首页 > 代码库 > haproxy 实现多域名证书https

haproxy 实现多域名证书https

 

[root@ha02 keys]# openssl genrsa -out www.app01.com.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
.....................................+++
e is 65537 (0x10001)
[root@ha02 keys]# openssl req -new -key www.app01.com.key -out www.app01.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:espressos.cn
Organizational Unit Name (eg, section) []:app                      
Common Name (eg, your name or your servers hostname) []:www.app01.com
Email Address []:ck@.163.com

Please enter the following extra attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ha02 keys]# ls
www.app01.com.csr  www.app01.com.key
[root@ha02 keys]# openssl x509 -req -days 365 -in www.app01.com.csr -signkey www.app01.com.key -out www.app01.com.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=espressos.cn/OU=app/CN=www.app01.com/emailAddress=ck@.163.com
Getting Private key
[root@ha02 keys]# cat www.app01.com.crt www.app01.com.key |tee www.app01.com.pem
-----BEGIN CERTIFICATE-----
MIIDkjCCAnoCCQDXDebyNmUGrDANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMC
Q04xEDAOBgNVBAgMB0JlaUppbmcxEDAOBgNVBAcMB0JlaUppbmcxFTATBgNVBAoM
DGVzcHJlc3Nvcy5jbjEMMAoGA1UECwwDYXBwMRYwFAYDVQQDDA13d3cuYXBwMDEu
Y29tMRowGAYJKoZIhvcNAQkBFgtja0AuMTYzLmNvbTAeFw0xNjEyMTcyMDU5MzRa
Fw0xNzEyMTcyMDU5MzRaMIGKMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpSmlu
ZzEQMA4GA1UEBwwHQmVpSmluZzEVMBMGA1UECgwMZXNwcmVzc29zLmNuMQwwCgYD
VQQLDANhcHAxFjAUBgNVBAMMDXd3dy5hcHAwMS5jb20xGjAYBgkqhkiG9w0BCQEW
C2NrQC4xNjMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2uZv
jbDySKIsPOLErlcJGQ+6mpPN+2XvOmS0piY+r14EHfKW6SZ1o8zNl0AQPMZOikVf
KvwDnEhp0FWjnMZOpppRCEYvbuHEwzdgUNoPqwKae0agYLA5r4HpR30r8hj87pDT
p3ukFzBgRzfuqjUB++1eaot3UEpkV1tMKd/85ziU7CtUaFj+S7l4j0i7LVO3Iu3T
oz80KBB+d31P3qCbgenOcxNs8ohte3Xpk4JWcEKgtYuvdVY6VZcvCmIWYPH7PWC4
DWBkmB6Ub78pdkG5c6PaSFaJrEJdyjel0DuYMpRl7bTGxzQsDpI7Bx6Lq2hD0k5m
p/dIvKKz4KzRcLxPtQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAoo30ox/XXPbSJ
vrIBcAK7ZPWNV7pW8KQ2sZ4LPkNVylwIpKirOmRQ6e9ZBHdPIxU0Ic+aNhsEJ5Et
