Windows + Node + HTTPS

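Reposted from: https://troyyang.com/2017/11/07/windows-ssl-node-nginx/

Setting up HTTPS + Node.js + nginx on Windows
While building a WeChat mini program recently, every request was required to use an HTTPS connection. HTTPS was already set up on the server side, but there was no way to test locally, so I had to set up an HTTPS service on my own machine.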

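There are very few steps, as many as it takes to put an elephant into a refrigerator! Just three:
Step 1: SSL needs a certificate, so generate one; here I generate a self-signed certificate.
Step 2: Install nginx and configure SSL.
Step 3: Use nginx as a reverse proxy to the port of the Node service.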

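Certificate generation
Installing OpenSSL
Download: http://slproweb.com/products/Win32OpenSSL.html
(Download and install the 32-bit or 64-bit build to match your system.)

After the download completes, run the installer; by default it installs into the C:\OpenSSL-Win64 folder.

Configure the environment variable: add C:\OpenSSL-Win64\bin; to the Path environment variable.
Generating the self-signed certificate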

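cd /d D:\ssl
rem Point OpenSSL at its configuration file
set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
echo %OPENSSL_CONF%
rem Generate the private key server.key
openssl genrsa -out server.key 4096
rem Generate the certificate signing request
openssl req -new -key server.key -out server.csr
rem Self-sign the request with server.key to produce the certificate
openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt
Here server.crt is our certificate and server.key is the private key.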

Be sure to set the OPENSSL_CONF variable; otherwise you will get the following error:

c:\OpenSSL-Win64\bin>openssl req -new -key server.key -out server.csr
Can't open C:\Program Files\Common Files\SSL/openssl.cnf for reading, No such file or directory
6440:error:02001003:system library:fopen:No such process:crypto\bio\bss_file.c:74:fopen('C:\Program Files\Common Files\SSL/openssl.cnf','r')
6440:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:81:
Enter pass phrase for server.key:
unable to find 'distinguished_name' in config
problems making Certificate Request
6440:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:crypto\conf\conf_lib.c:272:
The complete session looks like this:

D:\ssl>openssl genrsa -out server.key 4096
Generating RSA private key, 4096 bit long modulus
..............................................................................................................................................................................................................++
.................................................................................................++
e is 65537 (0x010001)
D:\ssl>openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:SC
Locality Name (eg, city) []:ChengDu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:troyyang
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
D:\ssl>x509 -req -days 730 -in server.csr -signkey server.key -out server.crt
'x509' is not recognized as an internal or external command,
operable program or batch file.
D:\ssl>openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = CN, ST = SC, L = ChengDu, O = Internet Widgits Pty Ltd, CN = troyyang, emailAddress = [email protected]
Getting Private key
D:\ssl>
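
The certificate produced above carries CN = troyyang, while the site is later opened as https://localhost. As an added example (not part of the original post), this Node script audits a certificate object of the shape returned by getPeerCertificate() for what a client will flag; auditCert and both sample objects are constructed for illustration, with arbitrarily chosen dates.

```javascript
// Added example: audit a certificate object (getPeerCertificate() shape)
// for the problems a TLS client or browser will report.
const tls = require('tls');

function auditCert(cert, host, now = new Date()) {
  const findings = [];
  // Hostname check as Node performs it (falls back to CN only when no SAN DNS name exists).
  if (tls.checkServerIdentity(host, cert)) findings.push('name-mismatch');
  // Current browsers ignore CN entirely and require a subjectAltName entry.
  if (!cert.subjectaltname) findings.push('no-san');
  // A certificate made with `openssl x509 -req -signkey` has issuer == subject.
  if (JSON.stringify(cert.issuer) === JSON.stringify(cert.subject)) findings.push('self-signed');
  if (now < new Date(cert.valid_from) || now > new Date(cert.valid_to)) findings.push('outside-validity');
  if (cert.bits && cert.bits < 2048) findings.push('weak-rsa-key');
  return findings;
}

// Constructed sample mirroring the subject printed in the session above
// (4096-bit key, 730 days of validity; the dates themselves are made up).
const dn = { C: 'CN', ST: 'SC', L: 'ChengDu', O: 'Internet Widgits Pty Ltd', CN: 'troyyang' };
const pageCert = {
  subject: dn, issuer: dn, bits: 4096,
  valid_from: 'Nov 17 08:00:00 2017 GMT', valid_to: 'Nov 17 08:00:00 2019 GMT',
};

// Constructed sample: same certificate, but CN and SAN name the host actually served.
const localDn = { CN: 'localhost' };
const localhostCert = {
  ...pageCert, subject: localDn, issuer: localDn,
  subjectaltname: 'DNS:localhost, IP Address:127.0.0.1',
};

const when = new Date('2018-01-01T00:00:00Z');
console.log(auditCert(pageCert, 'localhost', when));
console.log(auditCert(localhostCert, 'localhost', when));
```

The second certificate still reports self-signed, which is expected for a local test setup; the remaining warning goes away only once the certificate is added to the client's trust store.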
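Setting up nginx
Download and install
Download the latest stable version of nginx from the official site (it is very small, under 2 MB; my version is 1.12.2): http://nginx.org/en/download.html

Then unpack and install it as the official documentation describes: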

cd c:\
rem unzip nginx-1.12.2.zip (you can also extract it manually)
cd nginx-1.12.2
start nginx
Check whether it started successfully:

C:\nginx-1.12.2>tasklist /fi "imagename eq nginx.exe"
Image Name PID Session Name Session# Mem Usage
=============== ======== ============== ========== ============
nginx.exe 652 Console 0 2 780 K
nginx.exe 1332 Console 0 3 112 K
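Two processes means it started successfully: one is the nginx master process and the other is a worker process.

One thing worth mentioning here:

After extracting, it is best not to launch nginx.exe by double-clicking it. I got burned by this: I double-clicked it right after extracting, and nothing seemed to happen except a window flashing briefly. Then when I ran start nginx from cmd, it would not start no matter what. It only worked after I ran nginx -s reload. Reportedly the reason is that double-clicking the program changes the configuration file nginx.conf, so a reload is needed.

Once nginx is running, visiting localhost should normally work and show the nginx welcome page. If it does not, check whether the IIS server is still running, since IIS may be occupying port 80.

Configuring SSL
At this point nginx only supports HTTP, so the self-signed certificate generated earlier has to be configured in nginx. Open the configuration file "C:\nginx-1.12.2\conf\nginx.conf", then uncomment the section below and set the paths: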

server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      D:\ssl\server.crt;
    ssl_certificate_key  D:\ssl\server.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html;
        index  index.html index.htm;
    }
}

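Visiting https://localhost should now bring up the browser's HTTPS security warning; choose to continue and you get the result below.
[image: screenshot of the result]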

Reverse proxying the Node service
Use express to create the simplest possible Node server, on port 3000.
app.js

const express = require('express')
const app = express()
app.get('/', (req, res) => res.send('Hello World!'))
app.listen(3000, () => console.log('Example app listening on port 3000!'))
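Run the service and make sure localhost:3000 is reachable.

node app.js
Nginx reverse proxy configuration
Open the nginx configuration file mentioned above and change the location of the 443 server to the following: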

server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      D:\ssl\server.crt;
    ssl_certificate_key  D:\ssl\server.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        proxy_pass http://localhost:3000;
    }
}
If everything is OK, visiting https://localhost returns the hello world output. With that, a service using SSL + Node + nginx on the Windows platform is up and running.
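
In this setup nginx terminates TLS and the Node process still speaks plain HTTP on port 3000. The following is an added example, not code from the original post, that uses only Node's built-in http module to keep that cleartext port on loopback and to trust the forwarded scheme only from the local proxy. It assumes the nginx location block also sets `proxy_set_header X-Forwarded-Proto $scheme;` and that proxy_pass targets http://127.0.0.1:3000; the function names and PUBLIC_ORIGIN are hypothetical.

```javascript
// Added example: hardening the Node side of the nginx -> Node hop.
const http = require('http');

const PORT = 3000;              // the port nginx's proxy_pass points at
const BIND_HOST = '127.0.0.1';  // loopback only; listen(3000) without a host binds every interface
const PUBLIC_ORIGIN = 'https://localhost'; // assumed: the origin nginx serves

// True when the TCP peer is this machine (IPv4, IPv6, or IPv4-mapped IPv6).
function isLoopback(addr) {
  if (!addr) return false;
  const a = addr.startsWith('::ffff:') ? addr.slice(7) : addr;
  return a === '::1' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(a);
}

// Scheme the browser used. X-Forwarded-Proto is honoured only when the
// request arrived from the local proxy; any other peer could forge it.
function clientScheme(remoteAddr, headers) {
  if (!isLoopback(remoteAddr)) return 'http';
  const proto = String(headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
  return proto === 'https' ? 'https' : 'http';
}

// Pure routing decision, kept free of sockets so it can be tested directly.
function route(remoteAddr, headers) {
  if (clientScheme(remoteAddr, headers) !== 'https') {
    // Fixed origin: never build a redirect from the client-supplied Host header.
    return { status: 308, headers: { Location: PUBLIC_ORIGIN + '/' }, body: '' };
  }
  return { status: 200, headers: { 'Content-Type': 'text/plain' }, body: 'Hello World!' };
}

const server = http.createServer((req, res) => {
  const r = route(req.socket.remoteAddress, req.headers);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
});

if (process.argv[2] === 'serve') {
  // `node app.js serve` starts the real listener behind nginx.
  server.listen(PORT, BIND_HOST, () => console.log(`listening on http://${BIND_HOST}:${PORT}`));
} else {
  // Constructed requests: via the proxy, direct local access, forged header from the LAN.
  console.log(route('127.0.0.1', { 'x-forwarded-proto': 'https' }).status);
  console.log(route('127.0.0.1', {}).status);
  console.log(route('192.168.1.20', { 'x-forwarded-proto': 'https' }).status);
}
```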
