Outline

Public certificate authorities will not issue certificates for names such as localhost or 127.0.0.1, so you have to create your own CA, add it to the root trust store, and sign the site certificate with that CA.

https://github.com/FiloSottile/mkcert provides a handy tool that creates a local CA and adds it to the root trust store.

[code]
$ mkcert -install
Created a new local CA at "/Users/filippo/Library/Application Support/mkcert" 💥
The local CA is now installed in the system trust store! ⚡️
The local CA is now installed in the Firefox trust store (requires restart)! 🦊

$ mkcert example.com "*.example.org" myapp.dev localhost 127.0.0.1 ::1
Using the local CA at "/Users/filippo/Library/Application Support/mkcert" ✨

Created a new certificate valid for the following names 📜
– "example.com"
– "*.example.org"
– "myapp.dev"
– "localhost"
– "127.0.0.1"
– "::1"

The certificate is at "./example.com+5.pem" and the key at "./example.com+5-key.pem" ✅
[/code]
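The Go program below is an added illustration, not mkcert's own code: it does in memory what the two mkcert commands above do on disk (create a local CA, then sign a server certificate for localhost, 127.0.0.1 and ::1 with it) and then shows that a client accepts that certificate only when the CA is in its trust store and only for a name the certificate actually carries. The function names (`LocalChain`, `Verify`, `issue`) and the CA subject are assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl with key (self-signed when parent == tmpl) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err) // demo code: a failure here is a programming error, not bad input
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// LocalChain builds, in memory only, what `mkcert -install` and `mkcert localhost 127.0.0.1 ::1` produce on disk.
func LocalChain(dnsNames []string, ips []net.IP) (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example local CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root, the "rootCA.pem" that mkcert installs
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: dnsNames, IPAddresses: ips, NotBefore: nb,
		NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return ca, issue(leafTmpl, ca, &leafKey.PublicKey, caKey) // server cert: names as SANs, no CertSign
}

// Verify checks leaf for name against a trust store holding only trusted (nil: CA never installed).
func Verify(leaf, trusted *x509.Certificate, name string) error {
	roots := x509.NewCertPool()
	if trusted != nil {
		roots.AddCert(trusted)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

func main() {
	ca, leaf := LocalChain([]string{"localhost"}, []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")})
	fmt.Println(Verify(leaf, ca, "localhost"), "|", Verify(leaf, nil, "localhost"), "|", Verify(leaf, ca, "example.org"))
}
```

The three results printed by main are, in order, success, an unknown-authority error (the CA is not in the trust store, as in a browser where `mkcert -install` was never run), and a hostname-mismatch error (the name is not among the certificate's SANs).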

Rename example.com+5.pem and example.com+5-key.pem to server.crt and server.key; they will be referenced from the nginx configuration file.

Add the following settings to the nginx configuration; they can go in a virtual host (server block).

In the server block listening on port 443:

[code]
# relative paths are resolved against nginx's prefix directory (see nginx -V); absolute paths avoid surprises
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); a local setup only needs TLSv1.2 (and TLSv1.3 where the build supports it)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
[/code]

In the server block listening on port 80, add a redirect to the SSL site:

[code]
# redirect non-SSL requests to the SSL site
rewrite ^(.*) https://$host$1 permanent;
[/code]
