配置HTTPS测试环境
方案1:使用自签名证书
1.1 快速生成自签名证书
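# Create the directory that will hold the certificate and its private key
sudo mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl
# Generate a self-signed certificate valid for 365 days.
# - Absolute output paths: if the cd above failed, the key must not land in
#   whatever directory the shell happens to be in.
# - -nodes leaves the private key unencrypted on disk, so file permissions are
#   its only protection (see the chmod below).
# - -addext (OpenSSL 1.1.1+) adds a subjectAltName; current browsers match the
#   host name against SAN entries and ignore the CN in -subj.
sudo openssl req -x509 -newkey rsa:2048 \
  -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.crt \
  -days 365 -nodes \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Dev/OU=IT/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
# Private key readable by root only; the certificate itself is public data
sudo chmod 600 /etc/nginx/ssl/server.key
sudo chmod 644 /etc/nginx/ssl/server.crt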
1.2 配置Nginx使用自签名证书
# HTTPS virtual host for local testing with the self-signed certificate
server {
    listen      443 ssl;
    server_name localhost;

    # Certificate and unencrypted private key generated with openssl above
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # TLS 1.2 and 1.3 only; the TLS 1.2 suites are ECDHE key exchange with AES-GCM
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    # off: the client's cipher preference order is honoured
    ssl_prefer_server_ciphers off;

    # Serve the static site from the default document root
    location / {
        root  /usr/share/nginx/html;
        index index.html;
    }
}
方案2:使用mkcert工具(开发环境最佳选择)
2.1 安装mkcert
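# Ubuntu/Debian
# libnss3-tools provides certutil, which mkcert uses for browser NSS trust stores
sudo apt install libnss3-tools
# Download from the release tag that matches the file name. The versioned file
# name only exists in its own release, so combining it with ".../latest/..."
# stops working as soon as a newer release is published.
wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64
# This binary will install a root CA into the machine's trust stores: print its
# SHA-256 and compare it with a value obtained from a source you trust before
# installing it.
sha256sum mkcert-v1.4.4-linux-amd64
# install (rather than mv + chmod) makes the file root-owned. A moved file keeps
# the downloading user's ownership, leaving a user-writable executable in
# /usr/local/bin.
sudo install -o root -g root -m 0755 mkcert-v1.4.4-linux-amd64 /usr/local/bin/mkcert
rm -- mkcert-v1.4.4-linux-amd64
# Alternatively, install from a package manager
# Ubuntu/Debian: sudo apt install mkcert
# macOS: brew install mkcert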
2.2 生成受信任的本地证书
# Create a local CA and add it to the trust stores of this machine.
# NOTE(review): the CA private key (rootCA-key.pem in the directory printed by
# `mkcert -CAROOT`) can sign a certificate for any host name this machine will
# then trust. Keep it on the development machine; never share or commit it.
mkcert -install
# Issue a certificate valid for localhost, 127.0.0.1 and ::1
mkcert localhost 127.0.0.1 ::1
# Files produced: localhost+2.pem (certificate) and localhost+2-key.pem (private key)
2.3 配置Nginx使用mkcert证书
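# HTTPS virtual host for local development with the mkcert-issued certificate
server {
    listen      443 ssl;
    server_name localhost;

    # Replace /path/to with the directory that holds the files mkcert generated.
    # The -key.pem file is an unencrypted private key: keep it out of the web
    # root and out of version control.
    ssl_certificate     /path/to/localhost+2.pem;
    ssl_certificate_key /path/to/localhost+2-key.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    # Same ECDHE + AES-GCM policy as the self-signed example, instead of
    # HIGH:!aNULL:!MD5, which still admits CBC and static-RSA suites under
    # TLS 1.2. The ECDSA variants cover a certificate issued with an ECDSA key.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # Serve the static site from the default document root
    location / {
        root  /usr/share/nginx/html;
        index index.html;
    }
}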
🚀一键部署脚本
创建一个快速设置脚本 setup-https.sh:
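#!/bin/bash
# setup-https.sh: generate a self-signed certificate for a local Nginx HTTPS
# test environment. Writes server.crt and server.key to /etc/nginx/ssl.
# Requires sudo and OpenSSL 1.1.1+ (for -addext).

# Abort on the first failing step so the success messages at the end are only
# printed when the certificate and key really exist.
set -euo pipefail

readonly SSL_DIR=/etc/nginx/ssl

# Create the SSL directory
sudo mkdir -p "$SSL_DIR"

# Generate the self-signed certificate.
# - Absolute output paths, so nothing depends on the current directory.
# - -nodes leaves the private key unencrypted; file permissions are its only
#   protection.
# - subjectAltName is what current browsers match the host name against; the
#   CN in -subj is ignored by them.
sudo openssl req -x509 -newkey rsa:2048 \
  -keyout "$SSL_DIR/server.key" -out "$SSL_DIR/server.crt" \
  -days 365 -nodes \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Dev/OU=IT/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"

# Private key readable by root only; the certificate is public data
sudo chmod 600 "$SSL_DIR/server.key"
sudo chmod 644 "$SSL_DIR/server.crt"

echo "SSL证书已生成:"
echo "证书: /etc/nginx/ssl/server.crt"
echo "私钥: /etc/nginx/ssl/server.key"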
🔍 验证配置
配置完成后,执行以下步骤验证:
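# Check the configuration syntax and reload Nginx only if the check passes,
# so a broken configuration is never applied
sudo nginx -t && sudo systemctl reload nginx
# Test the HTTPS connection with certificate verification enabled.
# -k/--insecure skips verification entirely, so it cannot tell the intended
# certificate from a wrong one; trusting the generated certificate explicitly
# checks both the certificate and the host name.
# Option 1 (self-signed certificate):
curl --cacert /etc/nginx/ssl/server.crt https://localhost
# Option 2 (mkcert): the local CA was added to the system trust store by
# `mkcert -install`, so no extra flag is needed:
# curl https://localhost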