Nginx: Configuring HTTPS Access
First, HTTPS introduction
HTTPS is actually made up of two parts: HTTP + SSL/TLS, that is, an encryption layer added on top of HTTP. The information transferred between the server and the client passes through TLS, so the transmitted data is encrypted.
Second, HTTPS protocol principle
First, the client establishes a connection with the server, and each side generates its own key pair (a private key and a public key, which are different). The server returns its public key to the client; the client uses that public key to encrypt the content it wants to request (the ciphertext) and sends it to the server together with its own public key. The server decrypts the text with its own private key, encrypts the response data with the client's public key, and returns it to the client. The client decrypts the text with its own private key and renders the data.
Third, SSL: generating the certificate and private key
1, create a directory to hold the private key and certificate, and enter it
[root@localhost ~]# mkdir /usr/local/nginx-1.12.1/key
[root@localhost ~]# cd /usr/local/nginx-1.12.1/key
2, generate the private key file (the tutorial uses a 1024-bit RSA key; 1024-bit RSA is no longer considered adequate and public CAs require at least 2048 bits, so use 2048 or more for anything beyond a lab test)
[root@localhost key]# openssl genrsa -out server.key 1024
3, generate the CSR file
[root@localhost key]# openssl req -new -key server.key -out certreq.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                   # ISO country code of the unit's location
State or Province Name (full name) []:beijing                           # province / autonomous region / municipality
Locality Name (eg, city) [Default City]:beijing                        # city / county / district
Organization Name (eg, company) [Default Company Ltd]:lvdian           # legal name of the unit / institution / enterprise
Organizational Unit Name (eg, section) []:yunwei                       # department name
Common Name (eg, your name or your server's hostname) []:www.long.com  # host name; must exactly match the domain name used to reach the server over SSL
Email Address []:                                                      # e-mail address; optional, press Enter to skip
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                               # the following do not have to be entered; press Enter until the command completes
An optional company name []:
4, generate a self-signed X.509 certificate. The validity period is set to 3650 days, i.e. ten years
[root@localhost key]# openssl x509 -req -days 3650 -in certreq.csr -signkey server.key -out server.crt
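As an added example (not part of the original tutorial), the same three OpenSSL steps as a non-interactive POSIX shell script, with two checks worth running before pointing nginx at the files: that the certificate's public key matches the private key, and that the CN is the host name clients will use. It assumes the openssl CLI is on PATH; the 2048-bit key size, the DN values passed via -subj and the temporary directory are my choices, not the tutorial's.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Generates server.key,
# certreq.csr and a self-signed server.crt without interactive prompts,
# then checks that the pieces belong together. Assumes openssl is on PATH.
set -u

# gen_key DIR -> writes DIR/server.key (2048 bits; the tutorial used 1024)
gen_key() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
}

# gen_csr DIR CN -> writes DIR/certreq.csr; the DN mirrors the tutorial's
# interactive answers but is passed with -subj so nothing is prompted
gen_csr() {
    openssl req -new -key "$1/server.key" -out "$1/certreq.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=lvdian/OU=yunwei/CN=$2"
}

# selfsign DIR -> writes DIR/server.crt, valid 3650 days as in the tutorial
selfsign() {
    openssl x509 -req -days 3650 -in "$1/certreq.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# verify_pair DIR -> exit 0 only if the public key inside server.crt is the
# one derived from server.key (a mismatch makes nginx refuse to start)
verify_pair() {
    k=$(openssl rsa -in "$1/server.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/server.crt" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn DIR -> prints the subject CN; it must equal the host name clients type
cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# demo: run the whole flow in a scratch directory and show subject and validity
demo() {
    d=$(mktemp -d)
    gen_key "$d"
    gen_csr "$d" www.long.com
    selfsign "$d"
    if verify_pair "$d"; then echo "key and certificate match"; fi
    echo "CN: $(cert_cn "$d")"
    openssl x509 -in "$d/server.crt" -noout -dates
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh gen_selfsigned.sh demo`; the functions can also be sourced and pointed at the tutorial's /usr/local/nginx-1.12.1/key directory.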
Four, recompile nginx to add the SSL module (skip this step if the SSL module is already compiled in)
1, view the nginx version and compilation parameters
[root@localhost ~]# /usr/local/nginx-1.12.1/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 2013
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/usr/local/nginx-1.12.1 --with-http_stub_status_module --with-http_ssl_module
As you can see, the SSL module has already been compiled in above. If the SSL module is not compiled in, recompile and install it using the following method.
2, compile the SSL module
(1) Back up the original nginx executable
[root@localhost ~]# cp /usr/local/nginx-1.12.1/sbin/nginx /usr/local/nginx-1.12.1/sbin/nginx.bak
(2) Enter the extracted nginx source directory and compile the SSL module
Tip: be sure to keep the previously compiled parameters when recompiling, and add the SSL module to them
[root@localhost ~]# cd nginx-1.12.1
[root@localhost nginx-1.12.1]# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx-1.12.1 --with-http_stub_status_module --with-http_ssl_module
(3) Run make; do not run make install, otherwise the existing installation is overwritten
[root@localhost nginx-1.12.1]# make
3, stop nginx and overwrite the original nginx file with the newly generated one
After make finishes there is a new nginx in the nginx-1.12.1/objs directory; this is the new nginx executable. Copy it to /usr/local/nginx-1.12.1/sbin/ to overwrite the original nginx executable.
[root@localhost nginx-1.12.1]# cp objs/nginx /usr/local/nginx-1.12.1/sbin/
cp: overwrite '/usr/local/nginx-1.12.1/sbin/nginx'? y
4, test whether the new nginx program works and view the compilation parameters
[root@localhost ~]# /usr/local/nginx-1.12.1/sbin/nginx -t
nginx: the configuration file /usr/local/nginx-1.12.1/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx-1.12.1/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx-1.12.1/sbin/nginx -v
nginx version: nginx/1.12.1
[root@localhost ~]# /usr/local/nginx-1.12.1/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 2013
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/usr/local/nginx-1.12.1 --with-http_stub_status_module --with-http_ssl_module
Five, nginx SSL configuration
This configuration is the most important part and can be adjusted to your own needs. We want HTTPS to listen on port 443; nginx.conf already contains a reserved HTTPS server block, so we only need to uncomment it and make a few simple modifications. Note that ssl_certificate must point to the signed certificate (server.crt), not to the certificate request (certreq.csr).
[root@localhost ~]# vim /usr/local/nginx-1.12.1/conf/nginx.conf
    server {
        listen       443 ssl;
        server_name  localhost;
        ssl_certificate      /usr/local/nginx-1.12.1/key/server.crt;
        ssl_certificate_key  /usr/local/nginx-1.12.1/key/server.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        location / {
            root   html;
            index  index.html index.htm;
        }
    }
    # Configure port redirection (HTTP to HTTPS)
    server {
        listen       80;
        server_name  www.long.com;
        rewrite ^(.*) https://$server_name$1 permanent;
    }
[root@localhost ~]# /usr/local/nginx-1.12.1/sbin/nginx -s reload
ssl_certificate: the certificate is in effect a public key and is sent to every client that connects to the server. ssl_certificate_key: the private key is used for decryption, so its file permissions should be restricted while still being readable by the nginx master process. The private key and certificate can also be placed in a single file; only the public key certificate is sent to the client.
ssl_session_timeout: how long the client may reuse the SSL parameters stored in the session cache. For an intranet system the default of 5 minutes is too short; it can be set to 30m (30 minutes) or even 4h.
ssl_ciphers: selects the cipher suites; the suites (and their order) supported by different browsers may differ. They are specified using the names recognized by the OpenSSL library, and you can run openssl ciphers -v 'RC4:HIGH:!aNULL:!MD5' (followed by the suite specification you chose) to see which suites it expands to. RC4 appears here only to illustrate the syntax; it is a broken cipher and should not be enabled in a real configuration.
ssl_prefer_server_ciphers on: when negotiating the cipher suite, prefer the server's suite order rather than the client browser's.
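The mistakes most likely to slip into the server block above (a CSR in ssl_certificate, an obsolete family such as RC4 left enabled in ssl_ciphers, no explicit ssl_protocols) can be caught before reloading. The script below is an added example, not from the original tutorial: a small POSIX shell audit of one server block, run against two constructed configs, one deliberately weak and one corrected. The directive parsing is intentionally minimal (one directive per line, terminated by ';') and the file paths are the tutorial's, used here as placeholders.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit the TLS directives of an
# nginx server block for the mistakes that are easy to make in the config above.
# Parsing is intentionally simple: one directive per line, terminated by ';'.
set -u

# directive FILE NAME -> prints the value of the first "NAME value;" line
directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# audit_tls FILE -> prints one "finding: ..." line per problem found
audit_tls() {
    cert=$(directive "$1" ssl_certificate)
    case "$cert" in
        "")    echo "finding: ssl_certificate is missing" ;;
        *.csr) echo "finding: ssl_certificate points at a CSR ($cert); nginx needs the signed .crt" ;;
    esac

    # every ':'-separated token not negated with '!' must not name a broken family
    ciphers=$(directive "$1" ssl_ciphers)
    old_ifs=$IFS; IFS=':'
    for tok in $ciphers; do
        case "$tok" in
            !*) ;;
            *RC4*|*MD5*|*NULL*|*DES*|*EXP*) echo "finding: weak cipher token enabled: $tok" ;;
        esac
    done
    IFS=$old_ifs

    protos=$(directive "$1" ssl_protocols)
    if [ -z "$protos" ]; then
        echo "finding: ssl_protocols not set (the nginx 1.12 default also enables TLSv1 and TLSv1.1)"
    else
        for tok in $protos; do
            case "$tok" in
                SSLv2|SSLv3|TLSv1|TLSv1.1) echo "finding: obsolete protocol enabled: $tok" ;;
            esac
        done
    fi
}

# audit_count FILE -> prints the number of findings (0 means clean)
audit_count() {
    audit_tls "$1" | grep -c '^finding:' || true
}

# make_samples DIR -> writes two constructed configs: a weak variant of the
# tutorial's block and a corrected one
make_samples() {
    cat > "$1/weak.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name www.long.com;
    ssl_certificate     /usr/local/nginx-1.12.1/key/certreq.csr;
    ssl_certificate_key /usr/local/nginx-1.12.1/key/server.key;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
}
EOF
    cat > "$1/fixed.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name www.long.com;
    ssl_certificate     /usr/local/nginx-1.12.1/key/server.crt;
    ssl_certificate_key /usr/local/nginx-1.12.1/key/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
EOF
}

# tls_demo: audit both samples and show the findings
tls_demo() {
    d=$(mktemp -d)
    make_samples "$d"
    for f in weak fixed; do
        echo "== $f.conf: $(audit_count "$d/$f.conf") finding(s)"
        audit_tls "$d/$f.conf"
    done
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then tls_demo; fi
```

Run it as `sh audit_tls.sh demo`; the weak sample yields three findings and the corrected one none. The audit complements, rather than replaces, `nginx -t`, which checks syntax and file existence but says nothing about which suites or protocol versions are enabled.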
Six, test from a Windows browser that the jump to HTTPS succeeds
1, add domain name resolution in Windows
Open the Windows C:\Windows\System32\drivers\etc\hosts file and add the following entry
192.168.10.10 www.long.com
2, open the browser and enter the domain name to test
You can see that our HTTPS redirect has succeeded.
The certificate above is self-generated and is not trusted by browsers. To have browsers trust it, apply for a free certificate from a relevant official site; free certificates are generally valid for a few months to a year.