Deploying HTTPS on Nginx relies on the OpenSSL library and its header files, so libssl-dev must be installed first; on this system the author also ran "ln -s /usr/lib/x86_64-linux-gnu/libssl.so /usr/lib/" so that the linker can find the library, and then passed --with-http_ssl_module when configuring the Nginx build. In addition, to run the openssl command in the shell the openssl package must also be installed; this article uses openssl-1.0.2g. Note: the examples in this article were run on Ubuntu 16.04.
(Figure: the signing and validation process of a digital certificate, i.e. a CA-signed public-key certificate as used in HTTPS.)
- Self-signed certificate: the certificate can be generated on another machine; afterwards copy the resulting server.crt and server.key into Nginx's /usr/local/nginx/conf directory.
    $ cd /usr/local/nginx/conf
    $ openssl genrsa -des3 -out server.key 1024                  # recommended: 2048
    $ openssl req -new -key server.key -out server.csr           # certificate signing request (CSR)
    $ cp server.key server.key.org
    $ openssl rsa -in server.key.org -out server.key             # strip the passphrase so nginx can start unattended
    $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- Modify the configuration file nginx.conf: to reduce CPU load it is recommended to run only one worker process and to enable keep-alive. In addition, since version 0.6.7 the default directory for the Nginx ssl_certificate and ssl_certificate_key directives is the directory where nginx.conf resides, and the default file name is cert.pem.
    worker_processes 1;
    server {
        server_name your_domainname_here;
        listen 443 ssl;
        listen 80;      # plain-HTTP listener; port assumed from the http-to-https redirect below
        if ($scheme = http) {
            rewrite ^(.*)$ https://$server_name$1 permanent;
        }
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        keepalive_timeout 70;
    }
- Restart Nginx: the HTTPS deployment is now essentially complete and the site can be accessed at https://YOUR_DOMAINNAME_HERE. Because this example uses a self-signed certificate (as opposed to a root certificate self-signed by a CA), Chrome will show a warning that the certificate is untrusted. Browsers ship with a number of CA certificates built in, so certificates issued by those authorities are trusted by default.
- Private key protection: the private key is a critical asset; restrict the set of people who can access it as far as possible.
- Generate the private key and the CSR (certificate signing request) on a trusted computer. Some CAs offer to generate the key and CSR for you, but this is obviously inappropriate.
- Password-protecting the key prevents it from being exposed if the backup system is compromised.
- If a compromise is discovered, revoke the old certificate and generate a new key and certificate.
- Renew the certificate every year, and always generate a fresh private key when doing so.
- Deploy the certificate chain: a certificate chain includes the trust anchor (the CA certificate) and the end-entity certificate; it is a sequence of certificates, each issued by the next CA certificate in the series, ending with the root CA certificate. Web browsers ship with a preconfigured set of root CA certificates that they trust automatically; any certificate from another certificate authority must be accompanied by a certificate chain so that its validity can be verified. In many deployment scenarios a single server certificate is not sufficient, and several certificates are needed to establish the chain of trust. A common mistake is to configure the server certificate correctly but forget to include the other required certificates. In addition, although the other certificates usually have a long validity period, they also expire, and when they do the whole chain is affected. Your CA should provide all the additional certificates required. An invalid certificate chain invalidates the server certificate and causes client browser warnings; this is sometimes hard to detect because some browsers can reconstruct a complete chain of trust on their own while others cannot. On deploying the certificate chain with Nginx:
If you have a chain certificate file (sometimes called an intermediate certificate) you don't specify it separately like you do in Apache. Instead you need to add the information from the chain cert to the end of your main certificate file. This can be done by typing "cat chain.crt >> mysite.com.crt" on the command line. Once that is done you won't need the chain cert file for anything else, and you just point Nginx to the main certificate file.
(Figure: how the certificate chain works.)
- Nginx SSL configuration directives: the following is only a partial list; for more directives see http://www.nginx.cn/doc/optional/ssl.html.
- ssl: turns on HTTPS
Syntax: ssl [on|off]
Default: ssl off
Context: main, server
- ssl_certificate: the certificate file. By default the certificate and the key are both in cert.pem, and the file may contain additional certificates. Since version 0.6.7 the default directory for ssl_certificate is the directory where nginx.conf resides.
Syntax: ssl_certificate file
Default: ssl_certificate cert.pem
Context: main, server
- ssl_certificate_key: the certificate key file. By default the key is in cert.pem. Since version 0.6.7 the default directory for ssl_certificate_key is the directory where nginx.conf resides.
Syntax: ssl_certificate_key file
Default: ssl_certificate_key cert.pem
Context: main, server
- ssl_client_certificate: specifies a file with CA certificates in PEM format, used for verifying client certificates.
Syntax: ssl_client_certificate file
Default: none
Context: main, server
- ssl_dhparam: specifies a file with Diffie-Hellman parameters in PEM format, used for negotiating TLS session keys.
Syntax: ssl_dhparam file
Default: none
Context: main, server
- ssl_ciphers: describes the permitted ciphers. Ciphers are specified in the format supported by OpenSSL.
Syntax: ssl_ciphers file
Default: ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
Context: main, server
Example:
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
The complete list can be viewed with the following command:
    openssl ciphers
- ssl_prefer_server_ciphers: requires that, for SSLv3 and TLSv1, the server's ciphers be preferred over the client's ciphers.
Syntax: ssl_prefer_server_ciphers [on|off]
Default: ssl_prefer_server_ciphers off
Context: main, server
- ssl_protocols: enables the protocols listed. TLSv1.0 and above are more secure; SSLv3 and below should preferably be disabled, and SSLv2 must never be enabled.
Syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1]
Default: ssl_protocols SSLv2 SSLv3 TLSv1
Context: main, server
- ssl_session_cache: sets the type and size of the cache used to store SSL sessions.
Syntax: ssl_session_cache off|none|builtin:size and/or shared:name:size
Default: ssl_session_cache off
Context: main, server
Example:
    ssl_session_cache builtin:1000 shared:ssl:10m;
- ssl_session_timeout: sets the time during which a client may reuse the session parameters stored in the cache.
Syntax: ssl_session_timeout time
Default: ssl_session_timeout 5m
Context: main, server
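As an added example (not part of the original article), the following Python script checks the TLS directives of an nginx server block against the advice in the list above: it flags ssl_protocols values that enable SSLv2 or SSLv3, ssl_ciphers strings that still admit RC4, LOW or export-grade suites (as the default shown above does), and ssl_prefer_server_ciphers left off. Both configuration samples are constructed for this example, and all function and constant names are this example's own.

```python
import re

# Constructed sample: the article's default ssl_protocols and ssl_ciphers values.
WEAK_CONF = """
server {
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers off;
}
"""
# Constructed hardened variant of the same three directives.
HARDENED_CONF = """
server {
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!EXP:!LOW;
    ssl_prefer_server_ciphers on;
}
"""
DIRECTIVE_RE = re.compile(r"^\s*(ssl_\w+)\s+([^;]+);", re.MULTILINE)
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# OpenSSL cipher-string keywords that select weak, anonymous or export suites.
WEAK_CIPHER_TOKENS = {"LOW", "EXP", "EXPORT", "RC4", "NULL", "aNULL", "ADH", "SSLv2", "MD5"}

def parse_ssl_directives(conf):
    """Map each ssl_* directive name to the list of values it was given."""
    found = {}
    for name, value in DIRECTIVE_RE.findall(conf):
        found.setdefault(name, []).append(value.strip())
    return found

def cipher_tokens_allowed(cipher_string):
    """Keywords a cipher string positively selects ('!'/'-' prefixed ones are excluded)."""
    return {tok for group in cipher_string.split(":") for tok in group.split("+")
            if tok and tok[0] not in "!-"}

def lint_ssl_config(conf):
    """Return findings for weak TLS settings (empty list if none)."""
    d = parse_ssl_directives(conf)
    findings = []
    for protos in d.get("ssl_protocols", []):
        weak = WEAK_PROTOCOLS & set(protos.split())
        if weak:
            findings.append("ssl_protocols enables " + ", ".join(sorted(weak)))
    for ciphers in d.get("ssl_ciphers", []):
        weak = WEAK_CIPHER_TOKENS & cipher_tokens_allowed(ciphers)
        if weak:
            findings.append("ssl_ciphers admits " + ", ".join(sorted(weak)))
    if d.get("ssl_prefer_server_ciphers", ["off"])[-1] != "on":  # nginx default is off
        findings.append("ssl_prefer_server_ciphers is not on")
    return findings
```

Running lint_ssl_config(WEAK_CONF) reports three findings, while the hardened block reports none.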
- SSL/TLS Deployment Best Practices: http://www.techug.com/post/ssl-tls.html
- Nginx HTTP SSL module documentation: http://www.nginx.cn/doc/optional/ssl.html
Deploy HTTPS on Nginx