ivh *

[root@web03 ~]# tar xf nginx_php.tgz
[root@web03 ~]# cd nginx_php/
[root@web03 ~/nginx_php]# rpm -ivh *

# 2.创建用户和用户组
[root@web02 ~]# groupadd www -g 666
[root@web02 ~]# useradd www -u 666 -g 666 -s /sbin/nologin -M

[root@web03 ~]# groupadd www -g 666
[root@web03 ~]# useradd www -u 666 -g 666 -s /sbin/nologin -M


############## web01上的操作,发送需要的东西

# 发送站点目录
[root@web01 ~]# rsync -az --delete /code 172.16.1.8:/
[root@web01 ~]# rsync -az --delete /code 172.16.1.9:/

# 发送nginx和php配置文件
[root@web01 ~]# rsync -az --delete /etc/nginx/ 172.16.1.9:/etc/nginx/
[root@web01 ~]# rsync -az --delete /etc/nginx/ 172.16.1.8:/etc/nginx/
[root@web01 ~]# rsync -avz --delete /etc/php-fpm.d/ 172.16.1.9:/etc/php-fpm.d/
[root@web01 ~]# rsync -avz --delete /etc/php-fpm.d/ 172.16.1.8:/etc/php-fpm.d/


########### web02和03的操作
[root@web02 ~]# systemctl start nginx php-fpm.service 
[root@web02 ~]# systemctl enable nginx php-fpm.service 
[root@web02 ~]# nginx -s reload

[root@web03 ~]# systemctl start nginx php-fpm.service 
[root@web03 ~]# systemctl enable nginx php-fpm.service 
[root@web03 ~]# nginx -s reload

6.nfs共享目录(服务端)

# 1.创建统一用户
[root@nfs ~]# groupadd www -g 666
[root@nfs ~]# useradd www -g 666 -u 666 -s /sbin/nologin -M

# 2.更改NFS的配置文件
[root@nfs ~]# vim /etc/exports
/file/zh 172.16.1.0/24(sync,rw,all_squash,anonuid=666,anongid=666)
/file/wp 172.16.1.0/24(sync,rw,all_squash,anonuid=666,anongid=666)

# 3.创建共享目录
[root@nfs ~]# mkdir /file/{wp,zh} -p

# 4.授权共享目录
[root@nfs ~]# chown www.www -R /file/ 

# 5.启动并开机自启nfs
[root@nfs ~]# systemctl start nfs
[root@nfs ~]# systemctl enable nfs



############# web01上的操作
# 6.发送项目上的图片到共享目录上
# wordpress上的图片
[root@web01 ~]# scp -r /code/wordpress/wp-content/uploads/* 172.16.1.31:/file/wp/
# 知乎上的图片
[root@web01 ~]# scp -r /code/zh/uploads/* 172.16.1.31:/file/zh

# 7.查看共享目录是否成功了
[root@web01 ~]# showmount -e 172.16.1.31
Export list for 172.16.1.31:
/file/wp 172.16.1.0/24
/file/zh 172.16.1.0/24

# 8.web01挂载
[root@web01 ~]# mount -t nfs 172.16.1.31:/file/zh /code/zh/uploads/
[root@web01 ~]# mount -t nfs 172.16.1.31:/file/wp /code/wordpress/wp-content/uploads/

# 9.查看
[root@web01 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              19G  1.6G   17G   9% /
devtmpfs              476M     0  476M   0% /dev
tmpfs                 487M     0  487M   0% /dev/shm
tmpfs                 487M  7.7M  479M   2% /run
tmpfs                 487M     0  487M   0% /sys/fs/cgroup
/dev/sda1             497M  120M  378M  25% /boot
tmpfs                  98M     0   98M   0% /run/user/0
172.16.1.31:/file/zh   19G  1.3G   18G   7% /code/zh/uploads
172.16.1.31:/file/wp   19G  1.3G   18G   7% /code/wordpress/wp-content/uploads

# 10.web02挂载
[root@web02 ~]# mount -t nfs 172.16.1.31:/file/zh /code/zh/uploads/
[root@web02 ~]# mount -t nfs 172.16.1.31:/file/wp /code/wordpress/wp-content/uploads/

