Configuring SSL encryption


1. Configure the SSL certificate and key

  • If you already have a purchased SSL certificate, place the certificate and key as follows:
    rename the CA root certificate to /opt/fit2cloud/rabbitmq_cacert.pem
    rename the site certificate to /opt/fit2cloud/rabbitmq_cert.pem
    rename the private key to /opt/fit2cloud/rabbitmq_key.pem

    Then run the following command, which concatenates the three files into /opt/fit2cloud/site.pem:

    cat /opt/fit2cloud/rabbitmq_cert.pem /opt/fit2cloud/rabbitmq_cacert.pem /opt/fit2cloud/rabbitmq_key.pem | tee /opt/fit2cloud/site.pem

  • If you do not have a certificate, a self-signed one has to be generated. Running the following script produces the self-signed certificate files:

# Create a scratch CA directory with the layout that "openssl ca" expects
if [ -d "testca" ];then
    rm -rf "testca"
fi
mkdir testca
cd testca
mkdir certs private
chmod 700 private
echo 01 > serial
touch index.txt

# Minimal CA configuration: one signing policy plus extension sets for the
# CA itself, for client certificates and for server certificates
cat << EOF > openssl.cnf
[ ca ]
default_ca = testca

[ testca ]
certificate = ./cacert.pem
database = ./index.txt
new_certs_dir = ./certs
private_key = ./private/cakey.pem
serial = ./serial

default_crl_days = 7
default_days = 365
# signature digest; the original template used sha1, which current TLS
# stacks reject for certificate signatures
default_md = sha256

policy = testca_policy
x509_extensions = certificate_extensions

[ testca_policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = hostname

[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign

[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

# Generate the self-signed CA certificate; the CA key lands in ./private/cakey.pem
openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes

# Generate the server key and a CSR whose CN is this machine's hostname
cd ..
if [ -d "server" ];then
    rm -rf "server"
fi
mkdir server
cd server
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=server/ -nodes
# Sign the CSR with the CA, applying the server extension set (serverAuth EKU)
cd ../testca
openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
cd ..
# Install the three files where FIT2CLOUD expects them and build site.pem
mv -f testca/cacert.pem /opt/fit2cloud/rabbitmq_cacert.pem
mv -f server/cert.pem /opt/fit2cloud/rabbitmq_cert.pem
mv -f server/key.pem /opt/fit2cloud/rabbitmq_key.pem

cat /opt/fit2cloud/rabbitmq_cert.pem /opt/fit2cloud/rabbitmq_cacert.pem /opt/fit2cloud/rabbitmq_key.pem | tee /opt/fit2cloud/site.pem
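Before moving on to step 2 it is worth confirming that the three files and site.pem are consistent, because a key that does not match the certificate or a mis-ordered bundle only shows up once haproxy and rabbitmq are restarted. The check below is an added example, not part of the FIT2CLOUD tooling; it assumes only the openssl command line, takes the file paths used above, and accepts the hostname clients will connect to as an optional fifth argument.

```shell
#!/bin/sh
# Added example (not part of the FIT2CLOUD docs): sanity-check the PEM files
# and the site.pem bundle built above before restarting haproxy/rabbitmq.
# Usage: check_site_pem CERT CACERT KEY BUNDLE [HOSTNAME], e.g. with the
# /opt/fit2cloud/rabbitmq_*.pem files and /opt/fit2cloud/site.pem from above.
check_site_pem() {
    cert=$1; cacert=$2; key=$3; bundle=$4; host=${5:-}

    # 1. the server certificate must chain to the CA root being shipped
    openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not verify against $cacert"; return 1; }

    # 2. the private key must belong to the certificate; comparing the
    #    public keys works for RSA and EC keys alike
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    { [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; } \
        || { echo "FAIL: $key does not match $cert"; return 1; }

    # 3. the bundle must hold exactly two certificates and one private key,
    #    with the server certificate first (openssl x509 reads the first block)
    ncert=$(grep -c '^-----BEGIN CERTIFICATE-----' "$bundle")
    nkey=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$bundle")
    { [ "$ncert" -eq 2 ] && [ "$nkey" -eq 1 ]; } \
        || { echo "FAIL: $bundle has $ncert certificates and $nkey keys"; return 1; }
    fp_cert=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null)
    fp_bundle=$(openssl x509 -in "$bundle" -noout -fingerprint -sha256 2>/dev/null)
    [ "$fp_cert" = "$fp_bundle" ] \
        || { echo "FAIL: first certificate in $bundle is not $cert"; return 1; }

    # 4. fail early if the certificate expires within 30 days (2592000 s)
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: $cert expires within 30 days"; return 1; }

    # 5. the bundle embeds the private key: only its owner may read it
    [ "$(ls -ld "$bundle" | cut -c5-10)" = "------" ] \
        || { echo "FAIL: $bundle is group/world readable; chmod 600 it"; return 1; }

    # 6. optional: clients check the name they connect to against the cert
    if [ -n "$host" ]; then
        openssl verify -CAfile "$cacert" -verify_hostname "$host" "$cert" >/dev/null 2>&1 \
            || { echo "FAIL: $cert is not valid for host $host"; return 1; }
    fi
    echo "OK: $cert, $cacert, $key and $bundle are consistent"
}
```

Run it as `check_site_pem /opt/fit2cloud/rabbitmq_cert.pem /opt/fit2cloud/rabbitmq_cacert.pem /opt/fit2cloud/rabbitmq_key.pem /opt/fit2cloud/site.pem "$(hostname)"`; a non-zero exit with a FAIL line names the first inconsistency found.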

2. Configure haproxy and rabbitmq

Run the following script to update FIT2CLOUD's haproxy and rabbitmq configuration:

# cp is often aliased to "cp -i" for root; drop the alias so the copies do not prompt
unalias cp 2>/dev/null
cp -f /opt/f2c-ops/conf/haproxy.cfg.ssl.template /etc/haproxy/haproxy.cfg
cp -f /opt/f2c-ops/conf/rabbitmq.config.ssl /etc/rabbitmq/rabbitmq.config
cp -f /opt/f2c-ops/conf/iptables.ssl.template /etc/sysconfig/iptables
service iptables restart
service haproxy restart

# Restart rabbitmq if it is already running, otherwise start it detached
service rabbitmq-server status
result=$?
if [ $result -eq 0 ];then
    service rabbitmq-server restart
else
    nohup rabbitmq-server -detach > /dev/null &
fi

3. Change the FIT2CLOUD system setting

Log in to FIT2CLOUD with an administrator account and set system.ssl under System Settings to true.