b11fWwMxAmLMmpwx7ngWsIrFXLBkyda5Zq8DLzLmFQACAW53O4/6EN+HBPXPTP0b
tmzNQaf8AIVpviraOMLSk291+lEws/c0ATvkz5FaRjw5oZjDDozoY3doRnap/hQO
n+i07uJ8PEXnX9P4Th2gYxle/7AvK46Dk7zglG3dpcoveRqOKChKVSZIxta5A0eL
6fpp7R+oU8S4trQY8GB1ECX7/cqUi4G8JwSiC63PKys9JEeLmdpNTZ1d6uv+fHUH
RUeiLjAX
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA2uZvjbDySKIsPOLErlcJGQ+6mpPN+2XvOmS0piY+r14EHfKW
6SZ1o8zNl0AQPMZOikVfKvwDnEhp0FWjnMZOpppRCEYvbuHEwzdgUNoPqwKae0ag
YLA5r4HpR30r8hj87pDTp3ukFzBgRzfuqjUB++1eaot3UEpkV1tMKd/85ziU7CtU
aFj+S7l4j0i7LVO3Iu3Toz80KBB+d31P3qCbgenOcxNs8ohte3Xpk4JWcEKgtYuv
dVY6VZcvCmIWYPH7PWC4DWBkmB6Ub78pdkG5c6PaSFaJrEJdyjel0DuYMpRl7bTG
xzQsDpI7Bx6Lq2hD0k5mp/dIvKKz4KzRcLxPtQIDAQABAoIBAQCtb0hRVjIQtFUi
hHVawGDX92tcz+Cy3+e0N1geEE04OuA+Lhe9cJhiiIEX5k03KdPOn/owH25o48La
qw+vxjtIqxmq2Zj5XG2+UmDAjpU9ZBmrtKCbGuUJln+TAazQ61VzW1Im78JqEQ0n
QDybpNYGmeJlvkxxVA++Wvq0buB8/RLJJokKiPe1e0AeGAUkvHcdxqUrcJfqbzZz
z/XUmI1GJMLnJw0WB8mxTtHq0YEATOOqgsAdoK2bAIl9LhCw4N4anSoD+KgRBbFG
k2SSCsk3bvBWmLBx7yq35hX92U511j42xVg/OxAC/LdVjPX20wBQp85CDZAkfYjb
48BONOMdAoGBAPuPVUEigz6Nk0FpQ+7bV0MXtuQga1OzwFcOsVToQS8CH4kI8q9s
iGutOEvL9GKHY/8nSRpJ/l204lpO1DKB8eCilO2eqMteq3JWAyvuU9TlKdMlD3Ed
Z7D2zX7S40M4cDoF1/AQNBdlBEYzLP7KgTrmxVoumhu8Wu7pqqtIidJPAoGBAN7D
h8w5N/PDjtI50pfFRUml3u6X9us2PcymP+LIMdmNL22zFcT8wk6fVlhUaa6pRA4Y
xEhxoQUNTEiv5sg0AkX2ms0iMUK2CCbOumRqux7V0NMw0iCEZ3QRtqZOn2YpvSFd
alC4KEpF31UbtLbUnx4VBbQ6tkcx5jvYKsSVeVC7AoGBAMHy4Gg3k7jGrqHf5uBh
fAXeYsO/uv/ttn1odpBgAOGdYXLl0zYtF4DtLFpEBUdx20b9ov8BzXux2lKGNFQ8
m5/1uZz6lmk1tDmS1x8nwLqDdJu2FxG++hMWNZlyPoW1HdGeb75Gv+LJn2IAUtCe
kMQ46C9/fpGjxvgsb8lfQ+NBAoGAY2iiazKFk5SLYalIH057UxhgWd0a5XA5N+Bg
1hU8mbb1mWC3sEaTd36Hi7dvye/jXN8UiLecgaKjjjRhKqp68TnRbwV5MioFjTvn
1fQDOQl1vSkmPDiZ6iQVfDXN0EuECSWk0gy8fhicR2CrzoMn1sbO2tTwjujns4EN
5NhHYQ0CgYEAlp6XGwJ+Dih/uQgrRQA5BXB3GYlYpMOEUNJk/3oWh+tl+/vzPRjy
IEZ9jsJ7E3DGhWC9l/MTY8rWEq30B8Qca9trZilcKgLTlHUIVQJnlkLAS3t+48qa
faL1ev3/gJMIw06u/OT8Yl5D8ZzyK1R4YDvjOusdpfRSE6Jwq9Wrgoo=
-----END RSA PRIVATE KEY-----
[root@ha02 keys]# ls
www.app01.com.crt  www.app01.com.csr  www.app01.com.key  www.app01.com.pem

