12.17 Nginx负载均衡
12.18 ssl原理
12.19 生成ssl密钥对
12.20 Nginx配置ssl
扩展
针对请求的uri来代理 http://ask.apelearn.com/question/1049
根据访问的目录来区分后端的web http://ask.apelearn.com/question/920
nginx算法分析 http://blog.sina.com.cn/s/blog_72995dcc01016msi.html
12.17 Nginx负载均衡
使用dig命令 如果没有需要用yum安装bind-utils包
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
[root@localhost ~]
# dig-bash: dig: 未找到命令[root@localhost ~]# yum install -y bind-utils已安装: bind-utils.x86_64 32:9.9.4-51.el7 作为依赖被安装: bind-libs.x86_64 32:9.9.4-51.el7 作为依赖被升级: bind-libs-lite.x86_64 32:9.9.4-51.el7 bind-license.noarch 32:9.9.4-51.el7 完毕![root@localhost ~]# dig qq.com; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> qq.com;; global options: +cmd;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id
: 47359
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.com. IN A;; ANSWER SECTION:qq.com. 455 IN A 61.135.157.156qq.com. 455 IN A 125.39.240.113;; Query
time
: 34 msec;; SERVER: 119.29.29.29
#53(119.29.29.29)
;; WHEN: 一 10月 23 20:34:36 CST 2017
;; MSG SIZE rcvd: 67[root@localhost ~]
#
使用
dig
qq.com 反馈回来出俩个ip 61.135.157.156, 125.39.240.113
使用
dig
ask.aplearn.com 反馈回来一个ip 121.201.9.155
[root@localhost ~]
# dig ask.apelearn.com; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> ask.apelearn.com;; global options: +cmd;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id
: 1701
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ask.apelearn.com. IN A;; ANSWER SECTION:ask.apelearn.com. 600 IN A 121.201.9.155;; Query
time
: 126 msec;; SERVER: 119.29.29.29
#53(119.29.29.29)
;; WHEN: 一 10月 23 20:37:29 CST 2017
;; MSG SIZE rcvd: 61[root@localhost ~]
#
这其实就是域名解析,
ping
qq.com
dig
qq.com 反馈了俩个ip,qq.com 解析到了俩个ip上 ,其实这时候就可以用这个做负载均衡
新建一个
[root@localhost ~]
# vi ld.confupstream qq
{
ip_hash; 让你适中访问到一个服务器
server 61.135.157.156:80; 定义俩个server
server 125.39.240.113:80;
}server
{ listen 80; 定义监听端口
server_name www.qq.com;
location /
{
proxy_pass http:
//qq
; 定义upstream的名字
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
~
~
~
~
:wq
[root@localhost ~]
# vi ld.conf[root@localhost ~]# curl -x127.0.0.1:80 www.qq.comThis is the default site.
[root@localhost ~]
#
正常情况下访问www.qq.com 是访问默认虚拟主机
重新加载下
[root@localhost ~]
# curl -x127.0.0.1:80 www.qq.com
This is the default site.
