20、Nginx 实战:HTTPS实现LNMP全站访问
一、需求
1、恢复快照
2、搭建博客和phpmyadmin
3、数据库单独部署
4、配置7层负载均衡
5、多台WEB服务器(2台)文件共享
6、给项目配置全站HTTPS
二、环境准备
服务器 | 外网IP | 内网IP | 身份 |
---|---|---|---|
lb01 | 10.0.0.4 | 172.16.1.4 | 负载均衡服务器 |
web01 | | 172.16.1.7 | Web服务器 |
web02 | | 172.16.1.8 | Web服务器 |
db01 | | 172.16.1.51 | 数据库服务器 |
nfs | | 172.16.1.31 | 文件共享服务器 |
三、web01服务器配置
1.关闭防火墙（disable 仅取消开机自启，已在运行的 firewalld 不会随之停止）
[root@web01 ~]# systemctl disable firewalld
2.关闭selinux（修改配置文件需重启后生效）
[root@web01 ~]# vim /etc/selinux/config
SELINUX=disabled
3.配置官方源
[root@web01 ~]# vim /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
# gpgcheck=1 makes yum verify each package signature against the key below,
# so packages fetched over the plain-http baseurl are still integrity-checked.
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
4.安装依赖
[root@web01 ~]# yum install -y gcc gcc-c++ autoconf pcre pcre-devel make automake wget httpd-tools vim tree
5.安装nginx
[root@web01 ~]# yum -y install nginx
6.配置nginx文件
[root@web01 ~]# vim /etc/nginx/nginx.conf
user www;
client_max_body_size 200m;
7.创建统一用户
[root@web01 ~]# groupadd www -g 666
[root@web01 ~]# useradd www -u 666 -g 666
8.检查服务并启动服务、设置开机自启
[root@web01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@web01 ~]# systemctl start nginx
[root@web01 ~]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
9.配置nginx站点文件
[root@web01 ~]# vim /etc/nginx/conf.d/linux.wordpress.com.conf
server {
# Backend vhost for the WordPress site. lb01 terminates TLS and proxies here
# over plain HTTP on port 80 (see the upstream block in the lb01 section).
listen 80;
server_name linux.wordpress.com;
charset utf-8;
location / {
root /code/wordpress;
index index.php;
}
# Every *.php under the site root is handed to the local php-fpm on 127.0.0.1:9000.
# NOTE(review): that includes wp-content/uploads, which is later mounted from the
# NFS share; a location denying PHP execution under uploads would harden this — not done here.
location ~* \.php$ {
root /code/wordpress;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
[root@web01 ~]# vim /etc/nginx/conf.d/linux.php.com.conf
server {
# Backend vhost for phpMyAdmin, served from /code/php; lb01 proxies to it over HTTP on port 80.
listen 80;
server_name linux.php.com;
charset utf-8;
# root is set once at server level, so both locations resolve under /code/php.
root /code/php;
location / {
index index.php;
}
# *.php requests go to the local php-fpm on 127.0.0.1:9000; other files are served statically.
location ~* \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
10.检查服务并重启
[root@web01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@web01 ~]# systemctl restart nginx
11.创建站点目录
[root@web01 ~]# mkdir /code
12.上传源码包并解压到指定目录
[root@web01 ~]# ll
-rw-r--r-- 1 root root 11060845 Sep 1 15:39 phpMyAdmin-4.9.0.1-all-languages.zip
-rw-r--r-- 1 root root 11098483 Aug 26 10:49 wordpress-5.0.3-zh_CN.tar.gz
[root@web01 ~]# tar xf wordpress-5.0.3-zh_CN.tar.gz -C /code/
[root@web01 ~]# unzip phpMyAdmin-4.9.0.1-all-languages.zip -d /code/
13.配置代码（unzip 解压出的目录名为 phpMyAdmin-4.9.0.1-all-languages，下面用到的 php/ 目录应是由该目录重命名或移动得到，本文未展示这一步）
[root@web01 /code]# cp php/config.sample.inc.php php/config.inc.php
[root@web01 /code]# vim php/config.inc.php
$cfg['Servers'][$i]['host'] = '172.16.1.51';
