SRE第九周作业
第九周作业:
1. nginx实现全栈SSL。要求http rewrite到https协议。
2. nginx实现动静分离。
3. nginx实现防盗链功能。
4. 解析nginx常见的负载均衡算法。
5. 基于LNMP完成搭建任意一种应用。
6. jumpserver 总结安装部署,添加用户授权,行为审计。
7. JVM垃圾回收原理,JVM调优。
8. tomcat实现java应用发布。
9. 实现tomcat session粘性,并验证过程。
10. 实现tomcat会话复制集群。"
- nginx实现全栈SSL。要求http rewrite到https协议。
1.1 自签名证书
[11:27:30 root@rocky pc]$ cd /apps/nginx/conf/conf.d/
[11:32:29 root@rocky conf.d]$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.yanlinux.org.key -x509 -days 3650 -out www.yanlinux.org.crt
Generating a RSA private key
...................................++++
.....................................++++
writing new private key to 'www.yanlinux.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:jiangsu
Locality Name (eg, city) [Default City]:nanjing
Organization Name (eg, company) [Default Company Ltd]:yanlinux.org
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.yanlinux.org
Email Address []:
[11:33:21 root@rocky conf.d]$ ll
total 16
-rw-r--r-- 1 root root 147 Nov 3 10:20 mobile.conf
-rw-r--r-- 1 root root 455 Nov 8 11:12 pc.conf
-rw-r--r-- 1 root root 2057 Nov 8 11:33 www.yanlinux.org.crt
-rw------- 1 root root 3272 Nov 8 11:32 www.yanlinux.org.key
1.2 第一个域名的https配置
bash
[11:38:51 root@rocky conf.d]$ vi pc.conf
server {
listen 80;
listen 443 ssl;
ssl_certificate /apps/nginx/conf/conf.d/www.wenlinux.org.crt;
ssl_certificate_key /apps/nginx/conf/conf.d/www.wenlinux.org.key;
ssl_session_cache shared:sslcache:20m; #共享缓存20兆
ssl_session_timeout 10m;
server_name www.wenlinux.org;
root /apps/nginx/html/pc;
}
#配置好第一个域名的https后,再用浏览器测试即可
[11:38:51 root@rocky conf.d]$ vi pc.conf
server {
listen 80;
listen 443 ssl;
ssl_certificate /apps/nginx/conf/conf.d/www.wenlinux.org.crt;
ssl_certificate_key /apps/nginx/conf/conf.d/www.wenlinux.org.key;
ssl_session_cache shared:sslcache:20m; #共享缓存20兆
ssl_session_timeout 10m; server_name www.wenlinux.org;
root /apps/nginx/html/pc;
}
1.3 实现多域名
#制作第二个域名对应的key和csr文件
[14:20:25 root@rocky conf.d]$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout m.wenlinux.org.key -x509 -days 3650 -out m.wenlinux.org.crt Generating a RSA private key
......................................................++++
...............++++
writing new private key to 'm.wenlinux.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:wenlinux.org
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:m.wenlinux.org
Email Address []:
[14:22:45 root@rocky nginx]$ ll ssl/
total 16 -rw-r--r-- 1 root root 2049 Nov 8 14:21 m.wenlinux.org.crt
-rw------- 1 root root 3272 Nov 8 14:20 m.wenlinux.org.key
-rw-r--r-- 1 root root 2057 Nov 8 11:33 www.wenlinux.org.crt
-rw------- 1 root root 3272 Nov 8 11:32 www.wenlinux.org.key
#配置第二个域名的配置文件
[14:24:09 root@rocky conf.d]$ vi mobile.conf
server {
listen 80;
listen 443 ssl;
ssl_certificate /apps/nginx/ssl/m.wenlinux.org.crt;
ssl_certificate_key /apps/nginx/ssl/m.wenlinux.org.key;
ssl_session_cache shared:sslcache:20m
ssl_session_timeout 10m;
server_name m.wenlinux.org;