[root@localhost ~]
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration
file
/usr/local/nginx/conf/nginx
.conf syntax is ok
nginx: configuration
file
/usr/local/nginx/conf/nginx
.conf
test
is successful
[root@localhost ~]
# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]
#
});
//--
> <
/script
>
<!-- 1·1· a -->
<script
type
=
"text/javascript"
src=
"//mat1.gtimg.com/www/qq_index/js/hot_word_sogou_v1.4.min.js"
charset=
"utf-8"
><
/script
>
<!--<script
type
=
"text/javascript"
src=
"http://mat1.gtimg.com/www/js/qq2012/hot_word_sogou.min1.2.js"
charset=
"utf-8"
><
/script
> -->
<script
type
=
"text/javascript"
>
//
3ˉ1·′
initSogouHotWord(document.forms[
'soso_search_box'
], document.getElementById(
'sougouTxt'
)); <
/script
>
<!-- 1· -->
<script>
//
·
var _mtac = {};
(
function
() { var mta = document.createElement(
"script"
);
mta.src =
"http://pingjs.qq.com/h5/stats.js?v2.0.2"
;
mta.setAttribute(
"name"
,
"MTAH5"
);
mta.setAttribute(
"sid"
,
"500460529"
); var s = document.getElementsByTagName(
"script"
)[0];
s.parentNode.insertBefore(mta, s);
})(); <
/script
><
/body
><
/html
><!--[
if
!IE]>|xGv00|ca219cb3eab302806f8b762500c512cb<![endif]-->[root@localhost vhost]
#
重新加载后,再来访问就变成www.qq.com的主页了
[root@localhost vhost]
# cat ld.confupstream qq
{
ip_hash;
server 61.135.157.156:80;
server 125.39.240.113:80;
}server
{ listen 80;
server_name www.qq.com;
location /
{
proxy_pass http:
//qq
;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
[root@localhost vhost]
#
|
这就时负载均衡
12.18 ssl原理
SSL 原理
浏览器发送一个https的请求给服务器;
服务器要有一套数字证书,可以自己制作(后面的操作就是阿铭自己制作的证书),也可向组织申请,区别就是自己颁发的证书需要客户端验证通过,才可以继续访问,而使用受信任的公司申请的证书则不会弹出>提示页面,这套证书其实就是一对公钥和私钥;
服务器会把公钥传输给客户端;
客户端(浏览器)收到公钥后,会验证其是否合法有效,无效会有警告提醒,有效则会生成一串随机数,并用收到的公钥加密;
客户端把加密后的随机字符串传输给服务器;
服务器收到加密随机字符串后,先用私钥解密(公钥加密,私钥解密),获取到这一串随机数后,再用这串随机字符串加密传输的数据(该加密为对称加密,所谓对称加密,就是将数据和私钥也就是这个随机字符串>通过某种算法混合在一起,这样除非知道私钥,否则无法获取数据内容);
服务器把加密后的数据传输给客户端;
客户端收到数据后,再用自己的私钥也就是那个随机字符串解密;
12.19 生产ssl密钥对
把公钥和私钥放到这个目录下/usr/local/nginx/conf/
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
|
[root@localhost ~]
# cd /usr/local/nginx/conf/[root@localhost conf]#
需要openssl这个命令,怎么样去查看一个命令是用哪个包安装的吗?需要安装那个包
rpm -qf
which
openssl
[root@localhost conf]
# rpm -qf `which openssl`openssl-1.0.2k-8.el7.x86_64[root@localhost conf]# yum install -y openssl-1.0.2k-8.el7.x86_64已加载插件:fastestmirrorLoading mirror speeds from cached hostfile
* base: mirrors.163.com
* epel:
ftp
.riken.jp
* extras: mirrors.163.com
* updates: mirrors.163.com软件包 1:openssl-1.0.2k-8.el7.x86_64 已安装并且是最新版本
无须任何处理[root@localhost conf]
#
openssl genrsa -des3 -out tmp.key 2048 命令解释:找到 rsa格式的私钥,长度2048,名字叫tmp.key key文件为私钥
[root@localhost conf]
# openssl genrsa -des3 -out tmp.key 2048Generating RSA private key, 2048 bit long modulus
.............................+++
...........................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase
for
tmp.key:
Verifying - Enter pass phrase
for
tmp.key:
[root@localhost conf]
#
第二步 转换key,取消密码 openssl rsa -
in
tmp.key -out aminglinux.key ,
rm
-f tpm.key
[root@localhost conf]
# openssl rsa -in tmp.key -out aminglinux.keyEnter pass phrase for tmp.key:
writing RSA key
[root@localhost conf]
# [root@localhost conf]# rm -f tmp.key
第三步,生成一个证书请求的文件 生成证书请求文件,需要拿这个文件和私钥一起生产公钥文件
[root@localhost conf]
# openssl req -new -key aminglinux.key -out aminglinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter
'.'
, the field will be left blank.
-----
Country Name (2 letter code) [XX]:chinastring is too long, it needs to be
less
than 2 bytes long
Country Name (2 letter code) [XX]:11State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:aming
Organizational Unit Name (eg, section) []:aming
Common Name (eg, your name or your server's
hostname
) []:aminglinux
Email Address []:aming@aminglinux.com
Please enter the following
'extra'
attributes
to be sent with your certificate request
A challenge password []:lishiming
An optional company name []:aming
[root@localhost conf]
#
[root@localhost conf]
# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crtSignature ok
subject=
/C
=11
/ST
=BeiJing
/L
=BeiJing
/O
=aming
/OU
=aming
/CN
=aminglinux
/emailAddress
=aming@aminglinux.com
Getting Private key
[root@localhost conf]
# [root@localhost conf]# ls aminglinux.aminglinux.crt aminglinux.csr aminglinux.key
这里的aminglinux.crt为公钥
12.20 Nginx配置ssl
有了公钥私钥之后,就可以来配置nginx
生成一个新的配置文件
[root@localhost conf]
# vim ssl.conf
[1]+ 已停止 vim ssl.conf
[root@localhost conf]
# mkdir /data/wwwroot/aming.com
[root@localhost conf]
# fg
vim ssl.confserver{
listen 443;
server_name aming.com;
index index.html index.php;
root
/data/wwwroot/aming
.com;
ssl on;
ssl_certificate aminglinux.crt;
ssl_certificate_key aminglinux.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
~
~
:wq
最早编译nginx的 并没有指定支持ssl ,需要重新编译下,让大家不要去删除源码包,后期有可能还要进一步编译
[root@localhost conf]
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration
file
/usr/local/nginx/conf/nginx
.conf syntax is ok
nginx: configuration
file
/usr/local/nginx/conf/nginx
.conf
test
is successful
[root@localhost conf]
# /usr/local/nginx/sbin/nginx -V
nginx version: nginx
/1
.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=
/usr/local/nginx
进入nginx源码包下 查找需要加上这个配置才行 --with-http_ssl_module
初始化
make
,
make
install
[root@localhost conf]
# cd /usr/local/src/nginx-1.12.1/
[root@localhost nginx-1.12.1]
# ./configure --help |grep -i ssl
--with-http_ssl_module
enable
ngx_http_ssl_module
--with-mail_ssl_module
enable
ngx_mail_ssl_module
--with-stream_ssl_module
enable
ngx_stream_ssl_module
--with-stream_ssl_preread_module
enable
ngx_stream_ssl_preread_module
--with-openssl=DIR
set
path to OpenSSL library sources
--with-openssl-opt=OPTIONS
set
additional build options
for
OpenSSL[root@localhost nginx-1.12.1]
# [root@localhost nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
nginx path prefix:
"/usr/local/nginx"
nginx binary
file
:
"/usr/local/nginx/sbin/nginx"
nginx modules path:
"/usr/local/nginx/modules"
nginx configuration prefix:
"/usr/local/nginx/conf"
nginx configuration
file
:
"/usr/local/nginx/conf/nginx.conf"
nginx pid
file
:
"/usr/local/nginx/logs/nginx.pid"
nginx error log
file
:
"/usr/local/nginx/logs/error.log"
nginx http access log
file
:
"/usr/local/nginx/logs/access.log"
nginx http client request body temporary files:
"client_body_temp"
nginx http proxy temporary files:
"proxy_temp"
nginx http fastcgi temporary files:
"fastcgi_temp"
nginx http uwsgi temporary files:
"uwsgi_temp"
nginx http scgi temporary files:
"scgi_temp"
[root@localhost nginx-1.12.1]
# [root@localhost nginx-1.12.1]# makesed -e "s|%%PREFIX%%|/usr/local/nginx|" \
-e
"s|%%PID_PATH%%|/usr/local/nginx/logs/nginx.pid|"
\
-e
"s|%%CONF_PATH%%|/usr/local/nginx/conf/nginx.conf|"
\
-e
"s|%%ERROR_LOG_PATH%%|/usr/local/nginx/logs/error.log|"
\
<
man
/nginx
.8 > objs
/nginx
.8
make
[1]: 离开目录“
/usr/local/src/nginx-1
.12.1”
[root@localhost nginx-1.12.1]
# [root@localhost nginx-1.12.1]# make install
||
