分类: Linux

提取jks证书配置Nginx使其支持https

证书配置在nginx上,对外提供https服务,内部和tomcat做反向代理走http,提取jks证书步骤如下:
提取jks证书(keytool命令安装jdk以后就默认安装了)
查看jks文件中的entry

keytool -list -keystore server.jks

查看是否有entries,如果有下个命令需要加 -srcalias 参数指定entry

转换jks文件为p12

keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -deststoretype PKCS12

查看新格式(pkcs12)证书库

keytool -deststoretype PKCS12 -keystore server.p12 -list

使用openssl提取证书并合并

openssl pkcs12 -in server.p12 -nokeys -clcerts -out server-ssl.crt
openssl pkcs12 -in server.p12 -nokeys -cacerts -out gs_intermediate_ca.crt

server-ssl.crt是SSL证书,gs_intermediate_ca.crt是中级证书,合并到一起才是nginx所需要的证书

cat server-ssl.crt gs_intermediate_ca.crt > server.crt

提取私钥及免密码

openssl pkcs12 -nocerts -nodes -in server.p12 -out server.key

避免重启是总是要输入私有key的密码

openssl rsa -in server.key -out server.key.unsecure

配置nginx


worker_processes  8;

error_log  logs/error.log  notice;

pid        logs/nginx.pid;


events {
    worker_connections  65535;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout 300;
    proxy_read_timeout 300;
    add_header Access-Control-Allow-Origin *;
    client_max_body_size    1000m;
    client_header_buffer_size 100m;
    large_client_header_buffers 4 102400k;
    set_real_ip_from  10.201.21.199;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;
    ssl_certificate   /etc/pki/cn/server.crt;
    ssl_certificate_key /etc/pki/cn/server.key;
    include gzip.conf;
    include apmweb_upstream.conf;


    server {
        listen       80;
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate   /etc/pki/cn/server.crt;
        ssl_certificate_key /etc/pki/cn/server.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 1d;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;

        #proxy_redirect http:// $scheme://;
        proxy_redirect ~^http://inamp.xxx.com/(.*)$  https://inamp.xxx.com/$1;

        port_in_redirect on;
        proxy_set_header Host $host:$server_port;
        #charset koi8-r;
        #access_log  logs/host.access.log  main;

        location / {
            root   /data/apm_static;
            index  index.html index.htm;
        }

       location ~*  ^/$ {
        rewrite ^/$ http://inamp.xxx.com/enrolment_web/enrolment/index.htm ;
       }

        include apmweb_tomcat.conf;

        error_page  404              /404.html;
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }


    }

}

apmweb_tomcat.conf内容

           location ~* ^/management_service.*$ {
           include deny.conf;

           proxy_pass http://apmserapp6300;
           include proxy.conf;

           error_log  logs/apm_management_service_error.log error;
           access_log  logs/apm_management_service_access.log  main;
       

apmweb_upstream.conf内容

    upstream apmwebapp6300 {
      server 10.101.1.160:6300 weight=1 max_fails=2 fail_timeout=10s;
      server 10.101.1.161:6300 weight=1 max_fails=2 fail_timeout=10s;
      server 10.101.1.162:6300 weight=1 max_fails=2 fail_timeout=10s;
    }
.......

gzip.conf

gzip on;
gzip_comp_level 2;
gzip_http_version 1.1;
gzip_proxied any;
gzip_min_length 1;
gzip_buffers 16 8k;
gzip_types text/plain text/css application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript application/jsp application/html application/htm;

相关文章

发表新评论