A detailed tutorial on enabling HTTPS on an nginx server

Source: Internet
Author: User
Tags: openssl, rsa, domain name validation, web hosting, ssl certificate, startssl

Now, when you visit https://konklone.com, you should see a nice little green lock in the address bar, because I switched the site to HTTPS. It was done without spending a penny.

Why use HTTPS:

    • While SSL is not invulnerable, we should raise the cost of eavesdropping as much as we can.
    • Encrypted communication should not be the exception; all connections should be encrypted.
    • A side benefit: once you use HTTPS, Google Analytics gets more complete referrer information for visitors who arrive from other sites that already use HTTPS (such as Hacker News), because browsers drop the referrer when going from an HTTPS page to an HTTP one.

This article shows you how to help build a safer Internet by enabling HTTPS on your website. There are a lot of steps, but each one is simple, and you should be able to get through them within an hour.


Summary: To use HTTPS on the web, you need a certificate file signed by a company that browsers trust. Once you have it, you tell your web server where the certificate is and where its associated private key is, and open port 443. You don't need to be a professional software developer to do this, but you do need to be comfortable with the command line and with configuring the server you manage.

Most certificates cost money, but I followed Micah Lee's advice and used StartSSL. That's what the EFF uses, and their basic certificate for individuals is free. (They will ask you to pay for a higher-grade certificate if your site is actually a commercial one.) Be warned that their site is quite difficult to use at first, especially if, like me, you're unfamiliar with the concepts and terminology lurking behind SSL. Luckily it isn't as hard as it looks, but there are many small steps.

Below, we walk step by step from registration through creating your own certificate. We also cover installing it in nginx, but you can use the certificate with any web server you like.

They'll email you a verification code. Don't close the tab or browser in the meantime; keep it open until you receive the code and paste it in.

Wait a few minutes for it to arrive. Once you've applied, they'll send you an email with a special link and a verification code.

When you're done, you'll be given a private key generated on their server, but this is not the key used to create the SSL certificate. They use this private key to generate a separate "authentication certificate" that you use to log in to the StartSSL control panel, where you will create the certificate for your site.

Finally, they'll ask you to install the certificate.

Install the authentication certificate in your browser

If you use Chrome, you'll see a message at the top of the browser window.

Again, this just proves that you arrived at this page through the link emailed to you after logging in to StartSSL.


Now we need to prove to StartSSL that we own our domain name, so that it will generate a certificate for it. From the control panel, click the Validations Wizard tab, then select Domain Name Validation from the drop-down list.

Enter your domain name.

Next, choose an email address that StartSSL will use to verify your domain. StartSSL will believe you own the domain if you can read mail at webmaster@, postmaster@, or hostmaster@ that domain, or if your address is listed in the domain's registrant information (in my case, that's konklone@gmail.com). Choose an address whose mailbox you can read.

They will send you a verification code; enter it into the text box to verify your domain.

Generate certificate

Now that StartSSL knows who you are and knows you own your domain, you can generate a certificate from your private key.

At this point StartSSL can generate a private key for you. Their FAQ assures you that they only generate high-quality random keys and do not keep them afterwards, but creating one yourself is very simple.

The following walks you through creating one on the command line. When you're done, you can return to the StartSSL wizard step where you apply for a certificate for the domain.

Open a terminal and create a new 2048-bit RSA key:

openssl genrsa -aes256 -out my-private-encrypted.key 2048

It will ask you for a passphrase. Choose one and remember it. This produces an encrypted private key; if you ever need to move your key over the network, use this encrypted version.


The next step is to decrypt it, so that it can be used to generate a "certificate signing request" (CSR). Decrypt your private key with:

openssl rsa -in my-private-encrypted.key -out my-private-decrypted.key

Then generate the certificate signing request:

openssl req -new -key my-private-decrypted.key -out mydomain.com.csr
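The three commands above, run non-interactively, as an added example that is not part of the original article: the passphrase is read from a file rather than typed, a decrypted copy is made for the web server, a CSR is produced, and finally the CSR is checked against the key by comparing their moduli. It assumes the OpenSSL command line tool is installed; the work directory, passphrase and domain name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): generate an encrypted
# 2048-bit RSA key, a decrypted copy for the server, and a CSR, all
# non-interactively, then confirm the CSR really belongs to the key.
# Assumes the OpenSSL CLI. Work dir, passphrase and domain are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="${DOMAIN:-mydomain.com}"   # placeholder domain, as in the article
PASSFILE="$WORKDIR/pass.txt"

# Keep the passphrase in a mode-600 file so it never shows up in `ps` output.
umask 077
printf '%s' 'demo-passphrase-change-me' > "$PASSFILE"

# Same as the article's first command, with the passphrase supplied from a file.
make_encrypted_key() {
    openssl genrsa -aes256 -passout "file:$PASSFILE" \
        -out "$WORKDIR/my-private-encrypted.key" 2048 2>/dev/null
}

# nginx cannot prompt for a passphrase at startup, so a decrypted copy lives on
# the server; it must be readable by root only.
decrypt_key() {
    openssl rsa -in "$WORKDIR/my-private-encrypted.key" -passin "file:$PASSFILE" \
        -out "$WORKDIR/my-private-decrypted.key" 2>/dev/null
    chmod 600 "$WORKDIR/my-private-decrypted.key"
}

# -subj skips the interactive questionnaire; the CN is the bare domain.
make_csr() {
    openssl req -new -key "$WORKDIR/my-private-decrypted.key" \
        -subj "/CN=$DOMAIN" -out "$WORKDIR/$DOMAIN.csr" 2>/dev/null
}

# A CSR and a key belong together exactly when their public moduli match.
# Returns 0 on match, 1 otherwise.
csr_matches_key() {
    csr_mod=$(openssl req -in "$WORKDIR/$DOMAIN.csr" -noout -modulus)
    key_mod=$(openssl rsa -in "$WORKDIR/my-private-decrypted.key" -noout -modulus 2>/dev/null)
    [ -n "$csr_mod" ] && [ "$csr_mod" = "$key_mod" ]
}

# Key size as reported by OpenSSL (e.g. "2048").
key_bits() {
    openssl rsa -in "$WORKDIR/my-private-decrypted.key" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

main() {
    make_encrypted_key
    decrypt_key
    make_csr
    if csr_matches_key; then
        echo "CSR matches key ($(key_bits)-bit RSA)"
    else
        echo "CSR/key mismatch" >&2
        exit 1
    fi
    echo "Files in $WORKDIR:"
    ls -l "$WORKDIR"
}

main
```

The modulus comparison is the check to run whenever a CSR or certificate is handed to you later and you are no longer sure which key it was made from; a mismatch at that point means nginx will refuse to start.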

Go back to StartSSL's control panel, click the Certificates Wizard tab, and select Web Server SSL/TLS Certificate from the drop-down list.

Since we have generated our own private key, you can click Skip here.

Then paste the contents of the .csr file you generated earlier into the text box.

If everything is fine, it will tell you that your certificate signing request has been received.

Now select the domain name you validated earlier for the certificate.

It will ask you to add a subdomain; I added "www".

It will ask you for confirmation, and if it looks right, click "Continue".

Note: You may run into an "additional validation needed" step, where you have to wait for your request to be approved. I didn't hit it the first time, but did the second time, and my certificate was approved in about 30 minutes. Once it is approved, click the "Tool Box" tab and use "Retrieve Certificate" to get your certificate.

Your certificate will then appear in a text field for you to copy and paste into a file. Name the file whatever you like, but the rest of this guide refers to it as mydomain.com.crt.

Installing the certificate in nginx

First, verify that port 443 is open on your web server. Many web hosts open it by default. If you use Amazon AWS, make sure port 443 is open in your instance's security group.

Next, create a "certificate chain" for the web server to use. It contains your certificate and StartSSL's intermediate certificate (you don't need to include StartSSL's root certificate, because browsers already have it). Download StartSSL's intermediate certificate:

wget http://www.startssl.com/certs/sub.class1.server.ca.pem

Then concatenate your certificate and their intermediate certificate, in that order (your own certificate must come first):

cat mydomain.com.crt sub.class1.server.ca.pem > unified.crt
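Why the order of the cat command matters, as an added example that is not from the original article: nginx and clients treat the first certificate in the file as the server's identity and the rest as the chain. Because StartSSL's real intermediate cannot be fetched offline, the script constructs a throwaway root CA and intermediate with the OpenSSL command line tool (assumed installed) to stand in for the browser-trusted root and for sub.class1.server.ca.pem, builds the bundle both ways, and checks each one the way a client would.

```shell
#!/bin/sh
# Added example (not from the original article): build unified.crt as the
# article does and check the order. A throwaway root CA and intermediate are
# constructed locally with the OpenSSL CLI (assumed installed); they stand in
# for the browser-trusted root and for StartSSL's sub.class1.server.ca.pem.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

build_test_pki() {
    # Root CA, self-signed: the part browsers already ship, so it is NOT put in unified.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=Demo Root CA" \
        -keyout root.key -out root.crt 2>/dev/null
    # Intermediate CA signed by the root: stands in for sub.class1.server.ca.pem.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout sub.key -out sub.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > sub.ext
    openssl x509 -req -days 7 -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile sub.ext -out sub.class1.server.ca.pem 2>/dev/null
    # Server certificate signed by the intermediate: stands in for mydomain.com.crt.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mydomain.com" \
        -keyout mydomain.com.key -out mydomain.com.csr 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mydomain.com\n' > leaf.ext
    openssl x509 -req -days 7 -in mydomain.com.csr -CA sub.class1.server.ca.pem \
        -CAkey sub.key -CAcreateserial -extfile leaf.ext -out mydomain.com.crt 2>/dev/null
}

# The article's step: server certificate first, intermediate after it.
build_chain()       { cat mydomain.com.crt sub.class1.server.ca.pem > unified.crt; }
# The common mistake: intermediate first.
build_chain_wrong() { cat sub.class1.server.ca.pem mydomain.com.crt > unified-wrong.crt; }

cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Subject of the FIRST certificate in a PEM bundle; `openssl x509` reads only
# the first PEM block, which is exactly the one nginx presents as its identity.
first_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Returns 0 only if the bundle presents the server certificate first AND that
# certificate chains up to the trusted root using the rest of the bundle.
check_chain_file() { # bundle expected_cn
    [ "$(first_subject "$1")" = "CN=$2" ] || return 1
    openssl x509 -in "$1" -out first.pem 2>/dev/null   # first certificate only
    openssl verify -CAfile root.crt -untrusted "$1" first.pem >/dev/null 2>&1
}

build_test_pki
build_chain
build_chain_wrong
for f in unified.crt unified-wrong.crt; do
    if check_chain_file "$f" mydomain.com; then
        echo "$f: OK ($(cert_count "$f") certificates, server certificate first)"
    else
        echo "$f: WRONG (first certificate is '$(first_subject "$f")')"
    fi
done
```

With a real bundle, replace root.crt in the verify step with your system CA store (for example, drop the -CAfile option on most Linux distributions) and the same check tells you whether the file you are about to hand to ssl_certificate is in the right order.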

Finally, tell your web server where your combined certificate and your decrypted key are. I use nginx; below is the nginx configuration you need. It uses a 301 permanent redirect to send all HTTP requests to HTTPS, and then tells the server which certificate and key to use.

The configuration is as follows:

server {
    listen 80;
    server_name konklone.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name konklone.com;

    ssl_certificate /path/to/unified.crt;
    ssl_certificate_key /path/to/my-private-decrypted.key;
}

# for a more complete, secure config:
# https://gist.github.com/konklone/6532544

The gist linked above gives a more comprehensive nginx configuration that turns on SPDY, HSTS, SSL session resumption, and Perfect Forward Secrecy.

Qualys' SSL Labs provides an excellent SSL test tool; run it against your site to see how you're doing.

Now verify that your nginx configuration is correct (this also checks that the key and certificate load properly):

sudo nginx -t

Then start Nginx:

sudo service nginx restart

Wait a moment and test in your browser. If all goes well, the lock will appear in your browser's address bar.

Mixed content warning

If your site runs over HTTPS, make sure that every linked resource (images, stylesheets, JavaScript, and so on) is also loaded over HTTPS. If not, the page won't load properly in the user's browser: newer versions of Firefox block insecure content on a secure page.

Fortunately, almost every major service's embed code has an HTTPS version, and in most cases it is handled automatically (including Google Analytics and Typekit). You will have to deal with any other cases yourself.
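A quick way to find the cases you have to deal with yourself, as an added example that is not part of the original article: scan a saved copy of a page for resource tags whose src or href still points at a plain http:// URL, and rewrite them to https://. The sample HTML is constructed for the demo; the script needs only POSIX sh, grep and sed.

```shell
#!/bin/sh
# Added example (not from the original article): find resources that a page
# still loads over http://, which is what triggers the mixed-content warning
# or block, and rewrite them to https://. The HTML below is constructed.
set -eu

PAGE="${PAGE:-$(mktemp)}"
cat > "$PAGE" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//use.typekit.net/demo.js"></script>
</head><body>
<img src="http://cdn.example.com/logo.png">
<a href="http://example.com/other-page">a plain link, not a resource</a>
</body></html>
EOF

# Only src= and href= on resource-loading tags count: a plain <a href="http://...">
# is navigation, not mixed content, and protocol-relative "//" URLs inherit https.
find_mixed_content() { # file -> one offending URL per line
    grep -oiE '<(img|script|link|iframe|video|audio|source)[^>]*[[:space:]](src|href)="http://[^"]*"' "$1" \
        | sed -E 's/.*(src|href)="([^"]*)".*/\2/'
}

# Number of offending URLs (0 when the page is clean).
mixed_content_count() { # file
    find_mixed_content "$1" | grep -c . || true
}

# Rewrite those URLs to https:// and print the result (does not touch the input).
fix_mixed_content() { # file
    sed -E 's#(<(img|script|link|iframe|video|audio|source)[^>]*[[:space:]](src|href)=")http://#\1https://#g' "$1"
}

echo "Mixed content in $PAGE ($(mixed_content_count "$PAGE") found):"
find_mixed_content "$PAGE"
fix_mixed_content "$PAGE" > "$PAGE.fixed"
echo "After rewrite: $(mixed_content_count "$PAGE.fixed") found"
```

Rewriting is only safe once you have confirmed the resource is actually served over HTTPS; a CDN that does not answer on 443 will turn a warning into a broken page.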

Back up your keys and certificates

Don't forget to back up your SSL certificate and its encrypted private key. I keep them in a private git repository, with a text file describing each file and the program or command that created it.

You should also back up the authentication certificate you use to log in to StartSSL. As StartSSL's FAQ explains, it is a .p12 file that you export from your browser and that contains both the certificate and its key.
