ca 自签名证书 并实现HAProxy https功能
2016-12-16 15:12
375 查看
mkdir /etc/ssl/xip.io [root@ha02 haproxy-1.4.26]# openssl genrsa -out /etc/ssl/xip.io/xip.io.key 1024 Generating RSA private key, 1024 bit long modulus ........++++++ ...........++++++ e is 65537 (0x10001) [root@ha02 haproxy-1.4.26]# openssl req -new -key /etc/ssl/xip.io/xip.io.key -out /etc/ssl/xip.io/xip.io.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN #国家代码 State or Province Name (full name) []:china #省 Locality Name (eg, city) [Default City]:beijing #市 Organization Name (eg, company) [Default Company Ltd]:iseastar #公司名称 Organizational Unit Name (eg, section) []:iseastar #可以不写 Common Name (eg, your name or your server's hostname) []:iseastar #可以不写 Email Address []: #邮箱地址 Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:
[root@ha02 haproxy-1.4.26]# openssl x509 -req -days 365 -in /etc/ssl/xip.io/xip.io.csr -signkey /etc/ssl/xip.io/xip.io.key -out /etc/ssl/xip.io/xip.io.crt Signature ok subject=/C=CN/ST=china/L=beijing/O=iseastar/OU=iseastar/CN=iseastar Getting Private key
这样就生成了下面的三个文件:
[root@ha02 haproxy-1.4.26]# tree /etc/ssl/xip.io/ /etc/ssl/xip.io/ ├── xip.io.crt ├── xip.io.csr └── xip.io.key 0 directories, 3 files
在创建了证书之后,我们需要创建pem文件。pem文件本质上只是将证书 密钥及证书中心证书(可有可无)拼接成一个文件。在我们在这里只是简单地将证书及密钥文以这个顺序拼接在起来创建xip.io.pen文件 。这就是HAProxy读取SSL证书首选的方式。
[root@ha02 haproxy-1.4.26]# cat /etc/ssl/xip.io/xip.io.crt /etc/ssl/xip.io/xip.io.key |tree /etc/ssl/xip.io/xip.io.pem /etc/ssl/xip.io/xip.io.pem [error opening dir] 0 directories, 0 files [root@ha02 haproxy-1.4.26]# ls /etc/ssl/xip.io/ xip.io.crt xip.io.csr xip.io.key 有报错,并没有生成.pem结尾的文件
后来细心看一下一个命命看错了应该是tee而不是tree
[root@ha02 haproxy-1.4.26]# cat /etc/ssl/xip.io/xip.io.crt /etc/ssl/xip.io/xip.io.key |tee /etc/ssl/xip.io/xip.io.pem -----BEGIN CERTIFICATE----- MIICRzCCAbACCQCp15MeAY6YFzANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJD TjEOMAwGA1UECAwFY2hpbmExEDAOBgNVBAcMB2JlaWppbmcxETAPBgNVBAoMCGlz ZWFzdGFyMREwDwYDVQQLDAhpc2Vhc3RhcjERMA8GA1UEAwwIaXNlYXN0YXIwHhcN MTYxMjE2MDUxMzM5WhcNMTcxMjE2MDUxMzM5WjBoMQswCQYDVQQGEwJDTjEOMAwG A1UECAwFY2hpbmExEDAOBgNVBAcMB2JlaWppbmcxETAPBgNVBAoMCGlzZWFzdGFy MREwDwYDVQQLDAhpc2Vhc3RhcjERMA8GA1UEAwwIaXNlYXN0YXIwgZ8wDQYJKoZI hvcNAQEBBQADgY0AMIGJAoGBANEKpgCx8Hd0J2gZd/YJRpqjac0nZNU29pyOpXbl VxOy9tUR4bHX6y7IDW/G297orwc2AIGetNVSYEVKTh6pCZz6H/E+FZG7+A2ftJ8I 823Hx7iW10Q1sP95UsYB2N0wd5AtKfywuv3Bjwe2nQj3R47+LuwABNnXS0mYp93y 4EkxAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEABd+XL1YdowVUWivoxki751bAdqpv L9WizV1LW0Whf4GWS10wnubXSOHqR3Ybcm9Nnq1adqoV1g8pcJMWGYk+JKjA+N+i tiiBSwvKw7kEC3/r2EH0vmVtv4TLcohTJrIil2WslPYcHVcWJX/HdgBD5yhSNp4D INwzh2GWxZ2HAE8= -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDRCqYAsfB3dCdoGXf2CUaao2nNJ2TVNvacjqV25VcTsvbVEeGx 1+suyA1vxtve6K8HNgCBnrTVUmBFSk4eqQmc+h/xPhWRu/gNn7SfCPNtx8e4ltdE NbD/eVLGAdjdMHeQLSn8sLr9wY8Htp0I90eO/i7sAATZ10tJmKfd8uBJMQIDAQAB AoGAc8J10wS2qS/FcrxH1hOk6ZV8zYL3L6tUPbYwovq1kc8VKUDRvu5W6n0WE8QH lhU8d73L4fvFICyR600OnaP2EdtslR0BLwR0r55PMGxm6hpE5KI8N3nrxRQSkbPs u8o9rS9IaWXjKk5gYcrTQTfGuaez4TzsUtQr/oVJfviZ25ECQQDxq/ZpTzbr6TFH V+iLFI3dwz6wH72DTFPo5FrZ+s7VTuuYi8mb1LDxXFxWKCgaD1vAZf8hFddXthjA 20Kk7+DXAkEA3W9u7VWa6C85NbGQ6VH6AVSk9uDgzWafxWw0in3tdsV/VEZxu3PF iXFHVHUhy4dc7UZksl7GACtkPiMV6iJ9NwJBAJpNZYNPpI1z0pbutfc3JG1XYAsr +OCAN4MXajqLPMxNG3fGqO7qGh/BDOOluBULgVWSyhbhzyCdj6hzVlXhIvkCQF2k mVGO6TKVfekiDXlOLJ7Rb+3jjc3vP1Pa/aEvvfODc+Rs4f326KvGFvc1jbQnq3nA UidIgw1hTEQmzEa2jSMCQGDoM8ginUV7o33WcKLog5arhYFVOXuZi478GAhtauX9 Dcv8CRWpfdi3LuOM8yCRWDEyPfBw+3CfIBlXjVBkD7w= -----END RSA PRIVATE KEY----- [root@ha02 haproxy-1.4.26]# tree /etc/ss ssh/ ssl/ [root@ha02 haproxy-1.4.26]# tree /etc/ssl/xip.io/ /etc/ssl/xip.io/ ├── xip.io.crt ├── xip.io.csr ├── xip.io.key └── xip.io.pem 0 directories, 4 files
当购买真正的证书时,你不一定会获取并接后的文件。可能需要自己拼接生成,但也有机构提供拼接好的文件 给你。但可能不是pem文件,而是dundel ,cert, cert, key文件或一些相同概念但名称类似的文件。