14.授权目录
[root@web01 ~]# chown -R www:www /code/
[root@web01 /code]# chown -R www.www /var/lib/php/session
四、web02服务器配置
1.关闭防火墙（disable 仅取消开机自启，已在运行的 firewalld 不会随之停止）
[root@web02 ~]# systemctl disable firewalld
2.关闭selinux（修改配置文件需重启后生效）
[root@web02 ~]# vim /etc/selinux/config
SELINUX=disabled
3.配置官方源
[root@web02 ~]# vim /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
# gpgcheck=1 makes yum verify each package signature against the key below,
# so packages fetched over the plain-http baseurl are still integrity-checked.
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
4.安装依赖
[root@web02 ~]# yum install -y gcc gcc-c++ autoconf pcre pcre-devel make automake wget httpd-tools vim tree
5.安装nginx
[root@web02 ~]# yum -y install nginx
6.配置nginx
[root@web02 ~]# vim /etc/nginx/nginx.conf
user www;
client_max_body_size 200m;
7.创建统一用户
[root@web02 ~]# groupadd www -g 666
[root@web02 ~]# useradd www -u 666 -g 666
8.启动服务并设置开机自启
[root@web02 ~]# systemctl start nginx
[root@web02 ~]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
9.配置nginx站点文件
[root@web01 /code]# scp /etc/nginx/conf.d/* 172.16.1.8:/etc/nginx/conf.d/
root@172.16.1.8's password:
linux.php.com.conf 100% 286 124.7KB/s 00:00
linux.wordpress.com.conf 100% 323 228.3KB/s 00:00
10.检查服务并重启
[root@web02 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@web02 ~]# systemctl restart nginx
11.创建目录
[root@web02 ~]# mkdir /code
12.上传源码包并解压
[root@web01 /code]# scp /root/wordpress-5.0.3-zh_CN.tar.gz 172.16.1.8:/code
root@172.16.1.8's password:
wordpress-5.0.3-zh_CN.tar.gz 100% 11MB 21.8MB/s 00:00
[root@web01 /code]# scp /root/phpMyAdmin-4.9.0.1-all-languages.zip 172.16.1.8:/code
root@172.16.1.8's password:
phpMyAdmin-4.9.0.1-all-languages.zip 100% 11MB 25.6MB/s 00:00
[root@web02 ~]# cd /code/
[root@web02 /code]# tar xf wordpress-5.0.3-zh_CN.tar.gz
[root@web02 /code]# unzip phpMyAdmin-4.9.0.1-all-languages.zip
13.配置代码（unzip 解压出的目录名为 phpMyAdmin-4.9.0.1-all-languages，下面用到的 php/ 目录应是由该目录重命名或移动得到，本文未展示这一步）
[root@web02 /code]# cp php/config.sample.inc.php php/config.inc.php
[root@web02 /code]# vim php/config.inc.php
$cfg['Servers'][$i]['host'] = '172.16.1.51';
14.授权目录
[root@web02 ~]# chown -R www:www /code/
[root@web02 /code]# chown -R www.www /var/lib/php/session
五、web01安装PHP
1.创建目录
[root@web01 ~]# mkdir /package
[root@web01 ~]# cd /package/
2.上传源码包并解压
[root@web01 /package]# rz
[root@web01 /package]# ll
total 19424
-rw-r--r-- 1 root root 19889622 Aug 26 09:04 php.tar.gz
[root@web01 /package]# tar xf php.tar.gz
3.安装PHP
[root@web01 /package]# yum -y localinstall *.rpm
5.配置PHP
[root@web01 /package]# vim /etc/php-fpm.d/www.conf
user = www
group = www
[root@web01 /package]# vim /etc/php.ini
post_max_size = 200M
upload_max_filesize = 200M
6.启动PHP并设置开机自启
[root@web01 /package]# systemctl restart php-fpm.service
[root@web01 /package]# systemctl enable php-fpm.service
Created symlink from /etc/systemd/system/multi-user.target.wants/php-fpm.service to /usr/lib/systemd/system/php-fpm.service.
六、web02安装PHP
1.创建目录
[root@web02 /code]# mkdir /package
[root@web02 /code]# cd /package/
2.上传源码包并解压
[root@web02 /package]# rz
[root@web02 /package]# ll
total 19424
-rw-r--r-- 1 root root 19889622 Aug 26 09:04 php.tar.gz
[root@web02 /package]# tar xf php.tar.gz
3.安装PHP
[root@web02 /package]# yum -y localinstall *.rpm
5.配置PHP
[root@web02 /package]# vim /etc/php-fpm.d/www.conf
user = www
group = www
[root@web02 /package]# vim /etc/php.ini
post_max_size = 200M
upload_max_filesize = 200M
6.启动PHP并设置开机自启
[root@web02 /package]# systemctl start php-fpm.service
[root@web02 /package]# systemctl enable php-fpm.service
Created symlink from /etc/systemd/system/multi-user.target.wants/php-fpm.service to /usr/lib/systemd/system/php-fpm.service.
