极客教程Node.js 如何使用SSL/TLS
TLS/SSL用于在互联网上建立安全连接。如今,大多数网站使用HTTPS与客户端通信。HTTPS基本上是在TLS/SSL上运行的HTTP。像浏览器这样的网页客户端会向用户提示不使用HTTPS的网站,因为这些网站容易受到网络攻击。因此,我们必须确保我们的Web应用程序在HTTPS上运行。要设置HTTPS服务器,我们需要一个SSL/TLS证书。本文简要介绍如何在Node.js中使用SSL/TLS。
我们将构建两个简单的表达式应用程序,分别运行一个HTTP服务器和一个HTTPS服务器。导入所需的模块并设置HTTP服务器。我们创建一个server.js文件,并将以下代码添加到其中。
server.js
const express = require("express")
const https = require("https")
const http = require("http")
const path = require("path")
const fs = require("fs")
const app = express()
app.get("/", (req, res) => {
res.send("Hello geeks, I am running on http!")
})
const httpServer = http.createServer(app)
httpServer.listen(3000, () => {
console.log("HTTP server up and running on port 3000")
})
输出: 执行上面的代码后,我们可以前往localhost:3000查看应用程序。
上面的应用程序不安全,因为它在普通的HTTP上运行。如果我们点击URL左边的符号,我们可以看到以下内容。
生成自签名证书: 要生成自签名证书,我们需要以下内容 –
- 私钥
- CSR(证书签名请求)
- TLS / SSL证书
我们将使用OpenSSL https://www.geeksforgeeks.org/practical-uses-of-openssl-command-in-linux/?ref=gcse 来创建私钥和证书。请确保以管理员身份执行以下命令。
步骤1: 创建私钥。
openssl genrsa -out <location_of_private_key>
openssl genrsa -out D:\tech_stuff\Gfg_freelance\node_ssl_tls\certificates\key.pem
This creates a 2048 bit private key using RSA algorithm.
-out -> this specifies the location where the generated private key will be stored
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAmxyRK0ZmY7h9zh6ED+1J5S/UC/mcQlH9daKt0tRPptSrfML4
VcT3TKUXUxv19pgoccm52IjEIbCKUx+5Vi5vL/d2fK0yOvR4v2ZCmj4t6y4cj9KS
zzAFYZ8GxHSkXheh5vU/Yv1E4RSV+Ti6lmGy5nzqvV9TevD8pB5Qw8XdC54EI9aX
Q5nAVRnCfptZaDXs/af/hc/BhFZnXUf+d4C5BF0cuUI8Qgyb2ePkxeQK0xv0kEsT
pzgMw3OKR78N+YY5S6Rx9mECVlJLpNPnxE9+Zd79iyNvj3570x+LV/ckpvdyjrLf
njizvWEODleddvx8wElMrdVbfKO+lwt9zb25pwIDAQABAoIBAAOS5u1eU+GcUJm9
LkHHr9ot/e7As477oKFjPCoNZkBryf+35kzjmucTLrRlgodJ/jSQ90076Xj1Plqn
8nc/3qP2Sa6ZtvyQwW93hbVUFW7Dwzi1G1jWvGkBZwCDx327gal2oR1AxKOC++mg
Gvx4B80zt5zhY2UDxG5rnGTGXE92LWaUYrM7WuU0NLpbSKk5aibQon2C/dnbZylD
RR5VWvUZr3inOyFnPZpuDy6j3Lw2lsB5c8K4LiY/yr5Qu+uO0Tvu8UqeFjur7pI2
Gm2z+muiRsiIZpIFPv+aZ+Ac1RHxTGdrsXRJyVoR/RFzcy2lTmJBYmFfCoqW/2Im
ZCY7QTECgYEAzNr6wPKa1N72kGUZOYZPmSVQhI80jYxBbBzZ3ie3SgEKid2VIniz
NLtycirj3oh81SfbwWhCwPQqbr7VCtPyiI2lbmURaDJBhEugypAm4FGelnpJtLMQ
KYIMOU33tpAhpl5kRi8fBbLDIjvV81lNSuSZOJGPnDqdiraKE7q0OisCgYEAwdZJ
0aJdKRP1brLEaQk4Jl7SAN9MTpyopQOpvQfStXZ/ksz6G1/VrAGt3k/jdS3qO7W1
eDFnwWUqbDdJQHgvh5ZLb85zD4BD8ANMxm8WoC3nJ9xuvCVc2yh83Er60lLJ3w4L
UIlWb1ZXikOrQ4e7ZXi3xPp2lqG4jztqToD/bHUCgYEAvgxplZd9DP/MvykLvdJd
