Original article: Setting up https + node.js + nginx on Windows | 船长的技术博客
First, the requirement: there is one HTTPS main domain with three subdomains; the three subdomains must point to three ports on the same server, and both HTTP and HTTPS requests must be supported.
Subdomain A -----> http://127.0.0.1:10000 https://127.0.0.1:10000
Subdomain B -----> http://127.0.0.1:10001 https://127.0.0.1:10001
Subdomain C -----> http://127.0.0.1:10002 https://127.0.0.1:10002
Port notes:
80: the default HTTP port
443: the default HTTPS port
Environment setup
#OpenSSL installation
#Generating the SSL certificate
#Nginx installation
#Writing the node code
#Configuring SSL
I. OpenSSL installation
1. Official site: Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions
Note: (be sure to download the 140 MB file)
2. After downloading, run the installer and install to C:\OpenSSL-Win64
3. Configure the environment variable
My Computer -> Properties -> Environment Variables -> User variables -> Path
Add the path:
C:\OpenSSL-Win64\bin;
4. Check the OpenSSL version
Open a CMD window
openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
II. Generating the SSL certificate
1. Generating a self-signed certificate
Note: the path where the signing files are stored must not contain spaces or special characters, otherwise an error is reported
# enter the ssl directory on drive C (the path where the signing files are kept)
cd C:\ssl
# set the variable so openssl can find its config file
set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
# check the variable's value
echo %OPENSSL_CONF%
# generate server.key (a 4096-bit RSA private key)
openssl genrsa -out server.key 4096
# generate the certificate signing request
openssl req -new -key server.key -out server.csr
# sign the request with our own key to produce the self-signed certificate, valid for 730 days
openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt
Here, server.crt is our certificate and server.key is the private key.
Note: the OPENSSL_CONF variable must be set, otherwise the following error occurs
c:\OpenSSL-Win64\bin>openssl req -new -key server.key -out server.csr
Can't open C:\Program Files\Common Files\SSL/openssl.cnf for reading, No such file or directory
6440:error:02001003:system library:fopen:No such process:crypto\bio\bss_file.c:74:fopen('C:\Program Files\Common Files\SSL/openssl.cnf','r')
6440:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:81:
Enter pass phrase for server.key:
unable to find 'distinguished_name' in config
problems making Certificate Request
6440:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:crypto\conf\conf_lib.c:272:
The full process is as follows:
C:\Users\Administrator>cd C:\\ssl
C:\ssl>set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
C:\ssl>echo %OPENSSL_CONF%
C:\OpenSSL-Win64\bin\openssl.cfg
C:\ssl>openssl genrsa -out server.key 4096
C:\ssl>openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:CHINA
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:demo
Organizational Unit Name (eg, section) []:demo
Common Name (e.g. server FQDN or YOUR name) []:demo
Email Address []:demo
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:demo
C:\ssl>openssl req -new -key server.key -out server.csr
C:\ssl>openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt
After these steps, C:\ssl contains server.key, server.csr and server.crt.
III. Setting up Nginx
Official site: nginx: download
1. Download the stable version: 1.20.1
2. Unzip the file and copy nginx-1.20.1 to C:\Program Files (x86)\
3. Start nginx
start nginx.exe # start
4. Related commands
start nginx.exe # start
nginx.exe -s quit # stop (graceful)
nginx.exe -s stop # force stop
nginx.exe -s reload # reload configuration
5. Check that it started successfully
C:\Users\Administrator>tasklist /fi "imagename eq nginx.exe"
映像名称 PID 会话名 会话# 内存使用
========================= ======== ================ =========== ============
nginx.exe 20280 Console 1 8,488 K
nginx.exe 18632 Console 1 8,776 K
There are two processes, which means the start succeeded: one is the nginx master process and the other is a worker process.
One thing worth mentioning
After unzipping, it is best not to double-click nginx.exe directly to run it; I was burned by this: after unzipping I double-clicked it and nothing happened at the time except a window flashing briefly. Later, when I ran start nginx from cmd, it would not start no matter what. After running nginx -s reload it worked. The reason, reportedly, is that double-clicking the program changes the nginx.conf configuration file, so a reload is needed.
Once nginx is running, visiting localhost should normally work and show the nginx welcome page.
The nginx logs are in the logs directory under C:\Program Files (x86)\nginx-1.20.1.
Note: if the logs directory is deleted, nginx does not recreate it; it has to be created manually, so it is recommended not to delete the logs directory.
IV. Writing the node code
1. Write the code
Use express to create the simplest possible node server, on port 10039
app.js
// app.js: minimal express server; nginx will reverse-proxy to this port
const express = require('express')
const app = express()
// single test route; nginx forwards requests for it to this process
app.get('/getClientVersion', (req, res) => res.send('Hello World!'))
// listen on 10039, the port referenced in the nginx config below
app.listen(10039, () => console.log('Example app listening on port 10039!'))
2. Start the service
node app.js
3. Make sure it is reachable
127.0.0.1:10039
V. Configuring nginx
1. Reverse-proxy the node service, pointing at node's port 10039
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  www.mygame.com;

        #charset koi8-r;
        #access_log  logs/host.access.log  main;

        location / {
            proxy_pass http://127.0.0.1:10039;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header REMOTE-HOST $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    # HTTPS server
    server {
        listen       443 ssl;
        server_name  www.mygame.com;

        ssl_certificate      C:\ssl\server.crt;
        ssl_certificate_key  C:\ssl\server.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            proxy_pass http://127.0.0.1:10039;
        }
    }
}
2. Reload the nginx configuration
nginx.exe -s reload # reload configuration
3. Configure hosts
Note: the hosts entry here is only for convenient testing
127.0.0.1 www.mygame.com
4. Test access
Note 1: be sure to download the 140 MB OpenSSL installer
Note 2: the path where the signing files are stored must not contain spaces or similar special characters (an unquoted path containing a space is split into two arguments), otherwise the following error is reported:
nginx: [emerg] invalid number of arguments in "ssl_certificate" directive in C:\Program Files (x86)\nginx/conf/nginx.conf:68