
nginx反代http转https访问

nginx反代http转https访问

生成证书

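#!/usr/bin/env bash
# Generate a self-signed server certificate for HOST (an IPv4 address or a
# DNS name) and print the nginx snippet that uses it.
#
# Usage:   cert_creat.sh HOST
# Outputs: HOST.key (unencrypted private key), HOST.origin.key (passphrase-
#          protected copy), HOST.csr, HOST.crt — all in the current directory.
#
# Bash (not /bin/sh) is required: the SAN extension is handed to openssl via
# process substitution, and the host type is detected with [[ =~ ]].
set -eu

usage() {
  printf 'Usage: %s HOST\n' "${0##*/}" >&2
  exit 2
}

[ "$#" -ge 1 ] || usage

HOST=$1
# Throwaway passphrase: the encrypted key is decrypted again in "Remove
# password" below, so it only protects HOST.origin.key. It is handed to openssl
# through the environment (env:PASSWORD) instead of argv, so it does not show
# up in `ps` output.
PASSWORD="123@Abc.com"
export PASSWORD
SUBJECT="/C=CN/ST=Hubei/L=Wuhan/O=GeoStar/CN=$HOST"

# subjectAltName must be present and must match the host as clients address it,
# otherwise the JDK's TLS hostname verification fails. Derive it from HOST so
# the SAN cannot drift from the CN: an IPv4 literal becomes IP:, anything else
# DNS:. Several entries may be listed comma-separated, e.g.
# subjectAltName=DNS:*.domain1.com,DNS:*.domain2.com
if [[ "$HOST" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  SAN="subjectAltName=IP:$HOST"
else
  SAN="subjectAltName=DNS:$HOST"
fi

echo "Create server key..."
openssl genrsa \
        -passout env:PASSWORD \
        -des3 \
        -out "$HOST.key" 4096

echo "Create server certificate signing request..."
openssl req \
        -passin env:PASSWORD \
        -new -subj "$SUBJECT" \
        -key "$HOST.key" \
        -out "$HOST.csr"

echo "Remove password..."
mv -- "$HOST.key" "$HOST.origin.key"
openssl rsa \
        -passin env:PASSWORD \
        -in "$HOST.origin.key" \
        -out "$HOST.key"

echo "Sign SSL certificate..."
# The key is unencrypted at this point, so no -passin is needed here.
openssl x509 -req \
        -days 3650 \
        -in "$HOST.csr" \
        -signkey "$HOST.key" \
        -out "$HOST.crt" \
        -extfile <(printf '%s\n' "$SAN")

echo "Change certificate mod to readonly"
# Only touch the files this script produced (a bare `chmod ./*` would also
# change every other file in the working directory). Private keys are kept
# owner-only; the certificate and CSR are public material.
chmod 0400 -- "$HOST.key" "$HOST.origin.key"
chmod 0444 -- "$HOST.csr" "$HOST.crt"

echo "Example TODO:"
echo "Copy $HOST.crt to /etc/nginx/ssl/$HOST.crt"
echo "Copy $HOST.key to /etc/nginx/ssl/$HOST.key"
echo "Add configuration in nginx:"
echo "server {"
echo "    ..."
echo "    listen 443 ssl;"
echo "    ssl_certificate     /etc/nginx/ssl/$HOST.crt;"
echo "    ssl_certificate_key /etc/nginx/ssl/$HOST.key;"
echo "}"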
# -x traces every expanded command to stderr, including the passphrase value
# used for the key; use it only while debugging the script.
bash -x cert_creat.sh 172.15.110.34

配置openresty

server {
    # ... other directives omitted ...
    # TLS on 9010. The certificate's subjectAltName must contain this IP,
    # otherwise JDK clients reject the connection (see the generator script).
    listen              9010 ssl;
    server_name         172.15.110.34;
    ssl_certificate     /etc/nginx/ssl/172.15.110.34.crt;
    ssl_certificate_key /etc/nginx/ssl/172.15.110.34.key;
    # 497 is nginx's code for a plain-HTTP request arriving on the SSL port;
    # send the client to the same URL over https. 307 preserves the request
    # method, so a POST is not downgraded to GET on redirect.
    error_page          497 307 https://$host:$server_port$request_uri;
    # Rewrite absolute http:// self-references in every response body (all
    # MIME types, every occurrence) so clients never fall back to plain HTTP.
    # NOTE(review): sub_filter only operates on uncompressed bodies — if the
    # upstream gzips its responses, also send it `proxy_set_header Accept-Encoding "";`.
    sub_filter_types    *;
    sub_filter_once     off;
    sub_filter          'http://172.15.110.34:9010' 'https://172.15.110.34:9010';
    # ... other directives omitted ...
}

配置应用

# Add the nginx certificate to the JDK trust store so Java clients accept it.
# The alias is only a label used to find (or later delete) this entry.
# "changeit" is the JDK's default cacerts password; -keypass is not needed for
# a trusted-certificate entry but does no harm.
keytool -importcert -noprompt -trustcacerts \
        -alias 172.15.110.34 \
        -file /root/172.15.110.34.crt \
        -keystore "$JAVA_HOME/lib/security/cacerts" \
        -storepass changeit -keypass changeit
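# Verify that the entry was added (keytool prints the alias, the date and
# "trustedCertEntry"). -F matches the address literally; without it the dots
# are regex metacharacters and "172x15x110x34" would match too.
keytool -list \
        -keystore "$JAVA_HOME/lib/security/cacerts" \
        -storepass changeit \
        | grep -F -- 172.15.110.34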
# To replace the certificate, delete the entry by its alias and rerun the
# import above.
keytool -delete -alias 172.15.110.34 \
        -storepass changeit \
        -keystore "$JAVA_HOME/lib/security/cacerts"

最后将应用的调用地址改为 https，重启应用使配置生效即可。