BjcX++LfXnJAP4yEkxVFdeKBZGWtdc2Ec+dyxXgE7u6w4Q+ZUFTpmRjsRNHF08XN
u+GtGD2raH83SQTgpwwVBQazmebZekqlM9zyejdbGIOetDndzT7qCN9PKPNaCelP
S6vIejKQiN/YSFgQwTz09wECgYEAhVvKA9miIJ3jsNp7OQynvfZko0b99+PeP1GK
2UvlkwVI9hXiSS0hE6tAFQB/rGH/kj8M7/mFuc/BZRyQYDOP98fWdMDj9pk3pIyQ
qMFLHr8WFx2YbgeCoCF17hYEBOoCi1zdOfaTKhyMM8skrFxY+JIaVQJAzpfLI3gs
RoCHuvUCgYBqTMK4fvv2KG3x8sHm4rVUyww8P1YDhPK4pXnRYtzkYzlIlDlBvH9M
wmOcvWIE5nSa3wUfR5l2YaH8GpO9Ul6bsuN8ot8nsv+rJI/hv1T1pUDC1C/J6X9g
bm70rcj82jV6VaAJCV3nwltYhpKr73GbcYHwMM5qcOCmJbTNQ91eqQ==
-----END RSA PRIVATE KEY-----
步骤2: 创建CSR
openssl req -new -key <private_key> -out <location_of_csr>
openssl req -new -key D:\tech_stuff\Gfg_freelance\node_ssl_tls\certificates
\key.pem -out D:\tech_stuff\Gfg_freelance\node_ssl_tls\certificates\csr.pem
这个命令主要用于创建和处理证书签名请求(CSR)。
-new -> 它告诉openssl生成一个新的CSR。
-key -> 它指定了私钥的位置。生成相应的公钥需要私钥。
-out -> 它用于指定存储CSR的位置。
证书签发请求(CSR)包含证书颁发机构所需的重要信息,如上图所示。它还包括用于加密数据的您的网站/应用程序的公钥。然而,私钥不是CSR的一部分。
-----BEGIN CERTIFICATE REQUEST-----
MIICnzCCAYcCAQAwWjELMAkGA1UEBhMCSU4xEzARBgNVBAgMClNvbWUtU3RhdGUx
ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKc2Vy
dmVyIFRMUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJsckStGZmO4
fc4ehA/tSeUv1Av5nEJR/XWirdLUT6bUq3zC+FXE90ylF1Mb9faYKHHJudiIxCGw
ilMfuVYuby/3dnytMjr0eL9mQpo+LesuHI/Sks8wBWGfBsR0pF4Xoeb1P2L9ROEU
lfk4upZhsuZ86r1fU3rw/KQeUMPF3QueBCPWl0OZwFUZwn6bWWg17P2n/4XPwYRW
Z11H/neAuQRdHLlCPEIMm9nj5MXkCtMb9JBLE6c4DMNzike/DfmGOUukcfZhAlZS
S6TT58RPfmXe/Ysjb49+e9Mfi1f3JKb3co6y3544s71hDg5XnXb8fMBJTK3VW3yj
vpcLfc29uacCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBgtIW/OVhoCf9/GBAy
7tbLneFPWZJp3jkAk7m2ppPwj8gSm/Otqsx6ajEooixUrPA3xfbQMGPuMeQ37vcL
K0AoVRsV3wbXIS3T6YSTmqoLlCioK+PomFA8p1pWvWyb9i+00Ss0M+hBArg18hCf
OORXEUrFOJve2huygZO3/fMSifGC7qgTeVr6yx8bbIVzFoky+oikmWXSK9gBTNoM
64sPBNSf33AvK1p64q8yuSPXkZGmdvEjczXEL2diKuNcFHHwv7YLTI1NKKDsWZuu
LxY8TNEEFGPf1VZYD3hoGadFk6CvkXlSzskxxtH0sGwgGpAMa+5jnQGbpWYgWzk2
9CLK
-----END CERTIFICATE REQUEST-----
步骤3: 创建SSL证书
openssl x509 -req -days <validity_days> -in <csr_input> -signkey
<private_key> -out <location_ssl_certificate>
openssl x509 -req -days 365 -in D:\tech_stuff\Gfg_freelance\node_ssl_tls\certificates
\csr.pem -signkey D:\tech_stuff\Gfg_freelance\node_ssl_tls\certificates\key.pem
-out D:\tech_stuff\Gfg_freelance\node_ssl_tls\certificates\cert.pem
x509 specifies the digital certificate standard that is used in the public key infrastructure.
