[+] 证书终端请求ID

docs/Deploy.md

@@ -412,5 +412,41 @@ firewall-cmd --list-ports
 ## 证书
 
 ```
-keytool -genkeypair -keyalg RSA -dname "CN=localhost, OU=acgist, O=taoyao, L=GZ, ST=GD, C=CN" -alias taoyao -validity 3650 -ext ku:c=dig,keyE -ext eku=serverAuth -ext SAN=dns:localhost,ip:127.0.0.1 -keystore taoyao.jks -keypass 123456 -storepass 123456
+mkdir /data/certs
+cd /data/certs
+vim server.ext
+
+---
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName=@SubjectAlternativeName
+
+[ SubjectAlternativeName ]
+IP.1=127.0.0.1
+IP.2=192.168.1.100
+IP.3=192.168.1.110
+IP.4=192.168.8.100
+IP.5=192.168.8.110
+DNS.1=localhost
+DNS.2=acgist.com
+DNS.3=www.acgist.com
+DNS.4=taoyao.acgist.com
+---
+
+# CA
+openssl genrsa -out ca.key 2048
+openssl req -x509 -new -key ca.key -out ca.crt -days 3650
+openssl x509 -in ca.crt -subject -issuer -noout
+# subject= /C=cn/ST=gd/L=gz/O=acgist/OU=acgist/CN=acgist.com
+# issuer= /C=cn/ST=gd/L=gz/O=acgist/OU=acgist/CN=acgist.com
+
+# Server
+
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -out server.csr
+openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -extfile server.ext
+openssl x509 -in server.crt -subject -issuer -noout
+# subject= /C=cn/ST=gd/L=gz/O=acgist/OU=taoyao/CN=taoyao.acgist.com
+# issuer= /C=cn/ST=gd/L=gz/O=acgist/OU=acgist/CN=acgist.com
+openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12 -name taoyao
 ```

docs/Learning.md

@@ -26,6 +26,7 @@ https://www.cnblogs.com/ssyfj/p/14843082.html
 
 ## 更多资料
 
+https://zhuanlan.zhihu.com/p/466172240
 http://koca.szkingdom.com/forum/t/topic/218
 http://www.manoner.com/post/音视频基础/WebRTC核心组件和协议栈/
 https://blog.csdn.net/ababab12345/article/details/115585378

docs/certs/ca.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjzCCAnegAwIBAgIJAKPjuujtbFnoMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV
+BAYTAmNuMQswCQYDVQQIDAJnZDELMAkGA1UEBwwCZ3oxDzANBgNVBAoMBmFjZ2lz
+dDEPMA0GA1UECwwGYWNnaXN0MRMwEQYDVQQDDAphY2dpc3QuY29tMB4XDTIzMDIy
+NzEzMzUyNloXDTMzMDIyNDEzMzUyNlowXjELMAkGA1UEBhMCY24xCzAJBgNVBAgM
+AmdkMQswCQYDVQQHDAJnejEPMA0GA1UECgwGYWNnaXN0MQ8wDQYDVQQLDAZhY2dp
+c3QxEzARBgNVBAMMCmFjZ2lzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDbt9orZnoTtzbaI9+S8uqqvi8rqOzi+b3tRHOYE+JVQNxWf8vTvKJ5
+mDDrBqICVy2SCtwkxXgrjDcRQVKK1IiDqxQ4oY6DCZetx4gQhYk9ychYsPPKnRg8
+bQEG48DM1EhmxhozUv7kaiUMS0LNODfzLTH/C25Nhgt3laGCtcIWOQliO9AVOxam
+EasfYP01AfL2qahk1s5N7fK9poLpbR9BS8ZUYMxZ5xOIUcc5eithBgGvuHUv9nEY
+Dart6XPC4z3YE9liwrxYwcBxztdvCA2EWeh1k0wNcrT/eJG3cuGgzsPDjI/BORq1
+DWFKJOXrWmhmIlw+VaQ6PIiD4/aQ50xfAgMBAAGjUDBOMB0GA1UdDgQWBBR98tbO
+eDI9mBcuZ96keDld1w54OzAfBgNVHSMEGDAWgBR98tbOeDI9mBcuZ96keDld1w54
+OzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCavKK+pJCmWDqFNMoX
+YwdRPDJS7LoCFV7C8oTkX5myCKNOi11bzlyqP/EkelubtRgaNr+GZCyhwxPiJvRx
+ZrWsoWpOH8OEdADM9lU+UXR23Ufmo9jFFEL7jZ9u9OmOJWAM5xM1KqCBd5+KRvfE
+oEHXdayfy6l00F+rsgaMm6IKdZcthAxVVEKO60GfwavcuvIiHVVLxW21H8BMoqd6
+Erigq7wJRRH+qm7Q5fVpmo1L7E6T2cBvGcFHKuQFdoxDlH4N6tPRDuRSODKFE//O
+D1ViQY65nn35mawbz2AgUUPvWiBDYYomeKIiGl859PukeP1jwDZcECFtrhH4s1p+
+at2z
+-----END CERTIFICATE-----

