#!/bin/bash
# 一键生成内网IP-HTTPS证书 & 配置Nginx
# 使用前请确认已安装 nginx & openssl

# ------------------------------
# 配置参数
SERVER_IP="10.105.36.**"     # <-- 修改为你的内网IP
PORT1=3001
PORT2=444
PORT3=445
BACKEND1=3000
BACKEND2=4000
BACKEND3=5000
SSL_DIR="/home/ssl"
NGX_CONF_DIR="/etc/nginx/conf.d"
# ------------------------------

set -e

echo "==== 2. 生成根CA--有效期10年 ===="
sudo openssl genrsa -out myCA.key 4096
sudo openssl req -x509 -new -nodes -key myCA.key -sha256 -days 3650 -out myCA.crt \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=MyCompany/OU=IT/CN=MyInternalCA"

echo "==== 3. 生成站点私钥 ===="
sudo openssl genrsa -out site.key 2048

echo "==== 4. 创建站点CSR配置(包含SAN: $SERVER_IP) ===="
cat > site.cnf <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[dn]
C = CN
ST = Beijing
L = Beijing
O = MyCompany
OU = IT
CN = $SERVER_IP

[req_ext]
subjectAltName = @alt_names

[alt_names]
IP.1 = $SERVER_IP
EOF

echo "==== 5. 生成站点CSR ===="
sudo openssl req -new -key site.key -out site.csr -config site.cnf

echo "==== 6. 配置v3.ext以支持SAN ===="
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = $SERVER_IP
EOF

echo "==== 7. 用根CA签发站点证书(有效期1年) ===="
sudo openssl x509 -req -in site.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial \
  -out site.crt -days 365 -sha256 -extfile v3.ext

echo "==== ✅部署完成 ===="
echo "根CA证书文件: $SSL_DIR/myCA.crt （导入到客户端受信任根证书颁发机构）"
echo "IP访问地址:"
echo "  https://$SERVER_IP:$PORT1  → 后端 $BACKEND1"
echo "  https://$SERVER_IP:$PORT2  → 后端 $BACKEND2"
echo "  https://$SERVER_IP:$PORT3  → 后端 $BACKEND3"
echo
echo "💡 导入根CA后,浏览器应显示安全小锁。"
echo "- Windows: 双击myCA.crt → 安装到本地计算机 → 受信任的根证书颁发机构"
echo "- macOS: 双击myCA.crt → 钥匙串(系统) → 始终信任"
echo "- Linux(Ubuntu): sudo cp myCA.crt /usr/local/share/ca-certificates/ && sudo update-ca-certificates"