nginx 配置
Nginx 配置使用pem 格式 证书
1、ssl_certificate 配置服务器证书
2、ssl_certificate_key配置服务器私钥
3、ssl_client_certificate 配置 颁发证书的CA机构的 根证书+中间证书
# HTTPS server
#
server {
listen 443 ssl;
server_name localhost;
#ssl_certificate /opt/homebrew/etc/nginx/certs/pki-test/server.crt; #server公钥证书
#ssl_certificate_key /opt/homebrew/etc/nginx/certs/pki-test/server.key; #server私钥
#ssl_client_certificate /opt/homebrew/etc/nginx/certs/pki-test/chain-ca.crt; #根证书,可以验证所有它颁发的客户端证书
#ssl_verify_client on; #开启客户端证书验证
ssl_certificate /opt/homebrew/etc/nginx/certs/devops-certs/devops.pem; #server公钥证书
ssl_certificate_key /opt/homebrew/etc/nginx/certs/devops-certs/server-pem.pem; #server私钥
ssl_client_certificate /opt/homebrew/etc/nginx/certs/devops-certs/devops-chain.pem; #根证书+中间证书,可以验证所有它颁发的客户端证书
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_verify_client on; #双向认证
ssl_verify_depth 3; #指定双向认证客户端证书到根证书的深度,默认是1
#ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers HIGH:!aNULL:!MD5;
#ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
include servers/*;
}
验证
本地配置host
127.0.0.1 devops.xxx.com
证书配置泛域名和IP
[ alt_names ]
DNS.1 = *.xxx.com
DNS.2 = *.xxx-inc.com
DNS.3 = *.api.xxx.com
DNS.4 = *.devops.xxx-inc.com
DNS.5 = *.secure-dev.xxx-inc.com
IP.1 = 1xx.xxx.xxx.155
curl --insecure --key /opt/homebrew/etc/nginx/certs/devops-certs/secure-server.key --cert /opt/homebrew/etc/nginx/certs/devops-certs/secure.crt -v https://devops.xxx.com
网友评论