haproxy 实现多域名证书https
Posted 运维工匠实战(如果发现有错误请大家把正确的方法发送给我,方便
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了haproxy 实现多域名证书https相关的知识,希望对你有一定的参考价值。
[[email protected] keys]# openssl genrsa -out www.app01.com.key 2048 Generating RSA private key, 2048 bit long modulus ....+++ .....................................+++ e is 65537 (0x10001) [[email protected] keys]# openssl req -new -key www.app01.com.key -out www.app01.com.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BeiJing Locality Name (eg, city) [Default City]:BeiJing Organization Name (eg, company) [Default Company Ltd]:espressos.cn Organizational Unit Name (eg, section) []:app Common Name (eg, your name or your server‘s hostname) []:www.app01.com Email Address []:[email protected]163.com Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []: [[email protected] keys]# ls www.app01.com.csr www.app01.com.key
[[email protected]a02 keys]# openssl x509 -req -days 365 -in www.app01.com.csr -signkey www.app01.com.key -out www.app01.com.crt Signature ok subject=/C=CN/ST=BeiJing/L=BeiJing/O=espressos.cn/OU=app/CN=www.app01.com/[email protected]163.com Getting Private key
[[email protected] keys]# cat www.app01.com.crt www.app01.com.key |tee www.app01.com.pem -----BEGIN CERTIFICATE----- MIIDkjCCAnoCCQDXDebyNmUGrDANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMC Q04xEDAOBgNVBAgMB0JlaUppbmcxEDAOBgNVBAcMB0JlaUppbmcxFTATBgNVBAoM DGVzcHJlc3Nvcy5jbjEMMAoGA1UECwwDYXBwMRYwFAYDVQQDDA13d3cuYXBwMDEu Y29tMRowGAYJKoZIhvcNAQkBFgtja0AuMTYzLmNvbTAeFw0xNjEyMTcyMDU5MzRa Fw0xNzEyMTcyMDU5MzRaMIGKMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpSmlu ZzEQMA4GA1UEBwwHQmVpSmluZzEVMBMGA1UECgwMZXNwcmVzc29zLmNuMQwwCgYD VQQLDANhcHAxFjAUBgNVBAMMDXd3dy5hcHAwMS5jb20xGjAYBgkqhkiG9w0BCQEW C2NrQC4xNjMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2uZv jbDySKIsPOLErlcJGQ+6mpPN+2XvOmS0piY+r14EHfKW6SZ1o8zNl0AQPMZOikVf KvwDnEhp0FWjnMZOpppRCEYvbuHEwzdgUNoPqwKae0agYLA5r4HpR30r8hj87pDT p3ukFzBgRzfuqjUB++1eaot3UEpkV1tMKd/85ziU7CtUaFj+S7l4j0i7LVO3Iu3T oz80KBB+d31P3qCbgenOcxNs8ohte3Xpk4JWcEKgtYuvdVY6VZcvCmIWYPH7PWC4 DWBkmB6Ub78pdkG5c6PaSFaJrEJdyjel0DuYMpRl7bTGxzQsDpI7Bx6Lq2hD0k5m p/dIvKKz4KzRcLxPtQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAoo30ox/XXPbSJ vrIBcAK7ZPWNV7pW8KQ2sZ4LPkNVylwIpKirOmRQ6e9ZBHdPIxU0Ic+aNhsEJ5Et b11fWwMxAmLMmpwx7ngWsIrFXLBkyda5Zq8DLzLmFQACAW53O4/6EN+HBPXPTP0b tmzNQaf8AIVpviraOMLSk291+lEws/c0ATvkz5FaRjw5oZjDDozoY3doRnap/hQO n+i07uJ8PEXnX9P4Th2gYxle/7AvK46Dk7zglG3dpcoveRqOKChKVSZIxta5A0eL 