七、db01安装数据库
1.安装数据库
[root@db01 ~]# yum -y install mariadb-server
2.启动服务并设置开机自启
[root@db01 ~]# systemctl start mariadb.service
[root@db01 ~]# systemctl enable mariadb.service
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
3.设置服务器密码并验证密码
[root@db01 ~]# mysqladmin -uroot password
New password:
Confirm new password:
[root@db01 ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.65-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
4.进行数据库授权
MariaDB [(none)]> create database wordpress;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on wordpress.* to wp@'172.16.1.%' identified by 'wp123';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all on *.* to admin@'172.16.1.%' identified by 'admin123';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
八、nfs服务器实现文件共享
1.安装nfs
[root@nfs ~]# yum -y install rpcbind nfs-utils
2.启动服务并设置开机自启
[root@nfs ~]# systemctl start rpcbind nfs
[root@nfs ~]# systemctl enable rpcbind nfs
Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service.
3.创建用户
[root@nfs ~]# groupadd www -g 666
[root@nfs ~]# useradd www -u 666 -g 666
4.创建目录并授权
[root@nfs ~]# mkdir -p /data/wp
[root@nfs ~]# chown -R www:www /data/wp/
5.配置nfs
[root@nfs ~]# vim /etc/exports
/data/wp 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
6.重启并检查配置
[root@nfs ~]# systemctl restart rpcbind nfs
[root@nfs ~]# cat /var/lib/nfs/etab
/data/wp 172.16.1.0/24(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=666,anongid=666,sec=sys,rw,secure,root_squash,all_squash)
九、web01、web02实现nfs挂载
1.web01服务器配置
1.安装nfs
[root@web01 /code]# yum -y install rpcbind nfs-utils
2.启动服务并设置开机自启
[root@web01 /code]# systemctl start rpcbind nfs
[root@web01 /code]# systemctl enable rpcbind nfs
Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service.
3.查看挂载点
[root@web01 /code]# showmount -e 172.16.1.31
Export list for 172.16.1.31:
/data/wp 172.16.1.0/24
4.挂载目录并查看挂载
[root@web01 /code]# mount -t nfs 172.16.1.31:/data/wp /code/wordpress/wp-content/uploads/
[root@web01 /code]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 98G 1.9G 96G 2% /
devtmpfs 980M 0 980M 0% /dev
tmpfs 991M 0 991M 0% /dev/shm
tmpfs 991M 9.6M 981M 1% /run
tmpfs 991M 0 991M 0% /sys/fs/cgroup
/dev/sda1 497M 120M 378M 25% /boot
tmpfs 199M 0 199M 0% /run/user/0
172.16.1.31:/data/wp 98G 1.7G 96G 2% /code/wordpress/wp-content/uploads
2.web02服务器配置
1.安装nfs
[root@web02 /package]# yum -y install rpcbind nfs-utils
2.启动服务并设置开机自启
[root@web02 /package]# systemctl start rpcbind nfs
[root@web02 /package]# systemctl enable rpcbind nfs
Created symlink from /etc/systemd/system/multi-user.target.wants/nfs-server.service to /usr/lib/systemd/system/nfs-server.service.
3.查看挂载点
[root@web02 /package]# showmount -e 172.16.1.31
Export list for 172.16.1.31:
/data/wp 172.16.1.0/24
4.挂载目录并查看挂载
[root@web02 /package]# mount -t nfs 172.16.1.31:/data/wp /code/wordpress/wp-content/uploads/
[root@web02 /package]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 98G 1.9G 96G 2% /
devtmpfs 980M 0 980M 0% /dev
tmpfs 991M 0 991M 0% /dev/shm
tmpfs 991M 9.6M 981M 1% /run
tmpfs 991M 0 991M 0% /sys/fs/cgroup
/dev/sda1 497M 120M 378M 25% /boot
tmpfs 199M 0 199M 0% /run/user/0
172.16.1.31:/data/wp 98G 1.7G 96G 2% /code/wordpress/wp-content/uploads
十、lb01服务器配置
1.配置官方源
[root@lb01 ~]# scp 172.16.1.7:/etc/yum.repos.d/nginx.repo /etc/yum.repos.d/
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:g6buQ4QMSFl+5MMAh8dTCmLtkIfdT8sgRFYc6uCzV3c.