docs/certs/ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA27faK2Z6E7c22iPfkvLqqr4vK6js4vm97URzmBPiVUDcVn/L
+07yieZgw6waiAlctkgrcJMV4K4w3EUFSitSIg6sUOKGOgwmXrceIEIWJPcnIWLDz
+yp0YPG0BBuPAzNRIZsYaM1L+5GolDEtCzTg38y0x/wtuTYYLd5WhgrXCFjkJYjvQ
+FTsWphGrH2D9NQHy9qmoZNbOTe3yvaaC6W0fQUvGVGDMWecTiFHHOXorYQYBr7h1
+L/ZxGA2q7elzwuM92BPZYsK8WMHAcc7XbwgNhFnodZNMDXK0/3iRt3LhoM7Dw4yP
+wTkatQ1hSiTl61poZiJcPlWkOjyIg+P2kOdMXwIDAQABAoIBAQC7SeS2yguVcr9X
+Au05Hcfa83LSDJSghbHX5lmCcLClazxmn1jnjAwTCh/otyaySA2YR5mP3qOou0TV
+eJEbtj8HvXTnMQ+Bs1OP1l2td6ac/LvCnlOximd2WpRdgxZ9gxaURJlg1oZfvfsG
+l8DBngJTT1smxF+pxXFQ5kNeYACpXzDEN38paW2M4YFbEvFwp0lB1GbuozJ23RPw
+lb1muYHPk8vqJHjnrJJAuX01HMB+RwOyVvLd+mdtmARga1yRFHxyoEml1APH8Kxq
+KK11JsEGNOs+L8nC2NozoFxdR8OLi1p0c/n96XZevz3bSVrPddpc3YQ5Cn4ILR91
+d2d6EizBAoGBAO1aSji+KoF8hDgdNtG1QWDAd4L/E6vuzvTpmLqWnFZ3NAvhPrx7
+O5dQwXWhRnYzJu7iikeJowUPwlYz+SmnKCAhfR5bWvQPpb5/N0fna8T64QdBWa3k
+YV6RUEe3jKqgZvadTSI3XrAV4m5bH6SbJXpaZKdPnxt7+yG5R1Iwg+GVAoGBAOz6
+5DHSt8JV8+L8NL59sieidwcQvKPrkcM4Dk4Tulh+U5Qvh4Yw1mfiBIq3y1irxAJM
+ToaQvs/4BQHVw97t7+sgOPhe2e+H42up1ZeIGrvPuRoo/jplLcy2jM/k+Ll/ZwEG
+XEAIwYEhXCmxXHqlgzpvDgZcqeP6lYn5P8uPTmEjAoGBAJQ3ZtPqRKbZd8OG0r2/
+31Sou7jMyp76ILilyt7xwCzqgVDN1pxipALIxhZLoLGdHbndM5aap3c4sRWdnQFa
+xd7SqswzJif0QX8k+ANpy02VkMI0F+lUDU29lpFCWJAQXFuyPQGZ7AIvmFdrheYH
+kC7IlcQ5H1VNZbRYe+YiL6jFAoGAdReqtSuG/JD3xsoTTaRR6N+PrIAKlXwKM8l4
+1/9LbfpNVcT+U8HBzuaQk/IomZGVcgU+L6NJhPzpjHSRKY+roiPzwlUrnf0o08PA
+8/SeMPp8XX6vzy67KJFyli5u70kSHiGEZ2dsJV/UaA1ownkRlEfXSDF1CF6CkQAF
+E5Glir0CgYEAxhcwMb1gbmdE9iFdS0J7mef7A6PBrQjNzRbqEb9+kFbUzr12LJ0j
+5RJ9VXUBLwXDJ5lR1rtkdG9sgOoC5YQKVqiwpZbe9AO7a7+wSrteQKKMGBafBtVh
+2VTpqC6pnVGfhKiM5nP/a89eoe9QazZSiEvJV5Q7K/yrp/lklJq4E2I=
+-----END RSA PRIVATE KEY-----

