|
|
说正事儿,先说下我的想法,
前端负载均衡服务器采用Nginx,
中间配置两个(或多个)apache+tomcat
应用程序服务器,
后端采用连接到一个数据库,
采用共享磁盘的方式公用一个文件服务器,
配置nginx开始:
1、下载 pcre、nginx、openssl 程序包,
我这里用的分别是
pcre-8.00.tar.gz、
nginx-0.7.51.tar.gz、
openssl-1.0.0-beta3.tar.tar,
2、安装程序
安装openssl 程序,解压缩,./config
make && make install
groupadd www
useradd -g www www
tar zxvf pcre-8.00.tar.gz
cd pcre-8.00
./configure
make && make install
tar zxvf nginx-0.7.51.tar.gz
cd nginx-0.7.51
./configure --user=www --group=www --prefix=/usr/local/webserver/nginx --with-http_stub_status_module --with-http_ssl_module
make && make install
这样就安装完毕了
3、启动
执行 # /usr/local/webserver/nginx/sbin/nginx 命令启动程序
[iyunv@localhost nginx-0.7.51]# ps -ef |grep nginx (查看命令)
root 4276 1 0 00:23 ? 00:00:00 nginx: master process /usr/local/webserver/nginx/sbin/nginx
www 4277 4276 0 00:23 ? 00:00:00 nginx: worker process
4276为nginx主程序,可以看到程序运行起来了。
访问web页面,http://localhost ,可以看见 “
Welcome to nginx!
”字样,说明程序运行良好。
4、变http 为https
修改配置文件
# vi /usr/local/webserver/nginx/conf/nginx.conf
把 http {}括号里面的 第一个server配置全部注释掉
##########
#server {
#listen 443;
#server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
# # location / {
# # root html;
index index.html index.htm;
## }
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
## error_page 500 502 503 504 /50x.html;
## location = /50x.html {
## root html;
## }
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
# }
############################
把第三个server,https sever 的注释去掉并改为
#####################
# HTTPS server
#
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
##########################
这里面需要两个 证书文件,即红色的部分,
方法如下:
Generate Certificates
To generate private (dummy) certificates you can perform the following list of openssl commands.
First change directory to where you want to create the certificate and private key, for example:
$ cd /usr/local/nginx/conf
Now create the server private key, you'll be asked for a passphrase:
$ openssl genrsa -des3 -out server.key 1024
Create the Certificate Signing Request (CSR):
$ openssl req -new -key server.key -out server.csr
Remove the necessity of entering a passphrase for starting up nginx with SSL using the above private key:
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
Finally sign the certificate using the above private key and CSR:
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
,然后把生成的 server.crt 和 server.key 放到和nginx.conf 同一个文件夹下
执行 # /usr/local/webserver/nginx/sbin/nginx -t 查看修改的配置文件是否正确,正确的信息如下
2010/11/27 01:00:33 [info] 4383#0: the configuration file /usr/local/webserver/nginx/conf/nginx.conf syntax is ok
2010/11/27 01:00:33 [info] 4383#0: the configuration file /usr/local/webserver/nginx/conf/nginx.conf was tested successfully
如果不正确,按照提示修改正确。
重启nginx
操作如下:
[iyunv@localhost conf]# ps -ef |grep nginx
root 4276 1 0 00:23 ? 00:00:00 nginx: master process /usr/local/webserver/nginx/sbin/nginx
www 4371 4276 0 00:51 ? 00:00:00 nginx: worker process
root 4389 3998 0 01:01 pts/1 00:00:00 grep nginx
[iyunv@localhost conf]# kill -HUP 4276
然后访问页面,https://localhost ,出现 “
Welcome to nginx!
”字体,说明 ssl 配置正确
5、配置后端 apache
配置文件修改如下,可以参考,不必一样,重点注意红色部分
###################################
[iyunv@localhost conf]# cat nginx.conf_good
#user nobody;
user www www;
worker_processes 6;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid /usr/local/webserver/nginx/logs/nginx.pid;
events {
use epoll;
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
sendfile on;
keepalive_timeout 65;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 8m;
tcp_nopush on;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml;
gzip_vary on;
upstream backend
{
# ip_hash;
# server 10.2.2.122:443;
server 10.1.3.247:443;
server 10.2.2.137:443;
}
server {
#listen 80;
listen 443;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.jsp index.html index.htm;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://backend;
}
ssl on;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
location /nginx {
access_log on;
auth_basic "NginxStatus";
auth_basic_user_file /usr/local/nginx/htpasswd;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
#######################
然后重新启动 nginx,访问 https://localhost,
在我这个配置里面,就会把请求发送到 10.1.3.247 或 10.2.2.137上。
如果是对session有要求的程序,需要实现session共享的,那么你可以把 ip_hash的注释去掉,就可以正常访问了。 |
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2016-12-23 07:08:36
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