nginx HTTPS load balancing configuration
1. Install the OpenSSL tool on Windows (it is used to generate the SSL certificates). Download the precompiled (no-build) version from:
http://slproweb.com/products/Win32OpenSSL.html
Note: if openssl reports that it cannot read the conf file while you are using it, just restart the computer.
All the commands entered in cmd:
C:\OpenSSL-Win64>cd bin
C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out ssd.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
........++++++
e is 65537 (0x10001)
Enter pass phrase for ssd.key: ---123456
Verifying - Enter pass phrase for ssd.key: ---123456
C:\OpenSSL-Win64\bin>openssl req -new -key ssd.key -out ssd.csr
Enter pass phrase for ssd.key: ---123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:guangdong
Locality Name (eg, city) []:zhuhai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ssd
Organizational Unit Name (eg, section) []:ssd
Common Name (e.g. server FQDN or YOUR name) []:yuange
Email Address []:1871707128@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:ssd
C:\OpenSSL-Win64\bin>openssl x509 -req -days 36500 -shal -extensions v3_ca -signkey ssd.key -in ssd.csr -out ssd.crt
unknown option -shal ---- the reason for the error here: the option is sha1, not shal
usage: x509 args
-inform arg - input format - default PEM (one of DER, NET or PEM)
-outform arg - output format - default PEM (one of DER, NET or PEM)
-keyform arg - private key format - default PEM
-CAform arg - CA format - default PEM
-CAkeyform arg - CA key format - default PEM
-in arg - input file - default stdin
-out arg - output file - default stdout
-passin arg - private key password source
-serial - print serial number value
-subject_hash - print subject hash value
-subject_hash_old - print old-style (MD5) subject hash value
-issuer_hash - print issuer hash value
-issuer_hash_old - print old-style (MD5) issuer hash value
-hash - synonym for -subject_hash
-subject - print subject DN
-issuer - print issuer DN
-email - print email address(es)
-startdate - notBefore field
-enddate - notAfter field
-purpose - print out certificate purposes
-dates - both Before and After dates
-modulus - print the RSA key modulus
-pubkey - output the public key
-fingerprint - print the certificate fingerprint
-alias - output certificate alias
-noout - no certificate output
-ocspid - print OCSP hash values for the subject name and public key
-ocsp_uri - print OCSP Responder URL(s)
-trustout - output a "trusted" certificate
-clrtrust - clear all trusted purposes
-clrreject - clear all rejected purposes
-addtrust arg - trust certificate for a given purpose
-addreject arg - reject certificate for a given purpose
-setalias arg - set certificate alias
-days arg - How long till expiry of a signed certificate - def 30 days
-checkend arg - check whether the cert expires in the next arg seconds
exit 1 if so, 0 if not
-signkey arg - self sign cert with arg
-x509toreq - output a certification request object
-req - input is a certificate request, sign and output.
-CA arg - set the CA certificate, must be PEM format.
-CAkey arg - set the CA key, must be PEM format
missing, it is assumed to be in the CA file.
-CAcreateserial - create serial number file if it does not exist
-CAserial arg - serial file
-set_serial - serial number to use
-text - print the certificate in text form
-C - print out C code forms
-md2/-md5/-sha1/-mdc2 - digest to use
-extfile - configuration file with X509V3 extensions to add
-extensions - section from config file with X509V3 extensions to add
-clrext - delete extensions before signing and input certificate
-nameopt arg - various certificate name options
-engine e - use engine e, possibly a hardware device.
-certopt arg - various certificate text options
-checkhost host - check certificate matches "host"
-checkemail email - check certificate matches "email"
-checkip ipaddr - check certificate matches "ipaddr"
C:\OpenSSL-Win64\bin>openssl x509 -req -days 36500 -extensions v3_ca -signkey ssd.key -in ssd.csr -out ssd.crt
Signature ok
subject=/C=cn/ST=guangdong/L=zhuhai/O=ssd/OU=ssd/CN=yuange/emailAddress=1871707128@qq.com
Getting Private key --123456
Enter pass phrase for ssd.key: --123456
C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................+++
...+++
e is 65537 (0x10001)
Enter pass phrase for server.key: ---123456
Verifying - Enter pass phrase for server.key: ---123456
C:\OpenSSL-Win64\bin>openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: ---123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:guangdong
Locality Name (eg, city) []:zhuhai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ssd
Organizational Unit Name (eg, section) []:ssd
Common Name (e.g. server FQDN or YOUR name) []:yuange
Email Address []:1871707128@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:ssd
C:\OpenSSL-Win64\bin>openssl x509 -req -days 36500 -md5 -extensions v3_req -CA ssd.crt -CAkey ssd.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=cn/ST=guangdong/L=zhuhai/O=ssd/OU=ssd/CN=yuange/emailAddress=1871707128@qq.com
Getting CA Private Key ---123456
Enter pass phrase for ssd.key: ---123456
All of the passwords above are 123456.
Note: the certificates generated above are saved in the openssl/bin directory; copy the generated files to the nginx/conf directory. Here I only copied server.crt and server.key.
2. After everything was configured, I found:
nginx -t reported success, but nginx shut down by itself as soon as it was started, and the log showed an error:
After searching for a long time, I finally found the cause:
On Windows, the key used for nginx SSL cannot be protected by a passphrase, otherwise this error is reported.
Solution:
In cmd, cd to the openssl/bin directory and enter:
openssl rsa -in C:\OpenSSL-Win64\bin\server.key -out c:/server.key.unsecure
Enter the password that was set for server.key, here 123456.
Then the file appears in the root of drive C: success.
Replace server.key in nginx.conf with server.key.unsecure and it works.
3. Configure nginx.conf
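The certificate steps from sections 1 and 2 above, as an added example that is not part of the original post: a POSIX shell script (Linux, macOS, or Git Bash on Windows) that runs the same openssl commands non-interactively, but signs with SHA-256 instead of MD5/SHA-1, adds a subjectAltName, verifies the chain, and only then writes the passphrase-free copy of the key for nginx. The directory, pass phrase and address arguments are assumptions, and openssl must be on PATH.

```shell
# Added example, not from the original post. Differences from the cmd session
# are deliberate: SHA-256 signatures, a 2048-bit CA key, a subjectAltName
# (modern clients ignore the CN), chain verification before the passphrase is
# stripped, and owner-only permissions on every file written.
make_test_chain() (
    set -e
    dir="${1:-./certs}"; pass="${2:-123456}"; host="${3:-10.152.252.160}"
    mkdir -p "$dir" && cd "$dir"
    umask 077   # keys and certs written below are private to the owner

    # CA: encrypted key, CSR, self-signed certificate marked as a CA (10 years)
    openssl genrsa -aes256 -passout "pass:$pass" -out ssd.key 2048 2>/dev/null
    openssl req -new -key ssd.key -passin "pass:$pass" \
        -subj "/C=CN/ST=guangdong/L=zhuhai/O=ssd/CN=ssd test CA" -out ssd.csr
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -sha256 -days 3650 -in ssd.csr -signkey ssd.key \
        -passin "pass:$pass" -extfile ca.ext -out ssd.crt 2>/dev/null

    # Server: encrypted key, CSR, certificate signed by the CA with a SAN for
    # the address clients actually connect to (constructed sample address)
    openssl genrsa -aes256 -passout "pass:$pass" -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -passin "pass:$pass" \
        -subj "/C=CN/ST=guangdong/L=zhuhai/O=ssd/CN=$host" -out server.csr
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$host" > srv.ext
    openssl x509 -req -sha256 -days 825 -in server.csr -CA ssd.crt -CAkey ssd.key \
        -passin "pass:$pass" -CAcreateserial -extfile srv.ext -out server.crt 2>/dev/null

    # Check the chain the way a client would before copying anything to nginx
    openssl verify -CAfile ssd.crt server.crt >/dev/null

    # nginx cannot prompt for a pass phrase: write an unencrypted copy for it
    # and keep the encrypted server.key as the master copy
    openssl rsa -in server.key -passin "pass:$pass" -out server.key.unsecure 2>/dev/null
)

# Returns 0 when the public key inside the unencrypted key file matches the
# certificate, i.e. the ssl_certificate/ssl_certificate_key pair belongs together.
key_matches_cert() {
    k=$(openssl pkey -in "$1/server.key.unsecure" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/server.crt" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Running `make_test_chain ./certs 123456 10.152.252.160 && key_matches_cert ./certs` leaves server.crt and server.key.unsecure ready to be copied to nginx/conf.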
#user and group to run as; not set on Windows
#user nobody;
#number of worker processes (usually the number of CPU cores or twice that, e.g. two quad-core CPUs give 8)
worker_processes 3;
#error log path; the log level can be one of [debug|info|notice|warn|error|crit]
#error_log logs/error.log;
#error_log logs/error.log notice;
error_log logs/error.log info;
#pid file path
#pid logs/nginx.pid;
#working mode and connection limit
events {
    #network I/O model: epoll is recommended on Linux, kqueue on FreeBSD; not set on Windows
    #use epoll;
    #number of allowed connections
    worker_connections 1024;
}
#the http server, whose reverse proxy feature provides the load balancing
http {
    #mime types
    include mime.types;
    default_type application/octet-stream;
    #log format
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';
    #request buffers
    client_header_buffer_size 1k;
    large_client_header_buffers 4 4k;
    #access log
    #access_log logs/access.log main;
    client_header_timeout 3m;
    client_body_timeout 3m;
    send_timeout 3m;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #enable the gzip module
    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 8k;
    gzip_types text/plain application/x-javascript text/css application/xml;
    output_buffers 1 32k;
    postpone_output 1460;
    server_names_hash_bucket_size 128;
    client_max_body_size 8m;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_vary on;
    #list of backend servers for load balancing
    upstream url {
        #assign each request to a backend tomcat by hashing the client ip; this avoids the session problem
        #ip_hash;
        #on a multi-homed machine the ip may change when the route switches
        #the weight parameter sets the weight; a higher weight means a higher chance of being chosen
        #server localhost:8080 weight=1;
        #server 10.152.252.160:8443 weight=2;
        #server 10.152.252.162:8443 weight=20;
        server 10.152.252.160:8443 max_fails=2 fail_timeout=600s;
        server 10.152.252.162:8443 max_fails=2 fail_timeout=600s;
    }
    #virtual host
    server {
        listen 8080;
        #server_name 10.152.252.160;
        #proxy_pass https://url;
        rewrite ^(.*)$ https://$host:8443$1 permanent;
        #charset koi8-r;
        charset UTF-8;
        #access log for this virtual host
        #access_log logs/host.access.log main;
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
    # HTTPS server
    server {
        listen 443;
        listen 8444;
        server_name 10.152.252.160;
        ssl on;
        ssl_certificate server.crt;
        ssl_certificate_key server.key.unsecure;
        ssl_session_timeout 5m;
        ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
            proxy_redirect off;
            #preserve the client's real information
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
            proxy_max_temp_file_size 128m;
            proxy_pass https://url;
        }
    }
}
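The HTTPS part of the configuration above with its weak settings replaced, as an added example rather than the post's own configuration. It assumes nginx 1.15 or newer built against OpenSSL 1.1.1 (for TLS 1.3), keeps the post's upstream name and addresses, and assumes a pass phrase file at ssl/server.pass and a placeholder name tomcat.example.internal present in both backend certificates.

```nginx
# Added example, not the post's configuration: the HTTPS server of the
# nginx.conf above, hardened. Paths and names marked as placeholders are assumptions.
upstream url {
    server 10.152.252.160:8443 max_fails=2 fail_timeout=600s;
    server 10.152.252.162:8443 max_fails=2 fail_timeout=600s;
}

server {
    listen 8080;
    # Plain HTTP only redirects, to the port this nginx serves TLS on
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;                    # replaces the deprecated "ssl on;"
    server_name 10.152.252.160;

    ssl_certificate     server.crt;
    ssl_certificate_key server.key;    # may stay encrypted: nginx reads the
    ssl_password_file   ssl/server.pass;   # pass phrase from this file (placeholder path)

    # SSLv2 and SSLv3 are broken and TLS 1.0/1.1 deprecated: allow only 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only; TLS 1.3 suites are selected by OpenSSL itself
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;           # nginx does not rotate ticket keys on its own

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # http_404 is dropped from the post's list: a page missing on one node
        # would otherwise be re-requested from the other and the real 404 hidden
        proxy_next_upstream error timeout http_502 http_503;
        proxy_pass https://url;

        # Verify the backends against the private CA that signed their
        # certificates instead of trusting whatever answers on port 8443
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate ssd.crt;
        proxy_ssl_name                tomcat.example.internal;   # placeholder name
    }
}
```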