
Nginx server load balancing and the SSL principle, generating an SSL key pair, and an example of configuring SSL in Nginx

2025-03-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Nginx load balancing

When a user accesses a domain name defined in nginx, nginx forwards the request to one of several real back-end sites. This is implemented with an upstream block:

[root@centos7 vhost]# vim /usr/local/nginx/conf/vhost/load.conf
upstream www.tt.com {                  # custom domain name, used as the upstream group name
    # ip_hash;                         # ensures the same user always lands on the same machine, i.e. when the
                                       # domain name points to more than one IP, each user always resolves to the same IP
    server 192.168.3.74:80;            # IP and port of the real web servers
    server 192.168.3.83:80;
}
server {
    listen 80;
    server_name www.tt.com;
    location / {
        proxy_pass http://www.tt.com;  # must match the upstream group name above
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

SSL principle

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide security and data integrity for network communication.

The browser sends an HTTPS request to the server.

The server must have a set of digital certificates, which it can either make itself or apply for from a certificate authority. The difference is that a certificate the server issued itself has to be accepted by the client before access can continue, whereas a certificate obtained from a trusted authority does not produce the warning page. This set of certificates is really a key pair: a public key and a private key.

The server sends the public key to the client.

After receiving the public key, the client (browser) checks whether it is legitimate and valid. If it is not, the browser shows a warning; if it is, the client generates a random string and encrypts it with the received public key.

The client transmits the encrypted random string to the server

After receiving the encrypted random string, the server first decrypts it with its private key (public-key encryption, private-key decryption), and then uses the random string to encrypt the data it transmits. This second step is symmetric encryption: the data and the secret key (here, the random string) are combined by some algorithm so that the content cannot be recovered unless the secret key is known.

The server transmits the encrypted data to the client

After receiving the data, the client decrypts it with its own copy of the secret key, that is, the random string.

For the browser to accept it without a warning, the certificate must be issued by an authority recognized by the browser vendor.
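The exchange described above, acted out with the openssl CLI as an added example (not code from the original post): the server's key pair stands in for the certificate, the client wraps a random string with the server's public key, and both sides then use that string as the symmetric key. It assumes the openssl CLI is installed and writes all files to a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the original post: the handshake described in
# the text, reduced to the post's simplified RSA key-transport picture
# (client wraps a random secret with the server's public key; both sides
# then encrypt symmetrically). Assumes the openssl CLI; scratch dir in $D.
set -e
D="${D:-$(mktemp -d)}"
# Server side: the "certificate" is reduced here to its key pair.
server_make_keys() {
    openssl genrsa -out "$D/server.key" 2048 2>/dev/null
    openssl rsa -in "$D/server.key" -pubout -out "$D/server.pub" 2>/dev/null
}
# Client side: generate the random string and encrypt it with the public key
# received from the server. Only the holder of the private key can recover it.
client_wrap_secret() {
    openssl rand -hex 32 > "$D/secret.client"
    openssl pkeyutl -encrypt -pubin -inkey "$D/server.pub" \
        -in "$D/secret.client" -out "$D/secret.enc"
}
# Server side: decrypt the random string with the private key.
server_unwrap_secret() {
    openssl pkeyutl -decrypt -inkey "$D/server.key" \
        -in "$D/secret.enc" -out "$D/secret.server"
}
# Both sides now hold the same secret and use it as the symmetric key
# (AES-256-CBC with a password-derived key stands in for the session cipher).
server_send() {        # $1 = plaintext message
    printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass file:"$D/secret.server" -out "$D/msg.enc"
}
client_receive() {
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -pass file:"$D/secret.client" -in "$D/msg.enc"
}
# Check: the server's copy of the secret must equal the client's.
secrets_match() { cmp -s "$D/secret.client" "$D/secret.server"; }
# Without the private key the secret cannot be recovered. Newer OpenSSL
# returns random bytes instead of an error on a bad RSA decryption
# (implicit rejection), so compare the result rather than the exit status.
eavesdropper_recovers_secret() {
    openssl genrsa -out "$D/other.key" 2048 2>/dev/null
    openssl pkeyutl -decrypt -inkey "$D/other.key" -in "$D/secret.enc" \
        -out "$D/secret.other" 2>/dev/null || return 1
    cmp -s "$D/secret.client" "$D/secret.other"
}
# Walk through the exchange in order when run directly.
server_make_keys; client_wrap_secret; server_unwrap_secret
secrets_match && server_send "hello over the session key" && client_receive
```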

Generate SSL key pair

First of all, build nginx with the SSL module enabled.

1.

[root@centos7 nginx-1.12.1]# cd /data/package/nginx-1.12.1

2.

[root@centos7 nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module

3.

make

4.

make install

Formal procedure:

1.

[root@centos7 vhost]# cd /usr/local/nginx/conf/

2. Generate a passphrase-protected key; enter the password when prompted:

[root@centos7 conf]# openssl genrsa -des3 -out tmp.key 2048

3. Convert the key and remove the password:

[root@centos7 conf]# openssl rsa -in tmp.key -out testssl.key
Enter pass phrase for tmp.key:    (enter the password from step 2)

4. Delete the temporary key file:

[root@centos7 conf]# rm -f tmp.key

5. Generate the certificate request file

This request file, together with the private key, is used to produce the certificate (public key) file:

[root@centos7 conf]# openssl req -new -key testssl.key -out testssl.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:GZ
Organization Name (eg, company) [Default Company Ltd]:FC
Organizational Unit Name (eg, section) []:FC
Common Name (eg, your name or your server's hostname) []:testssl
Email Address []:admin@admin.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456

6.

[root@centos7 conf]# ls testssl.*
testssl.csr  testssl.key

7. Create the certificate (public key)

[root@centos7 conf]# openssl x509 -req -days 365 -in testssl.csr -signkey testssl.key -out testssl.crt
Signature ok
subject=/C=CN/ST=GD/L=GZ/O=FC/OU=FC/CN=testssl/emailAddress=admin@admin.com
Getting Private key
[root@centos7 conf]# ls testssl.*
testssl.crt  testssl.csr  testssl.key

8. Configure SSL in Nginx

[root@centos7 vhost]# vi ssl.conf
server {
    listen 443;
    server_name testssl.com;
    index index.html index.php;
    root /data/wwwroot/ssl.com;
    ssl on;                               # enable SSL (from nginx 1.15 use "listen 443 ssl;" instead)
    ssl_certificate testssl.crt;          # certificate (public key), path relative to the conf directory
    ssl_certificate_key testssl.key;      # private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # allowed protocol versions; TLSv1 and TLSv1.1 are deprecated (RFC 8996)
}

9.

[root@centos7 vhost]# /etc/init.d/nginx restart

10.

[root@centos7 vhost]# netstat -nutlp | grep 443
tcp        0      0 0.0.0.0:443        0.0.0.0:*          LISTEN      7703/nginx: master

Verify:

Because the SSL certificate I applied for was not approved by the browser, it was marked as unsafe, but the site can be accessed.
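Steps 2 to 7 of the procedure above, run non-interactively, followed by the checks worth doing before nginx loads the files: that the certificate really belongs to the private key, that a self-signed certificate is not trusted by the default CA store (which is the browser warning seen in the Verify step), and which Common Name it carries. This is an added example, not the post's own commands; it assumes the openssl CLI is installed and writes into a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): steps 2-7 of the procedure
# above without prompts, plus the checks worth doing before pointing nginx
# at the files. Assumes the openssl CLI; files go to a scratch directory.
set -e
WORK="${WORK:-$(mktemp -d)}"
# Steps 2-4 collapsed: generate the key without a passphrase, which is what
# "genrsa -des3" followed by "rsa -in tmp.key -out testssl.key" ends up with.
gen_key() {
    openssl genrsa -out "$WORK/testssl.key" 2048 2>/dev/null
}
# Step 5 without prompts: -subj carries the values the post typed by hand.
gen_csr() {
    openssl req -new -key "$WORK/testssl.key" -out "$WORK/testssl.csr" \
        -subj "/C=CN/ST=GD/L=GZ/O=FC/OU=FC/CN=testssl/emailAddress=admin@admin.com"
}
# Step 7: self-sign the request with the same key, valid for 365 days.
gen_cert() {
    openssl x509 -req -days 365 -in "$WORK/testssl.csr" \
        -signkey "$WORK/testssl.key" -out "$WORK/testssl.crt" 2>/dev/null
}
# Check 1: the certificate's public key must belong to the private key nginx
# loads next to it; comparing the RSA modulus of both is the usual test.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$WORK/testssl.key")
    c=$(openssl x509 -noout -modulus -in "$WORK/testssl.crt")
    [ -n "$k" ] && [ "$k" = "$c" ]
}
# Check 2: chain validation against the default CA store. A self-signed
# certificate is expected to FAIL here (non-zero exit), which is exactly
# why the browser flags the site as unsafe in the Verify step.
cert_is_trusted() {
    openssl verify "$WORK/testssl.crt" >/dev/null 2>&1
}
# Check 3: the Common Name the certificate was issued for; it has to match
# the server_name that clients will connect with.
cert_cn() {
    openssl x509 -noout -subject -in "$WORK/testssl.crt" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
# Run the procedure end to end when executed directly.
gen_key; gen_csr; gen_cert
key_matches_cert && echo "key and certificate match, CN=$(cert_cn)"
cert_is_trusted || echo "not trusted by the default CA store (expected for self-signed)"
```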

In addition, for the load balancing configuration of Ali Cloud, please refer to its official documentation: https://help.aliyun.com/document_detail/27552.html