6fpp7R+oU8S4trQY8GB1ECX7/cqUi4G8JwSiC63PKys9JEeLmdpNTZ1d6uv+fHUH RUeiLjAX -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEA2uZvjbDySKIsPOLErlcJGQ+6mpPN+2XvOmS0piY+r14EHfKW 6SZ1o8zNl0AQPMZOikVfKvwDnEhp0FWjnMZOpppRCEYvbuHEwzdgUNoPqwKae0ag YLA5r4HpR30r8hj87pDTp3ukFzBgRzfuqjUB++1eaot3UEpkV1tMKd/85ziU7CtU aFj+S7l4j0i7LVO3Iu3Toz80KBB+d31P3qCbgenOcxNs8ohte3Xpk4JWcEKgtYuv dVY6VZcvCmIWYPH7PWC4DWBkmB6Ub78pdkG5c6PaSFaJrEJdyjel0DuYMpRl7bTG xzQsDpI7Bx6Lq2hD0k5mp/dIvKKz4KzRcLxPtQIDAQABAoIBAQCtb0hRVjIQtFUi hHVawGDX92tcz+Cy3+e0N1geEE04OuA+Lhe9cJhiiIEX5k03KdPOn/owH25o48La qw+vxjtIqxmq2Zj5XG2+UmDAjpU9ZBmrtKCbGuUJln+TAazQ61VzW1Im78JqEQ0n QDybpNYGmeJlvkxxVA++Wvq0buB8/RLJJokKiPe1e0AeGAUkvHcdxqUrcJfqbzZz z/XUmI1GJMLnJw0WB8mxTtHq0YEATOOqgsAdoK2bAIl9LhCw4N4anSoD+KgRBbFG k2SSCsk3bvBWmLBx7yq35hX92U511j42xVg/OxAC/LdVjPX20wBQp85CDZAkfYjb 48BONOMdAoGBAPuPVUEigz6Nk0FpQ+7bV0MXtuQga1OzwFcOsVToQS8CH4kI8q9s iGutOEvL9GKHY/8nSRpJ/l204lpO1DKB8eCilO2eqMteq3JWAyvuU9TlKdMlD3Ed Z7D2zX7S40M4cDoF1/AQNBdlBEYzLP7KgTrmxVoumhu8Wu7pqqtIidJPAoGBAN7D h8w5N/PDjtI50pfFRUml3u6X9us2PcymP+LIMdmNL22zFcT8wk6fVlhUaa6pRA4Y xEhxoQUNTEiv5sg0AkX2ms0iMUK2CCbOumRqux7V0NMw0iCEZ3QRtqZOn2YpvSFd alC4KEpF31UbtLbUnx4VBbQ6tkcx5jvYKsSVeVC7AoGBAMHy4Gg3k7jGrqHf5uBh fAXeYsO/uv/ttn1odpBgAOGdYXLl0zYtF4DtLFpEBUdx20b9ov8BzXux2lKGNFQ8 m5/1uZz6lmk1tDmS1x8nwLqDdJu2FxG++hMWNZlyPoW1HdGeb75Gv+LJn2IAUtCe kMQ46C9/fpGjxvgsb8lfQ+NBAoGAY2iiazKFk5SLYalIH057UxhgWd0a5XA5N+Bg 1hU8mbb1mWC3sEaTd36Hi7dvye/jXN8UiLecgaKjjjRhKqp68TnRbwV5MioFjTvn 1fQDOQl1vSkmPDiZ6iQVfDXN0EuECSWk0gy8fhicR2CrzoMn1sbO2tTwjujns4EN 5NhHYQ0CgYEAlp6XGwJ+Dih/uQgrRQA5BXB3GYlYpMOEUNJk/3oWh+tl+/vzPRjy IEZ9jsJ7E3DGhWC9l/MTY8rWEq30B8Qca9trZilcKgLTlHUIVQJnlkLAS3t+48qa faL1ev3/gJMIw06u/OT8Yl5D8ZzyK1R4YDvjOusdpfRSE6Jwq9Wrgoo= -----END RSA PRIVATE KEY-----
[[email protected] keys]# ls
www.app01.com.crt www.app01.com.csr www.app01.com.key www.app01.com.pem
按照以上方法依次生www.app02.com.pem
[[email protected] keys]# openssl genrsa -out www.app02.com.key 2048 Generating RSA private key, 2048 bit long modulus ..........................................................................+++ ..................................+++ e is 65537 (0x10001) [[email protected] keys]# openssl req -new -key www.app02.com.key -out www.app02.com.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BeiJing Locality Name (eg, city) [Default City]:BeiJing Organization Name (eg, company) [Default Company Ltd]:espressos Organizational Unit Name (eg, section) []:espressos Common Name (eg, your name or your server‘s hostname) []:www.app02.com Email Address []:[email protected]163.com Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []: [[email protected] keys]# ls www.app01.com.crt www.app01.com.key www.app02.com.csr www.app01.com.csr www.app01.com.pem www.app02.com.key
