本地主机通配符 SSL 与 Puma
[英]Localhost wildcard SSL with Puma
问题描述
I have a Rails 6.0 app with Puma 4.3.
我有一个带有 Puma 4.3 的 Rails 6.0 应用程序。 I need to set up a wildcard SSL certificate using a custom domain.我需要使用自定义域设置通配符 SSL 证书。 I've looked at a bunch of different resources out there but I can't seem to get anything working correctly.我查看了一堆不同的资源,但似乎无法正常工作。 Most everything I've seen out there caters to non-wildcard setups.我在那里看到的大多数东西都迎合了非通配符设置。
Here is my config/puma.rb .这是我的config/puma.rb 。 I've tried the current configurations as well as the stuff that is commented out.我已经尝试了当前的配置以及注释掉的内容。
##
# Configure Puma server
require 'fileutils'
workers Integer(ENV.fetch('WEB_CONCURRENCY', 2))
threads_count = Integer(ENV.fetch('MAX_THREADS', 5))
threads threads_count, threads_count
key = %w[. config ssl myapp-local.com.key].join('/')
crt = %w[. config ssl myapp-local.com.crt].join('/')
ssl_bind '127.0.0.1', '9292', {
key: key,
cert: crt,
verify_mode: :peer
}
# if ENV['ENVIRONMENT'] == 'development'
# unless File.exist?(key)
# def generate_root_cert(root_key)
# root_ca = OpenSSL::X509::Certificate.new
# root_ca.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
# root_ca.serial = 0x0
# root_ca.subject = OpenSSL::X509::Name.parse "/C=BE/O=A1/OU=A/CN=*.myapp-local.com"
# root_ca.issuer = root_ca.subject # root CA's are "self-signed"
# root_ca.public_key = root_key.public_key
# root_ca.not_before = Time.now
# root_ca.not_after = root_ca.not_before + 2 * 365 * 24 * 60 * 60 # 2 years validity
#
# root_ca.sign(root_key, OpenSSL::Digest::SHA256.new)
# root_ca
# end
#
# root_key = OpenSSL::PKey::RSA.new(2048)
# file = File.new(key, "wb")
# file.write(root_key)
# file.close
#
# root_cert = generate_root_cert(root_key)
#
# file = File.new(cert, "wb")
# file.write(root_cert)
# file.close
# end
#
# ssl_bind '127.0.0.1', '9292', {
# key: key,
# cert: cert,
# verify_mode: :peer
# }
#
# puts "Using local SSL cert..."
# end
preload_app!
rackup DefaultRackup
port ENV.fetch('PORT', 3000)
environment ENV.fetch('RACK_ENV', 'development')
on_worker_boot do
##
# Force Scout Agent launch. Required because of use of nginx in Procfile
ScoutApm::Agent.instance.start_background_worker
end
on_worker_fork { FileUtils.touch('/tmp/app-initialized') }
I'm using foreman .我正在使用foreman 。 Here is my Procfile.dev :这是我的Procfile.dev :
redis: (ps aux | grep 6379 | grep redis | awk '{ print $2 }' | xargs kill -s SIGINT) && redis-server --port 6379
resque: rake resque:workers QUEUE='*' COUNT='5'
scheduler: rake resque:scheduler
web: puma
Then in /etc/hosts I have:然后在/etc/hosts我有:
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
127.0.0.1 app.myapp-local.com
When I go to https://app.myapp-local.com:3000 I get an ERR_SSL_PROTOCOL_ERROR error from Chrome.当我访问https://app.myapp-local.com:3000我收到来自 Chrome 的ERR_SSL_PROTOCOL_ERROR错误。
I've also tried manually generating the certificate like so:我也试过像这样手动生成证书:
name=myapp-local.com
openssl req \
-new \
-newkey rsa:2048 \
-sha256 \
-days 3650 \
-nodes \
-x509 \
-keyout $name.key \
-out $name.crt \
-config <(cat <<-EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = $name
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $name
DNS.2 = *.$name
EOF
)
mv myapp-local.com.crt myapp-local.com.key config/ssl
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain config/ssl/myapp-local.com.crt
I've run out of ideas.我已经没有想法了。 I can't use a different hostname (eg lvh.me or localhost) because of how the app is configured, so I need it to work with *.myapp-local.com:3000 .由于应用程序的配置方式,我不能使用不同的主机名(例如 lvh.me 或 localhost),因此我需要它与*.myapp-local.com:3000 。 Any help is greatly appreciated!任何帮助是极大的赞赏!
