Background: Most web applications are built on plain HTTP, but some features touch on privacy and security; for example, browsers only allow camera and microphone capture and media transmission from a secure (HTTPS) origin. To avoid changing the existing web architecture, the HTTPS requests initiated by the client are proxied through Nginx: the client talks to Nginx over WebSocket + SSL (wss://), and Nginx talks to the backend server over plain WebSocket (ws://), so the server-side code stays as it is.

I. Docker environment installation

curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun

The --mirror Aliyun option makes the installer pull packages from the Alibaba Cloud mirror. Piping a remote script straight into bash executes it unread; the safer habit is to download it first (curl -fsSL https://get.docker.com -o get-docker.sh), look through it, and then run sh get-docker.sh --mirror Aliyun.

II. Nginx image export and load

docker pull nginx:mainline-alpine-perl
docker save e310e1d4a8bb -o /home/nginx.tar   # e310e1d4a8bb is the image ID; saving by tag (nginx:mainline-alpine-perl) keeps the tag in the archive
docker load -i nginx.tar                       # after transferring the tar package to the target host
docker run --name nginx -d --restart always -p 8010:8010 -p 8011:8011 -p 443:443 nginx:mainline-alpine-perl   # run the image and set up the port mappings

Two details matter on the docker run line: --restart always has to come before the image name (everything after the image name is passed to the container as its command, so it would silently do nothing there), and the HTTPS port is 443, not 433 as in the original; a bare -p 443 with no host port would bind a random host port.

III. nginx.conf file and directory

Without mounting a directory

cd /XXX/XXX/XXX/          # the directory on the host that holds the container's nginx.conf (path elided in the original)
find . -name nginx.conf   # locate the file
vim nginx.conf
docker restart nginx      # the original used docker start, which only starts a stopped container; a running one needs a restart (or docker exec nginx nginx -s reload) to pick up the change

Editing the container's files on the host this way works but is fragile; docker exec -it nginx vi /etc/nginx/nginx.conf edits the same file from inside the container, and mounting the configuration directory (next section) keeps the edits outside the container entirely.

Mounting the directory

docker run --name nginx -d -p 8090:80 -p 443:443 \
  -v /home/nginx/nginx.conf:/etc/nginx/nginx.conf \
  -v /home/nginx/conf.d:/etc/nginx/conf.d \
  -v /home/ssl:/home \
  nginx
# edit the files in the corresponding host directories, then reload nginx

With this layout the certificate and key generated in the next section live in /home/ssl on the host and appear as /home/server.crt and /home/server.key inside the container. Keep server.key readable only by root on the host (chmod 600), and append :ro to the mounts (for example -v /home/ssl:/home:ro) since nginx only needs to read them.

IV. Certificate generation (fixing the "invalid self-signed certificate" error)

Chrome validates certificates strictly: since Chrome 58 it ignores the Common Name entirely and only matches the host name against the Subject Alternative Name (SAN) extension, so a self-signed certificate without a SAN is rejected no matter what its CN says.

Find the openssl.cnf file on the Linux host and copy it into the working folder (here ~/open/). On RHEL/CentOS it is /etc/pki/tls/openssl.cnf; on Debian/Ubuntu it is /etc/ssl/openssl.cnf (openssl version -d prints the directory).

cp /etc/pki/tls/openssl.cnf ~/open/

First, in the [req] section add the following line (note the spelling; the original had "req_extetions", which OpenSSL silently ignores):

req_extensions = v3_req

Second, add the configuration for the v3_req section:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

Third, add the trusted host names to the alt_names section. The certificate is only valid for the names listed here: opening the site under any other host name makes the browser report NET::ERR_CERT_COMMON_NAME_INVALID.

[alt_names]
DNS.1 = localhost                  # or the specific domain name
DNS.2 = <specific domain name>
DNS.3 = <specific domain name>

Fourth, generate the certificate:

openssl req -sha256 -newkey rsa:2048 -nodes -keyout server.key -x509 -days 3650 -out server.crt -config ./openssl.cnf -extensions v3_req

The country, province, city, organization, unit, common name and e-mail address prompted for during generation can be filled in normally; set the common name to the same host name as DNS.1, although Chrome will only look at the SAN. -extensions v3_req (the original had a truncated "_req") is what actually attaches the section to a self-signed certificate: req_extensions in [req] only applies when generating a CSR. -nodes writes the private key unencrypted, so restrict its permissions straight away (chmod 600 server.key).

Fifth, place the certificate in the folder Nginx reads from (with the mounts from section III, /home/ssl on the host), and point the ssl_certificate and ssl_certificate_key directives of the server block at the paths where the certificate and key reside.

V. Nginx configuration file (default configuration walkthrough + SSL configuration)

Walkthrough of the default Nginx configuration

user  nginx;                                    # the user the worker processes run as
worker_processes  1;                            # number of worker processes

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;                   # maximum simultaneous connections per worker
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;                         # serve static files with sendfile(2)
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;           # sub-configuration files; the server blocks below go in here
}

nginx.conf SSL configuration

http {
    server {
        listen 443 ssl;
        server_name <specific domain name>;     # localhost for local testing; must be one of the SAN entries
        # paths are relative to the nginx prefix; with the /home/ssl:/home mount from section III use /home/server.crt
        ssl_certificate     server.crt;
        ssl_certificate_key server.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        error_log logs/error.log;               # also relative to the prefix; the Docker image logs to /var/log/nginx/
        client_max_body_size    60M;
        client_body_buffer_size 512k;
        location ~ /.* {
            proxy_pass http://127.0.0.1:7080;
        }
    }

    server {
        listen 8083 ssl;
        server_name <specific domain name>;
        ssl_certificate     server.crt;
        ssl_certificate_key server.key;
        # The original listed "SSLv3 SSLv2 TLSv1 TLSv1.1 TLSv1.2". SSLv2 and SSLv3 are broken (DROWN, POODLE)
        # and TLS 1.0/1.1 are deprecated; current browsers will not negotiate them, so offer only 1.2 and 1.3.
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_session_cache   shared:SSL:1m;
        ssl_session_timeout 10m;
        # ssl_prefer_server_ciphers on;

        location /ws {
            # Reverse-proxy to the MQTT broker's WebSocket port 8083 and downgrade wss:// to ws:// on the way,
            # so the server-side code needs no changes.
            proxy_pass http://192.168.55.111:8083;
            proxy_http_version 1.1;             # the Upgrade mechanism needs HTTP/1.1 towards the backend too
            proxy_set_header Upgrade $http_upgrade;
            # The backend only matches the literal string "Upgrade"; with any other value it treats the request
            # as a normal HTTP request and the WebSocket handshake fails, hence the hard-coded header value.
            proxy_set_header Connection "Upgrade";
            proxy_set_header Remote_addr $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_read_timeout 600s;            # idle WebSocket connections are closed after this, so keep it long
        }
    }
}

The idiom in the nginx documentation is a map $http_upgrade $connection_upgrade { default upgrade; '' close; } block that only sends a Connection header when the client asked for an upgrade, but note that it sends the lowercase value "upgrade", which is precisely what this backend rejects; the hard-coded "Upgrade" above is intentional, and it is harmless because /ws serves nothing but WebSocket traffic.
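To see whether the proxied handshake actually succeeds, the following added script (not part of the original post) does what the browser's WebSocket client does: it sends the HTTP/1.1 Upgrade request over TLS with curl, trusting the self-signed server.crt explicitly instead of disabling verification, and checks the two things a correct handshake must return: status 101 and a Sec-WebSocket-Accept header equal to base64(SHA-1(key + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11")) as defined in RFC 6455. The two sample responses in the script are constructed, not captured; the host name, IP address and path are placeholders standing in for the server_name, the hosts-file entry from section VI and the /ws location.

```shell
#!/bin/sh
# Added example, not from the original post. Needs openssl (SHA-1/base64) and curl.
# Placeholders: mqtt.example.test (server_name), 192.5.52.128 (the hosts-file IP), /ws (the location).

WS_GUID="258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed GUID from RFC 6455

# ws_accept_key KEY -> the Sec-WebSocket-Accept value a compliant server must return for KEY
ws_accept_key() {
    printf '%s%s' "$1" "$WS_GUID" | openssl dgst -sha1 -binary | openssl base64
}

# check_handshake KEY  (raw HTTP response on stdin) -> ok | bad-status:<code> | bad-accept
# "bad-status:200" is what you see when nginx forwards the request without the Upgrade and
# Connection headers: the backend answers it as an ordinary HTTP request.
check_handshake() {
    key=$1
    resp=$(tr -d '\r')
    status=$(printf '%s\n' "$resp" | head -n 1 | awk '{print $2}')
    if [ "$status" != 101 ]; then
        echo "bad-status:$status"
        return 0
    fi
    accept=$(printf '%s\n' "$resp" | grep -i '^Sec-WebSocket-Accept:' | sed 's/^[^:]*:[[:space:]]*//')
    if [ "$accept" = "$(ws_accept_key "$key")" ]; then
        echo ok
    else
        echo bad-accept
    fi
}

# wss_handshake HOST PORT PATH CAFILE IP -> runs the real handshake against nginx and prints the verdict.
# --resolve plays the role of the hosts-file entry, --cacert trusts only our self-signed certificate,
# --http1.1 keeps curl off HTTP/2 (Upgrade is an HTTP/1.1 mechanism), and --max-time is needed
# because a successful upgrade leaves the connection open.
wss_handshake() {
    host=$1; port=$2; path=$3; cafile=$4; ip=$5
    key=$(head -c 16 /dev/urandom | openssl base64)
    curl -s -i -N --http1.1 --max-time 5 \
        --resolve "$host:$port:$ip" --cacert "$cafile" \
        -H "Upgrade: websocket" -H "Connection: Upgrade" \
        -H "Sec-WebSocket-Key: $key" -H "Sec-WebSocket-Version: 13" \
        "https://$host:$port$path" | check_handshake "$key"
}

# Constructed sample responses for offline checking (not captured from a real server).
GOOD_RESPONSE=$(printf 'HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n')
PLAIN_RESPONSE=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n')

# Demo: sh ws-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    # the sample key from RFC 6455, whose accept value is s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
    echo "accept for RFC sample key: $(ws_accept_key 'dGhlIHNhbXBsZSBub25jZQ==')"
    echo "good response:  $(printf '%s' "$GOOD_RESPONSE" | check_handshake 'dGhlIHNhbXBsZSBub25jZQ==')"
    echo "plain response: $(printf '%s' "$PLAIN_RESPONSE" | check_handshake 'dGhlIHNhbXBsZSBub25jZQ==')"
    # live check against the proxy (fill in your own values):
    # wss_handshake mqtt.example.test 8083 /ws /home/ssl/server.crt 192.5.52.128
fi
```

If the live check prints bad-status:200 the backend never saw an Upgrade request, which is the symptom the Connection header comment in the configuration describes; bad-accept means something between client and backend rewrote the Sec-WebSocket-Key header; a curl TLS error rather than a verdict means the certificate does not cover the host name or was not the one passed to --cacert.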

VI. Browser certificate installation

A self-generated certificate is not trusted by the browser until it is imported manually (on Windows into the Trusted Root Certification Authorities store, or into the browser's own certificate store). For the import steps, see Certificate Installation.

Then map the domain name to the server's IP address in C:\Windows\System32\drivers\etc\hosts. The entry must use the same domain name that was put into alt_names when the certificate was generated; otherwise the browser reports NET::ERR_CERT_COMMON_NAME_INVALID even though the certificate is installed.

192.5.52.128 <specific domain name>   # must match the domain name in the certificate