diff --git a/nginx/docker-compose.yml b/nginx/docker-compose.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ac1a1df64316cf2cecbb607c456646094d6ee15e
--- /dev/null
+++ b/nginx/docker-compose.yml
@@ -0,0 +1,5 @@
+version: 3
+services:
+ nginx-test: # 容器名字
+ restart: always # 如果容器内应用退出了,尝试重启
+ image: nginx #表示使用 Ghost 镜像
diff --git a/tls.sh b/tls.sh
new file mode 100644
index 0000000000000000000000000000000000000000..7794fd159d02885c54373fe1090214692114fbe2
--- /dev/null
+++ b/tls.sh
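Review bot: In nginx/docker-compose.yml, `version: 3` is an unquoted integer, while Compose expects the version as a string, so the file is likely to be rejected as written; `version: "3"` is the usual form. The comment on the image line says the Ghost image is used while the image is `nginx`, so it should read something like `# uses the nginx image`. `image: nginx` also resolves to whatever `latest` is at pull time; pinning a tag or digest (`image: nginx:<tag>`) keeps the deployed build reproducible and reviewable.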
@@ -0,0 +1,43 @@
+#!/bin/bash
+#创建 Docker TLS 证书
+#相关配置信息
+SERVER="platform.kuopu.net/"
+PASSWORD="123456"
+COUNTRY="HN"
+STATE="湖南省"
+CITY="长沙市"
+ORGANIZATION="KIM"
+ORGANIZATIONAL_UNIT="KIM"
+EMAIL="fengyuchenglun@foxmail.com"
+###开始生成文件###
+echo "开始生成文件"
+#切换到生产密钥的目录
+cd /etc/docker
+#生成ca私钥(使用aes256加密)
+openssl genrsa -aes256 -passout pass:$PASSWORD -out ca-key.pem 2048
+#生成ca证书,填写配置信息
+openssl req -new -x509 -passin "pass:$PASSWORD" -days 3650 -key ca-key.pem -sha256 -out ca.pem -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$SERVER/emailAddress=$EMAIL"
+#生成server证书私钥文件
+openssl genrsa -out server-key.pem 2048
+#生成server证书请求文件
+openssl req -subj "/CN=$SERVER" -new -key server-key.pem -out server.csr
+#配置白名单 你使用的是服务器Ip的话,请将前面的DNS换成IP echo subjectAltName = IP:$SERVER,IP:0.0.0.0 >> extfile.cnf
+sh -c 'echo "subjectAltName = DNS:'$SERVER',IP:0.0.0.0" >> extfile.cnf'
+sh -c 'echo "extendedKeyUsage = serverAuth" >> extfile.cnf'
+#使用CA证书及CA密钥以及上面的server证书请求文件进行签发,生成server自签证书
+openssl x509 -req -days 3650 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out server-cert.pem -extfile extfile.cnf
+#生成client证书RSA私钥文件
+openssl genrsa -out key.pem 2048
+#生成client证书请求文件
+openssl req -subj '/CN=client' -new -key key.pem -out client.csr
+sh -c 'echo extendedKeyUsage=clientAuth >> extfile.cnf'
+#生成client自签证书(根据上面的client私钥文件、client证书请求文件生成)
+openssl x509 -req -days 3650 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin "pass:$PASSWORD" -CAcreateserial -out cert.pem -extfile extfile.cnf
+#更改密钥权限
+chmod 0400 ca-key.pem key.pem server-key.pem
+#更改密钥权限
+chmod 0444 ca.pem server-cert.pem cert.pem
+#删除无用文件
+rm client.csr server.csr
+echo "生成文件完成"
+###生成结束###
\ No newline at end of file
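Review bot: The CA key passphrase is committed in tls.sh as a literal (`PASSWORD="123456"`) and handed to every openssl call as `pass:$PASSWORD`, so it lives in the repository and shows up in the process list while the script runs; it should be supplied through the environment or a root-only file and passed in the `env:` or `file:` form. `SERVER="platform.kuopu.net/"` carries a trailing slash that ends up in the CN and in the `DNS:` subjectAltName entry, so the server certificate will presumably not match the host name clients connect to. The client certificate is signed with the same `extfile.cnf` that already holds the server's `subjectAltName` and `extendedKeyUsage = serverAuth`, and since the file is only ever appended to and never removed, a rerun stacks further lines on top; a separate client extension file written with `>` avoids both. The script also has no `set -e` or check on `cd /etc/docker`, and the unencrypted `server-key.pem` and `key.pem` are created under the default umask before `chmod 0400` runs, so a failed `cd` drops keys into the current directory and the keys may be readable by other local users for a moment.

```shell
set -euo pipefail
umask 077                       # key files are created private from the start
SERVER="platform.kuopu.net"     # no trailing slash: used as CN and DNS SAN
: "${PASSWORD:?set PASSWORD in the environment before running}"
export PASSWORD                 # openssl reads it through env:PASSWORD
# … unchanged: COUNTRY … EMAIL …
cd /etc/docker
openssl genrsa -aes256 -passout env:PASSWORD -out ca-key.pem 2048
# … unchanged: CA certificate, server key and CSR; -passin becomes env:PASSWORD on each call …
printf 'subjectAltName = DNS:%s,IP:0.0.0.0\nextendedKeyUsage = serverAuth\n' "$SERVER" > extfile.cnf
# … unchanged: server certificate signing, client key and CSR …
printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
openssl x509 -req -days 3650 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin env:PASSWORD -CAcreateserial -out cert.pem -extfile extfile-client.cnf
# … unchanged: chmod of keys and certificates …
rm client.csr server.csr extfile.cnf extfile-client.cnf
```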