使用 OpenSSL 创建自签名证书

# Directory that will hold the key/CSR/cert; it is the path referenced by
# ssl_certificate / ssl_certificate_key in the nginx server block below.
# The openssl commands that follow use relative file names and are run from
# inside this directory (the transcript prompt ends in "cert]#").
mkdir -p /etc/nginx/conf.d/cert

#2、创建私钥

# Generate the RSA private key. -des3 encrypts the key file with a pass phrase
# (prompted interactively, must be 4..1023 characters); the pass phrase is
# stripped again in step 4 so nginx can load the key without a prompt.
# NOTE(review): 1024-bit RSA is below the 2048-bit minimum generally
# recommended today; use 2048 or larger for anything beyond a lab setup.
openssl genrsa -des3 -out https.key 1024

提示输入口令（pass phrase）：

输入口令：rancher

[root@ocean-app-1a-01 cert]# openssl genrsa -des3 -out https.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for https.key:
139880595519376:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters
Enter pass phrase for https.key:
Verifying - Enter pass phrase for https.key:

#3、创建签名请求证书

openssl req -new -key https.key -out https.csr

###

[root@ocean-app-1a-01 cert]# openssl req -new -key https.key -out https.csr
Enter pass phrase for https.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:rancher
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:rancher
An optional company name []:

注意：上面 Common Name 留空，生成的证书不会包含下面 nginx 配置中的 server_name（linking-rancher.di.bigdata），客户端按主机名校验时会不匹配；正式使用时应填写主机名（或改用 SAN 扩展）。

#4、在加载SSL支持的Nginx并使用上述私钥时除去必需的口令

$ cp https.key https.key.org
$ openssl rsa -in https.key.org -out https.key   ## 输入 rancher

[root@ocean-app-1a-01 cert]# openssl rsa -in https.key.org -out https.key   ## 输入 rancher
Enter pass phrase for https.key.org:
writing RSA key

注意：去掉口令后 https.key 是明文私钥，应限制文件权限（如仅 root 可读），带口令的 https.key.org 也不要留在 web 可访问的目录中。

#5、最后标记证书使用上述私钥和CSR和有效期

openssl x509 -req -days 365 -in https.csr -signkey https.key -out https.crt

[root@ocean-app-1a-01 cert]# openssl x509 -req -days 365 -in https.csr -signkey https.key -out https.crt
Signature ok
subject=/C=CN/ST=BJ/L=beijing/O=Default Company Ltd
Getting Private key

#6、nginx添加配置如下:

#### 示例

server {
    listen 443 ssl;   #监听443端口
    server_name linking-rancher.di.bigdata;
    ssl_certificate /etc/nginx/conf.d/cert/https.crt;
    ssl_certificate_key /etc/nginx/conf.d/cert/https.key;
    ssl_session_timeout 5m;

    #charset koi8-r;
    #access_log /var/log/nginx/host.access.log main;

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Accept-Encoding 'gzip';
        ##配置使wss协议生效
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        client_max_body_size 2G;
        proxy_pass https://rancher;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

#### 实际配置

server {
    listen 443 ssl;
    server_name linking-rancher.di.bigdata;
    ssl_certificate /etc/nginx/conf.d/cert/https.crt;
    ssl_certificate_key /etc/nginx/conf.d/cert/https.key;
    ssl_session_timeout 5m;

    location / {
        proxy_pass https://rancher;
        proxy_redirect off;
        ##配置使wss协议生效
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        #下面的参数取决于环境需要
        #后端的Web服务器可以通过X-Forwarded-For获取用户真实IP
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 2G;   #允许客户端请求的最大单文件字节数
        client_body_buffer_size 512k;   #缓冲区代理缓冲用户端请求的最大字节数
        proxy_connect_timeout 300;   #nginx跟后端服务器连接超时时间(代理连接超时)
        proxy_send_timeout 300;   #后端服务器数据回传时间(代理发送超时)
        proxy_read_timeout 300;   #连接成功后,后端服务器响应时间(代理接收超时)
        proxy_buffer_size 4k;   #设置代理服务器(nginx)保存用户头信息的缓冲区大小
        proxy_buffers 4 32k;   #proxy_buffers缓冲区,网页平均在32k以下的话,这样设置
        proxy_busy_buffers_size 64k;   #高负荷下缓冲大小(proxy_buffers*2)
        proxy_temp_file_write_size 64k;   #设定缓存文件夹大小
        fastcgi_buffer_size 128k;
        fastcgi_buffers 8 128k;
        fastcgi_busy_buffers_size 128k;
        fastcgi_temp_file_write_size 128k;
    }

    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

#### 8443 是自动部署rancher 暴露的端口 https协议

upstream rancher{
    server 10.0.0.24:8443;
    server 10.0.0.24:8080;
}

注意：proxy_pass 使用的是 https://，而 upstream 里除了 8443 还列出了 10.0.0.24:8080；如果 8080 只提供明文 HTTP，转发到该节点时 TLS 握手会失败，请先确认该端口的协议。另外 Nginx 默认不校验后端证书（proxy_ssl_verify 默认为 off），后端不在受控内网时应按需开启并配置 proxy_ssl_trusted_certificate。
