23.1 Nginx cluster: completing the HTTPS practice

1. Environment preparation

Hostname  Application environment        External address  Internal address
lb01      nginx                          10.0.0.5          172.16.1.5
web01     nginx + php + nfs client       10.0.0.7          172.16.1.7
web02     nginx + php + nfs client       10.0.0.8          172.16.1.8
web03     nginx + php + nfs client       10.0.0.9          172.16.1.9
db01      mysql                          10.0.0.51         172.16.1.51
nfs01     nfs server + sersync client    10.0.0.31         172.16.1.31
backup    rsync server                   10.0.0.41         172.16.1.41

2. web01 configuration

# 1. Install nginx and php from the bundled rpm packages
[ ~]# rz nginx_php.tgz
[ ~]# tar xf nginx_php.tgz
[ ~]# cd nginx_php/
[ ~/nginx_php]# rpm -ivh *

# 2. Run nginx and php-fpm as one user. The uid/gid pair 666 must be identical on every host that
#    touches the shared files later (web nodes, nfs01, backup), because NFS and rsync work on numeric ids
[ ~]# groupadd www -g 666
[ ~]# useradd www -u 666 -g 666 -s /sbin/nologin -M
[ ~]# vim /etc/nginx/nginx.conf
user www;
...

[ ~]# vim /etc/php-fpm.d/www.conf
...
user = www
; RPM: Keep a group allowed to write in log dir.
group = www
...

# 3. Start both services and enable them at boot
[ ~]# systemctl start nginx php-fpm
[ ~]# systemctl enable nginx php-fpm

# 4. Edit the configuration files
# 4.1 Add the HTTPS flag to fastcgi_params (important). TLS terminates on lb01, so the web nodes only
#     ever see plain HTTP on port 80. Without this flag PHP sees $_SERVER['HTTPS'] empty, WordPress
#     builds http:// links and its own redirect to https can loop against the 80 -> 443 redirect on the
#     load balancer. Forcing it on is only correct because every client path to these nodes goes through
#     the HTTPS listener on lb01; a node reachable directly over HTTP would lie to the application.
[ ~]# vim /etc/nginx/fastcgi_params
...
fastcgi_param HTTPS on;


[ ~]# vim /etc/nginx/conf.d/wordpress.conf
server {
        listen 80;              # plain HTTP only; TLS is handled on lb01
        server_name wp.com;
        root /code/wordpress;
        index index.php;

        # anchored match (\.php$): without the $, a request like /x.php/y.jpg would also be handed to php-fpm
        location ~ \.php$ {
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }

}


[ ~]# vim /etc/nginx/conf.d/zh.conf
server {
        listen 80;
        server_name zh.com;
        root /code/zh;
        index index.php;

        location ~ \.php$ {
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }

}


# 5. Create the site directories
[ ~]# mkdir /code/{wordpress,zh} -p

# 6. Check the syntax
[ ~]# nginx -t

# 7. Reload the configuration
[ ~]# nginx -s reload

# 8. Configure name resolution for wp.com and zh.com (hosts entries on the test client)


# 9. Upload wordpress and WeCenter (or download them from their websites)
[ ~]# rz

# 9.1 Unpack
[ ~]# tar xf wordpress-5.0.3-zh_CN.tar.gz
[ ~]# unzip WeCenter_3-2-1.zip

# 10. Move all files into the site directories
[ ~]# mv wordpress/* /code/wordpress/
[ ~]# mv WeCenter_3-2-1/* /code/zh/

# 11. Give the site directories to www (php-fpm runs as www, which is what lets the installers
#     write wp-config.php and the upload directories)
[ ~]# chown www:www -R /code/

# 12. Upload and unpack the theme
[ ~]# cd /code/wordpress/wp-content/themes
[ /code/wordpress/wp-content/themes]# rz
[ /code/wordpress/wp-content/themes]# unzip QQ.zip

3. Install and deploy MariaDB (on db01)

# 1. Install mariadb
[ ~]# yum install -y mariadb-server.x86_64

# 2. Start the database and enable it at boot
[ ~]# systemctl start mariadb.service
[ ~]# systemctl enable mariadb.service

# 3. Set a root password (a lab value)
[ ~]# mysqladmin -uroot password '123'

# 4. Log in (a password given on the command line lands in shell history and in ps output;
#    an interactive -p prompt is the safer habit)
[ ~]# mysql -uroot -p123

# 5. Create the wordpress and WeCenter databases
MariaDB [(none)]> create database wp;
MariaDB [(none)]> create database zh;

# 6. Check that they were created
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
| wp                 |
| zh                 |
+--------------------+
6 rows in set (0.00 sec)

# 7. Create the login account used by the applications. As written this grants ALL PRIVILEGES on every
#    database (mysql.* included) to an account that may connect from any host, so the password is the only
#    control. Outside a lab, grant on wp.* and zh.* only and limit the host part to the web subnet (172.16.1.%).
MariaDB [(none)]> grant all on *.* to '%' identified by '111';

4. Visit both sites in a browser, run the installers and publish a post (the original shows two screenshots here)

5. The other web nodes (web02 and web03)

# 1. Upload and install the rpm packages (run on both web02 and web03)
[ ~]# tar xf nginx_php.tgz
[ ~]# cd nginx_php/
[ ~/nginx_php]# rpm -ivh *

# 2. Create the www user and group with the same uid/gid as on web01 (both nodes)
[ ~]# groupadd www -g 666
[ ~]# useradd www -u 666 -g 666 -s /sbin/nologin -M


############## On web01: push what the other nodes need

# Push the site directories
[ ~]# rsync -az --delete /code 172.16.1.8:/
[ ~]# rsync -az --delete /code 172.16.1.9:/

# Push the nginx and php-fpm configuration (this carries the fastcgi_params with HTTPS on as well)
[ ~]# rsync -az --delete /etc/nginx/ 172.16.1.9:/etc/nginx/
[ ~]# rsync -az --delete /etc/nginx/ 172.16.1.8:/etc/nginx/
[ ~]# rsync -avz --delete /etc/php-fpm.d/ 172.16.1.9:/etc/php-fpm.d/
[ ~]# rsync -avz --delete /etc/php-fpm.d/ 172.16.1.8:/etc/php-fpm.d/


########### On web02 and web03: start the services with the pushed configuration
[ ~]# systemctl start nginx php-fpm.service
[ ~]# systemctl enable nginx php-fpm.service
[ ~]# nginx -s reload

6. NFS shared directories (server side, nfs01)

# 1. Create the same www user (uid/gid 666, as on the web nodes)
[ ~]# groupadd www -g 666
[ ~]# useradd www -g 666 -u 666 -s /sbin/nologin -M

# 2. Edit the NFS exports: rw for the internal /24 only; all_squash maps every client uid (root included)
#    to anonuid/anongid 666, so whatever the clients write is owned by www on the server
[ ~]# vim /etc/exports
/file/zh 172.16.1.0/24(sync,rw,all_squash,anonuid=666,anongid=666)
/file/wp 172.16.1.0/24(sync,rw,all_squash,anonuid=666,anongid=666)

# 3. Create the shared directories
[ ~]# mkdir /file/{wp,zh} -p

# 4. Give them to www
[ ~]# chown www:www -R /file/

# 5. Start nfs and enable it at boot
[ ~]# systemctl start nfs
[ ~]# systemctl enable nfs



############# On web01
# 6. Copy the existing upload files into the shared directories
# WordPress uploads
[ ~]# scp -r /code/wordpress/wp-content/uploads/* 172.16.1.31:/file/wp/
# WeCenter (zh) uploads
[ ~]# scp -r /code/zh/uploads/* 172.16.1.31:/file/zh

# 7. Check that the exports are visible
[ ~]# showmount -e 172.16.1.31
Export list for 172.16.1.31:
/file/wp 172.16.1.0/24
/file/zh 172.16.1.0/24

# 8. Mount on web01 (the mount hides whatever was in the local uploads directory, which is why step 6 copied it out first)
[ ~]# mount -t nfs 172.16.1.31:/file/zh /code/zh/uploads/
[ ~]# mount -t nfs 172.16.1.31:/file/wp /code/wordpress/wp-content/uploads/

# 9. Check
[ ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              19G  1.6G   17G   9% /
devtmpfs              476M     0  476M   0% /dev
tmpfs                 487M     0  487M   0% /dev/shm
tmpfs                 487M  7.7M  479M   2% /run
tmpfs                 487M     0  487M   0% /sys/fs/cgroup
/dev/sda1             497M  120M  378M  25% /boot
tmpfs                  98M     0   98M   0% /run/user/0
172.16.1.31:/file/zh   19G  1.3G   18G   7% /code/zh/uploads
172.16.1.31:/file/wp   19G  1.3G   18G   7% /code/wordpress/wp-content/uploads

# 10. Mount on web02 and web03: run the same two mount commands on each node; df -h then shows the same two
#     172.16.1.31 lines. None of these mounts survive a reboot: add them to /etc/fstab (or a systemd mount
#     unit) on every node, otherwise uploads silently land on the local disk after the next restart.


########### Image sharing done

7. rsync backup (server side, backup)

[ ~]# vim /etc/rsyncd.conf
 # user the rsync daemon runs as
 uid = www
 # group the rsync daemon runs as
 gid = www
 # port the daemon listens on
 port = 873
 # store ownership and permissions in xattrs so a non-root daemon can still preserve them
 fake super = yes
 # do not chroot into the module path
 use chroot = no
 # at most 200 concurrent connections
 max connections = 200
 # idle timeout, seconds
 timeout = 600
 # ignore I/O errors
 ignore errors
 # the module is writable (nfs01 pushes into it)
 read only = false
 # do not let clients list module names
 list = false
 # daemon log file
 log file = /var/log/rsyncd.log

 ########### module configuration #############
 auth users = nfs_bak
 secrets file = /etc/rsync_pass
 [nfs]
 comment = welcome to backup!
 path = /backup

As written the daemon accepts connections from any source address and the module is writable, so the
shared password in /etc/rsync_pass is the only thing standing between the network and the backups.
Restrict the module to the one client that needs it (hosts allow = 172.16.1.31) and keep port 873
reachable only from the internal network.

# Create the backup directory
[ ~]# mkdir /backup
# Create the user (same uid/gid as on the web and nfs nodes)
[ ~]# groupadd www -g 666
[ ~]# useradd www -g 666 -u 666 -s /sbin/nologin -M
# Write the rsync user and password (123 is a lab value; use a long random secret elsewhere)
[ ~]# echo 'nfs_bak:123' > /etc/rsync_pass
# Permissions: rsyncd refuses a secrets file that others can read
[ ~]# chmod 600 /etc/rsync_pass
[ ~]# chown www:www /backup/
# Start rsyncd and enable it at boot
[ ~]# systemctl start rsyncd
[ ~]# systemctl enable rsyncd
Created symlink from /etc/systemd/system/multi-user.target.wants/rsyncd.service to /usr/lib/systemd/system/rsyncd.service.
# Check the port
[ ~]# netstat -lntup |grep 873

8. sersync on nfs01 (client side)

# Install rsync and inotify-tools (what sersync needs)
[ ~]# yum install -y rsync inotify-tools
# Unpack sersync
[ ~]# tar xf sersync2.5.4_64bit_binary_stable_final.tar.gz
# Move and rename
[ ~]# mv GNU-Linux-x86 /usr/local/sersync
# Edit the configuration file
[ ~]# vim /usr/local/sersync/confxml.xml
...
    </filter>
    <inotify>
        <delete start="true"/>
        <createFolder start="true"/>
        <createFile start="false"/>
        <closeWrite start="true"/>
        <moveFrom start="true"/>
        <moveTo start="true"/>
        <attrib start="true"/>
        <modify start="true"/>
    </inotify>

    <sersync>
        <!-- watch the exported directory; the shipped default is /data, which is not where the NFS shares live -->
        <localpath watch="/file">
            <remote ip="172.16.1.41" name="nfs"/>
            <!--<remote ip="192.168.8.39" name="tongbu"/>-->
            <!--<remote ip="192.168.8.40" name="tongbu"/>-->
        </localpath>
        <rsync>
            <commonParams params="-az"/>
            <auth start="true" users="nfs_bak" passwordfile="/etc/rsync.pas"/>
            <userDefinedPort start="false" port="874"/><!-- port=874 -->
            <timeout start="false" time="100"/><!-- timeout=100 -->
            <ssh start="false"/>
        </rsync>
...

# Write the rsync password (password only; the user name comes from confxml.xml)
[ ~]# echo '123' > /etc/rsync.pas
# Permissions: rsync refuses a password file that others can read
[ ~]# chmod 600 /etc/rsync.pas
# Start sersync: -r full sync once at start, -d run as a daemon, -o configuration file
[ ~]# /usr/local/sersync/sersync2 -rdo /usr/local/sersync/confxml.xml


##### Real-time backup is working

9. Load balancer (lb01)

# 1. Install nginx only
[ ~]# tar xf nginx_php.tgz
[ ~]# cd nginx_php/
[ ~/nginx_php]# rpm -ivh nginx*

# 2. Same www user as everywhere else
[ ~]# groupadd www -g 666
[ ~]# useradd www -g 666 -u 666 -s /sbin/nologin -M
[ ~]# vim /etc/nginx/nginx.conf
user www;

# 3. Proxy settings (a file meant to be included from the server blocks; note that wp_lb.conf below does not
#    include it, so nothing here takes effect until `include proxy_params;` is added to the location)
[ ~]# vim /etc/nginx/proxy_params
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;

proxy_buffering on;
proxy_buffers_size 32k;
proxy_buffers 4 128k;

# Retrying on http_404 and http_403 is questionable: those are application answers, not backend failures,
# and a POST that produced one is replayed against the next node. error, timeout and 502/503/504 are the safer set.
proxy_next_upstream error timeout http_500 http_502 http_503 http_504 http_404 http_403;

# 4. Create the certificate directory
[ ~]# mkdir /etc/nginx/ssl

# 5. Generate a private key. This produces a passphrase-protected key (-idea), which nginx cannot load
#    unattended; step 7 regenerates the key without a passphrase, so this file is superseded.
[ ssl]# openssl genrsa -idea -out /etc/nginx/ssl/`date +%Y%m%d`_aaa.com.key 2048

Generating RSA private key, 2048 bit long modulus
.....+++
........................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/nginx/ssl/20200603_aaa.com.key:
Verifying - Enter pass phrase for /etc/nginx/ssl/20200603_aaa.com.key:

# 6. Check
[ ssl]# ls -l
total 4
-rw-r--r-- 1 root root 1739 Jun  3 21:57 20200603_aaa.com.key

# 7. Generate a self-signed certificate and, at the same time, a fresh key without a passphrase (-nodes).
#    Both files go under /etc/nginx/ssl so the server block in step 8 finds them.
[ ssl]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/20200603_aaa.com.key -out /etc/nginx/ssl/20200603_aaa.com.crt

Generating a 2048 bit RSA private key
..................................................................................................+++
...................................................................................................+++
writing new private key to '/etc/nginx/ssl/20200603_aaa.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:shanghai
Organizational Unit Name (eg, section) []:shanghai
Common Name (eg, your name or your server's hostname) []:*.com
Email Address []:

# The Common Name *.com is not a usable wildcard (a wildcard has to sit left of a registrable name, e.g.
# *.aaa.com), and browsers match the host name against subjectAltName, not the CN, so this certificate
# never validates for wp.com or zh.com: every visit starts with a browser warning to click through. That is
# acceptable for the lab; a real deployment uses a CA-issued certificate that lists each name in the SAN.

[ conf.d]# ll /etc/nginx/ssl/
total 8
-rw-r--r-- 1 root root 1379 Jun  4 03:44 20200603_aaa.com.crt
-rw-r--r-- 1 root root 1708 Jun  4 03:44 20200603_aaa.com.key
# The key is world-readable (644); nginx reads it as root at startup, so tighten it to 600.
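The two openssl steps above create a passphrase-protected key that is then thrown away, and a certificate whose CN (*.com) no browser will accept. As an added example, not code from the original page, the script below goes one step further than the page: it issues a single self-signed certificate carrying wp.com, zh.com and admin.com in subjectAltName, with an unencrypted key nginx can load unattended and a 600 mode on the key file, then verifies that the certificate really belongs to that key and lists the names it covers. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext); on CentOS 7's OpenSSL 1.0.2 the SAN has to be supplied through a config file instead. The host names are the page's; the function names, the output directory and the 825-day lifetime are my choices.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: one self-signed certificate for all three
# site names, carried in subjectAltName (which is what browsers actually match), with an
# unencrypted key (-nodes) nginx can load unattended and a key file mode of 600.
# Assumes OpenSSL >= 1.1.1 (-addext / -ext); on OpenSSL 1.0.2 the SAN has to come from a config file.
set -e

# gen_selfsigned_san OUTDIR NAME HOST... -> writes OUTDIR/NAME.key (0600) and OUTDIR/NAME.crt (0644)
gen_selfsigned_san() {
    local outdir=$1 name=$2
    shift 2
    local san="" h
    for h in "$@"; do
        san="${san:+$san,}DNS:$h"          # DNS:wp.com,DNS:zh.com,DNS:admin.com
    done
    mkdir -p "$outdir"
    (   # subshell so the restrictive umask does not leak into the caller's shell
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
            -subj "/CN=$1" -addext "subjectAltName=$san" \
            -keyout "$outdir/$name.key" -out "$outdir/$name.crt" 2>/dev/null
    )
    chmod 644 "$outdir/$name.crt"          # the certificate is public; only the key stays private
}

# cert_matches_key CRT KEY -> exit 0 when the certificate's public key is the public half of KEY
# (the check to run before pointing ssl_certificate / ssl_certificate_key at two files)
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_sans CRT -> the DNS names in subjectAltName, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# key_mode FILE -> octal permission bits (expect 600 for a private key; the page's ls shows 644)
key_mode() {
    stat -c '%a' "$1"
}

# Stand-alone run (bash script.sh demo): writes into a temporary directory and prints what nginx would load
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    gen_selfsigned_san "$dir" lb01 wp.com zh.com admin.com
    cert_matches_key "$dir/lb01.crt" "$dir/lb01.key" && echo "key and cert match"
    echo "SANs: $(cert_sans "$dir/lb01.crt" | tr '\n' ' ')"
    echo "key mode: $(key_mode "$dir/lb01.key")"
fi
```

Run it with the argument `demo` to see the generated files; point `ssl_certificate` and `ssl_certificate_key` at `lb01.crt` and `lb01.key`. The browser still warns, because nothing signed the certificate, but the warning is now the only problem: the names match, so the same server block serves all three sites.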


# 8. Edit the load-balancer configuration. The certificate and key names must match the files created in step 7.
[ ~]# vim /etc/nginx/conf.d/wp_lb.conf
upstream wp {
        server 172.16.1.7;
        server 172.16.1.8;
        server 172.16.1.9;
}

server {
        listen 80;
        server_name wp.com;
        return 302 https://$server_name$request_uri;
}

server {
        listen 80;
        server_name zh.com;
        return 302 https://$server_name$request_uri;
}

server {
        listen 80;
        server_name admin.com;
        return 302 https://$server_name$request_uri;
}

server {
        listen 443 ssl;
        server_name wp.com zh.com admin.com;
        ssl_certificate     /etc/nginx/ssl/20200603_aaa.com.crt;
        ssl_certificate_key /etc/nginx/ssl/20200603_aaa.com.key;

        location / {
                proxy_pass http://wp;
                proxy_set_header Host $host;
        }
}

# Notes on this file:
# - All three names share one upstream. The web nodes choose the site from the Host header that
#   proxy_set_header forwards, so that single line is the only reason zh.com does not land on the
#   WordPress vhost. admin.com has no server block on the web nodes and falls through to their default server.
# - The location does not `include proxy_params;`, so the timeouts, buffers and X-Forwarded-* headers
#   from step 3 are not applied.
# - TLS ends here and the web nodes see plain HTTP; the fastcgi HTTPS flag set in section 2 is what keeps
#   WordPress from redirecting in a loop.
# - 302 is a temporary redirect. Once HTTPS is the only entry point, use 301 (or 308 to keep the method)
#   so browsers cache it.

# Check the syntax and reload
[ ~]# nginx -t
[ ~]# nginx -s reload
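The listener above terminates TLS but says nothing about protocol versions, HSTS or X-Forwarded-Proto, redirects with a temporary 302, and (through proxy_params, once it is included) retries 403 and 404 responses on the next backend. As an added example, not part of the original page, the script below greps a configuration file for those five points and returns the number of findings; it ships with a constructed copy of the page's relevant lines and a hardened variant to compare against. Function names and the hardened values are mine. It is a lint to run next to `nginx -t`, not a replacement for it, and it does not follow include chains.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: a static check of an nginx TLS-termination
# config for the points a reviewer would raise on wp_lb.conf. It only greps one file
# (include chains are not followed) and complements, not replaces, `nginx -t`.

# lint_lb_conf FILE -> prints one finding per line; exit status = number of findings
lint_lb_conf() {
    local f=$1 n=0
    if ! grep -Eq '^[[:space:]]*ssl_protocols' "$f"; then
        echo "no ssl_protocols: nginx before 1.23.4 defaults to TLSv1.0/1.1/1.2; set TLSv1.2 TLSv1.3"
        n=$((n + 1))
    fi
    if ! grep -Eq 'proxy_set_header[[:space:]]+X-Forwarded-Proto' "$f"; then
        echo "no X-Forwarded-Proto: backends can only infer HTTPS from the fastcgi 'HTTPS on' override"
        n=$((n + 1))
    fi
    if ! grep -q 'Strict-Transport-Security' "$f"; then
        echo "no HSTS header: returning browsers will still try plain http:// first"
        n=$((n + 1))
    fi
    if grep -Eq 'return[[:space:]]+302[[:space:]]+https://' "$f"; then
        echo "http->https redirect is 302: use 301 (or 308 to keep the method) so clients cache it"
        n=$((n + 1))
    fi
    if grep -Eq 'proxy_next_upstream[^;]*http_40[34]' "$f"; then
        echo "proxy_next_upstream retries on 403/404: app-level denials are replayed to every backend"
        n=$((n + 1))
    fi
    return "$n"
}

# page_style_conf -> the relevant lines of the wp_lb.conf / proxy_params pair above (constructed sample)
page_style_conf() {
    cat <<'EOF'
proxy_next_upstream error timeout http_500 http_502 http_503 http_504 http_404 http_403;
server {
    listen 80;
    server_name wp.com;
    return 302 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name wp.com zh.com admin.com;
    ssl_certificate     /etc/nginx/ssl/20200603_aaa.com.crt;
    ssl_certificate_key /etc/nginx/ssl/20200603_aaa.com.key;
    location / { proxy_pass http://wp; proxy_set_header Host $host; }
}
EOF
}

# hardened_conf -> the same listener with the five findings addressed (constructed sample).
# The redirect uses $host, not $server_name: with several names in one block $server_name is
# always the first one listed, which would send zh.com visitors to wp.com.
hardened_conf() {
    cat <<'EOF'
proxy_next_upstream error timeout http_502 http_503 http_504;
server {
    listen 80;
    server_name wp.com zh.com admin.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name wp.com zh.com admin.com;
    ssl_certificate     /etc/nginx/ssl/20200603_aaa.com.crt;
    ssl_certificate_key /etc/nginx/ssl/20200603_aaa.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://wp;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}
```

Usage: `lint_lb_conf /etc/nginx/conf.d/wp_lb.conf` prints the findings and exits with their count, so it drops straight into a pre-reload check such as `nginx -t && lint_lb_conf ... && nginx -s reload`. Against the page-style sample it reports all five points; against the hardened sample it reports none.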

Name resolution: point wp.com, zh.com and admin.com at the external address of lb01 (10.0.0.5 in the table above); the original shows a screenshot of the hosts entries here.

10. Open a browser

wp.com (screenshots of the WordPress site served over https in the original)

zh.com (screenshots of the WeCenter site served over https in the original)
