Implementing a dual-master configuration
Step 1: Write the keepalived service configuration files
lb01
vrrp_instance oldboy {
    state MASTER
    interface eth0
    virtual_router_id 63
    priority 110
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3
    }
}
vrrp_instance oldgirl {
    state BACKUP
    interface eth0
    virtual_router_id 64
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.4
    }
}
lb02
vrrp_instance oldboy {
    state BACKUP
    interface eth0
    virtual_router_id 63
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3
    }
}
vrrp_instance oldgirl {
    state MASTER
    interface eth0
    virtual_router_id 64
    priority 110
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.4
    }
}
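A consistency check for the dual-master pair above, as an added example that is not part of the original notes: it parses each node's vrrp_instance blocks and reports an instance whose virtual_router_id differs between lb01 and lb02, a VRID reused on one node, or a MASTER that does not hold the higher priority. The embedded configs are the page's instances trimmed to the checked fields; the function names summarize and check_pair are hypothetical.

```shell
# Added example: consistency check for a keepalived dual-master pair.
# LB01/LB02 repeat the page's instances, trimmed to the fields checked here.
LB01='vrrp_instance oldboy {
state MASTER
virtual_router_id 63
priority 110
}
vrrp_instance oldgirl {
state BACKUP
virtual_router_id 64
priority 100
}'
LB02='vrrp_instance oldboy {
state BACKUP
virtual_router_id 63
priority 100
}
vrrp_instance oldgirl {
state MASTER
virtual_router_id 64
priority 110
}'
# Print "name state vrid priority" per vrrp_instance (nested blocks are skipped).
summarize() {
    printf '%s\n' "$1" | awk '
        $1 == "vrrp_instance"     { name = $2 }
        $1 == "state"             { st = $2 }
        $1 == "virtual_router_id" { id = $2 }
        $1 == "priority"          { pr = $2 }
        index($0, "{") { depth++ }
        index($0, "}") { if (--depth == 0 && name != "") { print name, st, id, pr; name = "" } }'
}
# Print one line per problem between node A and node B; non-zero status if any.
check_pair() {
    { summarize "$1" | sed 's/^/A /'; summarize "$2" | sed 's/^/B /'; } | awk '
        { n = $2; seen[n]++; st[n,$1] = $3; id[n,$1] = $4; pr[n,$1] = $5 + 0
          if (used[$1,$4]++) { print "node " $1 ": virtual_router_id " $4 " reused"; bad = 1 } }
        END {
            for (n in seen) {
                if (seen[n] != 2) { print n ": missing on one node"; bad = 1; continue }
                if (id[n,"A"] != id[n,"B"]) { print n ": virtual_router_id differs"; bad = 1 }
                hi = (pr[n,"A"] > pr[n,"B"]) ? "A" : "B"; lo = (hi == "A") ? "B" : "A"
                if (pr[n,"A"] == pr[n,"B"] || st[n,hi] != "MASTER" || st[n,lo] != "BACKUP") {
                    print n ": want MASTER with the higher priority and BACKUP on the peer"; bad = 1 }
            }
            exit bad + 0
        }'
}

check_pair "$LB01" "$LB02" && echo "dual-master pair is consistent"
```

The same functions accept the full configuration text, for example check_pair "$(cat lb01.conf)" "$(cat lb02.conf)" with file names of your own.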
Step 2: Modify the load balancer service configuration file
Method 1:
server {
    listen 10.0.0.3:80;
    server_name www.oldboy.com;
    location / {
        proxy_pass http://oldboy;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
server {
    listen 10.0.0.4:80;
    server_name bbs.oldboy.com;
    location / {
        proxy_pass http://oldboy;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
Method 2:
server {
    listen 10.0.0.3:80;
    listen 10.0.0.4:80;
    server_name localhost;
    location / {
        proxy_pass http://oldboy;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
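Concepts of secure website access: HTTPS (secure)
1. Data confidentiality: symmetric encryption algorithm; private key and public key; keep the algorithm information protected. Sender (private key/public key) --- receiver (private key/public key)
2. Data integrity: symmetric encryption algorithm; private key and public key; keep the fingerprint (digest) protected
3. Identity authentication: asymmetric encryption algorithm; the private key is kept safe on the server and the public key is distributed
Public key === certificate (ID card)
CA: the certificate issuing authority (your mom)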
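How to set up secure HTTPS access to a website
Step 1: Create the private key and public key (certificate)
cd /etc/nginx/
openssl genrsa -idea -out server.key 2048
genrsa --- which type of private key to create
idea   --- a password must be set on the private key file
out    --- the private key file to generate
openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
req    --- create a certificate file
days   --- validity period of the certificate file (default   days)
x509   --- certificate file format
sha256 --- the algorithm used to generate the certificate
nodes  --- generate the certificate with the private key's password removed
keyout --- the private key file to load
out    --- the generated certificate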
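An added example (not from the original notes) that creates a self-signed pair the way step 1 does and then checks what the nginx configuration depends on: the certificate and key belong together, the key file is not readable by group or other, and the certificate has not run out. With -newkey, the -keyout option writes a freshly generated key, so the req command above replaces the server.key produced by genrsa. The scratch directory, the CN www.oldboy.com, the 365-day lifetime and all function names are assumptions.

```shell
# Added example: create a self-signed pair, then verify it before nginx loads it.
# Paths, the 365-day lifetime and all function names are assumptions.

# make_pair DIR CN: write DIR/server.key and DIR/server.crt (umask keeps the key 0600).
make_pair() {
    ( umask 077
      openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$2" \
          -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null )
}

# pair_matches CRT KEY: true only if the certificate carries this key's public half.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# key_is_private KEY: true if group and other have no permission bits on the key file.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# valid_for_days CRT N: true if the certificate is still valid N days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Demo in a scratch directory (skipped when the openssl CLI is not installed).
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    make_pair "$d" www.oldboy.com &&
        pair_matches "$d/server.crt" "$d/server.key" &&
        key_is_private "$d/server.key" &&
        valid_for_days "$d/server.crt" 30 &&
        echo "server.crt and server.key match and are safe to load"
    rm -rf "$d"
fi
```

Running pair_matches against the files named in ssl_certificate and ssl_certificate_key before a reload catches a mismatched pair, which nginx otherwise rejects at startup.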
Step 2: In nginx, write the configuration file to enable HTTPS and load the private key and public key
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
[root@web02 nginx]# cat /etc/nginx/conf.d/www.conf
server {
    listen 443 ssl;
    server_name www.oldboy.com www.jd.com;
    root /html/www;
    index index.html;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
}
Step 3: Configure the redirect from HTTP to HTTPS
server {
    listen 80;
    server_name www.oldboy.com;
    rewrite ^/(.*)$ https://$host/$1 redirect;
}
server {
    listen 443 ssl;
    server_name www.oldboy.com www.jd.com;
    root /html/www;
    index index.html;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
}
Implementing HTTPS access through the load balancer
Method 1: Configure the certificate and private key on every server
Client access --- lb01 --- web node
www.oldboy.com http://www.oldboy.com
https://www.oldboy.com ---> listen 443 ssl
Step 1: Write the lb load balancer configuration file
upstream oldboy {
    #server 10.0.0.7:443;
    server 10.0.0.8:443;
    #server 10.0.0.9:80;
}
server {
    listen 80;
    server_name localhost;
    rewrite ^/(.*)$ https://$host/$1 redirect;
}
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    location / {
        proxy_pass https://oldboy;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
Step 2: Web node configuration
server {
    listen 443 ssl;
    server_name www.oldboy.com www.jd.com;
    root /html/www;
    index index.html;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
}
Method 2: Configure the certificate and private key on the load balancer servers
Client access --- lb01 ---> web node
www.oldboy.com http://www.oldboy.com
https://www.oldboy.com ---> listen 80
Step 1: Load balancer configuration
upstream oldboy {
    #server 10.0.0.7:443;
    server 10.0.0.8:80;
    #server 10.0.0.9:80;
}
server {
    listen 80;
    server_name localhost;
    rewrite ^/(.*)$ https://$host/$1 redirect;
}
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    location / {
        proxy_pass http://oldboy;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
Step 2: Web node configuration
server {
    listen 80;
    server_name www.oldboy.com www.jd.com;
    root /html/www;
    index index.html;
}
Accessing dynamic pages over HTTPS: WordPress
Step 1: Modify the configuration files
Modify the load balancer configuration file:
upstream oldboy {
    #server 10.0.0.7:443;
    server 10.0.0.8:443;
    #server 10.0.0.9:80;
}
server {
    listen 80;
    server_name localhost;
    rewrite ^/(.*)$ https://$host/$1 redirect;
}
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    location / {
        proxy_pass https://oldboy;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
Web server configuration
server {
    listen 443 ssl;
    server_name blog.oldboy.com blog.oldgirl.com;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    location / {
        root /html/blog;
        index index.php index.html;
    }
    location ~ \.php$ {
        root /html/blog;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
    }
}
Step 2: Modify the WordPress admin settings
Change the address to https://blog.oldboy.com
Step 3: Restart nginx