使用openssl生成自定义证书放到配置目录下的/certs文件夹下,取名为private.key 和 public.crt
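# Generate the 2048-bit RSA private key. Keep private.key readable only by the
# account that runs the TLS endpoint; anyone who can read it can impersonate the server.
openssl genrsa -out private.key 2048

# Build the signing request. The subject is prompted for interactively and the
# v3_req section of openssl.cnf supplies the requested extensions (including subjectAltName).
openssl req -new -sha256 -key private.key -out minio.csr -config openssl.cnf -extensions v3_req

# Self-sign the request with the same key. -extfile/-extensions are needed here
# because x509 -req does not copy extensions from the CSR by default.
# Without -days the certificate is valid for only 30 days; 365 is an example
# value, choose a lifetime that matches your rotation policy.
openssl x509 -req -sha256 -days 365 -in minio.csr -signkey private.key -out public.crt -extfile openssl.cnf -extensions v3_req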
Country Name (2 letter code) []:CN // 输入国家代码,中国填写 CN
State or Province Name (full name) []:FJ // 输入省份,这里填写 FJ
Locality Name (eg, city) []:FZ // 输入城市,我们这里也填写 FZ
Organization Name (eg, company) []:centerm // 输入组织机构(或公司名)
Organizational Unit Name (eg, section) []:xtfab // 输入机构部门
Common Name (eg, fully qualified host name) []:centerm.com // 输入域名
Email Address []:weifei@centerm.com // 你的邮箱地址
编辑 openssl.cnf
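# openssl.cnf: passed to `openssl req` via -config and to `openssl x509` via -extfile.
[req]
distinguished_name = req_distinguished_name
# Section whose extensions are added to the certificate request.
req_extensions = v3_req

# Prompt texts and default values for the subject name fields.
# NOTE(review): the sample prompt session on this page also asks for
# Organization Name and Email Address, which are not defined here; confirm
# which set of fields is intended.
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = FJ
localityName = Locality Name (eg, city)
localityName_default = FZ
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = centerm
# The value on this line is the prompt shown to the operator, not the name itself.
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64

[v3_req]
# Extensions to add to a certificate request
# Leaf certificate: it must not be accepted as an issuer of other certificates.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Limit the certificate to TLS server authentication.
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# Clients check the address they connect to against these entries, so list
# every IP (IP.n) and host name (DNS.n) used to reach the service.
IP.1 = 10.17.70.6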
配置nginx安全认证(如果是docker注意把证书文件进行映射)
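# Backend MinIO nodes that nginx balances requests across.
upstream minio {
    server [YOUR IP]:9001;
    server [YOUR IP]:9002;
    server [YOUR IP]:9003;
    server [YOUR IP]:9004;
}

# TLS front end for the MinIO cluster.
server {
    # TLS is enabled on the listening socket; the separate "ssl on;" directive
    # is deprecated and rejected by current nginx releases.
    listen 9000 ssl;
    server_name minio;

    # The private key must be readable only by the nginx account.
    ssl_certificate_key /etc/minio/certs/private.key;
    ssl_certificate /etc/minio/certs/public.crt;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        # The hop to the backends is encrypted, but nginx does not verify the
        # upstream certificate unless proxy_ssl_verify is turned on together
        # with proxy_ssl_trusted_certificate.
        proxy_pass https://minio;
        # Forward the Host header sent by the client unchanged.
        proxy_set_header Host $http_host;
        # Upper bound on the request body size accepted from clients.
        client_max_body_size 1000m;
    }
}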
重启Nginx后访问 https://[YOUR IP]:9000(证书为自签名,客户端需要先信任 public.crt;访问所用的 IP 必须包含在 openssl.cnf 的 subjectAltName 中,否则证书校验会失败)