一.安装 Nginx、OpenSSL# 更新 sudo apt update # 安装nginx与openssl证书工具 sudo apt install -y nginx openssl # 验证 nginx -v openssl version二、生成内网 IP 自签 SSL 证书内网无域名必须添加 SAN 扩展 IP 字段否则浏览器报证书不匹配。1. 创建证书存放目录sudo mkdir -p /etc/nginx/ssl cd /etc/nginx/ssl2. 一键生成带 IP SAN 的证书有效期 10 年替换 192.168.28.200 为你的服务器内网 IPsudo mkdir -p /etc/nginx/ssl cd /etc/nginx/ssl sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \ -keyout server.key \ -out server.crt \ -subj /CCN/STSichuan/LChengdu/O内部业务/OUIT/CN192.168.28.200 \ -addext subjectAltNameIP:192.168.28.200,IP:127.0.0.1设置证书权限安全加固sudo chmod 600 server.key sudo chmod 644 server.crt再次校验openssl x509 -in server.crt -text -noout三、Nginx配置仅供参考# HTTP 80端口强制跳转HTTPS server { listen 80; server_name 192.168.28.200; return 301 https://$host$request_uri; } # HTTPS反向代理SpringBoot服务 server { listen 443 ssl http2; server_name 192.168.28.200; # 证书路径 ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; # SSL安全协议配置 ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; location / { # SpringBoot本地地址 proxy_pass http://127.0.0.1:8080/; proxy_connect_timeout 60s; proxy_read_timeout 60s; # 透传客户端真实信息 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # 告知后端当前为HTTPS访问 proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Port $server_port; } # 静态资源缓存优化可选 location ~* \.(jpg|png|css|js|ico)$ { proxy_pass http://127.0.0.1:8080; expires 7d; add_header Cache-Control public; } }四、客户端安装证书一Windows客户端安装证书1.将server.crt另存到本地。2.右键 server.crt → 安装证书。3.存储位置本地计算机。4.证书存储选择受信任的根证书颁发机构。5.完成后重启浏览器无警告。二UOS客户端安装证书复制证书文件 /etc/nginx/ssl/server.crt 到桌面。1.Chrome浏览器安装证书设置-隐私与安全-安全-管理证书-本地证书-导入。2.UOS自带浏览器安装证书设置-安全隐私-证书安全-证书管理器-信任的CA证书-导入。