
▍Nginx Proxy Manager

Nginx Proxy Manager

Настройка Nginx Proxy Manager

Самоподписанный сертификат:

Установка mkcert для генерации самоподписанного сертификата:

sudo apt install mkcert

Генерируем сертификат вручную с помощью openssl (собственный CA и подписанный им сертификат для home.lab):

# 1. Create a self-signed root CA valid for 3650 days: ca.key (private key) and ca.crt.
#    -nodes writes ca.key unencrypted. Whoever holds ca.key can issue certificates that
#    every client trusting ca.crt will accept, so keep the file access-restricted.
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj "/C=RU/ST=North-West/L=Saint-Petersburg/O=My Company/OU=Engineering/CN=home.lab" -keyout ca.key -out ca.crt
# 2. Generate the 2048-bit RSA private key for the server certificate (also unencrypted).
openssl genrsa -out "home.lab.key" 2048
# 3. Build the certificate signing request. openssl.cnf must already exist at this point;
#    its contents are listed below.
openssl req -new -key home.lab.key -out home.lab.csr -config openssl.cnf
# 4. Sign the request with the CA, applying the [v3_req] extensions from openssl.cnf.
#    -CAcreateserial creates the CA serial-number file if it does not exist yet.
openssl x509 -req -days 3650 -in home.lab.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extensions v3_req -extfile openssl.cnf -out home.lab.crt
# 5. Convert the signed certificate from PEM to DER.
openssl x509 -inform PEM -outform DER -in home.lab.crt -out home.lab.der.crt
# Create or edit openssl.cnf with the contents that follow.
nano openssl.cnf
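# openssl.cnf: request and extension settings for the home.lab server certificate.
# Read by "openssl req -config" (CSR) and "openssl x509 -extfile" (signing).

[req]
default_bits = 2048
# "no" leaves a private key generated by openssl req unencrypted;
# set to "yes" to have it passphrase-protected.
encrypt_key  = no
default_md   = sha256
prompt       = no
utf8         = yes

# Specify the DN here so we aren't prompted (along with prompt = no above).

distinguished_name = req_distinguished_name

# Extensions for SAN IP and SAN DNS

req_extensions = v3_req

# Be sure to update the subject to match your organization.

[req_distinguished_name]
C  = RU
ST = North-West
L  = Saint-Petersburg
O  = My Company
OU = Engineering
CN = home.lab

# Extensions applied to the server (leaf) certificate.
# Allow client and server auth. You may want to only allow server auth.
# Link to SAN names.

[v3_req]
# A server certificate must not be a CA: with CA:TRUE, anyone who obtains
# home.lab.key could sign further certificates that chain up to the trusted root.
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
keyUsage             = digitalSignature, keyEncipherment
extendedKeyUsage     = clientAuth, serverAuth
subjectAltName       = @alt_names

# Alternative names are specified as IP.# and DNS.# for IP addresses and
# DNS accordingly.

[alt_names]
# A wildcard matches exactly one label and does not cover the bare domain,
# so home.lab needs its own entry (clients check SAN, not CN).
DNS.1 = *.home.lab
DNS.2 = home.lab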
/C=RU/ST=Moscow/L=Moscow/O=Companyname/OU=Admin/CN=136.243.142.156/emailAddress=[email protected] -out ca.crt

# Subject fields for a certificate request, held in shell variables.
# NOTE(review): the script that reads these variables is not shown on this page;
# confirm how each one is consumed before relying on it.
# Country Name (2 letter code)
  C_="RU"
# State or Province Name (full name)
  ST_="North-West"
# Locality Name (eg, city)
  L_="Saint-Petersburg"
# Organizational Name (eg, company)
  O_=""
# Organizational Unit Name (eg, section)
  OU_=""
# Common Name (eg, YOUR name, domain or host name, don't add *. for wildcards)
  CN_=""
# Email Address
  EM_=""
# Subject Alternative Names (enter * for wildcard certificate)
# NOTE(review): current TLS clients match host names against the SAN list rather than
# the Common Name, so every name to be served presumably has to end up here. Verify.
  SAN_=""
┌─( [email protected] ) - ( 25 files,  ) - ( /srv/docker/data/ssl )
└─> mkcert home.lab *.home.lab
Created a new local CA 💥
Note: the local CA is not installed in the system trust store.
Run "mkcert -install" for certificates to be trusted automatically ⚠️

Created a new certificate valid for the following names 📜
 - "home.lab"
 - "*.home.lab"

Reminder: X.509 wildcards only go one level deep, so this won't match a.b.home.lab ℹ️

The certificate is at "./home.lab+1.pem" and the key at "./home.lab+1-key.pem"
It will expire on 23 February 2026 🗓

Чтобы убрать предупреждение в браузере, установим сертификат в доверенное хранилище:

┌─( [email protected] ) - ( 25 files,  ) - ( /srv/docker/data/ssl )
└─> mkcert -install
The local CA is now installed in the system trust store! ⚡️

Вручную в Ubuntu:

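# Trust the mkcert root CA, not the leaf certificate home.lab+1.pem.
# update-ca-certificates only picks up files ending in .crt from this directory,
# so the PEM file is copied under a .crt name.
# Run "mkcert -CAROOT" as the same user that created the CA, otherwise it prints a different directory.
cp "$(mkcert -CAROOT)/rootCA.pem" /usr/local/share/ca-certificates/mkcert-rootCA.crt && update-ca-certificates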

Вручную в Alt linux:

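# Trust the mkcert root CA, not the leaf certificate home.lab+1.pem: the anchors
# directory is meant for CA certificates that other certificates chain up to.
# Run "mkcert -CAROOT" as the same user that created the CA, otherwise it prints a different directory.
cp "$(mkcert -CAROOT)/rootCA.pem" /etc/pki/ca-trust/source/anchors/mkcert-rootCA.pem && update-ca-trust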

Для установки на Android необходимо задать пароль, иначе при установке будет ошибка:

# Package the certificate and its private key (-inkey) into one PKCS#12 file.
# The bundle contains the server's private key: choose a strong export password
# and delete home.lab.p12 once it has been imported.
openssl pkcs12 -export -in home.lab+1.pem -inkey home.lab+1-key.pem -out home.lab.p12
Enter Export Password:
Verifying - Enter Export Password: