签证

  1. #!/usr/bin/env bash
  3. __main() {
  5.     _subj="/C=CN/ST=Zhejiang/L=Hangzhou/O=lwmacct/OU=universal domain name/CN=lwm.icu"
  6.     _openssl_conf=$(printf "[SAN]\nsubjectAltName=DNS:*.port.local.lwm.icu")
  7.     # ca
  8.     openssl genrsa -out ca.key 2048
  9.     openssl req -x509 -new -nodes -key ca.key -days 100000 -out ca.crt -subj "$_subj"
  11.     # 服务端
  12.     openssl genrsa -out server.key 2048                                                                                                                                                # 创建私钥
  13.     openssl req -new -key server.key -out server.csr -subj "$_subj" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(echo "$_openssl_conf"))                                          # 生成 csr
  14.     openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(echo "$_openssl_conf")) # 生成证书
  16.     # 客户端
  17.     openssl genrsa -out client.key 2048                                                                                                                                                # 创建私钥
  18.     openssl req -new -key client.key -out client.csr -subj "$_subj" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(echo "$_openssl_conf"))                                          # 生成 csr
  19.     openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(echo "$_openssl_conf")) # 生成证书
  21.     # 客户端公钥秘钥打包为 pfx
  22.     openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -passout pass:kuaicdn
  24. }
  26. __main

Nginx

  1. server {
  2.     listen 80;    #监听ipv4
  3.     server_name *.port.local.lwm.icu;    #虚拟主机域名
  4.     rewrite ^(.*)$ https://$host$1 permanent;    #rewrite跳转
  5. }
  7. server {
  8.     listen       443 ssl http2;
  9.     server_name ~^(?<port>\d+)\.port\.work\.kuaicdn\.cn$;
  11.     # access_log  /var/log/nginx/host.access.log  main;
  13.     ssl_verify_client on;
  14.     ssl_verify_depth 2;
  15.     ssl_client_certificate /etc/nginx/lwm.icu/openssl/ca.crt;
  17.     ssl_certificate /etc/nginx/lwm.icu/openssl/server.crt; #证书在conf文件同级;
  18.     ssl_certificate_key /etc/nginx/lwm.icu/openssl/openssl/server.key;
  19.     ssl_session_timeout 5m;
  20.     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  21.     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  22.     ssl_prefer_server_ciphers on;
  24.     location / {
  25.         proxy_pass http://$_ip:$port$request_uri;
  26.         proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
  27.         proxy_set_header Host $host;
  28.         proxy_http_version 1.1; 
  29.         proxy_set_header X-Real-IP $remote_addr;
  30.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  31.         proxy_set_header X-Forwarded-Proto https;
  32.         proxy_set_header Upgrade $http_upgrade;  
  33.         proxy_set_header Connection "upgrade"; 
  34.         proxy_set_header Origin "";
  35.     }
  37.     error_page   500 502 503 504  /50x.html;
  38.     location = /50x.html {
  39.         root   /usr/share/nginx/html;
  40.     }
  41. }