参考 https://blog.csdn.net/weixin_34296646/article/details/112642008

    工具地址 : https://github.com/square/certstrap

    1. chmod 777 certstrap
    2. # 要进行证书自签名,首先是生成一个自信任的CA认证证书。
    3. ./certstrap init --common-name "ca" --expires "20 years"
    5. ### 服务端证书
    6. # 首先创建CSR, 即证书签名请求
    7. ./certstrap request-cert -cn server -ip xxx.xxx.xxx.xxx
    9. # 生成CSR之后,通过刚刚生成的CA证书进行签名.
    10. ./certstrap sign server --CA ca
    11. 这样就完成了服务端证书的签名,签名后的证书就是:out/server.crt
    13. ### 客户端证书
    14. ./certstrap request-cert -cn client
    15. ./certstrap sign client --CA ca

    image.png
    (crt 改成pem即可)

    1. upstream imserver {
    2.     server 0.0.0.0:8088;
    3.     keepalive 32;
    4. }
    6. map $http_upgrade $connection_upgrade {
    7.     default upgrade;
    8.     ''      close;
    9. }
    11. server {
    12.     listen       80;
    13.     # 证书参数
    14.     listen       443 ssl;
    16.     # 证书参数
    17.        ssl_certificate      /etc/nginx/conf.d/ssl/server.crt;
    18.     ssl_certificate_key  /etc/nginx/conf.d/ssl/server.key;
    19.     # 证书参数
    20.     ssl on;
    21.     ssl_session_cache shared:SSL:50m;
    22.     ssl_session_timeout 300;
    23.     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    24.     ssl_ciphers HIGH:!aNULL:!MD5;
    25.     ssl_prefer_server_ciphers on;
    28.     server_name  im;
    29.     access_log logs/im.log;
    30.     error_log logs/im.error;
    32.     location =/ {  
    33.       auth_basic    "valid user";
    34.       auth_basic_user_file /etc/nginx/htpasswd.users;
    35.       proxy_pass http://imserver;
    36.     }
    39.     location ~ /api/v[0-9]+/(users/)?websocket$ {
    40.        proxy_set_header Upgrade $http_upgrade;
    41.        proxy_set_header Connection "upgrade";
    42.        client_max_body_size 50M;
    43.        proxy_set_header Host $http_host;
    44.        proxy_set_header X-Real-IP $remote_addr;
    45.        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    46.        proxy_set_header X-Forwarded-Proto $scheme;
    47.        proxy_set_header X-Frame-Options SAMEORIGIN;
    48.        proxy_buffers 256 16k;
    49.        proxy_buffer_size 16k;
    50.        proxy_read_timeout 600s;
    51.         proxy_pass http://imserver;
    52.    }
    54.    location ~ /api/v4/trial-license/prev {
    55.        proxy_set_header Upgrade $http_upgrade;
    56.        proxy_set_header Connection "upgrade";
    57.        client_max_body_size 50M;
    58.        proxy_set_header Host $http_host;
    59.        proxy_set_header X-Real-IP $remote_addr;
    60.        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    61.        proxy_set_header X-Forwarded-Proto $scheme;
    62.        proxy_set_header X-Frame-Options SAMEORIGIN;
    63.        proxy_buffers 256 16k;
    64.        proxy_buffer_size 16k;
    65.        proxy_read_timeout 600s;
    66.         proxy_pass http://imserver;
    67.    }
    70.     location / {
    71.       proxy_pass http://imserver;
    72.     }
    74. }