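I. HTTPS encryption algorithms
HTTP transmits data in plaintext, so sending information such as usernames and passwords over it is insecure. HTTPS adds SSL to the original HTTP protocol to encrypt the transmitted data. The core of HTTPS encryption is the use of keys.
Types of keys (encryption algorithms):
1. Symmetric algorithms (the same key encrypts and decrypts): AES, DES (suited to encryption on a single machine)
2. Asymmetric algorithms (public key and private key): RSA, DSA
3. Message digests: md5, sha256, sha512 (data integrity checks)
Websites today mainly use asymmetric encryption algorithms.
Steps to enable HTTPS encryption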
1. Generate the certificate and private key (i.e. the public key and the private key)
cd /home/application/nginx/conf    # you must be in the conf directory
openssl genrsa >my.key    # generate the private key
openssl req -new -x509 -key my.key -out my.crt    # use the private key to generate the matching certificate. Only the my.crt name may be changed here; the value after -key must match the private key file name
# openssl req -new -x509 -key my.key -out my.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    # country code, must be exactly two characters
State or Province Name (full name) []: GX    # province, any value
Locality Name (eg, city) [Default City]:dd    # city, any value
Organization Name (eg, company) [Default Company Ltd]:kk    # company name, any value
Organizational Unit Name (eg, section) []:ll    # department, any value
Common Name (eg, your name or your server's hostname) []:vv    # server hostname, any value
Email Address []:fgf    # e-mail address, any value
2. Modify nginx.conf to enable encryption for the site
vim /home/application/nginx/conf/nginx.conf
# vim /home/application/nginx/conf/nginx.conf
worker_processes 1;
error_log logs/error.log error;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    client_header_buffer_size 512k;
    large_client_header_buffers 4 512k;
    #nginx vhosts config
    include extra/www.conf;
    include extra/bbs.conf;
    include extra/blog.conf;
    include extra/status.conf;
    include extra/secret.conf;    # add the config file for the encrypted (HTTPS) domain
}
Configure extra/secret.conf
vim /home/application/nginx/conf/extra/secret.conf
#https server
server {
    listen 443 ssl;
    server_name secret.ceishi.com;
    ssl_certificate my.crt;        # certificate (public key)
    ssl_certificate_key my.key;    # private key
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html/secret;
        index index.html index.htm;
    }
}
mkdir /home/application/nginx/html/secret
echo "jiami.ceishi.com" >/home/application/nginx/html/secret/index.html
/home/application/nginx/sbin/nginx -t
/home/application/nginx/sbin/nginx -s reload
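Step 1 above as a non-interactive script, added here as an example and not part of the original article: it writes the key with mode 600, puts the nginx server_name into the certificate's CN and subjectAltName (clients compare the hostname against these), and checks that my.crt really belongs to my.key before nginx is reloaded. The function names, the 2048-bit key size and the 365-day validity are assumptions.

```shell
# Added example, not from the original article. Function names are hypothetical.

# make_cert DIR HOST: create DIR/my.key (mode 600) and a self-signed DIR/my.crt
# whose CN and subjectAltName are HOST, without interactive prompts.
make_cert() {
    mc_dir=$1; mc_host=$2
    # umask 077 keeps the private key unreadable for other local users.
    ( umask 077; openssl genrsa -out "$mc_dir/my.key" 2048 2>/dev/null ) || return 1
    # Throwaway request config: fixed DN plus a SAN (assumed minimal field set).
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ext' \
        'prompt = no' '[dn]' 'C = CN' "CN = $mc_host" \
        '[ext]' "subjectAltName = DNS:$mc_host" > "$mc_dir/req.cnf" || return 1
    openssl req -new -x509 -sha256 -days 365 -key "$mc_dir/my.key" \
        -config "$mc_dir/req.cnf" -out "$mc_dir/my.crt"
    mc_rc=$?
    rm -f "$mc_dir/req.cnf"
    return $mc_rc
}

# pair_matches KEY CRT: succeed only if the public key inside the certificate
# is the one derived from the private key (what ssl_certificate and
# ssl_certificate_key must satisfy together).
pair_matches() {
    pm_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    pm_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pm_key" ] && [ "$pm_key" = "$pm_crt" ]
}

# cert_names CRT: print the subject and SAN entries so they can be compared
# with the server_name in extra/secret.conf.
cert_names() {
    openssl x509 -in "$1" -noout -text | grep -E 'Subject:|DNS:'
}

# Usage, with the paths and server_name from the article:
#   make_cert /home/application/nginx/conf secret.ceishi.com
#   pair_matches my.key my.crt && cert_names my.crt
```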
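II. Nginx as a proxy
nginx can act both as a web server and as a reverse proxy server. As a proxy it gives web services high availability with no single point of failure, provides load balancing, and makes the cluster highly available.
Environment setup
Two web servers with identical content (running Apache)
Addresses: 192.168.31.38 and 192.168.31.134;
One nginx scheduler
Address: 192.168.31.230
Configure name-based virtual hosts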
Install Apache
yum install httpd -y
Disable the default host mode
vim /etc/httpd/conf/httpd.conf
Comment out the following line
#DocumentRoot "/var/www/html"
Add the name-based virtual host configuration
cd /etc/httpd/conf.d/
vim virtualhost.conf
# add the following content
NameVirtualHost *:80
<VirtualHost *:80>
    DocumentRoot "/var/www/html/bbs"
    ServerName blog.ceishi.com
</VirtualHost>
In older versions, commenting that line out was not enough; the configuration file also had to state on which address and port virtual hosting is enabled, for example by adding the line NameVirtualHost 192.168.100.24:80. httpd 2.4.x no longer needs this line.
mkdir /var/www/html/bbs
cd /var/www/html/bbs
echo "blog.3138.com">index.html
#vim /etc/hosts
192.168.31.38 linux7.6 blog.ceishi.com
#curl -L blog.ceishi.com    # test
blog.3138.com
Configure the nginx proxy server
worker_processes 1;
error_log logs/error.log error;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # The upstream block goes inside http, outside any server block.
    # Note: the name after upstream must not use underscores (e.g. bbs_server_pools),
    # otherwise a 400 error occurs.
    upstream bbs-server-pools {
        server 192.168.31.38:80;    # web server addresses
        server 192.168.31.134:80;
    }
    #nginx vhosts config
    include extra/www.conf;
    include extra/bbs.conf;
    include extra/blog.conf;
    include extra/status.conf;
}
Modify the server block configuration
#vim nginx/conf/extra/bbs.conf
server {
    listen 80;
    server_name bbs.ceishi.com;
    location / {
        # root html/bbs;
        # index index.html index.htm;
        proxy_pass http://bbs-server-pools;    # pass requests to the bbs-server-pools upstream
    }
}
Client test
Client IP: 192.168.31.128
vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.31.230 bbs.ceishi.com    # this is the address of the nginx proxy
#curl bbs.ceishi.com
31.134bbs.com
#curl bbs.ceishi.com
bbs.31.128.com
for i in $(seq 10); do curl bbs.ceishi.com; sleep 1; done
Published by: 全栈程序员-用户IM. When reposting, please cite the source: https://javaforall.cn/197673.html Original link: https://javaforall.cn