Using nginx as an SSL proxy improves security by encrypting the transmission, and you do not need to write any program to implement user authentication, which is very practical.
First, compile and install:
I use debian testing. Install pcre first, then compile and install nginx:
./configure --prefix=/home/nginx --with-md5=/usr/lib --with-sha1=/usr/lib --with-cc-opt="-I/usr/include/pcre -I/usr/include/openssl" --with-http_ssl_module
make -j10
make install
If you are not on debian, openssl may need to be compiled and installed by hand. Download it:
wget http://www.openssl.org/source/openssl-0.9.8k.tar.gz
tar -zxvf openssl-0.9.8k.tar.gz
cd openssl-0.9.8k
./config
make
make install
After installation openssl lands in the /usr/local/ssl/ directory. Unless you have a special need, do not overwrite the system's openssl; otherwise openssh may no longer be able to connect, which is troublesome.
Then change the nginx compile parameters to point at that openssl:
./configure --prefix=/home/nginx --with-md5=/usr/lib --with-sha1=/usr/lib --with-cc-opt="-I/usr/include/pcre -I/usr/local/ssl/include/openssl" --with-http_ssl_module
make -j10
make install
Configuration
1. ssl uses port 443, not port 80. Modify listen:
listen 443; # ssl port
listen 80;  # users still type plain http, so 80 is added too; the configuration below jumps to port 443 automatically.
2. Configure ssl
Complete example:
upstream test.com {
    server 192.168.1.2:80;
}
server {
    server_name test.com;
    include port.conf;
    ssl on;
    ssl_certificate server.crt;        # ${nginx_install_dir}/conf/server.crt
    ssl_certificate_key server.key;    # ${nginx_install_dir}/conf/server.key
    error_page 497 https://$host$uri?$args;
    location / {
        proxy_pass http://test.com;
        include proxy.conf;
        auth_basic status;
        auth_basic_user_file trac.passwd;
    }
}
There are two sections:
Section 1:
ssl on;
ssl_certificate server.crt;
ssl_certificate_key server.key;
error_page 497 https://$host$uri?$args;
1. Enable ssl. server.crt and server.key are generated by keygen.sh and correspond to ${nginx_install_dir}/conf/server.crt and ${nginx_install_dir}/conf/server.key.
2. After downloading keygen.sh, run sh keygen.sh; it generates server.crt and server.key under /etc/apache_ssl/. Copy them to the nginx conf directory.
3. error_page 497 (nginx's code for a plain http request arriving on the ssl port) makes http requests jump to https automatically: for example http://test.com/asdf.html?a=1 is redirected with a 302 to https://test.com/asdf.html?a=1.
Section 2:
proxy_pass http://test.com;
include proxy.conf;
auth_basic status;
auth_basic_user_file trac.passwd;
1. proxy_pass http://test.com; note that this is plain http to the backend. An https backend can also be proxied; https uses port 443 by default, so configure that in upstream.
2. include proxy.conf; the proxy settings live in proxy.conf.
3. auth_basic status; turns on htpasswd-style basic authentication ("status" is the realm text shown in the login box); auth_basic_user_file specifies the password file trac.passwd, corresponding to ${nginx_install_dir}/conf/trac.passwd.
4. htpasswd is a small tool from apache; apt-get install apache2-utils gets it. Or simply generate an entry at http://sudone.com/htpasswd.php and paste the result into trac.passwd.
Create an htpasswd:
htpasswd -c trac.passwd username
Add users:
htpasswd trac.passwd username
After configuring, open https://test.com: a certificate prompt appears first, then a username/password box; enter a user name and password from trac.passwd and you are in.
Opening http://test.com goes through one extra hop (the redirect), but the result is the same.
-----------------------------------------------------------
Recently I set up nginx with an ssl certificate issued by CNNIC, a trusted CA. Besides server.crt and server.key you also need a root.crt, the third-party certificate that proves server.crt and server.key were officially issued and not forged.
Some time ago my test of nginx with the CNNIC certificate failed, so apache was used instead. I recently asked colleagues on the Netease pass team and learned how to match the files up.
In fact the installation and configuration files are the same; the problem was with the certificate.
The apache configuration has three directives, which are the standard form provided by CNNIC:
SSLCertificateFile /etc/apache2/ssl/server.cer
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCertificateChainFile /etc/apache2/ssl/CNNIC.cer
The file server.key is nginx's server.key; server.cer + CNNIC.cer together make nginx's server.crt.
server.key does not need to be modified. Check that its first and last lines are complete:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
server.crt is the concatenation of the two files (server certificate first, then the CNNIC chain certificate appended):
cat CNNIC.cer >> server.cer
mv server.cer server.crt
The last problem is the most fatal one, and the reason my test failed. See the figure:
Make sure the -----BEGIN CERTIFICATE----- marker lines are in exactly the correct format.
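The two steps above (appending CNNIC.cer to server.cer, then checking the marker lines) as an added example, not part of the original post: a small POSIX sh script that builds server.crt and refuses a file whose PEM markers are malformed or whose chain is missing. File names follow the post; the certificate and key bodies in the demo are constructed placeholders, and the key check assumes the RSA PRIVATE KEY markers the post shows.

```shell
#!/bin/sh
# Added example, not from the original post: build server.crt from server.cer
# plus CNNIC.cer as described above, then check the result before nginx reads it.
# File names follow the post; all certificate/key bodies used in the demo are
# constructed placeholders, not real PEM data.
# Concatenate server cert first, chain cert second (the order nginx expects).
build_chain() {   # $1 server.cer  $2 CNNIC.cer  $3 resulting server.crt
    cat "$1" "$2" > "$3"
}

# Print the number of well-formed PEM blocks with label $2 in file $1.
# Fails if a marker is not exactly "-----BEGIN <label>-----"/"-----END <label>-----"
# (lowercase, stray spaces, wrong dashes) or unbalanced: the problem the post calls fatal.
pem_blocks() {    # $1 file  $2 label, e.g. CERTIFICATE or "RSA PRIVATE KEY"
    awk -v label="$2" '
        BEGIN { b = "-----BEGIN " label "-----"; e = "-----END " label "-----" }
        $0 == b   { open++; next }
        $0 == e   { if (open) { open--; n++ } else bad = 1; next }
        /^-----/  { bad = 1 }          # looks like a marker but is malformed
        END { if (bad || open) exit 1; print n + 0 }' "$1"
}

# server.crt must carry the server certificate plus at least one chain
# certificate; server.key exactly one key with the markers shown in the post.
check_files() {   # $1 server.crt  $2 server.key
    certs=$(pem_blocks "$1" CERTIFICATE) \
        || { echo "$1: malformed certificate marker" >&2; return 1; }
    [ "$certs" -ge 2 ] \
        || { echo "$1: expected server + chain certificate, found $certs" >&2; return 1; }
    keys=$(pem_blocks "$2" "RSA PRIVATE KEY") \
        || { echo "$2: malformed private key marker" >&2; return 1; }
    [ "$keys" -eq 1 ] \
        || { echo "$2: expected exactly one private key, found $keys" >&2; return 1; }
}

# Demo on constructed placeholder files in a scratch directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'c2VydmVyLXBsYWNlaG9sZGVy' \
        '-----END CERTIFICATE-----' > "$d/server.cer"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y25uaWMtcGxhY2Vob2xkZXI=' \
        '-----END CERTIFICATE-----' > "$d/CNNIC.cer"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'a2V5LXBsYWNlaG9sZGVy' \
        '-----END RSA PRIVATE KEY-----' > "$d/server.key"
    build_chain "$d/server.cer" "$d/CNNIC.cer" "$d/server.crt"
    check_files "$d/server.crt" "$d/server.key" && rc=0 || rc=1
    rm -rf "$d"
    return "$rc"
}
```

Run check_files on the real server.crt and server.key after the cat/mv step; a non-zero exit names the file and the problem.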
-----------------------------------------------------------
For logging out of Basic authentication, see this article:
http://sudone.com/linux/http_basic_authentication_logout.html