Nginx 作负载均衡进行 https 访问配置
一、 实验环境
操作系统:CentOS 7.6 x86_64
机器环境配置:
| 机器用途 | IP | nginx版本 | 用途 |
| --- | --- | --- | --- |
| nginx | 192.168.227.100 | nginx/1.6.2 | 前端负载均衡 |
| web-1 | 192.168.227.101 | nginx/1.6.2 | Web服务器 |
| web-2 | 192.168.227.102 | nginx/1.6.2 | Web服务器 |
二、 环境安装
nginx服务器环境安装:
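# Build nginx from source on the load balancer.
# NOTE(review): nginx 1.6.2 is a long-unsupported release; outside a lab use a
# currently maintained version, and verify the tarball against the PGP
# signature published on nginx.org before unpacking it.
[root@nginx ~]# cd /opt/
[root@nginx opt]# tar zxf nginx-1.6.2.tar.gz && cd nginx-1.6.2
[root@nginx nginx-1.6.2]# yum -y install perl-devel perl-ExtUtils-Embed zlib zlib-devel gcc gcc-c++ openssl openssl-devel
# The build is configured with --user=nginx/--group=nginx and nginx.conf uses
# "user nginx nginx;", so the unprivileged account has to exist before nginx
# starts. It gets no home directory and no login shell.
[root@nginx nginx-1.6.2]# useradd -r -M -s /sbin/nologin nginx
[root@nginx nginx-1.6.2]# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx \
--with-http_stub_status_module --with-http_ssl_module \
--with-http_gzip_static_module --with-http_sub_module --with-http_perl_module \
--conf-path=/usr/local/nginx/conf/nginx.conf \
--pid-path=/usr/local/nginx/nginx.pid --with-ld-opt="-Wl,-E"
[root@nginx nginx-1.6.2]# make && make install
# Create a profile.d snippet that puts the nginx binary on PATH.
[root@nginx nginx-1.6.2]# cd /etc/profile.d/
[root@nginx profile.d]# vim nginx.sh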
#!/bin/bash
# Append the source-built nginx binaries to PATH for login shells.
export PATH="${PATH}:/usr/local/nginx/sbin"
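# Re-read /etc/profile so the new PATH entry applies to the current shell.
[root@nginx profile.d]# source /etc/profile
# NOTE(review): locally written units are normally placed in /etc/systemd/system
# so that package updates cannot overwrite them; the page uses the vendor directory.
[root@nginx profile.d]# cd /usr/lib/systemd/system
[root@nginx system]# vim nginx.service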
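# systemd unit for the source-built nginx installed under /usr/local/nginx.
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target

[Service]
# nginx daemonizes itself; systemd follows the master process through the PID file.
Type=forking
PIDFile=/usr/local/nginx/nginx.pid
# Validate the configuration first so that a broken nginx.conf fails the start.
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# HUP makes the master reload its configuration; QUIT requests a graceful shutdown.
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
# Give the service private /tmp and /var/tmp directories.
PrivateTmp=true

[Install]
# The target name must be spelled in full, otherwise "systemctl enable" does
# not hook the service into the normal boot sequence.
WantedBy=multi-user.target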
# Make systemd pick up the new nginx.service, start it now and enable it at boot.
[root@nginx system]# systemctl daemon-reload
[root@nginx system]# systemctl start nginx.service
[root@nginx system]# systemctl enable nginx.service
Web服务器的nginx环境安装(web-1与web-2操作一致):
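# Build nginx from source on a backend web server (same steps on web-1 and web-2).
# NOTE(review): nginx 1.6.2 is a long-unsupported release; outside a lab use a
# currently maintained version and verify the tarball signature before unpacking.
[root@web-1 ~]# cd /opt/
[root@web-1 opt]# tar zxf nginx-1.6.2.tar.gz && cd nginx-1.6.2
[root@web-1 nginx-1.6.2]# yum -y install perl-devel perl-ExtUtils-Embed zlib zlib-devel gcc gcc-c++ openssl openssl-devel
# The build is configured with --user=nginx/--group=nginx and nginx.conf uses
# "user nginx nginx;", so the unprivileged account has to exist before nginx
# starts. It gets no home directory and no login shell.
[root@web-1 nginx-1.6.2]# useradd -r -M -s /sbin/nologin nginx
[root@web-1 nginx-1.6.2]# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx \
--with-http_stub_status_module --with-http_ssl_module \
--with-http_gzip_static_module --with-http_sub_module --with-http_perl_module \
--conf-path=/usr/local/nginx/conf/nginx.conf \
--pid-path=/usr/local/nginx/nginx.pid --with-ld-opt="-Wl,-E"
[root@web-1 nginx-1.6.2]# make && make install
# Create a profile.d snippet that puts the nginx binary on PATH.
[root@web-1 nginx-1.6.2]# cd /etc/profile.d/
[root@web-1 profile.d]# vim nginx.sh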
#!/bin/bash
# Append the source-built nginx binaries to PATH for login shells.
export PATH="${PATH}:/usr/local/nginx/sbin"
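# Re-read /etc/profile so the new PATH entry applies to the current shell.
[root@web-1 profile.d]# source /etc/profile
# NOTE(review): locally written units are normally placed in /etc/systemd/system
# so that package updates cannot overwrite them; the page uses the vendor directory.
[root@web-1 profile.d]# cd /usr/lib/systemd/system
[root@web-1 system]# vim nginx.service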
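# systemd unit for the source-built nginx installed under /usr/local/nginx.
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target

[Service]
# nginx daemonizes itself; systemd follows the master process through the PID file.
Type=forking
PIDFile=/usr/local/nginx/nginx.pid
# Validate the configuration first so that a broken nginx.conf fails the start.
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
# HUP makes the master reload its configuration; QUIT requests a graceful shutdown.
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
# Give the service private /tmp and /var/tmp directories.
PrivateTmp=true

[Install]
# The target name must be spelled in full, otherwise "systemctl enable" does
# not hook the service into the normal boot sequence.
WantedBy=multi-user.target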
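# Make systemd pick up the new nginx.service, start it now and enable it at boot.
[root@web-1 system]# systemctl daemon-reload
[root@web-1 system]# systemctl start nginx.service
[root@web-1 system]# systemctl enable nginx.service
# Keep the stock page as a backup, then write a page that identifies this backend.
[root@web-1 system]# cd /usr/local/nginx/html
[root@web-1 html]# mv index.html index.html.bak
[root@web-1 html]# vim index.html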
<h1>192.168.227.101</h1>
注:index.html中ip内容改成web服务器自身ip地址即可
三、 服务配置
nginx机器配置
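# Edit the main configuration of the load balancer.
[root@nginx ~]# cd /usr/local/nginx/conf
[root@nginx conf]# vim nginx.conf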
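# Front-end load balancer: terminates TLS on 443 and proxies to the two web
# servers; plain HTTP on port 80 is redirected to HTTPS.
user nginx nginx;
worker_processes auto;
error_log logs/error.log;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;

    sendfile on;
    keepalive_timeout 65;
    # NOTE(review): HTTP compression over TLS is the precondition for BREACH;
    # consider turning gzip off for responses that carry secrets.
    gzip on;

    # Backend pool; with no balancing directive nginx distributes round-robin.
    upstream LB_TEST {
        server 192.168.227.101:80;
        server 192.168.227.102:80;
    }

    server {
        # The ssl parameter of listen replaces the deprecated "ssl on;" directive.
        listen 443 ssl;
        server_name localhost;

        ssl_certificate /opt/certificate/server.crt;
        ssl_certificate_key /opt/certificate/server.key;
        # Set explicitly: the default protocol list of this nginx release still
        # includes SSLv3.
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
        ssl_prefer_server_ciphers on;

        location / {
            root html;
            index index.html index.htm;
            # TLS ends here; traffic to the backends is plain HTTP, so that
            # segment has to stay on a trusted network.
            proxy_pass http://LB_TEST;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # $proxy_add_x_forwarded_for appends to whatever the client sent,
            # so backends must not treat the leftmost entry as authoritative.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    server {
        listen 80;
        server_name localhost;
        # Send every plain-HTTP request to the same URI over HTTPS.
        # NOTE(review): $host is taken from the request's Host header; in
        # production set server_name to the real site name and redirect to it.
        return 301 https://$host$request_uri;
    }
}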
生成服务器端证书
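# Work inside /opt/certificate, the directory that ssl_certificate and
# ssl_certificate_key in nginx.conf point at.
[root@nginx conf]# cd /opt && mkdir certificate && cd certificate
# Generate the CA private key.
openssl genrsa -out ca.key 2048
# Create the self-signed CA certificate; -days sets the validity in days.
# The command prompts for location, organisation, site name and so on.
openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt
# Generate the RSA key pair of the server.
openssl genrsa -out server.key 2048
# Create the server CSR; it prompts for the same subject fields.
openssl req -new -key server.key -out server.csr
# Sign the server certificate with the CA.
# NOTE(review): no subjectAltName is added here; current browsers ignore the
# CN, so a certificate meant for real clients needs a SAN supplied via -extfile.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -sha256 -out server.crt -days 365
# Private keys must be readable by root only; in production the CA key should
# not be kept on the web-facing host at all.
chmod 600 ca.key server.key
# Check the configuration before asking the running master to reload it.
[root@nginx certificate]# nginx -t
[root@nginx certificate]# systemctl reload nginx.service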
web机器配置(web-1与web-2配置相同)
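# Edit the main configuration of the backend web server.
[root@web-1 ~]# cd /usr/local/nginx/conf
[root@web-1 conf]# vim nginx.conf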
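# Backend web server: serves the static test page over plain HTTP on port 80.
user nginx nginx;
worker_processes auto;
error_log logs/error.log;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # $http_x_forwarded_for is logged as received; it is only meaningful for
    # requests that actually arrived through the load balancer.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;

    sendfile on;
    keepalive_timeout 65;
    gzip on;

    server {
        listen 80;
        server_name localhost;
        # NOTE(review): as written, clients can reach this server directly and
        # bypass HTTPS on the load balancer. To accept only proxied traffic,
        # add "allow 192.168.227.100; deny all;" here or filter at the firewall.

        location / {
            root html;
            index index.html index.htm;
        }

        # Serve the stock error page for upstream/server errors.
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}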
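# Apply the new configuration on the backend.
[root@web-1 conf]# systemctl reload nginx.service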
测试: