Nginx Configuration HTTP and HTTPS

Nginx configuration file nginx.conf has some top-level directives (that is, context) that are used to group instructions for different types of traffic:

• events, generic connection processing.
• Http,http traffic.
• Mail,mail traffic.
• STREAM,TCP traffic.

Directives placed outside these contexts (directives) are considered to be placed in the main context. In each traffic processing context, you can place one or more server contexts to define the virtual server that is used to control request processing (Vsan servers).

In the HTTP context, each server context is responsible for processing requests for a resource for a specific domain name or IP address, and one or more of the location contexts in the server's context are used to define how to handle a particular collection of URIs.

For the mail and stream contexts, each server context is responsible for processing traffic on a specific TCP port or UNIX socket.

An approximate framework for the nginx.conf configuration file is as follows:

user nobody; # 位于主上下文的指令events {    # 连接处理的配置}http {    # 对 HTTP 请求的配置，会影响所有的虚拟服务器    server {        # 对第一台 HTTP 虚拟服务器的配置        location /one {            # 配置该如何处理以 /one 开始的 URI        }    }}stream {    # 对 TCP 请求的配置，会影响所有的虚拟服务器    server {        # 对第一台 TCP 虚拟服务器的配置    }}

Basic Configuration

The configuration in the nginx.conf file can be divided into three parts: Configuring the main context, configuring the events context, and configuring the HTTP context.

The configuration of the main context is global and is configured as follows:

user nginx nginx;worker_processes 2;error_log /var/log/nginx/error.log  notice;worker_rlimit_nofile 1024;

• User, specifying the users and user groups running worker process, which is run by the Nginx user by default.
• Worker_processes, specifies the number of child processes (worker process) that Nginx opens.

• Error_log, specifies the global error log file.

  The debug, info, notice, warn, error, and crit levels are selectable based on the reduced verbosity of the included log information.

• Worker_rlimit_nofile, specifies the number of file descriptors that can be opened by an Nginx process.

  The number of file descriptors that can be opened in Linux is set by the Ulimit-n 1024 command.

The events context is used to specify the working mode of Nginx and the connection upper limit, configured as follows:

events {    use epoll;    worker_connections 1024;}

• Use, specify Nginx mode of operation.

  The working modes supported by Nginx are SELECT, poll, Kqueue, Epoll, Rtsig and/dev/poll.

  Where select and poll are standard operating modes, kqueue and epoll are efficient modes of operation.

  Epoll is used on Linux platforms, while Kqueue is used in BSD systems.

• Worker_connections, specifies the maximum number of connections per process in Nginx (that is, the maximum number of requests received by the client).

  The maximum number of client connections is determined jointly by Worker_processes and Worker_connections, which is max_clients = Worker_processes*worker_connections.

  The maximum number of connections accepted by a process is limited by the maximum open file descriptor for the Linux system process, which can be modified by the Ulimit command.

The HTTP context is the most central module in Nginx, which is responsible for the configuration of HTTP server-related properties. The specific configuration is as follows:

  http {include mime.types;        Default_type Application/octet-stream; Log_format Main ' $remote _addr-$remote _user [$time _local] "$request" "$status $body _bytes_sent" $h    Ttp_referer "" "$http _user_agent" "$http _x_forwarded_for";        Access_log/var/log/nginx/access.log main;    Sendfile on;    Tcp_nopush on;        Tcp_nodelay on;        Keepalive_timeout 10; server {# config HTTP virtual server}}  

• Include, which contains the/etc/nginx/mime.type file, which is used to set the MIME type of the file for Nginx recognition.

• Default_type, set the default file type to binary stream.

  When the file type is not specified in the Mime.type file, the default is a binary stream, at which time access to the file, Nginx will not parse, but directly download.

• Log_format, set the log format and what information is logged.

• Access_log, the global access log in this HTTP context.

  The following main specifies the log format, which uses the format defined in Log_format.

• Sendfile, turn on efficient file transfer mode.

  Setting Tcp_nopush and Tcp_nodelay to on is to prevent network congestion.

• Keepalive_timeout, sets the time-out for client connections to remain active.

The server context in HTTP is used to configure the HTTP virtual server, which is configured as follows:

server {    listen 80;    server_name localhost 192.168.0.99 www.hao.com;    root /www/nginx;    index index.html index.jsp;            charset utf-8;    access_log /var/log/nginx/host.access.log  main;    error_log /var/log/nginx/host.error.log  error;            location / {        # 配置如何处理特定的 URI 集合    }}

• Listen, the port on which this virtual server listens. Different virtual servers can listen on different ports.
• server_name, specify an IP address or domain name.
• Root, which defines the roots of this virtual server.
• Index, which defines the default home address for this virtual server. Accesses the defined file sequentially.
• CharSet, sets the default encoding format for Web pages.
• Access_log, the access log for this virtual server.
• Error_log, the error log for this virtual server.

The location context in server is used to configure a collection of processing-specific URIs, which are configured as follows:

location / {    root /home/nginx;    index index.html index.jsp;}

• Location/, match the access path to the/start URI.

• Root, starting with the URI in the current location context.

  Can be the same as the root directory in the server context, or you can customize a new root directory.

• Index, the default home address in the current location context.

HTTPS Configuration

The client can safely interact with the server via HTTPS without worrying that messages will be intercepted and read. HTTPS certificates are used to help clients verify the identity of the server they are connected to.

A server certificate is a public entity that is sent to each client that is connected to the server. The private key is a security entity that should be stored in an access-restricted file, but it must be readable for Nginx's main process.

The first step is to create an SSL certificate for Nginx to provide HTTPS functionality. First, create an SSL directory in the Nginx installation directory.

mkdir /etc/nginx/ssl

Then create an SSL certificate in the SSL directory, as follows to create a validity period of 10 years, the encryption strength is RSA2048 SSL key Nginx.key and X509 certificate file NGINX.CRT.

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout nginx.key -out nginx.crt

• The-x509 specifies that the Certificate Signing REQUEST,CSR) management be used with the certificate signing request.
• -node tells OpenSSL to ignore the password link when generating the certificate (this file needs to be automatically read by Nginx here, rather than in the form of user interaction).
• -DAY Specifies the validity period of the certificate.
• -newkey rsa:2048 indicates that a new certificate and a new SSL key are generated (the encryption strength is RSA 2048).
• -KEYOUT Specifies the SSL output file name.
• -OUT Specifies the generated certificate file name.

Upon execution of the above order, the following information will be required.

Generating a 2048 bit RSA private key.....................................+++...........+++writing new private key to ‘/etc/nginx/ssl/nginx.key‘-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ‘.‘, the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:BeijingLocality Name (eg, city) [Default City]:BeijingOrganization Name (eg, company) [Default Company Ltd]:haoOrganizational Unit Name (eg, section) []:haoCommon Name (eg, your name or your server‘s hostname) []:www.hao.comEmail Address []:[email protected]

After SSL is created, the second part is to configure Nginx to use SSL. The first is to configure redirection of HTTP requests to HTTPS.

server {    listen 80;    server_name localhost 192.168.0.99 www.hao.com;    # HTTPS 配置    rewrite ^ https://$http_host$request_uri? permanent;}

• Rewrite, rewrite the URL.

  Syntax: Rewrite rule-directed path rewrite type;

  A string or regular expression that matches the target URL.

  A directed path that matches the path to be directed after the rule.

  $http _host represents the host address.

  $request _uri represents the URI.

  Override Type,

  Last, after completing the rewrite, the URL of the browser address bar does not change.

  Break, after this rule match is complete, terminates the match, no longer matches the following rule, and the URL of the browser address bar does not change.

  Redirect, return 302 temporary redirect, the browser address will show the URL after the jump.

  Permanent, return 301 permanent Redirect, the browser address bar will show the URL after the jump.

Then configure the processing of the HTTPS request.

server {    listen 443 ssl;    server_name www.hao.com;    ssl_certificate /etc/nginx/ssl/nginx.crt;    ssl_certificate_key /etc/nginx/ssl/nginx.key;    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    ssl_ciphers HIGH:!aNULL:!MD5;    root /www/nginx/https;    index index.html index.jsp;            keepalive_timeout 70;            server_tokens off;    access_log /var/log/nginx/www.hao.com.access.log;    error_log /var/log/nginx/www.hao.com.error.log;}

• Listen, listen on port 443 and use SSL parameters.
• Ssl_certificate, specify the path to the server certificate.
• Ssl_certificate_key, specifies the path to the private key.
• Ssl_protocols, specify the SSL protocol (Nginx is used by default).
• Ssl_ciphers, specify the password in the format understood by the OpenSSL library (Nginx is used by default).
• Server_tokens, close (show) the Nginx version number.

Finally, restart Nginx to use the new configuration file.

service nginx restart

You can also configure a server that handles Http/https at the same time, with the following configuration in the server context:

server {    listen 80;    listen 443 ssl;    server_name 192.168.0.99;    ssl_certificate /etc/nginx/ssl/nginx.crt;    ssl_certificate_key /etc/nginx/ssl/nginx.key;    root /www/nginx;    index index.html index.jsp;            keepalive_timeout 70;            server_tokens off;    access_log /var/log/nginx/www.hao.com.access.log;    error_log /var/log/nginx/www.hao.com.error.log;   }

HTTPS Server Optimization

An SSL connection consumes more CPU resources (such as an SSL handshake), so you should run several worker processes on multiprocessor systems. There are two ways to reduce the action of each client to perform an SSL handshake:

• First make the connection keep-alive, and then send multiple requests through a connection.
• The SSL session parameter is then reused to avoid parallel and subsequent connections to the SSL handshake.

The session is stored in the SSL session cache shared by the worker and can be configured via the Ssl_session_cache directive. The configuration of the session in the HTTP context is as follows.

http {    ssl_session_cache shared:SSL:10m;    ssl_session_timeout 10m;}

• Ssl_session_cache, specifies that the size of the SSL shared cache is 10M.
• Ssl_session_timeout, specifies that the timeout for the SSL shared cache is mins.

Nginx Configuration HTTP and HTTPS