按照以上方法依次生www.app02.com.pem

[root@ha02 keys]# openssl genrsa -out www.app02.com.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................+++
..................................+++
e is 65537 (0x10001)
[root@ha02 keys]# openssl req -new -key www.app02.com.key -out www.app02.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:espressos
Organizational Unit Name (eg, section) []:espressos
Common Name (eg, your name or your servers hostname) []:www.app02.com
Email Address []:ck@163.com

Please enter the following extra attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ha02 keys]# ls
www.app01.com.crt  www.app01.com.key  www.app02.com.csr
www.app01.com.csr  www.app01.com.pem  www.app02.com.key
[root@ha02 keys]# openssl x509 -req -days 365 -in www.app02.com.csr -signkey www.app02.com.key -out www.app02.com.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=espressos/OU=espressos/CN=www.app02.com/emailAddress=ck@163.com
Getting Private key
[root@ha02 keys]# cat www.app02.com.crt www.app02.com.key |tee www.app02.com.pem
-----BEGIN CERTIFICATE-----
MIIDljCCAn4CCQCReUnUAKlUyDANBgkqhkiG9w0BAQUFADCBjDELMAkGA1UEBhMC
Q04xEDAOBgNVBAgMB0JlaUppbmcxEDAOBgNVBAcMB0JlaUppbmcxEjAQBgNVBAoM
CWVzcHJlc3NvczESMBAGA1UECwwJZXNwcmVzc29zMRYwFAYDVQQDDA13d3cuYXBw
MDIuY29tMRkwFwYJKoZIhvcNAQkBFgpja0AxNjMuY29tMB4XDTE2MTIxNzIxMDgy
MFoXDTE3MTIxNzIxMDgyMFowgYwxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlK
aW5nMRAwDgYDVQQHDAdCZWlKaW5nMRIwEAYDVQQKDAllc3ByZXNzb3MxEjAQBgNV
BAsMCWVzcHJlc3NvczEWMBQGA1UEAwwNd3d3LmFwcDAyLmNvbTEZMBcGCSqGSIb3
DQEJARYKY2tAMTYzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AK4xvT3wr0ndQqIJWjlHwZZ4fA/OzqXF4Nfg7WwnP4tITVnv/t2UdVAGJllCjcK6
cC6zLXVQ7vHkXVGlmuKhlwgrkXfFd6L1PuS4H5QTT8jFxIVJ+GsyqzXyceqxOcn4
n4yhyc+is0CdapC5QuRjXLFja6fjA2QJzlH2D2gFuQVOD80hhu+lLTlW+hkxUUfz
bthuUDg4WobUVENCdwlr1HjQPqmuo9Nh8tn6BXLtDYiQ4QPHJSFYQutYCbMovUuf
ETP49ovvahdCe2QaB0mrl32hQLTc8FRHqf9doukNycthI7KpVchcPoDseJcjVg34
UOSmQtN50vsC2UyFCb9fb8sCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEATHnHS+ZF
qUf8NuuZn6Iyw/U9ip5ArsJ/13pzjQmmD+eEDmw13ZDkHeiHD8bKxparZqq4zkg5
bBaj8bFWtWcMOc7MCFmd8RIjDATwOs15Uv7x+JHnxUVWCzOVFT0RNovVG1yEp+Rq
6Hu1zBj+yhK6Uj2cFTZOzBZH7+KSGzLOhSJmmqRoNVtnaw7bGqbUgUY/FgFS1rFw
5XXR1Ky02hx58HptF7GXEPav596g8HB+8SiLgkwESl//PYOISbb/KSVg68g7+c8N
SOdS1hci8GtmEW+c1b8tVy5xQZqO3T2Ob024xkNnZkvR0xeCor5loJh9EliSljCy
9s1F/eE2Rv2n4g==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEArjG9PfCvSd1CoglaOUfBlnh8D87OpcXg1+DtbCc/i0hNWe/+
3ZR1UAYmWUKNwrpwLrMtdVDu8eRdUaWa4qGXCCuRd8V3ovU+5LgflBNPyMXEhUn4
azKrNfJx6rE5yfifjKHJz6KzQJ1qkLlC5GNcsWNrp+MDZAnOUfYPaAW5BU4PzSGG
76UtOVb6GTFRR/Nu2G5QODhahtRUQ0J3CWvUeNA+qa6j02Hy2foFcu0NiJDhA8cl
IVhC61gJsyi9S58RM/j2i+9qF0J7ZBoHSauXfaFAtNzwVEep/12i6Q3Jy2EjsqlV
yFw+gOx4lyNWDfhQ5KZC03nS+wLZTIUJv19vywIDAQABAoIBAQCMRgOVqIcPnTy2
