Nginx Proxy Manager
Настройка Nginx Proxy Manager
Самоподписанный сертификат:
Установка mkcert для генерации самоподписанного сертификата:
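Генерируем сертификат с помощью openssl: сначала собственный корневой CA (ca.key, ca.crt), затем сертификат для home.lab, подписанный этим CA: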
# Step 1 - local root CA: new RSA-2048 key plus a self-signed certificate, 3650 days.
# -nodes writes ca.key without a passphrase. Whoever can read ca.key can issue
# certificates that every client trusting ca.crt accepts, so keep the file
# owner-readable only and off shared hosts.
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
    -subj "/C=RU/ST=North-West/L=Saint-Petersburg/O=My Company/OU=Engineering/CN=home.lab" \
    -keyout ca.key \
    -out ca.crt

# Step 2 - private key for the home.lab server certificate (also unencrypted).
openssl genrsa -out home.lab.key 2048

# Step 3 - signing request; subject and requested extensions come from openssl.cnf,
# which must already exist in the current directory (its contents are listed below).
openssl req -new \
    -key home.lab.key \
    -out home.lab.csr \
    -config openssl.cnf

# Step 4 - sign the request with the local CA. The [v3_req] section of openssl.cnf is
# copied into the issued certificate, so check that it sets basicConstraints = CA:FALSE
# and lists every host name under subjectAltName. -CAcreateserial writes ca.srl.
# Some clients (Apple platforms, for one) refuse TLS server certificates valid for
# more than 825 days; lower -days here if such clients have to connect.
openssl x509 -req -days 3650 \
    -in home.lab.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extensions v3_req -extfile openssl.cnf \
    -out home.lab.crt

# Step 5 - DER-encoded copy of the certificate for consumers that do not read PEM.
openssl x509 -inform PEM -outform DER \
    -in home.lab.crt \
    -out home.lab.der.crt
nano openssl.cnf
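# openssl.cnf - subject and extensions for the home.lab server certificate.
# Read by "openssl req -config" (CSR) and by "openssl x509 -extfile" (signing).
[req]
default_bits = 2048
# Change to encrypt the private key using des3 or similar
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes
# Specify the DN here so we aren't prompted (along with prompt = no above).
distinguished_name = req_distinguished_name
# Extensions for SAN IP and SAN DNS
req_extensions = v3_req

# Be sure to update the subject to match your organization.
[req_distinguished_name]
C = RU
ST = North-West
L = Saint-Petersburg
O = My Company
OU = Engineering
CN = home.lab

# Extensions placed in the issued certificate (selected with -extensions v3_req).
# Allow client and server auth. You may want to only allow server auth.
# Link to SAN names.
[v3_req]
# This is a server (leaf) certificate, so it must not be marked as a CA.
# A certificate with CA:TRUE can act as an issuer under ca.crt wherever the
# validator does not insist on keyCertSign, which would let the holder of
# home.lab.key mint certificates for other names.
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names

# Alternative names are specified as IP.# and DNS.# for IP addresses and
# DNS accordingly.
[alt_names]
# A wildcard covers exactly one label and does not match the bare domain.
# Browsers match host names against these entries and ignore CN, so
# home.lab needs an entry of its own.
DNS.1 = *.home.lab
DNS.2 = home.lab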
/C=RU/ST=Moscow/L=Moscow/O=Companyname/OU=Admin/CN=136.243.142.156/emailAddress=[email protected] -out ca.crt
# Subject fields and alternative names for a certificate request.
# The code that consumes these variables is not shown on this page.

# Country: two-letter code
C_='RU'
# State or province, full name
ST_='North-West'
# Locality, e.g. the city
L_='Saint-Petersburg'
# Organization, e.g. the company name
O_=''
# Organizational unit, e.g. the section
OU_=''
# Common name: your name, a domain or a host name; do not prefix it with *. for wildcards
CN_=''
# E-mail address
EM_=''
# Subject Alternative Names; enter * for a wildcard certificate
SAN_=''
┌─( [email protected] ) - ( 25 files, ) - ( /srv/docker/data/ssl )
└─> mkcert home.lab *.home.lab
Created a new local CA 💥
Note: the local CA is not installed in the system trust store.
Run "mkcert -install" for certificates to be trusted automatically ⚠️
Created a new certificate valid for the following names 📜
- "home.lab"
- "*.home.lab"
Reminder: X.509 wildcards only go one level deep, so this won't match a.b.home.lab ℹ️
The certificate is at "./home.lab+1.pem" and the key at "./home.lab+1-key.pem" ✅
It will expire on 23 February 2026 🗓
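Ключ локального CA mkcert (rootCA-key.pem в каталоге, который показывает `mkcert -CAROOT`) позволяет выпускать сертификаты, которым будет доверять эта машина, поэтому его нельзя копировать на другие хосты или публиковать.
Чтобы убрать предупреждение в браузере, установим локальный корневой сертификат (CA) mkcert в доверенное хранилище системы: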
┌─( [email protected] ) - ( 25 files, ) - ( /srv/docker/data/ssl )
└─> mkcert -install
The local CA is now installed in the system trust store! ⚡️
Вручную в Ubuntu:
Вручную в ALT Linux:
Для установки на Android необходимо задать пароль, иначе при установке возникнет ошибка.