This article describes how to configure an SSL certificate and build an HTTPS website with NGINX. If you are interested in the PHP tutorial, refer to it.
1. What is HTTPS?
According to Wikipedia:
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol and SSL/TLS. It provides encrypted communication and identifies network servers. HTTPS connections are often used for payment transactions on the World Wide Web and for transmitting sensitive information in enterprise information systems. HTTPS should not be confused with the Secure Hypertext Transfer Protocol (S-HTTP) defined in RFC 2660.
HTTPS is now the first choice for any website that cares about privacy and security. With the continuous development of the technology, HTTPS sites are no longer the preserve of large websites; ordinary webmasters and bloggers can build a secure, encrypted site by themselves.
If a website is not encrypted, the passwords of all your accounts travel in plaintext. Where privacy and money are involved, it is easy to imagine how bad unencrypted transmission is.
Since the readers of this blog are close to professionals, we will not dwell on this; let's get straight to the point.
2. Use OpenSSL to generate the SSL key and CSR
Only a certificate issued by a CA that browsers trust lets every visitor reach your encrypted site smoothly instead of being shown a certificate error. We therefore skip the self-signed certificate step and go straight to obtaining a certificate signed by a trusted third-party CA.
OpenSSL is installed by default on Linux, OS X and other common systems. Because of known security issues, third-party SSL certificate issuers generally require at least a 2048-bit RSA private key.
Ordinary SSL certificates come in two validation types: DV (Domain Validated) and OV (Organization Validated). The former only verifies control of the domain name; the latter also verifies your organization or company. In terms of assurance, the latter is the stronger of the two.
Whether you choose DV or OV, you must fill in some basic information when generating the private key and CSR. Here we assume:
Common Name (CN), normally the domain name (a special-purpose certificate need not use a domain name here): example.com
Organization (O): Example, Inc.
Organizational Unit (OU), the department; this may be left empty, here we use: Web Security
Locality (L), the city: Beijing
State/Province (ST): Beijing
Country (C): CN
Key strength: 2048 bits; if your machine is powerful enough, you can choose 4096 bits.
Run the following OpenSSL command to generate the key and CSR from the information above:
openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc./OU=Web Security/CN=example.com"
PS: for a wildcard certificate, use *.example.com as the Common Name.
You can run this command from any directory; the two files example_com.csr and example_com.key are created in the current directory.
Next, open example_com.csr. It contains a long PEM block that starts with -----BEGIN CERTIFICATE REQUEST----- and ends with -----END CERTIFICATE REQUEST-----.
This CSR file is what you submit to the SSL certification authority. Once your domain name or organization passes verification, the CA issues you example_com.crt.
example_com.key is used together with example_com.crt in the Nginx configuration. Keep the key safe and never disclose it to any third party.
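As an added check before the CSR leaves your machine (example script, not the article's own code), the following shell functions generate the key and CSR with the article's subject and then confirm the CSR is intact, belongs to that key, and meets the 2048-bit minimum. It assumes openssl is in PATH; the output-directory argument is hypothetical.

```shell
#!/bin/sh
# Added example (not the article's own code): generate the key + CSR with the
# article's subject, then sanity-check the pair before submitting the CSR to a CA.
# Assumes: openssl in PATH; the OUTDIR argument is any writable directory.

# Generate a 2048-bit RSA key and a SHA-256-signed CSR into OUTDIR.
make_csr() {
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -out "$1/example_com.csr" -keyout "$1/example_com.key" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc./OU=Web Security/CN=example.com" \
        >/dev/null 2>&1
}

# Print the CSR subject so the CN (and O/OU for an OV certificate) can be eyeballed.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Return 0 if the CSR's own signature verifies, i.e. the file is not truncated or altered.
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Return 0 if the public key embedded in CSR is the public half of KEY.
# A mismatch here would later surface as a key/certificate mismatch in nginx.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Return 0 if KEY is an RSA key of at least MINBITS bits (CAs reject shorter keys).
key_bits_ok() {
    bits=$(openssl rsa -in "$1" -noout -text 2>/dev/null |
           sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge "$2" ]
}

# Usage: make_csr . && csr_is_valid example_com.csr && csr_matches_key example_com.csr example_com.key
```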
3. Configure the HTTPS site in Nginx and add security settings
As mentioned above, you submit the CSR file to a third-party SSL certification authority; once it passes, they issue you a CRT file named example_com.crt.
For consistency, you can move all three files into the /etc/ssl/private/ directory.
Then modify the Nginx configuration file:
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name example.com;
    # TLS is enabled per listen directive with the "ssl" parameter; a block-wide
    # "ssl on;" would also force TLS on port 80 (and is deprecated since nginx 1.15.0).
    ssl_certificate /etc/ssl/private/example_com.crt;
    ssl_certificate_key /etc/ssl/private/example_com.key;
}
Check that the configuration file is valid, then reload Nginx:
nginx -t && nginx -s reload
However, this minimal configuration is not secure enough. By default it still relies on SHA-1, which current mainstream guidance says to avoid. To improve security we add Diffie-Hellman parameters for the key exchange and tighten the cipher list.
First, enter the /etc/ssl/certs directory and generate dhparam.pem:
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 2048   # with a powerful machine you can use 4096 bits
Then add the following to the SSL configuration of the server block:
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# TLSv1 and TLSv1.1 are deprecated today; a current deployment would keep TLSv1.2 only (plus TLSv1.3 where nginx supports it).
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# The trailing !RC4 removes the EECDH+aRSA+RC4 suites named earlier in the list.
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
keepalive_timeout 70;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
If the whole site is served over HTTPS and plain HTTP is not needed, you can also add HSTS to tell browsers that the site is fully encrypted and to force HTTPS access:
add_header Strict-Transport-Security "max-age=63072000";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
You can also add an Nginx server block that redirects HTTP requests to HTTPS with a 301:
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name example.com;
    return 301 https://example.com$request_uri;
}
4. Reliable third-party SSL issuing authorities
As is well known, a NIC was recently involved in a scandal over issuing certificates for Google domain names, which shows how important it is to choose a reliable third-party SSL issuer.
SSL certificate authorities commonly used by small and medium-sized webmasters and enterprises include:
StartSSL
Comodo/sub-brand Positive SSL
GlobalSign/sub-brand AlphaSSL
GeoTrust/sub-brand RapidSSL
Among them, Positive SSL, AlphaSSL, RapidSSL and so on are sub-brands. Their certificates are generally third-level, i.e. signed by an intermediate CA rather than directly by a root, so you need to append the CA certificates to your CRT file.
Take Comodo Positive SSL as an example: you need to concatenate the CA certificates after your own. Assume your domain name is example.com.
The concatenation command is then:
cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > example_com.signed.crt
Use example_com.signed.crt in the Nginx configuration.
If you have a common AlphaSSL wildcard certificate, they do not send you the CA certificate chain, so you need to append the AlphaSSL CA certificate chain after your CRT file yourself:
AlphaSSL Intermediate CA
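A chain file assembled with cat, as above, is only useful if it is in the right order: the server certificate first, then each issuing CA in turn, because nginx treats the first certificate in the file as the server certificate. The following added shell functions (not the article's or any CA's code) check that ordering from the subject and issuer lines openssl prints; it assumes openssl is in PATH.

```shell
#!/bin/sh
# Added example (not the article's own code): verify that a concatenated
# certificate file is ordered as nginx needs it, i.e. the server (leaf)
# certificate first, then each issuing CA in turn, as produced by the cat
# command above. Assumes: openssl in PATH. Only the subject=/issuer= lines
# openssl prints are used, so both the "/C=..." and "C = ..." output styles work.

# Print "subject<TAB>issuer" for every certificate in FILE, in file order.
chain_pairs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        awk '/^subject=/ { s = substr($0, 9) }
             /^issuer=/  { print s "\t" substr($0, 8) }'
}

# Return 0 if every certificate's issuer is the subject of the next one in the
# file and at least one certificate was found; otherwise print the first broken
# link and return 1 (clients would then fail to build a trust path).
chain_order_ok() {
    chain_pairs "$1" | awk -F'\t' '
        NR > 1 && prev_issuer != $1 { print "bad link before: " $1; bad = 1; exit 1 }
        { prev_issuer = $2; n++ }
        END { if (!bad && n == 0) exit 1 }'
}

# Return 0 if the first certificate in FILE is issued to DOMAIN (the leaf must be first).
first_cert_is_for() {
    chain_pairs "$1" | head -n 1 | cut -f1 | grep -q "CN *= *$2"
}

# Usage: chain_order_ok example_com.signed.crt && first_cert_is_for example_com.signed.crt example.com
```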
5. EV SSL for enterprises
EV SSL, short for Extended Validation SSL, focuses on the security protection and strict identity verification of enterprise websites.
The most visible difference is that EV SSL usually shows a green address bar; for example, the SSL certificate on this site is EV SSL.
If you want to obtain a professional EV SSL certificate, you can contact us at any time at info at cat dot net.