安装openresty
安装openresty
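# Dependencies needed to fetch and import the GPG key (they can be removed
# once the whole install is done):
sudo apt-get -y install --no-install-recommends wget gnupg ca-certificates
# Import the signing key into a dedicated keyring. `apt-key add` is deprecated
# and trusts the key for *every* repository; a keyring referenced through
# `signed-by` limits it to the OpenResty repository only.
sudo mkdir -p /etc/apt/keyrings
wget -O - https://openresty.org/package/pubkey.gpg \
  | sudo gpg --dearmor --batch --yes -o /etc/apt/keyrings/openresty.gpg
# Add the official APT repository, pinned to the keyring above
# (`lsb_release -sc` yields the Ubuntu codename, e.g. jammy):
echo "deb [signed-by=/etc/apt/keyrings/openresty.gpg] http://openresty.org/package/ubuntu $(lsb_release -sc) main" \
  | sudo tee /etc/apt/sources.list.d/openresty.list >/dev/null
# Refresh the APT index:
sudo apt-get update
# Install: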
sudo apt-get -y install openresty

配置自签名SSL
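# TLS-terminating stream server in front of the MQTT upstream. Directives such
# as proxy_timeout / proxy_protocol are stream-module directives, so this block
# belongs inside `stream { ... }`, not `http { ... }`.
server {
    listen 9883 ssl;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_certificate cert/mqtts.xiaolizi.tech.pem;
    ssl_certificate_key cert/mqtts.xiaolizi.tech.key;
    ssl_verify_depth 2;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and rejected by current
    # clients, so only 1.2 and 1.3 are offered. TLS 1.3 requires an
    # OpenSSL 1.1.1+ build of OpenResty.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # Mutual TLS: add the CA certificate and enable client verification
    # ssl_client_certificate /usr/local/nginx/certs/ca.pem;
    # ssl_verify_client on;
    # ssl_verify_depth 1;

    # `mqtt_servers` is an upstream block defined elsewhere (not on this page).
    proxy_pass mqtt_servers;
    # When enabled, the corresponding backend listener must enable
    # proxy_protocol as well
    proxy_protocol off;
    proxy_connect_timeout 10s;
    # Default heartbeat interval is 10 minutes
    proxy_timeout 1800s;
    proxy_buffer_size 3M;
    tcp_nodelay on;
    # Maximum concurrent connections per client address; requires a
    # `limit_conn_zone ... zone=addr:...` in the enclosing stream block.
    limit_conn addr 10;
    limit_conn_log_level error;
}

名称也可以是这样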
# Dynamic certificate loading
# NOTE(review): these are the same static ssl_certificate directives as in the
# server block above; only the file extension (.crt instead of .pem) differs.
# nginx does not interpret the extension, so either name works.
ssl_certificate cert/mqtts.xiaolizi.tech.crt;
ssl_certificate_key cert/mqtts.xiaolizi.tech.key;

一键生成脚本 generate_100year_cert.sh
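#!/bin/bash
# generate_100year_cert.sh
#
# Generates a self-signed certificate for DOMAIN under CERT_DIR, plus a PEM
# bundle (key + cert) and a PKCS#12 keystore. Requires sudo and
# openssl >= 1.1.1 (for `x509 -ext`).
#
# Environment overrides (all optional, defaults match the original script):
#   DOMAIN        certificate CN and primary SAN
#   DAYS          validity in days (36525 is roughly 100 years; public CAs and
#                 browsers cap validity far lower, this is for a private anchor)
#   P12_PASSWORD  PKCS#12 export password — set it, the default is a placeholder
set -euo pipefail

DOMAIN="${DOMAIN:-mqtts.xiaolizi.tech}"
DAYS="${DAYS:-36525}"
CERT_DIR="/etc/ssl/$DOMAIN"
P12_PASSWORD="${P12_PASSWORD:-xiaolizi123}"

echo "为域名 $DOMAIN 生成100年SSL证书..."

# Create the target directory and work inside it. Abort if cd fails so the
# key material is never written to the caller's current directory.
sudo mkdir -p -- "$CERT_DIR"
cd -- "$CERT_DIR" || exit 1
# From here on nothing is created world-readable, not even transiently; the
# public files get an explicit chmod 644 at the end.
umask 077

# Private key (4096-bit RSA).
echo "生成私钥..."
sudo openssl genrsa -out "$DOMAIN.key" 4096

# OpenSSL request/extension config. The here-doc delimiter is unquoted on
# purpose so $DOMAIN is expanded into the file.
# NOTE(review): basicConstraints=CA:TRUE plus keyCertSign makes this leaf its
# own trust anchor (useful when the same file is used as
# ssl_client_certificate); do not reuse this extension set for certificates
# issued by a real CA.
echo "生成配置文件..."
sudo tee openssl.conf >/dev/null << EOF
[req]
default_bits = 4096
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn
req_extensions = req_ext
[dn]
C = CN
ST = Beijing
L = Beijing
O = Xiaolizi Technology Co., Ltd.
OU = IoT/MQTT Service
CN = $DOMAIN
emailAddress = admin@xiaolizi.tech
[v3_req]
subjectAltName = @alt_names
basicConstraints = CA:TRUE
keyUsage = digitalSignature, keyEncipherment, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $DOMAIN
DNS.2 = *.$DOMAIN
DNS.3 = mqtt.xiaolizi.tech
DNS.4 = *.xiaolizi.tech
DNS.5 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
EOF

# Self-signed certificate in one step.
echo "生成自签名证书(有效期100年)..."
sudo openssl req -x509 -new -nodes -key "$DOMAIN.key" \
  -days "$DAYS" -out "$DOMAIN.crt" \
  -config openssl.conf \
  -extensions v3_req

# PEM bundle = private key + certificate. The write must happen as root too:
# a plain `sudo cat ... > file` redirects in the unprivileged shell and fails
# in a root-owned directory. The bundle contains the key, so it is kept 600.
echo "生成PEM文件..."
sudo cat "$DOMAIN.key" "$DOMAIN.crt" | sudo tee "$DOMAIN.pem" >/dev/null

# PKCS#12 (Java keystores etc.). The password is supplied on stdin instead of
# `-password pass:...`, which would expose it in `ps` output and shell history.
echo "生成PKCS12文件..."
printf '%s\n' "$P12_PASSWORD" | sudo openssl pkcs12 -export -out "$DOMAIN.p12" \
  -inkey "$DOMAIN.key" -in "$DOMAIN.crt" \
  -passout stdin

# Permissions: everything holding the private key stays owner-only; only the
# bare certificate is public.
echo "设置文件权限..."
sudo chmod 600 "$DOMAIN.key" "$DOMAIN.pem" "$DOMAIN.p12"
sudo chmod 644 "$DOMAIN.crt"

# Show the certificate details (printf instead of `echo -e`: portable escapes).
printf '\n=== 证书生成完成 ===\n'
echo "证书位置: $CERT_DIR"
printf '\n证书有效期:\n'
sudo openssl x509 -in "$DOMAIN.crt" -noout -dates
printf '\n证书指纹:\n'
sudo openssl x509 -in "$DOMAIN.crt" -noout -fingerprint -sha256
printf '\n主题信息:\n'
sudo openssl x509 -in "$DOMAIN.crt" -noout -subject
printf '\n备用名称:\n'
sudo openssl x509 -in "$DOMAIN.crt" -noout -ext subjectAltName

# Optional "CA" certificate.
# NOTE(review): it is signed with the *same* key as the server certificate, so
# it is not an independent trust anchor — whoever holds $DOMAIN.key controls
# it. A real CA needs its own key kept apart from the server key.
printf '\n生成CA证书...\n'
sudo openssl req -x509 -new -nodes -key "$DOMAIN.key" \
  -days "$DAYS" -out ca.crt \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Xiaolizi Tech CA/CN=Xiaolizi Root CA"
# Certificates are public; undo the restrictive umask for this one.
sudo chmod 644 ca.crt
printf '\n=== 生成的文件列表 ===\n'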
ls -la $CERT_DIR/

验证证书
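# Verification script — run after generate_100year_cert.sh.
# Checks the validity window, dumps the certificate, and verifies the
# self-signed certificate against itself.
# `pipefail` is deliberately not set: `openssl x509 -text | head -50` closes
# the pipe early and would otherwise turn a truncated dump into a failure.
set -eu

CERT_DIR="/etc/ssl/mqtts.xiaolizi.tech"
CERT="mqtts.xiaolizi.tech.crt"

echo "验证证书..."
# Abort if the directory is missing rather than checking files in the
# caller's current directory.
cd -- "$CERT_DIR" || exit 1

# 1. Validity window
echo "1. 有效期检查:"
sudo openssl x509 -in "$CERT" -noout -dates

# 2. Full decoded certificate (first 50 lines)
printf '\n2. 证书详细信息:\n'
sudo openssl x509 -in "$CERT" -text -noout | head -50

# 3. Chain check. The certificate is self-signed, so it serves as its own
# trust anchor here; this proves the signature is consistent, not that any
# client trusts it.
printf '\n3. 验证证书链:\n'
sudo openssl verify -CAfile "$CERT" "$CERT"

# 4. Connection test (printed, not executed)
# NOTE(review): the nginx listener configured above is `listen 9883 ssl`;
# port 8883 here may be the backend broker rather than the TLS front end —
# confirm which endpoint is meant before relying on this command.
printf '\n4. 测试SSL连接(模拟):\n'
echo "可以使用以下命令测试:"
echo "openssl s_client -connect mqtts.xiaolizi.tech:8883 -servername mqtts.xiaolizi.tech"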