
Nginx支持HTTPS openssl生成SSL证书

时间:2018-12-29 07:22:04


Nginx支持HTTPS openssl生成SSL证书

# Build nginx with the TLS module: the `listen ... ssl` and ssl_* directives used further down
# are only available when nginx is compiled with --with-http_ssl_module.
./configure --with-http_ssl_module --prefix=/usr/local/nginx

1)创建SSL证书私钥,输入两次密码,生成文件为server.key

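# 1) Create the server's private key (server.key); the file is encrypted with a passphrase that
#    is prompted for twice. AES-256 replaces the original -des3: 3DES is a legacy cipher and is
#    not an appropriate choice for protecting a key at rest.
openssl genrsa -aes256 -out server.key 2048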

2)利用私钥生成一个不需要输入密码的密钥文件,生成文件为 server_nopass.key, 需要输入一次密码

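# 2) Strip the passphrase so nginx can start unattended (prompts for the passphrase once).
#    The result is a plaintext private key: create it under a restrictive umask so it is never
#    world-readable, and keep it readable only by the account nginx's master process runs as.
(umask 077; openssl rsa -in server.key -out server_nopass.key)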

3)创建SSL证书签名请求文件,生成SSL证书时需要使用到,生成文件为server.csr;

在生成过程中,我们需要输入一些信息,需要注意的是Common Name需要和网站域名一致

# 3) Certificate signing request (server.csr) for the key; the subject fields are prompted for.
#    Common Name must equal the site's domain name. Note that current browsers match the
#    certificate against the subjectAltName extension rather than CN, so a SAN has to be added
#    when the certificate is signed in step 4 for them to accept it.
openssl req -new -out server.csr -key server.key

4)生成SSL证书,有效期为365天,生成文件为server.crt;

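# 4) Self-sign the CSR, valid for 365 days, producing server.crt.
#    -sha256 is given explicitly: older OpenSSL builds default to SHA-1 signatures, which
#    browsers no longer accept (the script further down also signs with -sha256).
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt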

如果需要用 pfx，可以用以下命令生成：`openssl pkcs12 -export -inkey ssl.key -in ssl.crt -out ssl.pfx`。在需要使用证书的 nginx 配置文件的 server 节点里加入以下配置就可以了。

没有域名也没事,直接配置 hosts 文件也是可以的

别忘了配完后刷新 dns 缓存: ipconfig/flushdns

ssl证书脚本

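#!/bin/bash
# Generates a self-signed CA, a server certificate and a client certificate both signed by that
# CA (one CA for both sides, for simplicity), plus a PKCS#8 copy of the client key for Java.
# Abort on the first failing command so a half-written key/certificate set is never left behind.
set -euo pipefail

client_ip=192.168.1.3
# Output directory for all generated files
dir=/var/dlp/data/emqx/certs

sudo mkdir -p "$dir"

# Self-signed CA key and certificate
sudo openssl genrsa -out "$dir/ca.key" 2048
sudo openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 3650 -subj "/CN=www.emqx.io" -out "$dir/ca.pem"

# Server key and certificate. A subjectAltName is added at signing time: current TLS clients
# ignore CN and only match the certificate against its SANs, so a CN-only cert is rejected.
sudo openssl genrsa -out "$dir/server.key" 2048
sudo openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "/CN=127.0.0.1"
printf 'subjectAltName=IP:127.0.0.1\n' | sudo tee "$dir/server.ext" >/dev/null
sudo openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.pem" -days 3650 -sha256

# Client key and certificate (same SAN treatment, with the client's IP)
sudo openssl genrsa -out "$dir/client.key" 2048
sudo openssl req -new -key "$dir/client.key" -out "$dir/client.csr" -subj "/CN=$client_ip"
printf 'subjectAltName=IP:%s\n' "$client_ip" | sudo tee "$dir/client.ext" >/dev/null
sudo openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/client.ext" -out "$dir/client.pem" -days 3650 -sha256

# Convert the PKCS#1 client key to PKCS#8 (the format Java loads). -nocrypt: the copy is unencrypted.
sudo openssl pkcs8 -topk8 -inform PEM -in "$dir/client.key" -outform pem -nocrypt -out "$dir/pkcs8.pem"

# Private keys (including the unencrypted PKCS#8 copy) must not be world-readable; the original
# left them at the default mode. Change ownership to the account the broker/client runs as afterwards.
sudo chmod 600 "$dir/ca.key" "$dir/server.key" "$dir/client.key" "$dir/pkcs8.pem"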

某域名下ssl证书生成

> openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /usr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt
> Country Name (2 letter code) [AU]:CN
> State or Province Name (full name) [Some-State]:BEIJING
> Locality Name (eg, city) []:BEIJING
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mock
> Organizational Unit Name (eg, section) []:Mock
> # 注意此处必须是网站域名
> Common Name (e.g. server FQDN or YOUR name) []:
> Email Address []:a@

--with-http_ssl_module

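# Plain HTTP only redirects to HTTPS. The original kept this block commented out and put
# `listen 80` on the TLS server as well, so the site stayed reachable in clear text and the
# TLS settings below could simply be bypassed.
server {
    listen 80;
    server_name ip;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ip;

    ssl_certificate     /usr/local/nginx/ssl/server.crt;
    ssl_certificate_key /usr/local/nginx/ssl/server_nopass.key;   # passphrase-less key from step 2; keep it mode 600

    # TLS 1.0/1.1 are deprecated (RFC 8996) and are no longer offered; add TLSv1.3 once the
    # nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only. The previous list also admitted static-RSA and CBC suites
    # through the broad AES/HIGH aliases.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;       # server's cipher preference wins
    ssl_session_cache shared:SSL:10m;   # shared session cache size
    ssl_session_timeout 10m;            # session lifetime

    location / {
        root  /data/vue_admin/dist;
        index index.html index.htm;
        # CORS: '*' combined with Allow-Credentials is rejected by browsers, and would otherwise
        # let any origin make credentialed requests. PLACEHOLDER: set to the exact front-end origin.
        add_header 'Access-Control-Allow-Origin' 'https://frontend.example.invalid';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        try_files $uri $uri/ /index.html =404;   # SPA fallback to index.html
        send_timeout 600;
        # (The proxy_redirect/proxy_*_timeout directives that used to sit here were inert:
        #  this location has no proxy_pass.)
        client_max_body_size 1024m;   # 1 GiB upload limit on the static site; lower it if uploads only go through /api
    }

    location /api {
        proxy_pass http://192.168.3.101:8080;                         # upstream application
        proxy_set_header Host $host;                                  # original Host header (including port)
        proxy_set_header X-Real-IP $remote_addr;                      # client address
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # client address plus every intermediate proxy
        proxy_set_header X-Forwarded-Proto $scheme;                   # http or https as seen by the client
        #proxy_set_header REMOTE-HOST $remote_addr;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}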

Nginx与SpringBoot做Https认证

在SpringBoot的application.yml里面进行配置

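# Spring Boot (2.2+ property names) settings so Tomcat reads the X-Forwarded-* headers nginx sets
# and reports the client's real scheme, IP and port instead of the proxy's.
server:
  tomcat:
    remoteip:
      protocol-header: x-forwarded-proto
      remote-ip-header: x-forwarded-for
      port-header: X-Forwarded-Port        # belongs with the other remoteip.* keys (was under a 'remote' key)
      # NOTE(review): the headers are only trusted when the connection comes from an address in
      # internal-proxies, whose default covers loopback and the private ranges; if nginx talks to
      # Tomcat from another address, list it here — confirm against the deployment.
      # internal-proxies: <nginx address regex>
  # 'native' installs Tomcat's RemoteIpValve, which is what reads the headers above; with the
  # original 'none' they are ignored and the application still sees plain http.
  forward-headers-strategy: native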

或者application.properties:

# Spring Boot 2.0/2.1 form of the same settings: trust nginx's X-Forwarded-* headers so the
# application sees the client's scheme, IP and port. use-forward-headers enables Tomcat's
# RemoteIpValve, which reads the three headers named below.
server.use-forward-headers=true
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto
server.tomcat.port-header=X-Forwarded-Port

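# Plain-HTTP listener: only redirects to HTTPS. The original block was missing its closing brace,
# and its `location /` with a proxy_pass was unreachable — a server-level `rewrite ... permanent`
# answers with a 301 before any location is matched — so that block is dropped.
server {
    listen 80;
    server_name 172.168.1.149;
    # $server_name (not the client-supplied Host header) fixes the redirect target
    return 301 https://$server_name$request_uri;
}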

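server {
    listen 443 ssl;
    server_name 172.168.1.149;

    # Relative paths resolve against nginx's prefix directory
    ssl_certificate     ssl/server.crt;
    ssl_certificate_key ssl/server.key;
    # CA used to verify client certificates. Verification itself is only switched on by
    # ssl_verify_client; add `ssl_verify_client on;` if clients are meant to present
    # certificates issued by ca.crt, otherwise this directive has no effect here.
    ssl_client_certificate ssl/ca.crt;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # TLS 1.0/1.1 are deprecated (RFC 8996) and are no longer offered; add TLSv1.3 once the
    # nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only. The previous list also admitted static-RSA and CBC suites
    # through the broad AES/HIGH aliases.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://172.168.1.149:8080/api/test;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;   # client address plus intermediate proxies
        proxy_set_header X-Forwarded-Proto $scheme;                    # "https" on this listener
        proxy_set_header X-Forwarded-Port $server_port;                # port the client connected to
    }
}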
