I. Creating the certificate

1. Download mkcert (mkcert download link).
2. Open a cmd window, cd into the mkcert directory and run mkcert-v1.4.4-windows-amd64.exe 127.0.0.1 to generate the certificate (127.0.0.1.pem) and the private key (127.0.0.1-key.pem). List every name or IP the site will be reached under on that command line; mkcert accepts several at once (for example 127.0.0.1 192.168.20.254 localhost), and a browser opening https://192.168.20.254 will reject a certificate that was issued only for 127.0.0.1. Run mkcert -install once beforehand so that the local CA which signs these certificates is added to the system and browser trust stores.
3. Install OpenSSL (openssl download link) and add its bin directory to the PATH, e.g. D:\Tools\OpenSSL-Win64\bin (the directory I installed to).
4. Export a PKCS#12 keystore for the backend with openssl pkcs12 -export -clcerts -in 127.0.0.1.pem -inkey 127.0.0.1-key.pem -out server.p12. OpenSSL prompts for an export password that protects the new server.p12; this is a password you choose here, not something mkcert set (changeit is merely the default password mkcert uses for its own -pkcs12 output). The backend configuration below expects changeit, so enter that if you want to use the configuration verbatim.
5. Rename 127.0.0.1.pem to server.crt and 127.0.0.1-key.pem to server.key (any name works; I use server here).
6. The certificates for the frontend and the backend are now ready. Note that server.p12 has to be exported from the .pem and -key.pem files already generated; do not produce it with a separate mkcert -pkcs12 127.0.0.1 run. Every mkcert invocation creates a fresh key pair and certificate, so that would give the backend a different leaf certificate from the one nginx serves, and anything that trusts the frontend certificate specifically would then reject the backend.
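Before wiring anything up it is worth checking that the two artifacts really carry the same certificate and that the private key inside server.p12 matches it, which is what step 6 requires. The stand-alone Java program below is an added example and not code from the original post. It assumes the files are named server.p12 and server.crt in the working directory and that the export password is changeit (all three can be overridden on the command line; the class name CertPairCheck is mine). It compares the SHA-256 fingerprints of both certificates, does a sign/verify round trip with the private key, and prints the subject alternative names, which are the only names a browser or JVM will accept the certificate for.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;

/** Checks that server.crt (nginx) and server.p12 (Spring Boot) hold the same certificate and a matching key. */
public class CertPairCheck {

    /** Hex SHA-256 fingerprint of the DER encoding, the same value openssl x509 -fingerprint -sha256 prints. */
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    /** Signs a fixed challenge with the private key and verifies it with the certificate's public key. */
    static boolean keyMatchesCertificate(PrivateKey key, X509Certificate cert) throws Exception {
        String algorithm = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] challenge = "cert-pair-check".getBytes(StandardCharsets.UTF_8); // constructed test input
        Signature signer = Signature.getInstance(algorithm);
        signer.initSign(key);
        signer.update(challenge);
        byte[] signature = signer.sign();
        Signature verifier = Signature.getInstance(algorithm);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(challenge);
        return verifier.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults; override with: java CertPairCheck server.p12 server.crt changeit
        String p12Path = args.length > 0 ? args[0] : "server.p12";
        String crtPath = args.length > 1 ? args[1] : "server.crt";
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();

        // The certificate nginx will serve
        X509Certificate frontendCert;
        try (InputStream in = new FileInputStream(crtPath)) {
            frontendCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // The certificate and private key Spring Boot will serve
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            store.load(in, password);
        }
        String alias = null;
        for (Enumeration<String> e = store.aliases(); e.hasMoreElements(); ) {
            String candidate = e.nextElement();
            if (store.isKeyEntry(candidate)) { alias = candidate; break; }
        }
        if (alias == null) throw new IllegalStateException(p12Path + " contains no private key entry");
        X509Certificate backendCert = (X509Certificate) store.getCertificate(alias);
        PrivateKey backendKey = (PrivateKey) store.getKey(alias, password);

        String frontendFp = fingerprint(frontendCert);
        String backendFp = fingerprint(backendCert);
        System.out.println("server.crt SHA-256: " + frontendFp);
        System.out.println("server.p12 SHA-256: " + backendFp);
        if (!frontendFp.equals(backendFp)) {
            throw new IllegalStateException("server.crt and server.p12 hold different certificates");
        }
        if (!keyMatchesCertificate(backendKey, backendCert)) {
            throw new IllegalStateException("private key in server.p12 does not match its certificate");
        }
        backendCert.checkValidity(); // throws if the certificate is expired or not yet valid

        // Only these names/IPs pass hostname verification in a browser or JVM (2 = dNSName, 7 = iPAddress)
        Collection<List<?>> sans = backendCert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                String label = type == 7 ? "IP:  " : type == 2 ? "DNS: " : "other: ";
                System.out.println(label + san.get(1));
            }
        }
        System.out.println("OK: same certificate, matching key");
    }
}
```

If the fingerprints differ, one of the files came from a second mkcert run; regenerate server.p12 from the same .pem pair. If the SAN list does not contain the address that nginx's server_name uses, reissue the certificate with that name included.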

II. Backend configuration

1. Eureka SSL configuration

server:
  port: 8090
  ssl:
    enabled: true # enable SSL
    key-password: changeit # the export password chosen when server.p12 was created
    key-store: server.p12 # your keystore file name
    key-store-password: changeit # same export password
    key-store-type: PKCS12
spring:
  application:
    name: eurekaserver # Eureka service name
eureka:
  instance:
    hostname: 127.0.0.1
    prefer-ip-address: true
    secure-port-enabled: true
    non-secure-port-enabled: false
    status-page-url: https://${eureka.instance.hostname}:${server.port}/info
    health-check-url: https://${eureka.instance.hostname}:${server.port}/health
    home-page-url: https://${eureka.instance.hostname}:${server.port}/
    non-secure-port: 8090 # not advertised while non-secure-port-enabled is false
  client:
    register-with-eureka: false
    fetch-registry: false
    service-url:
      defaultZone: https://${eureka.instance.hostname}:${server.port}/eureka/

2. Service provider SSL configuration

server:
  port: 8081
  ssl:
    enabled: true
    key-store: server.p12
    key-store-password: changeit
    key-store-type: PKCS12
    key-password: changeit
spring:
  application:
    name: userservice
eureka:
  client:
    service-url:
      defaultZone: https://127.0.0.1:8090/eureka/
  instance:
    hostname: 127.0.0.1
    secure-port-enabled: true
    non-secure-port-enabled: false
    secure-port: ${server.port}
    prefer-ip-address: true
    health-check-url: https://${eureka.instance.hostname}:${eureka.instance.secure-port}/ctx/health
    status-page-url: https://${eureka.instance.hostname}:${eureka.instance.secure-port}/ctx/info
    home-page-url: https://${eureka.instance.hostname}:${eureka.instance.secure-port}/ctx

3. Service consumer SSL configuration: the configuration file is the same as the provider's, but a configuration class is needed so that Feign calls use SSL:

import feign.Client;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.cloud.netflix.ribbon.SpringClientFactory;
import org.springframework.cloud.openfeign.ribbon.CachingSpringLoadBalancerFactory;
import org.springframework.cloud.openfeign.ribbon.LoadBalancerFeignClient;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.net.ssl.*;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

@Configuration
public class FeignConfiguration {
    @Bean
    @ConditionalOnMissingBean
    public Client feignClient(CachingSpringLoadBalancerFactory cachingFactory,
                              SpringClientFactory clientFactory) throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // "SSL" is the older, broader protocol name
        // WARNING: this trust manager accepts every certificate chain without checking it,
        // so the connection is encrypted but the server is never authenticated.
        X509TrustManager tm = new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                // no check: any client certificate is accepted
            }
            @Override
            public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                // no check: any server certificate is accepted, including one presented by an attacker
            }
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        };
        ctx.init(null, new TrustManager[]{tm}, null);
        // The HostnameVerifier below also returns true for every host, so a certificate
        // for any name is accepted for any URL. Use this only on an isolated development machine.
        return new LoadBalancerFeignClient(new Client.Default(ctx.getSocketFactory(),
                new HostnameVerifier() {
                    public boolean verify(String hostname, SSLSession sslSession) {
                        return true;
                    }
                }),
                cachingFactory, clientFactory);
    }
}
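The class above makes every Feign call succeed no matter which certificate the other side presents: checkServerTrusted is empty and the HostnameVerifier returns true, so any host on the network path can impersonate userservice, and TLS adds encryption but no authentication. The same call can instead trust exactly one issuer, the mkcert local CA. The class below is an added example and not code from the original post; it assumes a property feign.tls.root-ca (my name) that points at the rootCA.pem mkcert keeps in the directory printed by mkcert -CAROOT, loads that one certificate into an in-memory truststore, and leaves hostname checking to the JDK's standard endpoint identification, so a certificate is accepted only if it chains to the mkcert CA and names the host being called.

```java
import feign.Client;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.netflix.ribbon.SpringClientFactory;
import org.springframework.cloud.openfeign.ribbon.CachingSpringLoadBalancerFactory;
import org.springframework.cloud.openfeign.ribbon.LoadBalancerFeignClient;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

/**
 * Feign client that trusts only certificates issued by the mkcert local CA
 * and verifies that the presented certificate names the host being called.
 */
@Configuration
public class FeignTlsConfiguration {

    // Assumed property name; e.g. feign.tls.root-ca=C:/Users/me/AppData/Local/mkcert/rootCA.pem
    // (the directory is whatever "mkcert -CAROOT" prints on your machine)
    @Value("${feign.tls.root-ca}")
    private String rootCaPath;

    @Bean
    public Client feignClient(CachingSpringLoadBalancerFactory cachingFactory,
                              SpringClientFactory clientFactory) throws Exception {
        // Truststore with exactly one trust anchor: the mkcert root CA
        Certificate rootCa;
        try (InputStream in = new FileInputStream(rootCaPath)) {
            rootCa = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty in-memory store
        trustStore.setCertificateEntry("mkcert-root", rootCa);

        // PKIX trust manager: rejects any chain that does not end at that anchor
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);

        // With the JDK's default HostnameVerifier, HttpsURLConnection enables the "HTTPS"
        // endpoint identification algorithm, so the certificate's SANs (IP 127.0.0.1 here)
        // are checked against the host in the URL. A verifier that returns true disables that check.
        return new LoadBalancerFeignClient(
                new Client.Default(ctx.getSocketFactory(), HttpsURLConnection.getDefaultHostnameVerifier()),
                cachingFactory, clientFactory);
    }
}
```

Use this class instead of the trust-all FeignConfiguration, not alongside it. The same rootCA.pem is the certificate the Eureka client needs to find in the JVM truststore, which is what the "unable to find valid certification path" error in step 5 is about.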

4. Put the server.p12 created earlier in the directory that holds the parent project's pom.xml, or next to the jar when running a packaged build. key-store: server.p12 is a relative path and Spring Boot resolves it against the JVM's working directory; use a classpath: or file: prefix if you want the location to be explicit.
5. After configuring, start Eureka, the consumer and the provider. Registration with Eureka will fail with a certificate error: unable to find valid certification path to requested target. The cause is that the Eureka client uses the JVM's default truststore, which does not contain the mkcert local CA that signed server.p12, so no chain can be built. Fix it by making the JVM trust that CA, not by disabling validation: import rootCA.pem (from the directory printed by mkcert -CAROOT) into the JVM truststore with keytool, or point the JVM at a truststore containing it via the javax.net.ssl.trustStore system property. A step-by-step walkthrough: Fix "unable to find valid certification path to requested target" once and for all.
6. Restart all services; they should now work normally.

III. Frontend configuration

1. Configure nginx

server {
    listen  443 ssl; # default HTTPS port
    server_name  192.168.20.254; # this name/IP must appear in the certificate's SANs (see the mkcert step above)
    # certificate paths are relative to /etc/nginx/
    ssl_certificate      cert/server.crt;
    ssl_certificate_key  cert/server.key;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_protocols TLSv1.2 TLSv1.3; # TLS 1.0/1.1 are deprecated (RFC 8996); omit TLSv1.3 on nginx older than 1.13
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers  on;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
 }

2. Put server.crt and server.key in /etc/nginx/cert/.
3. Start nginx.
