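Certificate issuance
OpenSSL 3.x or later is required. v1.1.1 will not work.
Run openssl version to check the installed version.

Generate the CA certificate (with private key); follow the prompts to enter the country, province, company, and so on.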
openssl req -new -x509 -out ca.crt -noenc -keyout ca.pkey

Generate the website certificate (with private key). The subjectAltName must contain the IP address or domain name (DNS) of the site.
openssl req -new -x509 -out web.crt -noenc -keyout web.pkey -CA ca.crt -CAkey ca.pkey -addext "subjectAltName = IP.0:192.168.3.8, DNS.1:yourdomain.cn"
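
An added example, not part of the original page: a shell function that checks what must hold before Nginx is pointed at web.crt, namely that it chains to ca.crt, that web.pkey is its private key, and that the address clients use is in subjectAltName. The function name check_web_cert is made up for this sketch; the file names follow the commands above.

```shell
#!/bin/sh
# Added example: sanity-check a certificate issued with the commands above.
# check_web_cert is a hypothetical helper name, not an OpenSSL command.

# check_web_cert CA_CERT WEB_CERT WEB_KEY NAME
# Returns 0 only if all three checks pass; prints the first failure.
check_web_cert() {
    ca=$1 cert=$2 key=$3 name=$4

    # 1. The web certificate must chain to the CA that clients will trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not verify against $ca"; return 1; }

    # 2. The key given to ssl_certificate_key must belong to the certificate:
    #    compare the public key in the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $key is not the private key for $cert"; return 1; }

    # 3. The name or IP typed into the browser must be in subjectAltName.
    #    x509 -checkip/-checkhost print a verdict, so match on the text.
    case $name in
        *[!0-9.]*) opt=-checkhost ;;   # anything but digits and dots: DNS name
        *)         opt=-checkip ;;     # IPv4 literal
    esac
    openssl x509 -in "$cert" -noout "$opt" "$name" 2>/dev/null |
        grep -q "does match certificate" || {
        echo "FAIL: $name is not covered by subjectAltName in $cert"; return 1; }

    echo "OK: $cert is valid for $name"
}
```

Usage: check_web_cert ca.crt web.crt web.pkey 192.168.3.8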

Nginx configuration
server {
    listen 443 ssl;
    server_name xxxx.com;
    ssl_certificate ../web.crt;
    ssl_certificate_key ../web.pkey;
    location / {
        proxy_pass https://xxxx.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
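
Installing the CA certificate on Windows
Copy ca.crt to the Windows machine and double-click it to install the certificate into "Trusted Root Certification Authorities".

To replace a remote file with a local file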
server {
    # ... (rest of the server block as above)
    location / {
        proxy_pass https://xxx.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # Serve the local copy instead of proxying. The dot is escaped and the
    # pattern anchored so that only URIs ending in aaa.js match.
    location ~ aaa\.js$ {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization';
        alias html/aaa.js;
    }
}