-
-
Save zhangshine/4f84d26b6aead1bef32e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #user nobody; | |
| worker_processes 1; | |
| #error_log logs/error.log; | |
| #error_log logs/error.log notice; | |
| error_log logs/error.log debug; | |
| #pid logs/nginx.pid; | |
| daemon off; | |
| user www-data; | |
| events { | |
| worker_connections 1024; | |
| } | |
| http { | |
| include mime.types; | |
| default_type text/html; | |
| server_tokens off; | |
| lua_shared_dict my_locks 100k; | |
| lua_package_path "lua/?.lua;../lua-resty-core/lib/?.lua;;"; | |
| resolver 8.8.8.8; | |
| sendfile on; | |
| keepalive_timeout 65; | |
| init_by_lua ' | |
| '; | |
| server { | |
| listen 0.0.0.0:3128; | |
| server_name _; | |
| location / { | |
| proxy_set_header Host $host; | |
| proxy_pass_header Server; | |
| proxy_pass http://$host:80; | |
| } | |
| } | |
| server { | |
| listen 0.0.0.0:3129 ssl; | |
| server_name _; | |
| ssl on; | |
| ssl_session_cache builtin:1000 shared:SSL:10m; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; | |
| ssl_prefer_server_ciphers on; | |
| ssl_certificate ./ssl/test.crt; | |
| ssl_certificate_key ./ssl/test.key; | |
| ssl_certificate_by_lua ' | |
| local ssl = require "ngx.ssl" | |
| local resty_lock = require "resty.lock" | |
| ssl.clear_certs() | |
| local common_name = ssl.server_name() | |
| if common_name == nil then | |
| common_name = "unknown" | |
| end | |
| local key_data = nil; | |
| local f = io.open(string.format("/usr/local/openresty/nginx/conf/ssl/%s-key.der", common_name), "r") | |
| if f then | |
| key_data = f:read("*a") | |
| f:close() | |
| end | |
| local cert_data = nil; | |
| local f = io.open(string.format("/usr/local/openresty/nginx/conf/ssl/%s-cert.der", common_name), "r") | |
| if f then | |
| cert_data = f:read("*a") | |
| f:close() | |
| end | |
| if key_data and cert_data then | |
| local ok, err = ssl.set_der_priv_key(key_data) | |
| if not ok then | |
| ngx.log(ngx.ERR, "failed to set DER priv key: ", err) | |
| return | |
| end | |
| local ok, err = ssl.set_der_cert(cert_data) | |
| if not ok then | |
| ngx.log(ngx.ERR, "failed to set DER cert: ", err) | |
| return | |
| end | |
| return | |
| end | |
| -- prevent creating same certificate twice using lock | |
| local lock = resty_lock:new("my_locks") | |
| local elapsed, err = lock:lock(common_name) | |
| if not elapsed then | |
| return fail("failed to acquire the lock: ", err) | |
| end | |
| -- generate new private key | |
| ngx.log(ngx.INFO, "generating key") | |
| local key_data, err = ssl.rsa_generate_key(2048) | |
| if not key_data then | |
| ngx.log(ngx.ERR, "failed to generate rsa key: ", err) | |
| return | |
| end | |
| local csr, err = ssl.generate_certificate_sign_request(key_data, { | |
| country = "NL", | |
| state = "Test", | |
| city = "City", | |
| organisation = "Organisation", | |
| common_name = common_name | |
| }) | |
| if not csr then | |
| ngx.log(ngx.ERR, "failed to create sign request: ", err) | |
| return | |
| end | |
| ngx.log(ngx.ERR, "generated csr: ", csr, err) | |
| -- load ca key | |
| local f = assert(io.open("/usr/local/openresty/nginx/conf/ssl/ca.pem")) | |
| local ca = f:read("*a") | |
| f:close() | |
| if not ca then | |
| ngx.log(ngx.ERR, "failed to load cakey: ", err) | |
| return | |
| end | |
| -- create certificate using csr req | |
| cert_data, err = ssl.sign_csr({ | |
| ca = ca, | |
| csr = csr | |
| }) | |
| if not cert_data then | |
| ngx.log(ngx.ERR, "failed to sign: ", err) | |
| return | |
| end | |
| -- write certificate to cache | |
| local f = assert(io.open(string.format("/usr/local/openresty/nginx/conf/ssl/%s-key.csr", common_name), "w")) | |
| f:write(key_data) | |
| f:close() | |
| local ok, err = ssl.set_der_priv_key(key_data) | |
| if not ok then | |
| ngx.log(ngx.ERR, "failed to set DER priv key: ", err) | |
| return | |
| end | |
| local f = assert(io.open(string.format("/usr/local/openresty/nginx/conf/ssl/%s-cert.der", common_name), "w")) | |
| f:write(cert_data) | |
| f:close() | |
| local ok, err = ssl.set_der_cert(cert_data) | |
| if not ok then | |
| ngx.log(ngx.ERR, "failed to set DER cert: ", err) | |
| return | |
| end | |
| local ok, err = lock:unlock() | |
| if not ok then | |
| return fail("failed to unlock: ", err) | |
| end | |
| '; | |
| lua_need_request_body on; | |
| client_max_body_size 100k; | |
| client_body_buffer_size 100k; | |
| server_tokens off; | |
| location / { | |
| proxy_ssl_verify off; | |
| proxy_set_header Host $host; | |
| proxy_pass_header Server; | |
| proxy_pass https://$host:443; | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment