Nginx Build HTTPS Server

Source: Internet
Author: User
Tags: sample html code, generate ssl certificate, ssl certificate, ssl connection

HTTPS introduction
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is a security-oriented HTTP channel; put simply, it is the secure version of HTTP. An SSL layer is inserted beneath HTTP, so the security of HTTPS rests on SSL, and the details of the encryption are handled by SSL. It is a URI scheme (an abstract identifier system) with syntax similar to http:, used for the secure transfer of HTTP data. The default port used by HTTPS is 443.
Introduction to SSL certificates
To set up a secure server, use public-key cryptography to create a key pair. In most cases you send a certificate request (which includes your public key), proof of your company's identity, and a fee to a certification authority (CA). The CA verifies the certificate request and your identity, and then returns the certificate for your secure server.
To encrypt traffic between a server and its clients on an intranet, however, you can issue your own certificate; you only need to ignore the browser's warning that the certificate is not trusted.
A certificate signed by a CA provides two important features for your server:
    • The browser recognizes the certificate automatically and allows a secure connection to be created without prompting the user.
    • When a CA issues a signed certificate, it vouches for the identity of the organization that serves the Web pages to the browser.
    • Most SSL-enabled Web browsers have a list of CAs whose certificates are accepted automatically. When a browser encounters a certificate whose issuing CA is not in that list, it asks the user whether to accept or reject the connection.

Generate SSL Certificate
First create the private key, protected with a DES3 passphrase:
    openssl genrsa -des3 -out wangzhengyi.key 2048

Then generate a certificate signing request (CSR) from that key; this is what you would send to a CA:
    openssl req -new -key wangzhengyi.key -out wangzhengyi.csr

Create a self-signed CA certificate
For an intranet server you can sign the certificate yourself instead of sending the CSR to a CA. wangzhengyi_nopass.key is the same private key with the passphrase removed, so that nginx can start without prompting for it:
    openssl req -new -x509 -days 3650 -key wangzhengyi_nopass.key -out wangzhengyi.crt

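The same three steps as one non-interactive script, added here as an example and not taken from the page: it also performs the step the page's configuration implies but does not show (stripping the passphrase to produce wangzhengyi_nopass.key) and checks that the key and certificate belong together. The passphrase, the subject and the address 192.168.1.10 used in the SAN are constructed values.

```shell
#!/bin/sh
# Added example (not from the page): the certificate steps run non-interactively,
# plus the assumed passphrase-stripping step and a key/certificate consistency check.
# File names follow the page; passphrase, subject and SAN address are constructed.

# Build wangzhengyi.key, .csr, _nopass.key and .crt inside directory $1.
make_selfsigned_pair() {
    dir=$1
    pass="pass:changeit"   # constructed demo passphrase, never reuse it
    # 1. RSA private key encrypted with DES3, as on the page
    openssl genrsa -des3 -passout "$pass" -out "$dir/wangzhengyi.key" 2048 2>/dev/null || return 1
    # 2. CSR from that key (what you would hand to a CA)
    openssl req -new -key "$dir/wangzhengyi.key" -passin "$pass" -subj "/CN=192.168.1.10" \
        -out "$dir/wangzhengyi.csr" 2>/dev/null || return 1
    # 3. Copy of the key without passphrase so nginx starts unattended (assumed step)
    openssl rsa -in "$dir/wangzhengyi.key" -passin "$pass" \
        -out "$dir/wangzhengyi_nopass.key" 2>/dev/null || return 1
    chmod 600 "$dir/wangzhengyi_nopass.key" || return 1   # only nginx's master process needs it
    # 4. Self-signed certificate, 10 years, with a SAN so browsers can match the address
    openssl req -new -x509 -days 3650 -key "$dir/wangzhengyi_nopass.key" \
        -subj "/CN=192.168.1.10" -addext "subjectAltName=IP:192.168.1.10" \
        -out "$dir/wangzhengyi.crt" 2>/dev/null || return 1
}

# Print "match" if private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ] && echo match || echo mismatch
}

# Print "self-signed" if the certificate's issuer equals its subject.
cert_is_selfsigned() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ -n "$s" ] && [ "$s" = "$i" ] && echo self-signed || echo ca-signed
}

# Stand-alone run: build the files in a scratch directory and report on them.
work=$(mktemp -d)
make_selfsigned_pair "$work" || { echo "openssl step failed" >&2; exit 1; }
echo "key/cert: $(key_matches_cert "$work/wangzhengyi_nopass.key" "$work/wangzhengyi.crt")"
echo "chain: $(cert_is_selfsigned "$work/wangzhengyi.crt")"
openssl x509 -in "$work/wangzhengyi.crt" -noout -subject -enddate
```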
Building an HTTPS virtual host
Virtual host configuration file:
    upstream sslfpm {
        # weight defaults to 1 when not given
        server 127.0.0.1:9000 weight=1 max_fails=3 fail_timeout=20s;
    }
    server {
        listen 192.168.1.*:443;
        server_name 192.168.1.*;
        # enable SSL for this server ("ssl on" is deprecated in current nginx; "listen 443 ssl" replaces it)
        ssl on;
        # PEM certificate file for this virtual host
        ssl_certificate /home/wangzhengyi/ssl/wangzhengyi.crt;
        # private key file for this virtual host
        ssl_certificate_key /home/wangzhengyi/ssl/wangzhengyi_nopass.key;
        # how long clients may reuse the session parameters stored in the cache
        ssl_session_timeout 5m;
        # SSL protocols to use (SSLv3 and TLSv1 are obsolete; modern deployments use TLSv1.2 and TLSv1.3)
        ssl_protocols SSLv3 TLSv1;
        # permitted cipher description
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        # for SSLv3 and TLSv1, the server's cipher preferences take priority over the client's
        ssl_prefer_server_ciphers on;
        location / {
            root /home/wangzhengyi/ssl/;
            autoindex on;
            autoindex_exact_size off;
            autoindex_localtime on;
        }
        # redirect server error pages to the static page /50x.html
        error_page 502 503 504 /50x.html;
        error_page 404 /404.html;
        location = /50x.html {
            root /usr/share/nginx/www;
        }
        location = /404.html {
            root /usr/share/nginx/www;
        }
        # proxy the PHP scripts to FPM
        location ~ \.php$ {
            access_log /var/log/nginx/ssl/ssl.access.log main;
            error_log /var/log/nginx/ssl/ssl.error.log;
            root /home/wangzhengyi/ssl/;
            fastcgi_param HTTPS on;
            include /etc/nginx/fastcgi_params;
            fastcgi_pass sslfpm;
        }
    }

HTTPS server optimization
SSL operations consume CPU resources, so on multiprocessor systems several worker processes need to be started, no fewer than the number of available CPUs. The most CPU-intensive SSL operation is the SSL handshake, and there are two ways to minimize the number of handshakes per client:
    1. Keep client connections alive and send multiple requests over one SSL connection.
    2. Reuse SSL session parameters across concurrent or subsequent connections, which avoids the SSL handshake altogether.

A session cache holds SSL sessions; it is shared between worker processes and is configured with the ssl_session_cache directive. A 1M cache can hold approximately 4,000 sessions. The default cache time-out is 5m, and you can increase it with ssl_session_timeout.
The ssl_session_cache directive:
    Syntax: ssl_session_cache off | none | builtin:size | shared:name:size
    Context: main, server
    Cache types:
    off: strict disable; nginx explicitly tells the client that sessions may not be reused.
    none: soft disable; nginx tells the client that sessions may be reused, but does not actually store the parameters.
    builtin: OpenSSL's built-in cache, usable by one worker process only; it may cause memory fragmentation.
    shared: a cache shared between all worker processes. (1) The cache size is specified in bytes. (2) Each cache must have its own name. (3) A cache with the same name can be used by multiple virtual hosts.

Optimization sample:
    # optimize the SSL service
    ssl_session_cache shared:wzy:10m;
    # how long clients may reuse the session parameters stored in the cache
    ssl_session_timeout 10m;
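As an added example (not from the page), the shell audit below checks the ssl_* directives from the virtual host configuration and the session-cache optimization above against current nginx practice: it reports the deprecated ssl on form, the obsolete SSLv3 and TLSv1 protocols, cipher tokens such as RC4, +LOW, +SSLv2 and +EXP, and a missing shared ssl_session_cache. Both sample configuration files are constructed inline, and the hardened cipher list is an assumption, not something the page specifies.

```shell
#!/bin/sh
# Added example (not from the page): audit the ssl_* directives of an nginx server
# block with grep/sed, applied to the page's settings and to a hardened variant.
# Sample configs are constructed; the hardened cipher list is an assumption.

# Print one line per finding for the nginx config file $1; prints nothing when clean.
audit_ssl_config() {
    grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$1" &&
        echo "deprecated 'ssl on;' - use 'listen 443 ssl;' instead"
    for p in $(sed -nE 's/^[[:space:]]*ssl_protocols[[:space:]]+([^;]*);.*/\1/p' "$1"); do
        case "$p" in SSLv2|SSLv3|TLSv1|TLSv1.1) echo "obsolete protocol: $p";; esac
    done
    ciphers=$(sed -nE 's/^[[:space:]]*ssl_ciphers[[:space:]]+([^;]*);.*/\1/p' "$1" | tr ':' ' ')
    for tok in $ciphers; do
        case "$tok" in
            +LOW|+EXP|+SSLv2|LOW|EXP|EXPORT*|SSLv2|RC4*|aNULL|eNULL|NULL)
                echo "weak cipher token: $tok";;
        esac
    done
    grep -Eq '^[[:space:]]*ssl_session_cache[[:space:]]+shared:' "$1" ||
        echo "no shared ssl_session_cache - every connection pays a full handshake"
    return 0
}

# Number of findings for config $1; 0 means every check passed.
ssl_finding_count() { audit_ssl_config "$1" | wc -l | tr -d ' '; }

# Demo: the page's SSL settings next to a hardened version (constructed files).
work=$(mktemp -d)
cat >"$work/weak.conf" <<'EOF'
    ssl on;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
EOF
cat >"$work/hardened.conf" <<'EOF'
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:wzy:10m;
    ssl_session_timeout 10m;
EOF
audit_ssl_config "$work/weak.conf"
echo "weak: $(ssl_finding_count "$work/weak.conf") finding(s); hardened: $(ssl_finding_count "$work/hardened.conf")"
```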


Reference link: http://nginx.org/cn/docs/http/configuring_https_servers.html