It is a multi purpose certificate utility. In this scenario, we are using it
to sign a certificate request.
-req -> By default this command expects a certificate as an input.
With this flag, it expects a certificate signing request as an input.
-days -> Specifies the number of days for which the certificate will be valid.
-in -> specifies the input file (in this case it is the csr.pem file)
-signkey -> This option tells openssl to self sign the input file with
the provided private key. (in this
case it is the one we created earlier)
-out -> specifies the location of the generated certificate.
-----BEGIN CERTIFICATE-----
MIIDMDCCAhgCCQDXC8xtR20hBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJJ
TjETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
cyBQdHkgTHRkMRMwEQYDVQQDDApzZXJ2ZXIgVExTMB4XDTIyMTIwMzA5MjAxM1oX
DTIzMTIwMzA5MjAxM1owWjELMAkGA1UEBhMCSU4xEzARBgNVBAgMClNvbWUtU3Rh
dGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwK
c2VydmVyIFRMUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJsckStG
ZmO4fc4ehA/tSeUv1Av5nEJR/XWirdLUT6bUq3zC+FXE90ylF1Mb9faYKHHJudiI
xCGwilMfuVYuby/3dnytMjr0eL9mQpo+LesuHI/Sks8wBWGfBsR0pF4Xoeb1P2L9
ROEUlfk4upZhsuZ86r1fU3rw/KQeUMPF3QueBCPWl0OZwFUZwn6bWWg17P2n/4XP
wYRWZ11H/neAuQRdHLlCPEIMm9nj5MXkCtMb9JBLE6c4DMNzike/DfmGOUukcfZh
AlZSS6TT58RPfmXe/Ysjb49+e9Mfi1f3JKb3co6y3544s71hDg5XnXb8fMBJTK3V
W3yjvpcLfc29uacCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAHLhnk1nlccCbygcI
qCmJBv0AHmHlV/sHMQz9hUE2vqb5b6U+UpfCdQjfAletZTsR88U39Ab/peXRyUOj
ZlxM/jcRAqYJY4lM32HozSXo4O3LwU3Gc9v7TisajnUgEa1R3sVbT0c7hNr5j1q8
q9nWVB23JYu43dEmbNQbNfhSmHN+j3gXOl8bx20gGwrhobufXvvZkzT6EvbXTHak
0NjDWZ+X2gwUCzDHMUXSwk1SR5FLVzyCXvnqzqVDUmT58vUq7NDdYlBI6HH/zMym
rvN3y+OVcTPij24I+MU9kTN2bCAAw5SknoP+G4TZBN0ixFnyZ/J258wDZTUItOKl
Xhl1Vw==
-----END CERTIFICATE-----
设置HTTPS服务器: 在创建HTTPS服务器时,我们必须在https.createServer()方法中指定私钥和SSL/TLS证书。同样,在server.js文件中,我们将添加以下代码。
const tlsApp = express()
tlsApp.get("/", (req, res) => {
res.send("Hello geeks, I am running on https!")
})
const httpsServer = https.createServer(
{
key: fs.readFileSync(path.join(__dirname,
"certificates", "key.pem")),
cert: fs.readFileSync(path.join(__dirname,
"certificates", "cert.pem")),
},
tlsApp
)
httpsServer.listen(3001, () => {
console.log("HTTPS server up and running on port 3001")
})
输出: 我们可以在 localhost:3001 上查看应用程序。
尽管我们使用了SSL/TLS证书,但浏览器仍然显示为不安全。原因是我们创建了一个自签名证书。像Google Chrome这样的浏览器只信任由经过认证的证书颁发机构(如Let’s Encrypt,DigiCert等)签名的证书。
因此,在创建一个将要部署到生产环境中的应用程序时,我们必须只使用由授权证书颁发机构签发的证书。