From 0e49c534b2e308f7cf3fb22639016d9afe48dc58 Mon Sep 17 00:00:00 2001
From: lc <admin@wiz.cn>
Date: Wed, 22 Oct 2025 02:50:34 +0000
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=20lssl.sh?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

内网证书部署
---
 lssl.sh | 81 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 lssl.sh

diff --git a/lssl.sh b/lssl.sh
new file mode 100644
index 0000000..fd7d2aa
--- /dev/null
+++ b/lssl.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+# 一键生成内网IP-HTTPS证书 & 配置Nginx
+# 使用前请确认已安装 nginx & openssl
+
+# ------------------------------
+# 配置参数
+SERVER_IP="10.105.36.33"     # <-- 修改为你的内网IP
+PORT1=3001
+PORT2=444
+PORT3=445
+BACKEND1=3000
+BACKEND2=4000
+BACKEND3=5000
+SSL_DIR="/home/ssl"
+NGX_CONF_DIR="/etc/nginx/conf.d"
+# ------------------------------
+
+set -e
+
+echo "==== 2. 生成根CA（有效期10年） ===="
+sudo openssl genrsa -out myCA.key 4096
+sudo openssl req -x509 -new -nodes -key myCA.key -sha256 -days 3650 -out myCA.crt \
+  -subj "/C=CN/ST=Beijing/L=Beijing/O=MyCompany/OU=IT/CN=MyInternalCA"
+
+echo "==== 3. 生成站点私钥 ===="
+sudo openssl genrsa -out site.key 2048
+
+echo "==== 4. 创建站点CSR配置（包含SAN: $SERVER_IP） ===="
+cat > site.cnf <<EOF
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+req_extensions = req_ext
+
+[dn]
+C = CN
+ST = Beijing
+L = Beijing
+O = MyCompany
+OU = IT
+CN = $SERVER_IP
+
+[req_ext]
+subjectAltName = @alt_names
+
+[alt_names]
+IP.1 = $SERVER_IP
+EOF
+
+echo "==== 5. 生成站点CSR ===="
+sudo openssl req -new -key site.key -out site.csr -config site.cnf
+
+echo "==== 6. 配置v3.ext以支持SAN ===="
+cat > v3.ext <<EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+IP.1 = $SERVER_IP
+EOF
+
+echo "==== 7. 用根CA签发站点证书（有效期1年） ===="
+sudo openssl x509 -req -in site.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial \
+  -out site.crt -days 365 -sha256 -extfile v3.ext
+
+echo "==== ✅部署完成 ===="
+echo "根CA证书文件: $SSL_DIR/myCA.crt （导入到客户端受信任根证书颁发机构）"
+echo "IP访问地址:"
+echo "  https://$SERVER_IP:$PORT1  → 后端 $BACKEND1"
+echo "  https://$SERVER_IP:$PORT2  → 后端 $BACKEND2"
+echo "  https://$SERVER_IP:$PORT3  → 后端 $BACKEND3"
+echo
+echo "💡 导入根CA后，浏览器应显示安全小锁。"
+echo "- Windows: 双击myCA.crt → 安装到本地计算机 → 受信任的根证书颁发机构"
+echo "- macOS: 双击myCA.crt → 钥匙串(系统) → 始终信任"
+echo "- Linux(Ubuntu): sudo cp myCA.crt /usr/local/share/ca-certificates/ && sudo update-ca-certificates"