目录

一、Nginx负载均衡
二、ssl原理
三、生成ssl密钥对
四、Nginx配置ssl

一、Nginx负载均衡

如果Nginx后面有多台Web服务器，如果同时代理，那Nginx在这里就起到一个负载均衡的作用。

若不使用代理服务器，用户访问web服务器时只能一台一台的请求内容。比如用户1访问web1，用户2访问web2，此时若web1故障，则用户1无法继续访问网站。使用代理服务器时，若web1故障，则代理服务器不会继续把用户1的请求发给web1而是发给其他服务器。

代理配置中的proxy pass字段不支持写多个ip，可以使用upstream模块定义多个server（ip+端口）

• dig命令
  dig命令是常用的域名查询工具，可以用来测试域名系统工作是否正常。
  执行yum install -y bind-utils安装

使用dig命令查看一下qq.com域名对应的IP

[root@minglinux-01 ~] dig qq.com

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20175
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com.                IN  A

;; ANSWER SECTION:  //返回解析的两个IP
qq.com.         194 IN  A   111.161.64.40
qq.com.         194 IN  A   111.161.64.48

;; Query time: 19 msec
;; SERVER: 119.29.29.29#53(119.29.29.29)
;; WHEN: 五 11月 30 22:10:27 CST 2018
;; MSG SIZE  rcvd: 67

有两个IP就可以走负载均衡了，配置过程如下：

[root@minglinux-01 ~] vim /usr/local/nginx/conf/vhost/load.conf //写入以下内容

upstream qq_com  //upstream来指定多个web server，名字自定义
  2 {
  3     ip_hash;   //ip_hash的目的是让同一个用户始终保持在同一台机器上，达到保持会话的效果。
  4     server 111.161.64.40:80;
  5     server 111.161.64.48:80;
  6 }
  7 server
  8 {
  9     listen 80;
 10     server_name www.qq.com;
 11     location /
 12     {
 13         proxy_pass      http://qq_com; //跟上面upstream定义字段保持一致
 14         proxy_set_header Host   $host;
 15         proxy_set_header X-Real-IP      $remote_addr;
 16         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded    _for;
 17     }
 18 }

• 测试

此时未重载配置文件，会访问默认虚拟主机，无法访问到www.qq.com

[root@minglinux-01 ~] curl -x127.0.0.1:80 www.qq.com
Hello,thank you!
[root@minglinux-01 ~] curl -x127.0.0.1:80 localhost
Hello,thank you!

重载配置文件后可以访问www.qq.com了

[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -t
[root@minglinux-01 ~] /usr/local/nginx/sbin/nginx -s reload
[root@minglinux-01 ~] curl -x127.0.0.1:80 www.qq.com -I
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Sat, 01 Dec 2018 08:17:39 GMT
Content-Type: text/html; charset=GB2312
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Sat, 01 Dec 2018 08:18:39 GMT
Cache-Control: max-age=60
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Cache: HIT from shenzhen.qq.com

Nginx不支持代理https

Nginx代理服务器代理https：
用户想要访问https（443），可以让代理服务器监听443端口，但代理服务器访问后端时必须访问后端的80端口，不支持访问443。

二、ssl原理

HTTP协议以明文方式发送内容，不提供任何方式的数据加密，如果攻击者截取了Web浏览器和网站服务器之间的传输报文，就可以直接读懂其中的信息。

HTTPS在HTTP的基础上加入了SSL协议，SSL依靠证书来验证服务器的身份，并为浏览器和服务器之间的通信加密，即便攻击者截获了通信的数据包，也无法破译里面的内容。

HTTPS的通信过程：

(1) 浏览器发送一个HTTPS请求给服务器。
(2) 服务器要有一套数字证书，可以自己制作，也可以向组织申请，区别就是自己颁发的证书需要客户端验证通过，才可以继续访问，而使用受信任的公司申请的证书则不会弹出提示页面，这套证书其实就是一对公钥和私钥。
(3) 服务器会把公钥传输给客户端。
(4) 客户端（浏览器）收到公钥后，会验证其是否合法有效，无效会有警告提醒，有效则会生成一串随机字符串，并用收到的公钥加密。
(5) 客户端把加密后的随机字符串传输给服务器。
(6) 服务器收到加密随机字符串后，先用私钥解密（公钥加密，私钥解密），获取到这一串随机字符串后，再用这串随机字符串加密传输的数据（该加密为“对称加密”；所谓对称加密，就是将数据和私钥，也就是这个随机字符串通过某种算法混合在一起，这样除非知道私钥，否则无法获取数据内容）。
(7) 服务器把加密后的数据传输给客户端。
(8) 客户端收到数据后，再用自己的私钥（也就是那个随机字符串）解密。

三、生成ssl密钥对

• 查看openssl命令是由哪个包来安装

[root@minglinux-01 /usr/local/nginx/conf] which openssl
/usr/bin/openssl
[root@minglinux-01 /usr/local/nginx/conf] rpm -qf `which openssl`
openssl-1.0.2k-12.el7.x86_64    //查看openssl命令是由哪个包来安装来的
[root@minglinux-01 ~] cd /usr/local/nginx/conf/

