Implementation of debugging code through nginx reverse proxy

background

Now the company's projects are developed in a way that the front-end and back-end are separated. Sometimes, due to some new development requirements or bug fixes, I want the front-end to connect directly to my local development environment for debugging, but I don't have the front-end code, so I can only test it through the test environment deployed by the front-end. The easiest way is to directly change the host to point the domain name of the back-end test environment to my local IP. This is very easy to do for HTTP protocol services, but the company's test environment is all HTTPS, and my local service is HTTP protocol. Even if the host is changed, the request will fail due to the different protocols, so the local service needs to be upgraded to HTTPS.

plan

In fact, springboot itself supports HTTPS (howto-configure-ssl), but this requires changing the project code, which is not very elegant. So I want to use nginx to reverse proxy to the local service directly. In this way, there is no need to change the code to do HTTPS at nginx level. You only need to modify the host to point后端測試環境域名to the IP of nginx service, and it can also be applied to other HTTP service development and debugging.

Issuance of certificates

First, you need to generate a set of certificates for nginx's SSL configuration. Use the openssl tool to generate a set of根證書and corresponding服務證書.

Root certificate generation

# Generate an RSA private key openssl genrsa -out root.key 2048
# Generate a root certificate using the private key openssl req -sha256 -new -x509 -days 365 -key root.key -out root.crt \
  -subj "/C=CN/ST=GD/L=SZ/O=lee/OU=work/CN=fakerRoot"

Server Certificate Generation

# Generate an RSA private key openssl genrsa -out server.key 2048
# Generate a certificate signing request file with SAN extension openssl req -new \
  -sha256 \
  -key server.key \
  -subj "/C=CN/ST=GD/L=SZ/O=lee/OU=work/CN=xxx.com" \
  -reqexts SAN \
  -config <(cat /etc/pki/tls/openssl.cnf \
    <(printf "[SAN]\nsubjectAltName=DNS:*.xxx.com,DNS:*.test.xxx.com")) \
  -out server.csr
# Use the previously generated root certificate to issue openssl ca -in server.csr \
  -md sha256 \
  -keyfile root.key \
  -cert root.crt \
  -extensions SAN \
  -config <(cat /etc/pki/tls/openssl.cnf \
    <(printf "[SAN]\nsubjectAltName=DNS:xxx.com,DNS:*.test.xxx.com")) \
  -out server.crt

This gives us three key files:

• root.crt : root certificate
• server.key : server certificate private key
• server.crt : server certificate

Note: The domain name of the generated server certificate must support the domain name accessed by the test environment, otherwise the browser will prompt that the certificate is not secure.

nginx configuration

For convenience, we directly use docker to start an nginx container for access, and mount the certificate and configuration file to the corresponding directory:

nginx.conf

server {
  listen 443 ssl;
  server_name _;
  ssl_certificate "/usr/local/nginx/ssl/server.pem";
  ssl_certificate_key "/usr/local/nginx/ssl/server.key";
  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass http://127.0.0.1:3000;
    proxy_redirect off;
    proxy_http_version 1.1;
  }
}

Specify the server's certificate and private key by configuring ssl_certificate and ssl_certificate_key , and specify the access address of the development environment by proxy_pass .

start up

docker run -d --name https -p 443:443 -v ~/forword/ssl:/usr/local/nginx/ssl -v ~/forword/config/nginx.conf:/etc/nginx/conf.d/default.conf nginx

Mount the nginx configuration and certificate-related files to the corresponding directory and expose port 443, so that you can access the local development environment through https after the service is started.

Install the root certificate

Since the service certificate is self-signed and will not be trusted by the browser,根證書needs to be installed in the operating system.

Open Chrome browser->Settings->Advanced->Manage Certificates

Trusted Root Certification Authorities -> Import

Select the previously generated root certificate root.crt to import

Modify host

When debugging is needed, you only need to start the local service, resolve the domain name to be tested in the host to the IP of the nginx server, and then forward the front-end request to the development environment. The certificate can be seen through小鎖圖標in the browser address bar, and the verified service has been deployed successfully.

postscript

In fact, two solutions have been mentioned in this article. In fact, there are other solutions, such as using fidder , a man-in-the-middle attack, which I will not go into here.

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.