Deploying HTTPS and security tuning under Nginx

Source: Internet
Author: User
Tags: openssl, rsa, ssl, certificate

What is HTTPS?

HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer) is HTTP carried over a channel designed for security; put simply, it is the secure version of HTTP.

For more basic information, please refer to:

    • What is a digital signature? (Illustrated, clearly understood, key recommendations)
    • HTTPS on WIKI
    • Cryptography Notes
    • SSL and digital certificates
    • Another illustrated note, for reference: a wildcard-domain SSL certificate construction strategy

A few questions to be clarified:

    • The relationship between HTTPS and SSL, and the basic technology that implements them;
    • The types of SSL certificate;
    • What a certificate authority is and why it exists;
    • Certificate validation levels, and what DV, OV and EV each mean;
    • What a wildcard-domain SSL certificate is.

Operation Steps

An approximate flow is as follows:

    1. Preparation before purchase: generate the CSR and key files on the server;
    2. Purchase the certificate, submitting the CSR file generated above;
    3. After a successful purchase you receive two certificates, the domain certificate and the chain (intermediate) certificate; merge the two, in that order, into a single CRT file;
    4. Configure the key and CRT files in Nginx, and do the security tuning.
Before you buy a certificate

1. Create a directory for the certificate CSR and key

    mkdir -p /etc/nginx/ssl/phphub
    cd /etc/nginx/ssl/phphub

2. Generate the orig file (a 2048-bit RSA private key)

    openssl genrsa -out phphub.orig 2048
3. Generate the CSR file

Run

    openssl req -new -key phphub.orig -out phphub.csr

Output; you need to fill in the fields:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:BeiJing
    Locality Name (eg, city) []:BeiJing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:The EST Group
    Organizational Unit Name (eg, section) []:Dev
    Common Name (e.g. server FQDN or YOUR name) []:*.phphub.org    // ---------- note: fill this field in carefully ----------
    Email Address []: emailaddress @ gmail.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:    ---------- note: leave blank ----------
    An optional company name []:    ---------- note: leave blank ----------

4. Generate the private key file

    openssl rsa -in phphub.orig -out phphub.key

(This re-emits the key in PEM form; since phphub.orig was generated without a passphrase, both files carry the same private key.)

There are three files in this folder:

    /etc/nginx/ssl/phphub# tree
    .
    ├── ikbcity.csr
    ├── phphub.key
    └── phphub.orig
Purchase Certificate

Purchase details are omitted here; buy from a reputable, authoritative certificate authority.

After the purchase succeeds you are issued two certificates, server.crt (the domain certificate) and server.intermediate.crt (the chain certificate). Concatenate them, domain certificate first, to produce the final chained certificate (phphub.crt below):

cat server.crt server.intermediate.crt > phphub.crt

This file can be used with the key file generated above to configure Nginx:

    ssl_certificate     /etc/nginx/ssl/phphub/phphub.crt;
    ssl_certificate_key /etc/nginx/ssl/phphub/phphub.key;
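As an added example (not part of the original post), the script below performs the key and CSR steps above non-interactively and adds the two checks worth running before the files go into Nginx: that key, CSR and certificate share one RSA modulus, and that the chained file starts with the server certificate rather than the intermediate. The openssl CLI, the directory layout and the DN values passed to -subj are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: generate the key and CSR without
# the interactive prompts, and verify that key, CSR and chained certificate
# belong together before handing them to Nginx. Assumes the openssl CLI.
set -eu

# make_csr DIR NAME CN : 2048-bit RSA key plus CSR with the DN supplied via
# -subj (no challenge password, matching the advice to leave it blank).
make_csr() {
  mkdir -p "$1"
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -out "$1/$2.csr" \
    -subj "/C=CN/ST=BeiJing/L=BeiJing/O=Example Org/OU=Dev/CN=$3"
}

# modulus rsa|req|x509 FILE : print the RSA modulus of a key, CSR or cert.
# All three must agree, otherwise Nginx will refuse the key/certificate pair.
modulus() {
  openssl "$1" -noout -modulus -in "$2"
}

# key_matches KEY FILE req|x509 : 0 if FILE was produced from KEY.
key_matches() {
  [ "$(modulus rsa "$1")" = "$(modulus "$3" "$2")" ]
}

# chain_leaf_is CHAIN CN : 0 if the first certificate in the chained file is
# the server certificate for CN. openssl x509 reads only the first PEM block,
# which is why server.crt must precede server.intermediate.crt in the file.
chain_leaf_is() {
  subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1")
  case "$subj" in *"CN=$2"*) return 0 ;; *) return 1 ;; esac
}
```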
Configuring a secure Nginx

Links:

    • Best Nginx configuration for security
    • Nginx config on Gist
    • Top Nginx WebServer Best Security Practices
    • SSL Server Test (security test tool)
Force the use of HTTPS

    server {
        listen 80;
        listen 443 ssl;
        server_name example.com;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        ....
    }

Remove the Nginx X-Powered-By header

    fastcgi_hide_header X-Powered-By;

Remove the Nginx version

    server_tokens off;

Do not allow the site to be loaded in an IFRAME

    add_header X-Frame-Options SAMEORIGIN;

For more settings, see this Gist: nginx config on Gist
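The following is an added example, not part of the original post or the linked Gist: a small audit that reads a saved response header block (for instance the output of curl -sI against the site) and reports which of the four hardening points above are not in effect. The file name and mode arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check a saved HTTP response header
# block (e.g. the output of `curl -sI http://example.com/`) against the four
# hardening points above. Assumes only POSIX sh, grep, awk and tr.
set -eu

# audit_headers FILE http|https : print one line per finding; return 1 if any.
# The redirect check only applies to a response fetched over plain http.
audit_headers() {
  hdr=$(tr -d '\r' < "$1")
  rc=0
  if [ "$2" = http ]; then
    status=$(printf '%s\n' "$hdr" | head -n 1 | awk '{print $2}')
    loc=$(printf '%s\n' "$hdr" | grep -i '^Location:' | awk '{print $2}' || true)
    case "$status:$loc" in
      301:https://*|302:https://*|308:https://*) ;;
      *) echo "plain http not redirected to https (status $status)"; rc=1 ;;
    esac
  fi
  # server_tokens off: the Server header must not carry a version number
  if printf '%s\n' "$hdr" | grep -iq '^Server:.*/[0-9]'; then
    echo "Server header leaks the Nginx version"; rc=1
  fi
  # fastcgi_hide_header X-Powered-By
  if printf '%s\n' "$hdr" | grep -iq '^X-Powered-By:'; then
    echo "X-Powered-By header present"; rc=1
  fi
  # add_header X-Frame-Options SAMEORIGIN
  if ! printf '%s\n' "$hdr" | grep -iq '^X-Frame-Options:'; then
    echo "X-Frame-Options header missing"; rc=1
  fi
  return $rc
}
```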

Static Content

In general, the CDN server cannot fetch from an HTTPS origin server. This can be solved with a dedicated domain name, static.phphub.org, used only to serve static content:

    server {
        listen 80;
        server_name static.phphub.org;
        root /var/www/phphub/public;

        # Serve only static asset types; the trailing $ anchors the match to the
        # file extension so that the pattern does not match in the middle of a name.
        location ~* \.(jpg|jpeg|gif|png|bmp|ico|pdf|flv|swf|exe|html|htm|txt|css|js)$ {
            add_header        Cache-Control public;
            add_header        Cache-Control must-revalidate;
            expires           7d;
        }

        # Everything else on the static domain is refused.
        location / {
            deny all;
        }
    }
Conclusion

You can use the SSL Server Test (the security test tool linked above) to check whether your HTTPS deployment is strong enough.

Attached: the SSL Server Test result for phphub.
