• nginx 配置https 负载均衡


    1、Winodw安装openssl工具(生成SSL证书用的)免编译版本下载:

    http://slproweb.com/products/Win32OpenSSL.html

    注意:如果openssl在使用过程中报无法读取conf文件,重启下电脑就好了

    Cmd里面的全部命令:

    C:OpenSSL-Win64>cd bin

    C:OpenSSL-Win64in>openssl genrsa -des3 -out ssd.key 1024

    Generating RSA private key, 1024 bit long modulus

    ....++++++

    ........++++++

    e is 65537 (0x10001)

    Enter pass phrase for ssd.key:    ---123456

    Verifying - Enter pass phrase for ssd.key:  ---123456

    C:OpenSSL-Win64in>openssl req -new -key ssd.key -out ssd.csr

    Enter pass phrase for ssd.key:   ---123456

    You are about to be asked to enter information that will be incorporated

    into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank

    For some fields there will be a default value,

    If you enter '.', the field will be left blank.

    -----

    Country Name (2 letter code) [AU]:cn

    State or Province Name (full name) [Some-State]:guangdong

    Locality Name (eg, city) []:zhuhai

    Organization Name (eg, company) [Internet Widgits Pty Ltd]:ssd

    Organizational Unit Name (eg, section) []:ssd

    Common Name (e.g. server FQDN or YOUR name) []:yuange

    Email Address []:1871707128@qq.com

    Please enter the following 'extra' attributes

    to be sent with your certificate request

    A challenge password []:123456

    An optional company name []:ssd

    C:OpenSSL-Win64in>openssl x509 -req -days 36500 -shal -extensions v3_ca -sign

    key ssd.key -in ssd.csr -out ssd.crt

    unknown option -shal             ----这里面错的原因是:sha1不是shal

    usage: x509 args

     -inform arg     - input format - default PEM (one of DER, NET or PEM)

     -outform arg    - output format - default PEM (one of DER, NET or PEM)

     -keyform arg    - private key format - default PEM

     -CAform arg     - CA format - default PEM

     -CAkeyform arg  - CA key format - default PEM

     -in arg         - input file - default stdin

     -out arg        - output file - default stdout

     -passin arg     - private key password source

     -serial         - print serial number value

     -subject_hash   - print subject hash value

     -subject_hash_old   - print old-style (MD5) subject hash value

     -issuer_hash    - print issuer hash value

     -issuer_hash_old    - print old-style (MD5) issuer hash value

     -hash           - synonym for -subject_hash

     -subject        - print subject DN

     -issuer         - print issuer DN

     -email          - print email address(es)

     -startdate      - notBefore field

     -enddate        - notAfter field

     -purpose        - print out certificate purposes

     -dates          - both Before and After dates

     -modulus        - print the RSA key modulus

     -pubkey         - output the public key

     -fingerprint    - print the certificate fingerprint

     -alias          - output certificate alias

     -noout          - no certificate output

     -ocspid         - print OCSP hash values for the subject name and public key

     -ocsp_uri       - print OCSP Responder URL(s)

     -trustout       - output a "trusted" certificate

     -clrtrust       - clear all trusted purposes

     -clrreject      - clear all rejected purposes

     -addtrust arg   - trust certificate for a given purpose

     -addreject arg  - reject certificate for a given purpose

     -setalias arg   - set certificate alias

     -days arg       - How long till expiry of a signed certificate - def 30 days

     -checkend arg   - check whether the cert expires in the next arg seconds

                       exit 1 if so, 0 if not

     -signkey arg    - self sign cert with arg

     -x509toreq      - output a certification request object

     -req            - input is a certificate request, sign and output.

     -CA arg         - set the CA certificate, must be PEM format.

     -CAkey arg      - set the CA key, must be PEM format

                       missing, it is assumed to be in the CA file.

     -CAcreateserial - create serial number file if it does not exist

     -CAserial arg   - serial file

     -set_serial     - serial number to use

     -text           - print the certificate in text form

     -C              - print out C code forms

     -md2/-md5/-sha1/-mdc2 - digest to use

     -extfile        - configuration file with X509V3 extensions to add

     -extensions     - section from config file with X509V3 extensions to add

     -clrext         - delete extensions before signing and input certificate

     -nameopt arg    - various certificate name options

     -engine e       - use engine e, possibly a hardware device.

