环境 阿里的ECS
注意在安全组开启相应端口
两个站点 a.exemple.cn b.exemple.cn
源码安装
yum -y install gcc gcc-c++ automake pcre pcre-devel zlib zlib-devel openssl openssl-devel
groupadd nginx useradd nginx -g nginx -s /sbin/nologin -M cd /opt/ wget http://nginx.org/download/nginx-1.14.0.tar.gz tar -zxvf nginx-1.14.0.tar.gz cd nginx-1.14.0
./configure --user=nginx --group=nginx --prefix=/usr/local/nginx --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-http_sub_module --with-stream --with-stream_ssl_module
make && make install cd /usr/local/nginx/ ls cd sbin/ ls
启动
./nginx
查看版本信息 ./nginx -V
添加开机自启
vim /etc/rc.d/rc.local
/usr/local/nginx/sbin/nginx
chmod +x /etc/rc.d/rc.local
nginx.conf配置文件
user nobody; worker_processes auto; pid /run/nginx.pid; events { worker_connections 40960; } http { sendfile on; tcp_nopush on; tcp_nodelay on; resolver_timeout 30; keepalive_timeout 30; types_hash_max_size 2048; server_tokens off; server_names_hash_bucket_size 64; server_name_in_redirect off; include mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' ' $upstream_addr $upstream_response_time $request_time '; access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log; include ../conf.d/*.conf; gzip on; gzip_disable "msie6"; proxy_max_temp_file_size 0; proxy_connect_timeout 1; proxy_send_timeout 10; proxy_read_timeout 30; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; client_max_body_size 20m; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; limit_req_zone $http_x_forwarded_for zone=zbt:10m rate=20r/s; proxy_cache_path /tmp/nginx levels=1:2 keys_zone=cache:100m max_size=1g inactive=7d; limit_req_status 429; }
nginx配置文件和SLB不能同时都加载证书
如果两个站点是同一个根域名,则只在A站点配置文件中加入SSL,B站点即使不加入SSL配置也是可以的
SLB挂载网站是按照后端ECS服务器上配置网站的域名来计算的,如果后端ECS上有两个根域名的网站比如 a.exemple-A.cn b.exemple-B.cn,则需要购买两个SLB实例
1、nginx加载https证书、SLB使用TCP模式监听端口
站点A
server {
listen 80;
server_name a.exemple.cn;
rewrite ^(.*)$ https://$host$1 permanent;
location / {
index index.html index.htm Agreement.html Privacy.html;
}
}
server {
listen 443 ;
server_name a.exemple.cn;
#allow 61.164.52.202; (允许特定的IP可以访问)
#deny all; (拒绝其他IP访问该网站)
ssl on;
root /home/web/111/;
index index.html index.htm Agreement.html Privacy.html;
ssl_certificate /home/web/ssl/xxxxx.pem;
ssl_certificate_key /home/web/xxxxx.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/a.exemple.cn.access.log main;
error_log /var/log/nginx/a.exemple.cn.error.log;
location / {
root /home/web/111;
index index.html index.htm Agreement.html Privacy.html;
}
}
B站点
server { listen 80; server_name b.exemple.cn; rewrite ^(.*)$ https://$host$1 permanent; location / { index index.html index.htm Agreement.html Privacy.html; } } server { listen 443 ; server_name b.exemple.cn; ssl on; root /home/web/222; index index.html index.htm Agreement.html Privacy.html; ssl_certificate /home/web/ssl/xxxxx.pem; ssl_certificate_key /home/web/xxxxx.key; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; access_log /var/log/nginx/b.exemple.cn.access.log main; error_log /var/log/nginx/b.exemple.cn.error.log; location / { root /home/web/222; index index.html index.htm Agreement.html Privacy.html; } }
2、nginx配置文件不加载ssl证书,SLB使用http和https模式监听端口
a站点
server { listen 80; server_name a.exemple.cn; root /home/web/111; location / { rewrite ^(.*)$ https://$host$1 permanent; } } server { listen 443 ; server_name a.exemple.cn; access_log /var/log/nginx/a.exemple.cn.access.log main; error_log /var/log/nginx/a.exemple.cn.error.log; location / { root /home/web/111; index index.html index.htm Agreement.html Privacy.html; } }
b站点
server { listen 80; server_name b.exemple.cn; root /home/web/222; location / { rewrite ^(.*)$ https://$host$1 permanent; } } server { listen 443 ; server_name a.exemple.cn; access_log /var/log/nginx/b.exemple.cn.access.log main; error_log /var/log/nginx/b.exemple.cn.error.log; location / { root /home/web/222; index index.html index.htm Agreement.html Privacy.html; } }
如果站点是IIS
前端负载均衡已经用https 443 了后端就不要用443 了。用80就可以了。证书推送到负载均衡。
操作步骤
- 从后端服务器本地发起访问,确保后端服务器上的HTTP服务正常工作。
- 登录负载均衡控制台,在监听实例详情页中,查看健康检查配置。
本次示例使用HTTP监听,出现健康检查异常的后端服务器内网IP为10.0.0.2,其他健康检查配置信息如下:
- 健康检查端口:80
- 健康检查域名:
www.slb-test.com - 健康检查路径:
/test.html
- 以Linux系统为例,执行nc或curl命令对后端服务器上的HTTP服务进行探测,健康检查路径、健康检查端口和健康检查域名配置必须与后端服务器上配置保持一致,否则会产生健康检查异常。
此处使用nc命令为例,请根据实际情况配置健康检查路径、健康检查域名、健康检查内网地址和健康检查端口:
echo -e "HEAD /test.html HTTP/1.0 Host: www.slb-test.com " | nc -t 172.17.58.131 80- 正常情况下,返回
200或其他2xx/3xx返回码,如下图所示。
- 异常示例:假设负载均衡上的监听配置保持不变,但是删除后端服务器上/test.html页面,执行nc命令后,得到404错误码,该错误码与负载均衡SLB监听中设置的2xx或者3xx状态码不符,此时会出现健康检查异常结果,如下图所示。
- 正常情况下,返回
- 登录负载均衡控制台,在监听实例详情页中,查看健康检查配置。