I. What is HTTPS?
According to Wikipedia's explanation:
Hypertext Transfer Protocol Secure (abbreviated HTTPS) is a combination of the Hypertext Transfer Protocol and SSL/TLS that provides encrypted communication and identification of the network server's identity. HTTPS connections are often used for payment transactions on the World Wide Web and for the transmission of sensitive information in enterprise information systems. HTTPS should not be confused with the Secure Hypertext Transfer Protocol (S-HTTP) defined in RFC 2660.
HTTPS is now the first choice for every site that cares about privacy and security. As the technology has matured, HTTPS is no longer the privilege of large sites: any ordinary personal webmaster or blog can set up a securely encrypted website.
If a website is not encrypted, all of your account passwords are transmitted in clear text. It is easy to imagine how serious that is once privacy or financial matters are involved.
Since the readers of this blog are mostly professionals, we will not waste more words and will get straight to business.
II. Using OpenSSL to generate the SSL key and CSR
Only a CA trusted by the browser or the operating system lets all visitors reach your encrypted website without certificate error prompts, so we skip the self-signed certificate steps and go straight to obtaining an SSL certificate signed by a third party that browsers trust.
OpenSSL is installed by default on common systems such as Linux and OS X. Because of known security issues, third-party SSL certificate authorities currently require a minimum of a 2048-bit RSA private key.
Common SSL certificate validation comes in two forms: DV (domain validated) and OV (organization validated). The former only verifies the domain name; the latter also verifies your organization or company, so in terms of assurance the latter is better.
Whether you use DV or OV, generating the private key and CSR requires some basic information. Here we assume the following:
Domain name, also called the Common Name (the CN of a special-purpose certificate is not necessarily a domain name): example.com
Organization or company name (Organization): Example, Inc.
Department (Organizational Unit): optional; here we write Web Security
Province (State/Province): Beijing
Country (Country): CN
Encryption strength: 2048-bit; if your machine is powerful enough, you can choose 4096-bit
Using the information above, the command to generate the key and CSR with OpenSSL is as follows:
openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc./OU=Web Security/CN=example.com"
PS: for a wildcard domain certificate, fill in *.example.com as the Common Name.
You can run this command anywhere on the system; it generates two files, example_com.csr and example_com.key, in the current directory.
Next, look at example_com.csr; you will see a long block of text like this:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
This CSR file is what you submit to the SSL certificate authority. Once your domain name or organization has been validated, the authority issues you an example_com.crt.
example_com.key is used together with example_com.crt in the Nginx configuration. Keep it safe and never leak it to any third party.
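As an added example (not code from the original post), the following script runs the same openssl command and then performs the checks worth doing before submitting the CSR to a CA: the key is 2048-bit, the CSR's self-signature verifies, the Common Name is example.com, and the key and CSR carry the same RSA modulus. It assumes openssl is on PATH and works in a throw-away temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the key and CSR with
# the subject used above, then run the checks worth doing before sending the CSR
# to a CA (key size, CSR signature, Common Name, key/CSR public key match).
# Assumes `openssl` is on PATH; works in a throw-away directory.
set -eu
WORK=$(mktemp -d)
KEY="$WORK/example_com.key"
CSR="$WORK/example_com.csr"

gen_csr() {
    # Same command as in the text: 2048-bit RSA key, SHA-256 signature, no passphrase
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -out "$CSR" -keyout "$KEY" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc./OU=Web Security/CN=example.com" \
        2>/dev/null
}

# Does the CSR's self-signature verify? (a corrupted or hand-edited CSR fails here)
csr_verifies() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Size of the RSA private key in bits (CAs require at least 2048)
key_bits() {
    openssl rsa -in "$KEY" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Common Name recorded in the CSR subject; this is what the CA validates
csr_cn() {
    openssl req -in "$CSR" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# The private key and the CSR must share the same RSA modulus; otherwise nginx
# would later reject the issued certificate with a key mismatch error
key_matches_csr() {
    k=$(openssl rsa -in "$KEY" -noout -modulus 2>/dev/null)
    c=$(openssl req -in "$CSR" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

gen_csr
```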
III. Configuring an HTTPS website in Nginx and hardening the configuration
As mentioned earlier, you submit the CSR file to a third-party SSL certificate authority; after validation they issue you a CRT file, which we name example_com.crt.
For the sake of consistency, you can move all three files to the /etc/ssl/private/ directory.
Then modify the Nginx configuration file (these directives go inside the server block):
listen 80;
listen [::]:80 ipv6only=on;
listen 443 ssl;
listen [::]:443 ssl ipv6only=on;
ssl_certificate     /etc/ssl/private/example_com.crt;
ssl_certificate_key /etc/ssl/private/example_com.key;
Check the configuration file and reload Nginx:
nginx -t && nginx -s reload
But this configuration is not secure enough: by default it still allows SHA-1, which mainstream deployments should now avoid. For greater security we can also configure Diffie-Hellman key exchange parameters.
First, enter the /etc/ssl/certs directory and generate a dhparam.pem:
openssl dhparam -out dhparam.pem 2048   # if your machine is powerful enough, you can use 4096-bit
Once generation completes, add the following SSL configuration to Nginx (ssl_dhparam points at the file just generated):
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # note: TLSv1 and TLSv1.1 are deprecated by RFC 8996; current deployments keep only TLSv1.2 and TLSv1.3
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
ssl_dhparam /etc/ssl/certs/dhparam.pem;
If your whole site is served over HTTPS and you do not care about plain HTTP, you can also add HSTS, which tells the browser that the entire site is encrypted and forces it to use HTTPS:
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
You can also add a separate Nginx server block that 301-redirects HTTP requests to HTTPS:
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    return 301 https://example.com$request_uri;
}
IV. Reliable third-party SSL issuers
As we all know, some NIC agencies have been caught up in a scandal over the issuance of certificates for Google domain names, so selecting a reliable third-party SSL issuer is important.
At present, the SSL certificate authorities generally on the market for small and medium-sized site owners and enterprises are:
Comodo / sub-brand PositiveSSL
GlobalSign / sub-brand AlphaSSL
GeoTrust / sub-brand RapidSSL
PositiveSSL, AlphaSSL, RapidSSL and the like are sub-brands and generally issue three- or four-level certificates, so you need to append the CA certificate chain to your CRT file.
Take Comodo PositiveSSL as an example: you need to concatenate the CA certificates. Assuming your domain name is example.com,
the concatenation command is:
cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > example_com.signed.crt
Then use example_com.signed.crt in the Nginx configuration.
If it is a common AlphaSSL wildcard certificate, they do not send you the CA certificate chain, so you need to append the AlphaSSL CA certificate chain after your CRT file yourself:
AlphaSSL Intermediate CA
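The order of that concatenation matters: nginx treats the first certificate in the file as the server certificate and the rest as the chain, so a wrongly ordered bundle fails with a key mismatch. As an added example (not code from the original post or from any CA), this script generates a constructed root/intermediate/leaf test PKI, builds the bundle the way the cat command above does, and checks that each certificate is issued by the one following it; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: check that a concatenated
# CRT bundle is in the order nginx expects (server certificate first, then each
# intermediate, each certificate issued by the one after it). A constructed
# root -> intermediate -> leaf test PKI is generated locally, so no real CA
# files are needed. Assumes `openssl` is on PATH.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test PKI (stand-ins for the Comodo/AddTrust files in the text)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Test Root" -keyout root.key -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Test Intermediate" -keyout int.key -out int.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -sha256 -extfile ca.ext -out int.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=example.com" -keyout example_com.key -out example_com.csr 2>/dev/null
openssl x509 -req -in example_com.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 1 -sha256 -out example_com.crt 2>/dev/null

# name_of CERT FIELD: the "subject" or "issuer" name in RFC 2253 form
name_of() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[^=]*= *//'; }

# chain_in_order BUNDLE: succeeds only if each cert's issuer is the next cert's subject
chain_in_order() {
    rm -f part*.pem
    awk 'BEGIN{c=0} /-----BEGIN CERTIFICATE-----/{c++} {print > ("part" c ".pem")}' "$1"
    i=1; want=""
    while [ -f "part$i.pem" ]; do
        subj=$(name_of "part$i.pem" subject)
        [ -z "$want" ] || [ "$want" = "$subj" ] || return 1
        want=$(name_of "part$i.pem" issuer)
        i=$((i + 1))
    done
    return 0
}

# chain_verifies BUNDLE: full path validation of the leaf up to the test root
chain_verifies() {
    openssl verify -CAfile root.crt -untrusted "$1" example_com.crt >/dev/null 2>&1
}

# Bundle in the order the text builds it (leaf first), and a wrongly ordered one
cat example_com.crt int.crt > example_com.signed.crt
cat int.crt example_com.crt > wrong_order.crt
```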
V. EV SSL for enterprises
EV SSL, short for Extended Validation, focuses on the security of corporate websites and on strict verification.
The most obvious difference is that EV SSL usually shows a green address bar; for example, the SSL certificate of this site is an EV SSL certificate.
If you would like to obtain a professional EV SSL certificate, you can contact us at cat Dot net