碼上快樂

相關內容    簡體    繁體

websocket使用ssl 證書,開啟加密服務

本文轉載自   查看原文   2018-03-30 17:45   4990    websocket使用ssl 證書/ 開啟加密服務

參考文章:https://fzambia.gitbooks.io/centrifugal/content/deploy/certificates.html

 

TLS certificates

TLS/SSL layer is very important not only for securing your connections but also to increase a chance to establish Websocket connection. In most situations you will put TLS termination task on your reverse proxy/load balancing software such as Nginx.

There are situations though when you want to serve secure connections by Centrifugo itself.

There are two ways to do this: using TLS certificate cert and key files that you've got from your CA provider or using automatic certificate handling via ACME provider (only Let's Encrypt at this moment).

Using crt and key files

In first way you already have cert and key files. For development you can create self-signed certificate - see this instruction as example.

Then to start Centrifugo use the following command:

./centrifugo --config=config.json --ssl --ssl_key=server.key --ssl_cert=server.crt

Or just use configuration file:

{
  ...
  "ssl": true, "ssl_key": "server.key", "ssl_cert": "server.crt" }

And run:

./centrifugo --config=config.json

Automatic certificates

For automatic certificates from Let's Encrypt add into configuration file:

{
  ...
  "ssl_autocert": true,
  "ssl_autocert_host_whitelist": "www.example.com",
  "ssl_autocert_cache_dir": "/tmp/certs",
  "ssl_autocert_email": "user@example.com"
}

ssl_autocert says Centrifugo that you want automatic certificate handling using ACME provider.

ssl_autocert_host_whitelist is a string with your app domain address. This can be comma-separated list. It's optional but recommended for extra security.

+

 

ssl_autocert_cache_dir is a path to a folder to cache issued certificate files. This is optional but will increase performance.

ssl_autocert_email is optional - it's an email address ACME provider will send notifications about problems with your certificates.

When configured correctly and your domain is valid (localhost will not work) - certificates will be retrieved on first request to Centrifugo.

Also Let's Encrypt certificates will be automatically renewed.

There are tho options (new in v1.6.5) that allow Centrifugo to support TLS client connections from older browsers such as Chrome 49 on Windows XP and IE8 on XP:

  • ssl_autocert_force_rsa - this is a boolean option, by default false. When enabled it forces autocert manager generate certificates with 2048-bit RSA keys.
  • ssl_autocert_server_name - string option, allows to set server name for client handshake hello. This can be useful to deal with old browsers without SNI support - see comment

實例:

阿里雲下載域名的證書 

上傳到服務器  /home/websocket_cert/1522*******822.key  ,   /home/websocket_cert/1522*****4822.pem

 

cat /data/centrifugo/config_ssl.json 


 "log_level": "debug",
  "connection_lifetime": 10,
  "admin_password": "admin",
  "admin_secret": "admin_secret",
  "recover": true,
  "admin":true,
  "web":true,
  "anonymous": true,
  "ssl": true,
  "ssl_key": "/home/websocket_cert/152******4822.key",
  "ssl_cert": "/home/websocket_cert/152******4822.pem"
}

 

啟動服務:

/data/centrifugo/centrifugo -d -c /data/centrifugo/config_ssl.json -p 9**2  --log_file /data/centrifugo/error_ssl.log --log_level debug --web &

若是阿里雲服務器 請在安全組開啟 相應端口允許 。 

 

實例訪問效果:

 


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 MySQL開啟SSL加密 nodejs-websocket+ssl證書 使用mqtt+ssl加密 WebSocket 客戶端連接 MQTT 服務器以及ws+wss協議 SSL數字證書的簽發及使用(服務器證書) 如何讓服務端同時支持WebSocket和SSL加密的WebSocket(即同時支持ws和wss)? MySQL8開啟ssl加密 用nodejs快速實現websocket服務端(帶SSL證書生成) CentOS7 Linux系統 Nginx web服務器配置SSL證書開啟https協議 阿里雲服務器配置SSL證書成功開啟Https(記錄趟過的各種坑) Python-開啟ssl證書校驗
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM