nginx配置localhost https视频服务

素颜马尾好姑娘i 2022-09-14 00:10 130阅读 0赞

### 第一种方法 ###

step 1：增加alias到`/etc/hosts`

127.0.1.1       localhostssl

step ２：创建ssl证书

$ sudo mkdir /usr/local/nginx/cert
    $ cd /usr/local/nginx/cert
    $ sudo openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout localhost.key -out localhost.crt

查看证书内容

$ openssl x509 -text -noout -in localhost.crt

step ３：配置nginx.conf

server {
        
            server_name localhostssl;
            rewrite ^(.*) https://local.website.dev$1 permanent;
        }
        server {
        
            listen     443 ssl;
            ssl_certificate      /usr/local/nginx/cert/localhost.crt;
            ssl_certificate_key  /usr/local/nginx/cert/localhost.key;
            ssl_ciphers          HIGH:!aNULL:!MD5;
            server_name          localhostssl;
            location / {
        
                proxy_pass  http://localhost;
            }
        }

step ４：reload nginx

$ sudo /usr/local/nginx/sbin/nginx -s reload

step ５：浏览器访问`https://localhost`

Your connection is not private
    Attackers might be trying to steal your information from localhostssl (for example, passwords, messages, or credit cards). Learn more
    
    NET::ERR_CERT_AUTHORITY_INVALID
    
    To get Chrome’s highest level of security, turn on enhanced protection

certutil方法报错

sudo apt-get install libnss3-tools
    certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "localhost" -i localhost.crt

$ rm -rf $HOME/.pki/nssdb
    $ certutil -d $HOME/.pki/nssdb -N
    Enter a password which will be used to encrypt your keys.
    The password should be at least 8 characters long,
    and should contain at least one non-alphabetic character.
    
    Enter new password: 12345678
    Re-enter password: 12345678
    
    $ certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "localhost" -i /usr/local/nginx/cert/localhost.crt 
    Enter Password or Pin for "NSS Certificate DB":12345678
    hui@hui:/usr/local/nginx

$ certutil -d sql:$HOME/.pki/nssdb -L
    
    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI
    
    localhost                                                    CT,c,c

试了下浏览器访问还是有问题，可以用下面这个办法设置下浏览器，但是播放已经是可以了。

chrome://flags/#allow-insecure-localhost

播放https视频测试

这时候用vlc播放原来搭建的hls源，发现已经是https了，虽然有报错信息。

vlc https://localhost/hls/playlist.m3u8
    vlc https://localhostssl/hls/playlist.m3u8
    [00007fad2c01b0e0] gnutls tls client error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. 
    [00007fad2c12aa60] gnutls tls client error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.

看log直接播放http的还是有区别的，说明https生效了，ffplay也行。

vlc http://localhost/hls/playlist.m3u8
    ffplay http://localhost/hls/playlist.m3u8 -v debug

--------------------

### 第二种配置方法 ###

step 1

$ openssl genrsa -des3 -out myCA.key 2048
    Generating RSA private key, 2048 bit long modulus (2 primes)
    ..................................................................................+++++
    ...................................+++++
    e is 65537 (0x010001)
    Enter pass phrase for myCA.key:2048
    Verifying - Enter pass phrase for myCA.key:2048

step 2

$ openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem
    Enter pass phrase for myCA.key:
    140352584024512:error:28078065:UI routines:UI_set_result_ex:result too small:../crypto/ui/ui_lib.c:903:You must type in 4 to 1023 characters
    Enter pass phrase for myCA.key:
    Can't load /home/hui/.rnd into RNG
    140352584024512:error:2807106B:UI routines:UI_process:processing error:../crypto/ui/ui_lib.c:543:while reading strings
    140352584024512:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/hui/.rnd
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:localhostssl
    Email Address []:

step 3

$ openssl req -new -key localhost.key -out localhost.csr
    Can't load /home/hui/.rnd into RNG
    140475862180288:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/hui/.rnd
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:localhostssl
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

step 4

$ > localhost.ext cat <<-EOF
    > authorityKeyIdentifier=keyid,issuer
    > basicConstraints=CA:FALSE
    > keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    > subjectAltName = @alt_names
    > [alt_names]
    > DNS.1 = localhost # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
    > DNS.2 = bar.localhost # Optionally, add additional domains (I've added a subdomain here)
    > IP.1 = 192.168.31.122 # Optionally, add an IP address (if the connection which you have planned requires it)
    > EOF

step 5

openssl x509 -req -in localhost.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial\
     -out localhost.crt -days 825 -sha256 -extfile localhost.ext

step 6: verify

$ openssl verify -CAfile myCA.pem -verify_hostname bar.localhost localhost.crtlocalhost.crt: OK

step7: import in chrome

Import myCA.pem as an "Authority" (not into "Your Certificates") in your Chrome \
     settings (Settings > Manage certificates > Authorities > Import)
    
    Use the localhost.crt and localhost.key files in your server

step8: 浏览器访问`https://localhostssl`OK

--------------------

参考

*  [make https works with nginx on localhost][] 待验证
 *  [HTTPS on localhost with NGINX][]
 *  [Getting Chrome to accept self-signed localhost certificate][]

[make https works with nginx on localhost]: https://podinhtam.medium.com/how-to-make-https-works-with-nginx-on-localhost-development-environment-9fd0d63e32cb
[HTTPS on localhost with NGINX]: https://imagineer.in/blog/https-on-localhost-with-nginx/
[Getting Chrome to accept self-signed localhost certificate]: https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate

nginx配置localhost https视频服务

发表评论取消回复

还没有评论，来说两句吧...

相关阅读