• 生成私钥

[root@minglinux-01 /usr/local/nginx/conf] openssl genrsa -des3 -out tmp.key 2048  
Generating RSA private key, 2048 bit long modulus
...............................+++
............................................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:

[root@minglinux-01 /usr/local/nginx/conf] openssl rsa -in tmp.key -out ming.key
Enter pass phrase for tmp.key:
writing RSA key
[root@minglinux-01 /usr/local/nginx/conf] rm -f tmp.key 

上面第二步将tmp.key转换成ming.key清除密码，目的是为了让用户在访问https网站时不需要输入密码。ming.key和tmp.key实际是同一个密钥，只是tmp.key有密码，ming.key没有密码。

• 生成证书请求文件，需要拿这个文件和私钥一起生成公钥文件

[root@minglinux-01 /usr/local/nginx/conf] openssl req -new -key ming.key -out ming.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                   
State or Province Name (full name) []:Shenzhen     
Locality Name (eg, city) [Default City]:Shenzhen      
Organization Name (eg, company) [Default Company Ltd]:123
Organizational Unit Name (eg, section) []:123
Common Name (eg, your name or your server's hostname) []:123
Email Address []:admin@ming.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xiaoming  
An optional company name []:ming 

• key文件CSR文件一起生成公钥文件

[root@minglinux-01 /usr/local/nginx/conf] openssl x509 -req -days 365 -in ming.csr -signkey ming.key -out ming.crt
Signature ok
subject=/C=CN/ST=Shenzhen/L=Shenzhen/O=123/OU=123/CN=123/emailAddress=admin@ming.com
Getting Private key
[root@minglinux-01 /usr/local/nginx/conf] ls ming.*
ming.crt  ming.csr  ming.key

四、Nginx配置ssl

[root@minglinux-01 /usr/local/nginx/conf] vim /usr/local/nginx/conf/vhost/ssl.conf
//写入以下内容

  1 server
  2 {
  3     listen 443;
  4     server_name ming.com;
  5     index index.html index.php;
  6     root /data/wwwroot/ming.com;
  7     ssl on;
  8     ssl_certificate ming.crt;
  9     ssl_certificate_key ming.key;
 10     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 11 }

• 检查Nginx配置出错

[root@minglinux-01 /usr/local/nginx/conf] /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@minglinux-01 /usr/local/nginx/conf] /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) 
configure arguments: --prefix=/usr/local/nginx

报错当前的Nginx并不支持SSL，这是因为在先前的Nginx编译时，并没有额外配置支持SSL的参数，要解决该问题只能重新编译一遍Nginx。

• 重新编译Nginx

[root@minglinux-01 /usr/local/nginx/conf] cd /usr/local/src/nginx-1.12.2/
[root@minglinux-01 /usr/local/src/nginx-1.12.2] ./configure --help | grep -i ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL

[root@minglinux-01 /usr/local/src/nginx-1.12.2] ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@minglinux-01 /usr/local/src/nginx-1.12.2] make
[root@minglinux-01 /usr/local/src/nginx-1.12.2] make install

[root@minglinux-01 /usr/local/src/nginx-1.12.2] /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
//多了--with-http_ssl_module

[root@minglinux-01 /usr/local/src/nginx-1.12.2] /usr/local/nginx/sbin/nginx -t  //检查配置通过了
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@minglinux-01 /usr/local/src/nginx-1.12.2] /etc/init.d/nginx restart 
Restarting nginx (via systemctl):                          [  确定  ]
[root@minglinux-01 /usr/local/src/nginx-1.12.2] netstat -lntp 
Active Internet connections (only servers)   //nginx分别监听了80和443端口
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4120/nginx: master  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4120/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      764/sshd            
tcp6       0      0 :::3306                 :::*                    LISTEN      1199/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      764/sshd 

• 测试

[root@minglinux-01 /usr/local/src/nginx-1.12.2] mkdir /data/wwwroot/ming.com
[root@minglinux-01 /usr/local/src/nginx-1.12.2] cd !$
cd /data/wwwroot/ming.com
[root@minglinux-01 /data/wwwroot/ming.com] vim index.html
[root@minglinux-01 /data/wwwroot/ming.com] vim /etc/hosts
写入如下行
···
127.0.0.1 ming.com

[root@minglinux-01 /data/wwwroot/ming.com] curl https://ming.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

• Windows访问

  
  

证书是自己颁发的，是不可信任，如果需要正规颁发的受信任证书可以到沃通等站点购买

扩展

针对请求的uri来代理 http://ask.apelearn.com/question/1049
根据访问的目录来区分后端的web http://ask.apelearn.com/question/920
nginx长连接 http://www.apelearn.com/bbs/thread-6545-1-1.html
nginx算法分析 http://blog.sina.com.cn/s/blog_72995dcc01016msi.html