In enterprise custom projects the network is usually the company intranet. SSL transport encryption has to be enabled to access the system, but there is only an IP address, with no domain name and no certificate. For this situation 多可 offers a free, workable approach: generate a free certificate with OpenSSL. Browsers will flag a certificate generated this way as not secure, but it can still be used. The steps are as follows:
1. Install OpenSSL
Issuing certificates with OpenSSL requires the OpenSSL program and libraries. CentOS, Ubuntu and similar systems normally ship them; run openssl to confirm. If it reports openssl: command not found, install it manually. This article uses openEuler as the example:

```shell
yum install openssl openssl-devel -y
```
2. Create the script file cert-gen.sh with the following content

```bash
#!/bin/bash
# cert-gen.sh: create a private CA and a CA-signed server certificate for an intranet host
set -e
IP=192.168.1.12
DOMAIN=dyhy.com
# IP=$(ip addr | awk '/inet.*global/ {print gensub(/(.*)\/(.*)/, "\\1", "g", $2)}' | head -n 1) # IP of the current node
DATE=3650   # validity period in days
echo "IP is ${IP}"
rm -rf "${DOMAIN}" ca.key ca.csr ca.crt ca.srl
mkdir "${DOMAIN}"

# Generate the CA root certificate
## Prepare the CA config file, producing ca.conf
cat > "${DOMAIN}/ca.conf" << EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = BeiJing
localityName = Locality Name (eg, city)
localityName_default = BeiJing
organizationName = Organization Name (eg, company)
organizationName_default = dyhy
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = dyhy CA Center
[ v3_ca ]
# mark the root as a CA so that clients accept it as a trust anchor
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
## Generate the CA private key, producing ca.key
openssl genrsa -out ca.key 4096
## Generate the CA certificate signing request, producing ca.csr
openssl req -new -subj "/C=CN/ST=BeiJing/L=BeiJing/O=dyhy/CN=dyhy CA Center" -sha256 -out ca.csr -key ca.key -config "${DOMAIN}/ca.conf"
## Self-sign the CA root certificate, producing ca.crt
openssl x509 -req -days "${DATE}" -sha256 -in ca.csr -signkey ca.key -out ca.crt -extensions v3_ca -extfile "${DOMAIN}/ca.conf"

# Generate the end-entity (server) certificate
## Prepare the config file, producing server.conf (the unquoted heredoc expands ${DOMAIN} and ${IP})
cat > "${DOMAIN}/server.conf" << EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = BeiJing
localityName = Locality Name (eg, city)
localityName_default = BeiJing
organizationName = Organization Name (eg, company)
organizationName_default = dyhy
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = ${DOMAIN}
[ req_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
# browsers match the host name and the IP against subjectAltName, not against CN;
# the IP goes in as an IP entry, not as a DNS entry
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ${DOMAIN}
IP.1 = ${IP}
EOF
## Generate the server private key, producing server.key
openssl genrsa -out server.key 2048
## Generate the certificate signing request, producing server.csr
openssl req -new -subj "/C=CN/ST=BeiJing/L=BeiJing/O=dyhy/CN=${DOMAIN}" -sha256 -out server.csr -key server.key -config "${DOMAIN}/server.conf"
## Sign the server certificate with the CA, producing server.crt
openssl x509 -req -days "${DATE}" -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt -extensions req_ext -extfile "${DOMAIN}/server.conf"
```

Then make it executable with chmod +x cert-gen.sh
3. Run the cert-gen.sh script to generate the certificates
4. Configure HTTPS in Nginx

```nginx
# HTTPS configuration
server {
    listen 443 ssl;
    server_name dyhy.com;
    root /var/app/dyhy/dist;                    # location of the static files
    index index.html index.htm;                 # default page
    ssl_certificate /var/cret/server.crt;       # certificate
    ssl_certificate_key /var/cret/server.key;   # private key
    ssl_protocols TLSv1.2 TLSv1.3;              # only current protocol versions
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # Proxy the HTTP API: a page served over HTTPS cannot call a plain-HTTP API directly
    # (the browser blocks it as mixed content), so nginx forwards the requests
    location /apis/ {
        proxy_pass http://xxx.xxx.xx.xx:xxxx/api/;
    }
}
# Redirect plain HTTP to HTTPS automatically
server {
    listen 80;
    server_name dyhy.com;
    return 301 https://dyhy.com$request_uri;
}
```
5. Access verification
The example below accesses the site by domain name. First add a hosts entry on the client (127.0.0.1 dyhy.com), then open https://dyhy.com in Chrome; the result is a "connection is not secure" warning.
This happens because our certificate is not trusted by the operating system. You can click through the warning manually, but it is better to install the certificate once and for all: import the CA certificate ca.crt (the root that signed server.crt) into the system's trusted root certificate store (on Windows, "Run" -> "certmgr.msc" shows the currently installed certificates).
Close Chrome, reopen it and visit the site again; everything now works normally.
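The browser check above only tells you that a warning appeared or did not. The script below, added here and not part of the original post, runs the checks a browser applies (chain to the CA, SAN entries, host name and IP matching, CA:TRUE on the root) against a ca.crt/server.crt pair, and exercises them on a throwaway pair built in a temp directory. It assumes the openssl CLI (1.1.1 or newer, for x509 -ext) is on PATH; dyhy.com and 192.168.1.12 are the post's sample values, and "demo CA" and the temp files are constructed for the demo.

```bash
# check_cert CA_CRT SERVER_CRT DNS_NAME IP -> returns 0 only if every check passes
check_cert() {
  local ca="$1" crt="$2" name="$3" ip="$4" san
  # 1. the leaf must chain to the private CA that will be installed on the clients
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
  # 2. browsers match against subjectAltName and ignore CN, so both entries must exist
  san=$(openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null)
  case "$san" in *"DNS:$name"*) ;; *) echo "SAN: DNS:$name missing"; return 1 ;; esac
  case "$san" in *"IP Address:$ip"*) ;; *) echo "SAN: IP:$ip missing"; return 1 ;; esac
  # 3. name and IP matching exactly as a TLS client performs it
  openssl verify -CAfile "$ca" -verify_hostname "$name" "$crt" >/dev/null 2>&1 || { echo "hostname: FAIL"; return 1; }
  openssl verify -CAfile "$ca" -verify_ip "$ip" "$crt" >/dev/null 2>&1 || { echo "ip: FAIL"; return 1; }
  # 4. the root must carry CA:TRUE, or some verifiers refuse it as a trust anchor
  openssl x509 -in "$ca" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE' || { echo "ca: CA:TRUE missing"; return 1; }
}
# make_demo_pair DIR: 30-day demo CA plus a server cert for dyhy.com / 192.168.1.12 (constructed)
make_demo_pair() {
  local d="$1"
  cat > "$d/demo.cnf" << EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:dyhy.com, IP:192.168.1.12
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=demo CA" -keyout "$d/ca.key" \
    -out "$d/ca.crt" -config "$d/demo.cnf" -extensions ca_ext 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=dyhy.com" -keyout "$d/server.key" \
    -out "$d/server.csr" -config "$d/demo.cnf" 2>/dev/null
  openssl x509 -req -days 30 -sha256 -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial -in "$d/server.csr" \
    -out "$d/server.crt" -extfile "$d/demo.cnf" -extensions server_ext 2>/dev/null
}
# run_demo: 0 when the demo pair passes and the leaf is rejected when checked against the wrong CA
run_demo() {
  local d; d=$(mktemp -d)
  make_demo_pair "$d"
  check_cert "$d/ca.crt" "$d/server.crt" dyhy.com 192.168.1.12 || return 1
  ! check_cert "$d/server.crt" "$d/server.crt" dyhy.com 192.168.1.12 >/dev/null || return 1
  rm -rf "$d"
}
```

To check the files produced by cert-gen.sh instead, call check_cert ca.crt server.crt dyhy.com 192.168.1.12 from the directory where the script ran.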