docs/certs/ca.srl

@@ -0,0 +1 @@
+C75F31B213340862

docs/certs/server.crt

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID2TCCAsGgAwIBAgIJAMdfMbITNAhiMA0GCSqGSIb3DQEBCwUAMF4xCzAJBgNV
+BAYTAmNuMQswCQYDVQQIDAJnZDELMAkGA1UEBwwCZ3oxDzANBgNVBAoMBmFjZ2lz
+dDEPMA0GA1UECwwGYWNnaXN0MRMwEQYDVQQDDAphY2dpc3QuY29tMB4XDTIzMDIy
+NzEzMzg0OFoXDTMzMDIyNDEzMzg0OFowZTELMAkGA1UEBhMCY24xCzAJBgNVBAgM
+AmdkMQswCQYDVQQHDAJnejEPMA0GA1UECgwGYWNnaXN0MQ8wDQYDVQQLDAZ0YW95
+YW8xGjAYBgNVBAMMEXRhb3lhby5hY2dpc3QuY29tMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAmeQvh6OwHR87DKvm04z1xjbHgh6fxi6y+5jMJ7K7LvPT
+l+7haNB/eeSgEnHL38Naaw2cQvNkSAVPK210q574tQZW6Am2icRb9EJnMx2tKdaG
+8QtTGxddScebyO++7qzf8CwECPRpsZRRp1a5ompCouDXY4VWJatXBMnZX05ZqUJH
+0u6nioDwvd+YBOui4nGCxoF8tcVsidvHWx0JTfC7simyMp/5VvVYt7V4ENuU+3NT
+wDF7sEW1z8Sx1ErE4NLQIyy+PpGmV+h2HgNb0Bnre+jq7v/1Ue2Irsd6xe9iHf3P
+ji/mnkrRdAxd36KszFvmQjLAClJM1tRjc7gGyO8yCQIDAQABo4GSMIGPMAsGA1Ud
+DwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwYQYDVR0RBFow
+WIcEfwAAAYcEwKgBZIcEwKgBbocEwKgIZIcEwKgIboIJbG9jYWxob3N0ggphY2dp
+c3QuY29tgg53d3cuYWNnaXN0LmNvbYIRdGFveWFvLmFjZ2lzdC5jb20wDQYJKoZI
+hvcNAQELBQADggEBAKDYyUUMFDchfTYwEhUWHHtUpJTzVz2opAoKjUU2yH4pT4dT
+Fb1s4NAuopoU9ycX4MJaApmxMioWwQzkoBLbnr+4RPfOYR9nlU0s+dx5JcpOgJtR
+6X08ZDmW2DqhfIqR89uvIOgOU0oc6nUxQ0+doihDYyuyvXkvkZLjl8hrv6phuL8e
+qhtx9++4umD3RYbRsASRmB8/iYTgi7WAvFyNM9kkS5pwkJOaHN+vtKx5xpytEROT
+pbdUgGdXcYzYwzqDJ7Wbe0pIKeZ97rx6mF+0/92sWhd2U54jn5M1gp1sCQqG/syd
+tER+0jG77mvqkls5VCNmUE1+pOa53MvB5TuTTsA=
+-----END CERTIFICATE-----

