Nginx Configuration SSL Encryption (single-way authentication, partial HTTPS)

Source: Internet
Author: User
Tags: openssl library, openssl rsa, pkcs12, nginx server, ssl certificate

nginx is not built with the SSL module by default; you need to compile nginx with the --with-http_ssl_module option.

For the principles of SSL/TLS, refer here; if you just want to test or issue a self-signed SSL certificate, refer here.

Note: the hop from nginx to the backend server is usually on the intranet, so it is not encrypted.

1. Full-site SSL

Full-site SSL is the most common scenario: the default port is 443, and authentication is generally one-way.

    server {
        listen      443;
        server_name example.com;
        root        /apps/www;
        index       index.html index.htm;
        ssl on;
        ssl_certificate     /ssl/ittest.pem;
        ssl_certificate_key /ssl/ittest.key;
        # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        # ssl_prefer_server_ciphers on;
    }

If you want to force HTTP requests to be redirected to HTTPS:

    server {
        listen      80;
        server_name example.com;
        rewrite ^ https://$server_name$request_uri? permanent;
        ### using return is more efficient:
        # return 301 https://$server_name$request_uri;
    }

The ssl_certificate file is actually the public certificate; it is sent to every client that connects to the server, and the ssl_certificate_key private key is what the server uses to decrypt what clients encrypt with that public key. Its file permissions should therefore be restricted while still being readable by the nginx master process. The private key and certificate can also be kept in a single file; only the public certificate is ever sent to the client.

The ssl_protocols directive enables specific protocol versions. Since nginx 1.1.13 and 1.0.12 the default is ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; TLSv1.1 and TLSv1.2 require OpenSSL >= 1.0.1. SSLv3 is still widely used, but it has a number of vulnerabilities that are being actively exploited.

ssl_ciphers selects the cipher suites; the suites (and their order of preference) supported by different browsers may differ. The value is written in the notation the OpenSSL library understands, and you can run openssl ciphers -v 'RC4:HIGH:!aNULL:!MD5' (followed by the cipher string you specified) to list the algorithms it matches.

ssl_prefer_server_ciphers on controls cipher negotiation: the server's cipher suite preference takes priority over the client browser's.


HTTPS optimization parameters
    • ssl_session_cache shared:SSL:10m; : sets the type and size of the SSL/TLS session cache. shared is normally used; builtin may cause memory fragmentation; the default is none, which is almost the same as off (cache disabled). shared:SSL:10m means all nginx worker processes share the session cache; the official documentation says 1 MB holds about 4,000 sessions. See the ServerFault question and answer on ssl_session_cache for details.

    • ssl_session_timeout : how long a client may reuse the SSL parameters stored in the session cache. The default of 5 minutes is too short for an intranet system; it can be set to 30m (30 minutes) or even 4h.

Setting a longer keepalive_timeout also reduces the overhead of repeated SSL session negotiation, but the number of concurrent connections must be taken into account.
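The full-site block above, rewritten with current protocol and cipher settings and the optimization parameters just discussed. This is an added example, not configuration from the original post; the domain, paths and cache size are assumptions, and TLSv1.3 requires nginx built against OpenSSL 1.1.1 or later.

```nginx
# Added example: hardened full-site HTTPS with an HTTP->HTTPS redirect.
# Domain, paths and sizes are assumptions; adjust to your deployment.
server {
    listen      80;
    server_name example.com;
    # return is cheaper than rewrite for a blanket redirect
    return 301 https://$server_name$request_uri;
}

server {
    listen      443 ssl;
    server_name example.com;
    root        /apps/www;
    index       index.html index.htm;

    ssl_certificate     /ssl/ittest.pem;   # certificate (chain), sent to clients
    ssl_certificate_key /ssl/ittest.key;   # unencrypted key, readable by the master process only

    # Drop SSLv3, TLSv1 and TLSv1.1: all have known exploitable weaknesses.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only; excludes RC4, EXPORT, LOW and aNULL.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Session resumption: one cache shared by all workers, ~4,000 sessions per MB.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 30m;
    # Fewer full handshakes per client; balance against concurrent connections.
    keepalive_timeout   65;
}
```

Run nginx -t after editing to confirm the build supports every directive before reloading.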

Tip: if you entered a passphrase when generating the certificate request (CSR) and its private key, nginx will prompt for that passphrase at every start. You can instead derive an unencrypted copy of the private key; it works the same way and allows restarts without a passphrase:

    openssl rsa -in ittest.key -out ittest_unsecure.key


Importing the certificate

If your certificate is issued by a well-known CA such as VeriSign, WoSign or StartSSL, browsers already ship with and trust those root certificates. If you run your own CA, or are issued from a second-level (intermediate) CA, you need to add the CA certificate to the browser so that visiting the site does not show an insecure-connection warning. How to add it in each browser is not covered in this article.


2. Partial-page SSL

Not all information on a site is confidential. In an online shopping mall, for example, general merchandise browsing need not go through HTTPS, while login and payment must use HTTPS, so that both access speed and security are taken into account.

Note that what gets encrypted is the page, not a single request. One page (one URL in the address bar) usually issues many requests, including static files such as CSS/PNG/JS and dynamic Java or PHP requests, so the content to be encrypted must include the other resources referenced by the page; otherwise you get HTTP/HTTPS mixed content. When an HTTP page includes HTTPS content the layout is not affected, but when an HTTPS page includes images, JS and other resources over HTTP, the browser refuses to load them for security reasons.

The following example encrypts only the example.com/account/login login page:

    root  /apps/www;
    index index.html index.htm;

    server {
        listen      80;
        server_name example.com;

        location ^~ /account/login {
            rewrite ^ https://$server_name:443$request_uri? permanent;
        }

        location / {
            proxy_pass http://localhost:8080;
            ### set headers ####
            proxy_set_header Host            $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect   off;
        }
    }

    server {
        listen      443 ssl;
        server_name example.com;
        ssl on;
        ssl_certificate     /ssl/ittest.pem;
        ssl_certificate_key /ssl/ittest.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;

        location ^~ /account/login {
            proxy_pass http://localhost:8080;
            proxy_set_header Host            $host;
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect   off;
            ### most PHP, Python, Rails and Java apps can use this header -> https ###
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location / {
            rewrite ^ http://$server_name$request_uri? permanent;
        }
    }

For rewrite and location, see the reference here. When the browser requests http://example.com/account/login.xx, it is 301-redirected to https://example.com/account/login.xx, which is matched by the /account/login location in the SSL virtual host and reverse-proxied to the backend server; the onward hop is not HTTPS. The other resources on the login.xx page are also requested from nginx over HTTPS. After a successful login, the redirect to the homepage should use HTTP, which may have to be controlled in the application code.

    • proxy_set_header X-Forwarded-Proto $scheme is used in the configuration above, so a JSP page obtains https from request.getScheme(). If the requested $scheme is not passed in a header, the backend JSP page will always assume HTTP, which leads to response errors.

    • The SSL server block also has a location / like the unencrypted port-80 block; it redirects users who access the homepage directly over HTTPS back to the unencrypted port. Remove it if you want to allow users to do so.


3. Implement two-way SSL authentication

Both configurations above verify that the domain being visited is genuine and encrypt the transport, but the server does not verify that the client is trustworthy. (In practice, visitors need not be authenticated except in particularly sensitive scenarios, such as bank USB tokens (U-shields).)

To implement two-way authentication, the CA certificate (root certificate or intermediate certificate) must be imported on the nginx HTTPS server, because the server now verifies the client against that CA. A client certificate must also be generated, in the same way as when requesting the server certificate. Once issued, the client certificate is converted into a format browsers understand (most browsers accept PKCS12):

    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Then send this client.p12 to the person you trust and have them import it into their browser. When they visit the site, nginx asks the client to present this certificate while establishing the connection and denies access if it is missing.

Also remember to configure the trusted CA in nginx.conf (for a second-level CA, append the root CA after the intermediate so they form a CA certificate chain):

    proxy_ignore_client_abort on;
    ssl on;
    ...
    ssl_verify_client      on;
    ssl_verify_depth       2;
    ssl_client_certificate /ssl/ca-chain.pem;
    # in the two-way-authenticated location:
    proxy_set_header X-SSL-Client-Cert $ssl_client_cert;


Extension: using the geo module

nginx is built with ngx_http_geo_module by default. The geo module sets the value of a variable based on the client IP; it can be used, for example, to require two-way authentication for logins from the 172.29.73.0/24 segment while all other addresses use ordinary one-way authentication.

    geo $duplexing_user {
        default 1;
        include geo.conf;  # note: since version 0.6.7, include is relative to the directory containing nginx.conf
    }

The syntax is geo [$address] $variable { ... }, placed in the http context; the default address is $remote_addr. Assume conf/geo.conf contains:

    127.0.0.1/32     LOCAL;  # local
    172.29.73.23/32  SEAN;   # one IP
    172.29.73.0/24   1;      # IP segment; different values can be defined per country or region

Another virtual host server { listen 445 ssl; } is needed, written with the two-way authentication directives above; then, in the port 80 or 443 server, use the variable $duplexing_user to decide: if it is 1, rewrite to 445, otherwise rewrite to 443. Refer to the nginx geo usage guide for details.
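The routing just described, written out as an added example that is not part of the original post: the geo variable selects the mutual-TLS host on port 445 for one segment, the one-way host on 443 (the section 2 block, not repeated here) for everyone else. Addresses, paths and the simplified geo table are assumptions; $ssl_client_escaped_cert needs nginx 1.13.5 or later.

```nginx
# Added example: 172.29.73.0/24 must use the mutual-TLS login host on 445;
# all other clients use one-way TLS on 443. Addresses, paths and the geo
# table are assumptions; the 443 server from section 2 is not repeated.
geo $duplexing_user {
    default 0;
    172.29.73.0/24 1;      # this segment must present a client certificate
}

server {
    listen      80;
    server_name example.com;

    location ^~ /account/login {
        if ($duplexing_user = 1) {
            return 301 https://$server_name:445$request_uri;
        }
        return 301 https://$server_name:443$request_uri;
    }
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Two-way authentication: same server cert/key as 443, plus client verification.
server {
    listen      445 ssl;
    server_name example.com;
    ssl_certificate        /ssl/ittest.pem;
    ssl_certificate_key    /ssl/ittest.key;
    ssl_protocols          TLSv1.2 TLSv1.3;
    ssl_client_certificate /ssl/ca-chain.pem;   # intermediate followed by root
    ssl_verify_client      on;                  # handshake fails without a valid client cert
    ssl_verify_depth       2;                   # leaf -> intermediate -> root

    location ^~ /account/login {
        proxy_pass http://localhost:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Hand the verified certificate and its subject to the application.
        proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
        proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;
    }
    location / {
        return 301 https://$server_name:443$request_uri;
    }
}
```

The backend should trust X-SSL-Client-Cert and X-Forwarded-Proto only from this proxy, since any client reaching it directly could set those headers itself.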

