Generating the crt certificate and key
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = cn
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = sc
localityName = Locality Name (eg, city)
localityName_default = cd
organizationName = Organization Name (eg, company)
organizationName_default = my
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = as
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = hy.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
IP.1 = 127.0.0.1
DNS.1 = *
DNS.2 = 127.0.0.1
This config file serves two purposes: the fields entered at generation time are identical on every run, and the IP the certificate is issued for can be changed at will.
Note that IP and DNS entries must be configured in pairs.
openssl genrsa -out server.key 2048
The CSR can be generated with the config file created above or without it; the config is then used again at the end, when the crt file is generated.
Using the config:
openssl req -new -nodes -out server.csr -key server.key -config config.conf
Without the config:
openssl req -new -nodes -out server.csr -key server.key
The next step is a bat script. Each time a certificate is to be issued for a different IP, edit config.conf and simply run the bat file again.
@echo off
REM Ask before issuing; the prompt reads "Continue? [Y/N]:"
set /p ok=是否继续[Y/N]:
REM Accept a lowercase y as well
if "%ok%"=="y" (
    set ok=Y
)
if "%ok%"=="Y" (
    REM /d also switches drive when the script lives on a different drive than the current directory
    cd /d %~dp0
    REM Self-sign the CSR for 10 years; -extfile/-extensions copy the SAN from the req_ext section of config.conf
    C:/OpenSSL-Win64/bin/openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt -extfile config.conf -extensions req_ext
    pause
)
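The whole procedure above (config file, key, CSR, self-signed crt with the SAN taken from req_ext) as an added shell script for Linux or macOS; it is an added example, not the post's own script. It departs from the post in three labelled places: prompt = no makes openssl req non-interactive (the post relies on the *_default prompts), the DNS entry is a concrete hostname instead of the post's bare "*" (browsers do not accept a lone "*" as a wildcard), and the output directory, IP and hostname are sample values passed as arguments. Browsers match a URL whose host is an IP address against the IP entries of the SAN, so for https://127.0.0.1 it is the IP.1 line that has to be right.

```shell
#!/bin/sh
# Added example (not the post's script): the post's procedure on Linux/macOS.
# Writes config.conf, server.key, server.csr and server.crt into a directory.
set -eu

# Step 0: write the request config. Same sections as the post's config.conf, with
# "prompt = no" so openssl req reads the values from the file instead of asking
# (the post uses interactive prompts with *_default values). Values are samples.
write_req_config() { # $1 = config path, $2 = IP for the SAN, $3 = DNS name for the SAN
    cat > "$1" <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = sc
localityName = cd
organizationName = my
organizationalUnitName = as
commonName = $3

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
IP.1 = $2
DNS.1 = $3
EOF
}

# Step 1: private key, the post's "openssl genrsa -out server.key 2048". Because the
# key is created here, default_bits in the config is not used.
make_key() { # $1 = key path
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Step 2: CSR from the config (the post's "using config" variant).
make_csr() { # $1 = key path, $2 = csr path, $3 = config path
    openssl req -new -nodes -key "$1" -out "$2" -config "$3"
}

# Step 3: self-sign for 10 years. -extfile/-extensions copy the SAN from req_ext;
# without them "x509 -req" does not carry the CSR's extensions into the certificate.
sign_cert() { # $1 = csr path, $2 = key path, $3 = cert path, $4 = config path
    openssl x509 -req -days 3650 -in "$1" -signkey "$2" -out "$3" \
        -extfile "$4" -extensions req_ext 2>/dev/null
}

# Print the SAN line of a certificate, e.g. "IP Address:127.0.0.1, DNS:hy.com".
cert_san() { # $1 = cert path
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

issue_cert() { # $1 = output dir, $2 = SAN IP, $3 = SAN DNS name
    mkdir -p "$1"
    write_req_config "$1/config.conf" "$2" "$3"
    make_key "$1/server.key"
    make_csr "$1/server.key" "$1/server.csr" "$1/config.conf"
    sign_cert "$1/server.csr" "$1/server.key" "$1/server.crt" "$1/config.conf"
}

# Usage: sh issue_cert.sh ./httpsConfig 127.0.0.1 hy.com   (all three arguments optional)
OUT_DIR=${1:-$(mktemp -d)}
issue_cert "$OUT_DIR" "${2:-127.0.0.1}" "${3:-hy.com}"
echo "Issued $OUT_DIR/server.crt with SAN: $(cert_san "$OUT_DIR/server.crt")"
```

Running it with ./httpsConfig as the first argument drops server.key and server.crt where the nginx section below expects them; the SAN line printed at the end is the thing to check before copying the files, since a certificate whose IP entry does not match the address in the browser's URL bar is rejected no matter how the rest of it looks.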
Configuring NGINX
Create a folder named httpsConfig in nginx's conf directory and put the two files generated above (server.crt and server.key) in it:
If the IP changes later, just replace the files in this folder.
The NGINX configuration is shown below.
#user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    # Map the client's Upgrade header to the Connection header sent upstream:
    # "upgrade" for WebSocket handshakes, "close" for ordinary requests.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen 443 ssl;
        server_name 127.0.0.1;

        # the two files generated above, placed in conf/httpsConfig
        ssl_certificate httpsConfig/server.crt;
        ssl_certificate_key httpsConfig/server.key;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        #charset koi8-r;
        #access_log logs/host.access.log main;

        location /map/ {
            alias googlemaps/roadmap/;
        }

        # HTTP: ordinary nginx reverse-proxy rules; the frontend connects over https as usual
        location / {
            root html;
            index index.html index.htm;
            proxy_pass http://127.0.0.1:12345;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            # use the map above so plain requests are not sent upstream with "Connection: upgrade"
            proxy_set_header Connection $connection_upgrade;
            client_max_body_size 22m;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_redirect http:// $scheme://;
        }

        # WebSocket: proxied by nginx using the plain HTTP upgrade handshake upstream; the frontend connects with wss
        location /MyWebSocket/websocket {
            root html;
            index index.html index.htm;
            proxy_pass http://127.0.0.1:12346/MyWebSocket/websocket;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
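Before reloading nginx after swapping the files in httpsConfig, it is worth confirming that server.key really belongs to server.crt, that the SAN covers the address clients will type, and that the certificate is not about to expire: a mismatched pair makes nginx refuse to start, and a missing SAN entry gives every browser a certificate warning. The checks below are an added shell example, not part of the original post or of nginx; check_pair takes the httpsConfig directory and the host as arguments, and the directory path and host values are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): pre-reload checks for nginx's httpsConfig pair.
# Assumes the layout from the post: <dir>/server.crt and <dir>/server.key.
set -eu

# 1. Does server.key belong to server.crt? Compare SHA-256 of the DER public key
#    taken from each; nginx refuses to start when they differ.
key_matches_cert() { # $1 = cert path, $2 = key path
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# 2. Is the host clients will use covered by the SAN? Browsers match an IP host
#    only against "IP Address:" entries and a name only against "DNS:" entries.
san_covers() { # $1 = cert path, $2 = host (IPv4 address or DNS name)
    san=$(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//')
    case "$2" in
        *[!0-9.]*) entry="DNS:$2" ;;          # anything but dotted digits: a DNS name
        *)         entry="IP Address:$2" ;;   # dotted digits: an IPv4 address
    esac
    # Surround with ", " so "IP Address:10.0.0.1" does not match "IP Address:10.0.0.10".
    case ", $san, " in
        *", $entry, "*) return 0 ;;
        *)              return 1 ;;
    esac
}

# 3. Does the certificate stay valid for at least another day (86400 s)?
not_expiring() { # $1 = cert path
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null
}

check_pair() { # $1 = httpsConfig directory, $2 = host clients will connect to
    key_matches_cert "$1/server.crt" "$1/server.key" || { echo "FAIL: server.key does not match server.crt"; return 1; }
    san_covers "$1/server.crt" "$2"                  || { echo "FAIL: SAN of server.crt does not cover $2"; return 1; }
    not_expiring "$1/server.crt"                     || { echo "FAIL: server.crt expires within 24 hours"; return 1; }
    echo "OK: $1 is ready for https://$2"
}

# Usage: sh check_pair.sh /path/to/nginx/conf/httpsConfig 127.0.0.1
if [ "$#" -ge 2 ]; then
    check_pair "$1" "$2"
fi
```

The host argument should be exactly what the frontend puts in its https:// and wss:// URLs; with the server_name above that is 127.0.0.1, which only an IP entry in the SAN satisfies.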