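Some sites' subdomains handle transactions, user information and other sensitive data, so it is advisable to use HTTPS instead of plain HTTP. Here I use the ZXTM load balancer to do this.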

1 Create the public key, private key and certificate
I am used to the openssl tool on Linux; ZXTM can also create these itself:
[root@dongwm conf]# openssl genrsa -des3 1024 > server.key   # create the server key
Generating RSA private key, 1024 bit long modulus
........................++++++
..................++++++
e is 65537 (0x10001)
Enter pass phrase:    # enter a pass phrase
Verifying - Enter pass phrase:   # enter the pass phrase again
[root@dongwm conf]# openssl rsa -in server.key -out server.key     # remove the pass phrase from the key
Enter pass phrase for server.key:  # enter the pass phrase set above
writing RSA key    # server.key has been written
[root@dongwm conf]# openssl req -new -key server.key -out server.csr  # create the server's certificate signing request (public key)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN   # country name
State or Province Name (full name) [Berkshire]:Beijing # province name
Locality Name (eg, city) [Newbury]:Beijing   # city name
Organization Name (eg, company) [My Company Ltd]:www.dongwm.com # domain name
Organizational Unit Name (eg, section) []:  # leave blank
Common Name (eg, your name or your server's hostname) []:www.dongwm.com  # common name; just enter the domain name
Email Address []:admin@dongwm.com      # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  # press Enter
An optional company name []:  # press Enter
[root@dongwm conf]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365  # create the server certificate
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=www.dongwm.com/CN=www.dongwm.com/emailAddress=admin@dongwm.com
Getting Private key

Three files are generated: server.key   server.crt (certificate)   server.csr (certificate signing request, which carries the public key)
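
The three openssl steps above in non-interactive form, followed by checks worth running before the key and certificate are imported into the load balancer. This is an added example, not part of the original post; the function names and the host name passed in are hypothetical, and it defaults to a 2048-bit key where the transcript uses 1024.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumption: 2048-bit RSA by default (the post's transcript uses 1024).

# make_selfsigned DIR CN [BITS]: non-interactive form of the three openssl steps;
# writes server.key, server.csr and server.crt into DIR.
make_selfsigned() {
    d=$1; cn=$2; bits=${3:-2048}
    ( umask 077 && openssl genrsa -out "$d/server.key" "$bits" 2>/dev/null ) || return 1
    openssl req -new -key "$d/server.key" -out "$d/server.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=$cn/CN=$cn" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" \
        -out "$d/server.crt" -days 365 2>/dev/null || return 1
}

# preimport_check KEY CRT CN: run before importing the pair into the catalog.
# Returns 0 = ok, 1 = key and certificate do not match (or key unreadable),
# 2 = RSA key shorter than 2048 bits, 3 = CN is not the expected host name,
# 4 = certificate already expired.
preimport_check() {
    key=$1; crt=$2; want=$3
    # Compare the public key derived from the private key with the one in the cert.
    kpub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || return 1
    # Key size as recorded in the certificate.
    size=$(openssl x509 -in "$crt" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    [ "${size:-0}" -ge 2048 ] || return 2
    # RFC2253 output has no spaces around "="; the added comma closes the last RDN.
    subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253)
    case "$subj," in
        *"CN=$want,"*) ;;
        *) return 3 ;;
    esac
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || return 4
    return 0
}

# Usage: sh precheck.sh server.key server.crt www.example.test
if [ "$#" -eq 3 ]; then preimport_check "$@"; exit $?; fi
```

Run against a pair made with the transcript's 1024-bit key, the check stops at return code 2.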

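2 Configure ZXTM
1 Add a pool and add the web nodes to it:

2  Add the SSL certificate:
 Go to the Catalogs–>SSL page

Select the first item, SSL Certificates catalog:

Choose Import Certificate to import the certificate and private key generated above:

The name can be anything. For Certificate file, choose the server.crt just generated; for Private key file, choose the server.key generated at the start; then click Import Certificate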

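3  Add the Virtual Server
Go to the Services–>Virtual Servers page and use Create a new Virtual Server

Note that the protocol is HTTP and the port is 443; the traffic pool is the test pool created at the start

Open the SSL Decryption section below:

For Certificate, select the certificate just created; it is listed under the name you gave it when importing.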

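4  Configuration is now complete; test it

Note the following:
Open https://<address of your ZXTM Traffic IP Group> (that is, the load balancer's front-end IP)
and you reach the web content of the nodes in the pool you created at the start
Different domain names have to be specified separately in httpd.conf. Because I am listening on port 8080 of 192.168.8.108 here, all HTTP traffic on that port goes over this encrypted HTTPS protocol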