


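After the HTTP/2 standard was officially published in May 2015, it gained support from the vast majority of browsers, but as of this writing fewer than 1/3 of websites use it. The purpose of this article is to quickly set up a local HTTP/2 service for developers to use in development and testing, and thereby deepen their understanding of HTTP/2.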

Environment

OpenSSL: 1.0.2q
Nginx: 1.15.7

Steps

Generate the local root certificate:

    # Generate a 4096-bit root key, encrypted with AES-256
    openssl genrsa -aes256 -out rootCA.key 4096
    Enter pass phrase for rootCA.key: password
    Verifying - Enter pass phrase for rootCA.key: password

For the individual parameters, see man ca or look them up here.

    # Generate the root certificate from the root key
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
    Enter pass phrase for rootCA.key: password
    You are about to be asked to enter information that will be incorporated
    ...
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Beijing
    Locality Name (eg, city) []:Beijing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Lovecoding.org
    Organizational Unit Name (eg, section) []:Lovecoding CA
    Common Name (e.g. server FQDN or YOUR name) []:Lovecoding ROOT CA
    Email Address []:
    Generating a RSA private key

Generate the local self-signed certificate

    # Generate the private key and CSR for the self-signed certificate
    openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf
    # Generate the self-signed certificate, signed by the local root
    openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 600 -sha256 -extfile v3.ext

Where server.csr.cnf is:

    [ req ]
    default_bits = 2048
    prompt = no
    default_md = sha256
    distinguished_name = req_distinguished_name

    [ req_distinguished_name ]
    C = CN
    ST = Beijing
    L = Beijing
    O = MyOrganization
    OU = MyOrganizationUnit
    emailAddress = lovecoding@example.com
    CN = localhost

v3.ext :

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName=@alt_names

    [alt_names]
    DNS.1=localhost

Configure nginx

Add server.crt and server.key to nginx:

    server {
        listen [::]:443 ssl http2 ipv6only=on;
        listen 443 ssl http2;
        ssl_certificate /etc/nginx/certs/server.crt;
        ssl_certificate_key /etc/nginx/certs/server.key;
        # HTTP/2 over TLS requires TLS 1.2 or later (RFC 7540, section 9.2),
        # so TLSv1 and TLSv1.1 here only serve HTTP/1.1 clients
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_session_cache shared:SSL:1m;
        server_name localhost;
        ...


    sudo nginx -t
    sudo nginx -s reload

Trust the self-signed certificate


Mac OS:

    sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain server.crt

Ubuntu:

    sudo cp server.crt /usr/local/share/ca-certificates/server.crt
    sudo update-ca-certificates




This shows that the self-signed certificate is now in effect and that the HTTP/2 service is supported.
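The same result can be checked from the command line. The script below is an added example, not part of the original article or its local-http2 repository: its function names are hypothetical, and it builds a throwaway root and leaf (constructed sample input with unencrypted 2048-bit keys and a trimmed v3.ext) so that it runs unattended.

```shell
#!/bin/sh
# Added example: checks for the files produced by the steps on this page.
# Function names are hypothetical; file names follow the page.

# The leaf must chain to the local root; success is the ": OK" line.
check_chain() {       # check_chain rootCA.pem server.crt
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Browsers match the host name against subjectAltName, not CN.
check_san() {         # check_san server.crt localhost
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    grep -Eq "DNS:$2(,|[[:space:]]*\$)"
}

# nginx fails to load a certificate whose key does not match it.
check_key_match() {   # check_key_match server.crt server.key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# With nginx running: does the server select HTTP/2 through ALPN?
check_alpn() {        # check_alpn localhost:443 rootCA.pem
  openssl s_client -connect "$1" -alpn h2 -CAfile "$2" </dev/null 2>/dev/null |
    grep -q 'ALPN protocol: h2'
}

# Constructed sample input: a throwaway root and leaf issued the way the
# page does it, with unencrypted 2048-bit keys and a trimmed v3.ext.
make_demo_pki() {     # make_demo_pki directory
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj '/CN=Demo ROOT CA' -keyout "$1/rootCA.key" -out "$1/rootCA.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=@alt_names\n[alt_names]\nDNS.1=localhost\n' \
    > "$1/v3.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
    -CAcreateserial -out "$1/server.crt" -days 1 -sha256 -extfile "$1/v3.ext" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pki "$DEMO_DIR"
check_chain "$DEMO_DIR/rootCA.pem" "$DEMO_DIR/server.crt" && echo "chain ok"
check_san "$DEMO_DIR/server.crt" localhost && echo "SAN ok"
check_key_match "$DEMO_DIR/server.crt" "$DEMO_DIR/server.key" && echo "key ok"
```

Against the real files, call the first three functions with rootCA.pem, server.crt and server.key, and run check_alpn localhost:443 rootCA.pem once nginx has been reloaded.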


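This article described how to quickly set up a local HTTP/2 service; hopefully it is useful to fellow developers. All of the code is now available in local-http2, and if you like it, feel free to Star it :). The HTTP/3 draft has also been published, for those interested in taking a look.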