mkdir
-p
'/usr/local/nginx/logs'
test
-d
'/usr/local/nginx/html'
\
||
cp
-R html
'/usr/local/nginx'
test
-d
'/usr/local/nginx/logs'
\
||
mkdir
-p
'/usr/local/nginx/logs'
make
[1]: 离开目录“
/usr/local/src/nginx-1
.12.1”
[root@localhost nginx-1.12.1]
#
现在再看看,多了一个参数 --with-http_ssl_module
[root@localhost nginx-1.12.1]
# /usr/local/nginx/sbin/nginx -V
nginx version: nginx
/1
.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=
/usr/local/nginx
--with-http_ssl_module
[root@localhost nginx-1.12.1]
#
[root@localhost nginx-1.12.1]
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration
file
/usr/local/nginx/conf/nginx
.conf syntax is ok
nginx: configuration
file
/usr/local/nginx/conf/nginx
.conf
test
is successful
[root@localhost nginx-1.12.1]
#
[root@localhost nginx-1.12.1]
# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID
/Program
name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5682
/nginx
: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 874
/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1783
/master
tcp6 0 0 :::3306 :::* LISTEN 1578
/mysqld
tcp6 0 0 :::22 :::* LISTEN 874
/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1783
/master
这里出错了,并没有出现 443 端口被监听,所以 肯定是哪里错了,
原来是创建的 ssl.conf配置文件 不是在vhost目录下 在conf下 创建了,所以失效,后面删除掉conf目录下的 ssl.conf文件,到vhost目录下重新创建配置文件ssl.conf 就好了
把之前的 conf目录下的 ssl.conf 文件删掉,
去vhost目录下 重新创建配置文件 vim ssl.conf 加入下面的配置
[root@localhost conf]
# cd vhost/
[root@localhost vhost]
# vim ssl.conf
[root@localhost vhost]
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration
file
/usr/local/nginx/conf/nginx
.conf syntax is ok
nginx: configuration
file
/usr/local/nginx/conf/nginx
.conf
test
is successful
[root@localhost vhost]
# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ 确定 ]
[root@localhost vhost]
# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID
/Program
name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5682
/nginx
: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 874
/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1783
/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 5682
/nginx
: master
tcp6 0 0 :::3306 :::* LISTEN 1578
/mysqld
tcp6 0 0 :::22 :::* LISTEN 874
/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1783
/master
[root@localhost vhost]
#
到aming.com目录下创建一个1.txt测试文件
用curl访问下,这样就不对了
[root@localhost vhost]
# cd /data/wwwroot/aming.com/[root@localhost aming.com]# ls[root@localhost aming.com]# vim 1.txtThis is ssl.
~
~
~
:wq
[root@localhost aming.com]
# mv 1.txt index.html[root@localhost aming.com]# curl -x12.0.0.1:443 https://aming.com/curl: (7) Failed connect to 12.0.0.1:443; 拒绝连接
[root@localhost aming.com]
#
这样访问是不对的,改下hosts文件
[root@localhost aming.com]
# vi /etc/hosts127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6192.168.202.131 www.qq123.com www.13.com www.aming.com127.0.0.1 www.13.com aming.com
~
~
~
:wq
[root@localhost aming.com]
# vi /etc/hosts[root@localhost aming.com]# curl https://aming.com/curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http:
//curl
.haxx.se
/docs/sslcerts
.html
curl performs SSL certificate verification by default, using a
"bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle
file
isn't adequate, you can specify an alternate
file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented
in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might not match the domain name
in
the URL).
If you
'd like to turn off curl'
s verification of the certificate, use
the -k (or --insecure) option.
