Nginx two-way authentication
#!/bin/sh
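# Print $1 as a yellow banner with a blank line above and below it.
# printf replaces echo: under #!/bin/sh the treatment of "\033" and "\n"
# escapes in echo differs between shells (dash interprets them, bash does
# not), a message starting with "-" would be taken as an echo option, and
# backslashes inside the message itself would be interpreted by dash's echo.
# Arguments: $1 - message text (passed through %s, never used as a format)
# Outputs:   the banner on stdout
Echo_c(){
printf '\033[1;33m\n%s\n\033[0m\n' "$1"
}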
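# Produce an 8-character lowercase hex token, used as a throwaway subject
# field for the generated certificates.
# "openssl rand -hex 4" yields the same shape (8 hex digits, 32 bits of
# randomness) directly, so the base64 | md5sum | cut pipeline is dropped;
# it also removes the dependency on coreutils md5sum, which BSD/macOS lack.
# Outputs:   the token followed by a newline on stdout
# Returns:   the exit status of openssl
Rand_Name(){
openssl rand -hex 4
}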
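# Create a private CA and have it issue one server and one client certificate
# for nginx mutual TLS; the client key pair is also exported as a PKCS#12
# bundle (openssl prompts interactively for the export password).
# Arguments: $1 - output directory (default: /etc/ssl/xrsec)
# Outputs:   progress banners via Echo_c on stdout; openssl output as usual
# Returns:   0 on success, otherwise the status of the first failing command.
#            The body is a subshell, so `set -e` and the restrictive umask
#            apply only inside it; a failure stops the remaining steps instead
#            of letting them run against missing or partial files.
Gen_Cert() (
set -e
ssl_dir=${1:-/etc/ssl/xrsec}
# Private keys, the RNG seed file and the pfx must not be readable by others,
# whatever umask the caller happens to run with.
umask 077
mkdir -p -- "$ssl_dir"
Echo_c "Generate $ssl_dir/.rnd random file"
openssl rand -writerand "$ssl_dir/.rnd"
Echo_c "Generate random name"
rndca=$(Rand_Name)
rndserver=$(Rand_Name)
rndclient=$(Rand_Name)
Echo_c "Generate CA certificate"
openssl genrsa -out "$ssl_dir/ca.key" 4096
openssl req -new -x509 -days 3650 -key "$ssl_dir/ca.key" -out "$ssl_dir/ca.crt" \
  -subj "/C=CN/ST=$rndca/L=$rndca/O=$rndca/OU=$rndca/CN=$rndca"
Echo_c "Generate Server certificate"
openssl genrsa -out "$ssl_dir/server.key" 4096
openssl req -new -key "$ssl_dir/server.key" -out "$ssl_dir/server.csr" \
  -subj "/C=CN/ST=$rndserver/L=$rndserver/O=$rndserver/OU=$rndserver/CN=$rndserver"
Echo_c "Use CA certificate to issue server certificate"
# -CAcreateserial creates ca.srl on first use; later issuances reuse it.
# NOTE(review): no SAN or other extensions are requested, as in the original;
# the CN is a random token, so clients are presumably expected to trust ca.crt
# rather than match a hostname -- confirm this fits the deployment.
openssl x509 -req -in "$ssl_dir/server.csr" -CA "$ssl_dir/ca.crt" -CAkey "$ssl_dir/ca.key" \
  -CAcreateserial -out "$ssl_dir/server.crt" -days 3650
Echo_c "Generate Client Certificate"
openssl genrsa -out "$ssl_dir/client.key" 4096
openssl req -new -key "$ssl_dir/client.key" -out "$ssl_dir/client.csr" \
  -subj "/C=CN/ST=$rndclient/L=$rndclient/O=$rndclient/OU=$rndclient/CN=$rndclient"
Echo_c "Use CA certificate to issue Client certificate"
openssl x509 -req -in "$ssl_dir/client.csr" -CA "$ssl_dir/ca.crt" -CAkey "$ssl_dir/ca.key" \
  -CAcreateserial -out "$ssl_dir/client.crt" -days 3650
Echo_c "Export the pfx certificate, please remember the password"
# Interactive: openssl asks for the export password on the terminal.
openssl pkcs12 -export -inkey "$ssl_dir/client.key" -in "$ssl_dir/client.crt" -out "$ssl_dir/client.pfx"
)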
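# Run the generator and stop with its status on failure, rather than
# announcing completion after a partially written certificate set.
Gen_Cert || exit $?
Echo_c "Configuration complete"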
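# map $http_upgrade $connection_upgrade {
# default upgrade;
# '' close;
# }
# Mutual-TLS front end: every client must present a certificate issued by
# /etc/ssl/xrsec/ca.crt (ssl_verify_client on); static files are served
# from /usr/share/nginx/html.
server {
  # include /etc/nginx/conf.d/viper.conf;
  # "ssl on;" is deprecated; the ssl parameter of listen enables TLS on the port.
  listen 3389 ssl;
  ssl_client_certificate /etc/ssl/xrsec/ca.crt;
  ssl_verify_client on;
  ssl_certificate /etc/ssl/xrsec/server.crt;
  ssl_certificate_key /etc/ssl/xrsec/server.key;
  ssl_session_timeout 60m;
  # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the list;
  # add TLSv1.3 here once the nginx/OpenSSL build in use supports it.
  ssl_protocols TLSv1.2;
  server_name webhost;
  # NOTE(review): compressing TLS responses that mix secrets with
  # attacker-influenced content enables BREACH-style attacks; acceptable for
  # the static files served here -- revisit if dynamic content is added.
  gzip on;
  gzip_min_length 1k;
  gzip_comp_level 9;
  gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
  gzip_vary on;
  gzip_disable "MSIE [1-6]\.";
  client_max_body_size 200m;
  # 497: plain HTTP received on the TLS port, redirected to https.
  # $host comes from the client's Host header; $uri drops the query string
  # ($request_uri would keep it).
  error_page 497 https://$host:$server_port$uri;
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;
  location / {
    root /usr/share/nginx/html;
    try_files $uri $uri/ /index.html;
  }
  # location /api {
  # uwsgi_connect_timeout 3000;
  # uwsgi_read_timeout 3000;
  # uwsgi_send_timeout 3000;
  # uwsgi_pass unix:/root/viper/uwsgi.sock;
  # include /etc/nginx/uwsgi_params;
  # proxy_set_header Host $host;
  # proxy_set_header X-Real-IP $remote_addr;
  # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  # }
  # location /ws {
  # proxy_pass http://unix:/root/viper/daphne.sock;
  # proxy_http_version 1.1;
  # proxy_set_header Upgrade $http_upgrade;
  # proxy_set_header Connection "upgrade";
  # }
}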