当前位置：首页 > news >正文

使用ssl_certificate_by_lua指令动态加载证书

news 2025/9/14 12:32:06

1、下载 OpenResty - 下载

根据自己系统选择下载，我的是64位

2、解压到目录

3、启动openresty

进入解压后的目录，执行nginx.exe

浏览器输入 http://localhost 查看是否正常。显示以下画面就表示没有问题。

接下来可以开始准备动态安装证书

4、使用openssl-win64生成测试证书（待补充）

openssl 下载地址。也可以使用csdn下载

5、进入conf目录，编辑nginx.conf

#增加ssl server配置server {listen       443 ssl;server_name  localhost;ssl_certificate      cert/server.crt;ssl_certificate_key  cert/server.key;ssl_certificate_by_lua_file conf\cert\ssl.lua;ssl_session_cache    shared:SSL:1m;ssl_session_timeout  5m;ssl_ciphers  HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers  on;location / {root   html;index  index.html index.htm;}}

6、编写ssl.lua ，放到conf/cert下

local ssl = require "ngx.ssl"-- 清除之前设置的证书和私钥
local ok, err = ssl.clear_certs()
if not ok thenngx.log(ngx.ERR, "failed to clear existing (fallback) certificates")return ngx.exit(ngx.ERROR)
end-- 获取证书内容，比如 io.open("my.crt"):read("*a")
local cert_data, err
cert_data = io.open("conf\\cert\\localhost.crt"):read("*a")
if not cert_data thenngx.log(ngx.ERR, "failed to get PEM cert: ", err)return
end-- 解析出 cdata 类型的证书值，你可以用 lua-resty-lrucache 缓存解析结果
local cert, err = ssl.parse_pem_cert(cert_data)
if not cert thenngx.log(ngx.ERR, "failed to parse PEM cert: ", err)return
endlocal ok, err = ssl.set_cert(cert)
if not ok thenngx.log(ngx.ERR, "failed to set cert: ", err)return
endlocal pkey_data, err
pkey_data = io.open("conf\\cert\\localhost.key"):read("*a")
if not pkey_data thenngx.log(ngx.ERR, "failed to get DER private key: ", err)return
endlocal pkey, err = ssl.parse_pem_priv_key(pkey_data)
if not pkey thenngx.log(ngx.ERR, "failed to parse pem key: ", err)return
endlocal ok, err = ssl.set_priv_key(pkey)
if not ok thenngx.log(ngx.ERR, "failed to set private key: ", err)return
end

查看全文

http://www.lryc.cn/news/221699.html