root /apps/nginx/html/mobile; }
#最后访问浏览器输入网址m.wenlinux.org,会得到一个结果为m.wenlinux.org的页面
1.4 实现HSTS
[14:33:06 root@rocky conf.d]$ vi pc.conf
server {
listen 80;
listen 443 ssl;
ssl_certificate /apps/nginx/ssl/www.wenlinux.org.crt;
ssl_certificate_key /apps/nginx/ssl/www.wenlinux.org.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
server_name www.wenlinux.org;
root /apps/nginx/html/pc;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; #在首部加上HSTS location / { #实现跳转
if ( $scheme = http ) {
rewrite ^/(.*)$ https://www.wenlinux.org/$1 redirect;
}
root /apps/nginx/html/pc;
}
}
2、nginx实现动静分离。
2.1 实现动静分离
策略:将客户端对除php以外的资源的访问通过192.168.72.153转发至后端服务器 192.168.72.155上
2.1.1 配置 nginx 实现反向代理的动静分离
[root@centos8 ~]#vi /apps/nginx/conf/conf.d/pc.conf
location / {
proxy_pass http://192.168.72.153;
index index.html;
}
location ~ \.php$ {
root /data/php;
fastcgi_pass 192.168.72.155:9000;
fastcgi_index index.php;
#fastcgi_param SCRIPT_FILENAME /data/php$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
2.1.2 准备后端 httpd 服务器
#在后端服务器10.0.0.28上安装httpd服务
[root@centos8 ~]#dnf -y install httpd
[root@centos8 ~]#systemctl enable --now httpd
[root@centos8 ~]#mkdir /var/www/html/images
[root@centos8 ~]#wget -O /var/www/html/images/magedu.jpg
http://www.magedu.com/wp-content/uploads/2019/05/2019052306372726.jpg
3.nginx实现防盗链功能。
防盗链基于客户端携带的referer实现,referer是记录打开一个页面之前记录是从哪个页面跳转过来的标记信息,如果别人只链接了自己网站图片或某个单独的资源,
而不是打开了网站的整个页面,这就是盗链,referer就是之前的那个网站域名。
3.1实现盗链
在一个web 站点盗链另一个站点的资源信息,比如:图片、视频等
#新建一个主机www.mageedu.org,盗取另一台主机www.magedu.org的图片
[root@centos8 conf.d]# pwd
/apps/nginx/conf/conf.d
[root@centos8 conf.d]# cat mageedu.org.conf
server {
listen 80;
server_name www.mageedu.org;
location / {
index index.html;
root "/data/nginx/html/magedu";
access_log /apps/nginx/logs/magedu.org_access.log main;
}
}
#准备盗链web页面:
[root@centos8 conf.d]# mkdir /data/nginx/html/magedu
[root@centos8 conf.d]# cat /data/nginx/html/magedu/daolian.html
欢迎大家
马哥教育欢迎你
#重启Nginx并访问http://www.mageedu.org/daolian.html 测试
#验证两个域名的日志,是否会在被盗连的web站点的日志中出现以下盗链日志信息:
[root@centos8 ~]#tail /apps/nginx/logs/magedu.org_access.log
192.168.72.150 - - [11/Oct/2022:09:50:07 +0800] "GET /images/logo.png HTTP/1.1" 200
5934 "http://www.magedu.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
Edg/86.0.622.38" "-"
3.2 实现防盗链
基于访问安全考虑,nginx支持通过ngx_http_referer_module模块,检查访问请求的referer信息是否有
效实现防盗链功能
官方文档:https://nginx.org/en/docs/http/ngx_http_referer_module.html
语法格式:
location /images {
root /data/nginx/html/pc;
index index.html;
valid_referers none blocked server_names
*.example.com example.* www.example.org/galleries/
~\.google\.;
if ($invalid_referer) {
return 403;
}
范例: 定义防盗链:
[root@centos8 ~]# vim /apps/nginx/conf/conf.d/pc.conf
server {
index index.html;
valid_referers none blocked server_names *.magedu.com *.magedu.org
~\.google\. ~\.baidu\. ~\.bing\. ~\.so\. ~\.dogedoge\. ; #定义有效的
referer
if ($invalid_referer) { #假如是使用其他的无效的referer访问
return 403 "Forbidden Access"; #返回状态码403
}
......
