Linux nginx HTTPS network security Access Service

Source: Internet
Author: User

1. HTTPS Network Security Access Service

1.1 Issues related to network security

①. Network security issue: data confidentiality

Transmitted data may be visible to third parties at any time

②. Network security issue: data integrity

Transmitted data must not be arbitrarily modifiable by anyone

③. Network security issue: authentication

On first communication, the identity of both sides of the communication needs to be confirmed

1.1.1 Resolution of data confidentiality issues

a) Use ordinary cryptographic algorithms to address confidentiality

The transmitted data (plaintext) is encrypted into ciphertext with an algorithm, and the corresponding algorithm is then used to decrypt the ciphertext back into the real data.

Advantage: data is transmitted secretly, which avoids the danger of sending it in plaintext.

Disadvantage: the scheme only converts plaintext into ciphertext with an algorithm; if a third party obtains the algorithm, it can convert the ciphertext back into plaintext.

b) Use symmetric encryption algorithms to address confidentiality (an important encryption method)

Symmetric encryption is like locking the rules of an ordinary algorithm in a safe: only someone who has both the safe and its key can get at the algorithm handbook.

Advantage: symmetric key encryption is very fast, and it solves the security problem of the ordinary encryption algorithm.

Disadvantage: the security of the encryption and decryption process depends completely on the key, and because the symmetric key is shared among the parties, key management becomes unmanageable when there are too many communication partners.


1.1.1 Resolution of data integrity issues

a) Use a one-way encryption algorithm (full network backup data integrity)

***************************************************************

Extension description:

01: The signatures (data fingerprints) of different data are not the same

· The same data input always produces the same signature output

· Avalanche effect: a small change in the input causes a huge change in the output

· Fixed-length output: whatever the source data, the length of the result is the same

· Irreversible: the original data cannot be restored from the data fingerprint

****************************************************************************

Disadvantage: does not take into account the effect of a man-in-the-middle on the data

b) Use a one-way encryption algorithm (encrypted signature)

The data is encrypted with a symmetric encryption algorithm, and the signature is encrypted as well.

The receiver holds the same key as the sender and uses it to decrypt the encrypted data and signature.

A signature encrypted by a man-in-the-middle, however, cannot be decrypted by the receiver, so the receiver cannot obtain the signature and simply discards the data.

****************************************************************************

Extension Description:

01: How can the symmetric key be made available to both sides of the communication effectively?

A symmetric key negotiation process is required, carried out through a key exchange mechanism (Internet Key Exchange, IKE)

The protocol that implements the key exchange mechanism is called the Diffie-Hellman protocol.

****************************************************************************
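
The fingerprint properties listed above, and the difference between a bare fingerprint and one bound to a shared key, can be checked with openssl dgst. This is an added example, not part of the original article: it uses HMAC-SHA256 as the keyed fingerprint in place of the encrypt-the-signature scheme described above, and the messages and keys are constructed sample values.

```sh
#!/bin/sh
# Added example. Messages and keys are constructed sample values.

# fingerprint DATA: hex SHA-256 fingerprint of DATA
fingerprint() {
    printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'
}

# keyed_fingerprint KEY DATA: hex HMAC-SHA256 of DATA under the shared KEY.
# A key passed with -hmac is visible in the process list, which is
# acceptable for a demonstration only.
keyed_fingerprint() {
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

# plain_check DATA FP: all a receiver can do with a bare fingerprint
plain_check() {
    [ "$(fingerprint "$1")" = "$2" ]
}

# keyed_check KEY DATA TAG: the receiver recomputes the tag with its own key
keyed_check() {
    [ "$(keyed_fingerprint "$1" "$2")" = "$3" ]
}

# tamper_detected MODE: a middle party replaces the message and attaches the
# best fingerprint it can compute without the shared key.
# Exit 0 if the receiver rejects the result.
tamper_detected() {
    forged="pay 900 to mallory"
    case $1 in
        plain) ! plain_check "$forged" "$(fingerprint "$forged")" ;;
        keyed) ! keyed_check "shared-secret" "$forged" \
                   "$(keyed_fingerprint "guessed-key" "$forged")" ;;
    esac
}

for mode in plain keyed; do
    if tamper_detected "$mode"; then echo "$mode: tampering detected"
    else echo "$mode: tampering NOT detected"; fi
done
```

The bare fingerprint passes the receiver's check because anyone can recompute it for replaced data; the keyed one fails without the shared key.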


1.1.1 Authentication Problem Resolution

a) Use an asymmetric key encryption algorithm (public key encryption algorithm)

The sender creates a private key and a public key and sends the public key to the receiver, which enables the receiver to authenticate the party sending the data

During web site access, the public key information is called a certificate (XXX).


1.1.1 The conclusion of network security

To achieve network security, the order in which the issues need to be resolved is:

1. Resolve the authentication issue

2. Resolve the data integrity issue

3. Resolve the data confidentiality issue

1.2 Network security certificate

1.2.1 The origin of the security certificate

According to the conclusion above, the first problem to solve in network security is authentication.

The main way to solve the authentication problem is to use a private key and a public key.

Obtaining the public key information therefore becomes particularly important; it is obtained through a fair and impartial third party.

1.2.2 What is included in the certificate information

Public key information and the certificate expiration time

Information about the legal owner of the certificate

How the certificate should be used (not a concern here)

Information about the issuing CA

Check code of the CA signature


1.1.1 How to obtain a network security certificate

1.1.1 Symmetric encryption algorithm

1.1.1 One-way encryption algorithm



1.1.2 Asymmetric Encryption algorithm


1.1 OpenSSL software detailed description

1.1.1 OpenSSL software introduction

On a computer network, OpenSSL is an open source software library that applications can use to secure communication, avoid eavesdropping, and confirm the identity of the party at the other end of the connection. It is widely used in Internet web servers.

Its main library is written in C and implements the basic cryptographic functions as well as the SSL and TLS protocols. OpenSSL runs on OpenVMS, Microsoft Windows, and most Unix-like operating systems (including Solaris, Linux, Mac OS X and the various open source BSD operating systems). A ported version that runs on IBM i (OS/400) is also available.

Although the software is open source, its license terms conflict with the GPL, so GPL software (e.g. wget) must grant an exception for OpenSSL when using it.

1.1.2 Obtaining version information for OpenSSL software

openssl version <- view OpenSSL version information

1.1.3 Obtaining OpenSSL configuration file information

/etc/pki/tls/openssl.cnf <- OpenSSL configuration file, used primarily when configuring a private CA

Description: the OpenSSL configuration file basically does not need much modification

1.1.4 Simple use of OpenSSL

# Example: encrypt a file

# openssl enc -des3 -salt -a -in inittab -out initab.des3 <- encryption succeeds after the password is entered

# openssl enc -des3 -d -salt -a -in initab.des3 -out inittab <- decryption succeeds after the password is entered

Description: the -salt parameter in the command is mainly used to prevent the key string from being derived back once the password has been encrypted

# Generate a password string like the one used for system users

openssl passwd -1 <- converts a plaintext password into a ciphertext user password string using MD5

Description: used to store user password information in a database and to reset user passwords.

# Generate pseudo-random numbers

openssl rand -base64 <- supply an arbitrary number; generates arbitrary random numbers.
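
What -salt changes can be seen by encrypting the same text twice with the same password. This is an added example, not from the original article: it substitutes -aes-256-cbc with -pbkdf2 (OpenSSL 1.1.1 or later) for the article's -des3, and the password and text are constructed sample values.

```sh
#!/bin/sh
# Added example. The password and text are constructed sample values.
# "-pass pass:..." exposes the password in the process list; scripts that
# handle real secrets read it with "-pass file:PATH" or "-pass env:VAR".

# encrypt SALTFLAG PASSWORD TEXT: base64 ciphertext on stdout
encrypt() {
    printf '%s' "$3" |
        openssl enc -aes-256-cbc "$1" -pbkdf2 -a -pass "pass:$2"
}

# decrypt SALTFLAG PASSWORD CIPHERTEXT: plaintext on stdout
decrypt() {
    printf '%s\n' "$3" |
        openssl enc -aes-256-cbc -d "$1" -pbkdf2 -a -pass "pass:$2"
}

# same_twice SALTFLAG: exit 0 if two encryptions of identical input match
same_twice() {
    [ "$(encrypt "$1" "oldboy-demo" "root:x:0:0")" = \
      "$(encrypt "$1" "oldboy-demo" "root:x:0:0")" ]
}

if same_twice -nosalt; then echo "-nosalt: identical ciphertext every time"; fi
if ! same_twice -salt; then echo "-salt: ciphertext differs on every run"; fi
```

Without a salt, one password always derives the same key, so equal inputs give equal ciphertext and a table of password-to-key mappings can be prepared in advance; the random salt stored at the start of the output removes both properties.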

1.1.5 Establishing a private CA (certification authority) with OpenSSL

Implementing HTTPS:

1) Generate the private key (birth certificate) and the certificate request file (hukou) --- done by operations staff

2) Based on the information in the certificate request file, the certification authority generates the certificate file (XXX) --- done by the certification authority

3) The enterprise website uses the certificate to give users secure, authenticated access --- done by operations staff

1.1.6 Simulating the certification authority's issuing procedure

01) Generating the private key file

openssl genrsa 2048 > server.key <- creates a private key with a specified length of 2048 and saves the generated private key in a file

openssl genrsa -out server.key 2048 <- stores the private key in a file directly; the key length must be placed after the output file

(umask 077; openssl genrsa -out server1024.key 1024) <- the parentheses run the commands in a subshell, temporarily changing the umask so that the private key file is created with permission 600

02) Generate a self-signed certificate

# openssl req -new -x509 -key server1024.key -out server.crt -days 365

req <- used to create a new certificate

-new <- indicates that a certificate is being created

-x509 <- indicates that the certificate uses the standard format

-key <- the private key file to use

-out <- the output certificate file

-days <- the validity period of the certificate

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [XX]:CN <- the country for which the certificate is generated

State or Province Name (full name) []:BJ <- the province for which the certificate is generated

Locality Name (eg, city) [Default City]:bj <- the city for which the certificate is generated

Organization Name (eg, company) [Default Company Ltd]:oldboy <- the organization for which the certificate is generated

Organizational Unit Name (eg, section) []:it <- the department for which the certificate is generated

Common Name (eg, your name or your server's hostname) []:oldboy.com.cn <- the host name of the server

Note: this entry is very important. Before the client obtains the certificate, it uses the host name to connect to the corresponding server, and only then obtains the certificate.

Email Address []:

# openssl x509 -text -in server.crt <- view the information in a certificate

1.1.7 Actual process of creating a self-signed CA certificate

cd /etc/pki/CA/private/ <- enter the directory where the private key is kept

(umask 077; openssl genrsa -out ./cakey.pem 2048) <- create the CA private key file

cd /etc/pki/CA <- enter the directory where the CA self-signed certificate is kept

openssl req -new -x509 -key private/cakey.pem -out cacert.pem <- generate the self-signed certificate

Note: because some certificate information is already defined in the configuration file, the default input is sufficient

1.2 HTTPS Practice Deployment

1.2.1 Using certificates for HTTPS access to the Nginx service

1) Install the OpenSSL software

# yum install openssl

# yum install openssl-devel

2) Plan the certificate directory

# cd /application/nginx/conf/ <- directory of the Nginx program installed from source

# mkdir key

# cd key/

3) Create the private key file

Create the server private key; the command asks you to enter a password (here it is Oldboy):

Generating RSA private key, 1024 bit long modulus
......................++++++
...................++++++
e is 65537 (0x10001)
Verifying - Enter pass phrase for server.key:

4) Create the certificate request

Create a certificate signing request (CSR):

openssl req -new -key server.key -out server.csr

Extension description: remove the password from the private key file

cp server.key server.key.org

openssl rsa -in server.key.org -out server.key <- generate a private key without a password

5) Configure the Nginx service to support certificate access

Modify the Nginx configuration file to include the newly signed certificate and private key:

server {
    server_name your_domainname_here;
    listen 443;
    ssl on;    # obsolete since nginx 1.15.0 and removed in 1.25.1; current releases use "listen 443 ssl;"
    ssl_certificate /application/nginx/conf/key/server.crt;
    ssl_certificate_key /application/nginx/conf/key/server.key;
}
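
Step 4 produces only a request (server.csr), while the configuration in step 5 points at server.crt, so the request still has to be signed. The script below is an added example, not part of the original article: it signs the request with a throwaway private CA and runs the checks worth doing before nginx is pointed at the files. The names demo-ca and www.example.test, the san.ext file and the scratch directory are assumptions.

```sh
#!/bin/sh
# Added example. demo-ca, www.example.test and the file names are
# constructed placeholders; everything is written to a scratch directory.

# issue_cert DIR NAME: create a throwaway CA in DIR, then a server key,
# a CSR for NAME, and a certificate for that CSR signed by the CA.
issue_cert() (
    umask 077                          # key files are created mode 600
    cd "$1" || exit 1
    openssl genrsa -out cakey.pem 2048 2>/dev/null &&
    openssl req -new -x509 -key cakey.pem -out cacert.pem -days 365 \
        -subj "/CN=demo-ca" &&
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -key server.key -out server.csr -subj "/CN=$2" &&
    # Current browsers match the host name against subjectAltName, not CN
    printf 'subjectAltName=DNS:%s\n' "$2" > san.ext &&
    openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -extfile san.ext -days 365 -sha256 \
        -out server.crt 2>/dev/null
)

# chain_ok DIR: exit 0 if server.crt chains to cacert.pem
chain_ok() {
    openssl verify -CAfile "$1/cacert.pem" "$1/server.crt" >/dev/null 2>&1
}

# key_matches_cert DIR: exit 0 if server.key and server.crt hold the same
# public key (nginx refuses to start when they do not)
key_matches_cert() {
    k=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/server.crt" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# cert_names_host DIR NAME: exit 0 if NAME is listed in subjectAltName
cert_names_host() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

dir=$(mktemp -d) && issue_cert "$dir" www.example.test &&
    chain_ok "$dir" && key_matches_cert "$dir" &&
    cert_names_host "$dir" www.example.test &&
    echo "server.crt chains to the CA and matches server.key"
rm -rf "$dir"
```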

1.2.2 Automatically redirecting HTTP access to HTTPS on a single web server

Method One: use the address rewriting function

server {
    listen 80;
    server_name www.etiantian.org;
    rewrite ^(.*)$ https://$host$1 permanent;
}

Description: add an HTTP redirect server block above the HTTPS server block

server {
    listen;
    server_name www.etiantian.org;
    ssl on;
    ssl_certificate /application/nginx/conf/key/server.crt;
    ssl_certificate_key /application/nginx/conf/key/server.key;
    location / {
        root html/www;
        index index.html index.htm;
    }
}

Description: 497 is a built-in error code; when a request made over HTTP cannot be processed, it has to be handled over HTTPS

Method Three: use a return status code to perform the redirect

server {
    listen 80;
    server_name www.etiantian.org;
    return 301 https://$host$uri;
}

Description: add an HTTP redirect server block above the HTTPS server block

1.2.3 Using a reverse proxy server for HTTP to HTTPS redirects

First milestone: modify the address pool information

upstream www_server_pools {
    server 10.0.0.7:443;
    server 10.0.0.8:443;
    server 10.0.0.9:443;
}

Second milestone: modify the information that calls the address pool

listen 443;
server_name www.etiantian.org;
ssl on;
ssl_certificate /application/nginx/conf/key/server.crt;
ssl_certificate_key /application/nginx/conf/key/server.key;
location / {
    proxy_pass https://www_server_pools;
}

Third milestone: define the HTTP to HTTPS redirect configuration

server {
    listen 80;
    server_name www.etiantian.org;
    rewrite ^(.*)$ https://$host$1 permanent;
}

1.2.4 HTTPS Configuration Summary

①. Review the official documentation for the SSL module

http://nginx.org/en/docs/http/ngx_http_ssl_module.html

②. Be familiar with the process of creating a private key and generating a certificate request

③. Obtain a certificate issued by a certification authority and configure it in the application

PS: If the enterprise can afford it, try to use a paid certificate.
