1. Generate SSL self-signed certificate
A self-signed certificate is one you generate yourself. It is free of charge, but browsers do not trust it; certificates that browsers trust are paid and must be purchased. Because this is a local test, a self-signed certificate is used here. If you have purchased a certificate, you can skip the certificate generation part.
Install OpenSSL
OpenSSL is a tool for generating SSL keys and certificates. Here it is installed under Win10. Download the Windows 64-bit installer and click Next through the installation steps. Then add the bin directory of the OpenSSL installation to the PATH environment variable.
2. Start generating certificates
Generate RSA private key
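The des3 algorithm encrypts the key with a passphrase, 1024 is the key strength in bits, and server.key is the private key file name. A 1024-bit RSA key is only suitable for a local test like this one; use at least 2048 bits for a real deployment.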
openssl genrsa -des3 -out server.key 1024
Generate CSR (Certificate Signing Request)
openssl req -new -key server.key -out server.csr
Note: the Common Name must be consistent with the domain name.
Since this is tested on the local machine, there is no real domain name, but one can be simulated by modifying the hosts file.
The hosts file is in the C:\Windows\System32\drivers\etc directory. Open it and add the line 127.0.0.1 demo.joyios.com
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:joyios
Organizational Unit Name (eg, section) []:info technology
Common Name (eg server FQDN or YOUR name) []:demo.joyios.com
Email Address []:liufan@joyios.com
The Common Name item must be consistent with your domain name.
Remove the password from the private key
openssl rsa -in server.key -out server.key
Generate a self-signed certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
At this point the certificate has been generated. There are 3 files: server.key, server.csr and server.crt
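Before handing the files to nginx it is worth checking that the key and certificate belong together, that the Common Name is the one nginx will serve, and that the key is no longer passphrase-protected. The script below is an added example, not part of the original article: the function names are hypothetical, it assumes a POSIX shell (Linux or WSL) with openssl on the PATH, and it runs the article's commands non-interactively on constructed sample files in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the article): checks on server.key / server.crt
# before nginx is pointed at them. Function names are hypothetical.

# Print the RSA key size in bits (the article's command produces 1024).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Succeed if the key file is still passphrase-protected; nginx would then
# ask for the passphrase on every start.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Succeed if key and certificate share one RSA modulus, i.e. form a pair.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the certificate's Common Name, to compare with nginx server_name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed if the certificate is still valid $2 days from now.
cert_valid_in_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed sample files: the article's commands, run non-interactively
# in a temporary directory (2048-bit key, plus an unrelated 1024-bit key).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
openssl genrsa -out "$demo/server.key" 2048 2>/dev/null
openssl req -new -key "$demo/server.key" -out "$demo/server.csr" \
    -subj "/C=CN/O=joyios/CN=demo.joyios.com"
openssl x509 -req -days 365 -in "$demo/server.csr" \
    -signkey "$demo/server.key" -out "$demo/server.crt" 2>/dev/null
openssl genrsa -out "$demo/other.key" 1024 2>/dev/null

echo "server.key: $(key_bits "$demo/server.key") bits, other.key: $(key_bits "$demo/other.key") bits"
echo "certificate CN: $(cert_cn "$demo/server.crt")"
key_matches_cert "$demo/server.key" "$demo/server.crt" && echo "server.key matches server.crt"
key_matches_cert "$demo/other.key" "$demo/server.crt" || echo "other.key does not match server.crt"
```

To check your own files, call the functions with the paths to your server.key and server.crt instead of the sample files.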
2. Configure Nginx
Place the certificate
Open the conf directory of nginx, create the keys directory, and put the generated certificate (3 files) into the keys directory
Modify nginx.conf
server {
    listen 80;
    server_name www.xxx.com;
    # Redirect every HTTP request to HTTPS
    rewrite ^(.*)$ https://${server_name}$1 permanent;
    location / {
        proxy_pass http://www.xxx.com:8080;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}
server {
    # The ssl parameter enables TLS on this port (it replaces the deprecated "ssl on;")
    listen 443 ssl;
    server_name www.xxx.com;
    # Path to the certificate and its private key
    ssl_certificate keys/server.crt;
    ssl_certificate_key keys/server.key;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # Ordinary https request
    location / {
        # Configure forwarding to port 8080
        proxy_pass http://www.xxx.com:8080;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
    # WebSocket request
    location /websocketChat {
        proxy_pass http://www.xxx.com:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # WebSocket request
    location /websocketAudio {
        proxy_pass http://www.xxx.com:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Restart nginx: enter the nginx installation directory and run
nginx -s reload
3. Done, now test
The setup is now complete, and in the JavaScript WebSocket code ws can be replaced with wss.
Visit www.xxx.com directly and the browser will detect the SSL certificate. Because the certificate is not issued by a trusted authority, every browser will block it with a warning; once you choose to trust it, you reach the mapped port 8080 (Tomcat server).