參考文章:https://fzambia.gitbooks.io/centrifugal/content/deploy/certificates.htmlhtml
TLS certificates
TLS/SSL layer is very important not only for securing your connections but also to increase a chance to establish Websocket connection. In most situations you will put TLS termination task on your reverse proxy/load balancing software such as Nginx.git
There are situations though when you want to serve secure connections by Centrifugo itself.github
There are two ways to do this: using TLS certificate cert and key files that you've got from your CA provider or using automatic certificate handling via ACME provider (only Let's Encrypt at this moment).web
Using crt and key files
In first way you already have cert and key files. For development you can create self-signed certificate - see this instruction as example.json
Then to start Centrifugo use the following command:安全
./centrifugo --config=config.json --ssl --ssl_key=server.key --ssl_cert=server.crt
Or just use configuration file:服務器
{
...
"ssl": true, "ssl_key": "server.key", "ssl_cert": "server.crt" }
And run:websocket
./centrifugo --config=config.json
Automatic certificates
For automatic certificates from Let's Encrypt add into configuration file:app
{
...
"ssl_autocert": true,
"ssl_autocert_host_whitelist": "www.example.com",
"ssl_autocert_cache_dir": "/tmp/certs",
"ssl_autocert_email": "user@example.com"
}
ssl_autocert says Centrifugo that you want automatic certificate handling using ACME provider.dom
ssl_autocert_host_whitelist is a string with your app domain address. This can be comma-separated list. It's optional but recommended for extra security.
ssl_autocert_cache_dir is a path to a folder to cache issued certificate files. This is optional but will increase performance.
ssl_autocert_email is optional - it's an email address ACME provider will send notifications about problems with your certificates.
When configured correctly and your domain is valid (localhost will not work) - certificates will be retrieved on first request to Centrifugo.
Also Let's Encrypt certificates will be automatically renewed.
There are tho options (new in v1.6.5) that allow Centrifugo to support TLS client connections from older browsers such as Chrome 49 on Windows XP and IE8 on XP:
ssl_autocert_force_rsa- this is a boolean option, by defaultfalse. When enabled it forces autocert manager generate certificates with 2048-bit RSA keys.ssl_autocert_server_name- string option, allows to set server name for client handshake hello. This can be useful to deal with old browsers without SNI support - see comment
實例:
阿里雲下載域名的證書
上傳到服務器 /home/websocket_cert/1522*******822.key , /home/websocket_cert/1522*****4822.pem
cat /data/centrifugo/config_ssl.json "log_level": "debug", "connection_lifetime": 10, "admin_password": "admin", "admin_secret": "admin_secret", "recover": true, "admin":true, "web":true, "anonymous": true, "ssl": true, "ssl_key": "/home/websocket_cert/152******4822.key", "ssl_cert": "/home/websocket_cert/152******4822.pem" }
啓動服務:
/data/centrifugo/centrifugo -d -c /data/centrifugo/config_ssl.json -p 9**2 --log_file /data/centrifugo/error_ssl.log --log_level debug --web &
如果阿里雲服務器 請在安全組開啓 相應端口容許 。
實例訪問效果:
