Step 1: generate a self-signed certificate (in a production environment the certificate is usually purchased from a third-party CA)
Create the CA database
[root@proxy01 ~]# cd /etc/pki/CA/ && touch index.txt && echo 01 > serial
Generate the CA private key
[root@proxy01 CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
...........................................................................++
......................................................................................................................................................................................++
e is 65537 (0x10001)
Generate the CA certificate
[root@proxy01 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:51yuki.cn
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.51yuki.cn
Email Address []:admin@51yuki.cn
The client requests a certificate
[root@proxy01 CA]# (umask 077;openssl genrsa -out /etc/pki/tls/private/boke.51yuki.cn.key 2048)
Generating RSA private key, 2048 bit long modulus
...........................+++
...........................................................................+++
[root@proxy01 CA]# openssl req -new -key /etc/pki/tls/private/boke.51yuki.cn.key -days 760 -out /etc/pki/tls/boke.51yuki.cn.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:51yuki.cn
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:boke.51yuki.cn
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Then copy this CSR file to the CA server and have the CA sign it. (The -days 760 passed to openssl req has no effect on a plain CSR; the validity period is decided by the CA at signing time, which is why the certificate below is issued for 365 days.)
[root@proxy01 CA]# openssl ca -in /etc/pki/tls/boke.51yuki.cn.csr -out /etc/pki/CA/certs/boke.51yuki.cn.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 8 08:38:48 2018 GMT
Not After : Feb 8 08:38:48 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = Shanghai
organizationName = 51yuki.cn
organizationalUnitName = ops
commonName = boke.51yuki.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
46:66:13:5C:B7:87:E2:87:89:7B:E9:45:5B:C4:36:3D:AF:0A:65:9C
X509v3 Authority Key Identifier:
keyid:E1:00:ED:E1:1F:4F:69:3D:D2:27:38:91:61:6A:64:A5:D5:3B:7A:E1
Certificate is to be certified until Feb 8 08:38:48 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Step 2: configure HAProxy
[root@proxy01 CA]# ll
total 12
-rw-r--r--. 1 root root 5806 Feb 8 17:55 boke.51yuki.cn.crt
-rw-------. 1 root root 1675 Feb 8 17:56 boke.51yuki.cn.key
[root@proxy01 CA]# cat /opt/CA/boke.51yuki.cn.crt > boke.51yuki.cn.pem
[root@proxy01 CA]# cat /opt/CA/boke.51yuki.cn.key >> boke.51yuki.cn.pem
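The two cat commands above simply concatenate certificate and key. The following added example (not from the original post; it assumes the openssl CLI and constructs its own throwaway CA and leaf certificate, so the names are hypothetical) builds the same bundle only after checking that the key matches the certificate, that the certificate chains to the CA and is not expired, and then writes it with owner-only permissions; a key that does not belong to the certificate is rejected.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is installed.

# build_haproxy_pem CERT KEY CACERT OUT
#   writes CERT followed by KEY to OUT (mode 0600) if all checks pass, else returns 1.
build_haproxy_pem() {
    crt=$1; key=$2; ca=$3; out=$4
    # 1. the public key inside the certificate must equal the private key's public half
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    # 2. the certificate must chain to our CA (catches a cert signed by the wrong CA)
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "chain check failed" >&2; return 1; }
    # 3. the certificate must not already be expired
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo "certificate expired" >&2; return 1; }
    # 4. the bundle contains the private key: create it with owner-only permissions
    (umask 077; cat "$crt" "$key" > "$out") || return 1
    return 0
}

# demo_bundle [yes]: constructed throwaway CA and leaf in a temp dir; "yes" feeds a key
# that does not belong to the certificate. Returns 0 if the bundle was written, 1 if rejected.
demo_bundle() {
    mismatch=${1:-no}
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj /CN=demo-ca -days 1 >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj /CN=boke.example.test >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.crt" -days 1 >/dev/null 2>&1 || return 1
    key="$d/leaf.key"
    if [ "$mismatch" = yes ]; then
        openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1 || return 1
        key="$d/other.key"
    fi
    if build_haproxy_pem "$d/leaf.crt" "$key" "$d/ca.crt" "$d/haproxy.pem"; then
        # show that the bundle is readable by the owner only (-rw-------)
        echo "bundle written with mode $(ls -l "$d/haproxy.pem" | cut -c1-10)"
        rc=0
    else
        rc=1
    fi
    rm -rf "$d"
    return $rc
}
```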
Running ports 80 and 443 side by side
frontend weblb
    bind *:80
    acl is_http hdr_beg(host) www.chinasoft.com
    use_backend httpserver if is_http
backend httpserver
    balance source
    server web1 192.168.3.200:8080 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
frontend weblb443
    bind *:443 ssl crt /etc/haproxy/chinasoft.pem
    acl is_443 hdr_beg(host) www.chinasoft.com
    use_backend httpserver443 if is_443
backend httpserver443
    balance source
    server web1 192.168.3.200:8080 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3
The second approach (bind the 443 frontend to the PEM bundle created above; the commented redirect line, when enabled, sends plain-HTTP requests over to HTTPS)
    bind *:443 ssl crt /opt/CA/boke.51yuki.cn.pem
    #redirect scheme https if !{ ssl_fc }