背景:本地 python flask 项目,python 脚本运行 manage.py 启动 server,使用 ngrok 配置内网穿透无法模拟 https 地址 (报 502)
ngrok http -bind-tls=true localhost:443
ngrok http https://localhost:443
ngrok http 443
现做以下尝试:
1. 安装 Openssl(参考地址:https://tecadmin.net/install-openssl-on-windows/ )
下载地址:http://slproweb.com/products/Win32OpenSSL.html (windows openssl 下载地址,下载 43M 那个)
配置环境变量,bin 目录添加到 path 以方便使用:
set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
set Path=......Other Values here......;C:\Program Files\OpenSSL-Win64\bin
检测是否安装成功
Microsoft Windows [Version 10.0.17134.1069]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\jalchu>openssl
OpenSSL> version
OpenSSL 1.1.1d 10 Sep 2019
OpenSSL>
2. 创建私钥 (参考:https://zeropointdevelopment.com/how-to-get-https-working-in-windows-10-localhost-dev-environment/ )
PS D:\ssl> openssl genrsa -des3 -out rootSSL.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................................+++++
...+++++
e is 65537 (0x010001)
Enter pass phrase for rootSSL.key:
Verifying - Enter pass phrase for rootSSL.key:
(注:上面的两个 key 输入相同的字符串)
3. 创建证书 (参考:https://zeropointdevelopment.com/how-to-get-https-working-in-windows-10-localhost-dev-environment/ )
PS D:\ssl> openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 -out rootSSL.pem
Enter pass phrase for rootSSL.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Zero Point Development
Organizational Unit Name (eg, section) []:Development
Common Name (e.g. server FQDN or YOUR name) []:zeropointdevelopment.com
Email Address []:hello@zeropointdevelopment.com
PS D:\ssl> openssl req -new -sha256 -nodes -out client-1.local.csr -newkey rsa:2048 -keyout client-1.local.key -subj "/C
=AU/ST=NSW/L=Sydney/O=Client One/OU=Dev/CN=client-1/emailAddress=hello@client-1.local"
Generating a RSA private key
.............................................................................................+++++
.......................................................................................................+++++
writing new private key to 'client-1.local.key'
-----
4. 证书授信 (参考:https://zeropointdevelopment.com/how-to-get-https-working-in-windows-10-localhost-dev-environment/ )
(1)Step 1 – Press the Windows key + R
(2)Step 2 – Type “MMC” and click “OK”
(3)Step 3 – Go to “File > Add/Remove Snap-in”
(4)Step 4 – Click “Certificates” and “Add”
(5)Step 5 – Select “Computer Account” and click “Next”
(6)Step 6 – Select “Local Computer” then click “Finish”
(7)Step 7 – Click “OK” to go back to the MMC window
(8)Step 8 – Double-click “Certificates (local computer)” to expand the view
(9)Step 9 – Select “Trusted Root Certification Authorities”, right-click “Certificates” and select “All Tasks” then “Import”
(10)Step 10 – Click “Next” then Browse and locate the “rootSSL.pem” file we created in step 2
(11)Step 11 – Select “Place all certificates in the following store” and select the “Trusted Root Certification Authorities store”. Click “Next” then click “Finish” to complete the wizard.
5. 映射 Domain
修改 C:\Windows\System32\drivers\etc\hosts,结尾添加
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 client-1.local
6. 给 Domain 创建私钥
PS D:\ssl> openssl req -new -sha256 -nodes -out client-1.local.csr -newkey rsa:2048 -keyout client-1.local.key -subj "/C
=AU/ST=NSW/L=Sydney/O=Client One/OU=Dev/CN=client-1/emailAddress=hello@client-1.local"
Generating a RSA private key
.............................................................................................+++++
.......................................................................................................+++++
writing new private key to 'client-1.local.key'
-----
7. 发布证书
PS D:\ssl> openssl x509 -req -in client-1.local.csr -CA rootSSL.pem -CAkey rootSSL.key -CAcreateserial -out client-1.loc
al.crt -days 500 -sha256 -extensions "authorityKeyIdentifier=keyid,issuer\n basicConstraints=CA:FALSE\n keyUsage = digit
alSignature, nonRepudiation, keyEncipherment, dataEncipherment\n subjectAltName=DNS:client-1.local"
Signature ok
subject=C = AU, ST = NSW, L = Sydney, O = Client One, OU = Dev, CN = client-1, emailAddress = hello@client-1.local
Getting CA Private Key
Enter pass phrase for rootSSL.key:
PS D:\ssl>
8.Nginx 配置
server {
listen 8080;
server_name client-1.local;
# New Lines below
listen 443 ssl;
ssl on;
ssl_certificate d:/ssl/client-1.local.crt;
ssl_certificate_key d:/ssl/client-1.local.key;
}
启动 / 关闭命令
C:\Users\jalchu\Nginx\nginx-1.15.8> .\nginx.exe
C:\Users\jalchu\Nginx\nginx-1.15.8> .\nginx.exe -s stop
9. 配置 Pycharm 启动参数,启动 pycharm
runserver --host 127.0.0.1 --port 8080 --threaded
10.Nginx 启动报错
PS C:\Users\jalchu\Nginx\nginx-1.15.8> .\nginx.exe
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in C:\Users\jalchu\Nginx\nginx-1.15.8/conf/nginx.conf:128
nginx: [emerg] bind() to 0.0.0.0:443 failed (10013: An attempt was made to access a socket in a way forbidden by its access permissions)
第一个:高版本配置 ssl 时警告,可以移除掉 ssl on; 那一行
第二个:本地端口冲突,检查如下(也可以用任务管理器关闭该进程)
C:\Users\jalchu>netstat -aon|findstr "443"
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 8716
TCP 10.79.100.111:51627 66.163.36.181:443 ESTABLISHED 14904
TCP 10.79.100.111:52294 103.116.4.197:443 CLOSE_WAIT 2384
TCP 10.79.100.111:52313 103.116.4.197:443 CLOSE_WAIT 2384
TCP 10.79.100.111:52956 13.59.223.131:443 ESTABLISHED 14904
... ...
C:\Users\jalchu>tasklist | findstr 8716
vmware-hostd.exe 8716 Services 0 5,516 K
C:\Users\jalchu>tskill 8716
11. 重启,访问页面,公司内网给 block 了,白忙活一场 😃
SECURITY THREAT DETECTED AND BLOCKED