To support HTTPS during development, use mkcert. It creates a private development CA, installs that CA's root certificate into the local system and browser trust stores (`mkcert -install`), and then issues leaf certificates signed by that CA for whatever names you list:

```shell
# install mkcert
brew install mkcert
# one-time: create the local CA and add its root certificate to the trust stores
mkcert -install
# from the project directory, issue a certificate for the names the dev setup uses
# (general form: mkcert example.com "*.example.com" example.test localhost 127.0.0.1 ::1)
# ziyi.com is mapped to this machine's IP in iHosts (a hosts-file manager)
mkcert ziyi.com 30.120.112.54 localhost 127.0.0.1 ::1
```

mkcert prints the names the certificate covers and where it wrote the files:

```
Created a new certificate valid for the following names 📜
 - "ziyi.com"
 - "30.120.112.54"
 - "localhost"
 - "127.0.0.1"
 - "::1"

The certificate is at "./ziyi.com+4.pem" and the key at "./ziyi.com+4-key.pem" ✅

It will expire on 19 July 2025 🗓
```

Note that a browser will only accept this certificate on machines where the mkcert root has been installed; the leaf certificate alone is not enough. With the certificate and key in place, change the Nginx configuration to serve HTTPS:
```nginx
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    # server {
    #     # the main application's proxy port is 4001
    #     listen       4001;
    #     server_name  localhost;
    #
    #     #charset koi8-r;
    #
    #     #access_log  logs/host.access.log  main;
    #
    #     location / {
    #         # root   html;
    #         # index  index.html index.htm;
    #         # proxy to the main application
    #         proxy_pass 'http://30.120.112.54:4000';
    #     }
    #
    #     #error_page  404              /404.html;
    #
    #     # redirect server error pages to the static page /50x.html
    #     #
    #     error_page   500 502 503 504  /50x.html;
    #     location = /50x.html {
    #         root   html;
    #     }
    #
    #     # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #     #
    #     #location ~ \.php$ {
    #     #    proxy_pass   http://127.0.0.1;
    #     #}
    #
    #     # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #     #
    #     #location ~ \.php$ {
    #     #    root           html;
    #     #    fastcgi_pass   127.0.0.1:9000;
    #     #    fastcgi_index  index.php;
    #     #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #     #    include        fastcgi_params;
    #     #}
    #
    #     # deny access to .htaccess files, if Apache's document root
    #     # concurs with nginx's one
    #     #
    #     #location ~ /\.ht {
    #     #    deny  all;
    #     #}
    # }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;
    #
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    # serve HTTPS and proxy to the main application
    server {
        listen       4001 ssl;
        server_name  localhost;

        ssl_certificate      /Users/zhuxiankang/Desktop/Github/micro-framework/ziyi.com+4.pem;
        ssl_certificate_key  /Users/zhuxiankang/Desktop/Github/micro-framework/ziyi.com+4-key.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            # root   html;
            # index  index.html index.htm;
            proxy_pass 'http://30.120.112.54:4000';
        }
    }

    # HTTPS server
    # serve HTTPS and proxy to the micro-application
    server {
        listen       3001 ssl;
        server_name  localhost;

        ssl_certificate      /Users/zhuxiankang/Desktop/Github/micro-framework/ziyi.com+4.pem;
        ssl_certificate_key  /Users/zhuxiankang/Desktop/Github/micro-framework/ziyi.com+4-key.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            # root   html;
            # index  index.html index.htm;
            proxy_pass 'http://30.120.112.54:3000';
        }
    }

    include servers/*;
}
```

A few points worth knowing about this configuration. The `ssl_ciphers HIGH:!aNULL:!MD5` and `ssl_prefer_server_ciphers on` lines are the stock sample shipped with nginx and say nothing about protocol versions; add an explicit `ssl_protocols TLSv1.2 TLSv1.3;` rather than relying on whatever the installed build defaults to. TLS terminates at nginx: the hop from nginx to `30.120.112.54:4000` and `:3000` is plain HTTP, which is acceptable on a development machine but means the certificate only protects the browser-to-nginx leg. Finally, `ziyi.com+4-key.pem` is a private key sitting in the project directory, so keep it out of version control; the far more sensitive file is the CA key, `rootCA-key.pem` under the directory printed by `mkcert -CAROOT`, since anyone holding it can mint certificates that every browser on this machine trusts.
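Before reloading nginx it is worth confirming that the files mkcert wrote actually chain to the mkcert root, cover the names the proxies will be reached under, and are not about to expire. The script below is an added example, not part of the original post or of mkcert; it assumes only `openssl` on PATH, and the certificate path, root CA path and hostname are passed in as arguments. `tls_check` is the live check against the running nginx on port 4001 or 3001 and is not exercised offline.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): checks to run on the files mkcert
# produced before pointing nginx at them. Assumes only `openssl` on PATH;
# certificate, root CA file and hostname are passed in as arguments.
set -eu

# Print the certificate's SAN entries one per line, normalised to
# "DNS:<name>" and "IP:<addr>" (OpenSSL prints "IP Address:" and writes ::1
# in its expanded form 0:0:0:0:0:0:0:1, so query IPv6 in that form).
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/^IP Address:/IP:/'
}

# Read SAN entries from stdin and print "yes" if one of them covers NAME ($1)
# the way a browser decides it: exact DNS match, exact IP match, or a wildcard
# that replaces exactly one leftmost label ("*.ziyi.com" covers "app.ziyi.com"
# but neither "ziyi.com" nor "a.b.ziyi.com"). Prints "no" otherwise.
san_match() {
  name=$1
  while IFS= read -r entry; do
    kind=${entry%%:*}
    value=${entry#*:}
    case $kind in
      DNS)
        if [ "$value" = "$name" ]; then echo yes; return 0; fi
        rest=${name#*.}
        if [ "$rest" != "$name" ] && [ -n "${name%%.*}" ] && [ "$value" = "*.$rest" ]; then
          echo yes; return 0
        fi
        ;;
      IP)
        if [ "$value" = "$name" ]; then echo yes; return 0; fi
        ;;
    esac
  done
  echo no
}

# Exit 0 if certificate $2 covers hostname or IP $1.
cert_covers() {
  [ "$(cert_sans "$2" | san_match "$1")" = yes ]
}

# Exit 0 if certificate $2 verifies against the root CA file $1, which for
# mkcert is "$(mkcert -CAROOT)/rootCA.pem".
cert_chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if certificate $2 is still valid $1 days from now (mkcert leaf
# certificates have a fixed lifetime; the post's expires on 19 July 2025).
cert_valid_for_days() {
  openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Live check of a running nginx: connect to HOST:PORT ($1) with SNI name $2 and
# fail unless the served chain verifies against root $3. Not run offline; use it
# against 127.0.0.1:4001 and 127.0.0.1:3001 after nginx reloads.
tls_check() {
  openssl s_client -connect "$1" -servername "$2" -CAfile "$3" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: sh check_cert.sh ziyi.com+4.pem "$(mkcert -CAROOT)/rootCA.pem" ziyi.com
if [ $# -eq 3 ]; then
  cert_chains_to "$2" "$1" && cert_valid_for_days 30 "$1" && cert_covers "$3" "$1" \
    && echo "OK: $1 chains to $2 and covers $3"
fi
```

The hostname match is deliberately strict: a wildcard entry only stands in for one label, and an IP address is matched against the IP SAN entries, never against a DNS entry. That is the rule browsers apply, so a name the script rejects is one the browser would reject too, regardless of what `server_name` says in nginx.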
What is the difference between a certificate from a local CA and a self-signed certificate?

| Aspect | Local CA certificate | Self-signed certificate |
|---|---|---|
| Issuer | A private local CA | The certificate's own subject |
| Trust chain | Requires the CA root certificate to be installed | No chain; the certificate vouches for itself |
| Browser trust | Fully trusted on every machine where the CA root is installed | Shows a security warning |
| Typical use | Corporate intranets, development and test clusters | Personal projects, one-off tests |
| Key management | The CA private key must be strictly protected | Only the one certificate's private key to manage |
| Revocation | Can be revoked via CRL/OCSP | No effective way to revoke |
| Scalability | Can issue leaf certificates in bulk | Each certificate is generated independently |

mkcert falls in the first column: `ziyi.com+4.pem` is a leaf certificate signed by the private root in `mkcert -CAROOT`, which is why it is trusted without a warning once that root has been installed with `mkcert -install`, and why the root's private key deserves more care than the leaf's.