Nginx and Node HTTPS configuration
Set up an HTTPS service locally for internal study; it lets you use browser hardware-device permissions.
1. Generate certificates
Create a CA private key:
```sh
openssl genrsa -des3 -out ca.key 4096
```
Create a self-signed CA certificate:
```sh
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
```
Create the server private key, then a passphrase-free copy of it:
```sh
openssl genrsa -des3 -out server.key 4096
openssl rsa -in server.key -out server.nosecret.key
```
Create the CSR file:
```sh
openssl req -new -key server.key -out server.csr
```
Sign the CSR with the CA certificate and private key to produce the server certificate (note that the CA step cannot use x509 here):
```sh
openssl ca -days 3650 -in server.csr -cert ca.crt -keyfile ca.key -out server.crt
```
If you get an error like `/etc/pki/CA/index.txt: No such file or directory`, run the following commands and try again:
```sh
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo "01" > /etc/pki/CA/serial
```
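As an added example (not from the original post), the script below redoes step 1 in a form that runs unattended and yields a certificate current browsers accept: the hostname goes into a subjectAltName (browsers no longer match on CN alone), and signing uses `openssl x509 -req -CA`, which does not need the index.txt/serial database that `openssl ca` expects. It assumes openssl is on PATH; the output directory, hostname and subject names are the caller's choice.

```sh
#!/bin/sh
# Added example (not from the original post). Builds a local CA and a server
# certificate with a subjectAltName, then verifies the chain. Assumes openssl
# is on PATH; the directory and hostname arguments are the caller's choice.
set -eu

make_local_ca() {
  dir="$1"; host="${2:-www.example.com}"
  mkdir -p "$dir"
  # CA key and self-signed CA certificate (no passphrase, so it runs unattended)
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -days 3650 -sha256 -key "$dir/ca.key" \
    -subj "/CN=Local Lab CA" -out "$dir/ca.crt" 2>/dev/null
  # Server key (2048 bits is the usual minimum today) and its CSR
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
    -out "$dir/server.csr" 2>/dev/null
  # Extensions for the leaf: the SAN is what browsers match the hostname against
  cat > "$dir/server.ext" <<EOF
subjectAltName = DNS:$host, DNS:localhost, IP:127.0.0.1
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # x509 -req -CA signs directly; no index.txt/serial database is needed
  openssl x509 -req -days 825 -sha256 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 only if server.crt chains to ca.crt and its SAN lists the host in $2
verify_server_cert() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null \
    | grep -q "DNS:$host" || return 1
}
```

Point `ssl_certificate` at server.crt and `ssl_certificate_key` at server.key, and import ca.crt into the browser's trust store so the warning disappears.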
2. Add the nginx service
Install nginx and edit nginx.conf:
```nginx
server {
    # The ssl parameter on listen replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name localhost;
    # Relative paths are resolved against the nginx prefix directory
    ssl_certificate ssl/server.crt;
    ssl_certificate_key ssl/server.nosecret.key;
    location /t {
        # echo needs the third-party ngx_http_echo_module (e.g. OpenResty);
        # stock nginx can use: return 200 "Hello World";
        echo "Hello World";
    }
}
```
3. Another way to generate a certificate
1. Generate the private key file:
```sh
# 1024-bit RSA is below today's usual minimum of 2048 bits
openssl genrsa -out private.pem 1024
```
2. Generate the CSR from the private key (you will be asked for some information; you can just press Enter):
```sh
# Despite the .crt extension, this output file is the CSR
openssl req -new -key private.pem -out nodeserver.crt
```
3. Generate the certificate file from the private key and the CSR:
```sh
openssl x509 -req -in nodeserver.crt -signkey private.pem -out nodeserver.pem
```
4. Add the certificate to the trust store: double-click nodeserver.pem to open and install it.
4. Create the Node server
Install the Node environment and create a demo folder. Open a terminal and run:
```sh
npm init
npm install express
```
Create serve.js with the following code:
```javascript
var app = require('express')();
var fs = require('fs');
var http = require('http');
var https = require('https');

// Key and certificate produced in section 3
var privateKey = fs.readFileSync('private.pem', 'utf8');
var certificate = fs.readFileSync('nodeserver.pem', 'utf8');
var credentials = {key: privateKey, cert: certificate};

// The same express app is served over plain HTTP and over HTTPS
var httpServer = http.createServer(app);
var httpsServer = https.createServer(credentials, app);
var PORT = 18080;
var SSLPORT = 18081;

httpServer.listen(PORT, function() {
    console.log('HTTP Server is running on: http://localhost:%s', PORT);
});
httpsServer.listen(SSLPORT, function() {
    console.log('HTTPS Server is running on: https://localhost:%s', SSLPORT);
});

// Welcome: report which protocol the request arrived on
app.get('/', function(req, res) {
    if (req.protocol === 'https') {
        res.send('https Server');
    }
    if (req.protocol === 'http') {
        res.send('http Server');
    }
});
```
Start the service from the terminal:
```sh
node serve.js
```
Open in a browser:
https://localhost:18081/
http://localhost:18080/
5. Configure request forwarding
Configure forwarding so that the service can be reached over both HTTP and HTTPS:
```nginx
server {
    listen 80;
    server_name www.example.com;
    # Redirect to the HTTPS request
    rewrite ^(.*)$ https://$host$1 permanent;
}
server {
    # "ssl on;" is deprecated; the ssl parameter on listen is enough
    listen 443 ssl;
    server_name www.example.com;
    # Your certificate directory
    ssl_certificate /root/my/httpsNode/nodeserver.pem;
    ssl_certificate_key /root/my/httpsNode/private.pem;
    location / {
        proxy_pass http://localhost:18080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        # Note: the Node app sees plain HTTP here; for req.protocol to report
        # https, also pass "proxy_set_header X-Forwarded-Proto $scheme;"
        # and enable "trust proxy" in express
    }
}
```
6. Configure local DNS resolution
- Windows
  Find the hosts file at C:/WINDOWS/system32/drivers/etc/hosts and add:
  127.0.0.1 www.example.com
- Linux
  Add the following line to /etc/hosts:
  127.0.0.1 www.example.com
After saving the file, ping www.example.com and it will resolve to the local machine.
Summary
Through this exercise I found that I knew nothing about certificates; for now I know that these two kinds of certificates use different encoding formats. My nginx configuration still needs further improvement.
If there are any mistakes, please point them out. Discussion and learning together are welcome!