I. What is HTTPS?
According to Wikipedia:
Hypertext Transfer Protocol Secure (abbreviated HTTPS) is a combination of the Hypertext Transfer Protocol and SSL/TLS that provides encrypted communication and authentication of the web server's identity. HTTPS connections are widely used for payment transactions on the World Wide Web and for transmitting sensitive information in enterprise information systems. HTTPS should not be confused with the Secure Hypertext Transfer Protocol (S-HTTP) defined in RFC 2660.
HTTPS is now the first choice for any site that handles private or sensitive data. As the technology has matured, HTTPS is no longer the preserve of large sites: any individual webmaster or blogger can build an encrypted website.
If a website is not encrypted, every account name and password you send to it travels in clear text. Where privacy or money is involved, unencrypted transmission is a frightening prospect: anyone on the path between browser and server can read or alter the traffic.
Since the readers of this blog are close to being professionals, we will not waste more words and will get straight to business.
II. Generating an SSL key and CSR with OpenSSL
Only a certificate issued by a CA that browsers and operating systems already trust lets every visitor reach your encrypted site without a certificate warning, so we skip self-signed certificates and go straight to obtaining a certificate signed by a trusted third party.
OpenSSL is installed by default on mainstream systems such as Linux and OS X. Because 1024-bit RSA is no longer considered safe, third-party certificate authorities now require a private key of at least 2048 bits.
Commonly issued SSL certificates come in two forms: DV (domain validated) and OV (organization validated). The former only verifies control of the domain name; the latter also verifies your organization or company. An OV certificate gives visitors stronger assurance about who operates the site; the encryption itself is the same.
Whether you go for DV or OV, generating the private key and request requires some basic information. Here we assume the following:
Domain name, also called the Common Name (for some special certificates this is not necessarily a domain name): example.com
Organization or company name (Organization): Example, Inc.
Department (Organizational Unit): optional; here we write Web Security
City (Locality): Beijing
Province (State/Province): Beijing
Country (Country): CN
Key size: 2048-bit RSA; if your machine is powerful enough you can choose 4096-bit
Based on the information above, the OpenSSL command that generates the key and the CSR in one step is:
openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Example, Inc./OU=Web Security/CN=example.com"
The -nodes flag stores the key unencrypted, so Nginx can start without prompting for a passphrase; -sha256 signs the request itself with SHA-256.
PS: for a wildcard certificate, use *.example.com as the Common Name instead.
You can run this command from any directory; it writes two files, example_com.csr and example_com.key, into the current directory.
Next, open example_com.csr and you will see a long block of text like this:
-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request body omitted)
-----END CERTIFICATE REQUEST-----
This CSR file is what you submit to the certificate authority. Once your domain name (or organization) has been validated, the CA issues you a certificate, example_com.crt.
example_com.key is used together with example_com.crt in the Nginx configuration. Guard it carefully and never hand it to any third party, including the CA: they only need the CSR.
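The procedure above, as an added example that is not part of the original post: it generates the key and CSR non-interactively and then runs the checks a practitioner would want before sending the CSR off, namely that the request's signature verifies, that the key is at least 2048 bits, and that the CSR really was made with the key you are about to configure in Nginx. The scratch directory, file names and subject fields are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: generate the key and CSR
# non-interactively and check them before sending the CSR to the CA.
# The directory, file names and subject fields are assumptions for the demo.
set -eu

# gen_csr <outdir> <common-name> [key-bits]
# Writes example_com.key and example_com.csr into <outdir>.
gen_csr() {
    outdir=$1; cn=$2; bits=${3:-2048}
    mkdir -p "$outdir"
    # -nodes leaves the key unencrypted so Nginx can start without a passphrase prompt
    openssl req -new -newkey "rsa:$bits" -sha256 -nodes \
        -keyout "$outdir/example_com.key" -out "$outdir/example_com.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Example, Inc./OU=Web Security/CN=$cn" \
        2>/dev/null
    chmod 600 "$outdir/example_com.key"   # the private key must not be world-readable
}

# key_bits <key.pem>: modulus size of an RSA private key in bits
key_bits() {
    # output is "Modulus=<hex>": strip the 8-character prefix, 4 bits per hex digit
    hex=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    echo $(( (${#hex} - 8) * 4 ))
}

# check_csr <csr> <key>: fail unless the CSR verifies, was signed with <key>,
# and the key is at least 2048 bits (CAs reject shorter keys). Prints the subject.
check_csr() {
    csr=$1; key=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature does not verify" >&2; return 1; }
    bits=$(key_bits "$key")
    [ "$bits" -ge 2048 ] || { echo "key too short: $bits bits" >&2; return 1; }
    # the public key inside the CSR must be the one derived from our private key
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null)
    [ "$csr_pub" = "$key_pub" ] || { echo "CSR was not made with this key" >&2; return 1; }
    openssl req -in "$csr" -noout -subject
}

# Demonstration run in a scratch directory (pass '*.example.com' for a wildcard cert)
work=$(mktemp -d)
gen_csr "$work" example.com
check_csr "$work/example_com.csr" "$work/example_com.key"
```

The key/CSR comparison matters in practice: if you regenerate the key later and forget, the CA's certificate will not match the key on the server and Nginx will refuse to start with a key values mismatch.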
III. Configuring the HTTPS site in Nginx and hardening it
As mentioned above, you submit the CSR to a third-party certificate authority; after validation they issue a certificate file, which we name example_com.crt.
For tidiness, move all three files (key, CSR and certificate) into the /etc/ssl/private/ directory, and make sure the key is readable only by root.
Then edit the Nginx configuration. The server block below listens for TLS on port 443 only: plain HTTP on port 80 gets its own redirect block further down, and the deprecated "ssl on;" directive is not needed because "listen ... ssl" already enables TLS for that socket (mixing "ssl on;" with a port-80 listener would make Nginx expect TLS on port 80 and break plain HTTP):
server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name example.com;
    ssl_certificate /etc/ssl/private/example_com.crt;
    ssl_certificate_key /etc/ssl/private/example_com.key;
}
Check the configuration and reload Nginx:
nginx -t && nginx -s reload
This alone is not enough, though. Nginx's default protocol and cipher settings still admit weak options, and unless you supply your own Diffie-Hellman parameters, the DHE key exchange either uses a built-in 1024-bit group (older Nginx) or is disabled entirely (Nginx 1.11.0 and later). SHA-1 certificate signatures, which browsers now reject, are a separate matter: the hash used to sign your certificate is chosen by the CA, not by this configuration. For stronger security we generate our own Diffie-Hellman parameters and pin down the protocols and cipher suites.
First enter the /etc/ssl/certs directory and generate a dhparam.pem:
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 2048   # if your machine is fast enough you can use 4096, but generation then takes many minutes
Once it is generated, add the following to the SSL configuration of the server block:
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # drop TLSv1 and TLSv1.1 unless legacy clients need them; both are deprecated by RFC 8996
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";
    keepalive_timeout 70;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
Every suite left in this list uses ephemeral ECDH or DH key exchange, so a later compromise of the server's private key does not expose recorded sessions (forward secrecy); the trailing exclusions remove anonymous, null, export, RC4, 3DES and MD5 suites. (An EECDH+aRSA+RC4 entry sometimes seen in this list is pointless, since the final !RC4 removes it again.)
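A quick way to confirm what a cipher string actually enables, as an added example that is not part of the original post: expand the string with openssl exactly as Nginx's OpenSSL will, and flag any suite whose key exchange is not ephemeral (EC)DH or that still carries a legacy algorithm. The cipher strings used in the demonstration at the bottom are assumptions; the first is the hardened list from this post, the second a looser list that still permits static RSA key exchange.

```shell
#!/bin/sh
# Added example, not from the original post: expand an OpenSSL cipher string
# the way the server will and flag suites without forward secrecy or with
# legacy algorithms. The strings in the demonstration are assumptions.
set -eu

# check_ciphers <cipher-string>
# Prints one line per offending suite; returns 1 if any were found, 0 if the
# list is clean, 2 if OpenSSL rejects the string outright.
check_ciphers() {
    list=$(openssl ciphers -v "$1") || return 2   # "Error in cipher list"
    # each line of "openssl ciphers -v" is: NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
    printf '%s\n' "$list" | awk '
        $2 == "TLSv1.3" { next }                      # TLS 1.3 suites always use (EC)DHE
        $3 !~ /^Kx=(ECDH|DH)$/ { print "no forward secrecy: " $1; bad = 1 }   # static RSA/DH key exchange
        /RC4|3DES|DES-CBC|MD5|NULL|EXP/ { print "legacy algorithm: " $1; bad = 1 }
        END { exit bad + 0 }'
}

# Demonstration: the hardened list from the post versus a looser one.
# HIGH still contains suites with static RSA key exchange such as AES128-SHA,
# which give no forward secrecy even though the cipher itself is fine.
HARDENED='EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4'
LOOSE='HIGH:!aNULL:!MD5'
check_ciphers "$HARDENED" && echo "hardened list: clean"
check_ciphers "$LOOSE" || echo "loose list: rejected"
```

Run it against the exact string you put in ssl_ciphers; the expansion depends on the OpenSSL build, so check on the server itself rather than on your laptop.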
If the whole site is served over HTTPS and you no longer care about plain HTTP, you can also enable HSTS, which tells the browser that the entire site is encrypted and forces it to use HTTPS on every later visit for as long as max-age (here two years) lasts:
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
Two caveats: browsers only honour HSTS when the header arrives over HTTPS, so these directives belong in the port-443 server block and not in the port-80 redirect; and Nginx does not inherit add_header into a location block that defines add_header directives of its own, so repeat them there if needed.
You can also add a separate server block so that plain HTTP requests are redirected to HTTPS with a 301:
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name example.com;
    return 301 https://example.com$request_uri;
}
IV. Reliable third-party SSL certificate authorities
As is well known, a NIC-affiliated CA was caught up in a scandal over mis-issued certificates for Google domains, so choosing a reliable third-party issuer matters.
The certificate authorities commonly used by small and medium-sized webmasters and businesses are currently:
StartSSL
Comodo / sub-brand Positive SSL
GlobalSign / sub-brand AlphaSSL
GeoTrust / sub-brand RapidSSL
Positive SSL, AlphaSSL, RapidSSL and the like are sub-brands, and their certificates generally sit at the bottom of a three- or four-level chain, so you must append the CA's intermediate certificates to your CRT file; otherwise a browser that does not already have the intermediate cached cannot build a path to a trusted root and shows an error.
Taking Comodo Positive SSL as an example, and assuming your domain is example.com, the certificates are concatenated in this order: your own certificate first, then each intermediate, and the root last (the root is optional, since browsers already have it):
cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > example_com.signed.crt
Then use example_com.signed.crt as ssl_certificate in the Nginx configuration. The order matters: Nginx presents the first certificate in the file as the server certificate and checks it against ssl_certificate_key, so if a CA certificate ends up first, nginx -t fails with a key values mismatch.
If you have an AlphaSSL wildcard certificate, they do not send you the CA chain; you need to fetch the AlphaSSL intermediate certificate yourself and append it after your CRT file:
AlphaSSL intermediate CA: https://www.alphassl.com/support/install-root-certificate.html
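The bundling step above, as an added example that is not part of the original post. With a real CA you only receive the .crt files, so to make the procedure runnable offline the script first builds its own three-level chain (root, intermediate, leaf) with throwaway CAs; the CA names, file names and hostname are made up for the demonstration. The part that carries over to production is build_bundle, first_cn and verify_bundle: concatenate leaf first, confirm the first certificate in the file is the server certificate, and let openssl verify the whole chain for the hostname before touching the Nginx configuration.

```shell
#!/bin/sh
# Added example, not from the original post: build a local three-level chain
# (root -> intermediate -> leaf) so the bundling step can be exercised offline,
# concatenate it in the order Nginx expects (server certificate first, then
# the intermediates, root last and optional) and verify the bundle with
# openssl before deploying it. CA names, file names and hostname are made up.
set -eu

# ext_for <ca|leaf> <hostname>: X.509 v3 extensions for each certificate type
ext_for() {
    if [ "$1" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
    else
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$2"
    fi
}

# make_cert <dir> <name> <subject> <ca|leaf> [<issuer-name>]
# Writes <name>.key and <name>.crt; self-signed (a root) when no issuer is given.
make_cert() {
    dir=$1; name=$2; subj=$3; kind=$4; issuer=${5:-}
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/$name.key" -subj "$subj" -out "$dir/$name.csr"
    ext_for "$kind" "${subj##*CN=}" > "$dir/$name.ext"
    if [ -z "$issuer" ]; then
        openssl x509 -req -sha256 -days 3650 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
            -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    else
        openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
            -CA "$dir/$issuer.crt" -CAkey "$dir/$issuer.key" -CAcreateserial \
            -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    fi
}

# build_bundle <dir> <out.crt> <name>...: concatenate <name>.crt files in the
# given order; the first name must be the server certificate.
build_bundle() {
    dir=$1; out=$2; shift 2
    : > "$out"
    for n in "$@"; do cat "$dir/$n.crt" >> "$out"; done
}

# first_cn <bundle>: CN of the first certificate, i.e. the one Nginx will
# present as the server certificate. A CA name here means the order is wrong.
first_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# verify_bundle <bundle> <root.crt> <hostname>: succeed only if the first
# certificate chains to <root.crt> through the rest of the bundle and is
# valid for <hostname>, which is what a browser checks.
verify_bundle() {
    leaf=$(mktemp)
    openssl x509 -in "$1" -out "$leaf"            # extracts the first certificate only
    if openssl verify -CAfile "$2" -untrusted "$1" -verify_hostname "$3" "$leaf" >/dev/null 2>&1; then
        rm -f "$leaf"; return 0
    fi
    rm -f "$leaf"; return 1
}

# Demonstration: the post's three-certificate bundle, rebuilt with local CAs
work=$(mktemp -d)
make_cert "$work" root  "/O=Example Trust/CN=Example Root CA" ca
make_cert "$work" inter "/O=Example Trust/CN=Example DV Secure Server CA" ca root
make_cert "$work" example_com "/CN=example.com" leaf inter
build_bundle "$work" "$work/example_com.signed.crt" example_com inter root
echo "server certificate: $(first_cn "$work/example_com.signed.crt")"
verify_bundle "$work/example_com.signed.crt" "$work/root.crt" example.com && echo "bundle verifies for example.com"
```

For a real certificate, replace the make_cert calls with the files the CA sent you and pass the CA's root certificate (not one of your own) to verify_bundle; a bundle that fails here will fail in the browser too, typically because an intermediate is missing or the order is wrong.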
V. EV SSL for enterprises
EV SSL (Extended Validation) is aimed at corporate websites that want stricter vetting: the CA verifies the legal identity of the organization in depth before issuing.
The most visible difference is that browsers show an EV certificate with a green address bar (browsers have since dropped this indicator), as with the EV SSL certificate this site uses.
That is the whole process of building an HTTPS website with SSL under Nginx. I hope you find it useful.