lua-resty-ssl-bump
"A Lua module for dynamic generation and caching of SSL certificates for wildcard domains"
$ opm get iakuf/lua-resty-ssl-bumplua-resty-ssl-bump
A Lua module for dynamic generation and caching of SSL certificates for wildcard domains, similar to Squid's SSL Bump functionality.
Installation
To install this module, you can use the OpenResty Package Manager (opm):
opm get iakuf/lua-resty-ssl-bumpDependencies
This module requires the lua-cjson and lua-resty-openssl libraries to work. Ensure that both libraries are installed and accessible in your OpenResty environment.
Install lua-cjson
You can install lua-cjson using OPM:
opm get ledgetech/lua-cjsonInstall lua-resty-openssl
You can install lua-resty-openssl using OPM:
opm get fffonion/lua-resty-openssl Usage
Generating Your Own CA Certificate
To generate your own CA certificate, use the following command:
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -extensions v3_ca -keyout /path/to/ca_cert.key -out /path/to/ca_cert.crtReplace /path/to/ca_cert.key and /path/to/ca_cert.crt with the actual paths where you want to save your CA key and certificate.
Nginx Configuration
Add the following configuration to your nginx.conf file:
Define shared dictionary:
http {
lua_shared_dict cert_cache 20m; # Approximately stores 4000 certificate pairs
}Initialize the module in the worker:
http {
init_worker_by_lua_block {
local ssl_bump = require("resty.ssl_bump")
local ok, err = ssl_bump.init("/path/to/ca_cert.crt", "/path/to/ca_cert.key", {
C = "CN",
ST = "Beijing",
L = "Beijing",
O = "Geelevel Corp"
})
if not ok then
ngx.log(ngx.ERR, "failed to initialize ssl_bump: ", err)
return
end
}
}Set SSL configurations:
http {
server {
listen 443 ssl;
ssl_certificate /path/to/ca_cert.crt; # 占位
ssl_certificate_key /path/to/ca_cert.key; # 占位
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Dynamic generation of certificates
ssl_certificate_by_lua_block {
local ssl_bump = require("resty.ssl_bump")
ssl_bump.run()
}
location / {
proxy_pass http://your_backend;
}
}
}Example
Here is an example nginx.conf file with the necessary configuration:
http {
lua_shared_dict cert_cache 20m; # Approximately stores 4000 certificate pairs
init_worker_by_lua_block {
local ssl_bump = require("resty.ssl_bump")
local ok, err = ssl_bump.init("/path/to/ca_cert.crt", "/path/to/ca_cert.key", {
C = "CN",
ST = "Beijing",
L = "Beijing",
O = "Geelevel Corp"
})
if not ok then
ngx.log(ngx.ERR, "failed to initialize ssl_bump: ", err)
return
end
}
server {
listen 443 ssl;
ssl_certificate /path/to/ca_cert.crt; # 占位
ssl_certificate_key /path/to/ca_cert.key; # 占位
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Dynamic generation of certificates
ssl_certificate_by_lua_block {
local ssl_bump = require("resty.ssl_bump")
ssl_bump.run()
}
location / {
proxy_pass http://your_backend;
}
}
}Importing Your CA Certificate
On Linux
To import your CA certificate on Ubuntu:
cp /path/to/ca_cert.crt /usr/local/share/ca-certificates/ca_cert.crt
update-ca-certificatesOn Windows
To import your CA certificate on Windows:
certmgr.exe /add %cd%\ca_cert.crt /s /r localMachine root License
MIT
Authors
"Fu Kai <iakuf@163.com>"
License
mit
Versions
-
iakuf/lua-resty-ssl-bump 1.0.1"A Lua module for dynamic generation and caching of SSL certificates for wildcard domains" 2024-07-27 06:46:22
-
"A Lua module for dynamic generation and caching of SSL certificates for wildcard domains" 2024-07-26 07:18:09