Reprinted; please cite the source: http://blog.csdn.net/l1028386804/article/details/46695495
Because this setup is for internal corporate access, the CA used here is one I generated and self-signed with OpenSSL. It therefore cannot be verified against any of the root CAs trusted on the Internet, and the browser will warn that the site is not trusted or that the security certificate is invalid. Just skip past the warning and continue to the site.
How HTTPS works, and the access process:
Server prerequisites
A server private key file
A CA certificate matching the server's domain name (the public key, generated from the private key)
Access process:
1. The client browser connects to the server's port 443 over HTTPS and obtains the server's certificate (public key). The browser then checks that certificate against the root CAs (authoritative certification authorities) trusted on the Internet to verify that the certificate it just received is valid. PS: these root CAs are preinstalled with the operating system.
2. If the certificate is trusted by a root CA, and the server name listed in the certificate matches the server URL currently being accessed, the browser uses the public key contained in the certificate to decrypt the web page content that the server transmitted encrypted with its own key (the private key). The page content is then displayed normally.
3. If root CA validation fails, the certificate has not been legitimately signed and authorized by a root CA, so it cannot prove the authority of the server being visited. The browser then displays a warning telling the user that the current server's identity cannot be verified and asking whether to continue browsing. (This is usually what happens with self-signed CA certificates.)
Note that verifying the CA's validity only proves that the current server's identity is legitimate, that is, that it is credible and unique, so that nobody else can impersonate the site. It does not affect the encryption of the web page. Even though the CA certificate cannot be certified as authoritative, the public key it contains and the private key the server uses to encrypt the page are still a matching pair, so the browser can still use this certificate to decrypt content the server encrypted with its own private key and display the page normally. That is why the page opens once the user clicks "Continue to this website (not recommended)".
Generating a self-signed CA certificate
1. Use OpenSSL to randomly generate the server key and a certificate signing request (CSR)
2. Issue the certificate for yourself (self-sign it)
# openssl x509 -req -days 3650 -in moonfly.net.csr -signkey moonfly.net.key -out moonfly.net.crt
-days 3650: the certificate's validity period. Since you are issuing the certificate to yourself, it can be as long as you like; I gave it 10 years.
-in moonfly.net.csr: the CSR file
-signkey moonfly.net.key: the server's private key file
-out moonfly.net.crt: the file name of the generated certificate
With that one command, our self-stamped ID card, moonfly.net.crt, is born!
Note: strictly speaking, what is generated here is only a root CA, not a server certificate in the strict sense. A real server certificate would have to be signed for the server by this root CA in a further step. But since the point here is just how to implement SSL encryption for web pages, I used the root CA directly, and it provides the encryption function just fine.
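The two steps above, carried through with the openssl CLI as an added example (not code from the original post), followed by a check of the two facts the post relies on: the self-signed certificate fails chain validation against any trust store that does not already contain it, while the public key inside it still matches the server's private key. It assumes a POSIX sh with openssl on PATH and works in a temporary directory; the domain name moonfly.net is the one used in the post.

```shell
#!/bin/sh
# Added example (not the post's own code): redo the post's two steps for
# moonfly.net with the openssl CLI, then show the two facts the post relies
# on: the self-signed cert fails chain validation against any store that
# lacks it, but its public key matches the server's private key.
# Assumes a POSIX sh and openssl on PATH; files live in a temp directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN=moonfly.net   # domain name used in the post

# Step 1: server private key plus a certificate request (CSR) for that name.
make_key_and_csr() {
  openssl genrsa -out "$WORK/$DOMAIN.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr" \
    -subj "/CN=$DOMAIN" 2>/dev/null
}

# Step 2: self-sign the CSR with the same key (the post's x509 -req command).
self_sign() {
  openssl x509 -req -days 3650 -in "$WORK/$DOMAIN.csr" \
    -signkey "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.crt" 2>/dev/null
}

# Compare the SHA-256 of the public key inside the cert with the public key
# derived from the private key. Prints "match" or "mismatch".
key_matches_cert() {
  c=$(openssl x509 -in "$WORK/$DOMAIN.crt" -noout -pubkey |
      openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$WORK/$DOMAIN.key" -pubout -outform DER |
      openssl dgst -sha256)
  [ "$c" = "$k" ] && echo match || echo mismatch
}

# Chain validation as a browser does it. With no argument the trust store is
# empty (no system roots); with a file argument that file is the only root.
# Prints "ok" or "fail".
verify_against_store() {
  if [ -n "${1:-}" ]; then flags="-CAfile $1"; else flags="-no-CAfile -no-CApath"; fi
  if openssl verify $flags "$WORK/$DOMAIN.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_key_and_csr
self_sign
key_matches_cert                         # match
verify_against_store                     # fail: no trusted root signed it
verify_against_store "$WORK/$DOMAIN.crt" # ok: only once the cert itself is a trusted root
```

The last two lines are exactly the browser's situation: the key pair is consistent, so the connection can be encrypted, but nothing in the trust store vouches for the certificate until it is imported.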
Nginx configuration: enabling HTTPS and configuring the encrypted reverse proxy
After editing the configuration file, test it with nginx -t to confirm it is correct, then reload the Nginx service and check that port 443 is listening:
Configuration complete; HTTPS is now working, and the site can be accessed over HTTPS.
Nginx: configure HTTPS encrypted reverse proxy access with a self-signed CA