安卓转发请求

• 打开文件

  /system/etc/hosts

• 修改内容

  127.0.0.1       localhost
  ::1             ip6-localhost
  
  # 下面这个ip如果不是本地服务器，则需要修改成接口服务器的ip
  127.0.0.1 pro.autojs.org
  
  127.0.0.1 data.flurry.com
  127.0.0.1 c.sayhi.360.cn
  127.0.0.1 android.bugly.qq.com
  127.0.0.1 recaptcha.net

Linux安装openssl

1、下载对应版本：openssl-1.1.1v.tar.gz

2、解压openssl包：

tar -xzf openssl-1.1.1n.tar.gz

2、得到openssl-1.1.1n目录，然后进入openssl-1.1.1n目录中，安装openssl到 /usr/local/openssl 目录，安装之后，编译：

cd openssl-1.1.1
./config shared zlib  --prefix=/usr/local/openssl && make && make install

3、安装结束后执行以下命令：

./config -t
make depend

4、进入/usr/local目录下，执行以下命令：

ln -s openssl ssl

5、在/etc/ld.so.conf文件的最后面，添加如下内容：

/usr/local/openssl/lib

更新缓存

ldconfig

6、添加OPESSL的环境变量,在etc／的profile的最后一行，添加：

export OPENSSL=/usr/local/openssl/bin
export PATH=$OPENSSL:PATH:$HOME/bin

7、重新加载环境变量：

source /etc/profile

8、检查OPENSSL是否安装成功：

openssl version -a

openssl生成证书

生成过程

创建文件夹ca

• 生成CA私钥

  openssl genpkey -algorithm RSA -out myCA.key -pkeyopt rsa_keygen_bits:2048

  生成如下：

  [root@VM-4-15-centos ca]# openssl genpkey -algorithm RSA -out myCA.key -pkeyopt rsa_keygen_bits:2048
  ....................+++++
  ...........................................+++++

• 生成CA证书
  注意此处更新了个-days 3650，将ca证书有效期设置成10年，不加的话都是默认一个月

  openssl req -new -x509 -sha384 -key myCA.key -out myCA.crt -days 3650

  生成如下：

  [root@VM-4-15-centos ca]# openssl req -new -x509 -sha384 -key myCA.key -out myCA.crt
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  ----
  Country Name (2 letter code) [AU]:CN
  State or Province Name (full name) [Some-State]:.
  Locality Name (eg, city) []:.
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
  Organizational Unit Name (eg, section) []:.
  Common Name (e.g. server FQDN or YOUR name) []:pro.autojs.org
  Email Address []:123456@qq.com

• 获取证书哈希值，

  openssl x509 -subject_hash -in myCA.crt

  生成如下：

  [root@VM-4-15-centos ca]# openssl x509 -subject_hash -in myCA.crt
  32a0c59b
  -----BEGIN CERTIFICATE-----
  MIID/zCCAuegAwIBAgIUHptUbjm8YgPGqUdfRUFfFeV1CIkwDQYJKoZIhvcNAQEM
  BQAwgY4xCzAJBgNVBAYTAkNOMQ8wDQYDVQQIDAZGVUpJQU4xDzANBgNVBAcMBlBV
  VElBTjERMA8GA1UECgwIV1VZQUtFSkkxEDAOBgNVBAsMB1hJQU5ZT1UxFzAVBgNV
  BAMMDnByby5hdXRvanMub3JnMR8wHQYJKoZIhvcNAQkBFhA5NDIwMDE4NjBAcXEu
  Y29tMB4XDTIzMDgxOTE0MTUzMFoXDTIzMDkxODE0MTUzMFowgY4xCzAJBgNVBAYT
  AkNOMQ8wDQYDVQQIDAZGVUpJQU4xDzANBgNVBAcMBlBVVElBTjERMA8GA1UECgwI
  V1VZQUtFSkkxEDAOBgNVBAsMB1hJQU5ZT1UxFzAVBgNVBAMMDnByby5hdXRvanMu
  b3JnMR8wHQYJKoZIhvcNAQkBFhA5NDIwMDE4NjBAcXEuY29tMIIBIjANBgkqhkiG
  9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwB/1EMfdNYTrmD0WlUK+PqDkezMj7iOABhLv
  YEZ0RevCJ9XaBmS54JrklONljII4R3BjcZTb+gVzx6HmpsDm+9NN4xo2VpDXDMBx
  dGxA9ZPuthRJsaOt9iHoV77Q9Z5JByj7qZS3ftkEfpd6N82IWDIwWSICd2/Akneb
  Sk2IJnhB61aLvVpvvBKQKUBpSM753X85Msd8wWgZ5DI/DZEtBSRIyDr/PTK0mLS7
  sOVUKLDan9G1H1UYK0zinVeJqPWc2IgvrhqlMgDutIQotzoY994zTejQ7Pp4mOVJ
  iti2yY9DDVARYUjBbC8SiPSjX9TosEkgrfyQNruarkZs2uUJgQIDAQABo1MwUTAd
  BgNVHQ4EFgQUFH6Iwyn8tqNR5mpn53VTta/WT+swHwYDVR0jBBgwFoAUFH6Iwyn8
  tqNR5mpn53VTta/WT+swDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQwFAAOC
  AQEAEXKGgsd0fvVCeVetCDJF9IUWVrvOEeYmjI1T4gHJcpDJKf6X1EPH91HMDNS0
  p7rwj2hYHPrFfWL31VVyEk8WFcMs0i3hVLIk2+NcoRlHCnxzPwinqe8u91XDrh6w
  qS6ywHj7vzR0fnRM92513WBfTmGEFsWKqVNr36MQ1wWP8iOSbMV55u/hG5Hxo6yn
  fleMkY4L59PKMLURRNu8a5ek94vCcMhibIXUdjhsfsh9MfOTumovvzNnNBDsh/PN
  WdTiXATuJSxvEtJiglnyKe/7jnIApclc7ofiMWmUXFHi8LABGt8pOPTgXyQR+ID3
  dP8xfDFM2dx/j4H3OFuLRRLYGg==
  -----END CERTIFICATE-----

