# Локальный HTTPS
Алексей Остапенко [@kbakba](http://t.me/kbakba)
---
### Алексей Остапенко
* Telegram: [@kbakba](http://t.me/kbakba)
* Twitter: [@kbakba](http://twitter.com/kbakba)
* Mail: conf@kbakba.net
---
```
brew install openssl mkcert dnsmasq
```
---
# HTTP
---
```
npm init -y
npm i -D webpack webpack-cli webpack-dev-server
npx webpack-dev-server   # dev server on plain http://localhost:8080 (webpack-dev-server 3.x; from 4.x the command is `npx webpack serve`)
```
---
# HTTPS
---
# HyperText Transfer Protocol Secure
---
Man in the middle
<img width="800" style="border: none; box-shadow: none" src="https://downloader.disk.yandex.ru/preview/fab0f55b92412085cb24c72df0abf5bf816aeb8a5d464886d8036351d1cd9aba/5f4789bf/H6LVCh1xDElf0wozlCHhIwJ5SxUXGB4UCKstJ72KNItuXPFLfr0UgB-h7LznTfNILkKoSqyPA5PFW5UdvvKE-Q==?uid=0&filename=mitm.png&disposition=inline&hash=&limit=0&content_type=image%2Fpng&tknv=v2&owner_uid=41852928&size=2048x2048" />
---
### How does it work?
---
<img height="600" style="border: none; box-shadow: none" src="https://downloader.disk.yandex.ru/preview/f031341515743abe0095e7f74a23e820748185a0b3683a96a7efcbe818c060d7/5f478cf9/NIxz7yJVvGcJfKd-KtxQCB6XxB2Q0_giyc4DWnxw9R0aB_5FMZb7veqOtulE_GEwhamNyKmYSzk_5vm9oJAbIw==?uid=0&filename=browser-server.png&disposition=inline&hash=&limit=0&content_type=image%2Fpng&tknv=v2&owner_uid=41852928&size=2048x2048"/>
---
How is the certificate verified?
<img style="border: none; box-shadow: none" src="https://downloader.disk.yandex.ru/preview/fc38ca0d65f1251c3b59c7854d9ea7ae51648bfe9ae89bef10ea4fe69da3d7ae/5f4789af/4_Yw-0ZsW9s-XlM5jqut2AJ5SxUXGB4UCKstJ72KNIvPVSTNkXemn7tmE_Y1QguhcJJXf3DRXu9pQfsDdCH8LA==?uid=0&filename=ca-chain.png&disposition=inline&hash=&limit=0&content_type=image%2Fpng&tknv=v2&owner_uid=41852928&size=2048x2048"/>
---
## Your own Root Certificate Authority
---
[jamielinux.com/docs/openssl-certificate-authority/](https://jamielinux.com/docs/openssl-certificate-authority/)
---
Generate the CA private key. Whoever holds `rootCA.key` can mint a certificate that this machine will trust for any site, so keep it out of the repository and off shared disks.
```
openssl genrsa -out rootCA.key 2048
```
---
Generate the self-signed Root CA certificate
```
openssl req -x509 -new -nodes -sha256 -days 1024 \
-key rootCA.key \
-out rootCA.pem
```
---
### Installing the Root CA certificate into the system
---
#### Firefox
Firefox keeps its own NSS trust store and ignores the system one unless `security.enterprise_roots.enabled` is set to true in about:config (or the root is imported under Settings → Certificates).
---
#### `NODE_EXTRA_CA_CERTS`
Node.js ships its own root bundle and does not read the OS store; `NODE_EXTRA_CA_CERTS=/path/to/rootCA.pem` appends your root to that bundle (read once at process start).
---
[github.com/certifi](https://github.com/certifi)
Python's `requests` uses the certifi bundle, not the OS store: either append your root to that bundle or point `REQUESTS_CA_BUNDLE` at a file that contains both it and the public roots.
---
### Create the key for the site certificate and the signing request (CSR)
---
<img style="border: none; box-shadow: none" src="https://downloader.disk.yandex.ru/preview/8125d51baa94843bb706e5a307a634f30d4881be26bddc1a11db4cc26e0999fe/5f4789ca/p0i9DRpanRMRttA4vdQ9jF5xr_KoexcxctpGI92z1-KG32WFthcCLf-pBRBuiqmfhy2EVTULYLSV5QtmHfSXRQ==?uid=0&filename=request.png&disposition=inline&hash=&limit=0&content_type=image%2Fpng&tknv=v2&owner_uid=41852928&size=2048x2048"/>
---
Generate the key
```
openssl genrsa -out server.key 2048
```
---
## A certificate for several domains
---
openssl-csr.conf (`default_bits` only applies when `req` generates the key itself; with `-key server.key` the 2048-bit key from the previous slide is used, and `subjectAltName` is what browsers actually match the host name against)
```
[ req ]
default_bits = 4096
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:localhost, DNS:app.localhost, DNS:*.app.localhost
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (eg, YOUR name or FQDN)
```
---
Create the certificate request for the domains
```
openssl req -new -key server.key \
-config openssl-csr.conf \
-reqexts req_ext \
-out server.csr
```
---
Sign the multi-domain request with your own Root CA. `-CAcreateserial` takes the serial from `rootCA.srl` (creating it on first use); do not pin it with `-set_serial 01`, because Firefox rejects a re-issued certificate that repeats an issuer/serial pair it has already seen (SEC_ERROR_REUSED_ISSUER_AND_SERIAL).
```
openssl x509 -days 500 -sha256 -req \
-extfile openssl-csr.conf \
-extensions req_ext \
-in server.csr \
-CA rootCA.pem \
-CAkey rootCA.key \
-CAcreateserial \
-out server.crt
```
---
## Checking
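Added example, not code from the original slides: the Root CA and the multi-domain leaf from the previous slides are rebuilt in a scratch directory, then put through the checks worth running before trusting the result (root is really a CA, leaf chains to it, private key matches the certificate, host names match the SAN list including the one-label limit of the wildcard). OpenSSL 1.1.1 or newer on PATH is assumed; the CA name and the host names are constructed for the demo.

```bash
#!/bin/sh
# Added example (not from the slides). Assumes: openssl 1.1.1+ on PATH.
# Everything happens in a throwaway directory so no real files are touched.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root CA config: non-interactive DN and explicit CA extensions, so the result
# does not depend on whatever the system openssl.cnf happens to contain.
cat > "$WORK/ca.conf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Local Dev Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf config: same extensions as the slide, prompt = no so it runs unattended.
cat > "$WORK/openssl-csr.conf" <<'EOF'
[ req ]
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, DNS:app.localhost, DNS:*.app.localhost
[ req_distinguished_name ]
CN = app.localhost
EOF

# Same steps as the slides: CA key + cert, server key, CSR, signed leaf.
build_pki() {
  (
    cd "$WORK" || exit 1
    openssl genrsa -out rootCA.key 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 1024 -config ca.conf \
      -key rootCA.key -out rootCA.pem
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -config openssl-csr.conf \
      -reqexts req_ext -out server.csr
    # -CAcreateserial: fresh serial per issue; a fixed serial would make
    # Firefox reject a re-issued cert as "issuer and serial reused".
    openssl x509 -req -days 500 -sha256 -in server.csr \
      -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
      -extfile openssl-csr.conf -extensions req_ext -out server.crt 2>/dev/null
  )
}

# Is the root really a CA, and does the leaf chain to it?
chain_ok() {
  openssl x509 -in "$WORK/rootCA.pem" -noout -text | grep -q 'CA:TRUE' &&
  openssl verify -CAfile "$WORK/rootCA.pem" "$WORK/server.crt" >/dev/null 2>&1
}

# Does the private key on disk actually belong to the issued certificate?
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}

# Would a TLS client accept this certificate for the given host name?
# Same SAN matching a browser does: *.app.localhost covers exactly one label.
hostname_ok() {
  openssl verify -CAfile "$WORK/rootCA.pem" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}

build_pki
chain_ok && echo "chain: OK"
key_matches_cert && echo "key/cert: OK"
hostname_ok 3000.app.localhost && echo "3000.app.localhost: OK"
hostname_ok a.b.app.localhost || echo "a.b.app.localhost: rejected (wildcard covers one label)"
```

`hostname_ok` is the check that matters for the nginx setup later on: `3000.app.localhost` is covered by the wildcard, a deeper name such as `a.b.app.localhost` is not and would need its own SAN entry.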
---
## Can it be simpler?
---
[certificatetools.com](https://certificatetools.com/)
---
## mkcert
[github.com/FiloSottile/mkcert](https://github.com/FiloSottile/mkcert)
---
```
mkcert -install                                     # creates a local CA and installs it into the system (and Firefox/NSS) trust stores
mkcert localhost app.localhost '*.app.localhost'    # writes localhost+2.pem and localhost+2-key.pem
```
---
# SSL Termination
---
nginx_localhost.conf (included in the `http` context; `NNNN.app.localhost` is proxied to `127.0.0.1:NNNN`, so one certificate with `*.app.localhost` covers every dev server)
```
# Switch to "Connection: upgrade" only when the client actually asks for
# a WebSocket; otherwise plain requests keep HTTP keep-alive.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name ~^(?<local_port>\d+)\.app\.localhost$;
    ssl_certificate     /YOUR_PATH/server.crt;
    ssl_certificate_key /YOUR_PATH/server.key;

    location / {
        proxy_pass http://127.0.0.1:$local_port;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # $host, not $server_name: with a regex server_name the latter is the regex text itself
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Ssl   on;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```
---
### [caddyserver.com](https://caddyserver.com/)
---
### [github.com/typicode/hotel](https://github.com/typicode/hotel)
---
## Local DNS
---
`dnsmasq` answers every `*.localhost` name with 127.0.0.1, so `3000.app.localhost` needs no `/etc/hosts` entry; after writing the config below start it with `sudo brew services start dnsmasq`.
---
/usr/local/etc/dnsmasq.conf
```
listen-address=127.0.0.1
conf-dir=/usr/local/etc/dnsmasq.d
```
---
```
mkdir -p /usr/local/etc/dnsmasq.d
tee /usr/local/etc/dnsmasq.d/localhost > /dev/null <<EOF
address=/localhost/127.0.0.1
EOF
```
---
```
sudo mkdir -p /etc/resolver
sudo tee /etc/resolver/localhost >/dev/null <<EOF
nameserver 127.0.0.1
EOF
```
---
# Questions?