Building an internal-network SSL certificate and setting up OTA installation of iOS test builds


Author: seventeencm | Published 2019-10-27 18:43

    Preface

    Today I built an iOS app on a new MacBook Pro for the first time. The company has no docking station, so I could not plug the phone in; I had wanted to debug over Wi-Fi, but that first requires connecting the device to the computer with a cable, so installing over OTA was the only option.

    Setting up OTA

    Generating an HTTPS certificate for an internal IP address

    For the detailed steps, see 王王王勇旭's article on fixing the "Your connection is not private" error that Chrome shows for self-signed certificates.

    The relevant configuration is as follows.

    -- Create LocalCA.cnf
    touch LocalCA.cnf
    Contents:
    
    [ req ]
    distinguished_name  = req_distinguished_name
    x509_extensions     = root_ca
    # prompt = no makes the entries below literal DN values rather than
    # interactive prompt labels; the -subj passed on the command line below
    # still overrides them, but the section must exist or openssl req fails
    prompt              = no
    
    [ req_distinguished_name ]
    
    # define CA
    countryName             = CN
    stateOrProvinceName     = GuangDong
    localityName            = GuangZhou
    0.organizationName      = LocalCompany
    organizationalUnitName  = technology
    commonName              = develop
    emailAddress            = local@email.com
    
    [ root_ca ]
    basicConstraints            = critical, CA:true
    
    
    -- Create LocalCA.ext
    touch LocalCA.ext
    Contents:
    
    subjectAltName = @alt_names
    extendedKeyUsage = serverAuth
    
    [alt_names]
    
    # hostname, if the devices reach the server by name (placeholder)
    DNS.1 = domain.com
    # IP addresses: iOS and Chrome match the server address against the SAN
    # only, so this must be the address the devices connect to; the nginx
    # server and the download page below both use 192.168.2.188
    IP.1 = 192.168.2.188
    IP.2 = 127.0.0.1
    
    
    -- Certificate generation commands
    -- CA certificate, to be installed on the devices
    openssl req -x509 -newkey rsa:2048 -out LocalCA4Device.cer -outform PEM -keyout LocalCA4Device.pvk -days 10000 -verbose -config LocalCA.cnf -nodes -sha256 -subj "/CN=LocalCompany CA"
    
    -- Generate the SSL (server) certificate
    
    -- The CN is ignored once a SAN is present; LocalCA.ext is what has to match
    openssl req -newkey rsa:2048 -keyout LocalCA4Nginx.pvk -out LocalCA4Nginx.req -subj /CN=localhost -sha256 -nodes
    
    -- iOS 13 and later reject TLS server certificates valid for more than 825 days, so the leaf must not reuse the CA's -days 10000.
    -- Change -set_serial every time the certificate is reissued under this CA; browsers that cached the old one reject a reused serial.
    openssl x509 -req -CA LocalCA4Device.cer -CAkey LocalCA4Device.pvk -in LocalCA4Nginx.req -out LocalCA4Nginx.cer -days 825 -extfile LocalCA.ext -sha256 -set_serial 0x1111
    
    

    Install the CA certificate (LocalCA4Device.cer only; the .pvk private keys stay on the build machine and are never published) on every device that will download the build. On Windows it has to go into the "Trusted Root Certification Authorities" store; on iOS the installed profile must additionally be marked as fully trusted under Settings > General > About > Certificate Trust Settings, as the FAQ on the download page below explains.
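The procedure above as one runnable script, added here as an example and not part of the original article: it creates the CA and the nginx certificate under the same file names, then checks the result the way an iOS device will judge it (chain to the private root, SAN covering the IP, serverAuth EKU, the 825-day limit, and key/certificate match). It assumes OpenSSL 1.1.1 or later, a work directory and server IP given as arguments (192.168.2.188 by default, the nginx server_name used below); the `keyUsage` lines, the separate `server.cnf`, and the random serial from `-CAcreateserial` are choices of this example, not the article's config.

```shell
#!/bin/sh
# Added example: build the private CA and the nginx server certificate used in
# this article, then check the result the way an iOS device will judge it.
# Assumptions (not from the article): OpenSSL 1.1.1+, work directory in $1,
# server IP in $2 (default 192.168.2.188, the nginx server_name below).

make_ota_certs() (
    dir=$1; ip=${2:-192.168.2.188}
    mkdir -p "$dir" && cd "$dir" || exit 1

    # Root CA. prompt=no makes the DN entries literal values; keyUsage is an
    # addition the article's config does not have.
    cat > LocalCA.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
x509_extensions    = root_ca

[ req_distinguished_name ]
CN = LocalCompany CA

[ root_ca ]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config LocalCA.cnf \
        -keyout LocalCA4Device.pvk -out LocalCA4Device.cer 2>/dev/null || exit 1

    # Server CSR. The CN is cosmetic; iOS matches the address against the SAN.
    cat > server.cnf <<EOF
[ req ]
prompt             = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
CN = $ip
EOF
    openssl req -newkey rsa:2048 -nodes -sha256 -config server.cnf \
        -keyout LocalCA4Nginx.pvk -out LocalCA4Nginx.req 2>/dev/null || exit 1

    # Leaf extensions: the SAN must carry the IP that appears in the itms-services URL.
    cat > LocalCA.ext <<EOF
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = IP:$ip, IP:127.0.0.1
EOF
    # 825 days is the longest validity iOS 13+ accepts for a TLS server cert;
    # -CAcreateserial picks a random serial instead of a fixed -set_serial.
    openssl x509 -req -sha256 -days 825 -CAcreateserial \
        -CA LocalCA4Device.cer -CAkey LocalCA4Device.pvk -extfile LocalCA.ext \
        -in LocalCA4Nginx.req -out LocalCA4Nginx.cer 2>/dev/null
)

verify_ota_cert() (
    dir=$1; ip=${2:-192.168.2.188}
    cd "$dir" || exit 1
    # 1. Chain builds to the private root and the SAN covers the IP the device uses.
    openssl verify -CAfile LocalCA4Device.cer -verify_ip "$ip" LocalCA4Nginx.cer >/dev/null 2>&1 \
        || { echo "chain or SAN check failed for $ip"; exit 1; }
    # 2. serverAuth EKU is required on TLS server certificates.
    openssl x509 -in LocalCA4Nginx.cer -noout -text | grep -q 'TLS Web Server Authentication' \
        || { echo "missing extendedKeyUsage serverAuth"; exit 1; }
    # 3. Freshly issued, so remaining lifetime ~= total lifetime: the cert must
    #    not still be valid 825 days from now (a -days 10000 leaf fails here).
    if openssl x509 -in LocalCA4Nginx.cer -noout -checkend $((825 * 86400)) >/dev/null; then
        echo "validity exceeds 825 days"; exit 1
    fi
    # 4. The key nginx loads must belong to the certificate it serves.
    [ "$(openssl x509 -in LocalCA4Nginx.cer -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in LocalCA4Nginx.pvk -pubout 2>/dev/null)" ] \
        || { echo "key does not match certificate"; exit 1; }
    echo "LocalCA4Nginx.cer is acceptable for https://$ip/"
)
```

Run `make_ota_certs ./certs && verify_ota_cert ./certs`. Running `verify_ota_cert ./certs 192.168.2.221` against the same files fails with an IP address mismatch, which is exactly what a device sees when the SAN lists a different address than the one in the itms-services URL. Once nginx is up, `curl --cacert certs/LocalCA4Device.cer https://192.168.2.188/app/download/ios/manifest.plist` should return the manifest without a certificate error.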

    HTML for the OTA download page

    <!DOCTYPE html>
    <html>
      <head>
        <meta charset="utf-8" />
        <meta http-equiv="X-UA-Compatible" content="IE=edge" />
        <title>iOS test build download</title>
        <meta
          name="viewport"
          content="width=device-width,initial-scale=1,user-scalable=0"
        />
        <meta name="apple-mobile-web-app-capable" content="yes" />
        <meta name="apple-mobile-web-app-status-bar-style" content="black" />
        <meta http-equiv="Cache-Control" content="no-siteapp" />
        <meta http-equiv="Cache-Control" content="no-transform" />
        <meta name="format-detection" content="telephone=no" />
      </head>
    
      <body>
        <div>
          <!-- The manifest URL must be https; iOS refuses an itms-services manifest served over plain http -->
          <a href="itms-services://?action=download-manifest&amp;url=https://192.168.2.188/app/download/ios/manifest.plist">Tap to install</a>
          <!-- The CA certificate is fetched over plain http on purpose: until it is installed the device cannot validate the https endpoint -->
          <a href="http://192.168.2.188/app/download/ios/LocalCA4Device.cer">Download certificate</a>
    
          <div>
            <h2>FAQ</h2>
            <div class="row">Problem: "Cannot connect to xx.xx.xx.xx"</div>
            <div class="row">
              Fix: Settings > General > About > Certificate Trust Settings, enable full trust for the certificate
            </div>
            <br />
            <div class="row">Problem: "Untrusted Enterprise Developer"</div>
            <div class="row">
              Fix: Settings > General > Profiles &amp; Device Management, trust the developer
            </div>
          </div>
        </div>
      </body>
    </html>
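The itms-services link above points at a manifest.plist that the article does not show. The function below, added here as an example and not part of the original article, writes such a manifest for a bundle identifier, version, display title and .ipa URL. It refuses an .ipa URL that is not https (iOS requires https for both the manifest and the package) and XML-escapes every value so an "&" in an app name cannot corrupt the plist. The bundle identifier, version and file name in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: generate the manifest.plist that
# "itms-services://?action=download-manifest&url=..." downloads.
# Usage: write_manifest <bundle-id> <version> <title> <https-ipa-url> > manifest.plist
# The placeholder values in comments below are not from the article.

# Escape the five XML special characters so user-supplied strings cannot
# break or inject into the plist structure.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

write_manifest() {
    bundle_id=$1; version=$2; title=$3; ipa_url=$4
    if [ -z "$bundle_id" ] || [ -z "$version" ] || [ -z "$title" ] || [ -z "$ipa_url" ]; then
        echo "write_manifest: bundle-id, version, title and ipa-url are all required" >&2
        return 1
    fi
    # iOS only installs a package whose manifest and .ipa are served over https.
    case $ipa_url in
        https://*) ;;
        *) echo "write_manifest: ipa url must use https: $ipa_url" >&2; return 1 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key>
          <string>software-package</string>
          <key>url</key>
          <string>$(xml_escape "$ipa_url")</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key>
        <string>$(xml_escape "$bundle_id")</string>
        <key>bundle-version</key>
        <string>$(xml_escape "$version")</string>
        <key>kind</key>
        <string>software</string>
        <key>title</key>
        <string>$(xml_escape "$title")</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Placeholder usage (bundle id, version and file name are made up):
# write_manifest com.example.demo 1.0.3 'Demo & Co' \
#     https://192.168.2.188/app/download/ios/demo.ipa > manifest.plist
```

Serve the resulting manifest.plist and the .ipa from the same https host whose certificate carries 192.168.2.188 in its SAN; the bundle-identifier and bundle-version must match the values in the .ipa's Info.plist or iOS aborts the install after downloading.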
    

    nginx configuration

    user  nginx;
    worker_processes  2;
    pid     /opt/nginx-1.16.1/nginx.pid;
    error_log /data/logs/nginx/error.log;
    
    events {
       use epoll;
       worker_connections  10240;
    }
    
    http {
        include             mime.types;
        default_type        application/octet-stream;
        log_format          main    '$remote_addr $request_length $request_time [$time_local] "$request" $status $bytes_sent '
                                    '$http_host "$proxy_add_x_forwarded_for" "$http_referer" $upstream_addr $upstream_response_time';
        access_log                  /data/logs/nginx/access.log main;
        server_tokens               off;
    
        gzip                        on;
        gzip_proxied                any;
        gzip_vary                   on;
        gzip_min_length             100k;
        gzip_buffers                4 16k;
        gzip_comp_level             3;
        gzip_types                  application/x-javascript text/plain application/xml text/xml application/xhtml+xml text/css text/javascript;
        sendfile                    on;
        port_in_redirect            on;
        keepalive_timeout           60;
        keepalive_requests          1000;
        log_not_found               on;
        client_max_body_size        50M;
        client_header_buffer_size   16k;
        large_client_header_buffers 8 32k;
        client_body_timeout         300;
        client_body_buffer_size     3072k;
    
        upstream ota-server {
            server 192.168.2.222:8080;
        }
    
        # Plain HTTP is kept only so a device that does not yet trust the CA can
        # fetch LocalCA4Device.cer; iOS refuses an itms-services manifest that is
        # not served over https, so the install link must go to the 443 server.
        server {
            listen 80;
            server_name 192.168.2.188;
            root       /home/nginx/html/;
            # This turns 404/502 into a 200 with a JSON body: a missing
            # manifest.plist or a dead upstream then looks to iOS like a
            # successful download of the wrong content, so check the upstream
            # first when an install fails without a clear error.
            error_page 404 502 = @fetch;
            location @fetch {
                default_type application/json;
                return 200 '{"result":500,"state":false,"msg":"server error"}';
            }
            location / {
                proxy_pass http://ota-server;
                proxy_read_timeout      7200;
                proxy_connect_timeout   5;
                proxy_set_header        Host                $host;
                proxy_set_header        X-Forwarded-For     $remote_addr;
            }
        }
    
        server {
            # "ssl on;" is deprecated since nginx 1.15; TLS is enabled on the
            # listen directive instead
            listen 443 ssl;
            server_name 192.168.2.188;
            ssl_certificate     /opt/nginx-1.16.1/certs/LocalCA4Nginx.cer;
            # private key: readable by root only, never copied to the devices
            ssl_certificate_key /opt/nginx-1.16.1/certs/LocalCA4Nginx.pvk;
            # the nginx 1.16 default still offers TLS 1.0 and 1.1
            ssl_protocols       TLSv1.2 TLSv1.3;
            ssl_prefer_server_ciphers on;
            ssl_ciphers         HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
            root    /home/nginx/html/;
            error_page 404 502 = @fetch;
            location @fetch {
                default_type application/json;
                return 200 '{"result":500,"state":false,"msg":"server error"}';
            }
    
            location / {
                proxy_pass http://ota-server;
                proxy_read_timeout      7200;
                proxy_connect_timeout   5;
                proxy_set_header        Host                $host;
                proxy_set_header        X-Forwarded-For     $remote_addr;
            }
        }
    }
    

    Source: https://www.haomeiwen.com/subject/hdrmvctx.html