}
#重启Nginx并访问测试
#指定referer为http://www.baidu.com进行访问
[root@centos7 ~]# curl -e 'http://www.baidu.com' www.magedu.org
#指定referer为http://www.xxx.com进行访问,被拒绝
[root@centos7 ~]# curl -e 'http://www.xxx.com' www.magedu.org
#不加http的referer不会拒绝
[root@centos7 ~]# curl -e 'www.xxx.com' www.magedu.org
#在被盗链的nginx服务器查看日志
[14:30:08 root@rocky ~]$ cat /apps/nginx/logs/m.yanlinux.org-access.log|jq
{ "@timestamp": "2022-11-09T14:30:57+08:00",
"host": "192.168.72.150",
"clientip": "192.168.72.151",
"size": 16,
"responsetime": 0.000,
"upstreamtime": "-",
"upstreamhost": "-",
"http_host": "m. www.magedu.org",
"uri": "/logo.png", "xff": "-",
"referer": "http:// www.magedu.org/",
"tcp_xff": "-",
"http_user_agent":
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.35",
"status": "403" #403错误 }
4.解析nginx常见的负载均衡算法。
Nginx 可以基于ngx_http_upstream_module模块提供服务器分组转发、权重分配、状态监测、调度算法等高级功能
官方文档: https://nginx.org/en/docs/http/ngx_http_upstream_module
4.1负载均衡五种算法
4.1.1轮询(默认)
每个请求按时间顺序逐一分配到不同的后端服务,如果后端某台服务器死机,自动剔除故障系统,使用户访问不受影响。
4.1.2weight(轮询权值)
weight的值越大分配到的访问概率越高,主要用于后端每台服务器性能不均衡的情况下。或者仅仅为在主从的情况下设置不同的权值,达到合理有效的地利用主机资源。
指定轮询几率,weight和访问比率成正比,用于后端服务器性能不均的情况。
4.1.3ip_hash
每个请求按访问IP的哈希结果分配,使来自同一个IP的访客固定访问一台后端服务器,并且可以有效解决动态网页存在的session共享问题。
每个请求按访问ip的hash结果分配,这样每个访客固定访问一个后端服务器,可以解决session的问题。
4.1.4fair(第三方)
比 weight、ip_hash更加智能的负载均衡算法,fair算法可以根据页面大小和加载时间长短智能地进行负载均衡,也就是根据后端服务器的响应时间 来分配请求,响应时间短的优先分配。Nginx本身不支持fair,如果需要这种调度算法,则必须安装upstream_fair模块。
按后端服务器的响应时间来分配请求,响应时间短的优先分配。
4.1.5url_hash(第三方)
按访问的URL的哈希结果来分配请求,使每个URL定向到一台后端服务器,可以进一步提高后端缓存服务器的效率。Nginx本身不支持url_hash,如果需要这种调度算法,则必须安装Nginx的hash软件包。
按访问url的hash结果来分配请求,使每个url定向到同一个后端服务器,后端服务器为缓存时比较有效。
注:一般基于hash的调度算法添加节点后,会导致很多的调度的缓存信息失效;
因此,后面相关专业人士又发明出了一致性hash 算法,它的特点是:
大球是服务端hash取模后地址,小球是客户端hash取模后地址,客户端小球顺时针找到离他最近的大球
环节点不均匀哈希偏斜情况也是会出现的,但是可以把后端地址进行权重*1w计算,添加1w个随机数字对
1w个数字进行hash计算,每个节点都这么计算,4w个大圈就不会很偏斜
————————————————
hash KEY [consistent];
#基于指定请求报文中首部字段或者URI等key做hash计算,使用consistent参数,将使用ketama一致性hash算法,适用于后端是Cache服务器(如varnish)时使用,consistent定义使用一致性hash运算,一致性hash基于取模运算
#示例
hash $request_uri consistent; #基于用户请求的uri做hash
hash $cookie_sessionid #基于cookie中的sessionid这个key进行hash调度,实现会话绑定
ip_hash;
#源地址hash调度方法,基于的客户端的remote_addr(源地址IPv4的前24位或整个IPv6地址)做hash计算,以实现会话保持
#hash $remote_addr 则是对全部32bit的IPv4进行hash计算
least_conn;
#最少连接调度算法,优先将客户端请求调度到当前连接最少的后端服务器,相当于LVS中的WLC
5.基于LNMP完成搭建任意一种应用.
