Old question but chiming in for those who land here. No expert. Please consult with your local security gurus and what not.

老问题，但对那些降落在这里的人来说。没有专家。请咨询您当地的安全专家，否则请咨询。

Axios is an http(s) client and http clients usually participate in TLS anonymously. In other words, the server accepts their connection without identifying who is trying to connect. This is different then say, Mutual TLS where both the server and client verify each other before completing the handshake.

Axios 是一个 http(s) 客户端，http 客户端通常匿名参与 TLS。换句话说，服务器接受他们的连接而不识别谁在尝试连接。这与相互 TLS 不同，其中服务器和客户端在完成握手之前相互验证。

The internet is a scary place and we want to protect our clients from connecting to spoofed public endpoints. We do this by ensuring our clients identify the server before sending any private data.

互联网是一个可怕的地方，我们希望保护我们的客户免于连接到欺骗性的公共端点。我们通过确保我们的客户在发送任何私人数据之前识别服务器来做到这一点。

// DO NOT DO THIS IF SHARING PRIVATE DATA WITH SERVICE
const httsAgent = new https.Agent({ rejectUnauthorized: false });

This is often posted (and more egregiously upvoted) as the answer on StackOverflow regarding https client connection failures in any language. And what's worse is that it usually works, unblocks the dev and they move on their merry way. However, while they certainly get in the door, whose door is it? Since they opted out of verifying the server's identity, their poor client has no way of knowing if the connection they just made to the company's intranet has bad actors listening on the line.

这通常作为 StackOverflow 上关于任何语言的 https 客户端连接失败的答案发布（并且更令人震惊地赞成）。更糟糕的是，它通常有效，解锁开发人员，他们继续他们的快乐方式。然而，虽然他们肯定进了门，但那是谁的门呢？由于他们选择不验证服务器的身份，他们可怜的客户端无法知道他们刚刚与公司内部网建立的连接是否有坏人在线上监听。

If the service has a public SSL cert, the https.Agentusually does not need to be configured further because your operating system provides a common set of publicly trusted CA certs. This is usually the same set of CA certs your browser is configured to use and is why a default axios client can hit https://google.comwith little fuss.

如果服务有公共 SSL 证书，https.Agent通常不需要进一步配置，因为您的操作系统提供了一组公共信任的 CA 证书。这通常是您的浏览器配置为使用的同一组 CA 证书，这也是默认 axios 客户端可以轻松访问https://google.com 的原因。

If the service has a private SSL cert (self signed for testing purposes or one signed by your company's private CA to protect their internal secrets), the https agent must be configured to trust the private CA used to sign the server cert:

如果该服务具有私有 SSL 证书（出于测试目的自签名或由您公司的私有 CA 签名以保护其内部机密），则必须将 https 代理配置为信任用于签署服务器证书的私有 CA：

const httpsAgent = new https.Agent({ ca: MY_CA_BUNDLE });

where MY_CA_BUNDLEis an array of CA certs in .pemformat.

哪里MY_CA_BUNDLE是.pem格式的 CA 证书数组。

Create a custom agent with SSL certificate:

使用 SSL 证书创建自定义代理：

const httpsAgent = new https.Agent({
  rejectUnauthorized: false, // (NOTE: this will disable client verification)
  cert: fs.readFileSync("./usercert.pem"),
  key: fs.readFileSync("./key.pem"),
  passphrase: "YYY"
})

axios.get(url, { httpsAgent })

// or

const instance = axios.create({ httpsAgent })

From https://github.com/axios/axios/issues/284

来自https://github.com/axios/axios/issues/284

These configuration worked for me (In a Mutual Authentication scenario).

这些配置对我有用（在相互身份验证场景中）。

const httpsAgent = new https.Agent({
  ca: fs.readFileSync("./resource/bundle.crt"),        
  cert: fs.readFileSync("./resrouce/thirdparty.crt"),
  key: fs.readFileSync("./resource/key.pem"), 
})

Note: bundle.crt was prepared from provided certificates (root,intermediate,end entry certificate). Unfortunately no clear documentation found in this regards.

注意：bundle.crt 是根据提供的证书（根证书、中间证书、最终条目证书）准备的。不幸的是，在这方面没有找到明确的文件。