# 11.查看
[root@web02 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              19G  1.6G   17G   9% /
devtmpfs              476M     0  476M   0% /dev
tmpfs                 487M     0  487M   0% /dev/shm
tmpfs                 487M  7.7M  479M   2% /run
tmpfs                 487M     0  487M   0% /sys/fs/cgroup
/dev/sda1             497M  120M  378M  25% /boot
tmpfs                  98M     0   98M   0% /run/user/0
172.16.1.31:/file/zh   19G  1.3G   18G   7% /code/zh/uploads
172.16.1.31:/file/wp   19G  1.3G   18G   7% /code/wordpress/wp-content/uploads

# 12.web03挂载
[root@web03 ~]# mount -t nfs 172.16.1.31:/file/zh /code/zh/uploads/
[root@web03 ~]# mount -t nfs 172.16.1.31:/file/wp /code/wordpress/wp-content/uploads/

# 13.查看
[root@web03 ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              19G  1.6G   17G   9% /
devtmpfs              476M     0  476M   0% /dev
tmpfs                 487M     0  487M   0% /dev/shm
tmpfs                 487M  7.7M  479M   2% /run
tmpfs                 487M     0  487M   0% /sys/fs/cgroup
/dev/sda1             497M  120M  378M  25% /boot
tmpfs                  98M     0   98M   0% /run/user/0
172.16.1.31:/file/zh   19G  1.3G   18G   7% /code/zh/uploads
172.16.1.31:/file/wp   19G  1.3G   18G   7% /code/wordpress/wp-content/uploads


########### 共享图片完成

7.rsync备份backup操作(服务端)

[root@backup ~]# vim /etc/rsyncd.conf
 # 指定启动rsync服务的用户id
 uid = www
 # 指定启动rsync服务的用户组id
 gid = www
 # 指定rsync服务启动的端口
 port = 873
 # 假装是root
 fake super = yes
 # 不使用chroot禁锢path目录(配合上面的 fake super 以非root用户运行)
 use chroot = no
 # 最大连接数是200
 max connections = 200
 # 超时时间是600s
 timeout = 600
 # 忽略错误
 ignore errors
 # 可读可写
 read only = false
 # 其它客户端用户不允许查看模块名
 list = false
 # rsync服务的日志所在路径
 log file = /var/log/rsyncd.log

 ########### 命令相关配置 #############
 auth users = nfs_bak
 secrets file = /etc/rsync_pass
 [nfs]
 comment = welcome to backup!
 path = /backup

# 创建备份目录
[root@backup ~]# mkdir /backup
# 创建用户
[root@backup ~]# groupadd www -g 666
[root@backup ~]# useradd www -g 666 -u 666 -s /sbin/nologin -M
# 写入rsync的用户和密码
[root@backup ~]# echo 'nfs_bak:123' > /etc/rsync_pass
# 授权
[root@backup ~]# chmod 600 /etc/rsync_pass
[root@backup ~]# chown www.www /backup/
# 启动并开机自启rsync
[root@backup ~]# systemctl start rsyncd
[root@backup ~]# systemctl enable rsyncd
Created symlink from /etc/systemd/system/multi-user.target.wants/rsyncd.service to /usr/lib/systemd/system/rsyncd.service.
# 查看端口
[root@backup ~]# netstat -lntup |grep 873

8.nfs操作sersync (客户端)

# 下载sersync
[root@nfs ~]# yum install -y rsync inotify-tools
# 解压
[root@nfs ~]# tar xf sersync2.5.4_64bit_binary_stable_final.tar.gz
# 移动并改名
[root@nfs ~]# mv GNU-Linux-x86 /usr/local/sersync
# 编辑配置文件 (注意 localpath 的 watch 路径要改成上面NFS导出的目录 /file, 否则共享的图片不会被实时备份)
[root@nfs ~]# vim /usr/local/sersync/confxml.xml
...
    </filter>
    <inotify>
        <delete start="true"/>
        <createFolder start="true"/>
        <createFile start="false"/>
        <closeWrite start="true"/>
        <moveFrom start="true"/>
        <moveTo start="true"/>
        <attrib start="true"/>
        <modify start="true"/>
    </inotify>

    <sersync>
        <localpath watch="/data">
            <remote ip="172.16.1.41" name="nfs"/>
            <!--<remote ip="192.168.8.39" name="tongbu"/>-->
            <!--<remote ip="192.168.8.40" name="tongbu"/>-->
        </localpath>
        <rsync>
            <commonParams params="-az"/>
            <auth start="true" users="nfs_bak" passwordfile="/etc/rsync.pas"/>
            <userDefinedPort start="false" port="874"/><!-- port=874 -->
            <timeout start="false" time="100"/><!-- timeout=100 -->
            <ssh start="false"/>
        </rsync>
...