实验项目:利用LNMP搭建可道云站点
192.168.72.152安装nginx,192.168.72.145安装mysql和redis(即rocky-9),150机是DNS服务器
#5.1 yum安装mysql和redis服务
[root@rocky9 ~]# yum -y install mysql-server
Extra Packages for Enterprise Linux 9 - x86_64 1.8 kB/s | 7.1 kB 00:04
Extra Packages for Enterprise Linux 9 - x86_64 653 kB/s | 12 MB 00:18
Rocky Linux 9 - BaseOS 341 B/s | 3.6 kB 00:10
Rocky Linux 9 - BaseOS 156 kB/s | 1.7 MB 00:11
Rocky Linux 9 - AppStream 409 B/s | 4.1 kB 00:10
Rocky Linux 9 - AppStream 348 kB/s | 6.4 MB 00:18
Rocky Linux 9 - Extras 289 B/s | 2.9 kB 00:10
Rocky Linux 9 - Extras 1.1 kB/s | 8.3 kB 00:07
Dependencies resolved.
================================================================================================================================================
Package Architecture Version Repository Size
================================================================================================================================================
Installing:
mysql-server x86_64 8.0.30-3.el9_0 appstream 17 M
Upgrading:
audit x86_64 3.0.7-103.el9 baseos 252 k
audit-libs x86_64 3.0.7-103.el9 baseos 116 k
libselinux x86_64 3.4-3.el9 baseos 85 k
libselinux-utils x86_64 3.4-3.el9 baseos 158 k
libsemanage x86_64 3.4-2.el9 baseos 118 k
libsepol x86_64 3.4-1.1.el9 baseos 315 k
policycoreutils x86_64 3.4-4.el9 baseos 202 k
python3-libselinux x86_64 3.4-3.el9 appstream 185 k
Installing dependencies:
checkpolicy x86_64 3.4-1.el9 appstream 346 k
libaio x86_64 0.3.111-13.el9 baseos 23 k
libtirpc x86_64 1.3.3-0.el9 baseos 92 k
mariadb-connector-c-config noarch 3.2.6-1.el9_0 appstream 9.8 k
mecab x86_64 0.996-3.el9.3 appstream 347 k
mysql x86_64 8.0.30-3.el9_0 appstream 2.8 M
mysql-common x86_64 8.0.30-3.el9_0 appstream 70 k
mysql-errmsg x86_64 8.0.30-3.el9_0 appstream 476 k
mysql-selinux noarch 1.0.5-1.el9_0 appstream 35 k
perl-AutoLoader noarch 5.74-479.el9 appstream 30 k
perl-B x86_64 1.80-479.el9 appstream 188 k
perl-Carp noarch 1.50-460.el9 appstream 29 k
perl-Class-Struct noarch 0.66-479.el9 appstream 31 k
perl-Data-Dumper x86_64 2.174-462.el9 appstream 55 k
perl-Digest noarch 1.19-4.el9 appstream 25 k
perl-Digest-MD5 x86_64 2.58-4.el9 appstream 36 k
perl-Encode x86_64 4:3.08-462.el9 appstream 1.7 M
perl-Errno x86_64 1.30-479.el9 appstream 24 k
perl-Exporter noarch 5.74-461.el9 appstream 31 k
perl-Fcntl x86_64 1.13-479.el9 appstream 29 k
perl-File-Basename noarch 2.85-479.el9 appstream 26 k
perl-File-Path noarch 2.18-4.el9 appstream 35 k
perl-File-Temp noarch 1:0.231.100-4.el9 appstream 59 k
perl-File-stat