nginx: configuring an HTTPS video service on localhost

素颜马尾好姑娘i 2022-09-14 00:10

### Method 1 ###

step 1: add an alias to `/etc/hosts`

```
127.0.1.1 localhostssl
```

step 2: create a self-signed SSL certificate

```
$ sudo mkdir /usr/local/nginx/cert
$ cd /usr/local/nginx/cert
$ sudo openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout localhost.key -out localhost.crt
```

Inspect the certificate contents:

```
$ openssl x509 -text -noout -in localhost.crt
```

step 3: configure nginx.conf

```nginx
server {
    server_name localhostssl;
    # redirect plain-HTTP requests for this host to the HTTPS server below
    # (the host in the rewrite must match server_name)
    rewrite ^(.*) https://localhostssl$1 permanent;
}

server {
    listen 443 ssl;
    ssl_certificate     /usr/local/nginx/cert/localhost.crt;
    ssl_certificate_key /usr/local/nginx/cert/localhost.key;
    ssl_ciphers HIGH:!aNULL:!MD5;
    server_name localhostssl;

    location / {
        # hand requests on to the existing plain-HTTP HLS server on port 80
        proxy_pass http://localhost;
    }
}
```

step 4: reload nginx

```
$ sudo /usr/local/nginx/sbin/nginx -s reload
```

step 5: open `https://localhost` in the browser

Chrome shows:

```
Your connection is not private
Attackers might be trying to steal your information from localhostssl (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
To get Chrome’s highest level of security, turn on enhanced protection
```

The certutil method gives an error:

```
sudo apt-get install libnss3-tools
certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "localhost" -i localhost.crt
```

```
$ rm -rf $HOME/.pki/nssdb
$ certutil -d $HOME/.pki/nssdb -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 12345678
Re-enter password: 12345678
$ certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "localhost" -i /usr/local/nginx/cert/localhost.crt
Enter Password or Pin for "NSS Certificate DB":12345678
hui@hui:/usr/local/nginx $ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

localhost                                                    CT,c,c
```

I tried accessing it from the browser and there was still a problem; the browser can be configured with the flag below, but playback already works.

```
chrome://flags/#allow-insecure-localhost
```

Testing HTTPS video playback

Playing the HLS source set up earlier with VLC at this point shows it is already going over HTTPS, although there are error messages.

```
vlc https://localhost/hls/playlist.m3u8
vlc https://localhostssl/hls/playlist.m3u8
[00007fad2c01b0e0] gnutls tls client error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
[00007fad2c12aa60] gnutls tls client error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
```

Looking at the log, playing over plain HTTP is noticeably different, which shows HTTPS has taken effect; ffplay works too.

```
vlc http://localhost/hls/playlist.m3u8
ffplay http://localhost/hls/playlist.m3u8 -v debug
```

--------------------

### Method 2 ###

step 1

```
$ openssl genrsa -des3 -out myCA.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................................................+++++
...................................+++++
e is 65537 (0x010001)
Enter pass phrase for myCA.key:2048
Verifying - Enter pass phrase for myCA.key:2048
```

step 2

```
$ openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem
Enter pass phrase for myCA.key:
140352584024512:error:28078065:UI routines:UI_set_result_ex:result too small:../crypto/ui/ui_lib.c:903:You must type in 4 to 1023 characters
Enter pass phrase for myCA.key:
Can't load /home/hui/.rnd into RNG
140352584024512:error:2807106B:UI routines:UI_process:processing error:../crypto/ui/ui_lib.c:543:while reading strings
140352584024512:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/hui/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhostssl
Email Address []:
```

step 3

```
$ openssl req -new -key localhost.key -out localhost.csr
Can't load /home/hui/.rnd into RNG
140475862180288:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/hui/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhostssl
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

step 4

```
$ > localhost.ext cat <<-EOF
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> subjectAltName = @alt_names
> [alt_names]
> DNS.1 = localhost # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
> DNS.2 = bar.localhost # Optionally, add additional domains (I've added a subdomain here)
> IP.1 = 192.168.31.122 # Optionally, add an IP address (if the connection which you have planned requires it)
> EOF
```

step 5

```
$ openssl x509 -req -in localhost.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
    -out localhost.crt -days 825 -sha256 -extfile localhost.ext
```

step 6: verify

```
$ openssl verify -CAfile myCA.pem -verify_hostname bar.localhost localhost.crt
localhost.crt: OK
```

step 7: import into Chrome

Import myCA.pem as an "Authority" (not into "Your Certificates") in your Chrome settings (Settings > Manage certificates > Authorities > Import). Use the localhost.crt and localhost.key files in your server.

step 8: open `https://localhostssl` in the browser: OK

--------------------

References

* [make https works with nginx on localhost][] (to be verified)
* [HTTPS on localhost with NGINX][]
* [Getting Chrome to accept self-signed localhost certificate][]

[make https works with nginx on localhost]: https://podinhtam.medium.com/how-to-make-https-works-with-nginx-on-localhost-development-environment-9fd0d63e32cb
[HTTPS on localhost with NGINX]: https://imagineer.in/blog/https-on-localhost-with-nginx/
[Getting Chrome to accept self-signed localhost certificate]: https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate