環境 阿里的ECS
注意在安全組開啟相應端口
兩個站點 a.exemple.cn b.exemple.cn
源碼安裝
yum -y install gcc gcc-c++ automake pcre pcre-devel zlib zlib-devel openssl openssl-devel
groupadd nginx useradd nginx -g nginx -s /sbin/nologin -M cd /opt/ wget http://nginx.org/download/nginx-1.14.0.tar.gz tar -zxvf nginx-1.14.0.tar.gz cd nginx-1.14.0
./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-http_sub_module --with-stream --with-stream_ssl_module
make && make install cd /usr/local/nginx/ ls cd sbin/ ls
啟動
./nginx
查看版本信息 ./nginx -V
添加開機自啟
vim /etc/rc.d/rc.local
/usr/local/nginx/sbin/nginx
chmod +x /etc/rc.d/rc.local
nginx.conf配置文件
user nobody; worker_processes auto; pid /run/nginx.pid; events { worker_connections 40960; } http { sendfile on; tcp_nopush on; tcp_nodelay on; resolver_timeout 30; keepalive_timeout 30; types_hash_max_size 2048; server_tokens off; server_names_hash_bucket_size 64; server_name_in_redirect off; include mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' ' $upstream_addr $upstream_response_time $request_time '; access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log; include ../conf.d/*.conf; gzip on; gzip_disable "msie6"; proxy_max_temp_file_size 0; proxy_connect_timeout 1; proxy_send_timeout 10; proxy_read_timeout 30; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; client_max_body_size 20m; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; limit_req_zone $http_x_forwarded_for zone=zbt:10m rate=20r/s; proxy_cache_path /tmp/nginx levels=1:2 keys_zone=cache:100m max_size=1g inactive=7d; limit_req_status 429; }
nginx配置文件和SLB不能同時都加載證書
如果兩個站點是同一個根域名,則只在A站點配置文件中加入SSL,B站點即使不加入SSL配置也是可以的
SLB掛載網站是按照后端ECS服務器上配置網站的域名來計算的,如果后端ECS上有兩個根域名的網站比如 a.exemple-A.cn b.exemple-B.cn,則需要購買兩個SLB實例
1、nginx加載https證書、SLB使用TCP模式監聽端口
站點A
server {
listen 80;
server_name a.exemple.cn;
rewrite ^(.*)$ https://$host$1 permanent;
location / {
index index.html index.htm Agreement.html Privacy.html;
}
}
server {
listen 443 ;
server_name a.exemple.cn;
#allow 61.164.52.202; (允許特定的IP可以訪問)
#deny all; (拒絕其他IP訪問該網站)
ssl on;
root /home/web/111/;
index index.html index.htm Agreement.html Privacy.html;
ssl_certificate /home/web/ssl/xxxxx.pem;
ssl_certificate_key /home/web/xxxxx.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/a.exemple.cn.access.log main;
error_log /var/log/nginx/a.exemple.cn.error.log;
location / {
root /home/web/111;
index index.html index.htm Agreement.html Privacy.html;
}
}
B站點
server { listen 80; server_name b.exemple.cn; rewrite ^(.*)$ https://$host$1 permanent; location / { index index.html index.htm Agreement.html Privacy.html; } } server { listen 443 ; server_name b.exemple.cn; ssl on; root /home/web/222; index index.html index.htm Agreement.html Privacy.html; ssl_certificate /home/web/ssl/xxxxx.pem; ssl_certificate_key /home/web/xxxxx.key; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; access_log /var/log/nginx/b.exemple.cn.access.log main; error_log /var/log/nginx/b.exemple.cn.error.log; location / { root /home/web/222; index index.html index.htm Agreement.html Privacy.html; } }
2、nginx配置文件不加載ssl證書,SLB使用http和https模式監聽端口
a站點
server { listen 80; server_name a.exemple.cn; root /home/web/111; location / { rewrite ^(.*)$ https://$host$1 permanent; } } server { listen 443 ; server_name a.exemple.cn; access_log /var/log/nginx/a.exemple.cn.access.log main; error_log /var/log/nginx/a.exemple.cn.error.log; location / { root /home/web/111; index index.html index.htm Agreement.html Privacy.html; } }
b站點
server { listen 80; server_name b.exemple.cn; root /home/web/222; location / { rewrite ^(.*)$ https://$host$1 permanent; } } server { listen 443 ; server_name a.exemple.cn; access_log /var/log/nginx/b.exemple.cn.access.log main; error_log /var/log/nginx/b.exemple.cn.error.log; location / { root /home/web/222; index index.html index.htm Agreement.html Privacy.html; } }
如果站點是IIS
前端負載均衡已經用https 443 了后端就不要用443 了。用80就可以了。證書推送到負載均衡。
操作步驟
- 從后端服務器本地發起訪問,確保后端服務器上的HTTP服務正常工作。
- 登錄負載均衡控制台,在監聽實例詳情頁中,查看健康檢查配置。
本次示例使用HTTP監聽,出現健康檢查異常的后端服務器內網IP為10.0.0.2,其他健康檢查配置信息如下:
- 健康檢查端口:80
- 健康檢查域名:
www.slb-test.com - 健康檢查路徑:
/test.html
- 以Linux系統為例,執行nc或curl命令對后端服務器上的HTTP服務進行探測,健康檢查路徑、健康檢查端口和健康檢查域名配置必須與后端服務器上配置保持一致,否則會產生健康檢查異常。
此處使用 nc命令為例,請根據實際情況配置健康檢查路徑、健康檢查域名、健康檢查內網地址和健康檢查端口:
echo -e "HEAD /test.html HTTP/1.0\r\nHost: www.slb-test.com\r\n\r\n" | nc -t 172.17.58.131 80- 正常情況下,返回
200或其他2xx/3xx返回碼,如下圖所示。
- 異常示例:假設負載均衡上的監聽配置保持不變,但是刪除后端服務器上/test.html頁面,執行nc命令后,得到404錯誤碼,該錯誤碼與負載均衡SLB監聽中設置的2xx或者3xx狀態碼不符,此時會出現健康檢查異常結果,如下圖所示。
- 正常情況下,返回
- 登錄負載均衡控制台,在監聽實例詳情頁中,查看健康檢查配置。