使用 OpenSSL 创建自签名证书

mkdir -p /etc/nginx/conf.d/cert

#2、创建私钥

openssl genrsa -des3 -out https.key 1024

提示输入字符：

输入字符：rancher

root@ocean-app-1a-01 cert\]# openssl genrsa -des3 -out https.key 1024 Generating RSA private key, 1024 bit long modulus ...++++++ ...++++++ e is 65537 (0x10001) Enter pass phrase for https.key: 139880595519376:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters Enter pass phrase for https.key: Verifying - Enter pass phrase for https.key: #3、创建签名请求证书 openssl req -new -key https.key -out https.csr ### \[root@ocean-app-1a-01 cert\]# openssl req -new -key https.key -out https.csr Enter pass phrase for https.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) \[XX\]:rancher string is too long, it needs to be less than 2 bytes long Country Name (2 letter code) \[XX\]:CN State or Province Name (full name) \[\]:BJ Locality Name (eg, city) \[Default City\]:beijing Organization Name (eg, company) \[Default Company Ltd\]: Organizational Unit Name (eg, section) \[\]: Common Name (eg, your name or your server's hostname) \[\]: Email Address \[\]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password \[\]:rancher An optional company name \[\]: #4、在加载SSL支持的Nginx并使用上述私钥时除去必须的口令 $ cp https.key https.key.org $ openssl rsa -in https.key.org -out https.key ## 输入 rancher \[root@ocean-app-1a-01 cert\]# openssl rsa -in https.key.org -out https.key ## 输入 rancher Enter pass phrase for https.key.org: writing RSA key #5、最后标记证书使用上述私钥和CSR和有效期 openssl x509 -req -days 365 -in https.csr -signkey https.key -out https.crt \[root@ocean-app-1a-01 cert\]# openssl x509 -req -days 365 -in https.csr -signkey https.key -out https.crt Signature ok subject=/C=CN/ST=BJ/L=beijing/O=Default Company Ltd Getting Private key #6、nginx添加配置如下： #### 示例 server { listen 443 ssl; #监听443端口 server_name linking-rancher.di.bigdata; ssl_certificate /etc/nginx/conf.d/cert/https.crt; ssl_certificate_key /etc/nginx/conf.d/cert/https.key; ssl_session_timeout 5m; #charset koi8-r; #access_log /var/log/nginx/host.access.log main; location / { proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Accept-Encoding 'gzip'; ##配置使wss协议生效 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; client_max_body_size 2G; proxy_pass https://rancher; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } #### 实际配置 server { listen 443 ssl; server_name linking-rancher.di.bigdata; ssl_certificate /etc/nginx/conf.d/cert/https.crt; ssl_certificate_key /etc/nginx/conf.d/cert/https.key; ssl_session_timeout 5m; location / { proxy_pass https://rancher; proxy_redirect off; ##配置使wss协议生效 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; #下面的参数取决环境需要 #后端的Web服务器可以通过X-Forwarded-For获取用户真实IP proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; client_max_body_size 2G; #允许客户端请求的最大单文件字节数 client_body_buffer_size 512k; #缓冲区代理缓冲用户端请求的最大字节数 proxy_connect_timeout 300; #nginx跟后端服务器连接超时时间(代理连接超时) proxy_send_timeout 300; #后端服务器数据回传时间(代理发送超时) proxy_read_timeout 300; #连接成功后，后端服务器响应时间(代理接收超时) proxy_buffer_size 4k; #设置代理服务器（nginx）保存用户头信息的缓冲区大小 proxy_buffers 4 32k; #proxy_buffers缓冲区，网页平均在32k以下的话，这样设置 proxy_busy_buffers_size 64k; #高负荷下缓冲大小（proxy_buffers*2） proxy_temp_file_write_size 64k; #设定缓存文件夹大小 fastcgi_buffer_size 128k; fastcgi_buffers 8 128k; fastcgi_busy_buffers_size 128k; fastcgi_temp_file_write_size 128k; } location = /50x.html { root /usr/share/nginx/html; } } #### 8443 是自动部署rancher 暴露的端口 https协议 upstream rancher{ server 10.0.0.24:8443; server 10.0.0.24:8080; }