pem文件是HAProxy只需简单配置就可以处理SSLL连接了。
要在HAProxy使用SSL连接 ,我们现在就可以添加校准SSL端口443的绑定,并让HAProxy知道SSL证书的位置 :
stats admin if TRUE | stats admin if TRUE mode http | mode http #server sshd 192.168.1.104:22 check port 22 inter | #server sshd 192.168.1.104:22 check port 22 inter | frontend app01_www.app01.com:8010 | frontend app01_www.app01.com:8010 bind *:8010 | bind *:8010 bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem | --------------------------------------------------------- timeout client 8h | timeout client 8h mode http | mode http default_backend server_app01 | default_backend server_app01 backend server_app01 | backend server_app01 mode http | mode http timeout server 8h | timeout server 8h cookie SERVERID insert nocache | cookie SERVERID insert nocache server app01 10.100.0.37:8010 check port 8010 rise| server app01 10.100.0.37:8010 check port 8010 ris frontend app02_www.app02.com:8020 | frontend app02_www.app02.com:8020 bind *:8020 | bind *:8020 bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem | --------------------------------------------------------- timeout client 8h | timeout client 8h mode http | mode http default_backend server_app02 | default_backend server_app02 backend server_app02 | backend server_app02 mode http | mode http timeout server 8h | timeout server 8h + +-- 2 lines: cookie SERVERID insert nocache--------------|+ +-- 2 lines: cookie SERVERID insert nocache-------------
看看下在的改动只是加了一行代码:
bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem
上面的配置可以支持https也支持http
下面只支持https,看一下这三个文件的不同:
+ +-- 30 lines: global--------------------------------------|+ +-- 30 lines: global-------------------------------------
mode http | mode http
#server sshd 192.168.1.104:22 check port 22 inter | #server sshd 192.168.1.104:22 check port 22 inter
|
frontend app01_www.app01.com:8010 | frontend app01_www.app01.com:8010
bind *:8010 | bind *:8010
bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem | bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem
redirect scheme https if !{ ssl_fc } | ---------------------------------------------------------
timeout client 8h | timeout client 8h
mode http | mode http
default_backend server_app01 | default_backend server_app01
backend server_app01 | backend server_app01
mode http | mode http
timeout server 8h | timeout server 8h
cookie SERVERID insert nocache | cookie SERVERID insert nocache
server app01 10.100.0.37:8010 check port 8010 rise| server app01 10.100.0.37:8010 check port 8010 ris
frontend app02_www.app02.com:8020 | frontend app02_www.app02.com:8020
bind *:8020 | bind *:8020
redirect scheme https if !{ ssl_fc } | ---------------------------------------------------------
bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem | bind *:443 ssl crt /etc/ssl/xip.io/xip.io.pem
timeout client 8h | timeout client 8h
mode http | mode http
default_backend server_app02 | default_backend server_app02
backend server_app02 | backend server_app02
mode http | mode http
+ +-- 3 lines: timeout server 8h---------------------------|+ +-- 3 lines: timeout server 8h--------------------------前左边的只支持https右边是支持https和http
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Nginx基础知识————生成自签名ca 证书 使nginx 支持https
- iOS使用自签名证书实现HTTPS请求
- iOS 用自签名证书实现 HTTPS 请求的原理实例讲解
- HttpClient之配置ssl,采用设置信任自签名证书实现https
- [置顶] iOS使用自签名证书实现HTTPS请求
- Haproxy实现多域名证书HTTPS
- iOS开发HTTPS实现之信任SSL证书和自签名证书
- iOS用自签名证书实现HTTPS请求的原理实例讲解
- iOS 用自签名证书实现 HTTPS 请求的原理
- [转]Android上实现带自签名客户端证书的双向校验HTTPS连接
- 生成自签名ca 证书 使nginx 支持https
- iOS使用自签名证书实现HTTPS请求
- iOS开发HTTPS实现之信任SSL证书和自签名证书
- iOS开发信任SSL证书和自签名证书实现HTTPS
- iOS使用自签名证书实现HTTPS请求
- 如何通过httpd来实现https?(CA自签署证书的实现)
- 轻松把玩HttpClient之配置ssl,采用设置信任自签名证书实现https
- iOS开发信任SSL证书和自签名证书实现HTTPS
- 从https的实现看数字证书、SSL、数字签名、摘要算法、对称/非对称加密
- iOS使用自签名证书实现HTTPS请求