docs/certs/server.csr

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICqjCCAZICAQAwZTELMAkGA1UEBhMCY24xCzAJBgNVBAgMAmdkMQswCQYDVQQH
+DAJnejEPMA0GA1UECgwGYWNnaXN0MQ8wDQYDVQQLDAZ0YW95YW8xGjAYBgNVBAMM
+EXRhb3lhby5hY2dpc3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAmeQvh6OwHR87DKvm04z1xjbHgh6fxi6y+5jMJ7K7LvPTl+7haNB/eeSgEnHL
+38Naaw2cQvNkSAVPK210q574tQZW6Am2icRb9EJnMx2tKdaG8QtTGxddScebyO++
+7qzf8CwECPRpsZRRp1a5ompCouDXY4VWJatXBMnZX05ZqUJH0u6nioDwvd+YBOui
+4nGCxoF8tcVsidvHWx0JTfC7simyMp/5VvVYt7V4ENuU+3NTwDF7sEW1z8Sx1ErE
+4NLQIyy+PpGmV+h2HgNb0Bnre+jq7v/1Ue2Irsd6xe9iHf3Pji/mnkrRdAxd36Ks
+zFvmQjLAClJM1tRjc7gGyO8yCQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAC2M
+KwMJv8TKM7QL6UE3skEoMhXgxwwODuIBiiloySHmRsb+fVEYcF1f+gN9UxSVwaIx
+BP7sb/+xy/N9G+28QVTbVlSc1MneQRPHjlx2MQqRHhfxtJ2/Zf6qFUuR2LimuHth
+HwIgQotnUbe6C2630bNeYV5mOyF/rltw0pSoaPlMG9WsNtzZJ1LYzyNp5ztXPR3W
+O2MkNQ3ZWqsR7dQXdUJbgruniwfxVGKxab6wBg+GZsHjiHujEmljjt3MIwimVDT+
+Z1V/R8C1Rlk98lJY5hSVBXZ09C5hox9NAvYkGfZ+ZqupOLoPOrvux7zETsDPxzV9
+mvAXPwkT0zVn/YvUCvo=
+-----END CERTIFICATE REQUEST-----

docs/certs/server.ext

@@ -0,0 +1,14 @@
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName=@SubjectAlternativeName
+
+[ SubjectAlternativeName ]
+IP.1=127.0.0.1
+IP.2=192.168.1.100
+IP.3=192.168.1.110
+IP.4=192.168.8.100
+IP.5=192.168.8.110
+DNS.1=localhost
+DNS.2=acgist.com
+DNS.3=www.acgist.com
+DNS.4=taoyao.acgist.com

docs/certs/server.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAmeQvh6OwHR87DKvm04z1xjbHgh6fxi6y+5jMJ7K7LvPTl+7h
+aNB/eeSgEnHL38Naaw2cQvNkSAVPK210q574tQZW6Am2icRb9EJnMx2tKdaG8QtT
+GxddScebyO++7qzf8CwECPRpsZRRp1a5ompCouDXY4VWJatXBMnZX05ZqUJH0u6n
+ioDwvd+YBOui4nGCxoF8tcVsidvHWx0JTfC7simyMp/5VvVYt7V4ENuU+3NTwDF7
+sEW1z8Sx1ErE4NLQIyy+PpGmV+h2HgNb0Bnre+jq7v/1Ue2Irsd6xe9iHf3Pji/m
+nkrRdAxd36KszFvmQjLAClJM1tRjc7gGyO8yCQIDAQABAoIBAFSpGhTO0lZTFhM0
+hrofNB6liEBnRJKsoj6Tosy8IQoFjYRqIIufGGIgiodbH0OsnxOB21Nhvut4MEO9
+5Y9812oPYMQqg8dqxQOtfES8sMTxhi8ZgdDHm8S5EVULv8hiRphEPrwGahcNd5ZN
+ubZGKv6cHyJa+jei+S5jNTifS+g2+hEvKyxRdoWFaRJTPeBPr4ayJevDY8zlllh6
+APqLYuJxMrgp0J/XSlwtFZ7O83opj0dt5sZiHV1drNytZU9PMSy6krkXPVV1Ahgo
+QpIFKmrWjjk5ehyyGyexFmVKWCZenrLN14oOvxgKezV7PQwAhWWlpxMLEwP+e4Nu
+o1aqgAECgYEAyMWFZnB5s0R//QhQm8uZEMbauAJtIWvfjWSR1Gtb9g+ykoYOv5TB
+2nG/yCrbtrDvMPYP9ZTG/dB0+PmtJQPNy+ZyIdOeeVACKAzvBQnfUKV8soSsh79+
+RI/GJXfNJ+GcJv1F5t3pEOY/xmp6aZIdTCBkjzseyJAaRLLQzZXMKAECgYEAxDlT
+aSbjyeZomsaN/WSny0qT61spfYOgJyy/B5SLY6ZFRS7p60IjSeAr5LoD4pmqK4B9
+pM7KHPvWyRGkeCqx8A7rJ1VkpwapZn+Lv9SsUpyW9SWqo/0cQ0U/Hu1dBfULdypH
+uQDS1xIrQqLEeA9yLyB90pEvTHHjHybZvcUxygkCgYEAjCqqGXyI2okGOedmL36S
+3E2YQUMgYWboadQ+o2hYiY8oAnepMENwm0sys1KIliEsvKftOGyoCGdSYsgdA2yG
+bsXyBH+zccpT1xZAgOoFiE4goplRwmwEgWVG1r2u8xrlY6sK9EUVBAFboPCRicbC
+wXUT/5MsyKUiUbftYrokEAECgYEAgF/wzg5/YIu5S+ky4+CCVmHIPGY70r3WfUqs
+/8yTFPKmxwhWSW/PnnlmvhFkkU9vIV7C1JvlZujsMEe2jleAakmYVvdrDksxcLlp
+OGtvAe0oZeHqrbbeUrRvA1DPVyJmCeRDYCnFxqdAXiwW1WVlkqdzKduKUj0AFlVY
+husIE+ECgYEAt3DPoPHcAb5PSyoWm2r1FS7j7a0tMGHSDIkUwSRRaB77g7IP1I1N
+jzJmd5VZm69vwXbaxPtJ0YM5SrIq8HbBfNjJmPRinEZjkeq2vrUw8lzoTTZh35Wg
+wgni/eFijGhBkSXcvDuZ2QNi3jtQtaiMwBohGNCjCtfGss/41RNpmGU=
+-----END RSA PRIVATE KEY-----

