在lvs配置之NAT模式这篇文章配置的基础上搭建https
环境
| 系统 | ip |
| --- | --- |
| redhat8 test | 192.168.100.130 |
| redhat8 DR | 192.168.100.131（vip: 192.168.18.250） |
| redhat8 RS1 | 192.168.100.132 |
| redhat8 RS2 | 192.168.100.133 |
LVS服务器搭建CA服务端
# RS1: give each real server a distinct page so the load-balancing test at
# the end shows which backend answered.
[root@RS1 ~]# printf '%s\n' test1 > /var/www/html/index.html
# RS2
[root@RS2 ~]# printf '%s\n' test2 > /var/www/html/index.html
生成一对密钥
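# DR: this host also acts as the private CA. The default openssl.cnf on
# RHEL 8 expects the CA layout under /etc/pki/CA, which does not exist yet.
[root@DR ~]# mkdir -p /etc/pki/CA/private
[root@DR ~]# cd /etc/pki/CA
# The CA private key signs every server certificate in this setup, so keep it
# root-only. umask 077 makes the key itself 0600; the chmod also closes the
# directory, which mkdir typically creates 0755 under the default umask.
[root@DR CA]# chmod 700 private
# 2048 bits is the minimum acceptable RSA size today; use 3072/4096 or an EC
# key for a CA that is meant to live for years.
[root@DR CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
# Optional sanity check: print the matching public key (writes nothing).
[root@DR CA]# openssl rsa -in private/cakey.pem -pubout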
生成自签署证书
# DR: self-signed CA certificate, i.e. the trust anchor clients will install.
# When prompted for Common Name, prefer a name that differs from the one the
# server certificates will use (e.g. "thl CA"): the transcript below reused
# "thl" for both, which OpenSSL tolerates but which can make the chain look
# self-signed in inspection tools and is a common source of confusing
# verification errors. -days 1024 bounds how long clients trust this anchor.
[root@DR CA]# openssl req -x509 -new -days 1024 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:thl
Organizational Unit Name (eg, section) []:thl
Common Name (eg, your name or your server's hostname) []:thl
Email Address []:1@2.com
[root@DR CA]# touch index.txt && echo 01 > serial
RS1生成证书签署请求,并发送给CA
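# RS1: install mod_ssl, generate the server key and a certificate signing
# request (CSR) for the CA.
[root@RS1 ~]# yum -y install mod_ssl
[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]# cd /etc/httpd/ssl
# umask 077 so httpd.key is created mode 0600.
[root@RS1 ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
# A CSR has no validity period, so -days is meaningless here (the original
# command carried it and openssl answered "Ignoring -days"); the CA sets the
# lifetime when it signs. Answer Common Name with the name clients will put
# in the URL (here "thl"). Browsers additionally require that name in a
# subjectAltName extension, which must be supplied when the certificate is
# signed - openssl ca does not copy extensions from a CSR by default.
[root@RS1 ssl]# openssl req -new -key httpd.key -out httpd.csr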
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:thl
Organizational Unit Name (eg, section) []:thl
Common Name (eg, your name or your server's hostname) []:thl
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@RS1 ssl]# ls
httpd.csr httpd.key
# Send only the request to the CA: a CSR carries the public key and the DN,
# nothing secret. httpd.key stays on this host.
[root@RS1 ssl]# scp ./httpd.csr root@192.168.100.131:/root/
CA签署证书并发给RS1
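# DR: complete the CA layout, then sign the request.
# newcerts is where openssl ca stores a copy of every certificate it issues.
[root@DR ~]# mkdir -p /etc/pki/CA/newcerts
# Create the database files only if they are missing. Never reset serial on a
# CA that has already issued certificates: two certificates with the same
# issuer and serial break revocation and can trip duplicate-serial checks in
# clients.
[root@DR ~]# [ -f /etc/pki/CA/index.txt ] || touch /etc/pki/CA/index.txt
[root@DR ~]# [ -f /etc/pki/CA/serial ] || echo 01 > /etc/pki/CA/serial
[root@DR ~]# ls
anaconda-ks.cfg httpd.csr
# Extensions for the server certificate. openssl ca ignores extensions in the
# CSR by default, so the subjectAltName (the host name and the VIP clients
# will use) has to be supplied here; modern browsers ignore the CN and fail
# without it. -extfile replaces the extension section from openssl.cnf, so
# the key identifiers and CA:FALSE are repeated in the file as well.
[root@DR ~]# cat > /root/httpd.ext <<'EOF'
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:thl, IP:192.168.18.250
EOF
# 1024 days mirrors the original run; Apple platforms reject server
# certificates valid for more than 825 days, so shorten this for real use.
# The details printed below were captured from the original run without the
# ext file; with it the X509v3 section additionally lists the entries above.
[root@DR ~]# openssl ca -in httpd.csr -out httpd.crt -days 1024 -extfile /root/httpd.ext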
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 6 08:10:00 2021 GMT
Not After : Feb 24 08:10:00 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = thl
organizationalUnitName = thl
commonName = thl
emailAddress = 1@2.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C5:3B:A3:CD:89:65:21:12:CC:88:1A:AD:67:21:58:8A:66:DE:76:55
X509v3 Authority Key Identifier:
keyid:CA:22:DC:EF:D3:15:26:6A:EA:AA:B1:83:66:8E:E6:FB:AD:G4:0B:DF
Certificate is to be certified until Feb 24 08:10:00 2024 GMT (1024 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@DR ~]# ls
anaconda-ks.cfg httpd.crt httpd.csr
# Hand the signed certificate and the CA certificate to RS1. Both are public;
# the CA private key never leaves /etc/pki/CA/private on DR.
[root@DR ~]# scp httpd.crt /etc/pki/CA/cacert.pem root@192.168.100.132:/etc/httpd/ssl
配置https
将RS1的证书和密钥发给RS2
# RS2: same mod_ssl install and certificate directory as on RS1.
[root@RS2 ~]# yum install -y mod_ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl
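# RS1: in LVS-NAT each real server terminates TLS itself, so RS2 must present
# the same certificate and therefore needs the same private key. Copying a
# private key between hosts is the weak point of this design: do it over SSH
# only, preserve the 0600 mode on the receiving side (-p), and leave no extra
# copies behind. (Alternative: give RS2 its own key/CSR and have the CA sign a
# second certificate for the same names.)
[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]# chmod 600 httpd.key
[root@RS1 ssl]# scp -p cacert.pem httpd.crt httpd.key root@192.168.100.133:/etc/httpd/ssl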
# RS2: confirm all three files arrived.
[root@RS2 ~]# ls /etc/httpd/ssl
cacert.pem httpd.crt httpd.key
修改https配置文件
# RS1: point mod_ssl at the files in /etc/httpd/ssl.
[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
# The directives that change (everything else is left as shipped):
# Server certificate issued by the private CA. It is signed directly by the
# root, so no separate chain file is needed.
SSLCertificateFile /etc/httpd/ssl/httpd.crt
······
# Private key matching the certificate; keep it root-only (the umask used
# when it was generated created it 0600).
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
······
# mod_ssl uses this file to validate *client* certificates (SSLVerifyClient).
# With client verification off, the default, it is unused. Harmless here, but
# it is not what makes clients trust the server: they need cacert.pem locally.
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
······
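# Validate the edited configuration before restarting: with a typo in
# ssl.conf, restart would stop httpd and then fail to start it again.
[root@RS1 ~]# httpd -t
[root@RS1 ~]# systemctl restart httpd
# 443 must now be listening alongside 80.
[root@RS1 ~]# ss -antl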
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 *:80 *:*
# RS2: the same three directives as on RS1.
[root@RS2 ~]# vim /etc/httpd/conf.d/ssl.conf
# The directives that change (everything else is left as shipped):
# Same certificate as RS1 (both real servers answer for the same VIP), signed
# directly by the private root CA, so no chain file is needed.
SSLCertificateFile /etc/httpd/ssl/httpd.crt
······
# Private key copied from RS1; keep it root-only (mode 0600).
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
······
# Only consulted for client-certificate verification (SSLVerifyClient), which
# is off by default; it does not affect how clients verify this server.
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
······
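# Validate the edited configuration before restarting: with a typo in
# ssl.conf, restart would stop httpd and then fail to start it again.
[root@RS2 ~]# httpd -t
[root@RS2 ~]# systemctl restart httpd
# 443 must now be listening alongside 80.
[root@RS2 ~]# ss -antl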
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 *:80 *:*
添加并保存规则
# DR: add the HTTPS virtual service and its two NAT (masquerading) real
# servers, mirroring the :80 service from the NAT-mode article. Each real
# server keeps its own TLS session cache, so a client that round-robin lands
# on the other RS does a full handshake again - fine for this test; production
# setups usually add a persistence timeout (-p) or share ticket keys. Note
# that the :80 service stays forwarded (see the listing below), so plain HTTP
# remains reachable; redirect it or remove the service if HTTPS is mandatory.
[root@DR ~]# ipvsadm --add-service --tcp-service 192.168.18.250:443 --scheduler rr
[root@DR ~]# ipvsadm --add-server --tcp-service 192.168.18.250:443 --real-server 192.168.100.132 --masquerading
[root@DR ~]# ipvsadm --add-server --tcp-service 192.168.18.250:443 --real-server 192.168.100.133 --masquerading
[root@DR ~]# ipvsadm --list --numeric
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.18.250:80 rr
-> 192.168.100.132:80 Masq 1 0 0
-> 192.168.100.133:80 Masq 1 0 0
TCP 192.168.18.250:443 rr
-> 192.168.100.132:443 Masq 1 0 0
-> 192.168.100.133:443 Masq 1 0 0
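# Persist the rules so the ipvsadm service can restore them at boot.
# -n writes numeric addresses; without it ipvsadm may save resolved host and
# service names, which makes the restore depend on DNS at boot time.
[root@DR ~]# ipvsadm -S -n > /etc/sysconfig/ipvsadm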
访问测试
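# test client (192.168.100.130): verify the certificate chain instead of
# disabling verification. curl -k accepts any certificate, so it only proves
# that *something* answers on 443, not that it is our server behind the VIP.
[root@client ~]# scp root@192.168.100.131:/etc/pki/CA/cacert.pem /root/
# The server certificate's CN is "thl"; --resolve lets the URL carry that name
# while still connecting to the VIP. curl falls back to the CN only when the
# certificate has no subjectAltName - browsers will not, they need a SAN.
[root@client ~]# curl --cacert /root/cacert.pem --resolve thl:443:192.168.18.250 https://thl/
test1
[root@client ~]# curl --cacert /root/cacert.pem --resolve thl:443:192.168.18.250 https://thl/
test2
[root@client ~]# curl --cacert /root/cacert.pem --resolve thl:443:192.168.18.250 https://thl/
test1
[root@client ~]# curl --cacert /root/cacert.pem --resolve thl:443:192.168.18.250 https://thl/
test2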