Nginx HA and HTTPS configuration deployment

Nginx HA

The overall architecture is:



                  (intranet 192.168.199.5)
             +-----------VIP----------+
             |                        |
             |                        |
           Master                   Backup
        192.168.199.90            192.168.199.57
        +----------+             +----------+
        | HAProxy  |             | HAProxy  |
        |nginx(SSL)|             |nginx(SSL)|
        |keepalived|             |keepalived|
        +----------+             +----------+
             |
             v
      192.168.199.88/89
       +----------+
       | multiple |
       |  NGINXs  |
       +----------+
             |
             v
    +--------+---------+
    |        |         |
    |        |         |
    v        v         v
+------+  +------+  +------+
| WEB1 |  | WEB2 |  | WEB3 |
+------+  +------+  +------+


Role of each component:
  * Keepalived: checks that HAProxy is alive and provides the HA failover
  * HAProxy: HTTP load balancing
  * Nginx (SSL): runs on the same server as HAProxy and handles SSL offload
  * Nginx (LB): load balancer for the app servers and web servers

Client access diagram:

      +--------+      HTTP                      :80 +----------+
      | client |  --------------------------------> |          |
      |        |                                    | haproxy, |
      +--------+             +---------+            |  1 or 2  |
     /        /     HTTPS    |  Nginx  |  HTTP  :80 | listening|
    <________/    ---------> |  (SSL)  | ---------> |  ports   |
                             |         |            |          |
                             +---------+            +----------+

HAProxy + NGINX (SSL)

HAProxy is used as the HTTP load balancer and Nginx handles SSL offload.

Test environment:
  * CentOS 6.4 x86_64 (Final)
  * Supermicro 2U4 Node
  * Domain: l99.com

IP allocation:
  * lb01.l99.com 192.168.199.88
  * lb02.l99.com 192.168.199.89
  * www.l99.com 192.168.199.5 (virtual IP)
  * 192.168.199.90 acts as the load balancer (HAProxy + Nginx)

Installing and configuring HAProxy


yum install libev-devel openssl-devel

cd /usr/local/src
wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.24.tar.gz
git clone https://github.com/cbonte/haproxy-patches.git

tar zxvf haproxy-1.4.24.tar.gz

# Apply the PROXY protocol patch to haproxy 1.4.24 (accept-proxy is only supported
# natively from haproxy 1.5 on; since we want to use stud for SSL offload,
# accept-proxy support is needed)
cd haproxy-1.4.24
patch -p1 < /usr/local/src/haproxy-patches/proxy-protocol/haproxy-1.4-proxy-protocol.patch

make TARGET=linux2628 USE_EPOLL=1 ARCH=x86_64 && make install
cp /usr/local/src/haproxy-1.4.24/haproxy /usr/sbin/

cp examples/haproxy.init /etc/init.d/haproxy
chmod +x /etc/init.d/haproxy

chkconfig --add haproxy
chkconfig haproxy on

# the user and chroot directory referenced by haproxy.cfg must exist
useradd -r -s /sbin/nologin haproxy
mkdir -p /etc/haproxy /var/lib/haproxy

vim /etc/haproxy/haproxy.cfg


haproxy.cfg is as follows:

#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
#    log         127.0.0.1 local2
    log 127.0.0.1   local0
    log 127.0.0.1   local1 debug

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn   45000 # Total Max Connections. This is dependent on ulimit
    user        haproxy
    group       haproxy
    daemon
    nbproc      12 # depends on the number of CPU cores; the test machine has two 6-core Intel E5-2620 CPUs, so 12

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    balance         roundrobin
#    balance            leastconn
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor header X-Real-IP
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         5000ms
    timeout client          50000ms
    timeout server          50000ms
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn   45000 # Total Max Connections. This is dependent on ulimit
    stats enable
    stats uri /stats # Real path redacted
    stats realm Haproxy\ Statistics
    stats auth username:password # Real credentials redacted
    monitor-uri /monitor # Returns 200 if we're up; real path redacted

frontend http-in :80
    reqdel X-Real-IP
    reqadd X-Forwarded-Proto:\ http
    default_backend http-load-balancer

frontend https-in
#    bind 127.0.0.1:8443 accept-proxy
    bind 127.0.0.1:8443
#    reqdel X-Real-IP
    reqadd X-Forwarded-Proto:\ https
    default_backend http-load-balancer

backend http-load-balancer
   server lb-1 192.168.199.88:80 maxconn 10000 check port 80
   server lb-2 192.168.199.89:80 maxconn 10000 check port 80


Installing and configuring Nginx (SSL)

/usr/local/nginx/conf/nginx.conf


user  nginx;
worker_processes  12;

error_log  logs/error.log crit;

pid        logs/nginx.pid;
worker_rlimit_nofile    30000;

events {
    use epoll;
    worker_connections  51200;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # include common options #
    include options.conf;

    # include proxy settings #
    include proxy.conf;

    # domain config #
    include l99.com/*.conf;

}


/usr/local/nginx/conf/l99.com/www.l99.com.conf

server {
    listen 443;

    ssl on;
    ssl_certificate /usr/local/nginx/conf/l99.com/lifeix-l99.crt;
    ssl_certificate_key /usr/local/nginx/conf/l99.com/lifeix-l99.key;
    ssl_client_certificate /usr/local/nginx/conf/l99.com/lifeix-dvroot.crt;
    ssl_session_timeout 5m;

    # Note: SSLv2/SSLv3 and the RC4, LOW and EXP cipher classes enabled here are
    # obsolete; current deployments restrict this to TLSv1.2/TLSv1.3 with a
    # HIGH-only cipher list.
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    default_type text/plain;

    access_log logs/access.www.ssl.l99.com.log main;
    error_log logs/error.www.ssl.l99.com.log;
    server_name www.l99.com;

    # an absolute URL in rewrite makes nginx answer with a 302 redirect
    if ($request_uri ~ update.php) {
        rewrite /(.*)$ http://www.L99.com/timeline.action last;
    }

    location / {
        proxy_cache off;
        proxy_next_upstream http_502 http_504 error timeout invalid_header;
        proxy_ignore_headers Expires Cache-Control;
        proxy_store off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # more_clear_headers requires the headers-more module to be built into nginx
        more_clear_headers "Cache-Control";
        add_header Cache-Control "no-cache,max-age=0";

        # hand the decrypted request to HAProxy's https-in frontend on 127.0.0.1:8443
        proxy_pass http://127.0.0.1:8443;
    }
}
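Both frontends in this deployment overwrite X-Real-IP (HAProxy's http-in does reqdel and then forwardfor header X-Real-IP; nginx(SSL) sets it from $remote_addr), whereas X-Forwarded-For is forwarded untouched on :80 and only appended to on :443 by $proxy_add_x_forwarded_for, so its left-hand entries are whatever the client sent. The following is an added example, not code from the page, of how the Nginx(LB) tier behind these proxies should derive the client address: trust X-Real-IP only when the TCP peer is an LB node. LB_NODES, the header ordering and the sample request are assumptions.

```python
import ipaddress

# Nodes that terminate client connections in the diagram above; assumption for
# this example: only they may open connections to the Nginx(LB) tier.
LB_NODES = {ipaddress.ip_address("192.168.199.90"),
            ipaddress.ip_address("192.168.199.57")}


def _first(headers, name):
    """First value of a header that may be repeated. Assumption: on the HTTPS
    path the value nginx(SSL) set from $remote_addr precedes the one HAProxy's
    'option forwardfor header X-Real-IP' appends for the 127.0.0.1 hop."""
    values = headers.get(name, [])
    return values[0].strip() if values else None


def resolve_client_ip(remote_addr, headers):
    """Return (client_ip, reason) for a request as the Nginx(LB) tier sees it.

    headers maps lower-case header names to lists of values. X-Real-IP is the
    only header both frontends overwrite, so it is trusted only when the TCP
    peer is an LB node; X-Forwarded-For is never consulted because the :80
    path forwards it untouched and the :443 path merely appends to it.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in LB_NODES:
        # Direct hit on the backend: no proxy header is meaningful here.
        return str(peer), "direct connection, proxy headers ignored"
    real = _first(headers, "x-real-ip")
    if real is None:
        return str(peer), "missing X-Real-IP from a load balancer"
    try:
        return str(ipaddress.ip_address(real)), "X-Real-IP set by LB"
    except ValueError:
        return str(peer), "malformed X-Real-IP rejected"


# Constructed request as received on 192.168.199.88 via the HTTPS path from
# client 192.168.199.15. A client-supplied X-Forwarded-For value (203.0.113.9)
# survives at the left of that list, which is why the header is not consulted.
HTTPS_REQUEST = {
    "x-real-ip": ["192.168.199.15", "127.0.0.1"],
    "x-forwarded-for": ["203.0.113.9, 192.168.199.15"],
    "x-forwarded-proto": ["https"],
}

if __name__ == "__main__":
    print(resolve_client_ip("192.168.199.90", HTTPS_REQUEST))
    print(resolve_client_ip("10.0.0.7", HTTPS_REQUEST))
```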

Start and test


service haproxy restart
service nginx restart

# test HTTPS
openssl s_client -connect 192.168.199.90:443 -servername l99.com

# test HTTP (type the request, then an empty line to send it)
telnet 192.168.199.90 80
GET / HTTP/1.1
Host: www.L99.com



Nginx (LB) configuration changes

Modify options.conf (mainly because, with HAProxy in front as a proxy, the originating client IP needs to be logged)

  log_format  main  '$http_x_forwarded_proto $http_x_real_ip $remote_addr $host $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                    '$request_time $upstream_response_time $pipe "$gzip_ratio"';



After restarting nginx, a request to 立方网 (l99.com) made through HAProxy is logged as follows:

https 192.168.199.15 192.168.199.90 www.l99.com - [04/Oct/2013:17:02:33 +0800] "GET /skin/recharge/images/paybtn_bg.jpg HTTP/1.1" 304 0 "https://www.l99.com/Recharge_pay.action" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36" 0.007 0.006 . "-"
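As an added example (not part of the original post), a parser for the log_format above that runs simple consistency checks over each line: the connecting peer should be an LB node, X-Real-IP should be present, and, as an assumed policy, the recharge path should not arrive over plain HTTP. LB_HOSTS, SENSITIVE_PREFIXES and the two extra sample lines are constructed for the example.

```python
import re

# Field order follows the log_format above: proto x_real_ip remote_addr host
# user [time] "request" status bytes "referer" "agent" req_time up_time pipe "gzip"
LOG_RE = re.compile(
    r'^(?P<proto>\S+) (?P<x_real_ip>\S+) (?P<remote_addr>\S+) (?P<host>\S+) '
    r'(?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<req_time>\S+) '
    r'(?P<up_time>\S+) (?P<pipe>\S+) "(?P<gzip>[^"]*)"$')

# Assumptions for this example: the HAProxy/nginx(SSL) nodes from the diagram are
# the only peers that should reach Nginx(LB), and the recharge path must use HTTPS.
LB_HOSTS = {"192.168.199.90", "192.168.199.57"}
SENSITIVE_PREFIXES = ("/Recharge",)

def parse_line(line):
    """Return the fields as a dict (plus method/path), or None on a format mismatch."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) > 1 else ("", "")
    return rec

def audit_line(line):
    """Return a list of findings; empty when the line looks as expected."""
    rec = parse_line(line)
    if rec is None:
        return ["unparseable line (log_format mismatch?)"]
    findings = []
    if rec["remote_addr"] not in LB_HOSTS:
        findings.append(f"bypassed HAProxy: direct connection from {rec['remote_addr']}")
    if rec["x_real_ip"] == "-":
        findings.append("no X-Real-IP: client address unknown")
    if rec["proto"] == "http" and rec["path"].startswith(SENSITIVE_PREFIXES):
        findings.append(f"sensitive path {rec['path']} served over plain HTTP")
    return findings

# Constructed samples: the first is the page's own line, the other two are invented.
SAMPLE_LOG = [
    'https 192.168.199.15 192.168.199.90 www.l99.com - [04/Oct/2013:17:02:33 +0800] "GET /skin/recharge/images/paybtn_bg.jpg HTTP/1.1" 304 0 "https://www.l99.com/Recharge_pay.action" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36" 0.007 0.006 . "-"',
    '- - 10.0.0.7 www.l99.com - [04/Oct/2013:17:05:01 +0800] "GET /timeline.action HTTP/1.1" 200 512 "-" "curl/7.19.7" 0.010 0.009 . "-"',
    'http 192.168.199.15 192.168.199.90 www.l99.com - [04/Oct/2013:17:06:10 +0800] "POST /Recharge_pay.action HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 0.020 0.018 . "-"',
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        print(n, audit_line(line) or "ok")
```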


HAProxy + Keepalived

/etc/keepalived/keepalived.conf

! Configuration File for keepalived

global_defs {
   router_id LVS_DEVEL
}

vrrp_script chk_haproxy {
   # only proves that a process named haproxy exists; a stricter check is to
   # request the monitor-uri (/monitor) defined in haproxy.cfg
   script "killall -0 haproxy"   # verify the pid existence
   interval 2                    # check every 2 seconds
   weight 2                      # add 2 points of prio if OK
}

vrrp_script chk_nginx {
   script "killall -0 nginx"     # verify the pid existence
   interval 2                    # check every 2 seconds
   weight 2                      # add 2 points of prio if OK
}

vrrp_instance VI_1 {
   interface eth0                # interface to monitor
   state MASTER                  # BACKUP on the backup node
   virtual_router_id 51          # Assign one ID for this route
   priority 101                  # 101 on master, 100 on backup
   virtual_ipaddress {
       192.168.199.5            # the virtual IP
   }
   track_script {
       chk_haproxy
       chk_nginx
   }
}

Time: 2024-12-11 10:24:36