# 写入rsync的密码
[root@nfs ~]# echo '123' > /etc/rsync.pas
# 授权
[root@nfs ~]# chmod 600 /etc/rsync.pas
# 启动sersync
[root@nfs ~]#  /usr/local/sersync/sersync2 -rdo /usr/local/sersync/confxml.xml


#####成功实时备份

9.负载均衡上的操作

# 1.安装nginx
[root@lb01 ~]# tar xf nginx_php.tgz 
[root@lb01 ~]# cd nginx_php/
[root@lb01 ~/nginx_php]# rpm -ivh nginx*

# 2.统一用户
[root@lb01 ~]# groupadd www -g 666
[root@lb01 ~]# useradd www -g 666 -u 666 -s /sbin/nologin -M
[root@lb01 ~]# vim /etc/nginx/nginx.conf

# 3.编辑代理服务的安全优化
[root@lb01 ~]# vim /etc/nginx/proxy_params
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;

proxy_buffering on;
proxy_buffer_size 32k;
proxy_buffers 4 128k;

proxy_next_upstream error timeout http_500 http_502 http_503 http_504 http_404 http_403;

# 4.创建证书目录
[root@lb01 ~]# mkdir /etc/nginx/ssl

# 5.创建带口令的私钥 (第7步会重新生成一份不带口令的私钥, 以便nginx启动时不用交互输入口令)
[root@web01 ssl]# openssl genrsa -idea -out /etc/nginx/ssl/`date +%Y%m%d`_aaa.com.key 2048 

Generating RSA private key, 2048 bit long modulus
.....+++
........................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/nginx/ssl_key/20200603_aaa.com.key:
Verifying - Enter pass phrase for /etc/nginx/ssl_key/20200603_aaa.com.key:

# 6.查看
[root@web01 ssl_key]# ls
total 4
-rw-r--r-- 1 root root 1739 Jun  3 21:57 20200603_aaa.com.key

# 7.生成自签证书,同时去掉私钥的密码
[root@web01 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout /etc/nginx/20200603_aaa.com.key -out /etc/nginx/ssl/20200603_aaa.com.crt

Generating a 2048 bit RSA private key
..................................................................................................+++
...................................................................................................+++
writing new private key to '/etc/nginx/ssl_key/20200603_aaa.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:shanghai
Organizational Unit Name (eg, section) []:shanghai
Common Name (eg, your name or your server's hostname) []:*.com
Email Address []:123@qq.com


[root@lb01 conf.d]# ll /etc/nginx/ssl/
total 8
-rw-r--r-- 1 root root 1379 Jun  4 03:44 aaa.com.crt
-rw-r--r-- 1 root root 1708 Jun  4 03:44 aaa.com.key


# 8.编辑配置文件 (ssl_certificate 和 ssl_certificate_key 的路径要与上面 ll /etc/nginx/ssl/ 看到的文件名一致; 第3步写好的 proxy_params 需要在 location / 里 include proxy_params; 后端才能拿到真实客户端IP)
[root@lb01 ~]# vim /etc/nginx/conf.d/wp_lb.conf
upstream wp {
        server 172.16.1.7;
        server 172.16.1.8;
        server 172.16.1.9;
}

server {
        listen 80;
        server_name wp.com;
         return 302 https://$server_name$request_uri;
}

server {
        listen 80;
        server_name zh.com;
         return 302 https://$server_name$request_uri;
}

server {
        listen 80;
        server_name admin.com;
         return 302 https://$server_name$request_uri;
}

server {
        listen 443 ssl;
        server_name wp.com zh.com admin.com;
        ssl_certificate     /etc/nginx/ssl/20200603105245_www.linux.com.crt;
        ssl_certificate_key /etc/nginx/ssl/20200603105245_www.linux.com.key;

        location / {
                proxy_pass http://wp;
                proxy_set_header Host $host;
        }
}

# 检查语法并重新加载配置文件
[root@lb01 ~]# nginx -t
[root@lb01 ~]# nginx -s reload

域名解析

技术图片

10.打开浏览器访问

wp.com

技术图片

技术图片

zh.com

技术图片

技术图片