UPDATE更新
So I changed my config file like so:所以我像这样改变了我的配置文件:
if ENV['ENVIRONMENT'] == 'development'
key = %w[. config ssl myapp-local.com.key].join('/')
crt = %w[. config ssl myapp-local.com.pem].join('/')
ca = "/Users/Daniel Bonnell/Library/Application\ Support/Certificate\ Authority/myapp/myapp.certAuthorityConfig"
ssl_bind '127.0.0.1', '3000', {
key: key,
cert: crt,
ca: ca,
verify_mode: :peer
}
end
Now when I boot the app I see this in the logs:现在,当我启动应用程序时,我在日志中看到了这一点:
17:12:45 web.1 | [68495] * Listening on ssl://127.0.0.1:3000?cert=./config/ssl/myapp-local.com.pem&key=./config/ssl/myapp-local.com.key&verify_mode=peer&no_tlsv1=false&no_tlsv1_1=false&ca=/Users/Daniel Bonnell/Library/Application Support/Certificate Authority/myapp/myapp.certAuthorityConfig
17:12:45 web.1 | [68495] * Listening on tcp://0.0.0.0:5300
If I go to https://app.myapp-local.com:3000 I see the following error:如果我转到https://app.myapp-local.com:3000我会看到以下错误:
17:14:19 web.1 | 2020-03-28 17:14:19 -0500: SSL error, peer: 127.0.0.1, peer cert: /O=member: F4B00436-9C90-4941-B053-A83BCB633934 DD31B694-6F02-4C8D-98C2-640DABBEB3F8/CN=member: F4B00436-9C90-4941-B053-A83BCB633934 DD31B694-6F02-4C8D-98C2-640DABBEB3F8, #<Puma::MiniSSL::SSLError: OpenSSL certificate verification error: unable to get local issuer certificate - 20>
If I go to https://app.myapp-local.com:5300 I see the following error:如果我转到https://app.myapp-local.com:5300我会看到以下错误:
17:15:32 web.1 | 2020-03-28 17:15:32 -0500: HTTP parse error, malformed request (): #<Puma::HttpParserError: Invalid HTTP format, parsing fails.>
I followed these steps using mkcert to generate a certificate and then I set up a local CA in my keychain (MacOS).我按照这些步骤使用mkcert生成证书,然后在我的钥匙串 (MacOS) 中设置本地 CA。
1 个解决方案
解决方案1
1 2020-03-29 00:49:12
I managed to get my setup working correctly.我设法让我的设置正常工作。 I think there were two problems.我认为有两个问题。 First, I was binding SSL to port 3000 and then further down, binding Puma to port 3000. I changed port ENV.fetch('PORT', 3000) to port ENV.fetch('PORT', 3001) .首先,我将 SSL 绑定到端口 3000,然后进一步向下,将 Puma 绑定到端口 3000。我将port ENV.fetch('PORT', 3000)更改为port ENV.fetch('PORT', 3001) 。 Second, I was pointing to the wrong CA.其次,我指向了错误的 CA。 The setup below seems to work for me now.下面的设置现在似乎对我有用。 I can access my app on port 3000 and I no longer see that pesky SSL error.我可以在端口 3000 上访问我的应用程序,并且不再看到那个讨厌的 SSL 错误。 Hope this helps someone.希望这可以帮助某人。 I spent 10 hours figuring it out.我花了 10 个小时才弄明白。 🙃 🙃
##
# Configure Puma server
require 'fileutils'
workers Integer(ENV.fetch('WEB_CONCURRENCY', 2))
threads_count = Integer(ENV.fetch('MAX_THREADS', 5))
threads threads_count, threads_count
# Note: Must generate an SSL certificate for local use.
# See: https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/
if ENV['ENVIRONMENT'] == 'development'
key = File.expand_path('./config/ssl/local_key.pem')
crt = File.expand_path('./config/ssl/local_cert.pem')
ca = File.expand_path('~/Library/Application Support/mkcert/rootCA.pem')
ssl_bind '127.0.0.1', 3000, {
key: key,
cert: crt,
ca: ca,
verify_mode: :peer
}
end
preload_app!
rackup DefaultRackup
port ENV.fetch('PORT', 3001)
environment ENV.fetch('RACK_ENV', 'development')
on_worker_boot do
##
# Force Scout Agent launch. Required because of use of nginx in Procfile
ScoutApm::Agent.instance.start_background_worker
end
on_worker_fork { FileUtils.touch('/tmp/app-initialized') }
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.