HTTPS Secure Communication Based on Nginx server and iOS9

Source: Internet
Author: User
Tags: openssl rsa, openssl x509

Introduction

In network communication, packet capture software can be used to analyze requests and mount replay attacks. The usual defence against replay is a parameter that changes on every request, such as an RSA-encrypted timestamp; however, because of network latency the timestamp must be accepted within some tolerance window, so this alone cannot rule replay attacks out entirely. To address replay attacks more thoroughly, use HTTPS. HTTPS is HTTP carried over SSL, which provides encrypted transmission and identity authentication and is therefore safer than plain HTTP.

Implementation

For a website accessed from a browser, you must obtain a certificate from a CA so that the HTTPS page loads normally; otherwise the browser warns that the site is not secure or not authenticated. For background data transmission between your own app and your own server, a self-signed certificate can be used instead.

Server Configuration

Generate Certificate
Perform the following operations under the command line of the server:
① Generate the server's private key. You are prompted for a pass phrase (4 to 8191 characters):

openssl genrsa -des3 -out server.key 2048

② Remove the pass phrase from the key file so that nginx can load it without prompting. Enter the pass phrase from ①:

openssl rsa -in server.key -out server.key

③ Generate the CSR. This step prompts for several fields (country, organization, Common Name and so on); any prompt can be skipped by pressing Enter. The Common Name is normally the host name the client will connect to.

openssl req -new -key server.key -out server.csr

④ Generate the crt file. -days sets the validity period; for a self-signed certificate it can be set fairly long.

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

⑤ Concatenate the crt and key into a pem file, which is then used to produce the cer for client verification.

cat server.crt server.key > server.pem

⑥ Use the pem to generate the cer. The cer file is shipped inside the client app for verification.

openssl x509 -in server.pem -outform der -out server.cer
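The six steps above collected into one non-interactive shell script. This is an added example, not code from the original article: it passes the subject on the command line so openssl does not prompt, skips the temporary pass phrase that steps ① and ② add and then remove, and ends with a check that the DER server.cer the client will pin carries the same public key as the server.key nginx serves with. The output directory and host name are arguments (assumed by this example); the output file names are the article's.

```shell
#!/bin/sh
# Added example (not from the original article): steps 1-6 above, non-interactive.
# Assumes: openssl on PATH; an output directory and a host name given as arguments.
set -eu

# Produce server.key/.csr/.crt/.pem/.cer in $1 for host name $2, valid $3 days (default 3650).
gen_selfsigned() {
    dir=$1
    cn=$2
    days=${3:-3650}
    mkdir -p "$dir"
    # Steps 1 and 2 together: an unencrypted 2048-bit RSA key. Generating with -des3
    # and then stripping the pass phrase with "openssl rsa" gives the same result.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # Step 3: the CSR. -subj supplies the fields the interactive prompt would ask for.
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr"
    # Step 4: self-sign the request with the same key.
    openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" 2>/dev/null
    # Step 5: crt + key bundle. Step 6: DER-encoded certificate for the client bundle
    # (only the certificate is exported; the private key never leaves the server).
    cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
    openssl x509 -in "$dir/server.pem" -outform der -out "$dir/server.cer"
}

# Sanity check before shipping server.cer: its public key must be the one belonging
# to the private key nginx will serve with. Returns 0 on match, 1 otherwise.
check_keypair() {
    dir=$1
    from_key=$(openssl rsa -in "$dir/server.key" -pubout 2>/dev/null)
    from_cer=$(openssl x509 -in "$dir/server.cer" -inform der -pubkey -noout)
    [ "$from_key" = "$from_cer" ]
}

# SHA-256 (base64) of the DER SubjectPublicKeyInfo in server.cer: the value a
# public-key pinning client effectively compares against.
spki_sha256() {
    openssl x509 -in "$1/server.cer" -inform der -pubkey -noout \
        | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl base64
}

# Stand-alone usage: ./mkcert.sh <output dir> <host name> [days]
if [ $# -ge 2 ]; then
    gen_selfsigned "$@"
    check_keypair "$1"
    echo "pin-sha256=$(spki_sha256 "$1")"
fi
```

Keep the printed pin value with the release notes of the app: when the server key is rotated, the bundled cer (and therefore the pin) must be rotated with it, otherwise every client that pins the old public key stops connecting.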

Modify nginx configuration file
If you do not know the path of the configuration file, use the following command to print it.

nginx -t

This command tests whether the configuration file is valid and prints its path.

Open nginx.conf at the printed path; you will find an http { ... } block. Add a server block inside it:

server {
    listen 443;
    server_name localhost;
    # Root directory of the website and the file names/types of the home page
    index index.html index.htm index.php;
    root <enter the root directory of the website>;
    # "ssl on;" is deprecated since nginx 1.15; on newer versions use "listen 443 ssl;" instead
    ssl on;
    ssl_certificate <enter the full path of server.crt here>;
    ssl_certificate_key <enter the full path of server.key here>;
    # The following is the php configuration. Without it php files are not parsed.
    # It was copied from nginx's port 80 (HTTP) configuration; if it does not work
    # on your server, copy the corresponding block from your own port 80 configuration.
    location ~ .*\.(php|php5)?$ {
        # fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }
    location ~ .*\.(js|css)?$ {
        expires 1h;
    }
    # If you do not know how to fill in the following, refer to the port 80 configuration
    include /rewrite/default.conf;
    access_log /default.log;
}

Update Configuration

nginx -t        # test whether the configuration file is correct
nginx -s reload # reload the configuration file

By now, the server configuration is complete.

Client Configuration

If the certificate were issued by a CA, HTTPS requests could be made directly. Ours is self-signed, so a direct request returns an error. The following describes how to configure AFN (AFNetworking) to make HTTPS requests against a self-signed certificate.

Add the cer certificate generated above to the app bundle.

Configure the following before using AFN for requests:

// Pin the public key of the certificate(s) found in the app bundle (server.cer).
AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
// The certificate is self-signed, so the system trust store rejects it; allow that here.
// The request still only succeeds if the server's public key matches the pinned one.
policy.allowInvalidCertificates = YES;
AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
manager.securityPolicy = policy;
// Use manager for HTTPS requests.
