本文承接上一篇博文:https://blog.youkuaiyun.com/yin_slin/article/details/81130568
为emq集群前端haproxy配置ssl双向认证,采用的方案为:客户端通过ssl访问haproxy,haproxy转发请求到后端不使用ssl。
一、生成自签名证书:
1、生成根证书私钥:
openssl genrsa -out ca.key 2048 -passout pass:changeit
2、生成根证书
openssl req -x509 -new -key ca.key -out ca.crt -days 36500 -subj "/C=CN/ST=SH/L=SHANGHAI/O=smtc/OU=saicmotor/CN=10.128.147.16" -passout pass:changeit
3、生成客户端私钥
openssl genrsa -out client.key 2048 -passout pass:changeit
4、生成客户端证书请求文件
openssl req -new -key client.key -out client.csr -passin pass:changeit -subj "/C=CN/ST=SH/L=SHANGHAI/O=smtc/OU=saicmotor/CN=10.128.147.23"
5、用根证书签发客户端证书请求文件,生成客户端证书
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out client.crt
6、生成服务端私钥
openssl genrsa -out server.key 2048 -passout pass:changeit
7、生成服务端证书请求文件
openssl req -new -key server.key -out server.csr -passin pass:changeit -subj "/C=CN/ST=SH/L=SHANGHAI/O=smtc/OU=saicmotor/CN=10.128.147.20"
8、用根证书签发服务端证书请求文件,生成服务端证书
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt
9、打包客户端证书和私钥
openssl pkcs12 -export -in client.crt -inkey client.key -out client.pkcs12 -passin pass:changeit -passout pass:changeit -name client
10、打包服务端证书和私钥
openssl pkcs12 -export -in server.crt -inkey server.key -out server.pkcs12 -passin pass:changeit -passout pass:changeit -name server
11、生成客户端keystore,pkcs12转jks
keytool -importkeystore -srckeystore client.pkcs12 -destkeystore client.jks -srcstoretype pkcs12 -srckeypass changeit -destkeypass changeit -srcstorepass changeit -deststorepass changeit -destalias client -srcalias client
12、生成服务端keystore,pkcs12转jks
keytool -importkeystore -srckeystore server.pkcs12 -destkeystore server.jks -srcstoretype pkcs12 -srckeypass changeit -destkeypass changeit -srcstorepass changeit -deststorepass changeit -destalias server -srcalias server
13、生成客户端的truestore
A、导入根证书
echo y | keytool -importcert -alias ca -file ca.crt -keystore client-trust.jks -storepass changeit
B、导入客户端证书
echo y | keytool -importcert -alias client -file client.crt -keystore client-trust.jks -storepass changeit
14、生成服务端的truestore
A、导入根证书
echo y | keytool -importcert -alias ca -file ca.crt -keystore server-trust.jks -storepass changeit
B、导入服务端证书
echo y | keytool -importcert -alias server -file server.crt -keystore server-trust.jks -storepass changeit
15、将服务端证书和私钥打包成一个pem文件(haproxy使用)
cat server.key server.crt | tee server-allinone.pem
二、配置haproxy:
frontend client-tcp-in
mode tcp
option tcplog
bind 0.0.0.0:8888 ssl crt /opt/ssl/server-allinone.pem ca-file /opt/ssl/ca.crt verify required
default_backend to-emq-brokers
backend to-emq-brokers
mode tcp
balance roundrobin
server emq-1 10.135.78.20:1883 weight 1 maxconn 1500 inter 2000 check
server emq-2 10.135.78.23:1883 weight 1 maxconn 1500 inter 2000 check
server emq-3 10.135.78.54:1883 weight 1 maxconn 1500 inter 2000 check