SoFunction
Updated on 2025-03-03

Detailed explanation and simple examples of switching multiple Node.js sites to the HTTPS protocol

Detailed explanation of switching multiple Node.js sites to the HTTPS protocol

This was purely a matter of following the trend. After two days of trouble, I finally switched all the services of my personal website from the http protocol to https. Although the whole process was not too troublesome, I have to admit that I lack knowledge of Internet security.

Let's Encrypt was initiated by organizations such as Mozilla, Cisco and EFF. It provides SSL certificates to Internet websites for free, with the aim of accelerating the transition from HTTP to HTTPS. I was very happy to come across it unexpectedly over the weekend. This is definitely a great benefit for a small-time individual on the Internet, so I decided to spend the weekend tinkering: get the certificate first, and then change the program;

Obtaining the free SSL certificate issued by Let's Encrypt is relatively simple. I am still on a Windows server and am not able to tinker with Linux at the moment, so I needed to download the letsencrypt-win-simple installation package and run it. The first step is to enter an email address; if it is not the first time you apply, the first two steps are skipped. Then there are 5 options to choose from. Generally, select M: enter M and press Enter, and it will ask you to enter the domain that needs the certificate. Then enter the root directory of the site corresponding to this domain; the domain must be one that is running online. The specified root directory needs to be directly accessible, because it will access the domain you entered and a file in the root directory. I was very puzzled how it created the new directories and verification files on my site. That is to say, it creates two new levels of directories and a verification file it needs to access in the directory you specified. To be precise, it needs to know a piece of garbled content in this garbled file to complete the authentication. After completing the authentication, it generates the certificate files in the C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\ directory; the next steps are relatively free;

If you only have one main domain and one site, you can now use the certificate and change the program;

If that were really all, wouldn't it feel too quick to gain any experience? Following the steps above generates a certificate for one domain, so it is natural to repeat these steps to generate multiple certificates for multiple domains. The question is whether that is necessary; perhaps the tinkering is the price you pay for your naivety and weakness;

OK, I was very naive; I generated a certificate for the main domain and the two second-level domains, and then changed the program!

My site is built with Node.js and uses http-proxy internally for proxying. I did not use Nginx, so that I could learn more about Node.js in an amateur's playful spirit; next, the main site listens on port 443, and the secondary sites are dispatched by the http-proxy proxy;

 
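var https = require('https');
var http = require('http');
var fs = require('fs');

// `app` is the main site's request handler (the Express app)
var server = http.createServer(app);
var httpsServer = https.createServer({
  // paths to the private key and certificate files (file names not given)
  key: fs.readFileSync('./'),
  cert: fs.readFileSync('./')
}, app);

httpsServer.listen(443);
server.listen(80);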

Roughly what the proxy middleware looks like:

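var httpProxy = require('http-proxy');

app.use(function(req, res, next){
  var proxy = httpProxy.createProxyServer({
    headers: {
      // pass the client address on to the secondary site; index [1] assumes an
      // IPv4-mapped address such as ::ffff:203.0.113.7 (second match = IPv4 part)
      'x-forward-ip': req.socket.remoteAddress.match(/([\w\.]+)/g)[1]
    }
  });
  // answer with a plain 500 if the secondary site cannot be reached
  proxy.on('error', function (err, req, res) {
    res.writeHead(500, {
      'Content-Type': 'text/plain'
    });
    res.end('Something went wrong.');
  });

  // dispatch on the requested host name (the host names are not given)
  switch (req.headers.host){
    case '':
      proxy.web(req, res, { target: 'https://localhost:2333' });
      break;
    case '':
      proxy.web(req, res, { target: 'https://localhost:3222' });
      break;
    default:
      next();
  }
});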

Accessing the main domain over https works without problems. The problem is that, for the secondary sites, the browser always warns that the website's certificate is untrusted. There was no way around it, so I had to visit the secondary sites like this: 4000/. Yes, of course access with a port works fine, since that way the request does not go through the proxy, but it always felt inconvenient and awkward, so I could only look for another solution;

Then came another stroke of luck. When I was about to get up and leave work, I saw an article. Except for the title, it was all in English, but my intuition told me that it contained what I wanted. I read it with a confused look on my face, and then it became clear: start letsencrypt from the command line with the --san parameter to apply for a certificate. You can bind multiple additional domains to one domain, which means that multiple domains can share the same set of certificates, so the proxy problem is naturally solved. After entering the main domain, enter the other domains separated by commas; it then goes to each domain in turn to verify, and finally generates one shared set of certificates; so I decided: have a good meal tonight!

Let's Encrypt verifies a domain by accessing an address in this format:

/.well-known/acme-challenge/RHha4Dx3YaUzi7tu_C6p9mPk-TNpuLVN5hMQro2N1_Q

It will access the garbled file under each domain in turn. Presumably the file contains another piece of garbled content that it wants. Open it and check. The main site uses Express, and the cdn site uses native Node.js. On both sites, accessing the address directly downloads the file, so the MIME header may need to be changed. Because multiple domains now need to access files in the same directory, do not fill in the real root directory when asked for the root directory; instead fill in a directory that the multiple root directories share, such as D:\, and modify the routing files as follows:

 

 
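// www(Express)
// Note: req.params.ids comes from the request and goes into the file path
// unchecked; it should be validated as a challenge token before use.
app.get('/.well-known/acme-challenge/:ids', function(req, res, next){
  require('fs').readFile('D:/.well-known/acme-challenge/' + req.params.ids, function(err, data){
    if (err) return next(err);
    res.send(data);
  });
});

// www(Koa2); `router` is a koa-router instance
router.get('/.well-known/acme-challenge/:ids', async (cx, next) => {
  await next();
  let data = await require('fs').promises.readFile('D:' + cx.path);
  cx.body = data;
});

// cdn (native Node.js; this fragment sits inside the site's request handler,
// with `url` = require('url') and `fs` = require('fs'))
if (req.url.indexOf('acme-challenge') != -1) {
  var pathname = url.parse(req.url).pathname;
  // Note: the pathname is taken from the request as-is and appended to D:
  fs.readFile('D:' + pathname, function(err, data){
    if (err) {
      console.log(err);
      res.writeHead(404);
      return res.end();
    }
    res.writeHead(200, {
      'content-type': 'text/html'
    });
    res.end(data);
    return false;
  });
}
return false;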
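
The routes above build a file path directly from the request (`:ids` in Express, the raw pathname on the cdn site), so the only thing keeping reads inside the challenge directory is the shape of the URL. As an added example (not code from the original post), one handler that all the sites could share accepts only base64url tokens before touching the disk; `challengeFile`, `serveChallenge` and the 128-character limit are assumptions, and `D:` is the shared directory from the post.

```javascript
// Added example, not the original post's code.
// CHALLENGE_ROOT mirrors the shared D: directory from the post; the helper
// names and the 128-character token limit are assumptions of this example.
var CHALLENGE_PREFIX = '/.well-known/acme-challenge/';
var CHALLENGE_ROOT = 'D:';

// ACME challenge tokens use only the base64url alphabet (RFC 8555),
// so anything containing ".", "/", "\", "%" or ":" is not a token.
var TOKEN_RE = /^[A-Za-z0-9_-]{1,128}$/;

// Map a request URL to the challenge file, or null if it is not a
// well-formed challenge request.
function challengeFile(requestUrl) {
  var pathname = String(requestUrl).split('?')[0];
  if (pathname.indexOf(CHALLENGE_PREFIX) !== 0) return null;
  var token = pathname.slice(CHALLENGE_PREFIX.length);
  if (!TOKEN_RE.test(token)) return null;
  return CHALLENGE_ROOT + CHALLENGE_PREFIX + token;
}

// Handler for a plain http/https server; returns true when it has taken
// the request, false when the caller should continue with its own routing.
function serveChallenge(req, res) {
  if (req.url.indexOf(CHALLENGE_PREFIX) !== 0) return false;
  var file = challengeFile(req.url);
  if (!file) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    res.end('Bad challenge token');
    return true;
  }
  require('fs').readFile(file, function (err, data) {
    if (err) {
      res.writeHead(404, { 'Content-Type': 'text/plain' });
      return res.end('Not found');
    }
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end(data);
  });
  return true;
}

// Express usage: app.use(function (req, res, next) {
//   if (!serveChallenge(req, res)) next();
// });
```

Serving the file as `text/plain` also means a browser that opens the address shows the content instead of downloading it or rendering it as HTML.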

In this way, the multiple domains are verified in sequence and pass, and one shared set of certificates is generated, which is valid for 3 months. If the system is normal during the validity period, it will be automatically renewed after 3 months. Then you can continue to use the http-proxy proxy, and https access to the secondary sites no longer needs a port; the next step is to replace all http with https, or remove the protocol altogether: the // format is also OK, and the browser will automatically recognize and use the corresponding protocol;

Since a domain verified by Let's Encrypt must be accessible online, local development needs to be configured separately, for example by using the openssl that ships with Git to generate a set of certificates for use during development and debugging, although the browser will warn that the certificate is not trusted;

In short, it is not all that complicated, but it is not all that simple either. That is just how things are. The trouble is just the price of naive and weak knowledge!
