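#!/usr/bin/env bash
# Build a private CA, a server certificate for nginx, and a client
# certificate (plus a PKCS#12 bundle) for browsers / other callers.
#
# Overridable via environment (defaults keep the original values):
#   SERVER_CN  - hostname or IP the server certificate is issued for
#   CLIENT_CN  - identity the client certificate is issued for
#   DAYS       - validity of every issued certificate, in days
set -euo pipefail

server_cn=${SERVER_CN:-192.168.2.129}
client_cn=${CLIENT_CN:-client_name}
# 36500 days (~100 years) is the original value. The nginx config that consumes
# these certs has no ssl_crl/OCSP, so a leaf that never expires can only be
# retired by replacing ca.crt; prefer a short DAYS and reissue.
days=${DAYS:-36500}
subj_prefix="/C=CN/ST=State/L=City/O=Organization/OU=Unit"

# Private keys must not be world-readable (nginx loads them as root at startup).
umask 077

# Extension files for the signing step: `openssl x509 -req` does not copy
# extensions from the CSR, so without these the server certificate has no
# subjectAltName. TLS clients (browsers included) match the requested host
# against SAN, not CN, so the certificate would be rejected even with the CA
# trusted. IP SANs need the IP: form, hostnames the DNS: form.
ext_dir=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
trap 'rm -rf -- "$ext_dir"' EXIT

if [[ "$server_cn" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  san="IP:$server_cn"
else
  san="DNS:$server_cn"
fi
printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" > "$ext_dir/server.ext"
printf 'extendedKeyUsage=clientAuth\n' > "$ext_dir/client.ext"

# --- CA ---
# CA private key. NOTE: written unencrypted; keep it off the nginx host. Add
# -aes256 to protect it with a passphrase (each signing step then prompts).
openssl genrsa -out ca.key 2048
# Self-signed CA root certificate.
openssl req -new -x509 -days "$days" -key ca.key -out ca.crt \
  -subj "$subj_prefix/CN=Root CA"

# --- server certificate (used by nginx) ---
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj "$subj_prefix/CN=$server_cn"
# Sign with the CA; -CAcreateserial creates ca.srl on first use and reuses it.
openssl x509 -req -days "$days" -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile "$ext_dir/server.ext" -out server.crt

# --- client certificate (browsers / other callers) ---
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "$subj_prefix/CN=$client_cn"
openssl x509 -req -days "$days" -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile "$ext_dir/client.ext" -out client.crt
# Bundle key + cert + CA as PKCS#12 for import into a browser or keystore;
# openssl prompts for the export password.
openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -certfile ca.crt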
nginx.conf配置
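events {
    worker_connections 1024;
}

http {
    # Backend the TLS-terminating server forwards to (plain HTTP).
    upstream gateway {
        server 192.168.1.111:8080 weight=1 max_fails=1 fail_timeout=30s;
    }

    # Send "Connection: upgrade" to the upstream only when the client actually
    # requested a protocol upgrade (WebSocket); the previous unconditional
    # 'upgrade' value was sent on every ordinary request as well.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen 443 ssl;
        # Server certificate and key issued by the private CA (ca.crt).
        ssl_certificate     /usr/local/nginx/nginx_cert/server.crt;
        ssl_certificate_key /usr/local/nginx/nginx_cert/server.key;
        # CA used to verify client certificates.
        ssl_client_certificate /usr/local/nginx/nginx_cert/ca.crt;
        # Require a client certificate signed by ca.crt (mutual TLS). Without
        # this directive nginx accepts any TLS client and the client
        # certificates generated for this setup are never checked. For a
        # staged rollout use "optional" and test $ssl_client_verify in the
        # location instead.
        ssl_verify_client on;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4;

        location / {
            proxy_redirect off;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # TLS terminates here; let the upstream know the original scheme.
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_pass http://gateway;
        }
    }
}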