Generate a self-signed certificate, hand it to the Nginx reverse proxy, and expose the business system externally over HTTPS.
1. Create the /opt/ssl directory;
2. Under /opt/ssl, create a file named openssl.cnf with the following contents:
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[ req_distinguished_name ]
C = CN
ST = GuangDong
L = GuangZhou
O = Leatop
OU = Pmhub
CN = 172.16.119.22

[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 172.16.119.22
3. Run the following command in /opt/ssl (a 10-year certificate validity is used as the example):
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt -config openssl.cnf -extensions v3_req
This produces the files server.crt and server.key.
4. Use the Nginx proxy:
Copy the generated server.crt and server.key into Nginx's conf directory and add the following to the Nginx configuration file:
server {
    listen 8081 ssl; # added for ssl
    server_name localhost_8082;
    server_name_in_redirect off;
    add_header 'Access-Control-Allow-Credentials' 'true';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    # certificate file paths
    ssl_certificate /etc/nginx/conf.d/server.crt; # added for ssl
    ssl_certificate_key /etc/nginx/conf.d/server.key; # added for ssl
    ssl_session_timeout 10m; # added for ssl
    ssl_session_cache shared:SSL:10m; # added for ssl
    ssl_protocols TLSv1.2 TLSv1.3; # added for ssl
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # added for ssl
    ssl_prefer_server_ciphers on; # added for ssl
    # other configuration omitted...
}
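The script below is an added example, not part of the original post: it reproduces steps 2 and 3 in a scratch directory and then verifies the points Nginx and browsers actually depend on (the IP in the SAN, the serverAuth key usage, and that server.crt and server.key belong to the same key) before the files are copied to the Nginx conf directory. It assumes the openssl CLI is installed; the IP defaults to the page's example address 172.16.119.22.

```shell
#!/bin/sh
# Added example, not from the original page: generate the self-signed cert
# from steps 2-3 into a scratch directory and check it before deployment.
# Assumes the openssl CLI is installed; the IP is the page's example address.
make_and_check_cert() {
    dir=$1
    ip=${2:-172.16.119.22}
    mkdir -p "$dir" || return 1
    # Same openssl.cnf as the page, with the IP substituted.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = CN
ST = GuangDong
L = GuangZhou
O = Leatop
OU = Pmhub
CN = $ip
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
IP.1 = $ip
EOF
    # Step 3 from the page: self-signed, 10-year validity.
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -config "$dir/openssl.cnf" -extensions v3_req 2>/dev/null || return 1
    text=$(openssl x509 -in "$dir/server.crt" -noout -text)
    # Browsers match the SAN, not the CN: the IP must appear there.
    echo "$text" | grep -q "IP Address:$ip" || return 1
    # Extended key usage must permit TLS server authentication.
    echo "$text" | grep -q "TLS Web Server Authentication" || return 1
    # Certificate and private key must share the same RSA modulus.
    crt_mod=$(openssl x509 -in "$dir/server.crt" -noout -modulus)
    key_mod=$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ] || return 1
    # The key is a secret: keep it readable by the Nginx owner only.
    chmod 600 "$dir/server.key" || return 1
    echo "ok: $dir/server.crt and server.key are consistent"
}
```

Apple platforms (Safari) reject TLS server certificates valid for more than 825 days, so the 3650-day validity used above will be refused by those clients; a shorter `-days` value avoids that.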