提取jks证书配置Nginx使其支持https
证书配置在nginx上,对外提供https服务,内部和tomcat做反向代理走http,提取jks证书步骤如下:
提取jks证书(keytool命令安装jdk以后就默认安装了)
查看jks文件中的entry
keytool -list -keystore server.jks
查看是否有entries,如果有下个命令需要加 -srcalias 参数指定entry
转换jks文件为p12
keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -deststoretype PKCS12
查看新格式(pkcs12)证书库
keytool -deststoretype PKCS12 -keystore server.p12 -list
使用openssl提取证书并合并
openssl pkcs12 -in server.p12 -nokeys -clcerts -out server-ssl.crt
openssl pkcs12 -in server.p12 -nokeys -cacerts -out gs_intermediate_ca.crt
server-ssl.crt是SSL证书,gs_intermediate_ca.crt是中级证书,合并到一起才是nginx所需要的证书
cat server-ssl.crt gs_intermediate_ca.crt > server.crt
提取私钥及免密码
openssl pkcs12 -nocerts -nodes -in server.p12 -out server.key
避免重启是总是要输入私有key的密码
openssl rsa -in server.key -out server.key.unsecure
配置nginx
worker_processes 8;
error_log logs/error.log notice;
pid logs/nginx.pid;
events {
worker_connections 65535;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 300;
proxy_read_timeout 300;
add_header Access-Control-Allow-Origin *;
client_max_body_size 1000m;
client_header_buffer_size 100m;
large_client_header_buffers 4 102400k;
set_real_ip_from 10.201.21.199;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
ssl_certificate /etc/pki/cn/server.crt;
ssl_certificate_key /etc/pki/cn/server.key;
include gzip.conf;
include apmweb_upstream.conf;
server {
listen 80;
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/pki/cn/server.crt;
ssl_certificate_key /etc/pki/cn/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
#proxy_redirect http:// $scheme://;
proxy_redirect ~^http://inamp.xxx.com/(.*)$ https://inamp.xxx.com/$1;
port_in_redirect on;
proxy_set_header Host $host:$server_port;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root /data/apm_static;
index index.html index.htm;
}
location ~* ^/$ {
rewrite ^/$ http://inamp.xxx.com/enrolment_web/enrolment/index.htm ;
}
include apmweb_tomcat.conf;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
apmweb_tomcat.conf内容
location ~* ^/management_service.*$ {
include deny.conf;
proxy_pass http://apmserapp6300;
include proxy.conf;
error_log logs/apm_management_service_error.log error;
access_log logs/apm_management_service_access.log main;
apmweb_upstream.conf内容
upstream apmwebapp6300 {
server 10.101.1.160:6300 weight=1 max_fails=2 fail_timeout=10s;
server 10.101.1.161:6300 weight=1 max_fails=2 fail_timeout=10s;
server 10.101.1.162:6300 weight=1 max_fails=2 fail_timeout=10s;
}
.......
gzip.conf
gzip on;
gzip_comp_level 2;
gzip_http_version 1.1;
gzip_proxied any;
gzip_min_length 1;
gzip_buffers 16 8k;
gzip_types text/plain text/css application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript application/jsp application/html application/htm;
Tag标签:「nginx https 证书 jks」更新时间:「2021-11-04 14:39:05」阅读次数:「1164」