Nginx feature configuration (reverse proxy, SSL)
Published: 2019-06-24


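Reverse proxy

With a reverse proxy, a proxy server accepts connection requests from the public network, forwards them to a server on the internal network, and returns the server's response to the client on the public network that made the request.

Use cases:
- Reaching an internal machine that has no public network access
- Working around a communication barrier between two machines

Add the following to the configuration file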

location /
    {
        proxy_pass http://ip;   # the internal IP that actually needs to be reached
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

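Lab setup:

There are two machines, A and B. A has only an internal network; B has both an internal and an external network.
- A's internal IP is 192.168.85.129
- B's internal IP is 192.168.85.132 and its external IP is 192.168.48.132
- C is the client. C can reach only B's external IP and cannot reach the internal IP of A or B
- Goal: C must be able to reach the website on machine A's internal network

Adding a NIC: after adding the network card device to virtual machine B, run the dhclient command to obtain an IP address for the second NIC, copy the NIC configuration file ifcfg-ens33 to ifcfg-ens38, and modify the configuration:

- Remove the DNS settings
- Remove the gateway settings
- Change the NIC name
- Change the IP address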

[root@feature1 ~]# cd /etc/yum.repos.d/
[root@feature1 yum.repos.d]# vim nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
[root@feature1 yum.repos.d]# yum install -y nginx
[root@feature1 yum.repos.d]# vim /etc/nginx/conf.d/default.conf default.conf
deny all;

Add the configuration

[root@feature1 conf.d]# vim bbs.feature.com.conf
server {
    listen       80 default_server ;
    server_name  bbs.feature.com;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /data/wwwroot/bbs.feature.com;
        index  index.html index.htm index.php;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    #   error_page   500 502 503 504  /50x.html;
    #   location = /50x.html {
    #       root   /usr/share/nginx/html;
    #   }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root           /data/wwwroot/bbs.feature.com;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /data/wwwroot/bbs.feature.com$fastcgi_script_name;
        include        fastcgi_params;
    }
}
[root@feature1 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@feature1 conf.d]# nginx -s reload
[root@feature1 conf.d]# firewall-cmd --add-port=80/tcp --permanent   # add a firewall rule for the port, otherwise the site cannot be reached
[root@feature1 conf.d]# firewall-cmd --reload
success

Verify access

[root@dxg conf.d]# vi /etc/hosts
192.168.48.132	bbs.aibenwoniu.xyz
[root@feature1 conf.d]# curl -I bbs.feature.com
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Fri, 15 Feb 2019 04:04:38 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
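The lab above written out as configuration for both machines, as an added example that is not from the original post: B forwards to A, and A accepts the forwarded client address only when the connection comes from B. It assumes the bbs.feature.com site from the session above is the one running on A and that A's nginx includes ngx_http_realip_module; the file names are hypothetical.

```nginx
# --- On B (the proxy): /etc/nginx/conf.d/proxy.conf (hypothetical file name) ---
server {
    listen 192.168.48.132:80;        # B's external address, the only one C can reach
    server_name bbs.feature.com;

    location / {
        proxy_pass http://192.168.85.129;        # A's internal address
        proxy_set_header Host $host;
        # Set from the TCP peer address, so a client-supplied X-Real-IP
        # header is overwritten and never reaches A.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent; only the last entry was
        # written by B, the earlier ones are client-controlled.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# --- On A (the backend): /etc/nginx/conf.d/bbs.feature.com.conf ---
server {
    listen 80;
    server_name bbs.feature.com;

    # Honour X-Real-IP only on connections whose peer is B's internal
    # address. Requests from any other peer keep their real source
    # address, so a forged header is ignored.
    set_real_ip_from 192.168.85.132;
    real_ip_header   X-Real-IP;

    # After the realip step, $remote_addr in A's access log is C's
    # address for proxied requests. allow/deny rules also see the
    # rewritten address, so limiting port 80 on A to B has to be done
    # in the host firewall, not with "allow 192.168.85.132".

    location / {
        root   /data/wwwroot/bbs.feature.com;
        index  index.html index.htm index.php;
    }
}
```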

Nginx load balancing

Load balancing distributes incoming front-end requests evenly across the back-end machines.

[root@feature1 conf.d]# vi qq.com.conf
upstream qq.com
{
    ip_hash;
    server 111.161.64.48:80;
    server 180.163.26.39:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
[root@feature1 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@feature1 conf.d]# nginx -s reload

Verification

[root@feature1 conf.d]# curl -x111.161.64.48:80 www.qq.com -I
HTTP/1.1 200 OK
Server: squid/3.5.24
Date: Fri, 15 Feb 2019 04:07:27 GMT
Content-Type: text/html; charset=GB2312
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Expires: Fri, 15 Feb 2019 04:08:27 GMT
Cache-Control: max-age=60
X-Cache: from www-hy
Vary: Accept-Encoding
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Cache: MISS from shenzhen.qq.com

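Configuring SSL

Configuring SSL lets Nginx serve the site over HTTPS (an encrypted form of HTTP). HTTP uses port 80 by default and HTTPS uses port 443.

Requesting a certificate

- Production: www.wosign.com (WoSign)
- Free: freessl.org

This lab uses the free freessl.org service to request the certificate. Register an account first, then enter the domain registered earlier (aibenwoniu.xyz) to create the certificate. Following the prompts, add the DNS validation value as a new TXT record on DNSPod. Once validation succeeds, three files are generated (ca/crt/key).

Create the certificate files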

[root@feature1 nginx]# mkdir ssl
[root@feature1 nginx]# cd ssl
[root@feature1 ssl]# vi ca
[root@feature1 ssl]# vi crt
[root@feature1 ssl]# vi key
# copy the contents of the certificate files obtained earlier into the corresponding files

Configure the virtual host file

[root@feature1 conf.d]# vim bbs.feature.com.conf
    listen       443 ssl;
    server_name  bbs.feature.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/bbs.crt;
    ssl_certificate_key /etc/nginx/ssl/bbs.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
[root@feature1 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@feature1 conf.d]# nginx -s reload
[root@feature1 conf.d]# firewall-cmd --add-port=443/tcp --permanent
success
[root@feature1 conf.d]# firewall-cmd --reload
success
[root@feature1 conf.d]# systemctl restart nginx

Verification

[root@feature1 conf.d]# curl -H "host:bbs.feature.com" https://192.168.85.129/index.php
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
[root@feature1 conf.d]# curl -k -H "host:bbs.feature.com" https://192.168.85.129/index.php

Note 1: curl -k allows curl to make an insecure SSL connection and transfer data (the certificate is not trusted).

Note 2: Further reading on SSL —
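A stricter version of the HTTPS virtual host configured above, as an added example that is not from the original post. It assumes that bbs.crt holds the server certificate followed by the CA's intermediate certificate(s), since nginx sends only what is in the ssl_certificate file, and it reuses the paths from the session above.

```nginx
# Send plain-HTTP requests to HTTPS. The host name is fixed rather than
# taken from the request, so the redirect target cannot be influenced
# by the client's Host header.
server {
    listen 80;
    server_name bbs.feature.com;
    return 301 https://bbs.feature.com$request_uri;
}

server {
    # "listen ... ssl" enables TLS by itself; the separate "ssl on;"
    # directive is deprecated since nginx 1.15.0 and is left out.
    listen 443 ssl;
    server_name bbs.feature.com;

    # Server certificate first, then the intermediate certificate(s),
    # concatenated into one file. The key file should be readable by
    # root only.
    ssl_certificate     /etc/nginx/ssl/bbs.crt;
    ssl_certificate_key /etc/nginx/ssl/bbs.key;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996). TLSv1.3 can be added
    # once nginx is built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # Browsers that have seen this header use HTTPS only for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root   /data/wwwroot/bbs.feature.com;
        index  index.html index.htm index.php;
    }

    location ~ \.php$ {
        root           /data/wwwroot/bbs.feature.com;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /data/wwwroot/bbs.feature.com$fastcgi_script_name;
        include        fastcgi_params;
    }
}
```

To check the certificate against the host name without -k, curl's --resolve option (for example --resolve bbs.feature.com:443:192.168.85.129 with the URL https://bbs.feature.com/index.php) keeps the name in the URL while connecting to the lab address.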

Reposted from: https://my.oschina.net/u/4066680/blog/3010433
