Making HTTPS requests with curl and wget without verifying the certificate
wget 'https://x.x.x.x/get_ips' --no-check-certificate
curl 'https://x.x.x.x/get_ips' -k
Server side
Generate the certificate and private key
openssl req -newkey rsa:4096 -nodes -keyout test_private.perm -new -x509 -sha512 -days 3650 -subj "/CN=test.com/" -out test.crt
test_private.perm is the private key and test.crt is the certificate.
The CN must be the same as the server_name in nginx.conf.
https://cloud.tencent.com/document/product/400/35244
vim /etc/nginx/nginx.conf
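http {
    server {
        # "listen ... ssl" replaces the separate "ssl on;" directive,
        # which is deprecated and rejected by current nginx releases
        listen 443 ssl;
        server_name test.com;
        # Self-signed certificate and key generated above
        # ssl_certificate /root/test.crt;
        # ssl_certificate_key /root/test_private.perm;
        # CA-issued certificate bundle and key
        ssl_certificate /root/kk/www.npcable.cn_nginx/www.npcable.cn_bundle.crt;
        ssl_certificate_key /root/kk/www.npcable.cn_nginx/www.npcable.cn.key;
        location / {
            root /var/www/html;
            index index.html;
        }
    }
    ...
}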
Client side
A self-signed certificate is not trusted, so curl reports:
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
Solution:
Fetch the server's certificate
openssl s_client -showcerts -connect www.baidu.com:443
Pass the certificate to curl as an argument
curl -v 'https://test.com/kk' --resolve 'test.com:443:192.168.2.7' --trace-time --cacert /root/test.crt
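Or append the certificate to the list of trusted certificates
# Note: tls-ca-bundle.pem is generated by update-ca-trust, so an appended entry is lost when the bundle is regenerated
cat /root/test.crt >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem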
curl -v 'https://test.com/kk' --resolve 'test.com:443:192.168.2.7' --trace-time
The host you request must be the CN (Common Name) in the certificate, otherwise curl reports:
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
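The two checks behind errors 60 and 51 can be reproduced offline with openssl verify. This is an added example, not part of the original page; the temporary paths, the 2048-bit key size, the host other.example and the "impostor" certificate are constructed for illustration, and -verify_hostname assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example: the two checks curl makes (trust chain, host name), offline.
# Temp paths, the 2048-bit key size and other.example are constructed here.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT   # remove the throwaway keys on exit

# make_cert CN NAME: throwaway self-signed cert, same "openssl req" form as the page.
make_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/$2.key" \
        -new -x509 -sha512 -days 1 -subj "/CN=$1/" \
        -out "$WORKDIR/$2.crt" 2>/dev/null
}

# check_tls CERT HOST [CAFILE]: exit 0 only if CERT chains to a trusted
# certificate AND matches HOST. With no CAFILE the system default store is
# used, as curl does without --cacert.
check_tls() {
    if [ -n "$3" ]; then
        openssl verify -verify_hostname "$2" -CAfile "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -verify_hostname "$2" "$1" >/dev/null 2>&1
    fi
}

# report LABEL CERT HOST [CAFILE]: print the outcome of one check.
report() {
    if check_tls "$2" "$3" "$4"; then
        echo "$1: accepted"
    else
        echo "$1: rejected"
    fi
}

make_cert test.com server      # the server's real certificate
make_cert test.com impostor    # same CN, different key, not issued by us

report "default store, test.com (curl 60)" \
    "$WORKDIR/server.crt" test.com
report "--cacert server.crt, test.com" \
    "$WORKDIR/server.crt" test.com "$WORKDIR/server.crt"
report "--cacert server.crt, other.example (curl 51)" \
    "$WORKDIR/server.crt" other.example "$WORKDIR/server.crt"
report "--cacert server.crt, impostor cert" \
    "$WORKDIR/impostor.crt" test.com "$WORKDIR/server.crt"
```

Only the second case is accepted. The last case is the one that -k and --no-check-certificate would let through, which is why trusting the specific certificate with --cacert is the safer way to handle a self-signed server.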