SSL (HTTPS) Introduction, lab environment generation key pair, nginx configuration SSL, HTTPS

Source: Internet
Author: User
Tags openssl build openssl rsa openssl x509 ssl certificate

SSL principle HTTP and HTTPS differences

HTTP default port is 80,https default port is 443;
HTTP transmits data to plaintext, HTTPS transmits data is encrypted;

HTTP is the HTTP protocol that runs on top of TCP. All transmitted content is plaintext, the client and the server can not verify the identity of the other side;
HTTPS is HTTP running over SSL/TLS, and SSL/TLS is running over TCP. All transmitted content is encrypted and encrypted with symmetric encryption, but the symmetric encryption key is asymmetric encrypted with the server-side certificate. In addition, the client can verify the identity of the server side, and if client authentication is configured, the server side can also verify the identity of the client.

HTTPS Work Flow

1. Complete the TCP three synchronization handshake
2. Client Authentication server certificate, pass, go to step 3
Secret key and hash algorithm of 3.DH algorithm for negotiation of symmetric encryption algorithm
4.SSL secure encryption is broken until the negotiation is completed;
5. The Web page is transmitted by encryption, encrypted with the negotiated encryption algorithm to ensure that the data is intact and not tampered with;

Generate an SSL key pair

The normal website HTTPS use SSL certificate is need to purchase, we do the experiment just need to generate one on the line, but not on the network to circulate;

Download OpenSSL build Software
yum install -y openssl
Enter the key pair directory

Set secret key to prevent directory

cd /usr/local/nginx/conf/
Generate private key

Note that you need to set a password here

openssl genrsa -des3 -out tmp.key 2048
Convert to a private key without a password

Note: Here will be prompted to enter the old private key file Tmp.key password;

openssl rsa -in tmp.key -out test.key删除老的私钥rm -rf tmp.key
Generate a certificate Request file

You need to set the details, you can go directly to the default

openssl req -new -key test.key -out test.csr
Set public key validity period, generate public key
openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt

Note: TEST.CRT is the public key, TEST.CSR just request the file, Test.key is the private key;

Nginx configuration SSL Create SSL configuration file
vim /usr/local/nginx/conf/vhost/ssl.conf

Code

server{    listen 443;                         //设置端口为443    server_name shu.com;                //设置网站域名为shu.com    index index.html index.php;    root /data/wwwroot/shu.com;         //设置web的站点目录    ssl on;                             //开启ssl功能    ssl_certificate test.crt;           //指定公钥名字    ssl_certificate_key test.key;       //指定私钥名字    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;}
Detection and entry into force
/usr/local/nginx/sbin/nginx -t/usr/local/nginx/sbin/nginx -s reload
Test

View listening port, 443 successful

netstat -lntp

Use https://shu.com access, success;

SSL Error Handling:

Error message on-t detection

nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed提示:nginx不支持ssl,这是因为我们编译安装nginx时是最简单的模式编译的,没有指定ssl;
Ideas:

Recompile install Nginx

To view the parameters that were compiled before Nginx
/usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)configure arguments: --prefix=/usr/local/nginx
Enter the source package
cd /usr/local/src/nginx-1.12.2/
Query SSL requires additional configuration
./configure --help |grep -i ssl结果为:--with-http_ssl_module
Re-compiling Nginx
./configure --prefix=/usr/local/nginx --with-http_ssl_modulemake && make install
Restart Nginx Service
/etc/init.d/nginx restart

SSL (HTTPS) Introduction, lab environment generation key pair, nginx configuration SSL, HTTPS

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.