一、 自签名根证书
1. 生成根证书密钥
|
1 |
openssl genrsa -out ./root.key 2048 |
2. 生成根证书
|
1 2 3 4 5 6 7 8 9 10 |
openssl req -x509 -new -key ./root.key -out ./root.pem -days 365
交互信息 Country Name (2 letter code) []:CN State or Province Name (full name) []:HeNan Locality Name (eg, city) []:HZG Organization Name (eg, company) []:www.hzg.com Organizational Unit Name (eg, section) []:HZG Common Name (eg, fully qualified host name) []:HZG Email Address []:123456789@qq.com |
二、生成应用证书
1. 生成应用证书密钥
|
1 |
openssl genrsa -out webdav.key 2048 |
2. 生成应用证书请求
|
1 |
openssl req -new -key webdav.key -out webdav.csr |
3. 创建证书附加用途文件
基于域名的证书
这里解决的问题是浏览器访问网页验证证书域名的问题,保存为 webdav.ext 文件,生成证书的时候使用
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
基于域名的证书 keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ] DNS.1=hzgwebdav.com DNS.2=*.hzgwebdav.com
基于IP的证书 keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ] IP.1=192.168.0.1 IP.2=192.168.0.2 |
4. 签发证书
|
1 |
openssl x509 -req -in webdav.csr -CA root.pem -CAkey root.key -CAcreateserial -out webdav.crt -days 365 -sha256 -extfile webdav.ext |
三、Nginx 部署 Webdav 服务
1. 生成 Webdav 用户密码文件
|
1 |
echo hzg:$(openssl passwd -crypt 12345678)>/path/certs/webdav/webdavpasswd |
2. Nginx WebDav 配置
注意 Nginx 需要安装以下模块
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 |
nginx-dav-ext-module ngx_http_headers_module
dav_ext_lock_zone zone=davlock:10m; # Http 配置 server { listen 8080; server_name hzgwebdav.com *.hzgwebdav.com;
location / { root /path/webdav; autoindex_localtime on;
set $dest $http_destination; if (-d $request_filename) { # 对目录请求、对URI自动添加"/" rewrite ^(.*[^/])$ $1/; set $dest $dest/; }
if ($request_method ~ (MOVE|COPY)) { # 对MOVE|COPY方法强制添加Destination请求头 more_set_input_headers 'Destination: $dest'; }
if ($request_method ~ MKCOL) { rewrite ^(.*[^/])$ $1/ break; }
client_body_temp_path /tmp;
dav_methods PUT DELETE MKCOL COPY MOVE; # DAV支持的请求方法 dav_ext_methods PROPFIND OPTIONS LOCK UNLOCK; # DAV扩展支持的请求方法 dav_ext_lock zone=davlock; # DAV扩展锁绑定的内存区域 create_full_put_path on; # 启用创建目录支持 dav_access user:rw group:r all:r; # 设置创建的文件及目录的访问权限
auth_basic "Authorized Users WebDAV"; auth_basic_user_file /path/certs/webdav/webdavpasswd; } }
# Https 配置 server { listen 443 ssl; server_name hzgwebdav.com *.hzgwebdav.com;
autoindex on;
ssl_certificate "/path/certs/webdav/webdav.crt"; ssl_certificate_key "/path/certs/webdav/webdav.key";
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 ; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_stapling off;
location / { root /path/webdav; autoindex_localtime on;
set $dest $http_destination; if (-d $request_filename) { # 对目录请求、对URI自动添加"/" rewrite ^(.*[^/])$ $1/; set $dest $dest/; }
if ($request_method ~ (MOVE|COPY)) { # 对MOVE|COPY方法强制添加Destination请求头 more_set_input_headers 'Destination: $dest'; }
if ($request_method ~ MKCOL) { rewrite ^(.*[^/])$ $1/ break; }
client_body_temp_path /tmp;
dav_methods PUT DELETE MKCOL COPY MOVE; # DAV支持的请求方法 dav_ext_methods PROPFIND OPTIONS LOCK UNLOCK; # DAV扩展支持的请求方法 dav_ext_lock zone=davlock; # DAV扩展锁绑定的内存区域 create_full_put_path on; # 启用创建目录支持 dav_access user:rw group:r all:r; # 设置创建的文件及目录的访问权限
auth_basic "Authorized Users WebDAV"; auth_basic_user_file /path/certs/webdav/webdavpasswd; } } |