[root@localhost aming.com]
#
|
这个证书别标记为不可信任了,因为这是我们自己颁发的 ,不合法
实际上一节成功了,不妨来编辑下windows hosts 来访问下
保存之后,打开浏览器输入地址https://aming.com
如果访问不到,看看有没有防火墙
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
[root@localhost aming.com]
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt
in
out
source
destination
8573 12M ACCEPT all -- * * 0.0.0.0
/0
0.0.0.0
/0
ctstate RELATED,ESTABLISHED 13 936 ACCEPT all -- lo * 0.0.0.0
/0
0.0.0.0
/0
762 67198 INPUT_direct all -- * * 0.0.0.0
/0
0.0.0.0
/0
762 67198 INPUT_ZONES_SOURCE all -- * * 0.0.0.0
/0
0.0.0.0
/0
762 67198 INPUT_ZONES all -- * * 0.0.0.0
/0
0.0.0.0
/0
21 2296 DROP all -- * * 0.0.0.0
/0
0.0.0.0
/0
ctstate INVALID 736 64646 REJECT all -- * * 0.0.0.0
/0
0.0.0.0
/0
reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt
in
out
source
destination
0 0 ACCEPT all -- * * 0.0.0.0
/0
0.0.0.0
/0
ctstate RELATED,ESTABLISHED 0 0 ACCEPT all -- lo * 0.0.0.0
/0
0.0.0.0
/0
0 0 FORWARD_direct all -- * * 0.0.0.0
/0
0.0.0.0
/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0
/0
0.0.0.0
/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0
/0
0.0.0.0
/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0
/0
0.0.0.0
/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0
/0
0.0.0.0
/0
0 0 DROP all -- * * 0.0.0.0
/0
0.0.0.0
/0
ctstate INVALID 0 0 REJECT all -- * * 0.0.0.0
/0
0.0.0.0
/0
reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 2489 packets, 320K bytes)
pkts bytes target prot opt
in
out
source
destination
7836 1311K OUTPUT_direct all -- * * 0.0.0.0
/0
0.0.0.0
/0
Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt
in
out
source
destination
0 0 FWDI_public all -- ens33 * 0.0.0.0
/0
0.0.0.0
/0
[goto]
0 0 FWDI_public all -- ens37 * 0.0.0.0
/0
0.0.0.0
/0
[goto]
0 0 FWDI_public all -- + * 0.0.0.0
/0
0.0.0.0
/0
[goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt
in
out
source
destination
Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt
in
out
source
destination
0 0 FWDO_public all -- * ens33 0.0.0.0
/0
0.0.0.0
/0
[goto]
0 0 FWDO_public all -- * ens37 0.0.0.0
/0
0.0.0.0
/0
[goto]
0 0 FWDO_public all -- * + 0.0.0.0
/0
0.0.0.0
/0
[goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt
in
out
source
destination
Chain FORWARD_direct (1 references)
pkts bytes target prot opt
in
out
source
destination
Chain FWDI_public (3 references)
pkts bytes target prot opt
in
out
source
destination
0 0 FWDI_public_log all -- * * 0.0.0.0
/0
0.0.0.0
/0
0 0 FWDI_public_deny all -- * * 0.0.0.0
/0
0.0.0.0
/0
0 0 FWDI_public_allow all -- * * 0.0.0.0
/0
0.0.0.0
/0
0 0 ACCEPT icmp -- * * 0.0.0.0
/0
0.0.0.0
/0
Chain FWDI_public_allow (1 references)
pkts bytes target prot opt
in
out
source
destination
Chain FWDI_public_deny (1 references)
pkts bytes target prot opt
in
out
source
destination
Chain FWDI_public_log (1 references)
pkts bytes target prot opt
in
out
source
destination
Chain FWDO_public (3 references)
pkts bytes target prot opt
in
out
source
destination
0 0 FWDO_public_log all -- * * 0.0.0.0
/0
0.0.0.0
/0
0 0 FWDO_public_deny all -- * * 0.0.0.0
/0
0.0.0.0
/0
0 0 FWDO_public_allow all -- * * 0.0.0.0
/0
0.0.0.0
/0
Chain FWDO_public_allow (1 references)
pkts bytes target prot opt
in
out
source
destination
Chain FWDO_public_deny (1 references)
pkts bytes target prot opt
in
out
source
destination
Chain FWDO_public_log (1 references)
pkts bytes target prot opt
in
out
source
destination
Chain INPUT_ZONES (1 references)
