Implementing HTTPS and Canary (Gray) Releases with OpenResty (Docker Edition)
1. Overview
1.1 OpenResty
- OpenResty® is a high-performance web platform based on Nginx and Lua. It bundles a large number of well-crafted Lua libraries, third-party modules and most of their dependencies, and is used to conveniently build dynamic web applications, web services and dynamic gateways that handle very high concurrency and scale extremely well.
OpenResty® brings together a set of well-designed Nginx modules (mostly developed by the OpenResty team itself), effectively turning Nginx into a powerful general-purpose web application platform. Web developers and systems engineers can use the Lua scripting language to drive the C and Lua modules that Nginx supports and quickly build high-performance web systems capable of 10K to more than 1000K concurrent connections on a single machine.
The goal of OpenResty® is to run your web service directly inside the Nginx server, making full use of Nginx's non-blocking I/O model to respond with consistently high performance not only to HTTP client requests but also to remote backends such as MySQL, PostgreSQL, Memcached and Redis.
1.2 HTTPS
- HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel designed with security as its goal: on top of HTTP it adds transport encryption and identity authentication to secure the data in transit. HTTPS layers SSL beneath HTTP; SSL is the security foundation of HTTPS, so the details of the encryption are handled by SSL. HTTPS uses a different default port from HTTP and adds an encryption/authentication layer (between HTTP and TCP). The system provides authentication and encrypted communication and is widely used for security-sensitive communication on the World Wide Web, such as transactions and payments.
- Why HTTPS is needed: plain HTTP is not secure
1. Data in transit can be intercepted by a man in the middle, leaking information
2. Content can be hijacked and tampered with
1.3 Gray (canary) releases
- A gray release (also called a canary release) is a release method that allows a smooth transition between "black" and "white". It supports A/B testing: one group of users keeps using product feature A while another starts using feature B, and if users raise no objections to B, the rollout is gradually widened until all users have been migrated to B. A gray release keeps the overall system stable; problems can be found and corrected during the initial gray phase, which limits their impact.
2. Installing OpenResty with Docker
2.1 Pull the image
docker pull sevenyuan/openresty
2.2 Start openresty
docker run -id --name openresty -p 80:80 sevenyuan/openresty
2.3 Create the mount directory
mkdir -p /home/kent/Tools/openresty
2.4 Copy the initial configuration out of the container
docker cp openresty:/usr/local/openresty /home/kent/Tools
2.5 Remove the openresty container
docker rm -f <container ID>   # or by name: docker rm -f openresty
2.6 Start with the directories mounted
The host paths must be the directory the configuration was copied to in step 2.4. (--privileged=true gives the container full access to host devices; nginx does not need it to bind ports 80 and 443.)
docker run -d --name openresty-nginx --restart=always -m 2g --memory-swap 3g \
  -p 80:80 -p 443:443 -p 14290:14290 -p 14284:14284 \
  --privileged=true \
  -v /home/kent/Tools/openresty/nginx/conf:/usr/local/openresty/nginx/conf \
  -v /home/kent/Tools/openresty/nginx/logs:/usr/local/openresty/nginx/logs \
  -v /etc/localtime:/etc/localtime \
  sevenyuan/openresty
Open http://127.0.0.1 in a browser and the welcome page appears.
3. Configuring HTTPS
3.1 Create the server private key
- This assumes openresty and openssl are already installed. Create a cert directory under /usr/local/openresty/nginx/conf/ to hold the certificate and the server private key.
root@ecs-94a9:/home/kent/Tools/openresty/nginx/conf# mkdir cert
root@ecs-94a9:/home/kent/Tools/openresty/nginx/conf# cd cert/
root@ecs-94a9:/home/kent/Tools/openresty/nginx/conf/cert# pwd
/home/kent/Tools/openresty/nginx/conf/cert
- In the cert directory, create the server private key; the command prompts for a passphrase.
Generate a 4096-bit server private key: openssl genrsa -des3 -out server.key 4096
root@ecs-94a9:/home/kent/Tools/openresty/nginx/conf/cert# openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
....................++++
...........++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
root@ecs-94a9:/home/kent/Tools/openresty/nginx/conf/cert# ll
total 12
drwxr-xr-x 2 root root 4096 Jul 12 14:51 ./
drwxr-xr-x 3 root root 4096 Jul 12 14:51 ../
-rw------- 1 root root 3311 Jul 12 14:52 server.key
- Create the certificate signing request (CSR)
openssl req -new -key server.key -out server.csr
root@ecs-94a9:/home/kent/Tools/openresty/nginx/conf/cert# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
Can't load /root/.rnd into RNG
140326010012096:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BALLSNOW
Locality Name (eg, city) []:SHANGHAI
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SH
Organizational Unit Name (eg, section) []:SH
Common Name (e.g. server FQDN or YOUR name) []:SH
Email Address []:(the email address can be left blank; just press Enter)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:bs_aipros_2021
An optional company name []:ballsnow
root@ecs-94a9:/home/kent/Tools/openresty/nginx/conf/cert# ll
total 16
drwxr-xr-x 2 root root 4096 Jul 12 14:55 ./
drwxr-xr-x 3 root root 4096 Jul 12 14:51 ../
-rw-r--r-- 1 root root 1756 Jul 12 14:55 server.csr
-rw------- 1 root root 3311 Jul 12 14:52 server.key
- To use this private key on an Nginx server built with SSL support, remove the mandatory passphrase from it (note that "removing" here means writing a new copy of the key that can be loaded without the passphrase, replacing the original key file).
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
root@ecs-94a9:/home/kent/Tools/openresty/nginx/conf/cert# cp server.key server.key.org
root@ecs-94a9:/home/kent/Tools/openresty/nginx/conf/cert# ll
total 20
drwxr-xr-x 2 root root 4096 Jul 12 14:57 ./
drwxr-xr-x 3 root root 4096 Jul 12 14:51 ../
-rw-r--r-- 1 root root 1756 Jul 12 14:55 server.csr
-rw------- 1 root root 3311 Jul 12 14:52 server.key
-rw------- 1 root root 3311 Jul 12 14:57 server.key.org
root@ecs-94a9:/home/kent/Tools/openresty/nginx/conf/cert# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
- Generate the certificate file with openssl's x509 command
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
root@ecs-94a9:/home/kent/Tools/openresty/nginx/conf/cert# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = CN, ST = BALLSNOW, L = SHANGHAI, O = SH, OU = SH, CN = SH
Getting Private key
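The whole 3.1 procedure as one non-interactive script, an added example that is not part of the original post: it repeats the key, CSR, passphrase-stripping and self-signing steps with the post's DN fields, adds a subjectAltName for the server address (the post's CN=SH matches no host, so clients would reject that certificate even if they trusted it), and then checks that the resulting files are usable by nginx. The host IP, key size, lifetime and passphrase are caller-supplied parameters, not values from the post.

```shell
# Added example, not part of the original post: the post's key -> CSR -> strip passphrase -> self-signed
# certificate steps, run non-interactively, plus the checks to run before handing the files to nginx.
# The DN fields copy the post; IP, key size, lifetime and passphrase are parameters chosen by the caller.
set -eu

make_self_signed_cert() {
  dir="$1"; host_ip="$2"; bits="$3"; days="$4"; pass="$5"
  mkdir -p "$dir"
  # 1. RSA key protected by a passphrase (the post uses -des3; AES-256 is the current equivalent)
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key.org" "$bits" 2>/dev/null
  # 2. CSR; -subj replaces the interactive DN prompts. CN is the address clients will connect to,
  #    not a free-form label like the post's CN=SH, which no client would accept for this host.
  openssl req -new -key "$dir/server.key.org" -passin "pass:$pass" \
    -subj "/C=CN/ST=BALLSNOW/L=SHANGHAI/O=SH/OU=SH/CN=$host_ip" -out "$dir/server.csr"
  # 3. strip the passphrase so nginx can start unattended; the result is a plaintext key, so restrict its mode
  openssl rsa -in "$dir/server.key.org" -passin "pass:$pass" -out "$dir/server.key" 2>/dev/null
  chmod 600 "$dir/server.key"
  # 4. self-sign; modern clients ignore CN and require a subjectAltName, so add one matching the IP
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$host_ip" \
    > "$dir/san.ext"
  openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
    -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# Sanity checks: key and certificate belong together, the SAN covers the host, the key is no longer
# encrypted (nginx would otherwise block on a passphrase prompt), and the certificate is not about to expire.
verify_cert_pair() {
  dir="$1"; host_ip="$2"
  key_mod=$(openssl rsa -in "$dir/server.key" -noout -modulus)
  crt_mod=$(openssl x509 -in "$dir/server.crt" -noout -modulus)
  [ "$key_mod" = "$crt_mod" ] || { echo "key does not match certificate"; return 1; }
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "IP Address:$host_ip" \
    || { echo "subjectAltName does not cover $host_ip"; return 1; }
  ! grep -q ENCRYPTED "$dir/server.key" || { echo "server.key is still passphrase-protected"; return 1; }
  openssl x509 -in "$dir/server.crt" -noout -checkend 86400 >/dev/null \
    || { echo "certificate expires within 24h"; return 1; }
  echo ok
}
```

Typical use is `make_self_signed_cert /path/to/conf/cert 114.115.200.111 4096 3650 "$PASS"` followed by `verify_cert_pair /path/to/conf/cert 114.115.200.111`; a non-zero exit from the second call means nginx should not yet be pointed at the files.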
3.2 Configure nginx.conf
server {
    listen 443 ssl;
    server_name localhost;
    #ssl on;   # obsolete directive; the ssl parameter on listen replaces it
    ssl_certificate /usr/local/openresty/nginx/conf/cert/server.crt;
    ssl_certificate_key /usr/local/openresty/nginx/conf/cert/server.key;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); current guidance is TLSv1.2 and TLSv1.3 only
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        alias html/;
        index index.html index.htm;
        try_files $uri $uri/ /index.html;
        client_max_body_size 100M;
    }
    ......
}
My configuration file is as follows:
# redirect plain HTTP requests to HTTPS
server {
    listen 80;
    server_name 114.115.200.111;
    rewrite ^/(.*)$ https://114.115.200.111:443/$1 permanent;
}
# HTTPS configuration
server {
    listen 443 ssl;
    server_name 114.115.200.111;
    ssl_certificate /usr/local/openresty/nginx/conf/cert/server.crt;
    ssl_certificate_key /usr/local/openresty/nginx/conf/cert/server.key;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    # forwarded addresses
    location / {
        index index.html index.htm;
        try_files $uri $uri/ /index.html;
        client_max_body_size 100M;
    }
}
- Restart the openresty container and open https://ip in the browser; it succeeds.
Note: ports 80 and 443 must both be opened, both in the container-to-host port mapping and in the host-to-public-network mapping. I was stuck on this for a long time.
3.3 Configure HTTPS requests to the backend
The full configuration is shown below. Note that backend API calls must now use the address https://114.115.200.111:443/xxx
instead of the earlier http://114.115.200.111:9098 (9098 is the backend port).
# redirect plain HTTP requests to HTTPS
server {
    listen 80;
    server_name 114.115.200.111;
    rewrite ^/(.*)$ https://114.115.200.111:443/$1 permanent;
}
# HTTPS configuration
server {
    listen 443 ssl;
    server_name 114.115.200.111;
    ssl_certificate /usr/local/openresty/nginx/conf/cert/server.crt;
    ssl_certificate_key /usr/local/openresty/nginx/conf/cert/server.key;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    # forwarded addresses
    location / {
        index index.html index.htm;
        try_files $uri $uri/ /index.html;
        client_max_body_size 100M;
        proxy_pass http://114.115.200.111:9098/;
    }
    location /AIPros {
        proxy_pass http://114.115.200.111:8080;
    }
    location /aipros-user-management {
        proxy_pass http://114.115.200.111:9098/aipros-user-management;
    }
    location /aipros-access-management {
        proxy_pass http://114.115.200.111:9098/aipros-access-management;
    }
}
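As an added example (not part of the original post), a small shell lint over the server block used in 3.2 and 3.3: WEAK_CONF reproduces the post's TLS settings, and HARDENED_CONF is the version a reviewer would ask for, going beyond the post by dropping TLS 1.0/1.1, adding HSTS and forwarding the request scheme to the plain-HTTP backend on :9098. Both configs are constructed here for the checks to run against.

```shell
# Added example, not part of the original post: a lint over the TLS server block the post configures.
# WEAK_CONF is constructed from the post's settings; HARDENED_CONF is the version a reviewer would ask for
# (TLS 1.0/1.1 dropped, HSTS added, request scheme forwarded to the plain-HTTP backend).
set -eu

WEAK_CONF='server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / { proxy_pass http://114.115.200.111:9098/; }
}'

HARDENED_CONF='server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://114.115.200.111:9098/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}'

# Each check takes one server block as $1 and prints a finding when the setting is weak or missing.
check_protocols() {
  # TLS 1.0 and 1.1 are deprecated (RFC 8996); the post's ssl_protocols line still offers both
  printf '%s\n' "$1" | grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?[ ;]' && echo "ssl_protocols offers TLS 1.0/1.1"
  return 0
}
check_hsts() {
  # the 80 -> 443 rewrite still lets the first request go out in the clear; HSTS makes returning browsers skip it
  printf '%s\n' "$1" | grep -q 'Strict-Transport-Security' || echo "no Strict-Transport-Security header"
}
check_proxy_headers() {
  # TLS ends at nginx; without X-Forwarded-Proto the backend on :9098 cannot tell the request was HTTPS
  if printf '%s\n' "$1" | grep -q 'proxy_pass' && ! printf '%s\n' "$1" | grep -q 'X-Forwarded-Proto'; then
    echo "proxy_pass without X-Forwarded-Proto"
  fi
}
# All findings for one block, one per line; empty output means the block passes
audit_tls_conf() { check_protocols "$1"; check_hsts "$1"; check_proxy_headers "$1"; }
# Finding count as a number, convenient for failing a deploy step when non-zero
finding_count() { audit_tls_conf "$1" | grep -c '^' || true; }
```

Run `audit_tls_conf "$(cat /home/kent/Tools/openresty/nginx/conf/nginx.conf)"` against the real file before restarting the container; with the post's configuration it reports all three findings.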