upstream qq_com
{
ip_hash;  # route by client address so one client keeps hitting the same backend (nginx hashes the address it sees, so behind another proxy all clients map to one backend)
server 61.135.157.156:80;  # the two addresses dig returns for qq.com below; DNS answers have a TTL and can change
server 125.39.240.113:80;
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq_com;  # "qq_com" is the upstream block above, not a DNS name
proxy_set_header Host $host;  # pass the request's Host header through to the backend
proxy_set_header X-Real-IP $remote_addr;  # the client address as nginx sees it
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # appends $remote_addr to any incoming X-Forwarded-For; the earlier entries are client-supplied and must not be trusted by the backend
}
}
[root@hanfeng ~]# yum install -y bind-utils
[root@hanfeng ~]# dig qq.com
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24485
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com. IN A
;; ANSWER SECTION:
qq.com. 273 IN A 125.39.240.113
qq.com. 273 IN A 61.135.157.156
;; Query time: 18 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 一 1月 08 22:46:59 CST 2018
;; MSG SIZE rcvd: 67
[root@hanfeng ~]#
[root@hanfeng ~]# vim /usr/local/nginx/conf/vhost/load.conf
写入以下内容
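upstream qq_com  # the name after "upstream" is arbitrary; proxy_pass refers to it
{
ip_hash;  # route by client address so the same client keeps landing on the same backend
server 61.135.157.156:80;  # ":80" may be omitted when the backend listens on port 80 (addresses from the dig qq.com answer above)
server 125.39.240.113:80;
}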
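server
{
listen 80;  # listening port
server_name www.qq.com;  # domain this vhost answers for
location /
{
proxy_pass http://qq_com;  # the upstream name, i.e. http://<upstream>; nginx proxies to the backend IPs listed there
proxy_set_header Host $host;  # pass the request's Host header through to the backend
proxy_set_header X-Real-IP $remote_addr;  # client address as nginx sees it
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # appends $remote_addr; earlier entries are client-supplied and untrusted
}
}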
保存退出
[root@hanfeng ~]# curl -x127.0.0.1:80 www.qq.com
This is the default site.
[root@hanfeng ~]#
[root@hanfeng ~]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hanfeng ~]# /usr/local/nginx/sbin/nginx -s reload
[root@hanfeng ~]#
[root@hanfeng ~]# curl -x127.0.0.1:80 www.qq.com
在自己的虚拟机上生成 SSL 证书需要用到 openssl 工具
[root@hf-01 ~]# cd /usr/local/nginx/conf/
[root@hf-01 conf]#
[root@hf-01 conf]# rpm -qf `which openssl`
openssl-1.0.2k-8.el7.x86_64
[root@hf-01 conf]#
[root@hf-01 conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.......+++
......................................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key: //输入密码
Verifying - Enter pass phrase for tmp.key: //再次输入密码
[root@hf-01 conf]#
[root@hf-01 conf]# openssl rsa -in tmp.key -out gurui.key
Enter pass phrase for tmp.key: //输入tmp.key的密码
writing RSA key
[root@hf-01 conf]#
[root@hf-01 conf]# rm -f tmp.key
[root@hf-01 conf]#
[root@hf-01 conf]# openssl req -new -key gurui.key -out gurui.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn //国家,2个字母
State or Province Name (full name) []:JiangSu //省或州
Locality Name (eg, city) [Default City]:YanCheng //城市
Organization Name (eg, company) [Default Company Ltd]:han //公司
Organizational Unit Name (eg, section) []:han //组织
Common Name (eg, your name or your server’s hostname) []:hanfeng //您的主机名
Email Address []:han1118feng@163.com //邮箱
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:hanfeng //CSR 的 challenge password 属性,可留空
An optional company name []: //一个可选的公司名称
用证书请求文件(CSR)和私钥文件,生成一个自签名证书
[root@hf-01 conf]#
[root@hf-01 conf]# openssl x509 -req -days 365 -in gurui.csr -signkey gurui.key -out gurui.crt
Signature ok
subject=/C=11/ST=BEIJING/L=BeiJing/O=hanfeng/OU=hanfeng/CN=hanfeng/emailAddress=han1118fem\x08
Getting Private key
[root@hf-01 conf]#
server
{
listen 443;  # "listen 443 ssl;" is the modern form and makes "ssl on;" unnecessary
server_name aming.com;
index index.html index.php;
root /data/wwwroot/aming.com;
ssl on;  # accepted by nginx 1.12.1 (the version used below); deprecated in later releases in favour of the "ssl" listen parameter
ssl_certificate aminglinux.crt;  # template names; the vhost actually written below uses gurui.crt/gurui.key created in /usr/local/nginx/conf/
ssl_certificate_key aminglinux.key;  # private key file; keep it readable by root only
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # TLSv1/TLSv1.1 are deprecated (RFC 8996); "ssl_protocols TLSv1.2;" is the safer minimum for this OpenSSL 1.0.2k build, which has no TLSv1.3
}
[root@hf-01 conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
添加以下内容
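server
{
listen 443;  # listening port; "listen 443 ssl;" is the modern form
server_name aming.com;  # host name
index index.html index.php;
root /data/wwwroot/aming.com;  # document root
ssl on;  # enable TLS (kept on line 7: the nginx -t error below refers to it; needs a build with --with-http_ssl_module)
ssl_certificate gurui.crt;  # the self-signed certificate generated above; relative paths resolve from the nginx conf directory
ssl_certificate_key gurui.key;  # private key, passphrase stripped above — restrict it to root-only read access
ssl_protocols TLSv1.2;  # TLSv1/TLSv1.1 removed: deprecated by RFC 8996; this OpenSSL 1.0.2k build offers no TLSv1.3
}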
保存退出
[root@hf-01 conf]# mkdir /data/wwwroot/aming.com
[root@hf-01 conf]#
[root@hf-01 conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@hf-01 conf]#
[root@hf-01 conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=/usr/local/nginx
[root@hf-01 conf]#
[root@hf-01 conf]# cd /usr/local/src/nginx-1.12.1/
[root@hf-01 nginx-1.12.1]# ./configure --help |grep -i ssl
--with-http_ssl_module enable ngx_http_ssl_module
--with-mail_ssl_module enable ngx_mail_ssl_module
--with-stream_ssl_module enable ngx_stream_ssl_module
--with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
[root@hf-01 nginx-1.12.1]#
[root@hf-01 nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@hf-01 nginx-1.12.1]# make
[root@hf-01 nginx-1.12.1]# make install
[root@hf-01 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@hf-01 nginx-1.12.1]#
[root@hf-01 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 nginx-1.12.1]#
[root@hf-01 nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ 确定 ]
[root@hf-01 nginx-1.12.1]#
[root@hf-01 nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1533/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 5716/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5716/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1205/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1533/master
tcp6 0 0 :::3306 :::* LISTEN 1576/mysqld
tcp6 0 0 :::22 :::* LISTEN 1205/sshd
[root@hf-01 nginx-1.12.1]#
[root@hf-01 nginx-1.12.1]# cd /data/wwwroot/aming.com/
[root@hf-01 aming.com]# ls
[root@hf-01 aming.com]# vim index.html
This is ssl.
保存退出
[root@hf-01 aming.com]# curl -x127.0.0.1:443 https://aming.com/
curl: (56) Received HTTP code 400 from proxy after CONNECT
[root@hf-01 aming.com]#
[root@hf-01 aming.com]# vim /etc/hosts
加入以下内容
127.0.0.1 aming.com
[root@hf-01 aming.com]# curl https://aming.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@hf-01 aming.com]#
192.168.74.129 aming.com
[root@hf-01 aming.com]# iptables -nvL
[root@hf-01 aming.com]# iptables -F
[root@hf-01 aming.com]#