Linux nginx HTTPS network security Access Service

1th. HTTPS Network security Access Service 1.1 issues related to network security

①. Network security issues-data confidentiality issues Transmitted data may be visible to third parties at all times ②. Network security issues-data integrity issues Transferred data cannot be arbitrarily modified by anyone ③. Network security Issues-authentication issues In the first communication, it is necessary to confirm the identity of both sides of the communication

1.1.1 Resolution of data confidentiality issues

A) Use common cryptographic algorithms to address confidentiality Using the corresponding algorithm, the transmitted data (plaintext data) is encrypted (ciphertext data), and then the corresponding algorithm is used to decrypt the encrypted data into real data. Advantages: The data secret transmission is realized, which avoids the danger of transmitting data in plaintext. Disadvantage: The use of encryption algorithm, the text is converted to ciphertext, if the third party obtains the encryption algorithm, can transfer ciphertext again into clear text b) using symmetric encryption algorithms to address confidentiality (an important encryption method) Symmetric cryptography is like putting the rules of a common algorithm into a safe, and only getting the safe and safe keys to get the algorithm handbook Advantages: The key encryption algorithm is very fast and solves the security problem of ordinary encryption algorithm. Disadvantage: The security of the encryption and decryption process is completely dependent on the key, and the symmetric encryption key is public and cannot resolve the key management problem when there are too many communication encryption objects.

1.1.1 Data Integrity Problem solving

a) using a single encryption algorithm (full network backup data integrity) *************************************************************** extension description: 01: Signatures of different data (data fingerprint information) are not consistent data input, signature information output must be the same · The avalanche effect, the small change in input, will cause a huge change in output fixed-length output, regardless of the source data, but the results are the same irreversible, can not be based on the data fingerprint, restore the original data information. **************************************************************************** cons: no consideration of the effect of middle-man xxx on data information

b) using a single encryption algorithm (cryptographic signature) The symmetric encryption algorithm is used to encrypt the data, and the characteristic code is also encrypted. The receiver has the same key as the sender to decrypt the encrypted data and signatures But the man-in-the-middle encryption signature is no way for the receiver to decrypt, so the receiver can not get the signature, directly discard the data **************************************************************************** Extension Description: 01: How can the symmetric key be effectively made available to both sides of the communication? A symmetric key negotiation process is required, that is, through the key exchange mechanism (Internet key exchange IKE) The protocol that implements the key exchange mechanism is called the Diffie-hellman protocol. ****************************************************************************

1.1.1 Authentication Problem Resolution

A) Using asymmetric key encryption algorithm (public key encryption algorithm) The sender establishes the private key and the public key, sends the public key to the receiver, thereby enabling the authentication of the sending data party Public key information is called a certificate (XXX) during web site access.

1.1.1 The conclusion of network security

To achieve network security, the order in which the issues need to be resolved is: 1. Resolve the authentication issue 2. Resolve Data integrity Issues 3. Resolving data confidentiality issues

1.2 Network security Certificate 1.2.1 The origin of the security certificate

According to the above conclusions, the first problem of network security is authentication; The main way to solve the authentication problem is to use the private key and the public key and the main public key information acquisition becomes particularly important; using third party justice, impartial public key information

What is included in the 1.2.2 certificate information

Public key information, and certificate expiration Time Legal owner information of the certificate How the certificate should be used (no concern) CA Issuing Authority Information Check code for CA signature

1.1.1 How to obtain a network security certificate

1.1.1 Symmetric encryption algorithm

1.1.1 One-way encryption algorithm

1.1.2 Asymmetric Encryption algorithm

1.1 OpenSSL software detailed description 1.1.1 OpenSSL software introduction

On a computer network, OpenSSL is an open source software library package that the application can use to secure communication, avoid eavesdropping, and confirm the identity of the other end of the connector. This package is widely used in Internet Web server. Its main library is written in C language, realizes the basic encryption function, realizes the SSL and TLS protocol. OpenSSL can run on OpenVMS, Microsoft windows, and most Unix-like operating systems (including Solaris,linux,mac OS X with various versions of the open source BSD operating system). It also provides a ported version that can operate on IBM I (os/400). Although the software is open source, its license terms are in conflict with the GPL, so the GPL (e.g. wget) must be given an exception to OpenSSL when using OpenSSL.

1.1.2 Obtaining version information for OpenSSL software

OpenSSL version <-viewing OpenSSL release information

1.1.3 Obtaining OpenSSL profile information

/ETC/PKI/TLS/OPENSSL.CNF <-OpenSSL profile, used primarily when configured as a private CA Description: Basically the OpenSSL configuration file does not require an operation to modify the configuration too much

1.1.4 OpenSSL simple to use

#举例说明, encrypt a file # OpenSSL enc-des3-salt-a-in inittab-out initab.des3 <-password is successfully encrypted # OpenSSL enc-des3-d-salt-a-in initab.des3-out inittab <-Enter key after decryption is successful Description: The salt parameter in the command, mainly used to avoid the password encryption, the key string of the reverse push #生成和用户一样的密码串 OpenSSL passwd-1 <-uses MD5 encrypted user cipher string to convert plaintext password to ciphertext Description: Implement the user password information in the database, and implement the user password information reset. #生成伪随机数方法 OpenSSL rand-base64 <-gives an arbitrary number, generates arbitrary random numbers.

