
[Network protocols] Configuring an HTTPS video service on localhost with nginx

First method

Step 1: add an alias to /etc/hosts

127.0.1.1       localhostssl

Step 2: create a self-signed SSL certificate

$ sudo mkdir /usr/local/nginx/cert
$ cd /usr/local/nginx/cert
$ sudo openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout localhost.key -out localhost.crt

Inspect the certificate contents:

$ openssl x509 -text -noout -in localhost.crt

Step 3: configure nginx.conf

    # Plain-HTTP block (listens on port 80 by default): redirect every request to the HTTPS host
    server {
        server_name localhostssl;
        rewrite ^(.*) https://localhostssl$1 permanent;
    }
    # HTTPS block: terminates TLS with the key pair from step 2 and proxies to the
    # existing plain-HTTP service on localhost
    server {
        listen     443 ssl;
        ssl_certificate      /usr/local/nginx/cert/localhost.crt;
        ssl_certificate_key  /usr/local/nginx/cert/localhost.key;
        ssl_ciphers          HIGH:!aNULL:!MD5;   # no anonymous and no MD5 cipher suites
        server_name          localhostssl;
        location / {
            proxy_pass  http://localhost;        # upstream that serves /hls/playlist.m3u8
        }
    }

Step 4: reload nginx

$ sudo /usr/local/nginx/sbin/nginx -s reload

Step 5: open https://localhost in the browser. Chrome shows:

Your connection is not private
Attackers might be trying to steal your information from localhostssl (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID

To get Chrome’s highest level of security, turn on enhanced protection

certutil approach: the first import attempt errors out, so recreate the NSS database and retry

$ sudo apt-get install libnss3-tools
$ certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "localhost" -i localhost.crt
$ rm -rf $HOME/.pki/nssdb
$ certutil -d $HOME/.pki/nssdb -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 12345678
Re-enter password: 12345678

$ certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "localhost" -i /usr/local/nginx/cert/localhost.crt 
Enter Password or Pin for "NSS Certificate DB":12345678
hui@hui:/usr/local/nginx

$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

localhost                                                    CT,c,c

I tried accessing it in the browser again and there was still a problem; the browser can be adjusted with the flag below, but playback already works.

chrome://flags/#allow-insecure-localhost

Testing HTTPS video playback

Now play the HLS source set up earlier with vlc: it is already served over https, although there are error messages.

vlc https://localhost/hls/playlist.m3u8
vlc https://localhostssl/hls/playlist.m3u8
[00007fad2c01b0e0] gnutls tls client error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. 
[00007fad2c12aa60] gnutls tls client error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. 

The log differs from playing directly over http, which shows that https is in effect; ffplay works as well.

vlc http://localhost/hls/playlist.m3u8
ffplay http://localhost/hls/playlist.m3u8 -v debug

Second configuration method

Step 1: generate the CA private key

$ openssl genrsa -des3 -out myCA.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................................................+++++
...................................+++++
e is 65537 (0x010001)
Enter pass phrase for myCA.key:2048
Verifying - Enter pass phrase for myCA.key:2048

Step 2: create the CA certificate

$ openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem
Enter pass phrase for myCA.key:
140352584024512:error:28078065:UI routines:UI_set_result_ex:result too small:../crypto/ui/ui_lib.c:903:You must type in 4 to 1023 characters
Enter pass phrase for myCA.key:
Can't load /home/hui/.rnd into RNG
140352584024512:error:2807106B:UI routines:UI_process:processing error:../crypto/ui/ui_lib.c:543:while reading strings
140352584024512:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/hui/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhostssl
Email Address []:

Step 3: create a certificate signing request for the server key

$ openssl req -new -key localhost.key -out localhost.csr
Can't load /home/hui/.rnd into RNG
140475862180288:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/hui/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhostssl
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 4: write the extension file (subjectAltName entries)

$ > localhost.ext cat <<-EOF
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> subjectAltName = @alt_names
> [alt_names]
> DNS.1 = localhost # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
> DNS.2 = bar.localhost # Optionally, add additional domains (I've added a subdomain here)
> IP.1 = 192.168.31.122 # Optionally, add an IP address (if the connection which you have planned requires it)
> EOF

Step 5: sign the server certificate with the CA

openssl x509 -req -in localhost.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial\
 -out localhost.crt -days 825 -sha256 -extfile localhost.ext

Step 6: verify

$ openssl verify -CAfile myCA.pem -verify_hostname bar.localhost localhost.crt
localhost.crt: OK

Step 7: import into Chrome

Import myCA.pem as an "Authority" (not into "Your Certificates") in your Chrome settings (Settings > Manage certificates > Authorities > Import)

Use the localhost.crt and localhost.key files in your server

Step 8: open https://localhostssl in the browser: OK
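The second method above, scripted non-interactively as an added example (not the page's own commands), with the step 6 check run for several names. It assumes a scratch directory argument and a CA name of "Local test CA"; the SAN list is the one from the page's ext file, so a host not listed there (such as localhostssl) fails hostname verification unless it is added to alt_names.

```shell
#!/bin/sh
# Non-interactive version of the second method above (added example).
# Paths and the CA name are assumptions; the SAN list is the page's.
set -eu

# Steps 1-5: build a local CA and a server certificate signed by it,
# all inside $1 (a scratch directory), using -subj instead of prompts.
make_local_ca_cert() (
    dir="$1"
    mkdir -p "$dir" && cd "$dir"
    # CA key without a passphrase (the page's -des3 key prompts on every use)
    openssl genrsa -out myCA.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 \
        -subj "/C=CN/CN=Local test CA" -out myCA.pem
    # Server key and CSR; CN=localhostssl as on the page
    openssl req -new -newkey rsa:2048 -nodes -keyout localhost.key \
        -subj "/C=CN/CN=localhostssl" -out localhost.csr 2>/dev/null
    # Extension file: browsers match the host against subjectAltName, not CN
    cat > localhost.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = bar.localhost
IP.1 = 192.168.31.122
EOF
    # Sign the CSR with the CA, applying the extensions
    openssl x509 -req -in localhost.csr -CA myCA.pem -CAkey myCA.key \
        -CAcreateserial -out localhost.crt -days 825 -sha256 \
        -extfile localhost.ext 2>/dev/null
)

# Step 6: verify the chain AND the hostname. Returns 0 if $2 is covered
# by the certificate, 1 otherwise (e.g. localhostssl, absent from alt_names).
check_name() {
    if openssl verify -CAfile "$1/myCA.pem" -verify_hostname "$2" \
           "$1/localhost.crt" >/dev/null 2>&1; then
        echo "$2: OK"
    else
        echo "$2: NOT covered by subjectAltName"
        return 1
    fi
}
```

Run `make_local_ca_cert /tmp/localca` and then `check_name /tmp/localca localhostssl` to see the name mismatch that a browser would also report.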

Added: 2021-09-30 12:17:32  Updated: 2021-09-30 12:17:47