Nginx集群实现证书
1、准备LB01(10.0.0.5、172.16.1.5)做负载均衡,Web02(10.0.0.8、172.16.1.8)、Web03(10.0.0.9、172.16.1.9)两台服务器
2、配置Web02、Web03服务器监听80端口
1. [root@Web02 ~]# cat /etc/nginx/conf.d/ssl.conf 2. server { 3. listen 80; 4. server_name ssl.koten.com; 5. 6. location / { 7. root /code/ssl; 8. index index.html; 9. } 10. } 11. [root@Web02 ~]# systemctl restart nginx 12. 13. [root@Web03 ~]# cat /etc/nginx/conf.d/ssl.conf 14. server { 15. listen 80; 16. server_name ssl.koten.com; 17. 18. location / { 19. root /code/ssl; 20. index index.html; 21. } 22. } 23. [root@Web03 ~]# systemctl restart nginx
3、拷贝证书到LB服务器
1. [root@LB01 ~]# scp -rp 172.16.1.7:/etc/nginx/ssl_key /etc/nginx/ 2. The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established. 3. ECDSA key fingerprint is SHA256:zQvI/tCFYssR7l6cr90EtaIA93FXJp8FmUhGtkZshlA. 4. ECDSA key fingerprint is MD5:0b:a1:ee:d2:75:92:1a:62:05:63:5e:d1:e8:42:13:84. 5. Are you sure you want to continue connecting (yes/no)? yes 6. Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts. 7. root@172.16.1.7's password: 8. server.key 100% 1704 906.5KB/s 00:00 9. server.crt 100% 1411 1.0MB/s 00:00
4、配置LB01的Nginx配置文件
1. [root@LB01 ~]# cat /etc/nginx/conf.d/proxy_ssl.conf 2. upstream website { 3. server 172.16.1.8:80; 4. server 172.16.1.9:80; 5. } 6. 7. server { 8. listen 443 ssl; 9. server_name ssl.koten.com; 10. ssl_certificate ssl_key/server.crt; 11. ssl_certificate_key ssl_key/server.key; 12. location / { 13. proxy_pass http://website; 14. proxy_set_header Host $http_host; 15. } 16. } 17. 18. server { 19. listen 80; 20. server_name ssl.koten.com; 21. return 302 https://$server_name$request_uri; 22. } 23. [root@LB01 ~]# systemctl restart nginx
5、浏览器访问
真实业务实现HTTPS证书
1、配置LB01中的wordpress和wecenter的配置
1. [root@LB01 ~]# cat /etc/nginx/conf.d/proxy_ssl.conf 2. upstream webs { 3. server 172.16.1.7:80; 4. server 172.16.1.8:80; 5. } 6. 7. #用户的http请求跳转至https 8. server { 9. listen 80; 10. server_name blog.koten.com; 11. return 302 https://$server_name$request_uri; 12. } 13. 14. server { 15. listen 80; 16. server_name wecenter.koten.com; 17. return 302 https://$server_name$request_uri; 18. } 19. 20. server { 21. listen 443 ssl; 22. server_name blog.koten.com; 23. ssl_certificate ssl_key/server.crt; 24. ssl_certificate_key ssl_key/server.key; 25. location / { 26. proxy_pass http://webs; 27. include proxy_params; 28. } 29. } 30. 31. server { 32. listen 443 ssl; 33. server_name wecenter.koten.com; 34. ssl_certificate ssl_key/server.crt; 35. ssl_certificate_key ssl_key/server.key; 36. location / { 37. proxy_pass http://webs; 38. include proxy_params; 39. } 40. } 41. [root@LB01 ~]# nginx -t 42. nginx: the configuration file /etc/nginx/nginx.conf syntax is ok 43. nginx: configuration file /etc/nginx/nginx.conf test is successful 44. [root@LB01 ~]# nginx -s reload
2、浏览器访问
发现均出现排版错误的情况,这是因为PHP对https不适配。
3、修正排版问题
需要在Web01和Web02的Wecenter和WordPress配置文件里添加如下配置,并重启Nginx
1. #告诉PHP我前置的负载使用的是https协议 2. fastcgi_param HTTPS on;
例如Web01的WordPress配置文件
1. [root@Web01 wecenter]# cat /etc/nginx/conf.d/wordpress.conf 2. server { 3. listen 80; 4. server_name blog.koten.com; 5. root /code/wordpress; 6. index index.php index.html index.htm; 7. 8. location ~\.php$ { 9. root /code/wordpress; 10. fastcgi_pass 127.0.0.1:9000; 11. fastcgi_index index.php; 12. fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 13. fastcgi_param HTTPS on; 14. include fastcgi_params; 15. } 16. } 17. [root@Web01 wecenter]#
4、再次访问发现恢复
5、phpmyadmin配置文件与问题
1. [root@LB01 ~]# cat /etc/nginx/conf.d/proxy_php.conf 2. upstream web { 3. server 172.16.1.7:80; 4. server 172.16.1.8:80; 5. } 6. 7. server { 8. listen 80; 9. server_name php.koten.com; 10. return 302 https://$server_name$request_uri; 11. } 12. 13. server { 14. listen 443 ssl; 15. ssl_certificate ssl_key/server.crt; 16. ssl_certificate_key ssl_key/server.key; 17. server_name php.koten.com; 18. location / { 19. proxy_pass http://web; 20. include proxy_params; 21. } 22. } 23. [root@LB01 ~]# systemctl restart nginx
6、解决phpmyadmin问题
在Web01和Web02的phpmyadmin配置文件上增加如下配置:
fastcgi_param HTTPS on;
恢复正常!
