23.1Nginx集群完善HTTPS实践
2021-02-02 11:14
标签: from move enable mes one timeout 密码 uri nss 域名解析 wp.com zh.com
原文地址: https://www.cnblogs.com/jkz1/p/13170770.html
1.环境准备
主机名称
应用环境
外网地址
内网地址
lb01
nginx
10.0.0.5
172.16.1.5
web01
nginx+php+nfs客户端
10.0.0.7
172.16.1.7
web02
nginx+php+nfs客户端
10.0.0.8
172.16.1.8
web03
nginx+php+nfs客户端
10.0.0.9
172.16.1.9
db01
mysql
10.0.0.51
172.16.1.51
nfs01
nfs服务端+sersync客户端
10.0.0.31
172.16.1.31
backup
rsync服务端
10.0.0.41
172.16.1.41
2.web01配置
# 1.安装nginx和php
[root@web01 ~]# rz nginx_php.tgz
[root@web01 ~]# tar xf nginx_php.tgz
[root@web01 ~]# cd nginx_php/
[root@web01 ~/nginx_php]# rpm -ivh *
# 2.统一nginx和php的用户
[root@web01 ~]# groupadd www -g 666
[root@web01 ~]# useradd www -u 666 -g 666 -s /sbin/nologin -M
[root@web01 ~]# vim /etc/nginx/nginx.conf
user www;
...
[root@web01 ~]# vim /etc/php-fpm.d/www.conf
...
user = www
; RPM: Keep a group allowed to write in log dir.
group = www
...
# 3.启动并开机自启
[root@web01 ~]# systemctl start nginx php-fpm
[root@web01 ~]# systemctl enable nginx php-fpm
# 4.编辑配置文件
# 4.1编辑fastcgi这个文件,给他加上能识别跳转443 (重要)
[root@web01 ~]# vim /etc/nginx/fastcgi_params
...
fastcgi_param HTTPS on;
[root@web01 ~]# vim /etc/nginx/conf.d/wordpress.conf
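server {
    listen 80;
    server_name wp.com;
    root /code/wordpress;
    index index.php;

    # Anchor the regex with "$": a bare "\.php" also matches paths such as
    # "name.php.txt", so only real *.php URIs are handed to php-fpm here.
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # fastcgi_params was edited above to carry "HTTPS on", because TLS
        # is terminated on lb01 and this backend is reached over plain HTTP.
        include fastcgi_params;
    }
}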
[root@web01 ~]# vim /etc/nginx/conf.d/zh.conf
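server {
    listen 80;
    server_name zh.com;
    root /code/zh;
    index index.php;

    # Anchor the regex with "$": a bare "\.php" also matches paths such as
    # "name.php.txt", so only real *.php URIs are handed to php-fpm here.
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # fastcgi_params was edited above to carry "HTTPS on", because TLS
        # is terminated on lb01 and this backend is reached over plain HTTP.
        include fastcgi_params;
    }
}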
# 5.创建站点目录
[root@web01 ~]# mkdir /code/{wordpress,zh} -p
# 6.检查语法
[root@web01 ~]# nginx -t
# 7.重新加载配置文件
[root@web01 ~]# nginx -s reload
# 8.配置域名解析
##### 9.上传wordpress和Wecenter(或者去网站下载)
[root@web01 ~]# rz
# 9.1解压
[root@web01 ~]# tar xf wordpress-5.0.3-zh_CN.tar.gz
[root@web01 ~]# unzip WeCenter_3-2-1.zip
# 10.把所有文件移动到站点目录下
[root@web01 ~]# mv wordpress/* /code/wordpress/
[root@web01 ~]# mv WeCenter_3-2-1/* /code/zh/
# 11.授权目录
[root@web01 ~]# chown www.www -R /code/
# 12.上传解压主题
[root@web01 ~]# cd /code/wordpress/wp-content/themes
[root@web01 /code/wordpress/wp-content/themes]# rz
[root@web01 /code/wordpress/wp-content/themes]# unzip QQ.zip
3.安装部署mariadb(db01操作)
# 1.下载mariadb
[root@db01 ~]# yum install -y mariadb-server.x86_64
# 2.启动数据库并开机自启
[root@db01 ~]# systemctl start mariadb.service
[root@db01 ~]# systemctl enable mariadb.service
# 3.给数据库一个登入密码
[root@db01 ~]# mysqladmin -uroot password '123'
# 4.登入数据库
[root@db01 ~]# mysql -uroot -p123
# 5.创建wordpress和Wecenter数据库
MariaDB [(none)]> create database wp;
MariaDB [(none)]> create database zh;
# 6.查看是否创建成功
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| test |
| wp |
| zh |
+--------------------+
6 rows in set (0.00 sec)
# 7.创建用户 (所有数据库的登入用户; 生产环境应只授权需要的库并限制来源主机, 不要用 all on *.* 配弱密码)
MariaDB [(none)]> grant all on *.* to wp_zh@'%' identified by '111';
4.访问浏览器并发表文章
5.其他web的操作
# 1.上传和解压rpm包
[root@web02 ~]# tar xf nginx_php.tgz
[root@web02 ~]# cd nginx_php/
[root@web02 ~/nginx_php]# rpm -ivh *
[root@web03 ~]# tar xf nginx_php.tgz
[root@web03 ~]# cd nginx_php/
[root@web03 ~/nginx_php]# rpm -ivh *
# 2.创建用户和用户组
[root@web02 ~]# groupadd www -g 666
[root@web02 ~]# useradd www -u 666 -g 666 -s /sbin/nologin -M
[root@web03 ~]# groupadd www -g 666
[root@web03 ~]# useradd www -u 666 -g 666 -s /sbin/nologin -M
############## web01上的操作,发送需要的东西
# 发送站点目录
[root@web01 ~]# rsync -az --delete /code 172.16.1.8:/
[root@web01 ~]# rsync -az --delete /code 172.16.1.9:/
# 发送nginx和php配置文件
[root@web01 ~]# rsync -az --delete /etc/nginx/ 172.16.1.9:/etc/nginx/
[root@web01 ~]# rsync -az --delete /etc/nginx/ 172.16.1.8:/etc/nginx/
[root@web01 ~]# rsync -avz --delete /etc/php-fpm.d/ 172.16.1.9:/etc/php-fpm.d/
[root@web01 ~]# rsync -avz --delete /etc/php-fpm.d/ 172.16.1.8:/etc/php-fpm.d/
########### web02和03的操作
[root@web02 ~]# systemctl start nginx php-fpm.service
[root@web02 ~]# systemctl enable nginx php-fpm.service
[root@web02 ~]# nginx -s reload
[root@web03 ~]# systemctl start nginx php-fpm.service
[root@web03 ~]# systemctl enable nginx php-fpm.service
[root@web03 ~]# nginx -s reload
6.nfs共享目录(服务端)
# 1.创建统一用户
[root@nfs ~]# groupadd www -g 666
[root@nfs ~]# useradd www -g 666 -u 666 -s /sbin/nologin -M
# 2.更改NFS的配置文件
[root@nfs ~]# vim /etc/exports
/file/zh 172.16.1.0/24(sync,rw,all_squash,anonuid=666,anongid=666)
/file/wp 172.16.1.0/24(sync,rw,all_squash,anonuid=666,anongid=666)
# 3.创建共享目录
[root@nfs ~]# mkdir /file/{wp,zh} -p
# 4.授权共享目录
[root@nfs ~]# chown www.www -R /file/
# 5.启动并开机自启nfs
[root@nfs ~]# systemctl start nfs
[root@nfs ~]# systemctl enable nfs
############# web01上的操作
# 6.发送项目上的图片到共享目录上
# wordpress上的图片
[root@web01 ~]# scp -r /code/wordpress/wp-content/uploads/* 172.16.1.31:/file/wp/
# 知乎上的图片
[root@web01 ~]# scp -r /code/zh/uploads/* 172.16.1.31:/file/zh
# 7.查看共享目录是否成功了
[root@web01 ~]# showmount -e 172.16.1.31
Export list for 172.16.1.31:
/file/wp 172.16.1.0/24
/file/zh 172.16.1.0/24
# 8.web01挂载
[root@web01 ~]# mount -t nfs 172.16.1.31:/file/zh /code/zh/uploads/
[root@web01 ~]# mount -t nfs 172.16.1.31:/file/wp /code/wordpress/wp-content/uploads/
# 9.查看
[root@web01 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 19G 1.6G 17G 9% /
devtmpfs 476M 0 476M 0% /dev
tmpfs 487M 0 487M 0% /dev/shm
tmpfs 487M 7.7M 479M 2% /run
tmpfs 487M 0 487M 0% /sys/fs/cgroup
/dev/sda1 497M 120M 378M 25% /boot
tmpfs 98M 0 98M 0% /run/user/0
172.16.1.31:/file/zh 19G 1.3G 18G 7% /code/zh/uploads
172.16.1.31:/file/wp 19G 1.3G 18G 7% /code/wordpress/wp-content/uploads
# 10.web02挂载
[root@web02 ~]# mount -t nfs 172.16.1.31:/file/zh /code/zh/uploads/
[root@web02 ~]# mount -t nfs 172.16.1.31:/file/wp /code/wordpress/wp-content/uploads/
# 11.查看
[root@web02 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 19G 1.6G 17G 9% /
devtmpfs 476M 0 476M 0% /dev
tmpfs 487M 0 487M 0% /dev/shm
tmpfs 487M 7.7M 479M 2% /run
tmpfs 487M 0 487M 0% /sys/fs/cgroup
/dev/sda1 497M 120M 378M 25% /boot
tmpfs 98M 0 98M 0% /run/user/0
172.16.1.31:/file/zh 19G 1.3G 18G 7% /code/zh/uploads
172.16.1.31:/file/wp 19G 1.3G 18G 7% /code/wordpress/wp-content/uploads
# 12.web03挂载
[root@web03 ~]# mount -t nfs 172.16.1.31:/file/zh /code/zh/uploads/
[root@web03 ~]# mount -t nfs 172.16.1.31:/file/wp /code/wordpress/wp-content/uploads/
# 13.查看
[root@web03 ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 19G 1.6G 17G 9% /
devtmpfs 476M 0 476M 0% /dev
tmpfs 487M 0 487M 0% /dev/shm
tmpfs 487M 7.7M 479M 2% /run
tmpfs 487M 0 487M 0% /sys/fs/cgroup
/dev/sda1 497M 120M 378M 25% /boot
tmpfs 98M 0 98M 0% /run/user/0
172.16.1.31:/file/zh 19G 1.3G 18G 7% /code/zh/uploads
172.16.1.31:/file/wp 19G 1.3G 18G 7% /code/wordpress/wp-content/uploads
########### 共享图片完成
7.rsync备份backup操作(服务端)
[root@backup ~]# vim /etc/rsyncd.conf
# 指定启动rsync服务的用户id
uid = www
# 指定启动rsync服务的用户组id
gid = www
# 指定rsync服务启动的端口
port = 873
# 假装是root
fake super = yes
# 不禁锢在path目录内 (use chroot = no)
use chroot = no
# 最大连接数是200
max connections = 200
# 超时时间是600s
timeout = 600
# 忽略错误
ignore errors
# 可读可写
read only = false
# 其它客户端用户不允许查看模块名
list = false
# rsync服务的日志所在路径
log file = /var/log/rsyncd.log
########### 命令相关配置 #############
auth users = nfs_bak
secrets file = /etc/rsync_pass
[nfs]
comment = welcome to backup!
path = /backup
# 创建备份目录
[root@backup ~]# mkdir /backup
# 创建用户
[root@backup ~]# groupadd www -g 666
[root@backup ~]# useradd www -g 666 -u 666 -s /sbin/nologin -M
# 写入rsync的用户和密码
[root@backup ~]# echo 'nfs_bak:123' > /etc/rsync_pass
# 授权
[root@backup ~]# chmod 600 /etc/rsync_pass
[root@backup ~]# chown www.www /backup/
# 启动并开机自启rsync
[root@backup ~]# systemctl start rsyncd
[root@backup ~]# systemctl enable rsyncd
Created symlink from /etc/systemd/system/multi-user.target.wants/rsyncd.service to /usr/lib/systemd/system/rsyncd.service.
# 查看端口
[root@backup ~]# netstat -lntup |grep 873
8.nfs操作sersync (客户端)
# 下载sersync
[root@nfs ~]# yum install -y rsync inotify-tools
# 解压
[root@nfs ~]# tar xf sersync2.5.4_64bit_binary_stable_final.tar.gz
# 移动并改名
[root@nfs ~]# mv GNU-Linux-x86 /usr/local/sersync
# 编辑配置文件
[root@nfs ~]# vim /usr/local/sersync/confxml.xml
...
9.负载均衡上的操作
# 1.安装nginx
[root@lb01 ~]# tar xf nginx_php.tgz
[root@lb01 ~]# cd nginx_php/
[root@lb01 ~/nginx_php]# rpm -ivh nginx*
# 2.统一用户
[root@lb01 ~]# groupadd www -g 666
[root@lb01 ~]# useradd www -g 666 -u 666 -s /sbin/nologin -M
[root@lb01 ~]# vim /etc/nginx/nginx.conf
# 3.编辑代理服务的安全优化
[root@lb01 ~]# vim /etc/nginx/proxy_params
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffering on;
proxy_buffer_size 32k;
proxy_buffers 4 128k;
proxy_next_upstream error timeout http_500 http_502 http_503 http_504 http_404 http_403;
# 4.创建证书目录
[root@lb01 ~]# mkdir /etc/nginx/ssl
# 5.创建证书 (注意: 下面几段记录里的主机名和目录(ssl/ssl_key)并不一致, 实际以 lb01 上的 /etc/nginx/ssl/ 为准)
[root@web01 ssl]# openssl genrsa -idea -out /etc/nginx/ssl/`date +%Y%m%d`_aaa.com.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
........................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/nginx/ssl_key/20200603_aaa.com.key:
Verifying - Enter pass phrase for /etc/nginx/ssl_key/20200603_aaa.com.key:
# 6.查看
[root@web01 ssl_key]# ls
total 4
-rw-r--r-- 1 root root 1739 Jun 3 21:57 20200603_aaa.com.key
# 7.生成自签证书,同时去掉私钥的密码
[root@web01 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout /etc/nginx/20200603_aaa.com.key -out /etc/nginx/ssl/20200603_aaa.com.crt
Generating a 2048 bit RSA private key
..................................................................................................+++
...................................................................................................+++
writing new private key to '/etc/nginx/ssl_key/20200603_aaa.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:shanghai
Organizational Unit Name (eg, section) []:shanghai
Common Name (eg, your name or your server's hostname) []:*.com
Email Address []:123@qq.com
[root@lb01 conf.d]# ll /etc/nginx/ssl/
total 8
-rw-r--r-- 1 root root 1379 Jun 4 03:44 aaa.com.crt
-rw-r--r-- 1 root root 1708 Jun 4 03:44 aaa.com.key
# 8.编辑配置文件
[root@lb01 ~]# vim /etc/nginx/conf.d/wp_lb.conf
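upstream wp {
    server 172.16.1.7;
    server 172.16.1.8;
    server 172.16.1.9;
}

# Port 80 only redirects to HTTPS. TLS is terminated on lb01; the backends
# are reached over plain HTTP on the internal network (172.16.1.0/24), which
# is why the web nodes set "fastcgi_param HTTPS on" themselves.
server {
    listen 80;
    server_name wp.com;
    return 302 https://$server_name$request_uri;
}
server {
    listen 80;
    server_name zh.com;
    return 302 https://$server_name$request_uri;
}
server {
    listen 80;
    server_name admin.com;
    return 302 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name wp.com zh.com admin.com;
    # Point at the files actually present in /etc/nginx/ssl/ (see the "ll"
    # output above). The cert is self-signed with CN "*.com", so browsers
    # will warn until it is replaced by one from a trusted CA.
    ssl_certificate /etc/nginx/ssl/aaa.com.crt;
    ssl_certificate_key /etc/nginx/ssl/aaa.com.key;
    # TODO(review): restrict protocols, e.g. "ssl_protocols TLSv1.2 TLSv1.3;"
    # (TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1).
    location / {
        # proxy_params (created in step 3) sets Host plus X-Real-IP and
        # X-Forwarded-For, so the backends see the real client address.
        include proxy_params;
        proxy_pass http://wp;
    }
}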
# 检查语法并重新加载配置文件
[root@lb01 ~]# nginx -t
[root@lb01 ~]# nginx -s reload
10.打开浏览器访问