[[email protected] keys]# openssl x509 -req -days 365 -in www.app02.com.csr -signkey www.app02.com.key -out www.app02.com.crt Signature ok subject=/C=CN/ST=BeiJing/L=BeiJing/O=espressos/OU=espressos/CN=www.app02.com/[email protected]163.com Getting Private key [[email protected] keys]# cat www.app02.com.crt www.app02.com.key |tee www.app02.com.pem -----BEGIN CERTIFICATE----- MIIDljCCAn4CCQCReUnUAKlUyDANBgkqhkiG9w0BAQUFADCBjDELMAkGA1UEBhMC Q04xEDAOBgNVBAgMB0JlaUppbmcxEDAOBgNVBAcMB0JlaUppbmcxEjAQBgNVBAoM CWVzcHJlc3NvczESMBAGA1UECwwJZXNwcmVzc29zMRYwFAYDVQQDDA13d3cuYXBw MDIuY29tMRkwFwYJKoZIhvcNAQkBFgpja0AxNjMuY29tMB4XDTE2MTIxNzIxMDgy MFoXDTE3MTIxNzIxMDgyMFowgYwxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlK aW5nMRAwDgYDVQQHDAdCZWlKaW5nMRIwEAYDVQQKDAllc3ByZXNzb3MxEjAQBgNV BAsMCWVzcHJlc3NvczEWMBQGA1UEAwwNd3d3LmFwcDAyLmNvbTEZMBcGCSqGSIb3 DQEJARYKY2tAMTYzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AK4xvT3wr0ndQqIJWjlHwZZ4fA/OzqXF4Nfg7WwnP4tITVnv/t2UdVAGJllCjcK6 cC6zLXVQ7vHkXVGlmuKhlwgrkXfFd6L1PuS4H5QTT8jFxIVJ+GsyqzXyceqxOcn4 n4yhyc+is0CdapC5QuRjXLFja6fjA2QJzlH2D2gFuQVOD80hhu+lLTlW+hkxUUfz bthuUDg4WobUVENCdwlr1HjQPqmuo9Nh8tn6BXLtDYiQ4QPHJSFYQutYCbMovUuf ETP49ovvahdCe2QaB0mrl32hQLTc8FRHqf9doukNycthI7KpVchcPoDseJcjVg34 UOSmQtN50vsC2UyFCb9fb8sCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEATHnHS+ZF qUf8NuuZn6Iyw/U9ip5ArsJ/13pzjQmmD+eEDmw13ZDkHeiHD8bKxparZqq4zkg5 bBaj8bFWtWcMOc7MCFmd8RIjDATwOs15Uv7x+JHnxUVWCzOVFT0RNovVG1yEp+Rq 6Hu1zBj+yhK6Uj2cFTZOzBZH7+KSGzLOhSJmmqRoNVtnaw7bGqbUgUY/FgFS1rFw 5XXR1Ky02hx58HptF7GXEPav596g8HB+8SiLgkwESl//PYOISbb/KSVg68g7+c8N SOdS1hci8GtmEW+c1b8tVy5xQZqO3T2Ob024xkNnZkvR0xeCor5loJh9EliSljCy 9s1F/eE2Rv2n4g== -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEArjG9PfCvSd1CoglaOUfBlnh8D87OpcXg1+DtbCc/i0hNWe/+ 3ZR1UAYmWUKNwrpwLrMtdVDu8eRdUaWa4qGXCCuRd8V3ovU+5LgflBNPyMXEhUn4 azKrNfJx6rE5yfifjKHJz6KzQJ1qkLlC5GNcsWNrp+MDZAnOUfYPaAW5BU4PzSGG 76UtOVb6GTFRR/Nu2G5QODhahtRUQ0J3CWvUeNA+qa6j02Hy2foFcu0NiJDhA8cl IVhC61gJsyi9S58RM/j2i+9qF0J7ZBoHSauXfaFAtNzwVEep/12i6Q3Jy2EjsqlV yFw+gOx4lyNWDfhQ5KZC03nS+wLZTIUJv19vywIDAQABAoIBAQCMRgOVqIcPnTy2 TX+5Vr5e1IFbHXetaM6qKTgn+uch20Rm42vCtXVOztT81ipgIFCMWr+FlHoGkpZP VGOIkwWTj7oh0AOKV6Gg/2B2lqKOFCwwBaQldvUGiUkQ7EyUB0E8N2DTcrqUku8o wfdLAXS4aE5eMOIfIgJiYBqB8vHOgXxhouuTGVrIucEUtdNFsAzgfEP6ZIA82Ju6 