     -certopt arg    - various certificate text options

     -checkhost host - check certificate matches "host"

     -checkemail email - check certificate matches "email"

     -checkip ipaddr - check certificate matches "ipaddr"

    C:OpenSSL-Win64in>openssl x509 -req -days 36500  -extensions v3_ca -signkey s

    sd.key -in ssd.csr -out ssd.crt

    Signature ok

    subject=/C=cn/ST=guangdong/L=zhuhai/O=ssd/OU=ssd/CN=yuange/emailAddress=18717071

    28@qq.com

    Getting Private key      --123456

    Enter pass phrase for ssd.key:    --123456

    C:OpenSSL-Win64in>openssl genrsa -des3 -out server.key 2048

    Generating RSA private key, 2048 bit long modulus

    .........................................+++

    ...+++

    e is 65537 (0x10001)

    Enter pass phrase for server.key:  ---123456

    Verifying - Enter pass phrase for server.key:  ---123456

    C:OpenSSL-Win64in>openssl req -new -key server.key -out server.csr

    Enter pass phrase for server.key:   ---123456

    You are about to be asked to enter information that will be incorporated

    into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank

    For some fields there will be a default value,

    If you enter '.', the field will be left blank.

    -----

    Country Name (2 letter code) [AU]:cn

    State or Province Name (full name) [Some-State]:guangdong

    Locality Name (eg, city) []:zhuhai

    Organization Name (eg, company) [Internet Widgits Pty Ltd]:ssd

    Organizational Unit Name (eg, section) []:ssd

    Common Name (e.g. server FQDN or YOUR name) []:yuange

    Email Address []:1871707128@qq.com

    Please enter the following 'extra' attributes

    to be sent with your certificate request

    A challenge password []:123456

    An optional company name []:ssd

    C:OpenSSL-Win64in>openssl x509 -req -days 36500 -md5 -extensions v3_req -CA s

    sd.crt -CAkey ssd.key -CAcreateserial -in server.csr -out server.crt

    Signature ok

    subject=/C=cn/ST=guangdong/L=zhuhai/O=ssd/OU=ssd/CN=yuange/emailAddress=18717071

    28@qq.com

    Getting CA Private Key   ---123456

    Enter pass phrase for ssd.key:  ---123456

    以上的密码全部都是123456

    注意:以上生成的证书保存在openssl/bin目录下,然后把生成的证书拷贝到nginx/conf的目录下,在这里面我只拷贝了server.crt  server.key

     

    2、什么都配置好后发现:

    Nginx -t 编译成功,但是运行的时候就自动关闭了,查看日志的时候报错了:

     

    查了好久,终于知道了原因:

    Windows下的nginx配置sslkey是不能存储密码的,否则就会报这个错

    解决办法:

    cmdcd openssl/bin的目录下,输入:

    Openssl rsa -in  C:OpenSSL-Win64inserver.key  -out c:/server.key.unsecure

    输入server.key当初设置的密码,这里面是123456

     

    然后在C根目录下可以看到:成功

     

