Configuring SSL in Nginx is very simple, whether you buy an SSL certificate from a certification authority or use a self-signed one, but a recent company OA requirement gave me the chance to actually work through it. At first I encrypted the whole site, redirecting (rewrite) every HTTP:80 request to HTTPS, and then the automated test results said the response was too slow, HTTPS being 30 times slower than HTTP. I wondered how that was possible; who knows how they measured it. So I then tried encrypting only some pages over HTTPS (not merely certain dynamic requests) together with two-way authentication. These are described in the sections below.
Nginx does not include the SSL module by default; you need to compile nginx with the --with-http_ssl_module option.
For the principles of SSL/TLS, refer here; if you just want to test, or want to issue a self-signed SSL certificate, refer here.
Tip: traffic from Nginx to the back-end servers is usually on the intranet, so it is not encrypted.
1. Whole-site SSL
This is the most common SSL scenario: the default port is 443, and authentication is generally one-way.
server {
    listen 443;
    server_name example.com;
    root /apps/www;
    index index.html index.htm;
    ssl on;
    ssl_certificate ../ssl/ittest.pem;
    ssl_certificate_key ../ssl/ittest.key;
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    # ssl_prefer_server_ciphers on;
}
To force all HTTP requests to be redirected to HTTPS:
server {
    listen 80;
    server_name example.me;
    rewrite ^ https://$server_name$request_uri? permanent;
    ### using return is more efficient
    # return 301 https://$server_name$request_uri;
}
- ssl_certificate: the certificate is in effect the public key, and it is sent to every client that connects to the server.
- ssl_certificate_key: the private key, used for decryption, so its file permissions should be restricted while still being readable by the nginx master process. The private key and the certificate can also be placed in a single file; only the public certificate is sent to the client.
- ssl_protocols: enables specific cryptographic protocols. Since nginx 1.1.13 and 1.0.12 the default is ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; TLSv1.1 and TLSv1.2 require OpenSSL >= 1.0.1. SSLv3 is still used in many places, but it has many known vulnerabilities.
- ssl_ciphers: selects the cipher suites; the suites (and their order) supported by different browsers may differ. The value is written in the format the OpenSSL library understands, and you can list the algorithms a given suite string expands to with:
    openssl ciphers -v 'RC4:HIGH:!aNULL:!MD5'
- ssl_prefer_server_ciphers on: when negotiating the cipher, prefer the server-side suite order over the client browser's.
HTTPS Tuning Parameters
- ssl_session_cache shared:SSL:10m; sets the type and size of the SSL/TLS session cache. When set, it is generally shared; builtin may cause memory fragmentation; the default is none, which, like off, effectively disables the cache. shared:SSL:10m means all nginx worker processes share one SSL session cache; the nginx site states that 1 MB can hold about 4,000 sessions. See the serverfault question and answer on ssl_session_cache for details.
- ssl_session_timeout: the time during which a client may reuse the SSL parameters stored in the session cache. The default of 5 minutes is too short for an intranet system; it can be set to 30m (30 minutes) or even 4h.
- Setting a longer keepalive_timeout also reduces the cost of SSL session negotiation per request, but the number of concurrent connections has to be taken into account as well.
Tip: if a password was entered when generating the certificate request (CSR) file, nginx will prompt for that password at every start. You can generate a decrypted key from the private key and use it instead; the effect is the same, and nginx restarts without a password:
openssl rsa -in ittest.key -out ittest_unsecure.key
Importing the certificate
If the certificate was issued by a reputable SSL certification authority such as VeriSign, WoSign or StartSSL, browsers already have those root certificates built in and trusted. If you run your own CA, or obtained a second-level CA authorization, you need to add the CA certificate to the browser so that visiting the site does not show an insecure-connection warning. How to add it to each browser is not covered in this article.
2. Partial-page SSL
Not all information on a site is confidential. In an online shopping mall, for example, ordinary browsing of goods need not go through HTTPS, while login and payment are forced over HTTPS, which balances user access speed and security.
But be careful not to misunderstand: this is encryption per page, not per request. A page (the URL in the address bar) usually initiates many requests, including static files such as CSS/PNG/JS and dynamic Java or PHP requests, so the content to be encrypted includes the page's other resource files; otherwise you get the problem of mixed HTTP and HTTPS content. Mixing HTTPS content into an HTTP page does not disturb the page layout, but when an HTTPS page includes resources such as images and JS over HTTP, the browser blocks loading them for security reasons.
The following example encrypts only the login page, example.com/account/login:
server {
    listen 80;
    server_name example.com;
    root /apps/www;
    index index.html index.htm;

    location ^~ /account/login {
        rewrite ^ https://$server_name:443$request_uri permanent;
    }
    location / {
        proxy_pass http://localhost:8080;
        ### set headers
        # proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
    }
}
server {
    listen 443 ssl;
    server_name example.com;
    ssl on;
    ssl_certificate ../ssl/ittest.pem;
    ssl_certificate_key ../ssl/ittest.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    location ^~ /account/login {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        ### most PHP, Python, Rails and Java apps can use this header -> https
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location / {
        rewrite ^ http://$server_name$request_uri? permanent;
    }
}
For rewrite and location, refer here. When the browser accesses http://example.com/account/login.xx, it is redirected (301) to https://example.com/account/login.xx; in the SSL virtual host this also matches /account/login and is reverse-proxied to the back-end server, and the subsequent transmission from nginx to the backend is not HTTPS. The other resources of this login.xx page are also requested from nginx over HTTPS; the link to the home page after a successful login uses HTTP, which may need to be controlled in the application code.
- The configuration above uses proxy_set_header X-Forwarded-Proto $scheme, so that a JSP page gets https from request.getScheme(). If the requested $scheme is not passed in the header, the backend JSP page will always assume HTTP and produce a wrong response.
- The SSL server block also has a location / similar to the one on the unencrypted port 80. Its role is that when a user accesses the home page directly over HTTPS, they are redirected to the unencrypted port; you can remove it if you want to allow users to do so.
3. Implementing two-way SSL authentication
The two configurations above verify that the visited site's domain name is genuine and trustworthy and encrypt the transmission, but the server does not verify that the client is trustworthy. (In fact, unless it is a particularly important scenario, such as a bank's USB key, there is no need to authenticate visitors.)
To implement two-way HTTPS authentication, nginx must import the CA certificate (root or intermediate certificate), because it is now the server that verifies the client's identity through the CA. A client certificate must also be generated, in the same way the server certificate was requested. After obtaining the client certificate, convert it to a format the browser recognizes (most browsers accept PKCS12):
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Then send this client.p12 to the person you trust and have them import it into the browser. When that browser connects to the site, nginx asks the client to send this certificate for verification, and access is denied without it.
Also, do not forget to configure the trusted CA in nginx.conf (if it is a second-level CA, append the root CA after it to form a CA certificate chain):
proxy_ignore_client_abort on;
ssl on;
...
ssl_verify_client on;
ssl_verify_depth 2;
ssl_client_certificate ../ssl/ca-chain.pem;
# add in the two-way authenticated location:
proxy_set_header X-SSL-Client-Cert $ssl_client_cert;
Extension: using the geo module
Nginx installs ngx_http_geo_module by default. This geo module creates variable values based on the client IP, so that, for example, logins from 172.29.73.0/24 use two-way authentication while other segments use ordinary one-way authentication.
geo $duplexing_user {
    default 1;
    include geo.conf;   # note: since version 0.6.7, include is relative to the nginx.conf directory
}
The syntax is geo [$address] $variable { ... }, placed in the http block; the default address is $remote_addr. Assuming conf/geo.conf contains:
127.0.0.1/32    local;   # local host
172.29.73.23/32 sean;    # a single IP
172.29.73.0/24  1;       # IP segment; different values can be defined by country or region
Another virtual host server { listen 445 ssl; ... } needs to be configured using the two-way authentication above; then in the 80 or 443 server use the variable $duplexing_user to decide: if it is 1, rewrite to 445, otherwise rewrite to 443. For specific usage refer to the Nginx geo module documentation.
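Putting section 3 and the geo extension together, here is an added configuration (my example, not the article's own config) that sends the login page of one intranet segment to port 445 with client-certificate verification and everyone else to the ordinary one-way port 443. The paths ../ssl/ittest.pem and ../ssl/ca-chain.pem, the backend on port 8080 and the /account/login path come from the article; the map block, the default of 0 (the article's geo.conf uses default 1), the X-SSL-Client-S-DN header and the TLS-only protocol list on 445 are my assumptions.

```nginx
# http context: classify the client address (constructed example, not the article's config)
geo $duplexing_user {
    default         0;    # everyone else: ordinary one-way TLS on 443
    172.29.73.0/24  1;    # this intranet segment must present a client certificate
}
# translate the flag into the port the login page is redirected to
map $duplexing_user $login_port {
    1        445;
    default  443;
}

server {
    listen 80;
    server_name example.com;
    location ^~ /account/login {
        # only the login path moves to HTTPS; the port depends on the client segment
        return 301 https://$server_name:$login_port$request_uri;
    }
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# port 443 is the one-way server from section 2, unchanged; 445 adds client verification
server {
    listen 445 ssl;
    server_name example.com;
    ssl_certificate        ../ssl/ittest.pem;
    ssl_certificate_key    ../ssl/ittest.key;
    ssl_client_certificate ../ssl/ca-chain.pem;  # intermediate CA followed by the root CA
    ssl_verify_client on;     # handshake fails unless the client cert chains to that CA
    ssl_verify_depth  2;      # root plus one intermediate
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # assumption: SSLv3 left out on this port
    ssl_prefer_server_ciphers on;

    location ^~ /account/login {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;            # backend sees https
        proxy_set_header X-SSL-Client-Cert $ssl_client_cert;   # PEM cert, as in the article
        proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;   # subject DN for app-side authorization
    }
    location / {
        return 301 http://$server_name$request_uri;   # everything else back to plain HTTP
    }
}
```

Because the backend only sees these headers from nginx, it should trust X-SSL-Client-S-DN only when the request arrives from the proxy, not from arbitrary clients on port 8080.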