docs/nginx/nginx.conf

@@ -0,0 +1,91 @@
+user             nginx;
+worker_processes auto;
+
+pid       /var/run/nginx.pid;
+error_log /var/log/nginx/error.log notice;
+
+events {
+    use                epoll;
+    worker_connections 1024;
+}
+
+http {
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
+    
+    access_log /var/log/nginx/access.log main buffer=32k flush=10s;
+
+    include      /etc/nginx/mime.types;
+    include      /etc/nginx/conf.d/*.conf;
+    default_type application/octet-stream;
+
+    gzip            on;
+    gzip_types      text/xml text/css text/plain text/javascript image/gif image/png image/jpg image/webp image/jpeg image/x-icon image/svg+xml application/json application/javascript font/woff application/octet-stream application/vnd.ms-fontobject;
+    gzip_min_length 1k;
+
+    sendfile                 on;
+#   tcp_nopush               on;
+    server_tokens            off;
+    keepalive_timeout        60;
+    client_max_body_size     16m;
+    fastcgi_intercept_errors on;
+
+    upstream taoyao {
+        server    https://localhost:8888;
+        keepalive 60;
+    }
+
+    server {
+        listen 80  default_server;
+        listen 443 ssl default_server;
+        ssl_certificate     /data/certs/server.crt;
+        ssl_certificate_key /data/certs/server.key;
+        error_page 497 https://$host:$server_port$request_uri;
+        return     301 https://taoyao.acgist.com$request_uri;
+    }
+    
+    server {
+        listen      443 ssl http2;
+        server_name taoyao.acgist.com;
+
+        access_log  /var/log/nginx/taoyao.acgist.com.log main buffer=32k flush=10s;
+
+        ssl_certificate     /data/certs/server.crt;
+        ssl_certificate_key /data/certs/server.key;
+        ssl_ciphers   TLS13-AES-128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-CBC-SHA256:ECDHE-ECDSA-AES128-CBC-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_session_timeout       30m;
+        ssl_prefer_server_ciphers on;
+
+#       proxy_http_version 1.1;
+        proxy_http_version 2.0;
+
+#       proxy_set_header   Connection         close;
+        proxy_set_header   Connection         keep-alive;
+        proxy_set_header   Host               $host;
+#       proxy_set_header   Host               $host:$server_port;
+#       proxy_set_header   X-Scheme           $scheme;
+        proxy_set_header   X-Real-IP          $remote_addr;
+#       proxy_set_header   X-Http-scheme      $scheme;
+        proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Host   $host;
+        proxy_set_header   X-Forwarded-Proto  $scheme;
+        proxy_set_header   X-Forwarded-Server $host;
+
+        add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload";
+
+        location = /websocket.signal {
+            proxy_set_header      Upgrade    $http_upgrade;
+            proxy_set_header      Connection "Upgrade";
+            keepalive_timeout     1200s;
+            proxy_read_timeout    1200s;
+            proxy_send_timeout    1200s;
+            proxy_connect_timeout 30s;
+            proxy_pass            taoyao;
+        }
+
+        location / {
+            proxy_pass taoyao;
+        }
+    }
+    
+}