多域名自动化生成证书及OpenResty使用 lua-resty-auto-ssl 配置证书

需求:我有100+个一级域名需要做ssl证书

  1. 安装OpenResty 官网推荐使用15.8.1以上:
    https://github.com/auto-ssl/lua-resty-auto-ssl

  2. 安装luarocks

wget http://luarocks.org/releases/luarocks-2.0.13.tar.gz //下载
tar -xzvf luarocks-2.0.13.tar.gz //解压
cd luarocks-2.0.13/
//这里需要注意prefix 路径跟自己的openresty安装路径是否匹配
./configure --prefix=/usr/local/openresty/luajit \
    --with-lua=/usr/local/openresty/luajit/ \
    --lua-suffix=jit \
    --with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1
make
sudo make install
  1. 安装组件
cd /usr/local/openresty/luajit
./luarocks install lua-resty-auto-ssl
mkdir /usr/local/openresty/ssl
mkdir /usr/local/openresty/ssl/resty-auto-ssl
chown -R nobody.nobody /usr/local/openresty/ssl/resty-auto-ssl
chmod -R 777 /usr/local/openresty/ssl

多域名自动化生成证书及OpenResty使用 lua-resty-auto-ssl 配置证书_第1张图片

  1. 制作自签证书
cd /usr/local/openresty/ssl/resty-auto-ssl
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
  -subj '/CN=sni-support-required-for-valid-ssl' \
  -keyout /usr/local/openresty/ssl/resty-auto-ssl-fallback.key \
  -out /usr/local/openresty/ssl/resty-auto-ssl-fallback.crt
  1. 配置nginx.conf

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    lua_shared_dict auto_ssl 1m;
    lua_shared_dict auto_ssl_settings 64k;
    resolver 8.8.8.8;

    init_by_lua_block {
      auto_ssl = (require "resty.auto-ssl").new()

    -- 用于保存配置、临时文件和证书文件的文件夹,文件夹必须保证 nginx worker 进程可写,默认/etc/resty-auto-ssl
    auto_ssl:set("dir", "/usr/local/openresty/ssl/resty-auto-ssl")

    -- 认证任务监听端口,默认8999
    auto_ssl:set("hook_server_port", 8999)

    -- 更新检查评率,单位秒,默认86400(一天)
    auto_ssl:set("renew_check_interval", 30)

    -- 定义一个函数用于决定哪个域名自动处理和注册新证书。默认是不允许任务域名。所以该配置也是必须项。
    -- 替换 example.com 为自己的域名,直接返回 true 表示所有请求进来的域名都颁发证书
    auto_ssl:set("allow_domain", function(domain)
        -- return ngx.re.match(domain, "(luozixu2.com|luozixu.net)$", "ijo")
        -- ^()& 是只能指定的域名,无法为二级域名颁发证书
        -- return ngx.re.match(domain, "^(example.com|example.net)$", "ijo")
        -- example.com$ 可以为所有 example.com 子域名颁发证书
        -- return ngx.re.match(domain, "example.com$", "ijo")
        return true
    end)

    auto_ssl:init()
  }

  init_worker_by_lua_block {
    auto_ssl:init_worker()
  }






server {
    listen 80;
    listen 443;
    server_name 112.20.58.5; #自己OpenResty服务器的公网ip
    return 403;
}


    server {
        listen       80;
        server_name _;
     
        #charset koi8-r;
         location /.well-known/acme-challenge/ {
      content_by_lua_block {
        auto_ssl:challenge_server()
      }
    }

    location / {
        return 301 https://$host$request_uri;
    }

  }

        #access_log  logs/host.access.log  main;

   #     location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
     #   error_page   500 502 503 504  /50x.html;
     #   location = /50x.html {
     #       root   html;
     #   }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
   # }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
  server {
    listen 127.0.0.1:8999;
    client_body_buffer_size 128k;
    client_max_body_size 128k;

    location / {
      content_by_lua_block {
        auto_ssl:hook_server()
      }
    }
  }



    # HTTPS server
    #
   # include conf.d/luo.conf;
    server {
        listen       443 ssl;
            ssl_certificate_by_lua_block {
      auto_ssl:ssl_certificate()
    }
    
     ssl_certificate /usr/local/openresty/ssl/resty-auto-ssl/resty-auto-ssl-fallback.crt;
    ssl_certificate_key /usr/local/openresty/ssl/resty-auto-ssl/resty-auto-ssl-fallback.key;
       more_set_headers "Access-Control-Allow-Origin: $http_origin";
    more_set_headers "Access-Control-Allow-Methods: GET,POST,OPTIONS,PUT,DELETE";
    more_set_headers "Access-Control-Allow-Headers: *";
    more_set_headers "Access-Control-Allow-Credentials: true";
    location / {
        proxy_pass http://tocmat;
    }

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

     #   location / {
     #       root   html;
     #       index  index.html index.htm;
     #   }
     }
include upstream.conf;
}


  1. 启动
cd /usr/local/openresty/nginx/sbin/
nginx -t
nginx 
  1. dns绑定域名指定到nginx上
    curl https://域名

查看证书路径是否生成了证书:
多域名自动化生成证书及OpenResty使用 lua-resty-auto-ssl 配置证书_第2张图片
多域名自动化生成证书及OpenResty使用 lua-resty-auto-ssl 配置证书_第3张图片

查看问题也可以在nginx的错误日志也可以看到:
多域名自动化生成证书及OpenResty使用 lua-resty-auto-ssl 配置证书_第4张图片

你可能感兴趣的:(openresty,linux,lua,lua,自动化,openresty)