
Multiple SSL Certificates per node server

We want to support the landing pages created on our website being served over https on the custom domains on which our users wish to serve the page. So we can have a separate SSL certificate for each of our users, and we have a node server. We want to achieve the following:

1) Attach multiple SSL certificates to the node server.
2) We need a way to attach certificates to the server at any instant in time, e.g. whenever we get a domain from our customers.

Let's Encrypt w/ Greenlock Express v3

I'm the author of Greenlock Express, which is Let's Encrypt for Node.js, Express, etc.

I'm still in the middle of writing the v3 documentation (lots of broken links to examples that haven't been converted from v2 yet), but the setup looks a little like this:

require("greenlock-express")
    .init(function getConfig() {
        return {
          package: require("./package.json"),
          manager: 'greenlock-manager-fs',
          cluster: false,
          configFile: '~/.config/greenlock/manager.json'
        };
    })
    .serve(httpsWorker);

function httpsWorker(server) {
    // Works with any Node app (Express, etc)
    var app = require("./my-express-app.js");

    // See, all normal stuff here
    app.get("/hello", function(req, res) {
        res.end("Hello, Encrypted World!");
    });

    // Serves on 80 and 443
    // Gets SSL certificates magically!
    server.serveApp(app);
}

It uses http2 by default on node v12+, and also works with node cluster so that you can take advantage of multiple cores.

It uses SNICallback to dynamically add certificates on the fly.

Site Management

The default manager plugin uses files on the file system, but there's great documentation on how to build your own.

Just to get started, the file-based plugin looks like this:

~/.config/greenlock/manager.json:

{
    "subscriberEmail": "letsencrypt-test@therootcompany.com",
    "agreeToTerms": true,
    "sites": [
        {
            "subject": "example.com",
            "altnames": ["example.com", "www.example.com"]
        }
    ]
}

Key and Certificate Management

Likewise, the default Key and Cert plugin is filesystem-based (actually based on certbot, from the early days), but there are plugins for connecting to databases ( greenlock-store-sequelize ) so that you can manage your certs however you like.

The default plugin stores them in ~/.config/greenlock/ .

DNS-01 and HTTP-01 challenge plugins

There are plugins for various DNS providers (Name.com, NameCheap, DNSimple, GoDaddy, etc), and there's a test suite that makes it easy to write the couple of callbacks you need to make your own.

Management API

There's already an API, which I won't document here because I'm busy (right now) writing the official documentation for it, but essentially you'll do something like this:

greenlock.add({
  subject: 'example.com',
  altnames: ['example.com', '*.example.com']
})

There are some CLI tools in the works, and Greenlock Pro, forthcoming, will have a UI for it, as well as routing tools (i.e. serve domain X from this directory, proxy domain Y to port 2345 with websocket support enabled, etc).

I'll be back

Once I have more of the official docs ready, I'll come back and add some updates here.

Feel free to contact me on Keypairs. I'm @coolaj86 there.

1) Attach multiple SSL certificates to the node server.
2) We need a way to attach certificates to the server at any instant in time, e.g. whenever we get a domain from our customers.

Managing such dynamic configuration on an instance is really hard to update and maintain. As suggested in the comment, go for an LB, place the LB in front of the EC2 instance, and handle certificate and new-domain integration with the AWS SDK.

The high-level flow will be:

Attach multiple SSL certificates to the node server

  • Place an LB in front of each instance and you will not need to manage SSL at the instance level; AWS will take care of it. Also, you will save CPU cost by putting the SSL encrypt and decrypt load on the LB.

whenever we get a domain from our customers

  • Using the AWS SDK, create a request for a new ACM certificate.
  • Once the certificate is approved, update the AWS LB certificate list from the SDK or manually, but better to automate it.
