NGINX+HTTPS (SSL/TLS)

Source: Internet
Author: User

Environment

First make sure the machine has OpenSSL and openssl-devel installed:

rpm -qa | grep openssl
# yum install openssl
# yum install openssl-devel

Confirm that Nginx was built with the SSL module, for example with the following command:

/opt/nginx/sbin/nginx -V

Check whether the output contains --with-http_ssl_module; if it does not, reconfigure and rebuild Nginx with that option before continuing.

Create a certificate (a self-signed certificate, issued to yourself)

# cd /usr/local/nginx/conf
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# openssl rsa -in server.key -out server_nopwd.key
# openssl x509 -req -days 365 -in server.csr -signkey server_nopwd.key -out server.crt

Or, with the paths and file names used in the rest of this article:

# cd /opt/nginx/conf
# openssl genrsa -des3 -out cert.key 2048      // create the server private key
# openssl req -new -key cert.key -out cert.csr  // the certificate signing request

The following prompts appear:

Enter pass phrase for cert.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:demo
Organizational Unit Name (eg, section) []:localhost
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The values after each colon are what we typed; the last two prompts were left empty. Prompts whose brackets are empty appear to be optional.

Making a decrypted private key

First copy cert.key to cert.key.org, then strip the passphrase from it:

# cp cert.key cert.key.org
# openssl rsa -in cert.key.org -out cert.key

Finally, use cert.csr and cert.key to generate cert.crt:

# openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt
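The same four-step flow as an added, non-interactive script (not code from the original article), with the check a practitioner wants before pointing nginx at the files: that the certificate's public key really matches the decrypted private key. WORKDIR, the passphrase and the subject fields are assumptions for this demo.

```sh
# Added example, not from the original page: the page's four-step
# self-signed certificate flow run non-interactively, then a check that
# the certificate really belongs to the decrypted key. WORKDIR, PASS
# and the subject fields are assumptions for this demo.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASS="demo-passphrase"   # constructed; only protects the intermediate key
# Minimal req config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORKDIR/req.cnf"

# Steps 1-2: encrypted RSA key and CSR; -subj supplies the DN fields the
# page typed at the prompts, so 'openssl req' does not ask for them.
gen_csr() {
    openssl genrsa -des3 -passout "pass:$PASS" -out "$WORKDIR/cert.key.org" 2048 2>/dev/null
    openssl req -new -config "$WORKDIR/req.cnf" -key "$WORKDIR/cert.key.org" \
        -passin "pass:$PASS" -out "$WORKDIR/cert.csr" 2>/dev/null \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=demo/OU=localhost/CN=localhost"
}

# Step 3: strip the passphrase so nginx can (re)start without prompting.
decrypt_key() {
    openssl rsa -in "$WORKDIR/cert.key.org" -passin "pass:$PASS" \
        -out "$WORKDIR/cert.key" 2>/dev/null
    chmod 600 "$WORKDIR/cert.key"   # an unencrypted key must not be world-readable
}

# Step 4: self-sign the CSR with the decrypted key, valid for 365 days.
sign_cert() {
    openssl x509 -req -days 365 -in "$WORKDIR/cert.csr" \
        -signkey "$WORKDIR/cert.key" -out "$WORKDIR/cert.crt" 2>/dev/null
}

# Check: the modulus in the certificate must equal the private key's;
# a mismatch is the usual reason nginx refuses to load the pair.
key_matches_cert() {
    k=$(openssl rsa -in "$WORKDIR/cert.key" -noout -modulus | openssl md5)
    c=$(openssl x509 -in "$WORKDIR/cert.crt" -noout -modulus | openssl md5)
    [ "$k" = "$c" ]
}

# Check: the CN that nginx will present to clients.
cert_subject_cn() {
    openssl x509 -in "$WORKDIR/cert.crt" -noout -subject | sed 's/.*CN *= *//'
}

make_selfsigned() { gen_csr && decrypt_key && sign_cert && key_matches_cert; }

make_selfsigned && echo "generated $WORKDIR/cert.crt for CN=$(cert_subject_cn)"
```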
Configure Nginx

Enable SSL in the server configuration block and specify the locations of the server certificate and key file. Open the configuration file under conf/vhosts:

PHP example:

server {
    listen 443;
    server_name _;
    access_log off;
    ssl on;
    ssl_certificate /opt/nginx/conf/vhosts/cert.crt;
    ssl_certificate_key /opt/nginx/conf/vhosts/cert.key;

    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root /mnt/html/test;
        index index.php index.html;
    }
    error_page 502 503 504 /50x.html;
    location = /50x.html {
        root /opt/nginx/html;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /mnt/html/test$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ /\.ht {
        deny all;
    }
}

SSL operations consume CPU, so on multiprocessor systems several worker processes should be started, no fewer than the number of available CPUs. The most CPU-intensive SSL operation is the handshake, and there are two ways to reduce the number of handshakes per client: keep the client connection alive and send multiple requests over one SSL connection, and reuse the SSL session parameters across concurrent or subsequent connections so that the full handshake is skipped. The session cache holds SSL sessions, is shared between worker processes and is configured with the ssl_session_cache directive. A 1 MB cache holds approximately 4,000 sessions. The default cache timeout is 5 minutes and can be raised with ssl_session_timeout.

If the HTTP and HTTPS virtual hosts behave identically, a single virtual host can serve both HTTP and HTTPS requests. To do so, remove the ssl on directive and add the ssl parameter to the listen directive for port *:443:

server {
    listen              80;
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ...
}

Example (work out the meaning of each parameter yourself):

server {
    listen 80;
    listen 443 ssl;
    server_name lvtao.net;
    client_max_body_size 10M;
    ssl_certificate /etc/nginx/ssl/www.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security max-age=15768000;
}
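To see the difference between the first server block above (SSLv2/SSLv3/TLSv1, ssl on, no HSTS) and the hardened one, here is an added lint script (not from the original article) that flags those settings in an nginx server block. It is run over two constructed blocks: a copy of the page's weak configuration and a hardened one that goes a step beyond the page's example by allowing only TLSv1.2 and TLSv1.3.

```sh
# Added example, not from the original page: a lint for the TLS directives
# of an nginx server block, run over two constructed server blocks.
set -eu

WEAK_CONF='server {
    listen 443;
    ssl on;
    ssl_certificate /opt/nginx/conf/vhosts/cert.crt;
    ssl_certificate_key /opt/nginx/conf/vhosts/cert.key;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}'

HARDENED_CONF='server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/www.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
}'

# Print one finding per line; no output means nothing was flagged.
lint_tls_conf() {
    conf="$1"
    # Protocols: SSLv2/SSLv3 are broken, TLSv1/TLSv1.1 are deprecated.
    protos=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);/\1/p')
    for p in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        case " $protos " in *" $p "*) echo "weak-protocol:$p" ;; esac
    done
    # 'ssl on' is the legacy form; 'listen 443 ssl' is what the later examples use.
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on;' && echo "legacy-ssl-on"
    # Without HSTS, browsers keep accepting a downgrade to plain HTTP.
    printf '%s\n' "$conf" | grep -q 'Strict-Transport-Security' || echo "missing-hsts"
    # Let the server, not the client, choose the cipher suite.
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on;' \
        || echo "missing-prefer-server-ciphers"
    return 0
}

# Number of findings, usable as a pass/fail gate in a deploy script.
lint_count() { lint_tls_conf "$1" | grep -c . || true; }

lint_tls_conf "$WEAK_CONF"
echo "weak: $(lint_count "$WEAK_CONF") findings, hardened: $(lint_count "$HARDENED_CONF") findings"
```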
Restarting Nginx without a password prompt

The Nginx configuration stays the same, but if the key is still passphrase-protected, every restart of Nginx asks for the password. To avoid the prompt, strip the passphrase from the key with the following command:

openssl rsa -in pupboss.key -out pupboss_unsecure.key
Force HTTPS

Add the following server block, which redirects every plain-HTTP request to its HTTPS counterpart:

server {
    listen 80;
    server_name lvtao.net;
    return 301 https://$server_name$request_uri;
}
