I. What is HTTPS?
According to Wikipedia:
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol (HTTP) and SSL/TLS that provides encrypted communication and authentication of the web server's identity. HTTPS connections are commonly used for payment transactions on the World Wide Web and for transmitting sensitive information in enterprise information systems. HTTPS should not be confused with Secure Hypertext Transfer Protocol (S-HTTP), defined in RFC 2660.
HTTPS is now the first choice for any site that cares about privacy and security. As the technology has matured, an HTTPS site is no longer something only large websites can afford: any individual webmaster or blogger can run an encrypted site.
If a site is not encrypted, every account name and password it handles crosses the network in clear text. Where privacy or money is involved, an unencrypted connection is a frightening thing.
Since the readers of this blog are close to professionals, we will skip the preamble and get straight to the point.
II. Using OpenSSL to generate an SSL key and CSR
Only a certificate issued by a CA that browsers and operating systems already trust lets every visitor reach your encrypted site without a certificate warning, so we skip self-signed certificates and go straight to obtaining a certificate from a trusted third-party CA.
OpenSSL is installed by default on Linux, OS X and most other common systems. Because of known weaknesses in shorter keys, third-party CAs today require an RSA private key of at least 2048 bits.
SSL certificates come in two common validation levels: DV (Domain Validated), which only verifies control of the domain name, and OV (Organization Validated), which also verifies your organization or company. In terms of assurance, the latter is naturally stronger.
Whether you apply for DV or OV, generating the private key and CSR requires some basic information. Here we assume the following:
Domain name (Common Name; for a wildcard certificate this is not a single host name): example.com
Organization or company name (Organization): Example, Inc.
Department (Organizational Unit): optional; here we write Web Security
City (Locality): Beijing
Province (State/Province): Beijing
Country (Country): CN
Key strength: 2048-bit; if your machine is fast enough you can choose 4096-bit
With the information above, the OpenSSL command to generate the key and CSR is as follows:
openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc./OU=Web Security/CN=example.com"
PS: For a wildcard certificate, the CN should be *.example.com
You can run this command from any directory; it creates two files, example_com.csr and example_com.key, in the current directory. (-nodes leaves the private key unencrypted so that Nginx can start without a passphrase prompt; the key file must therefore be readable only by root.)
Next, look at example_com.csr; you will see a PEM block like this:
-----BEGIN CERTIFICATE REQUEST-----
MIICujCC... (base64-encoded request body)
-----END CERTIFICATE REQUEST-----
This CSR file is what you submit to the certificate authority. Once your domain name or organization has been verified, the CA issues you a certificate, example_com.crt.
example_com.key must be used together with example_com.crt in the Nginx configuration, and it must be kept safe: never disclose the private key to any third party.
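As an added example (not part of the original post), the following POSIX shell script generates the key and CSR for the subject assumed above and then checks the CSR the way you should before uploading it to a CA: the request's self-signature verifies, the key is at least 2048 bits, the CN is example.com, and the public key in the CSR really belongs to the private key on disk. The subject string and file names are the post's; the output-directory argument is the script's own.

```shell
#!/bin/sh
# Added example, not from the original post: generate the 2048-bit RSA key and CSR
# for the subject assumed above, then check the CSR before sending it to the CA.
set -eu

# Subject from the post (organisation name written as in the openssl command).
SUBJ="/C=CN/ST=Beijing/L=Beijing/O=Example Inc./OU=Web Security/CN=example.com"

# make_csr <outdir> [bits]: writes example_com.key and example_com.csr into <outdir>
make_csr() {
    outdir=$1
    bits=${2:-2048}
    mkdir -p "$outdir"
    # -nodes: unencrypted key, so nginx can start without a passphrase prompt;
    # the file mode is therefore what protects it.
    openssl req -new -newkey "rsa:$bits" -sha256 -nodes -subj "$SUBJ" \
        -keyout "$outdir/example_com.key" -out "$outdir/example_com.csr" 2>/dev/null
    chmod 600 "$outdir/example_com.key"
}

# csr_check <dir>: returns 0 only if the CSR's self-signature verifies, the key is at
# least 2048 bits, the CN is example.com, and the CSR's public key matches the private key.
csr_check() {
    dir=$1
    csr=$dir/example_com.csr
    key=$dir/example_com.key
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
    # "Public-Key: (2048 bit)" in the text dump (prefixed with "RSA " on OpenSSL 1.1)
    bits=$(openssl req -noout -text -in "$csr" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || return 1
    openssl req -noout -subject -in "$csr" | grep -q 'CN *= *example\.com' || return 1
    # The CA binds this public key to the name: make sure it is the key nginx will load.
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl sha256)
    csr_mod=$(openssl req -noout -modulus -in "$csr" | openssl sha256)
    [ "$key_mod" = "$csr_mod" ]
}
```

Call make_csr with the directory you want the files in, then `if csr_check "$dir"; then ...; fi`; the modulus comparison is the check that catches the common mistake of regenerating the key after the CSR was submitted.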
III. Configuring the HTTPS site in Nginx and adding security settings
As mentioned above, you submit the CSR to a third-party certificate authority; after verification they issue a CRT file, which we call example_com.crt.
For tidiness, move all three files (key, CSR and certificate) into the /etc/ssl/private/ directory.
Then edit the Nginx configuration:
server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name example.com;
    ssl_certificate /etc/ssl/private/example_com.crt;
    ssl_certificate_key /etc/ssl/private/example_com.key;
}
(The ssl parameter on listen replaces the older "ssl on;" directive, which has been deprecated since Nginx 1.15.0.)
Check the configuration file and reload Nginx:
nginx -t && nginx -s reload
This alone is not a hardened configuration. The default cipher list still admits weak algorithms, and for DHE (Diffie-Hellman) key exchange Nginx should use its own sufficiently large DH parameters rather than the built-in defaults. (SHA-1 certificate signatures should be avoided as well; CAs no longer issue them.) For stronger security we therefore generate DH parameters and set an explicit cipher list.
First, enter the /etc/ssl/certs directory and generate dhparam.pem (this takes a few minutes):
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 2048    # if your machine is fast enough, you can use 4096 bits
When generation finishes, add the following to the ssl server block in Nginx:
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
(The trailing !RC4 removes the EECDH+aRSA+RC4 entry again, so RC4 is never offered. TLS 1.0 and 1.1 have since been deprecated by RFC 8996; unless you must support very old clients, use "ssl_protocols TLSv1.2 TLSv1.3;" instead.)
If the whole site is served over HTTPS and you do not intend to keep plain HTTP, you can also enable HSTS, which tells browsers that the site is HTTPS-only and forces them to use HTTPS:
    add_header Strict-Transport-Security "max-age=63072000";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
(max-age is in seconds; 63072000 is two years. Browsers remember it, so only enable HSTS once everything under the host works over HTTPS.)
You can also add a separate server block so that plain HTTP requests are redirected to HTTPS with a 301:
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name example.com;
    return 301 https://example.com$request_uri;
}
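Putting the pieces of this section together, here is the complete site configuration as an added example (it is not from the original post). It uses the chained certificate file example_com.signed.crt that section IV produces, keeps the post's cipher list, DH parameters and headers, and replaces the deprecated TLS 1.0/1.1 with TLS 1.2/1.3; the document root /var/www/example.com is an assumption.

```nginx
# Added example, not from the original post.

# Plain HTTP: answer every request with a permanent redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    # Site certificate followed by the intermediate CA certificates (section IV).
    # The key file must be owned by root with mode 0600.
    ssl_certificate     /etc/ssl/private/example_com.signed.crt;
    ssl_certificate_key /etc/ssl/private/example_com.key;

    # TLS 1.0/1.1 are deprecated (RFC 8996); the post listed TLSv1 TLSv1.1 TLSv1.2.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;   # generated with "openssl dhparam"
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS for two years; "always" (Nginx 1.7.5+) also sends the headers on error responses.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    root /var/www/example.com;   # assumed document root
}
```

After writing the file, run `nginx -t` before `nginx -s reload`; a wrong certificate path or a bundle in the wrong order is reported by the test rather than at the first client connection.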
IV. Reliable third-party SSL issuing authorities
As is well known, a certain NIC-affiliated certificate authority was involved in a scandal over improperly issued certificates for Google domains, so it matters that you choose a trustworthy third-party CA.
At present, the SSL certificate authorities commonly used by small and medium-sized webmasters and enterprises are:
StartSSL
Comodo / sub-brand PositiveSSL
GlobalSign / sub-brand AlphaSSL
GeoTrust / sub-brand RapidSSL
PositiveSSL, AlphaSSL, RapidSSL and the like are sub-brands whose certificates sit at the third or fourth level of the chain, so you need to append the intermediate CA certificates to your CRT file.
Take Comodo PositiveSSL as an example. Assuming your domain is example.com, the certificates are concatenated with:
cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > example_com.signed.crt
Order matters: your own certificate first, then each intermediate in turn. The root certificate at the end is optional, since clients already hold it in their trust store.
From: https://s.how/nginx-ssl/
Use example_com.signed.crt in the Nginx configuration instead of example_com.crt.
For a common AlphaSSL wildcard certificate, the CA does not send you the chain, so you need to append the AlphaSSL intermediate CA certificate after your CRT file yourself:
AlphaSSL Intermediate CA
Nginx: configuring an SSL certificate and building an HTTPS site (tutorial)