Detailed explanation of the method of configuring total-station HTTPS secure connection in Nginx server _nginx

HTTPS is equal to HTTP plus TLS (SSL), and the HTTPS protocol has three main goals:

Data confidentiality. Ensure content is not seen by third parties during transmission. Just as the courier delivered the package, they couldn't know what was inside.
Data integrity. Timely detection of transmission content tampered with by third parties. Just as the courier does not know what is in the package, but he may be halfway, data integrity means that if the switch, we can easily find and reject.
Identity check. Ensure that the data reaches the desired destination of the user. Just like when we mail a parcel, it's a packaged, not-switched package, but we have to make sure that it doesn't get sent in the wrong place.

You need to have a certificate before enabling HTTPS, and the certificate needs to first create a CSR on its own server, the corresponding public and private key. Here I take the Nginx server for example, Apache is not too bad, are based on OpenSSL. Because I only have one host domain name www.jb51.net, so the certificate conveniently chooses Comodo's Positivessl, each year 9 knives. Note that the Comodo requires a certificate of at least 2048 digits, as shown in the following command. When activating a certificate, you need to pay attention to common name where you want to fill out your domain address, because I do not use jb51.net, so here is the www.jb51.net, need to pay attention to the two host address is different. Other organization name of the company or whatever. if not, write Na, don't leave it blank. Here's a quick step.

1, log in as root, upgrade the server. This is to resolve a large vulnerability in OpenSSL cve-2014-0224, because the problem of CHANGECIPHERSPEC messages can lead to man-in-the-middle attacks, decrypting and modifying communications between the attacked server and the client to obtain encrypted data.

Check the OpenSSL version to confirm at least 1.0.1h or above,

OpenSSL version-a

If not, upgrade the server, take Debian for example

Apt-get Update
Apt-get upgrade

2. Create CSR and private key

OpenSSL req-new-newkey rsa:2048-nodes-keyout www.jb51.net.key-out WWW.JB51.NET.CSR

Get 2 files, the private key Www.jb51.net.key,CSR file WWW.JB51.NET.CSR, in which the contents of the CSR will need to be submitted when the certificate is activated

3. Purchase certificate, complete activation, download certificate file

The downloaded certificate file is usually a compressed package, some are 2 files, some are 4 files

If it's 2 files, it's like this:

• Www_jb51_net.ca-bundle
• Www_jb51_net.crt

If there are 4 files, this is usually the case:

• Www_jb51_net.crt
• Comodorsadomainvalidationsecureserverca.crt
• Comodorsaaddtrustca.crt
• Addtrustexternalcaroot.crt

Where Www_slyar_com.ca-bundle is the product that automatically merges the other 3 files, one reason

4, merge the certificate, the order must not be wrong

Cat Www_jb51_net.crt www_slyar_com.ca-bundle > WWW.JB51.NET.CRT

Or

Cat Www_slyar_com.crt www_slyar_com.ca-bundle > WWW.JB51.NET.CRT

The resulting www.jb51.net.crt is the merging of 4 files, which, together with the previous Www.jb51.net.key, form the certificate that Nginx needs to use

5, the WWW.JB51.NET.CRT and Www.jb51.net.key copied to the nginx of the Conf directory, such as/usr/local/nginx/conf/

CP WWW.JB51.NET.CRT www.jb51.net.key/usr/local/nginx/conf/

6, modify the Nginx configuration file or vhost/under the virtual host configuration file, enable HTTPS, configure encryption methods, etc.

#合并80和443配置文件也可以, together with configuration, the final force transfer 80 to 443 can be
listen;
Listen 443;

#指定证书文件
ssl_certificate www.jb51.net.crt;
Ssl_certificate_key Www.jb51.net.key;

#禁用不安全的SSLv1 2 3, use only TLS
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Ssl_prefer_server_ciphers on;

#RC4也是不安全的了, you can only remove
ssl_ciphers Eecdh+chacha20:eecdh+aes128:rsa+aes128:eecdh+aes256:rsa+aes256:eecdh+3des:rsa +3des:! MD5;

#301转移
if ($server _port =) {return
https://$server _name$request_uri
}

7. Test the Nginx configuration file and reload the configuration file again

Nginx-t
Service Nginx Reload

This way the server's HTTPS is configured.

Since HTTPS is very secure and digital certificate fees are low, why don't internet companies use HTTPS altogether? The main reasons are two points:

The effect of HTTPS on speed is obvious. Each HTTPS connection typically adds 1-3 RTT, plus the performance cost of decryption, which can increase by another dozens of milliseconds.
HTTPS consumes a lot of CPU computing power, and the Web server's processing power can be reduced to 10% or even less than HTTP when the full handshake is reached.

Why does HTTPS severely degrade performance? is mainly the handshake phase when the large number of operations. One of the most consuming properties is the private key decryption phase of the key exchange (the function is rsa_private_decryption). Performance consumption at this stage accounts for 95% of the overall SSL handshake performance.

However, with the successive follow-up of the major websites and the Moore's Law of the hardware, it is worthwhile to make this performance sacrifice for the sake of security.