1.1.5 OpenSSL software establishes a private CA (certification authority)

Implement https: 1) Generate the private key (birth certificate) and request certificate file (hukou)---operation and maintenance needs to be completed 2) Depending on the request certificate file information, the certification authority generates a certificate file (XXX)---certification authority to complete 3) The Enterprise website uses the certificate, realizes the user security authentication access---operation and maintenance needs to complete

1.1.6 a simulated certification Authority issue program

01) Generate private Key file information method OpenSSL Genrsa 2048 >server.key <-creates private key information and specifies a private key length of 2048, and generates The private key information is saved in a file OpenSSL genrsa-out Server.key 2048 <-The private key information is stored directly, the length of the encryption must be placed in the output Behind files (Umask 077;openssl genrsa-out server1024.key 1024x768) <-use parentheses to implement child shell functions, Temporarily modify the umask so that it creates a private key file permission of 600

02) Generate self-signed certificate [email protected] ~]# OpenSSL req-new-x509-key server1024.key-out server.crt-days 365 Req <-for creating a new certificate New <-indicates that the certificate was created X509 <-indicates that the format of the definition certificate is in standard format Key <-represents the private key file information for the call Out <-indicates output certificate file information Days <-indicates the validity period of the certificate You is about-to is asked to-enter information that'll be incorporated into your certificate request. What's about-to-enter is called a distinguished Name or a DN. There is quite a few fields but can leave some blank For some fields there would be a default value, If you enter '. ', the field would be a left blank. ----- Country Name (2 letter code) [XX]:CN <-defines the country that generated the certificate State or province name (full name) []:BJ <-defines the province in which the certificate is generated Locality Name (eg, city) [Default city]:bj <-define the cities where the certificate is generated Organization Name (eg, company) [Default Ltd]:oldboy <-defines the organization that generated the certificate Organizational unit Name (eg, section) []:it <-define the function that generated the certificate Common name (eg, your name or your server ' s hostname) []:oldboy.com.cn <-define host server name Note: This output information is very important, before the client obtains the certificate, it uses the host name to establish a connection between the corresponding server, and then obtains the certificate Email Address []: #openssl x509-text-in server.crt <-to view the information in a certificate

1.1.7 CA Self-signed certificate actual creation process

cd/etc/pki/ca/private/<-into the private key save directory (Umask 077;openssl genrsa-out./CAKEY.PEM 2048) <-Create a CA private key file Cd/etc/pki/ca <-into the CA self-signed save directory OpenSSL req-new-x509-key private/cakey.pem-out cacert.pem <-generate self-signed certificate Note: Because some certificate information is defined in the following configuration file, the default input can be

1.2 HTTPS Practice Deployment 1.2.1 Using certificates for HTTPS access Nginx service

1) Install OPESSL software # yum Install OpenSSL # yum Install Openssl-devel

2) Planning the certificate directory # cd/application/nginx/conf/<-Compiler installation Nginx program directory # mkdir Key # CD key/

3) Create a private key file Create a server private key , the command will let you enter a password: Here is the Oldboy generating RSA private key, 1024x768 bit long modulus ......................++++++ ...................++++++ e is 65537 (0x10001) verifying-enter Pass phrase for Server.key:

4) Create a request certificate Create a certificate (CSR) for the signing request: OpenSSL Req-new-key server.key-out SERVER.CSR Extension Description: Remove the secret key file password information CP Server.key server.key.org OpenSSL rsa-in server.key.org-out server.key <-generate a private key without a password

5) Configure the Nginx service to support certificate access Modify the Nginx configuration file to include the newly tagged certificate and private key: server { server_name your_domainname_here; Listen 443; SSL on; SSL_CERTIFICATE/APPLICATION/NGINX/CONF/KEY/SERVER.CRT; Ssl_certificate_key/application/nginx/conf/key/server.key; }

1.2.2 Single Web server for HTTP access automatically jumps to HTTPS

Method One: Use the address rewriting function server { Listen 80; server_name www.etiantian.org; Rewrite ^ (. *) $ https://$host $ permanent; } Description: Add an HTTP jump server on top of HTTPS configuration server

server { listen; server_name www.etiantian.org; ssl on; SSL_CERTIFICATE/APPLICATION/NGINX/CONF/KEY/SERVER.CRT; ssl_certificate_key/application/nginx/conf/key/server.key; location/{ root html/www; index index.html index.htm; } description: 497 is a built-in error code, when access to HTTP cannot be processed, you need to take advantage of HTTPS processing

Method Three: Using return status code to realize jump access server { Listen 80; server_name www.etiantian.org; Return 301 https://$host $uri; } Description: Add an HTTP jump server on top of HTTPS configuration server

1.2.3 using a reverse proxy server for HTTP to HTTPS jumps

First milestone: Modify address pool information Upstream Www_server_pools { Server 10.0.0.7:443; Server 10.0.0.8:443; Server 10.0.0.9:443; }

second milestone: Modify address pool invocation information listen 443; server_name www.etiantian.org; ssl on; SSL_CERTIFICATE/APPLICATION/NGINX/CONF/KEY/SERVER.CRT; ssl_certificate_key/application/nginx/conf/key/server.key; location/{ proxy_pass Https://www_server_pools; }

Third milestone: Define HTTP to HTTPS jump configuration information server { Listen 80; server_name www.etiantian.org; Rewrite ^ (. *) $ https://$host $ permanent; }

1.2.4 HTTPS Configuration Summary

①. Summarizing official Documents SSL module Http://nginx.org/en/docs/http/ngx_http_ssl_module.html ②. Familiar with creating a private key generation request certificate process ③. Obtaining a certificate issued by a certification authority to configure the app PS: If the enterprise has the condition, try to use the paid certificate.

Linux nginx HTTPS network security Access Service