SSL principle: differences between HTTP and HTTPS
HTTP's default port is 80; HTTPS's default port is 443.
HTTP transmits data in plaintext; HTTPS transmits data encrypted.
HTTP runs directly over TCP. Everything it transmits is plaintext, and neither the client nor the server can verify the identity of the other side.
HTTPS is HTTP running over SSL/TLS, with SSL/TLS running over TCP. All transmitted content is encrypted with a symmetric cipher, but the symmetric key is exchanged using asymmetric encryption tied to the server's certificate. In addition, the client can verify the identity of the server, and if client authentication is configured, the server can also verify the identity of the client.
HTTPS workflow
1. Complete the TCP three-way handshake.
2. The client verifies the server certificate; if it passes, go to step 3.
3. Use the DH algorithm to negotiate the symmetric encryption algorithm, its key, and the hash algorithm.
4. Once negotiation is complete, the SSL secure encrypted channel is established.
5. Web pages are transmitted encrypted with the negotiated algorithm, which also ensures the data is intact and has not been tampered with.
Generate an SSL key pair
A real website's HTTPS certificate must be purchased; for this experiment we simply generate one ourselves, but such a self-signed certificate cannot be used on the public network.
Install the OpenSSL software
yum install -y openssl
Enter the key directory
Choose the directory where the keys will be stored:
cd /usr/local/nginx/conf/
Generate the private key
Note that you must set a password here:
openssl genrsa -des3 -out tmp.key 2048
Convert to a private key without a password
Note: you will be prompted for the password of the old private key file tmp.key.
openssl rsa -in tmp.key -out test.key
Delete the old private key:
rm -rf tmp.key
Generate a certificate request file
You will be asked for the certificate details; you can just accept the defaults:
openssl req -new -key test.key -out test.csr
Set the certificate validity period and generate the certificate
openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
Note: test.crt is the certificate (containing the public key), test.csr is only the request file, and test.key is the private key.
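The key-generation steps above, collected into one script that also checks the result before nginx is pointed at it. This is an added example, not part of the original tutorial; it assumes openssl is on PATH, takes an output directory as its first argument (default ./ssl-lab), uses the tutorial's domain shu.com as the certificate subject, and is assumed to be saved as ssl-lab.sh.

```shell
#!/bin/sh
# Added example: generate the tutorial's test key pair non-interactively and
# verify that test.crt and test.key belong together before nginx uses them.
# Assumptions: openssl is on PATH; files go into the directory given as $1
# (default ./ssl-lab); the certificate subject uses the tutorial's domain shu.com.
set -eu

# Private key without a passphrase (same result as genrsa -des3 followed by
# rsa -in/-out), then the CSR and a self-signed certificate valid for 365 days.
# -subj supplies the subject fields so the req command does not prompt.
make_test_pair() {
  dir=${1:-./ssl-lab}
  mkdir -p "$dir"
  openssl genrsa -out "$dir/test.key" 2048 2>/dev/null
  openssl req -new -key "$dir/test.key" -out "$dir/test.csr" \
    -subj "/C=CN/ST=Lab/L=Lab/O=Lab/CN=shu.com" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/test.csr" -signkey "$dir/test.key" \
    -out "$dir/test.crt" 2>/dev/null
  chmod 600 "$dir/test.key"   # the private key must not be readable by other users
}

# SHA-256 of the RSA modulus of a key ("rsa") or certificate ("x509").
# A certificate and a key belong together exactly when these digests are equal.
modulus_digest() {
  openssl "$1" -noout -modulus -in "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 when test.crt and test.key in $1 match, 1 otherwise (nginx refuses to load
# a mismatched pair, so this catches the mistake before the reload).
pair_matches() {
  dir=${1:-./ssl-lab}
  [ "$(modulus_digest x509 "$dir/test.crt")" = "$(modulus_digest rsa "$dir/test.key")" ]
}

# 0 when the private key is readable only by its owner (mode 0600).
key_private() {
  dir=${1:-./ssl-lab}
  [ "$(ls -l "$dir/test.key" | cut -c5-10)" = "------" ]
}

# Human-readable summary: subject, issuer and validity period of the certificate.
show_cert() {
  openssl x509 -noout -subject -issuer -dates -in "${1:-./ssl-lab}/test.crt"
}

main() {
  dir=${1:-./ssl-lab}
  make_test_pair "$dir"
  pair_matches "$dir" && echo "certificate and key match"
  key_private "$dir" && echo "private key permissions ok"
  show_cert "$dir"
}

# Run main only when executed directly as ssl-lab.sh (assumed file name).
case "${0##*/}" in ssl-lab.sh) main "$@" ;; esac
```

The modulus comparison is the check worth keeping: it is the same test nginx performs when it loads ssl_certificate and ssl_certificate_key, and running it here tells you which file is wrong instead of a failed reload.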
Nginx SSL configuration
Create the SSL configuration file:
vim /usr/local/nginx/conf/vhost/ssl.conf
server {
    listen 443;                              # listen on port 443
    server_name shu.com;                     # site domain name shu.com
    index index.html index.php;
    root /data/wwwroot/shu.com;              # web site root directory
    ssl on;                                  # enable ssl
    ssl_certificate test.crt;                # certificate (public key) file name
    ssl_certificate_key test.key;            # private key file name
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
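For comparison, the same site with the weaker settings tightened. This is an added example, not the tutorial's own file; it assumes the same test.crt and test.key in the conf/ directory, and an nginx built against OpenSSL 1.1.1 or later for TLSv1.3 (on the tutorial's nginx 1.12.2, list only TLSv1.2).

```nginx
# Added example, not the tutorial's own ssl.conf. Assumes the same test.crt /
# test.key under conf/, and nginx 1.13+ with OpenSSL 1.1.1+ for TLSv1.3.
server {
    listen 80;
    server_name shu.com;
    return 301 https://$host$request_uri;    # send plaintext visitors to HTTPS
}

server {
    listen 443 ssl;                          # "listen ... ssl" replaces the deprecated "ssl on;"
    server_name shu.com;
    index index.html index.php;
    root /data/wwwroot/shu.com;

    ssl_certificate     test.crt;            # relative paths resolve against the conf/ directory
    ssl_certificate_key test.key;

    ssl_protocols TLSv1.2 TLSv1.3;           # TLSv1 and TLSv1.1 are no longer considered safe
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
}
```

The two changes that matter are dropping TLSv1/TLSv1.1 from ssl_protocols and adding the port-80 redirect, so a visitor who types shu.com without the scheme still ends up on the encrypted site.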
Check the configuration and apply it
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx -s reload
Test
Check the listening ports; 443 should be listed:
netstat -lntp
Access https://shu.com; success.
SSL error handling
Error message from the -t check:
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
Hint: nginx does not support ssl, because when we compiled and installed nginx we used the simplest configure options and did not specify ssl.
Solution:
Recompile and install Nginx.
View the parameters Nginx was compiled with before:
/usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=/usr/local/nginx
Enter the source package directory
cd /usr/local/src/nginx-1.12.2/
Query the additional configure option SSL requires
./configure --help | grep -i ssl
The result is: --with-http_ssl_module
Recompile Nginx
./configure --prefix=/usr/local/nginx --with-http_ssl_module
make && make install
Restart the Nginx service
/etc/init.d/nginx restart
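A small pre-flight check for the problem above: read the configure arguments from nginx -V, report whether the SSL module is built in, and if not print the configure line that keeps the existing options and adds it. This is an added example, not from the tutorial; the two sample -V outputs are constructed to match the shape of the tutorial's output, the default binary path is the tutorial's /usr/local/nginx/sbin/nginx, and the script is assumed to be saved as nginx-ssl-check.sh.

```shell
#!/bin/sh
# Added example: decide from "nginx -V" output whether the binary was built with
# http_ssl_module and, if not, print the configure line that preserves the
# existing options and adds it. The sample outputs are constructed to match the
# tutorial's; nothing in the parsing depends on nginx being installed.
set -eu

SAMPLE_NO_SSL='nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=/usr/local/nginx'

SAMPLE_WITH_SSL='nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module'

# Print only the options that follow "configure arguments:".
configure_args() {
  printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p'
}

# 0 when --with-http_ssl_module is among the configure arguments, 1 otherwise.
has_ssl_module() {
  case " $(configure_args "$1") " in
    *" --with-http_ssl_module "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Configure line to run from the source directory: previous options plus SSL,
# so the rebuild does not silently drop options the old binary was built with.
rebuild_command() {
  printf './configure %s --with-http_ssl_module\n' "$(configure_args "$1")"
}

# Check a real binary (default: the tutorial's install path). Returns 0 when
# SSL is built in, 1 when it is missing (and prints the rebuild line), 2 when
# the binary cannot be run.
check_binary() {
  bin=${1:-/usr/local/nginx/sbin/nginx}
  out=$("$bin" -V 2>&1) || return 2
  if has_ssl_module "$out"; then
    echo "$bin: http_ssl_module present"
  else
    echo "$bin: http_ssl_module missing; rebuild with:"
    rebuild_command "$out"
    return 1
  fi
}

# Run the live check only when executed directly as nginx-ssl-check.sh (assumed name).
case "${0##*/}" in nginx-ssl-check.sh) check_binary "$@" ;; esac
```

Running it before writing ssl.conf turns the "unknown directive ssl" failure at reload time into a clear message with the exact configure line to rerun.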