{"id":18594615,"url":"https://github.com/kuluce/nginx_ssl","last_synced_at":"2026-01-25T16:01:50.537Z","repository":{"id":245777803,"uuid":"819201286","full_name":"kuluce/nginx_ssl","owner":"kuluce","description":"cfssl nginx ssl ","archived":false,"fork":false,"pushed_at":"2024-06-24T03:30:43.000Z","size":4,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-16T11:39:36.228Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kuluce.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-24T03:25:51.000Z","updated_at":"2024-06-24T03:31:00.000Z","dependencies_parsed_at":"2024-06-24T04:39:53.190Z","dependency_job_id":"fb99609d-6712-4728-ac2f-86f8bb215c76","html_url":"https://github.com/kuluce/nginx_ssl","commit_stats":null,"previous_names":["kuluce/nginx_ssl"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/kuluce/nginx_ssl","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kuluce%2Fnginx_ssl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kuluce%2Fnginx_ssl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kuluce%2Fnginx_ssl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kuluce%2Fnginx_ssl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kuluce","download_url":"https://codeload.github.com/kuluce/nginx_ssl/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kuluce%2Fnginx_ssl/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28755045,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-25T13:59:49.818Z","status":"ssl_error","status_checked_at":"2026-01-25T13:59:33.728Z","response_time":113,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T01:16:24.034Z","updated_at":"2026-01-25T16:01:50.519Z","avatar_url":"https://github.com/kuluce.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# 使用说明\n\n# cfssl安装\n\n```bash\n$ go install github.com/cloudflare/cfssl/cmd/...@latest\n```\n\n## 初始化\n\n```bash\ncfssl print-defaults config \u003e ca-config.json\ncfssl print-defaults csr \u003e ca-csr.json\n```\n\n## 1 CA证书\n### 1.1 修改ca-config.json\n```json\n{\n  \"signing\": {\n    \"default\": {\n      \"expiry\": \"87660h\"\n    },\n    \"profiles\": {\n      \"peer\": {\n        \"expiry\": \"87660h\",\n        \"usages\": [\"signing\", \"key encipherment\", \"server auth\", \"client auth\"]\n      },\n      \"server\": {\n        \"expiry\": \"87660h\",\n        \"usages\": [\"signing\", \"key encipherment\", \"server auth\"]\n      },\n      \"client\": {\n        \"expiry\": \"87660h\",\n        \"usages\": [\"signing\", \"key encipherment\", \"client auth\"]\n      }\n    }\n  }\n}\n```\n\n### 1.2 生成CA证书\n\n```bash\ncfssl gencert -initca ca-csr.json | cfssljson -bare ca -\n```\n\n## 2 服务器证书\n\n### 2.1 生成服务端证书配置模板\n\n模版文件： server-csr.json\n\n```json\n{\n    \"CN\":\"hongsheng\",\n    \"hosts\":[\n        \"127.0.0.1\",\n        \"192.168.1.110\", \n        \"dev.hhs\",\n        \"*.dev.hhs\"\n    ],\n    \"key\":{\n        \"algo\":\"rsa\",\n        \"size\":4096\n    },\n    \"names\":[\n        {\n            \"C\":\"CN\",\n            \"L\":\"SH\",\n            \"ST\":\"Shanghai\",\n            \"O\":\"hhs\",\n            \"OU\":\"dev\"\n        }\n    ]\n}\n```\n\n### 2.2 生成服务端证书 \n\n```bash\ncfssl gencert -ca=ca.pem \\\n-ca-key=ca-key.pem \\\n-config=ca-config.json \\\n-profile=server server-csr.json \\\n| cfssljson -bare server\n```\n\n## 3 客户端证书\n\n### 3.1 生成客户端证书配置模板\n\n模板文件: client1-csr.json\n\n```json\n{\n    \"CN\": \"client1\",\n    \"key\": {\n      \"algo\": \"rsa\",\n      \"size\": 4096\n    },\n    \"names\": [\n      {\n        \"C\":\"CN\",\n        \"L\":\"SH\",\n        \"ST\":\"Shanghai\", \n        \"O\": \"Client Certificate 1\",\n        \"OU\": \"Client Certificate 1\"\n      }\n    ],\n    \"hosts\": [\n      \"127.0.0.1\"\n    ]\n  }\n```\n\n### 3.2 生成客户端证书\n```bash\ncfssl gencert -ca=ca.pem \\\n-ca-key=ca-key.pem \\\n-config=ca-config.json \\\n-profile=client client1-csr.json \\\n| cfssljson -bare client_1\n```\n\n\n\n# Nginx双向认证配置\n\n\n\nserver 段配置\n\n```shell\n# 双向认证站点例子\nserver {\n    listen       443 ssl; \n    server_name localhost *.dev.hhs; \n\n    access_log  logs/28083/access.log  main;\n    error_log   logs/28083/error.log;\n\n    # 服务器证书和私钥\n    ssl_certificate      cert/28083/server.crt;                    # 服务端证书\n    ssl_certificate_key  cert/28083/server-key.pem;                # 服务端私钥\n\n    # 客户端证书\n    ssl_client_certificate  cert/28083/ca.pem;\n    ssl_verify_client on;                                          # 开启客户端证书校验\n    ssl_verify_depth 6;                                            # 校验深度\n\n    # CA证书\n    ssl_trusted_certificate cert/28083/ca.pem;                     # 将CA证书设为受信任的证书\n\n    # 可选的SSL配置项  \n    ssl_prefer_server_ciphers on;                                  # 优先采取服务器算法\n    ssl_session_cache    shared:SSL:1m;                            # 配置共享会话缓存大小\n    ssl_session_timeout  5m;                                       # session有效期5分钟\n    ssl_protocols  TLSv1.2;                                        #启用指定的协议\n    ssl_ciphers  ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL; #加密算法 \n\n    # 应用上下文\n    location ~* ^/(hello|hello2|admin|) {        \n        proxy_pass http://127.0.0.1:19999; \n        proxy_connect_timeout 300s;\n        proxy_send_timeout 300s;\n        proxy_read_timeout 300s;\n        proxy_set_header X-Real-IP $remote_addr;\n        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n        proxy_set_header X-Forwarded-Proto http;\n    } \n\n    error_page   500 502 503 504  /50x.html;\n    location = /50x.html {\n        root   html;\n    }\n\n    # 禁止访问根目录\n    location / {\n        return 403;\n    }\n\n}\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkuluce%2Fnginx_ssl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkuluce%2Fnginx_ssl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkuluce%2Fnginx_ssl/lists"}