Securing a private IP address (https certificate)


Problem description

I have an unusual use case:

  • A web server on the Internet serves pages over HTTPS,
  • Within these pages, XMLHttpRequests are made to a locally connected device (IP over USB)
    • the device supports both HTTP and HTTPS,
    • the device is reachable at http(s)://192.168.0.1

Side question: Since the device is locally connected to the PC, the encryption is pretty useless. Does an HTTP header exist that allows insecure connections to a specific URL? (like CORS for cross-domain)

Main question: Is it possible to obtain a certificate for a private IP address?

It seems that Plex had a similar problem and solved it the way described on this blog. This is way too big for me.

Accepted answer

Is it possible to obtain a certificate for a private IP address?

A certificate can be bound to an IP address (see this). You can issue a self-signed certificate to a private address, but a trusted CA will not issue a certificate to a private address because it cannot verify its identity.

For example, a certificate issued to 192.168.0.1 would theoretically be valid in any context, and this should not be allowed by a trusted CA.

Plex solves the problem with Dynamic DNS and a wildcard certificate. The connections are made using the name (not the IP) of the device, which is resolved to the private IP.

Does an HTTP header exist that allows insecure connections to a specific URL? (like CORS for cross-domain)

No, it does not exist. The browser blocks your XHR connections because they are HTTP connections initiated from an HTTPS page (mixed-content warning). Non-secure content can theoretically be read or modified by attackers, even though the parent page is served over HTTPS, so it is normal and recommended that the browser warns the user.

To fix the mixed-content and HTTPS errors, you could serve the content through HTTPS with a self-signed certificate, and ask users to import your root CA into their browser.
