High availability with nginx + keepalived

Date: 2024-10-18 09:49:45

A previous article covered how to set up two-node hot standby with keepalived. Here we combine it with nginx to achieve high availability.

1. Deploying nginx

1.1 Installing dependencies

Install the dependencies online:

yum -y install gcc gcc-c++ pcre pcre-devel zlib zlib-devel openssl openssl-devel

1.2 Installing nginx

https://nginx.org/en/download.html

After downloading, place the archive under /usr/ and extract it:

tar -zxvf  nginx-1.23.1.tar.gz
cd  nginx-1.23.1/ 

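1.3 Configuring nginx

# single quotes keep $PATH literal, so it is expanded at login rather than frozen into /etc/profile
echo 'export PATH=$PATH:/usr/local/nginx/sbin' >> /etc/profile
source /etc/profile
echo "/usr/local/nginx/sbin/nginx" >> /etc/rc.local
# rc.local runs as root at boot: make it executable but writable by root only (not 777)
chmod 755 /etc/rc.local /etc/rc.d/rc.local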

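1.4 Command summary

/usr/local/nginx/sbin/nginx            # start
/usr/local/nginx/sbin/nginx -s stop    # stop
/usr/local/nginx/sbin/nginx -s reload  # reload the configuration
/usr/local/nginx/sbin/nginx -t         # test the configuration
ps -ef | grep nginx                    # list the nginx processes
/usr/local/nginx/sbin/nginx -V         # show the version and compiled-in modules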

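1.5 Generating a self-signed certificate

mkdir /usr/local/nginx/ssl_cert

cd /usr/local/nginx/ssl_cert

openssl genrsa -out server.key 2048
# create the certificate's private key file

openssl req -new -key server.key -out server.csr
# use the key to generate a certificate signing request; enter the certificate details at the prompts (leave the password empty), or press Enter to accept every default
Country Name               # country
State or Province Name     # province
Locality Name              # city
Organization Name          # organization
Organizational Unit        # department
Common Name                # name
Email Address              # e-mail address
A challenge password       # challenge password stored in the CSR (leave empty)
An optional company name   # optional company name

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
# use the signing request to generate the self-signed certificate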

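2. Implementing the nginx proxy

The package was extracted under /usr earlier; rename the extracted directory to nginx. Then replace the entire contents of /usr/nginx/conf/nginx.conf with the following: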

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

#user nginx;
worker_processes auto;
#error_log /data/log/nginx/error.log;
#pid /run/nginx.pid;

events {
    worker_connections 10240;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    server_tokens       off;

    include             /usr/nginx/conf/mime.types;
    default_type        application/octet-stream;
    
    include             /usr/nginx/conf/conf.d/test1.conf;
    include             /usr/nginx/conf/conf.d/test2.conf;
}

After replacing the file, create a conf.d folder under /usr/nginx/conf/.

In the conf.d folder, create test1.conf and test2.conf to illustrate two kinds of proxying.

vi test1.conf

# Copy the following

server {
    listen 8888;

    location / {
        proxy_set_header Host $host:$server_port; 
        proxy_set_header X-Real-IP $remote_addr; 
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
        proxy_set_header X-Forwarded-Proto $scheme; 
        client_max_body_size    10m;
        client_body_buffer_size 128k;
        proxy_buffer_size       4k;
        proxy_buffers           4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_connect_timeout   30;
        proxy_send_timeout      60;
        proxy_read_timeout      300;
        proxy_pass https://center.mkeysec.net/; # the domain here is the address being proxied
    }
}

vi  test2.conf


# Copy the following

# nginx as a load balancer, distributing traffic according to different weights
#upstream device {
#   server 192.168.1.236:8080 weight=2;
#   server 192.168.1.237:8080 weight=1;
#}

upstream device {
   server 192.168.1.236:8080;
}


server {
    listen *:8443 ssl;
    ssl_certificate /usr/local/nginx/ssl_cert/server.crt; 
    ssl_certificate_key /usr/local/nginx/ssl_cert/server.key; 
    ssl_session_timeout  5m; 
    ssl_protocols TLSv1.2; # TLS 1.0 and 1.1 are deprecated (RFC 8996); add TLSv1.3 if nginx is built against OpenSSL 1.1.1 or newer
    ssl_ciphers  HIGH:!aNULL:!MD5:!3DES; 
    ssl_prefer_server_ciphers  on; 

    location / {
        proxy_set_header Host $host:$server_port; 
        proxy_set_header X-Real-IP $remote_addr; 
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
        proxy_set_header X-Forwarded-Proto $scheme; 
        add_header Content-Security-Policy upgrade-insecure-requests; # this is the key to serving HTTP static resources through the HTTPS reverse proxy
        client_max_body_size    10m;
        client_body_buffer_size 128k;
        proxy_buffer_size       4k;
        proxy_buffers           4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_connect_timeout   30;
        proxy_send_timeout      60;
        proxy_read_timeout      300;
        proxy_pass http://device/; 
        proxy_redirect  http://   https://;   # rewrite the scheme in the response's Location header from http to https, the protocol used for external access
    }
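
    #### If you are proxying in cloud-service mode, refer to the callback configuration below; delete it if it is not needed

    # Proxy the internal-network callback address
    # If the external address of this listening port is: https://192.168.1.123:333/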
	location ^~ /back/ {
        if ($request_uri ~ /back/(.*)){
            set $backurl $1;
        }
        proxy_pass $backurl;
    }

}

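In test2.conf, replace the two server IPs in the upstream block with the virtual IPs of the hot-standby pairs we set up, and four devices will then handle the traffic.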
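
The /back/ location in test2.conf takes its proxy target from the request itself, so any client that can reach port 8443 decides where nginx connects inside the network. A variant that forwards only to fixed callback targets, as an added example that is not part of the original article; the callback-a / callback-b names, the 10.0.0.x backends, the 203.0.113.10 source address and the $callback_upstream variable are constructed placeholders:

```nginx
# Added example, not the article's configuration.
# Constructed placeholders: callback-a / callback-b, the 10.0.0.x backends,
# 203.0.113.10 and the $callback_upstream variable.

# Goes at the top of test2.conf (http {} context): map the path prefix to a
# fixed internal target. Anything that does not match leaves the variable empty.
map $uri $callback_upstream {
    default                 "";
    ~^/back/callback-a/     "http://10.0.0.11:8080";
    ~^/back/callback-b/     "http://10.0.0.12:8080";
}

server {
    listen 8443 ssl;
    ssl_certificate     /usr/local/nginx/ssl_cert/server.crt;
    ssl_certificate_key /usr/local/nginx/ssl_cert/server.key;
    ssl_protocols       TLSv1.2;

    location ^~ /back/ {
        # Only the service that sends the callbacks may use this location.
        allow 203.0.113.10;
        deny  all;

        # Unknown prefix: refuse instead of proxying.
        if ($callback_upstream = "") {
            return 403;
        }

        # Drop /back/<name>/ and pass the rest of the path (and the query
        # string) to the mapped backend. The target never comes from the request.
        rewrite ^/back/[^/]+/(.*)$ /$1 break;
        proxy_pass $callback_upstream;
    }
}
```

Because the mapped targets are IP literals, no resolver directive is needed; run nginx -t after editing to confirm the file parses.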

From: https://blog.csdn.net/m0_74766687/article/details/143016431