TX+5Vr5e1IFbHXetaM6qKTgn+uch20Rm42vCtXVOztT81ipgIFCMWr+FlHoGkpZP
VGOIkwWTj7oh0AOKV6Gg/2B2lqKOFCwwBaQldvUGiUkQ7EyUB0E8N2DTcrqUku8o
wfdLAXS4aE5eMOIfIgJiYBqB8vHOgXxhouuTGVrIucEUtdNFsAzgfEP6ZIA82Ju6
AAw0yL1jZSEDVcpNaiPk3aUDQab3PdafSq7/Jv+r4ON9UFxjSWBUHO28Fv4tBLnP
/dDzy6+wNwOhMywMtyMIk9QCks3hw2FM6rF6XELTI0yqJrVhY0C34uaLtg9kSy6x
Xhjl9vfBAoGBAOA9zBONdoN9a60Ow2HZQGe59rZBYU9S7l728UAnlFqrOvbLcNrV
sTzLTqIsv1cTGGoFOlkVQavrT86YlWSMmQ81WAySJz5/5Tde1FswUXJhJ+YHuCTH
HOBOPIE5Fhr614cNB78sdWvNN1WF/fRFxqJOSSuPoYjsTBfbfzw8AUTrAoGBAMbd
aRcrid9yRZ+ZSk5ut5gxjyZT/fpZdCpwuTRWGwHuDT+PtAtJHicq9OWp41RrlK15
C5hX8d2M7NxpJPf0lQP7KLUd3QSEpoXlRLyAXDgAKpQJKf01nU5rnk7Z3pUs616Q
tHhyUm/OojcMzYHpwib86TfZf42uNavqeQMtU0ihAoGAGSb1WBAbBf6wcDXitnv+
3GOgh6rntlUQBbjfMJn/6vef4oTJQNKNUctgI5KvV539tA6oD8vxlM4NIpg80Y1v
saQDH03ZdwozdLV/TkcqK5E4P3YIMp/e3k4IPVpg31/Zgv10K/5ZoWDgXwhrhtW4
xQXQ8UDoFoqisl5ddC0q20cCgYA9TozTY8zBYg0swqkxvNhExyKGgmZOA73YR6AR
DmqNEcJr0fWDdSsikA+nrdQzdmcDg8mbUaFy17s9x/xppLE75PYLwAUfG3Xq2V9z
bW8ApKx7rsePFDRGtM69KFWCT7LQGHRKnZPkfCNuLTg90L7WHioX2amFGCvbsBFW
dWazgQKBgCNS9WU81O67RnE18ymcjzmogBCV1us1SxaWQ7zJZwAc5of8717TqB+l
ZSgPkb8aSkQIVBp3qKYOgNn51/WK6fSFE2jKVQFHCGrVcs7f1Ofru3Wey38qMZ0y
xz5HBI0G/G+ICzsQwTUNTjw2vcUWWwV4jaKpQkOGUlcJVDIJO/l6
-----END RSA PRIVATE KEY-----
[root@ha02 keys]# ls
www.app01.com.crt  www.app01.com.key  www.app02.com.crt  www.app02.com.key
www.app01.com.csr  www.app01.com.pem  www.app02.com.csr  www.app02.com.pem
[root@ha02 haproxy-1.4.26]# cat conf/haproxy.cfg
global
    log 127.0.0.1 local0 info
    maxconn 51200
    user nobody
    group nobody
    daemon
    nbproc 1
    pidfile /var/run/haproxy.pid
defaults
    log global
    option tcplog
    option httpclose
    option forwardfor except 127.0.0.0/8
    option redispatch
    option dontlognull
    retries 3
    timeout client 1m
    timeout server 1m
    timeout http-request    10s
    timeout    http-keep-alive    10s
    timeout    queue    1m
    maxconn    10000
listen admin_stats
    bind 0.0.0.0:8000
    stats refresh 30s
    stats uri /vip
    stats realm hello chenlin
    stats auth admin:admin@!
    stats hide-version
    stats admin if TRUE
    mode http
    #server sshd 192.168.1.104:22 check port 22 inter 5000 fall 5
    
frontend www.app01.com
    mode http
    bind 0.0.0.0:443 ssl crt /etc/ssl/keys/www.app01.com.pem crt /etc/ssl/keys/www.app02.com.pem
    use_backend www_app01_com if { ssl_fc_sni www.app01.com }
    use_backend www_app02_com if { ssl_fc_sni www.app02.com }
backend www_app01_com
    mode http
    server app01 192.168.1.108:8010
backend www_app02_com
    mode http
    server app02 192.168.1.109:8020

haproxy 实现了多域https

[root@ha02 haproxy-1.5.2]# ./sbin/haproxy -v
HA-Proxy version 1.5-dev19 2013/06/17
Copyright 2000-2013 Willy Tarreau <w@1wt.eu>

 

haproxy 实现多域名证书https