1. Server environment: two servers act as front-end proxies and two as backend real servers. All of them run nginx.

| Proxy servers | Backend servers |
|---|---|
| 172.16.5.50 | 172.16.5.52 |
| 172.16.5.51 | 172.16.5.53 |

2. Edit the nginx configuration file on the two backend servers:
```sh
cd /etc/nginx/conf.d
vim www_hello80.conf
```

```nginx
server {
    listen 80;
    server_name www.hello80.com hello80.com;
    location / {
        root /www/test-ssl;
        # try_files $uri $uri/ /index.html;
        index index.html index.htm;
    }
}
```
The following is the single-machine version, which can be tested on one host.
```sh
cd /etc/nginx/conf.d
vim ssl-hk.conf
```

```nginx
server {
    listen 80;
    server_name www.hello80.com hello80.com;
    #rewrite ^(.*) https://$host$1 permanent;
    return 307 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name www.hello80.com hello80.com;
    ssl_certificate /etc/nginx/ssl/www.hello80.com.pem;
    ssl_certificate_key /etc/nginx/ssl/www.hello80.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        root /www/test-ssl;
        # try_files $uri $uri/ /index.html;
        index index.html index.htm;
    }
}
```
On a single machine, create the certificate directory locally and upload the certificate. In the cluster, do this step on both proxy servers: 172.16.5.50 and 172.16.5.51.

```sh
mkdir /etc/nginx/ssl/
# check after the upload completes
[root@hk2 .ssh]# ll /etc/nginx/ssl/
total 8
-rw-r--r-- 1 root root 1675 Dec 23 11:45 www.hello80.com.key
-rw-r--r-- 1 root root 3826 Dec 23 11:45 www.hello80.com.pem
```
Create the web root and write the index file:

```sh
mkdir /www/test-ssl
cat > /www/test-ssl/index.html << EOF
<h1>
test ssl -172.16.5.52
</h1>
EOF
```

After the changes, reload nginx.

3. Edit the proxy layer (50 and 51)
```sh
cd /etc/nginx/conf.d
vim www_hello80_ssl.conf
```

```nginx
upstream www_hello80_servers {
    server 172.16.5.52 weight=100;
    server 172.16.5.53 weight=300;
}

server {
    listen 80;
    server_name www.hello80.com hello80.com;
    #rewrite ^(.*) https://$host$1 permanent;
    return 307 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name www.hello80.com hello80.com;
    ssl_certificate /etc/nginx/ssl/www.hello80.com.pem;
    ssl_certificate_key /etc/nginx/ssl/www.hello80.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://www_hello80_servers/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_buffering on;
        proxy_buffer_size 32k;
        proxy_buffers 4 128k;
    }
}
```
You can edit the file on 50 and scp it to 51:

```sh
scp www_hello80_ssl.conf 172.16.5.51:/etc/nginx/conf.d/
```

Sync the certificates from 52 to 50 and 51:

```sh
scp -r /etc/nginx/ssl/ 172.16.5.50:/etc/nginx/
scp -r /etc/nginx/ssl/ 172.16.5.51:/etc/nginx/
```
```sh
nginx -t
nginx -s reload
```
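Before running `nginx -t` on the proxy layer, it is worth linting the TLS settings themselves, since `nginx -t` only checks syntax. The script below is an added example and not part of the original post; it flags two points a reviewer would raise about the `www_hello80_ssl.conf` above: `ssl_protocols` still enabling TLSv1 and TLSv1.1 (deprecated by RFC 8996), and a `proxy_pass` block that does not forward `X-Forwarded-Proto`, which leaves the backend (WordPress in the later sections) unable to tell whether the client arrived over HTTPS. The two config files are constructed samples: `weak.conf` mirrors the post's settings and `hardened.conf` is the corrected form.

```sh
#!/bin/sh
# Added example, not from the original post. Constructed samples: 'weak.conf'
# mirrors the post's proxy-layer settings, 'hardened.conf' is the corrected form.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name www.hello80.com hello80.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    location / {
        proxy_pass http://www_hello80_servers/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
cat > "$tmp/hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name www.hello80.com hello80.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    location / {
        proxy_pass http://www_hello80_servers/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF

# Prints one WARN line per finding and returns the number of findings
# (0 means the file passed both checks).
lint_nginx_tls() {
    f="$1"; n=0
    # TLSv1 or TLSv1.1 followed by a space or ';', so TLSv1.2 / TLSv1.3 do not match
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' "$f"; then
        echo "WARN $f: ssl_protocols enables TLSv1/TLSv1.1; use 'ssl_protocols TLSv1.2 TLSv1.3;'"
        n=$((n + 1))
    fi
    # A proxied vhost that never tells the backend which scheme the client used
    if grep -Eq '^[[:space:]]*proxy_pass[[:space:]]' "$f" \
       && ! grep -Eq '^[[:space:]]*proxy_set_header[[:space:]]+X-Forwarded-Proto' "$f"; then
        echo "WARN $f: proxy_pass without 'proxy_set_header X-Forwarded-Proto \$scheme;'"
        n=$((n + 1))
    fi
    return "$n"
}

# Usage: lint both samples; on a real host point it at /etc/nginx/conf.d/*.conf
for c in weak hardened; do
    if lint_nginx_tls "$tmp/$c.conf"; then
        echo "$c.conf: OK"
    else
        echo "$c.conf: $? finding(s)"
    fi
done
```

The checks are deliberately plain `grep` so they can run on the proxy host with nothing but a POSIX shell; `weak.conf` yields two findings and `hardened.conf` none. Forwarding `X-Forwarded-Proto` is what lets a backend decide HTTPS from the request instead of hard-coding it, which matters for the WordPress configuration later in this post.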
Point the hosts file at it and verify:

```
172.16.5.55 wordpress.hello.com www.hello80.com hello80.com
```

Self-signed certificate, deployed for the WordPress domain
How to create an HTTPS certificate yourself. The certificate has to be created, and it contains the creator's information.

1. Install the openssl command, and install nginx as well:

```sh
yum install openssl openssl-devel -y
```

```ini
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
```

```sh
yum install nginx -y
```

2. Create the certificate directory with the commands below, then create the private key file:

```sh
mkdir -p /etc/nginx/ssl-cert/
cd /etc/nginx/ssl-cert/
# RSA asymmetric algorithm (as used on Aliyun), key length 2048, key written to server.key
# -idea is the name of the cipher used to encrypt the key
openssl genrsa -idea -out server.key 2048
```

Enter a passphrase for the private key to protect it; a passphrase is required to create it: chaoge666

```
[root@lb-5 /etc/nginx/ssl-cert]#cat server.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: IDEA-CBC,904B1F32A100884B

6prXU7IGtpZ4SZ6QM1TZEBNWzjWUuTi+0KfdW3b6ygnvpjz2i5s/EyEROsD2bwQX
f2hGD6NYVsGBLLwMd2hV3CwrSWtcXsy/JgRZAKk4lCmZY5GJegeFK03VmCU/Lwev
h/eQBIjd/cOF/pnaBSscqCaDp57L1pICjedDqyT5wvssJa4Ub0+sdn6P9ao8yMfo
hr6mdCh6IwxXwf6DxfcWCgCPghdNlaxd8zgZybkE8UaelteXXZmHzBE4+znwutG3
NM8i8USoU6Opa9PZcJXmAdvR75djp3qUJZ87Lkm3Ou5r4Lz4gJmj0kFnXrW1Au86
WYA+q7X53FgAIrND9MVv/8ivxja1sQP4bZ3vkuy+G0zXGoEy2DWINfID+4lKaX7F
gQO8mwzMcsEBC7mMb6MTAdLvld+d3X7UQZ+YNI4t4Ytw4/jVwM58EX+ZAb0STvfg
23mIfsqNbRehsXvlF77z9UT8nvZgomb1KY+Ba0Ny3rCL4ZtFm0zzrpgBKR3TDsiI
c2lRwp0TfnnJYsZO3ih2J9s0WyAE4ikQHJ87UByOfTuhIn2Mr3gB/9wNHVeieOuw
VooHi9/sGLth7PNJIz/O+7YVCNEt69kCRQWJS1ouF/rpVbKQ4HwtObVVDAZdSGPg
YSi6ruvhOadwjacEFNb6fxYko/hodAgWCKySKKWVGzy8sFfa4h9XVdGpxLXiAUwH
4Pf3QWooMbJ5QDiI67tBG8TMc2lFQWFJhWSJK7HbC0bIsTjvABBLs2bO06laJX9J
p6C8k5g/iTUoAzIIswX4r1UrRrVyIMi+j2bHs01PkvU7kytj1E4p7tZ5mIiHryO1
UgDNWoJAJYA/pXp5EaHwTHv7xnfrMCqwiNGYXikeL5jqkYROTH1KYmiTY4k3UbX6
eaIG2py1+I4ULmjhy9rZ5XGUuOr6kF80Q6dp3bFe3+DaKGhEF+9snX65wPImyCsg
kVGowZIZSX7uHBqaK5FYBH56lNxjtgYh0sgiuaWkp0Gd68wMDYP2lx3pTwHU4Y60
GoL3zv0x+fdY4SeMsxDBp9rRYihLQU7HVZ3kMm7MwehdiXUDWoCVFnkdvoSstZD5
FxMK37VSCueal+Ov0E4akxHeI7yELVqB7656w1wMI1WWOO1cOjfGIBKC630V9OBv
dyex4zDdKqOqFtIXXvmTXXvRw0g7WAM/NCQ4ji2atCqSEU7MyRxABJaZ7meCofGI
gxBQ8QwSjEmVItl8yzSHdBlpDxnSNjQQ8BVeHlhhpgCRDZBKCymQBpGDBIpVp7SX
rbGmtxavox9X8nfPm8l8fDojt9KXUhyFpiV3aUOBMKlRN/RZ2/Y7FK/m/OHgk1Y4
dFaPEjb0Dmbm+5ZK7ymIG2PQYfCHEY14fRnfPj9slxsPSmhLBtdTZoGbl/324LHp
JVrqBYvVv5ZfuLgMjWAtl2SbWzA9UgVSfUt96zOwyibMvJD8sXBIMWpCem0JqbH9
P+Hpf3klqJh16EqamXI/qlj/KxSbsyQ2dzv5A24VvWm4U0AyScfe+vyWCGa/xw0l
JOAl3FWgMY0xSY8PGWZUQBkyj1Bqq5lmLa0Ag9lPZnQuAUNwJVUskg==
-----END RSA PRIVATE KEY-----
```

Then, based on this private key, create the certificate (create the public key):

```sh
# req creates the certificate, valid for 100 years; the format is X.509; -newkey rsa:2048 creates a
# 2048-bit key with the RSA asymmetric algorithm and creates the certificate, specifying which private
# key to use; -out server.crt writes the public certificate to server.crt
# When creating the public key / certificate you will be asked to fill in company and organization information
openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
```
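The following script is an added example and not the post's own commands. It issues the self-signed certificate for the WordPress domain in one `openssl req` invocation and then checks the result the way a reviewer would. It differs from the sequence above in three ways: key and certificate are generated together (the post's `req -newkey ... -keyout server.key` writes a fresh key, so the key made by `genrsa` a step earlier is replaced rather than reused); the host name is carried in a `subjectAltName` extension, because current browsers ignore a bare CN; and validity defaults to 825 days instead of 36500, with rotation expected. Extensions are supplied through a small config file rather than `-addext` so the command also works on older OpenSSL builds. The output directory, the organization name `hello80` and the country code are placeholders; on the proxy you would point it at `/etc/nginx/ssl-cert/`.

```sh
#!/bin/sh
# Added example, not from the original post. Placeholders: output dir, O=hello80, C=CN.

# make_self_signed DIR HOST [DAYS]: writes DIR/server.key and DIR/server.crt
make_self_signed() {
    dir="$1"; host="$2"; days="${3:-825}"
    # Config file instead of -addext so this also runs on older openssl builds
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no
[dn]
C  = CN
O  = hello80
CN = $host
[v3_san]
subjectAltName   = DNS:$host,DNS:www.$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 600 "$dir/server.key"   # only root (the nginx master process) needs to read the key
}

# check_self_signed DIR HOST: key matches cert, SAN carries HOST, cert verifies
# against itself, key file is mode 600. Returns 0 when every check passes.
check_self_signed() {
    dir="$1"; host="$2"
    k=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$dir/server.crt" -noout -pubkey | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ] \
        || { echo "FAIL: server.key does not match server.crt"; return 1; }
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" \
        || { echo "FAIL: subjectAltName does not contain $host"; return 1; }
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "FAIL: certificate does not verify against itself"; return 1; }
    [ "$(ls -l "$dir/server.key" | cut -c1-10)" = "-rw-------" ] \
        || { echo "FAIL: server.key must be mode 600"; return 1; }
    echo "OK: $dir/server.crt issued for $host"
}

# Usage: issue into a temp dir and check it
out=$(mktemp -d)
make_self_signed "$out" wordpress.hello.com && check_self_signed "$out" wordpress.hello.com
```

The key/cert match test compares the SubjectPublicKeyInfo digests from both files, which is the same check that catches a mismatched pair after the `-keyout` overwrite described above. Since the certificate is self-signed, clients will still have to trust it explicitly; the `openssl verify -CAfile` line shows what that trust looks like on the command line.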
Edit the proxy-layer nginx configuration file:
```sh
cd /etc/nginx/conf.d/
```

```nginx
upstream word_press {
    server 172.16.5.52;
    # server 172.16.5.53:80;
}

server {
    listen 80;
    server_name wordpress.hello.com;
    #return 307 https://$server_name$request_uri;
    location / {
        proxy_pass http://word_press/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_buffering on;
        proxy_buffer_size 32k;
        proxy_buffers 4 128k;
    }
    access_log /var/log/nginx/wordpress.access.log main;
    error_log /var/log/nginx/wordpress.error.log;
}

server {
    listen 443 ssl;
    server_name wordpress.hello.com;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://word_press/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_buffering on;
        proxy_buffer_size 32k;
        proxy_buffers 4 128k;
    }
    access_log /var/log/nginx/wordpress_ssl.access.log main;
    error_log /var/log/nginx/wordpress_ssl.error.log;
}
```
The PHP side also needs changes; see the HTTPS support section below.

The directory is different:

```sh
cd /code/wordpress
```

Make the remaining changes as described in the referenced document.
hk123456
Reinstall WordPress and switch to the hello80.com domain

Admin user and password
http://wordpress.hello80.com/wp-admin admin EWI7Zkur^*895Jo)Z0
HTTPS support

Reference: https://blog.csdn.net/weixin_43983960/article/details/120096009
```sh
cd /code/wordpress-new
```

1. Find the line `require( ABSPATH . WPINC . '/option.php' );` and add the following below it:

```sh
vim wp-includes/functions.php
```

```php
add_filter('script_loader_src', 'agnostic_script_loader_src', 20, 2);
function agnostic_script_loader_src($src, $handle) {
    return preg_replace('/^(http|https):/', '', $src);
}
add_filter('style_loader_src', 'agnostic_style_loader_src', 20, 2);
function agnostic_style_loader_src($src, $handle) {
    return preg_replace('/^(http|https):/', '', $src);
}
```

2. Path: in the WordPress site root, find the wp-config.php file and add the following code at the beginning of the file:

```sh
vim wp-config.php
```

```php
$_SERVER['HTTPS'] = 'on';
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
```
3. Change the HTTPS setting in the site admin

Before enabling HTTPS on the server console, log in to the site admin first and change the WordPress Address and Site Address, then carry out steps 1 and 2; that should work as well, as shown in the figure:
http://wordpress.hello80.com/wp-admin
Change http to https.

The database for the reinstall is on server 51:

```sql
MariaDB [(none)]> create database wordpress_new;
```

Here are the configuration files after the reinstall.

Proxy layer, 50 and 51:
```sh
[root@template conf.d]# vim wordpress_hello80.conf
```

```nginx
upstream word_press_hello80_servers {
    server 172.16.5.52;
    server 172.16.5.53:80;
}

server {
    listen 80;
    server_name wordpress.hello80.com;
    return 307 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name wordpress.hello80.com;
    ssl_certificate /etc/nginx/ssl/wordpress.hello80.com.pem;
    ssl_certificate_key /etc/nginx/ssl/wordpress.hello80.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://word_press_hello80_servers/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_buffering on;
        proxy_buffer_size 32k;
        proxy_buffers 4 128k;
    }
    access_log /var/log/nginx/w_80_ssl.access.log main;
    error_log /var/log/nginx/w_80_ssl.error.log;
}
```
Backend real servers, 52 and 53:

```sh
[root@hk2 conf.d]# cat wordpress1.conf
```

```nginx
server {
    listen 80;
    server_name wordpress.hello80.com;
    # static requests: where the files live
    root /code/wordpress-new;
    index index.php index.html;
    # dynamic request handling
    location ~ \.php$ {
        root /code/wordpress-new;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    access_log /var/log/nginx/wordpress_80.access.log main;
    error_log /var/log/nginx/wordpress_80.error.log;
}
```
NFS file sharing

Server 50:

```sh
[root@template conf.d]# vim /etc/exports
/wordpress-uploads 172.16.5.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
/wordpress-new-uploads 172.16.5.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
```

Restart nfs after editing:

```sh
systemctl restart nfs
```

Create the shared directory and set its ownership:

```sh
mkdir /wordpress-new-uploads
chown www.www /wordpress-new-uploads/ -R
```

Mount the shared directory on servers 52 and 53:

```sh
mount -t nfs 172.16.5.50:/wordpress-new-uploads /code/wordpress-new/wp-content/uploads/
```
SSH key login

On the Linux server:

```sh
cd /root/.ssh
```

Generate the key pair; just press Enter through every prompt:

```sh
[root@hk2 .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:kHc5zsKhdu0CpS9V3AxVU0JAgkQOGAeg+wZAOnmrlKU root@hk2
The key's randomart image is:
+---[RSA 2048]----+
| ...o+ooo.oo++=..|
|oo .. +.. * o    |
|* .. o = * o     |
|.++. B B .       |
|oE. = S +        |
|.+ . = o         |
|. o . o .        |
| . . .           |
|                 |
+----[SHA256]-----+
```

This produces the following two files:

```sh
[root@hk2 .ssh]# ll
total 12
-rw------- 1 root root 1675 Dec 23 18:55 id_rsa
-rw-r--r-- 1 root root  390 Dec 23 18:55 id_rsa.pub
```

Next, copy the public key to the server you want to log in to. This appends the generated public key as one line to authorized_keys on that server; if the file does not exist, it is created.

```sh
[root@hk2 .ssh]# ssh-copy-id 172.16.5.52
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.16.5.52 (172.16.5.52)' can't be established.
ECDSA key fingerprint is SHA256:MbAFOZtVmy5T1VrVw6ClpSUFtUsWx20sM7cSrsrq66g.
ECDSA key fingerprint is MD5:2e:7a:01:9e:4e:d0:b6:f0:a3:c0:02:d1:23:55:37:63.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.5.52's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '172.16.5.52'"
and check to make sure that only the key(s) you wanted were added.

[root@hk2 .ssh]# ll
total 16
-rw------- 1 root root  390 Dec 23 18:56 authorized_keys
-rw------- 1 root root 1675 Dec 23 18:55 id_rsa
-rw-r--r-- 1 root root  390 Dec 23 18:55 id_rsa.pub
-rw------- 1 root root  692 Dec 23 18:56 known_hosts
```
At this point, server 52 can log in without a password to any server the public key was copied to.

Windows client
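The `ssh-copy-id` output above ends with "check to make sure that only the key(s) you wanted were added"; the script below is an added example, not from the post, of doing exactly that on the receiving server. It reads an `authorized_keys` file and reports the things a defender looks for after a key is installed: `~/.ssh` not being mode 700 and the file not being mode 600 (group- or world-writable files are rejected under sshd's `StrictModes`, and 700/600 is the safe choice regardless), DSA (`ssh-dss`) keys, which OpenSSH refuses by default since 7.0, unrecognised entries, and entries that carry no restricting options such as `restrict`, `from=` or `command=`. The sample file is constructed; the key blobs are placeholders, not real keys, and the rsync command in the restricted entry is illustrative.

```sh
#!/bin/sh
# Added example, not from the original post. Constructed sample authorized_keys
# in a temp dir; the base64 blobs are placeholders, not real keys.
sshdir=$(mktemp -d)
cat > "$sshdir/authorized_keys" <<'EOF'
ssh-rsa AAAAB3PLACEHOLDERKEY1 root@hk2
# backup job from 172.16.5.50, locked to one command
restrict,from="172.16.5.50",command="/usr/bin/rsync --server --sender . /wordpress-new-uploads" ssh-ed25519 AAAAC3PLACEHOLDERKEY2 backup@50
ssh-dss AAAAB3PLACEHOLDERKEY3 legacy@old
EOF
chmod 700 "$sshdir"; chmod 600 "$sshdir/authorized_keys"

# audit_authorized_keys DIR: prints one WARN line per finding and returns the
# number of findings (0 means nothing to report).
audit_authorized_keys() {
    dir="$1"; f="$dir/authorized_keys"; n=0
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ] \
        || { echo "WARN: $dir should be mode 700"; n=$((n + 1)); }
    [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ] \
        || { echo "WARN: $f should be mode 600"; n=$((n + 1)); }
    i=0
    while IFS= read -r line || [ -n "$line" ]; do
        i=$((i + 1))
        case "$line" in
            ''|'#'*) continue ;;                          # blank line or comment
            ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*|sk-ssh-ed25519@openssh.com\ *)
                # key type is the first token, so no options precede it
                echo "WARN: line $i grants an unrestricted login (no restrict/from=/command=)"
                n=$((n + 1)) ;;
            *ssh-ed25519\ *|*ssh-rsa\ *|*ecdsa-sha2-nistp*|*sk-ssh-ed25519@openssh.com\ *)
                ;;                                         # options present before the key type
            *ssh-dss\ *)
                echo "WARN: line $i is a DSA key (ssh-dss), refused by default since OpenSSH 7.0"
                n=$((n + 1)) ;;
            *)
                echo "WARN: line $i is not a recognised key entry"
                n=$((n + 1)) ;;
        esac
    done < "$f"
    return "$n"
}

# Usage: on a real host call it with /root/.ssh (or the user's ~/.ssh)
if audit_authorized_keys "$sshdir"; then
    echo "authorized_keys: OK"
else
    echo "authorized_keys: $? finding(s)"
fi
```

On the constructed sample the audit returns two findings: the root key copied with plain `ssh-copy-id` has no restrictions, and the legacy DSA entry will not be accepted by a current sshd. The restricted `backup@50` entry shows the shape an automation key should have when, as in the NFS section of this post, a service account only needs to move files between the hosts.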
SecureCRT
Download the private key to the local machine and choose private-key authentication when creating the connection.

Tags: nginx, hello80, server, ssl, first look, proxy, https, root  From: https://www.cnblogs.com/yuyongqi/p/17933903.html