创建多域名根证书
CA
# Edit the stock OpenSSL config on the CA host. The lines that follow are the
# edited fragments only: in the stock file `dir` lives in [ CA_default ] and the
# *Name entries in [ req_distinguished_name ]; the section headers are not
# reproduced here.
vi /etc/pki/tls/openssl.cnf
# Base directory for the CA's private key, serial file and issued certs.
dir=/etc/pki/CA
# Prompt text / defaults used by `openssl req` for the subject DN below.
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Guizhou
localityName = Locality Name (eg, city)
localityName_default = Guiyang
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Gzrbbks
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Gzrbbks
#commonName = common name (eg, your name or your server\'s hostname)
#commonName_max = 64
# Two numbered commonName entries make `openssl req` prompt for CN twice and put
# both values into the subject DN. This does NOT produce a multi-domain
# certificate: modern browsers (Chrome since v58) match host names against
# subjectAltName only and ignore CN, and a CN on the *root* certificate is never
# used for host matching at all. The subjectAltName in server.ext further down
# this page is the mechanism that actually binds host names.
0.commonName = *.dev (eg, your name or your server\'s hostname)
0.commonName_max = 64
1.commonName = *.trial (eg, your name or your server\'s hostname)
1.commonName_max = 64
# CA host: directory that will hold the root private key. Keep it and the key
# readable by root only (0700 / 0600).
cd /etc/pki/CA/private/
密钥key
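# Root key. 4096-bit RSA replaces the original 1024-bit key: 1024-bit RSA is
# below the 2048-bit minimum required by NIST and CA/Browser Forum policy and
# may be rejected outright by current clients. -aes256 encrypts the key at
# rest; the later -signkey/-CAkey steps will prompt for the passphrase. The
# umask is set in a subshell so the key file is written 0600 regardless of
# the OpenSSL version, without changing the interactive shell's umask.
(umask 077 && openssl genrsa -aes256 -out bksca.key 4096)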
证书请求文件csr
# CSR for the root; the prompts below are pre-filled from the openssl.cnf
# defaults edited above. NOTE(review): the two "Common Name" prompts come from
# the 0.commonName / 1.commonName entries; they do not make the root a
# multi-domain certificate (host names are bound by the subjectAltName in
# server.ext further down).
openssl req -new -key bksca.key -out bksca.csr
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guizhou]:
Locality Name (eg, city) [Guiyang]:
Organization Name (eg, company) [Gzrbbks]:
Organizational Unit Name (eg, section) [Gzrbbks]:
Common Name (eg, your name or your server's hostname) []:*.dev
Common Name (eg, your name or your server's hostname) []:*.trial
Email Address []:gzrbs@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Common Name (eg, your name or your server's hostname) []:*.dev
Email Address []:gzrbs@qq.com
证书crt
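# Self-sign the root. The original command relied on defaults: a 30-day
# validity (the `openssl x509` default when -days is omitted), the build's
# default digest (SHA-1 on older OpenSSL releases), and no CA extensions, so
# strict verifiers would not accept the result as a trust anchor. The
# extensions are supplied inline via process substitution (bash-only; write
# them to a file and pass that to -extfile under a POSIX sh).
openssl x509 -req -sha256 -days 3650 -in bksca.csr -signkey bksca.key -out bksca.crt \
  -extfile <(printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n')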
把bksca.crt下载到客户端,导入到受信任的根证书颁发机构中。
为user.dev颁发证书
WEB
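# Web host: key and CSR for user.dev. The directory is created root-only and
# -p makes the step idempotent. 2048-bit RSA replaces the original 1024-bit
# key (below the minimum current clients and CA/B Forum policy accept). The
# key is deliberately left unencrypted because nginx loads it at startup; it
# never leaves this host — only the CSR is sent to the CA.
mkdir -p -m 0700 /etc/nginx/ssl
cd /etc/nginx/ssl/
(umask 077 && openssl genrsa -out server.key 2048)
openssl req -new -sha256 -key server.key -out server.csr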
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guizhou
Locality Name (eg, city) [Default City]:Guiyang
Organization Name (eg, company) [Default Company Ltd]:Gzrbs
Organizational Unit Name (eg, section) []:Gzrbs
Common Name (eg, your name or your server's hostname) []:user.dev
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Send only the CSR (public data) to the CA host; server.key stays on the web
# host and must never be copied out.
scp server.csr root@10.1.4.11:/etc/pki/CA/private/
CA
# Back on the CA host: write the x509v3 extension file for the leaf
# certificate (contents follow).
cd /etc/pki/CA/private/
vi server.ext
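# x509v3 extensions for the user.dev server certificate (passed via -extfile).
# basicConstraints marks the leaf as a non-CA so it can never be used to issue
# further certificates; SKI/AKI let clients link it to bksca.crt when building
# the chain.
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# clientAuth is only needed if this certificate also authenticates the host as
# a TLS *client* (mutual TLS); remove it if that is not the case.
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
# Host names (and optionally IPs) browsers match against; the CN in the CSR is
# not consulted by modern clients.
#IP.1=10.1.4.84
#IP.2=10.1.4.83
DNS.1=user.dev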
# Issue the leaf signed by the root, applying the SAN/keyUsage from server.ext;
# -CAcreateserial creates the serial file on first use.
# NOTE(review): -days 3650 exceeds the 825-day maximum Apple platforms enforce
# for TLS server certificates — confirm against the clients you must support.
openssl x509 -req -sha256 -CA bksca.crt -CAkey bksca.key -CAcreateserial -in server.csr -out user_dev.crt -days 3650 -extfile server.ext
# Only the certificate goes back to the web host; the key never left it.
# NOTE(review): the nginx.conf below references news_dev.crt / news_dev.key,
# not user_dev.crt / server.key — confirm the file names on the web host.
scp user_dev.crt root@10.1.4.84:/etc/nginx/ssl/
nginx.conf
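# nginx.conf for the news.dev host: plain HTTP on :80 and TLS on :443, both
# serving the same PHP application from /home/www/news through PHP-FPM.
user nginx;
worker_processes 4;
pid /var/run/nginx.pid;
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 65535;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # NOTE(review): "$request" and $status each appear twice in this format.
    # Kept as-is: changing the layout changes what downstream log parsers see.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '"$request" $status $bytes_sent '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"'
                    '"$gzip_ratio"';
    log_format download '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $bytes_sent '
                        '"$http_referer" "$http_user_agent" '
                        '"$http_range" "$sent_http_content_range"';

    # Request size / buffer limits.
    client_max_body_size 500m;
    client_body_buffer_size 128k;
    client_header_buffer_size 132K;
    large_client_header_buffers 4 32k;

    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;
    # Short client timeouts bound how long a slow or idle peer can hold a worker.
    client_header_timeout 10;
    client_body_timeout 10;
    send_timeout 10;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    # Do not advertise the nginx version in Server headers and error pages.
    server_tokens off;

    include /etc/nginx/conf.d/*.conf;

    # Plain-HTTP vhost. It serves the same PHP application in clear text;
    # once the TLS vhost below is verified, the usual choice is to replace
    # this server's content with `return 301 https://$host$request_uri;`.
    server {
        listen 80 default;
        server_name news.dev;
        root /home/www/news;
        charset utf-8;
        access_log /home/logs/access.log main;
        error_log /home/logs/error.log warn;
        proxy_buffer_size 256k;
        proxy_buffers 32 32k;
        proxy_busy_buffers_size 512k;

        # Answer every OPTIONS request (e.g. CORS preflight) with an empty 204.
        if ($request_method = 'OPTIONS') {
            return 204;
        }

        location / {
            root /home/www/news;
            index index.php index.html index.htm;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            # Pretty-URL rewrites for requests that do not map to a real file;
            # `last` re-runs location matching so the .php location handles them.
            if (!-e $request_filename){
                rewrite ^/paper/(\w+)\.html$ /news/index.php?act=paper&op=index&id=$1 last;
                rewrite ^(.*)/(\w+)-(\w+)\.html$ $1/index.php?act=$2&op=$3 last;
                rewrite ^(.*)/(\w+)-(\w+)-(\w+)-(\w+)\.html$ $1/index.php?act=$2&op=$3&$4=$5 last;
                rewrite ^(.*)/(\w+)-(\w+)-(\w+)-(\w+)-(\w+)-(\w+)\.html$ $1/index.php?act=$2&op=$3&$4=$5&$6=$7 last;
            }
        }

        # Worker status page, reachable from the single monitoring address only.
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 10.10.60.93/32;
            deny all;
        }

        # Looks like a leftover from a Java deployment; harmless for a PHP site.
        location ~ ^/(WEB-INF)/ {
            deny all;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            # A relative root is resolved against the nginx --prefix directory.
            root html;
        }

        location ~ \.php$ {
            root /home/www/news;
            # Refuse URIs whose script does not exist on disk. Without this, a
            # request such as /img/x.jpg/y.php is handed to PHP-FPM with a
            # non-existent SCRIPT_FILENAME, and with cgi.fix_pathinfo=1 PHP falls
            # back to executing the preceding path component.
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 4 256k;
            fastcgi_busy_buffers_size 256k;
        }

        # Static assets: no access log, no noise for missing files.
        location ~ .*\.(css|js|gif|png|jpg|jpeg|bmp|swf|map)$ {
            access_log off;
            log_not_found off;
        }
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { access_log off; log_not_found off; }
    }

    # TLS vhost.
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name news.dev;
        root /home/www/news;
        # NOTE(review): the certificate issued earlier on this page is
        # user_dev.crt (key server.key) with SAN user.dev — confirm these paths
        # exist on the web host and that the SAN covers news.dev.
        ssl_certificate "/etc/nginx/ssl/news_dev.crt";
        ssl_certificate_key "/etc/nginx/ssl/news_dev.key";
        # Pin the protocol set instead of relying on the build default, which
        # on older nginx releases still includes TLSv1 and TLSv1.1. TLSv1.3
        # needs nginx 1.13+ built against OpenSSL 1.1.1+; drop it on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # error_page names /404.html, so the location must match that URI; the
        # original "location = /40x.html" could never be reached.
        error_page 404 /404.html;
        location = /404.html {
        }

        charset utf-8;
        access_log /home/logs/access.log main;
        error_log /home/logs/error.log warn;
        proxy_buffer_size 256k;
        proxy_buffers 32 32k;
        proxy_busy_buffers_size 512k;

        # Answer every OPTIONS request (e.g. CORS preflight) with an empty 204.
        if ($request_method = 'OPTIONS') {
            return 204;
        }

        location / {
            root /home/www/news;
            index index.php index.html index.htm;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            # Same pretty-URL rewrites as the HTTP vhost.
            if (!-e $request_filename){
                rewrite ^/paper/(\w+)\.html$ /news/index.php?act=paper&op=index&id=$1 last;
                rewrite ^(.*)/(\w+)-(\w+)\.html$ $1/index.php?act=$2&op=$3 last;
                rewrite ^(.*)/(\w+)-(\w+)-(\w+)-(\w+)\.html$ $1/index.php?act=$2&op=$3&$4=$5 last;
                rewrite ^(.*)/(\w+)-(\w+)-(\w+)-(\w+)-(\w+)-(\w+)\.html$ $1/index.php?act=$2&op=$3&$4=$5&$6=$7 last;
            }
        }

        # Worker status page, reachable from the single monitoring address only.
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 10.10.60.93/32;
            deny all;
        }

        location ~ ^/(WEB-INF)/ {
            deny all;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }

        location ~ \.php$ {
            root /home/www/news;
            # Same guard as in the HTTP vhost: only scripts that exist on disk
            # reach PHP-FPM.
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 4 256k;
            fastcgi_busy_buffers_size 256k;
        }

        location ~ .*\.(css|js|gif|png|jpg|jpeg|bmp|swf|map)$ {
            access_log off;
            log_not_found off;
        }
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt { access_log off; log_not_found off; }
    }
}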
客户端
将 Chrome 的默认搜索引擎改为 Google 以外的搜索引擎。
https://user.dev/index.php
星期四, 08/27/2020 - 16:53 — 杨超