Configuration
mkcert generates a local root CA (a root certificate plus its private key) and installs the root certificate into the system and browser trust stores. It then uses that CA's private key to issue server certificates for names such as localhost; because the root is already trusted, the browser accepts the server certificate without a warning. The root key lives in the directory reported by `mkcert -CAROOT`: anyone who obtains it can issue certificates your machine trusts, so keep it out of version control and off shared storage.
brew install mkcert
mkcert -install
mkcert localhost
# The certificate is at "./localhost.pem" and the key at "./localhost-key.pem" ✅
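To see why the browser trusts localhost.pem, the following script rebuilds the same structure (a local root CA and a leaf certificate for localhost) with plain openssl and then checks the leaf with and without the root in the trust store. This is an added example, not code from the original post or from mkcert; it assumes an OpenSSL 1.1.0+ command line, and the CA name "dev-root" and the temporary work directory are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from mkcert): reproduce the
# trust structure mkcert builds, then verify the leaf the way a browser would.
# Assumes OpenSSL 1.1.0+; "dev-root" and the work directory are demo choices.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Local root CA: self-signed, marked CA:TRUE. mkcert keeps the equivalent as
#    rootCA.pem / rootCA-key.pem under `mkcert -CAROOT`; the key is the crown jewel.
make_root_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dev-root" \
    -keyout "$WORK/rootCA-key.pem" -out "$WORK/rootCA.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -days 3650 -in "$WORK/rootCA.csr" -signkey "$WORK/rootCA-key.pem" \
    -extfile "$WORK/ca.ext" -out "$WORK/rootCA.pem" >/dev/null 2>&1
}

# 2. Leaf for localhost, signed by the root. Browsers ignore the CN and match the
#    subjectAltName, so the SAN extension is what makes https://localhost work.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$WORK/localhost-key.pem" -out "$WORK/localhost.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -days 825 -in "$WORK/localhost.csr" \
    -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA-key.pem" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/localhost.pem" >/dev/null 2>&1
}

# 3. What the browser sees. With the root trusted, chain and hostname checks pass;
#    with an empty trust store the same leaf is rejected. That difference is
#    exactly what `mkcert -install` provides.
verify_with_root() {
  if openssl verify -CAfile "$WORK/rootCA.pem" -verify_hostname localhost \
       "$WORK/localhost.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
verify_without_root() {
  if openssl verify -no-CAfile -no-CApath \
       "$WORK/localhost.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# A valid chain presented for the wrong name is still a failure.
verify_wrong_host() {
  if openssl verify -CAfile "$WORK/rootCA.pem" -verify_hostname example.org \
       "$WORK/localhost.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_root_ca
make_leaf
openssl x509 -in "$WORK/localhost.pem" -noout -subject -issuer -dates
openssl x509 -in "$WORK/localhost.pem" -noout -text | grep -A1 'Subject Alternative Name'
echo "trusted root, host localhost: $(verify_with_root)"     # OK
echo "no trusted root:              $(verify_without_root)"  # FAIL
echo "trusted root, wrong host:     $(verify_wrong_host)"    # FAIL
```

The same `openssl verify -CAfile "$(mkcert -CAROOT)/rootCA.pem" -verify_hostname localhost localhost.pem` check works on the files mkcert itself produced, and is a quick way to confirm the SAN covers the name you are going to serve.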
# vi default.conf
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /etc/ssl/certs/localhost.pem;
    ssl_certificate_key /etc/ssl/certs/localhost-key.pem;
    # Allow only TLSv1.2 and TLSv1.3; TLSv1.0 and TLSv1.1 are explicitly disabled
    ssl_protocols TLSv1.2 TLSv1.3;
    # For TLS 1.2 and earlier, keep only high-strength suites with authenticated key exchange and no MD5.
    # TLS 1.3 suites are not selected by this string (nginx exposes them via ssl_conf_command Ciphersuites).
    ssl_ciphers HIGH:!aNULL:!MD5;
    # Use the server's cipher order rather than the client's
    ssl_prefer_server_ciphers on;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
docker run -d --name nginx-ssl \
  -p 8443:443 \
  -v ./default.conf:/etc/nginx/conf.d/default.conf:ro \
  -v ./localhost.pem:/etc/ssl/certs/localhost.pem:ro \
  -v ./localhost-key.pem:/etc/ssl/certs/localhost-key.pem:ro \
  nginx:alpine
# Relative bind-mount paths need Docker 23.0 or newer; on older versions write "$(pwd)/default.conf:..." instead.
# Remove the container: docker rm -f nginx-ssl
# Restart after editing default.conf or the certificate: docker container restart nginx-ssl
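nginx hands the `ssl_ciphers` string straight to OpenSSL, so `openssl ciphers -v` shows exactly which suites a string like `HIGH:!aNULL:!MD5` selects. The script below expands a candidate string and counts the suites that should never survive in a server config (anonymous key exchange, null encryption, MD5 MACs, RC4/DES). It is an added example, not from the original post or from nginx; it assumes an OpenSSL-style `openssl ciphers -v` output with Kx/Au/Enc/Mac columns, and the `permissive` string is only there for contrast.

```shell
#!/bin/sh
# Added example (not from the original post): audit an nginx ssl_ciphers string
# by expanding it the way OpenSSL, and therefore nginx, interprets it.
# Assumes the Kx=/Au=/Enc=/Mac= columns of `openssl ciphers -v`.
set -eu

# Print the suites a cipher string selects, one per line with OpenSSL's columns.
expand_ciphers() {
  openssl ciphers -v "$1"
}

# Count suites that should never reach a server config: anonymous key exchange
# (Au=None), no encryption (Enc=None), MD5 MACs, or RC4/DES/3DES bulk ciphers.
count_weak() {
  openssl ciphers -v "$1" | awk '
    /Au=None/ || /Enc=None/ || /Mac=MD5/ || /Enc=(RC4|DES|3DES)/ { n++ }
    END { print n + 0 }'
}

# Total number of suites the string selects.
count_all() {
  openssl ciphers "$1" | tr ':' '\n' | wc -l | tr -d ' '
}

# TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) appear in the list on OpenSSL 1.1.1+
# whatever the string says: they are governed by the Ciphersuites setting
# (nginx: ssl_conf_command Ciphersuites ...), not by ssl_ciphers.
count_tls13() {
  openssl ciphers "$1" | tr ':' '\n' | grep -c '^TLS_' || true
}

hardened='HIGH:!aNULL:!MD5'      # the string used in default.conf above
permissive='ALL:COMPLEMENTOFALL' # everything the library can do, for contrast only

echo "== $hardened =="
expand_ciphers "$hardened"
echo "suites: $(count_all "$hardened"), weak: $(count_weak "$hardened"), TLS 1.3: $(count_tls13 "$hardened")"
echo "== $permissive: weak suites still selectable: $(count_weak "$permissive")"
```

Run it with the OpenSSL build nginx will actually use, not only the host's: the container here is nginx:alpine, so `docker run --rm nginx:alpine openssl ciphers -v 'HIGH:!aNULL:!MD5'` is the authoritative expansion.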
Testing
Browser
Open https://localhost:8443/ in a browser. If the page loads with the padlock and no certificate warning, the setup works. The browser must be one mkcert installed the root into: Firefox keeps its own trust store, and `mkcert -install` can only reach it when certutil (the nss tools) is present.
curl
curl -I https://localhost:8443/
HTTP/1.1 200 OK
Server: nginx/1.29.0
Date: Fri, 27 Jun 2025 01:54:36 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 24 Jun 2025 17:57:38 GMT
Connection: keep-alive
ETag: "685ae712-267"
Accept-Ranges: bytes
# -v prints the handshake details, including the negotiated TLS version and suite
curl -I https://localhost:8443/ -v
...
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
...
The line above is how a curl built against LibreSSL (as shipped on macOS) reports the handshake; an OpenSSL-built curl prints the same information in a slightly different form. A negative check is just as useful: forcing an old version with curl's `--tls-max 1.1` must be refused by the server, which confirms the `ssl_protocols` line is in effect.
HTTP/2
The connection above is HTTP/1.1. To enable HTTP/2, see NGINX 启用 HTTP/2 | ZYF.IM.
HTTP/3
References
– EOF –