About HTTPS
HTTPS (Hyper Text Transfer Protocol Secure) is HTTP carried over SSL/TLS: all HTTP data is transmitted on top of the SSL/TLS protocol. HTTPS builds on HTTP by adding the SSL/TLS handshake and encrypted data transfer, and it is likewise an application-layer protocol. The default port used by HTTPS is 443. For more on how HTTPS works, see Ruan Yifeng's article: http://www.ruanyifeng.com/blog/2014/02/ssl_tls.html
SSL Certificate
Introduction to certificate types
To set up a secure server, use public-key cryptography to create a public/private key pair. In most cases you send a certificate request (containing your public key), proof of your company's identity, and the fee to a certificate authority (CA). The CA verifies the certificate request and your identity and then returns a certificate for your secure server.
On an intranet, however, where you only need the traffic between server and client to be encrypted, you can issue your own certificate; you just have to ignore the browser's warning that the certificate is not trusted.
A certificate signed by a CA provides two important features for your server:
- The browser automatically recognizes the certificate and allows a secure connection to be created without prompting the user.
- When a CA issues a signed certificate, it vouches to the browser for the identity of the organization that serves the web page.
Most SSL-enabled web servers have a list of CAs whose certificates are automatically accepted. When a browser encounters a certificate whose issuing CA is not in that list, it asks the user whether to accept or reject the connection.
Making CA certificates
ca.key (CA private key):
openssl genrsa -des3 -out ca.key 2048
ca.crt (CA root certificate, i.e. the public key):
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Create a certificate for your website and certify it with CA signature
Here, assuming the site domain name is www.example.com, generate the www.example.com certificate private key:
Make a passphrase-free copy of the www.example.com certificate private key:
To generate a signature request:
The site's certificate request is produced by entering the site's domain name as the Common Name.
To sign with a CA:
openssl ca -policy policy_anything -days 365 -cert ca.crt -keyfile ca.key -in www.example.com.csr -out www.example.com.crt
When the signing command runs, the error "I am unable to access the ./demoCA/newcerts directory" may occur, because openssl ca expects the demoCA working directory to exist:
Workaround:
mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo 01 > demoCA/serial   # the serial file must hold a starting number; an empty file makes openssl ca fail to load the serial
Then execute the signing command again.
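The whole procedure above, as an added example that is not from the original article: a POSIX shell function that builds the CA, the site key and signing request, signs the request with the CA and checks that the result verifies against ca.crt. It assumes openssl is on PATH; the scratch directory and the domain are hypothetical parameters, and it signs with openssl x509 -req rather than the article's openssl ca so that no demoCA directory is needed.

```shell
#!/bin/sh
# Added example, not the article's own commands: private CA plus one
# CA-signed site certificate in a scratch directory, then chain verification.
# "$1" (directory) and "$2" (domain) are hypothetical parameters.
set -eu

make_site_cert() {
  dir="$1"    # scratch directory (assumed writable)
  domain="$2" # site name that becomes the certificate's Common Name
  mkdir -p "$dir"

  # 1. CA private key and self-signed root certificate. No -des3 passphrase
  #    here (unlike the article) so the script can run unattended.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example Test CA"

  # 2. site private key and certificate signing request; -subj fills in the
  #    Common Name non-interactively.
  openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
    -subj "/CN=$domain"

  # 3. sign the request with the CA. x509 -req does not need the demoCA
  #    directory layout that openssl ca requires; -CAcreateserial makes ca.srl.
  openssl x509 -req -days 365 -in "$dir/$domain.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/$domain.crt" 2>/dev/null

  # 4. the site certificate must chain to ca.crt; the function's exit status
  #    is the exit status of this verification.
  openssl verify -CAfile "$dir/ca.crt" "$dir/$domain.crt" >/dev/null
}

# usage: make_site_cert /tmp/sslwork www.example.com
```

The same certificate will not verify without -CAfile, which is exactly why a browser warns about a self-issued CA until its root certificate is installed.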
Building HTTPS virtual host based on Nginx
Virtual Host configuration file
upstream sslfpm {
    server 127.0.0.1:9000 weight=10 max_fails=3 fail_timeout=20s;
}

server {
    listen 192.168.1.*:443;
    server_name 192.168.1.*;
    # enable SSL for this server block
    ssl on;
    # PEM-format certificate file for this virtual host
    ssl_certificate /home/wangzhengyi/ssl/wangzhengyi.crt;
    # private key file for this virtual host
    ssl_certificate_key /home/wangzhengyi/ssl/wangzhengyi_nopass.key;
    # how long the client may reuse the session parameters stored in the cache
    ssl_session_timeout 5m;
    # SSL protocols to use (SSLv3 is obsolete; current deployments allow TLSv1.2 and later only)
    ssl_protocols SSLv3 TLSv1;
    # permitted cipher list (the +LOW, +SSLv2 and +EXP classes admit weak export-grade ciphers)
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    # for SSLv3 and TLSv1, the server's cipher preference takes priority over the client's
    ssl_prefer_server_ciphers on;

    location / {
        root /home/wangzhengyi/ssl/;
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }

    # redirect server error pages to the static page /50x.html
    error_page 502 503 504 /50x.html;
    error_page 404 /404.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }
    location = /404.html {
        root /usr/share/nginx/www;
    }

    # proxy the PHP scripts to FPM
    location ~ \.php$ {
        access_log /var/log/nginx/ssl/ssl.access.log main;
        error_log /var/log/nginx/ssl/ssl.error.log;
        root /home/wangzhengyi/ssl/;
        fastcgi_param HTTPS on;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass sslfpm;
    }
}
HTTPS Server Optimization
Method
SSL operations consume CPU, so on multiprocessor systems several worker processes should be started, no fewer than the number of available CPUs. The most CPU-expensive SSL operation is the handshake, and there are two ways to minimize the number of handshakes per client:
- Keep client connections alive so that multiple requests are sent over one SSL connection.
- Reuse SSL session parameters across parallel or subsequent connections, which avoids a full SSL handshake.
A session cache holds SSL sessions shared between worker processes and is configured with the ssl_session_cache directive. A 1 MB cache holds approximately 4,000 sessions. The default cache timeout is 5 minutes and can be increased with ssl_session_timeout.
ssl_session_cache directive
Syntax: ssl_session_cache off|none|builtin:size|shared:name:size
Context: main, server
Cache types:
off: hard shutdown; nginx explicitly tells the client that this session may not be reused.
none: soft shutdown; nginx tells the client that sessions may be reused but does not actually reuse them.
builtin: the cache built into OpenSSL, usable by only one worker process; may cause memory fragmentation.
shared: a cache shared by all worker processes. (1) The cache size is specified in bytes; (2) each cache must have its own name; (3) a cache with the same name can be used in multiple virtual hosts.
Optimization examples
# optimize the SSL service
ssl_session_cache shared:wzy:10m;
# how long the client may reuse the session parameters stored in the cache
Nginx enforces HTTPS access (HTTP jumps to HTTPS)
I built an HTTPS virtual host on nginx listening on the domain name test.com, but many users do not know the difference between HTTPS and HTTP and will easily type http://test.com, which returns a 404 error, so I need a forced HTTP-to-HTTPS redirect for the test.com domain.
The rewrite method of Nginx
Ideas
This is probably the first approach everyone thinks of: use rewrite to send all HTTP requests to HTTPS.
Configuration
server {
    listen 192.168.1.111:80;
    server_name test.com;
    # permanent (301) redirect of every request to the same path on https
    rewrite ^(.*)$ https://$host$1 permanent;
}
Once this virtual host is in place, all requests to http://test.com are rewritten to https://test.com.
Nginx 497 Status Code
Error code 497
Explanation: when a virtual site allows only HTTPS access, nginx returns the 497 error code when it is accessed over plain HTTP.
Ideas
Use the error_page directive to redirect requests that produce the 497 status code to the https://test.com domain.
Configuration
server {
    # SSL port
    listen 192.168.1.11:443;
    # users are used to typing http, so also listen on 80; the 497 status code below makes it jump to port 443 automatically
    listen 192.168.1.11:80;
    server_name test.com;
    # enable SSL support for this server {...}
    ssl on;
    # PEM-format certificate file
    ssl_certificate /etc/nginx/test.pem;
    # PEM-format private key file
    ssl_certificate_key /etc/nginx/test.key;
    # redirect http requests to https ($is_args supplies the "?" that separates $uri from $args)
    error_page 497 https://$host$uri$is_args$args;
}
index.html refresh page
Ideas
Both of the above methods consume server resources. Let's use curl to access baidu.com and see how Baidu implements the jump from baidu.com to www.baidu.com:
You can see that Baidu cleverly uses the meta refresh function to jump baidu.com to www.baidu.com. So we can also write an index.html in the document root of the http://test.com virtual host whose content is an HTTP-to-HTTPS jump.
index.html