kk Blog —— 通用基础


date [-d @int|str] [+%s|"+%F %T"]
netstat -ltunp
sar -n DEV 1

nginx 四层转发配置

nginx rpm: http://nginx.org/packages/mainline/centos/7/x86_64/RPMS/

nginx source: http://nginx.org/en/download.html

nginx stream: http://nginx.org/en/docs/stream/ngx_stream_core_module.html

http://www.52devops.com/chuck/1153.html

一、nginx四层代理

Nginx 1.9.0 开发版发布,该版本增加了 stream module 用于一般的 TCP 代理和负载均衡。

三、nginx四层代理实战

3.1编译安装nginx

编译安装nginx需指定–with-stream参数

1
2
[root@linux-node1 nginx-1.9.12]#./configure --prefix=/usr/local/nginx-1.9.12 --user=www --group=www --with-http_ssl_module --with-http_stub_status_module --with-file-aio --with-stream
[root@linux-node1 nginx-1.9.12]#make && make install
3.2 使用nginx实现ssh四层代理

编辑nginx配置文件并启动

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
[root@linux-node1 conf]# vim nginx.conf
worker_processes  1;
events {
    worker_connections  1024;
}
stream {  #类似于7层的http段
    upstream ssh_proxy {
        hash $remote_addr consistent;
        server 192.168.56.11:22;
        server 192.168.56.12:22;
    }
    server {
        listen 2222;
        proxy_connect_timeout 1s;
        proxy_timeout 300s;
        proxy_pass ssh_proxy;
    }
}
[root@linux-node1 conf]# ../sbin/nginx
[root@linux-node1 conf]# netstat -lntup|grep nginx
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      61127/nginx: master

连接ssh,从结果看把请求抛向了linux-node2的ssh

1
2
3
4
[root@linux-node1 conf]# ssh -p 2222 root@192.168.56.11
root@192.168.56.11's password:
Last login: Sun Mar  6 17:29:42 2016 from linux-node1.example.com
[root@linux-node2 ~]# Connection to 192.168.56.11 closed by remote host.

lvs fwmark 模式

http://blog.51cto.com/angus717/769577

persistent netfilter marked packet persistence 持久防火墙标记(在pre-routing链上打netfilter marked,而且该标记只在防火墙内部有效通常是0-99)

1
2
3
4
5
6
7
8
9
10
11
12
13
[root@slave ~]# ipvsadm -C
[root@slave ~]# iptables -t mangle -A PREROUTING -i eth0 -p tcp -d 172.16.8.120 --dport 80 -j MARK --set-mark 80
[root@slave ~]# iptables -t mangle -A PREROUTING -i eth0 -p tcp -d 172.16.8.120 --dport 443 -j MARK --set-mark 80
[root@slave ~]# ipvsadm -A -f 80 -s rr -p 1000
[root@slave ~]# ipvsadm -a -f 80 -r 172.16.100.7 -g
[root@slave ~]# ipvsadm -a -f 80 -r 172.16.100.6 -g
[root@slave ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
FWM  80 rr persistent 1000
  -> 172.16.100.6:0               Route   1      0          0        
  -> 172.16.100.7:0               Route   1      0          0 

nginx https/nginx 配置

curl wget 不验证证书进行https请求

1
2
wget 'https://x.x.x.x/get_ips' --no-check-certificate
curl 'https://x.x.x.x/get_ips' -k

服务端

生成证书和私匙

1
openssl req -newkey rsa:4096 -nodes -keyout test_private.perm -new -x509 -sha512 -days 3650 -subj "/CN=test.com/" -out test.crt

test_private.perm 是私匙, test.crt 是证书

其中CN和nginx.conf中的server_name一样

https://cloud.tencent.com/document/product/400/35244

vim /etc/nginx/nginx.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
http {
	server {
		listen  443;
		server_name test.com;
		ssl on;
		# ssl_certificate /root/test.crt;
		# ssl_certificate_key /root/test_private.perm;
		ssl_certificate /root/kk/www.npcable.cn_nginx/www.npcable.cn_bundle.crt;
		ssl_certificate_key /root/kk/www.npcable.cn_nginx/www.npcable.cn.key;
		location / {
			root /var/www/html;
			index index.html;
		}
	}
	...
}

客户端

自建证书得不到信任,所以会提示: curl: (60) Peer’s certificate issuer has been marked as not trusted by the user.

解决方法:

拿服务器证书

1
openssl s_client -showcerts -connect www.baidu.com:443

curl 参数带证书

1
curl -v 'https://test.com/kk' --resolve 'test.com:443:192.168.2.7' --trace-time --cacert /root/test.crt

或者将证书加到信任的证书列表中

1
2
cat /root/test.crt >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
curl -v 'https://test.com/kk' --resolve 'test.com:443:192.168.2.7' --trace-time

访问的host一定要是证书中CN(commonname), 不然会提示: curl: (51) Unable to communicate securely with peer: requested domain name does not match the server’s certificate.