AAw0yL1jZSEDVcpNaiPk3aUDQab3PdafSq7/Jv+r4ON9UFxjSWBUHO28Fv4tBLnP /dDzy6+wNwOhMywMtyMIk9QCks3hw2FM6rF6XELTI0yqJrVhY0C34uaLtg9kSy6x Xhjl9vfBAoGBAOA9zBONdoN9a60Ow2HZQGe59rZBYU9S7l728UAnlFqrOvbLcNrV sTzLTqIsv1cTGGoFOlkVQavrT86YlWSMmQ81WAySJz5/5Tde1FswUXJhJ+YHuCTH HOBOPIE5Fhr614cNB78sdWvNN1WF/fRFxqJOSSuPoYjsTBfbfzw8AUTrAoGBAMbd aRcrid9yRZ+ZSk5ut5gxjyZT/fpZdCpwuTRWGwHuDT+PtAtJHicq9OWp41RrlK15 C5hX8d2M7NxpJPf0lQP7KLUd3QSEpoXlRLyAXDgAKpQJKf01nU5rnk7Z3pUs616Q tHhyUm/OojcMzYHpwib86TfZf42uNavqeQMtU0ihAoGAGSb1WBAbBf6wcDXitnv+ 3GOgh6rntlUQBbjfMJn/6vef4oTJQNKNUctgI5KvV539tA6oD8vxlM4NIpg80Y1v saQDH03ZdwozdLV/TkcqK5E4P3YIMp/e3k4IPVpg31/Zgv10K/5ZoWDgXwhrhtW4 xQXQ8UDoFoqisl5ddC0q20cCgYA9TozTY8zBYg0swqkxvNhExyKGgmZOA73YR6AR DmqNEcJr0fWDdSsikA+nrdQzdmcDg8mbUaFy17s9x/xppLE75PYLwAUfG3Xq2V9z bW8ApKx7rsePFDRGtM69KFWCT7LQGHRKnZPkfCNuLTg90L7WHioX2amFGCvbsBFW dWazgQKBgCNS9WU81O67RnE18ymcjzmogBCV1us1SxaWQ7zJZwAc5of8717TqB+l ZSgPkb8aSkQIVBp3qKYOgNn51/WK6fSFE2jKVQFHCGrVcs7f1Ofru3Wey38qMZ0y xz5HBI0G/G+ICzsQwTUNTjw2vcUWWwV4jaKpQkOGUlcJVDIJO/l6 -----END RSA PRIVATE KEY----- [[email protected] keys]# ls www.app01.com.crt www.app01.com.key www.app02.com.crt www.app02.com.key www.app01.com.csr www.app01.com.pem www.app02.com.csr www.app02.com.pem
[[email protected] haproxy-1.4.26]# cat conf/haproxy.cfg global log 127.0.0.1 local0 info maxconn 51200 user nobody group nobody daemon nbproc 1 pidfile /var/run/haproxy.pid defaults log global option tcplog option httpclose option forwardfor except 127.0.0.0/8 option redispatch option dontlognull retries 3 timeout client 1m timeout server 1m timeout http-request 10s timeout http-keep-alive 10s timeout queue 1m maxconn 10000 listen admin_stats bind 0.0.0.0:8000 stats refresh 30s stats uri /vip stats realm hello chenlin stats auth admin:[email protected]! stats hide-version stats admin if TRUE mode http #server sshd 192.168.1.104:22 check port 22 inter 5000 fall 5 frontend www.app01.com mode http bind 0.0.0.0:443 ssl crt /etc/ssl/keys/www.app01.com.pem crt /etc/ssl/keys/www.app02.com.pem use_backend www_app01_com if { ssl_fc_sni www.app01.com } use_backend www_app02_com if { ssl_fc_sni www.app02.com } backend www_app01_com mode http server app01 192.168.1.108:8010 backend www_app02_com mode http server app02 192.168.1.109:8020
haproxy 实现了多域https
[[email protected] haproxy-1.5.2]# ./sbin/haproxy -v HA-Proxy version 1.5-dev19 2013/06/17 Copyright 2000-2013 Willy Tarreau <[email protected]>
以上是关于haproxy 实现多域名证书https的主要内容,如果未能解决你的问题,请参考以下文章