    server.key.unsecure替换在nginx.conf文件中的server.key内容  即可

     3、配置nginx.conf

      1 #使用的用户和组,window下不指定
      2 #user nobody;
      3 #指定工作衍生进程数(一般等于CPU总和数或总和数的两倍,例如两个四核CPU,则总和数为8)
      4 worker_processes 3;
      5 #指定错误日志文件存放路径,错误日志级别可选项为【debug|info|notice|warn|error|crit】
      6 #error_log logs/error.log;
      7 #error_log logs/error.log notice;
      8 error_log logs/error.log info;
      9 #指定pid存放路径
     10 #pid logs/nginx.pid; 
     11 
     12 #工作模式及连接数上限
     13 events {
     14 #使用网络I/O模型,Linux系统推荐使用epoll模型,FreeBSD系统推荐使用kqueue;window下不指定
     15 #use epoll;
     16 #允许的连接数
     17 worker_connections 1024;
     18 } 
     19 
     20 #设定http服务器,利用他的反向代理功能提供负载均衡支持
     21 http {
     22 #设定mime类型
     23 include mime.types;
     24 default_type application/octet-stream;
     25 #设定日志格式
     26 #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
     27 # '$status $body_bytes_sent "$http_referer" '
     28 # '"$http_user_agent" "$http_x_forwarded_for"'; 
     29 
     30 
     31 #设定请求缓冲
     32 client_header_buffer_size 1k;
     33 large_client_header_buffers 4 4k; 
     34 
     35 #设定access log
     36 #access_log logs/access.log main;
     37 client_header_timeout 3m;
     38 client_body_timeout 3m;
     39 send_timeout 3m; 
     40 
     41 sendfile on;
     42 tcp_nopush on;
     43 tcp_nodelay on;
     44 #keepalive_timeout 0;
     45 keepalive_timeout 65; 
     46 
     47 #开启gzip模块
     48 gzip on;
     49 gzip_min_length 1100;
     50 gzip_buffers 4 8k;
     51 gzip_types text/plain application/x-javascript text/css application/xml; 
     52 
     53 output_buffers 1 32k;
     54 postpone_output 1460; 
     55 
     56 server_names_hash_bucket_size 128;
     57 client_max_body_size 8m; 
     58 
     59 fastcgi_connect_timeout 300;
     60 fastcgi_send_timeout 300;
     61 fastcgi_read_timeout 300;
     62 fastcgi_buffer_size 64k;
     63 fastcgi_buffers 4 64k;
     64 fastcgi_busy_buffers_size 128k;
     65 fastcgi_temp_file_write_size 128k;
     66 gzip_http_version 1.1;
     67 gzip_comp_level 2;
     68 gzip_vary on; 
     69 
     70 #设定负载均衡的服务器列表
     71 upstream url{
     72 #根据ip计算将请求分配各那个后端tomcat,可以解决session问题
     73 #ip_hash;
     74 #同一机器在多网情况下,路由切换,ip可能不同
     75 #weigth参数表示权值,权值越高被分配到的几率越大
     76 #server localhost:8080 weight=1;
     77 #server 10.152.252.160:8443 weight=2;
     78 #server 10.152.252.162:8443 weight=20;
     79 server 10.152.252.160:8443 max_fails=2 fail_timeout=600s;
     80 server 10.152.252.162:8443 max_fails=2 fail_timeout=600s;
     81 } 
     82 
     83 #设定虚拟主机
     84 server {
     85 listen 8080;
     86 #server_name 10.152.252.160; 
     87 
     88 #proxy_pass https://url;
     89 rewrite ^(.*)$ https://$host:8443$1 permanent;
     90 #charset koi8-r;
     91 charset UTF-8;
     92 #设定本虚拟主机的访问日志
     93 #access_log logs/host.access.log main;
     94 
     95 #error_page 404 /404.html; 
     96 
     97 # redirect server error pages to the static page /50x.html
     98 #
     99 error_page 500 502 503 504 /50x.html;
    100 location = /50x.html {
    101 root html;
    102 } 
    103 }
    104 # HTTPS server
    105 server {
    106  listen 443;
    107  listen 8444;
    108  server_name 10.152.252.160; 
    109 
    110  ssl on;
    111  ssl_certificate server.crt;
    112  ssl_certificate_key server.key.unsecure; 
    113 
    114  ssl_session_timeout 5m; 
    115 
    116  ssl_protocols SSLv2 SSLv3 TLSv1;
    117  ssl_ciphers HIGH:!aNULL:!MD5;
    118  ssl_prefer_server_ciphers on; 
    119 
    120  location / {
    121  root html;
    122  index index.html index.htm;
    123 
    124  proxy_redirect off;
    125  #保留用户真实信息
    126  proxy_set_header Host $host;
    127  proxy_set_header X-Real-IP $remote_addr;
    128  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    129  
    130  proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
    131  proxy_max_temp_file_size 128m; 
    132 
    133  proxy_pass https://url;
    134  }
    135 } 
    136 }
    View Code
  • 相关阅读:
    在Mybatis中使用连表查询的一次实际应用
    Mybatis使用generatedKey在插入数据时返回自增id始终为1,自增id实际返回到原对象当中的问题排查
    一次org.springframework.jdbc.BadSqlGrammarException ### Error querying database Cause: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException问题排查过程
    商品的spu、sku及其之间的关系
    Java transient关键字的理解
    关于Serializable的一个形象的例子
    一个很大的文件,存放了10G个整数的乱序数列,如何用程序找出中位数。
    Logger.error方法之打印错误异常的详细堆栈信息
    什么是Http无状态?Session、Cookie、Token三者之间的区别
    接口API中的敏感数据基于AES进行安全加密后返回
  • 原文地址:https://www.cnblogs.com/qq1871707128/p/7078232.html
Copyright © 2020-2023  润新知