  生成的哈希值为32a0c59b，新建 32a0c59b.0，并将 myCA.crt 的内容复制进去

创建文件夹certs

• 生成ssl证书私钥

  openssl genrsa -out localhost.key 2048

  生成如下：

  [root@VM-4-15-centos certs]# openssl genrsa -out localhost.key 2048
  Generating RSA private key, 2048 bit long modulus (2 primes)
  ..............................................................................+++++
  ...................................................................................................................................................................................................................................+++++
  e is 65537 (0x010001)

• 创建ssl证书私钥

  openssl req -new -key localhost.key -out localhost.csr

  生成如下：

  [root@VM-4-15-centos certs]# openssl req -new -key localhost.key -out localhost.csr
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:CN
  State or Province Name (full name) [Some-State]:.
  Locality Name (eg, city) []:.
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
  Organizational Unit Name (eg, section) []:.
  Common Name (e.g. server FQDN or YOUR name) []:pro.autojs.org
  Email Address []:123456@qq.com
  
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:autojs
  An optional company name []:autojs

• 创建cert.ext，文件内容：

  authorityKeyIdentifier=keyid,issuer
  basicConstraints=CA:FALSE
  keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
  subjectAltName = @alt_names
  
  [alt_names]
  DNS.1 = pro.autojs.org

• 创建ssl证书CSR

  openssl x509 -req -in localhost.csr -out localhost.crt -days 3650 \
  -CAcreateserial -CA ../ca/myCA.crt -CAkey ../ca/myCA.key \
  -CAserial serial -extfile cert.ext

  生成如下：

  [root@VM-4-15-centos certs]# openssl x509 -req -in localhost.csr -out localhost.crt -days 3650 \
  > -CAcreateserial -CA ../ca/myCA.crt -CAkey ../ca/myCA.key \
  > -CAserial serial -extfile cert.ext
  Signature ok
  subject=C = CN, ST = ., L = ., O = ., OU = ., CN = pro.autojs.org, emailAddress = 123456@qq.com
  Getting CA Private Key

• 使用CA验证一下证书是否通过

  openssl verify -CAfile ../ca/myCA.crt localhost.crt

  生成如下：

  [root@VM-4-15-centos certs]#  openssl verify -CAfile ../ca/myCA.crt localhost.crt
  localhost.crt: OK

生成结果

• --ca

  • ----myCA.key
  • ----myCA.crt
  • ----32a0c59b.0

• --certs

  • ----localhost.crt
  • ----localhost.csr
  • ----localhost.key
  • ----cert.ext
  • ----serial

附检查证书有效期的命令

两个都要检查（localhost.crt|myCA.crt）

openssl x509 -noout -dates -in crt文件路径

证书导入安卓机

• 将 32a0c59b.0 移动到：

  /system/etc/security/cacerts

• 修改属性：
  • 权限：644
  • 用户组：root
  • 所有者：root

证书部署

新建项目

• 网站-Node项目-添加Node项目
• 项目目录：接口文件夹目录
• 项目名称：ajlocal
• 启动选项：自定义启动命令-选择项目的接口运行文件路径
• 项目端口：接口文件运行端口
• 运行用户：root

部署SSl证书

• 域名管理 —> 添加域名

  pro.autojs.org

• 外网映射 —> 开启
• SSL
  • 左侧输入框内容：localhost.key
  • 右侧输入框内容：localhost.crt + myCA.crt

自启引导项

• 创建引导启动项文件：/etc/rc.local

• 修改属性：

  • 权限：644
  • 用户组：root
  • 所有者：root

• 文件内容

  export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  export MYVAR=example
  
  echo "reStarting bt"
  bt 1
  
  echo "Starting Nginx"
  /www/server/nginx/sbin/nginx
  
  echo "Starting Ajlocal_Server"
  node /www/wwwroot/ajlocal/main.js
  
  echo "Starting CodeServer"
  /www/wwwroot/code-server/bin/code-server --port 8088 --host 0.0.0.0 --auth password
  

附录

安卓用户证书安装后的存储位置

• 用户证书安装后的存储位置(root权限):

  /data/misc/user/0/cacerts-added/

• 系统证书路径

  /system/etc/security/cacerts/

  将安装用户证书后 ,将用户证书路径下的证书复制到系统证书路径下 即可变成系统证书 解决安装7.0后系统默认不信任用户证书

安卓证书导入显示需要提供私钥

安卓可以导入自签名的CA证书，但不可以导入没有CA签署的自签名SSL证书。
因此解决思路是：

1. 生成一个自签名的CA证书，安卓手机导入这个CA证书
2. 使用CA证书签署一个新的SSL证书，在服务器上使用这个新的SSL证书提供HTTPS服务这样安卓手机就可以通过HTTPS访问服务器了。

终端运行命令显示xx command not find

在root/.bashrc添加如下命令设置默认的系统环境变量

export PATH=/usr/bin:/bin:/usr/local/bin:/sbin:/usr/sbin:$PATH

etc/rc.local运行命令显示xx command not find

在文件头部添加如下命令设置默认的系统环境变量

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export MYVAR=example