
Mac自签名ssl证书, 绑定域名启用https

生成root CA(仅需一次)

自签名证书: 从 iOS 13 / macOS 10.15 起, Apple 对 TLS 服务器证书有了新要求 (必须含 subjectAltName, 仅 CN 不再生效; extendedKeyUsage 须含 serverAuth; RSA 密钥 ≥ 2048 位; SHA-256 签名; 有效期 ≤ 825 天), 所以需要按如下方式生成.

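# Generate the local root CA once; every dev domain is then signed by it.
# rootca.key is what the keychain ends up trusting: anyone who can read it can
# mint certificates this Mac accepts for ANY hostname, so keep the directory
# and the key private and never copy the key to another machine.
mkdir -p ~/.ssl && chmod 700 ~/.ssl && cd ~/.ssl
openssl genrsa -out rootca.key 2048
chmod 600 rootca.key   # private key readable by the owner only
openssl req -new -key rootca.key -out rootca.csr -sha256 -subj "/CN=Dev Root CA"
# Mark it as a CA that may only sign certificates/CRLs (keyUsage), forbid
# sub-CAs (pathlen:0), and add a subjectKeyIdentifier so that the leaf certs'
# authorityKeyIdentifier=keyid can be matched against it when building chains.
cat > rootca.cnf <<'EOF'
basicConstraints=critical,CA:true,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
openssl x509 -req -in rootca.csr -signkey rootca.key -out rootca.crt -extfile rootca.cnf -sha256 -days 825
chmod 644 rootca.crt   # the certificate is public; only the key is secret
open rootca.crt  # opens in Keychain Access (or double-click the file)
# Keychain Access: search "Dev Root CA", double-click the certificate, expand
# "Trust" and set "When using this certificate" to Always Trust. A narrower
# choice is to set only "Secure Sockets Layer (SSL)" to Always Trust and leave
# the other purposes (code signing, S/MIME, ...) at their defaults.
# for Android (import as a user CA; apps targeting API 24+ may ignore user CAs
# unless their network_security_config allows them):
# openssl x509 -inform PEM -outform DER -in rootca.crt -out rootca.der.crt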

创建本地ssl证书(使用lvh.me域名)

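# Leaf (server) certificate for lvh.me, signed by the root CA above.
# Run from ~/.ssl so rootca.crt / rootca.key are found. -nodes leaves the key
# unencrypted so httpd/nginx can start unattended; protect it with file mode.
openssl req -new -newkey rsa:2048 -nodes -keyout lvh.me.key -out lvh.me.csr -sha256 -subj "/CN=lvh.me"
chmod 600 lvh.me.key
# Extensions Apple requires for leaf certs since iOS 13 / macOS 10.15: a SAN
# (the CN alone is ignored), EKU serverAuth, SHA-256, RSA >= 2048, <= 825 days.
# Only serverAuth is listed: this cert is never presented as a client cert, and
# dataEncipherment is not used by TLS, so neither is granted.
# A wildcard only matches one label, hence both *.lvh.me and *.test.lvh.me.
cat > domain.cnf <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:false
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=@alt_names
[alt_names]
DNS.1=lvh.me
DNS.2=*.lvh.me
DNS.3=*.test.lvh.me
EOF
# Sign with the root CA. -CAcreateserial creates rootca.srl on first use and
# increments it afterwards, so every leaf signed later gets a distinct serial.
openssl x509 -req -in lvh.me.csr -out lvh.me.crt -extfile domain.cnf -CA rootca.crt -CAkey rootca.key -CAcreateserial -sha256 -days 825
chmod 644 lvh.me.crt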

lvh.me 是一个把自身及所有子域名都解析到 127.0.0.1 的公共泛域名, 优点: 不需要改DNS/hosts, 各项目使用不同的域名方便隔离(比如cookies/密码管理器). 类似的还有 nip.io, sslip.io, localtest.me, fuf.me, vcap.me 等 (xip.io 已于 2021 年停止服务). 注意: 这些域名由第三方控制, 解析依赖外网 DNS (离线时不可用), 且域名一旦易主或被篡改, 浏览器里为它保存的 cookie/密码就会发往别处; 只把它们用于本地开发, 不要用来承载真实凭据.

使用Apache或Nginx 绑定域名

  • 使用Apache

    # 1. Edit `/etc/apache2/httpd.conf`
    # Comment out these two lines (mod_http2 needs the event MPM, and the
    # stock httpd-ssl.conf is replaced by the vhost file included below):
    LoadModule mpm_prefork_module libexec/apache2/mod_mpm_prefork.so
    Include /private/etc/apache2/extra/httpd-ssl.conf
    # Append at the bottom. `Listen 443` binds every interface; since lvh.me
    # resolves to 127.0.0.1 anyway, `Listen 127.0.0.1:443` would keep the dev
    # sites off the LAN — consider it if the machine is not always on a trusted
    # network. Without httpd-ssl.conf no SSLSessionCache is configured; httpd
    # still starts but may log a warning about it.
    Listen 443
    ServerName localhost
    LoadModule mpm_event_module libexec/apache2/mod_mpm_event.so
    LoadModule proxy_module libexec/apache2/mod_proxy.so
    LoadModule proxy_http_module libexec/apache2/mod_proxy_http.so
    LoadModule macro_module libexec/apache2/mod_macro.so
    LoadModule ssl_module libexec/apache2/mod_ssl.so
    LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
    LoadModule http2_module libexec/apache2/mod_http2.so
    Include /Users/leon/.ssl/httpd-vhosts.conf
    
    # 2. 编辑 ~/.ssl/httpd-vhosts.conf, 增加:
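    # Shared TLS settings; `Use SSLLvh` inside every *:443 vhost.
    <Macro SSLLvh>
      SSLEngine on
      SSLCertificateFile /Users/leon/.ssl/lvh.me.crt
      SSLCertificateKeyFile /Users/leon/.ssl/lvh.me.key
      # TLS 1.2+ only (1.0/1.1 are deprecated). The subtractive form works on
      # every 2.4.x mod_ssl; "+TLSv1.3" would be rejected by builds without it.
      SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
      SSLHonorCipherOrder on
      SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
      Protocols h2 http/1.1
    </Macro>
    # Reverse proxy for one project; the app behind it listens on :3000.
    <Macro Test>
      ServerName test.lvh.me
      ProxyRequests off
      # Pass the original Host header through so the app builds links and
      # cookies for test.lvh.me instead of localhost:3000 (same as the
      # `proxy_set_header Host $host` in the nginx variant).
      ProxyPreserveHost On
      <Location />
        ProxyPass http://localhost:3000/
        ProxyPassReverse http://localhost:3000/
      </Location>
      # If the app must know it is behind TLS (Secure cookies, https redirects)
      # and mod_headers is loaded, add inside the *:443 vhost only:
      #   RequestHeader set X-Forwarded-Proto "https"
    </Macro>
    # Plain HTTP on :80 is kept for convenience; nothing redirects it to https.
    <VirtualHost *:80>
      Use Test
    </VirtualHost>
    <VirtualHost *:443>
      Use SSLLvh
      Use Test
    </VirtualHost>
    # One Macro plus one *:443 VirtualHost per additional project.
    <Macro Demo>
    # ...
    </Macro>
    <VirtualHost *:443>
      Use SSLLvh
      Use Demo
    </VirtualHost>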
    
    # 3. 启动Apache
    # sudo apachectl configtest # test
    sudo apachectl -k restart # 启动
    # sudo apachectl -e debug # print errors
    # sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist # 开机启动
  • 使用 Nginx

    sudo apachectl -k stop # stop Apache first: both want ports 80/443
    brew install nginx # install with Homebrew
    # Edit `/usr/local/etc/nginx/nginx.conf`:
    # listen 8080; -> listen 80;   (Homebrew's nginx listens on 8080 by default)
    # root   html; -> the two lines below. NOTE: this makes the default server
    # serve a directory listing of ~/Downloads to anyone who can reach port 80;
    # point `root` at an empty or dedicated folder if that is not intended.
    # root /Users/leon/Downloads;
    # autoindex on;
    # include servers/*; -> include conf.d/*.conf;
    
    chmod 755 /Users/leon/Downloads   # lets the `nobody` worker traverse/read it; also makes it world-readable
    mkdir /usr/local/etc/nginx/conf.d;
    # 编辑 `/usr/local/etc/nginx/conf.d/test.conf`;
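    # One server block per project; plain :80 and TLS :443 share it.
    server {
      listen 80;
      server_name test.lvh.me;
      # include lvh_ssl.conf;
      listen 443 ssl http2;
      ssl_certificate /Users/leon/.ssl/lvh.me.crt;
      ssl_certificate_key /Users/leon/.ssl/lvh.me.key;
      ssl_session_timeout 5m;
      # TLS 1.0/1.1 are deprecated. TLSv1.3 needs nginx >= 1.13 and an OpenSSL
      # with 1.3 support; older builds ignore the parameter.
      ssl_protocols TLSv1.2 TLSv1.3;
      # The previous list admitted RC4, LOW and EXPORT suites; allow only
      # forward-secret AEAD suites (TLS 1.3 suites are not governed by this).
      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
      ssl_prefer_server_ciphers on;
      location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        # Tell the app whether the client used https and where it came from,
        # so Secure cookies / absolute redirects are built correctly.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
      }
    }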
    # Fix "Permission denied" on uploads: the workers run as `nobody` and must
    # write request bodies under /usr/local/var/run/nginx. `o+x` grants
    # traverse (not read) on /usr/local/var to every local user.
    sudo chmod o+x /usr/local/var
    sudo chown -vhR nobody:admin /usr/local/var/run/nginx
    # brew services list
    sudo brew services restart nginx # start; root is needed to bind ports 80/443
    # sudo brew services stop nginx
    sudo nginx -s reload # re-read config without dropping connections (a reload, not a restart)

接下来就可以使用 https://test.lvh.me 访问本地项目了. 可以用 `curl -v https://test.lvh.me` 验证 (macOS 自带的 curl 信任系统钥匙串, 应显示证书由 Dev Root CA 签发且无告警). 注意 Firefox 默认不使用系统钥匙串, 需要在其证书管理器里单独导入 rootca.crt, 或在 about:config 中开启 security.enterprise_roots.enabled.

