nginx authentication: self-signed HTTPS + Basic Auth

Contents

1. Generating a self-signed certificate

1.1: Prepare private and public keys for the server (and client):

1.2: Generate the CA certificate

1.3: Generate the server certificate

1.4: Generate the .cer file

2. Configuring nginx

3. Configuring Basic Auth login

1. Install httpd-tools

2. Create the authorized user and password

3. Configure nginx


1. Generating a self-signed certificate

1.1: Prepare private and public keys for the server (and client):

# generate the server's private key
openssl genrsa -out server.key 1024
# derive the server's public key from it
openssl rsa -in server.key -pubout -out server.pem

1.2: Generate the CA certificate

# generate the CA's private key
openssl genrsa -out ca.key 1024

# create a certificate signing request (CSR) for the CA
openssl req -new -key ca.key -out ca.csr

Note: the command above prompts for the fields listed below. Each can be skipped with Enter, but for Common Name you should enter your domain name (use localhost for a local setup):

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:<your domain name>
Email Address []:

Generate the CA certificate (self-signed with the CA's own key):

openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt

1.3: Generate the server certificate

# the server requests a signed certificate from the CA; as before, it first creates its own CSR
openssl req -new -key server.key -out server.csr
# have our own CA sign it: signing needs the CA certificate and private key, and the result is a certificate carrying the CA's signature
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt

1.4: Generate the .cer file

# convert the PEM certificate to DER with openssl
openssl x509 -in server.crt -out server.cer -outform der
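The four steps above as one script, added here as an example and not taken from the original post. It makes two deliberate changes to the post's commands, both of which a practitioner would want: 2048-bit keys instead of 1024-bit ones (1024-bit RSA is refused by current browsers and TLS libraries), and a subjectAltName on the server certificate, since browsers match the hostname against the SAN and reject a certificate that only carries a Common Name. It also sets explicit validity periods; the post's x509 -req commands omit -days, so those certificates expire after openssl's default of 30 days. It ends with the check the post never performs: verifying server.crt against ca.crt. The output directory, CA name and hostname are assumptions for the example.

```shell
#!/bin/bash
# Added example (not the original post's commands): section 1 as shell
# functions, with 2048-bit keys and a SAN on the server certificate.
# Directory, CA name and hostname below are assumptions for the example.
set -e

# Step 1.2 in one go: CA key plus a self-signed CA certificate (valid 10 years)
# written to directory $1, with the CA's name in $2.
make_ca() {
    local dir="$1" name="$2"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -days 3650 \
        -subj "/CN=$name" -out "$dir/ca.crt"
}

# Steps 1.1, 1.3 and 1.4: server key, CSR, CA-signed certificate for host $2
# (with a SAN), and a DER copy of the certificate.
issue_server_cert() {
    local dir="$1" host="$2"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr"
    # extension file for x509 -req: the SAN is what browsers actually check
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    openssl x509 -in "$dir/server.crt" -outform der -out "$dir/server.cer"
}

# Does server.crt chain to ca.crt, and does it carry a SAN for host $2?
# Returns 0 only if both hold.
verify_cert() {
    local dir="$1" host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host"
}

# Stand-alone run: build everything under ./pki for j.kkk.com (the post's host)
if [ "${1:-}" = "run" ]; then
    mkdir -p pki
    make_ca pki "Local Test CA"
    issue_server_cert pki j.kkk.com
    verify_cert pki j.kkk.com && echo "server.crt verified against ca.crt"
fi
```

Run it as `bash make-certs.sh run`, then point ssl_certificate and ssl_certificate_key at pki/server.crt and pki/server.key. Because the CA is private, clients only trust the server once they trust ca.crt; for a quick check after nginx is up, `curl --cacert pki/ca.crt https://j.kkk.com/` must succeed without -k, and `openssl s_client -connect j.kkk.com:443 -servername j.kkk.com -CAfile pki/ca.crt` must report "Verify return code: 0 (ok)".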

2. Configuring nginx

mkdir ssl

Copy server.crt and server.key into the ssl directory under nginx's configuration directory.
Then add the following to the nginx configuration:

upstream backend_addr {
    server 192.168.50.36:8989;
    keepalive 32;
}

server {
    listen 80;
    server_name j.kkk.com;
    #rewrite ^(.*) https://$server_name$1 permanent;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    #listen 80;
    server_name j.kkk.com;
    charset utf-8;
    # "ssl on;" is deprecated since nginx 1.15.0 and removed in 1.25.1; the ssl parameter on listen already enables TLS
    ssl_certificate      ssl/server.crt;
    ssl_certificate_key  ssl/server.key;
    location / {
        proxy_pass http://backend_addr;
        proxy_redirect off;
        proxy_set_header     Host  $host;
        proxy_set_header     REMOTE_ADDR  $remote_addr;   # original had the typo ROMOTE_ADDR; X-Real-IP is the conventional header name
        proxy_set_header     X-Forwarded-For  $proxy_add_x_forwarded_for;
        # real_ip_* only take effect together with set_real_ip_from listing the trusted upstream proxies
        real_ip_header    X-Forwarded-For;
        real_ip_recursive   on;
        #return 301 http://jenkins.kkk.com;
        #rewrite ^(.*) http://jenkins.kkk.com permanent;
    }
}

3. Configuring Basic Auth login

1. Install httpd-tools

yum install httpd-tools -y

2. Create the authorized user and password

htpasswd -c -d /etc/nginx/conf/pass_file  kaikai

The password file can be stored anywhere you like; here it is placed in nginx's configuration directory. The last argument is the username allowed to log in and can be whatever you choose.
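The same password file can be created without httpd-tools, which is handy on hosts where you would rather not install Apache's tooling. The script below is an added example, not part of the original post: it writes entries in the Apache apr1 (MD5) scheme that nginx's auth_basic accepts, using `openssl passwd -apr1`. Two caveats it addresses: the post's `htpasswd -d` selects the legacy crypt() scheme, which silently truncates passwords to 8 characters, and `htpasswd -c` recreates the file on every call, overwriting existing users, whereas add_user below replaces only the named user's line. File path and user names are assumptions for the example.

```shell
#!/bin/bash
# Added example (not from the original post): maintain and check an
# auth_basic_user_file using only openssl. Paths and names are assumptions.

# add_user FILE USER PASSWORD: write/replace "USER:$apr1$..." in FILE.
# The password is a function argument so the demo stays self-contained; in a
# real script read it with `read -s` rather than passing it on the command line.
add_user() {
    local file="$1" user="$2" pass="$3" hash
    case "$user" in *:*) echo "user name may not contain ':'" >&2; return 1;; esac
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    # drop any existing line for this user, then append the new one
    if [ -f "$file" ]; then
        grep -v "^$user:" "$file" > "$file.tmp" || true
        mv "$file.tmp" "$file"
    fi
    printf '%s:%s\n' "$user" "$hash" >> "$file"
    chmod 640 "$file"
}

# check_user FILE USER PASSWORD: return 0 if PASSWORD matches USER's entry.
# Recomputes the apr1 hash with the stored salt (field 3 of $apr1$salt$hash)
# and compares, which is exactly what nginx does on each request.
check_user() {
    local file="$1" user="$2" pass="$3" stored salt computed
    stored=$(grep "^$user:" "$file" | head -n1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    case "$stored" in \$apr1\$*) ;; *) return 1;; esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    computed=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$computed" = "$stored" ]
}

# Stand-alone run: create the post's user in a constructed demo file
if [ "${1:-}" = "run" ]; then
    add_user ./pass_file kaikai 'correct horse battery staple'
    check_user ./pass_file kaikai 'correct horse battery staple' && echo "password ok"
fi
```

nginx reads the file on each request, so the worker user (nginx or www-data, depending on the distribution) needs read access: `chown root:nginx /etc/nginx/conf/pass_file` with the 640 mode set above is enough. Basic Auth sends the username and password base64-encoded, not encrypted, in every request, which is why the post places auth_basic in the port-443 server block and redirects port 80 to it.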

3. Configure nginx

server {
  listen    80;
  server_name res.yinnote.com;

  root  /mnt/html/resource;
  index index.html index.php;
}

upstream backend_addr {
    server 192.168.50.36:8989;
    keepalive 32;
}

server {
    listen 80;
    server_name kaikai.kkk.com;
    #rewrite ^(.*) https://$server_name$1 permanent;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    #listen 80;
    server_name kaikai.kkk.com;

    # every request to this virtual host must carry valid Basic Auth credentials
    auth_basic  "Login required";
    auth_basic_user_file /etc/nginx/conf/pass_file;

    autoindex on;
    autoindex_exact_size on;
    autoindex_localtime on;

    charset utf-8;
    # "ssl on;" is deprecated since nginx 1.15.0 and removed in 1.25.1; the ssl parameter on listen already enables TLS
    ssl_certificate      ssl/server.crt;
    ssl_certificate_key  ssl/server.key;
    location / {
        proxy_pass http://backend_addr;
        proxy_redirect off;
        proxy_set_header     Host  $host;
        proxy_set_header     REMOTE_ADDR  $remote_addr;   # original had the typo ROMOTE_ADDR; X-Real-IP is the conventional header name
        proxy_set_header     X-Forwarded-For  $proxy_add_x_forwarded_for;
        # real_ip_* only take effect together with set_real_ip_from listing the trusted upstream proxies
        real_ip_header    X-Forwarded-For;
        real_ip_recursive   on;
        #return 301 http://jenkins.kkk.com;
        #rewrite ^(.*) http://jenkins.kkk.com permanent;
    }
}

Generating the certificate with a script

#!/bin/bash
# read -p is a bash feature, so the script needs bash rather than /bin/sh
set -e

# create self-signed server certificate:

read -p "Enter your domain [www.example.com]: " DOMAIN
# apply the default the prompt advertises
DOMAIN=${DOMAIN:-www.example.com}

echo "Create server key..."
openssl genrsa -des3 -out "$DOMAIN.key" 1024

echo "Create server certificate signing request..."
SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"
openssl req -new -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr"

echo "Remove password..."
# nginx cannot prompt for the key passphrase at startup, so strip it
mv "$DOMAIN.key" "$DOMAIN.origin.key"
openssl rsa -in "$DOMAIN.origin.key" -out "$DOMAIN.key"

echo "Sign SSL certificate..."
openssl x509 -req -days 3650 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"

echo "TODO:"
echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
echo "Add configuration in nginx:"
echo "server {"
echo "    ..."
echo "    listen 443 ssl;"
echo "    ssl_certificate     /etc/nginx/ssl/$DOMAIN.crt;"
echo "    ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
echo "}"





Reposted from blog.csdn.net/kaikai136412162/article/details/108520535