pkts bytes target prot opt
in
out
source
destination
0 0 IN_public all -- ens33 * 0.0.0.0
/0
0.0.0.0
/0
[goto]
430 35873 IN_public all -- ens37 * 0.0.0.0
/0
0.0.0.0
/0
[goto]
2 656 IN_public all -- + * 0.0.0.0
/0
0.0.0.0
/0
[goto]
Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt
in
out
source
destination
Chain INPUT_direct (1 references)
pkts bytes target prot opt
in
out
source
destination
Chain IN_public (3 references)
pkts bytes target prot opt
in
out
source
destination
762 67198 IN_public_log all -- * * 0.0.0.0
/0
0.0.0.0
/0
762 67198 IN_public_deny all -- * * 0.0.0.0
/0
0.0.0.0
/0
762 67198 IN_public_allow all -- * * 0.0.0.0
/0
0.0.0.0
/0
1 48 ACCEPT icmp -- * * 0.0.0.0
/0
0.0.0.0
/0
Chain IN_public_allow (1 references)
pkts bytes target prot opt
in
out
source
destination
4 208 ACCEPT tcp -- * * 0.0.0.0
/0
0.0.0.0
/0
tcp dpt:22 ctstate NEW
Chain IN_public_deny (1 references)
pkts bytes target prot opt
in
out
source
destination
Chain IN_public_log (1 references)
pkts bytes target prot opt
in
out
source
destination
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt
in
out
source
destination
[root@localhost aming.com]
# iptables -F
[root@localhost aming.com]
#
|
有直接iptables -F 直接把规则全部清空再试下,
证书不被信任的时候就会提示这样,红色的,不是绿色的
要想去正常的访问HTTPS 要去沃通买证书
扩展
针对请求的uri来代理 http://ask.apelearn.com/question/1049
nginx针对请求的uri来代理 代理 Nginx 场景:1台nginx去代理4台apache 需求:根据不同的请求uri 代理到不同的apache
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
nginx的配置文件为:
upstream aa.com {
server 192.168.0.121; server 192.168.0.122;
} upstream bb.com {
server 192.168.0.123; server 192.168.0.124;
} server { listen 80; server_name www.abc.com; location ~ aa.php
{ proxy_pass http:
//aa
.com/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
} location ~ bb.php
{ proxy_pass http:
//bb
.com/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
根据访问的目录来区分后端的web http:
//ask
.apelearn.com
/question/920
nginx代理--根据访问的目录来区分后端的web
回复收藏 分享 配置文件 目录 代理 Server listen 我的需求: 当请求的目录是
/aaa/
则把请求发送到机器a,当请求的目录为
/bbb/
则把请求发送到机器b,除了目录
/aaa/
与目录
/bbb/
外,其他的请求发送到机器b
我的配置文件内容为:
upstream aaa.com
{
server 192.168.111.6;}
upstream bbb.com
{
server 192.168.111.20;}
server {
listen 80;
server_name li.com;
location
/aaa/
{
proxy_pass http:
//aaa
.com
/aaa/
;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location
/bbb/
{
proxy_pass http:
//bbb
.com
/bbb/
;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /
{
proxy_pass http:
//bbb
.com/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
说明:1 以上配置文件中的 aaa.com 以及 bbb.com 都是自定义的,随便写。2 upstream 中的server 可以写多个,例如
upstream aaa.com
{
server 192.168.111.6;
server 192.168.111.4;
server 192.168.111.5;}
3 proxy_pass http:
//aaa
.com
/aaa/
这里必须要加这个目录,不然就访问到根目录了。 4 实际上,上述配置文件中, localtion
/bbb/
部分是可以省略掉的,因为后边的 location / 已经包含了
/bbb/
,所以即使我们不去定义 localtion
/bbb/
也是会访问到 bbb.com 的。
nginx长连接 http:
//www
.apelearn.com
/bbs/thread-6545-1-1
.html
nginx 代理多台机器导致用户登陆异常,长连接(会话保持)解决问题
用户 排障经验 网站使用程序 discuzx3 访问都正常,只有用户登陆存在异常,具体的情况是这样的: 用户登陆后,会马上显示未登陆,然后刷新一下或者多下又变成了登陆中。
这个问题很显然是由于session导致,后台有多个web机器,当用户登陆后,会把登陆态session保存到当前web,但是再次发送请求时则会到另一台机器,所以原来的session信息找不到了。解决这个问题有两个思路:
可以把session时时同步到另外的机器。
可以让前端的调度器保持长连接,也就是说某个用户的请求在某一时间段内始终抓发到固定的一台机器上。 这两种方式,第二种更容易实现。
我使用的是nginx的代理,其中nginx有一种算法支持长连接,具体配置是这样的:
upstream
test
{
ip_hash;server 192.168.109.5;server 192.168.109.3;
}
关键代码: ip_hash 这样,nginx会把用户的请求一直转发到后端的某台机器。
|
本文转自 ch71smas 51CTO博客,原文链接:http://blog.51cto.com/ch71smas/1975759
