I. What is HTTPS?
According to Wikipedia's explanation:
Hypertext Transfer Protocol Secure (abbreviated HTTPS) is a combination of the Hypertext Transfer Protocol and SSL/TLS that provides encrypted communication and authentication of the web server's identity. HTTPS connections are often used for payment transactions on the World Wide Web and for transmitting sensitive information in enterprise information systems. HTTPS should not be confused with the Secure Hypertext Transfer Protocol (S-HTTP) defined in RFC 2660.
HTTPS is now the first choice for every privacy- and security-oriented site. As the technology has matured, an HTTPS website is no longer the privilege of large sites: any individual webmaster or blogger can run a securely encrypted website.
If a website is not encrypted, every account name and password is transmitted in clear text. When privacy or money is involved, an unencrypted connection is a frightening thing.
Since the readers of this blog are close to professionals, we will skip the preamble and get straight to the point.
II. Using OpenSSL to generate the SSL key and CSR
Only a CA trusted by the browser or the operating system lets every visitor reach your encrypted site without a certificate error, so we skip the self-signed certificate steps and go straight to obtaining a certificate from a trusted third-party CA.
OpenSSL is installed by default on Linux, OS X and other common systems. Because of known weaknesses in shorter keys, third-party SSL certificate authorities today require an RSA private key of at least 2048 bits.
SSL certificates are commonly validated in two forms: DV (Domain Validated) and OV (Organization Validated). The former only verifies the domain name; the latter also verifies your organization or company, which is certainly the stronger assurance.
Whether you choose DV or OV, generating the private key and request requires some basic information. Here we assume the following:
Domain name, also called the Common Name (a certificate's subject is not necessarily a domain name, but here it is): example.com
Organization or company name (Organization): Example, Inc.
Department (Organizational Unit): may be left empty; here we write Web Security
City (Locality): Beijing
Province (State/Province): Beijing
Country (Country): CN
Key strength: 2048-bit; if your machine is powerful enough, you can choose 4096-bit
With the information above, the OpenSSL command to generate the key and CSR is as follows:
openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc./OU=Web Security/CN=example.com"
PS: For a wildcard certificate, fill in *.example.com as the CN.
You can run this command from any directory; it writes the two files example_com.csr and example_com.key into the current directory.
Next you can open example_com.csr: it is a long Base64 block between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
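Before submitting the request, it is worth checking that the CSR really carries what the CA expects. The script below is an added example, not part of the original post: it runs the same openssl command and then verifies that the CSR's public key belongs to the generated private key, that the key is 2048 bits, that the request is SHA-256 signed and that the CN is example.com. It assumes the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): generate the key/CSR pair from
# section II into a temporary directory and check it before submission.
set -eu

WORKDIR=$(mktemp -d)
KEY="$WORKDIR/example_com.key"
CSR="$WORKDIR/example_com.csr"
SUBJ="/C=CN/ST=Beijing/L=Beijing/O=Example Inc./OU=Web Security/CN=example.com"

# Same command as the post: 2048-bit RSA, SHA-256 signed, no passphrase (-nodes).
make_csr() {
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -out "$CSR" -keyout "$KEY" -subj "$SUBJ" 2>/dev/null
}

# Four checks a CA (and you) care about: the CSR's public key matches the
# private key, the key is 2048 bits, the request is SHA-256 signed, and the
# CN is the one requested. Returns 0 only if all four hold.
verify_csr() {
    key_mod=$(openssl rsa -noout -modulus -in "$KEY" | openssl sha256)
    csr_mod=$(openssl req -noout -modulus -in "$CSR" | openssl sha256)
    [ "$key_mod" = "$csr_mod" ] || { echo "key does not match CSR"; return 1; }
    text=$(openssl req -noout -text -in "$CSR")
    echo "$text" | grep -q 'Public-Key: (2048 bit)' || { echo "key is not 2048 bit"; return 1; }
    echo "$text" | grep -q 'sha256WithRSAEncryption' || { echo "CSR is not SHA-256 signed"; return 1; }
    openssl req -noout -subject -in "$CSR" | grep -q 'CN *= *example.com' \
        || { echo "unexpected CN"; return 1; }
    echo "CSR OK: $(openssl req -noout -subject -in "$CSR")"
}

# The private key must stay unreadable by other users (section II: never disclose it).
key_perms_ok() {
    chmod 600 "$KEY"
    [ "$(stat -c %a "$KEY" 2>/dev/null || stat -f %Lp "$KEY")" = "600" ]
}

make_csr
verify_csr
key_perms_ok
```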
This CSR file is what you submit to the SSL certificate authority; once your domain name or organization has been verified, the CA issues you an example_com.crt.
example_com.key must be used together with example_com.crt in the Nginx configuration, and it must be kept safe: never disclose it to any third party.
III. Configuring an HTTPS website in Nginx and hardening the configuration
As mentioned earlier, you submit the CSR file to a third-party SSL certificate authority; after verification they issue a CRT file, which we name example_com.crt.
For tidiness, you can move all three files (key, CSR and CRT) into the /etc/ssl/private/ directory.
Then edit the Nginx configuration file:
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name example.com;
    # "ssl on;" is deliberately omitted: the "ssl" parameter on the 443 listen
    # directives enables TLS there, while "ssl on;" would force TLS on port 80 too
    ssl_certificate /etc/ssl/private/example_com.crt;
    ssl_certificate_key /etc/ssl/private/example_com.key;
}
Test the configuration file and reload Nginx:
nginx -t && nginx -s reload
But this is not secure enough: the default still relies on SHA-1, which mainstream practice now avoids. For stronger security we can set up Diffie-Hellman key exchange with our own parameters.
First, change into /etc/ssl/certs and generate dhparam.pem:
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 2048   # if your machine is powerful enough, you can use 4096 bits
After generation completes, add the following to the Nginx SSL configuration:
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# the trailing !RC4 removes the RC4 suites that EECDH+aRSA+RC4 would otherwise admit
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
# the original value was lost in conversion; 70 seconds is the usual choice in this snippet
keepalive_timeout 70;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
If the whole site is served over HTTPS and plain HTTP is not needed, you can also add HSTS, which tells the browser that the entire site is encrypted and forces HTTPS access:
add_header Strict-Transport-Security "max-age=63072000";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
You can also add a separate server block so that HTTP requests are redirected to HTTPS with a 301. Once it exists, remove the port-80 listen directives from the HTTPS block above, so the two blocks do not both claim port 80 for example.com:
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name example.com;
    return 301 https://example.com$request_uri;
}
IV. Reliable third-party SSL issuing authorities
As is well known, a certain NIC certificate authority was involved in a scandal over certificates issued for Google domain names, so choosing a reliable third-party SSL issuer matters.
At present, the SSL certificate authorities commonly used by small and medium-sized webmasters and enterprises are:
StartSSL
Comodo / sub-brand Positive SSL
GlobalSign / sub-brand AlphaSSL
GeoTrust / sub-brand RapidSSL
Positive SSL, AlphaSSL, RapidSSL and so on are sub-brands; their certificates generally sit three or four levels deep in the chain, so you need to append the CA certificate chain to your CRT file.
Take Comodo Positive SSL as an example: you need to concatenate the CA certificates. Assuming your domain name is example.com,
the concatenation command is
cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > example_com.signed.crt
Then use example_com.signed.crt in the Nginx configuration.
If it is an ordinary AlphaSSL wildcard certificate, they will not send you the CA certificate chain; you need to append the AlphaSSL intermediate CA certificate after your CRT file yourself:
AlphaSSL Intermediate CA
V. EV SSL
EV SSL is aimed at enterprises; EV stands for Extended Validation, and it emphasizes the security of corporate websites through strict identity verification. The most obvious difference is that an EV SSL site usually shows a green address bar; the SSL certificate on this site, for example, is EV SSL.
If your company wants a professional EV SSL certificate, you can contact us at any time at cat dot net.
Turn from: https://s.how/nginx-ssl/