ECDSA key fingerprint is MD5:5f:d7:ad:07:e8:fe:d2:49:ec:79:2f:d4:91:59:c5:03.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.
root@172.16.1.7's password:
nginx.repo 100% 183 137.6KB/s 00:00
2.安装依赖
[root@lb01 ~]# yum install -y gcc gcc-c++ autoconf pcre pcre-devel make automake wget httpd-tools vim tree
3.安装nginx
[root@lb01 ~]# yum -y install nginx
3.配置nginx
[root@lb01 ~]# vim /etc/nginx/nginx.conf
user www;
4.创建用户
[root@lb01 ~]# groupadd www -g 666
[root@lb01 ~]# useradd www -u666 -g 666
5.生成https证书（下面第二条 openssl req 带 -newkey/-nodes，会重新生成并覆盖 server.key，因此第一条 genrsa 生成的带口令私钥实际未被使用）
[root@lb01 ~]# mkdir /etc/nginx/ssl_key
[root@lb01 ~]# cd /etc/nginx/ssl_key/
[root@lb01 /etc/nginx/ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................+++
.............+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@lb01 /etc/nginx/ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
.........................+++
.......................................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:mei
Locality Name (eg, city) [Default City]:guo
Organization Name (eg, company) [Default Company Ltd]:shan
Organizational Unit Name (eg, section) []:kou
Common Name (eg, your name or your server's hostname) []:kenan
Email Address []:kenan
6.配置站点文件（站点文件中 include 的 /etc/nginx/conf.d/proxy_params 本文未给出，需先自行创建，否则 nginx 加载配置时会报错）
[root@lb01 /etc/nginx/ssl_key]# vim /etc/nginx/conf.d/linux.wordpress.com.conf
upstream wordpress {
# Both web backends are reached over plain HTTP on the internal network; TLS ends on this host.
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
# Port 80 exists only to send clients to HTTPS. A rewrite whose target starts with
# https:// makes nginx answer with a 302; `return 301 https://$host$request_uri;` is the usual permanent form.
listen 80;
server_name linux.wordpress.com;
rewrite (.*) https://linux.wordpress.com$1;
}
server {
listen 443 ssl;
server_name linux.wordpress.com;
# Self-signed cert/key from /etc/nginx/ssl_key (no CA, so browsers warn);
# the key was written with -nodes, so nginx loads it without a passphrase.
ssl_certificate /etc/nginx/ssl_key/server.crt;
ssl_certificate_key /etc/nginx/ssl_key/server.key;
location / {
proxy_pass http://wordpress;
# proxy_params is not shown on this page; nginx refuses to load if the file is missing.
# NOTE(review): WordPress only knows it is behind HTTPS if this file forwards X-Forwarded-Proto — confirm.
include /etc/nginx/conf.d/proxy_params;
}
}
[root@lb01 /etc/nginx/conf.d]# vim linux.php.com.conf
upstream php {
# phpMyAdmin backends, reached over plain HTTP on the internal network; TLS ends on this host.
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
# Port 80 only redirects to HTTPS (rewrite to an absolute https:// target yields a 302).
listen 80;
server_name linux.php.com;
rewrite (.*) https://linux.php.com$1;
}
server {
listen 443 ssl;
server_name linux.php.com;
# Same self-signed cert/key as the WordPress vhost (CN does not match this hostname either).
ssl_certificate /etc/nginx/ssl_key/server.crt;
ssl_certificate_key /etc/nginx/ssl_key/server.key;
location / {
proxy_pass http://php;
# proxy_params is not shown on this page; nginx refuses to load if the file is missing.
include /etc/nginx/conf.d/proxy_params;
}
}
7.启动服务并设置开机自启
[root@lb01 /etc/nginx/ssl_key]# systemctl start nginx
[root@lb01 /etc/nginx/ssl_key]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
十一、阿里云配置HTTPS
1.购买云主机
2.购买负载均衡
3.配置负载均衡端口转发
4.通过端口转发连接并配置web机器
5.配置负载均衡
6.访问负载均衡
7.申请证书
8.部署证书