nginx自签SSL证书生成和配置

创建

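# Generate a private root CA and a server certificate signed by it, for use
# with the nginx ssl_certificate / ssl_certificate_key directives below.
# Inputs: none (all names are hard-coded). Outputs, in the current directory:
#   CA-private.key / CA-certificate.crt    -- the private root (keep the key off the web server)
#   private.key / private.csr / private.crt -- the server key, request and certificate
#   CA-certificate.srl                      -- serial file written by -CAcreateserial
set -eu

# 1. Private root CA. -nodes leaves CA-private.key unencrypted: anyone who
#    obtains it can mint certificates trusted by every host that installs
#    CA-certificate.crt (see the update-ca-certificates step), so restrict
#    its permissions and do not keep it on the nginx host.
#    -reqexts is a CSR-only option and was ignored by the original command.
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
  -subj "/C=CN/ST=SiChuan/L=ChengDu/O=ACS" \
  -keyout CA-private.key -out CA-certificate.crt -extensions v3_ca
chmod 600 CA-private.key

# 2. Server key and CSR. The CN is kept for old clients; modern clients
#    ignore it and match subjectAltName only, which is set via private.ext.
openssl genrsa -out private.key 2048
chmod 600 private.key
openssl req -new -key private.key -sha256 \
  -subj "/C=CN/ST=SiChuan/L=ChengDu/O=ACS/CN=secrets--manager.oss-cn-shanghai.aliyuncs.com" \
  -out private.csr

# 3. Extensions for the leaf certificate. `openssl x509 -req -extfile` reads
#    only the section named by -extensions, so the [req] and
#    [req_distinguished_name] sections of the original file were dead (they
#    also referenced a section `san` that did not exist -- section names are
#    case-sensitive -- and carried a misleading default_bits = 1024).
#    keyUsage is trimmed to what TLS needs; extendedKeyUsage limits the
#    certificate to server authentication.
cat > private.ext << 'EOF'
[SAN]
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:secrets--manager.oss-cn-shanghai.aliyuncs.com
EOF
# subjectAltName may hold DNS names and IPs: DNS:example.com,IP:192.168.1.1
# (comma separated). Every name a client connects with must be listed here.

# 4. Sign the CSR with the CA. Leaf validity is capped at 825 days: Apple
#    platforms reject longer-lived TLS server certificates, private CA or not.
openssl x509 -req -days 825 -sha256 \
  -in private.csr -CA CA-certificate.crt -CAkey CA-private.key -CAcreateserial \
  -extfile private.ext -extensions SAN -out private.crt

# 5. Check the chain and the SAN before copying anything into nginx.
openssl verify -CAfile CA-certificate.crt private.crt
openssl x509 -in private.crt -noout -text | grep -A1 'Subject Alternative Name'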

配置

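# HTTPS virtual host using the private-CA certificate generated above.
# Clients must trust CA-certificate.crt (see the update-ca-certificates step
# below), and the certificate's subjectAltName must match server_name.
server {
    listen 443 ssl;
    server_name secrets--manager.oss-cn-shanghai.aliyuncs.com;

    keepalive_timeout 65;
    # Generous request limits: 512 MiB bodies, 1 MiB header buffers and a
    # 5 minute body timeout. A slow client can hold these for a long time;
    # shrink them unless large uploads or headers are really required.
    client_max_body_size 512m;
    client_header_buffer_size 1024k;
    large_client_header_buffers 4 1024k;
    client_body_timeout 5m;

    ssl_certificate     "/etc/nginx/conf.d/ssl/private.crt";
    ssl_certificate_key "/etc/nginx/conf.d/ssl/private.key";   # keep mode 0600, owned by root
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the
    # original list; only 1.2 and 1.3 remain.
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites restricted to forward-secret AEAD ciphers. The original
    # "HIGH:!ADH:..." list also accepted static-RSA key exchange and CBC
    # suites. TLS 1.3 suites are not governed by ssl_ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Only takes effect if a fastcgi_pass is added; harmless otherwise.
    fastcgi_param HTTPS $https if_not_empty;

    # The Alt-Svc header advertising HTTP/3 was removed: this block has no
    # `listen 443 quic`, so clients would attempt QUIC on :443, fail and fall
    # back. Re-add both lines together once QUIC is actually served:
    #   listen 443 quic reuseport;
    #   add_header Alt-Svc 'h3=":443"; ma=86400';

    # Cross-origin isolation headers. The original spelled the names with a
    # digit zero ("Cross-0rigin-..."), so browsers ignored them. add_header
    # is inherited by a location only if that location defines no add_header
    # of its own.
    add_header Cross-Origin-Opener-Policy same-origin;
    add_header Cross-Origin-Embedder-Policy require-corp;

    location / {
        # If CORS add_header lines are restored here they replace (not extend)
        # the server-level add_header set for this location. Note also that
        # Access-Control-Allow-Origin "*" combined with
        # Access-Control-Allow-Credentials true is rejected by browsers.
        root /usr/share/nginx/html;
        index index.html;
    }

    # Static JSON with application settings, exact-match so that only this
    # path (not /mes-secrets-manager.json<suffix>) is served. "tokenKey" is
    # a credential-like value stored in plain text in this config and
    # returned, unauthenticated, to any client that can reach the vhost:
    # restrict read access to the config file and confirm the value is safe
    # to expose before deploying.
    location = /mes-secrets-manager.json {
        default_type application/json;
        return 200 '{"tokenKey":"UoeqTwLRGtZJug==","jksResourceName":"xxx-jwt.jks","jksName":"xxxx","jksAlias":"iyunware-oauth-jwt","authorizationKey":"","refreshTokenKey":"","platformKey":"","mapKey":""}';
    }
}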

将CA-certificate.crt复制到/usr/local/share/ca-certificates(这是 Debian/Ubuntu 的路径,文件名必须以 .crt 结尾);然后执行update-ca-certificates更新系统证书缓存。RHEL/CentOS 系列对应的做法是把文件放到 /etc/pki/ca-trust/source/anchors/ 后执行 update-ca-trust。注意:这样做会让该机器信任由 CA-private.key 签发的任何证书,因此 CA 私钥必须妥善保管,不要放在 Web 服务器上;另外部分浏览器(如 Firefox)自带独立证书库,不读取系统证书库,需要单独导入。

上面是我的配置示例