SSL (HTTPS) Introduction, lab environment generation key pair, nginx configuration SSL, HTTPS

SSL principle HTTP and HTTPS differences

HTTP default port is 80,https default port is 443;
HTTP transmits data to plaintext, HTTPS transmits data is encrypted;

HTTP is the HTTP protocol that runs on top of TCP. All transmitted content is plaintext, the client and the server can not verify the identity of the other side;
HTTPS is HTTP running over SSL/TLS, and SSL/TLS is running over TCP. All transmitted content is encrypted and encrypted with symmetric encryption, but the symmetric encryption key is asymmetric encrypted with the server-side certificate. In addition, the client can verify the identity of the server side, and if client authentication is configured, the server side can also verify the identity of the client.

HTTPS Work Flow

1. Complete the TCP three synchronization handshake
2. Client Authentication server certificate, pass, go to step 3
Secret key and hash algorithm of 3.DH algorithm for negotiation of symmetric encryption algorithm
4.SSL secure encryption is broken until the negotiation is completed;
5. The Web page is transmitted by encryption, encrypted with the negotiated encryption algorithm to ensure that the data is intact and not tampered with;

Generate an SSL key pair

The normal website HTTPS use SSL certificate is need to purchase, we do the experiment just need to generate one on the line, but not on the network to circulate;

Download OpenSSL build Software

yum install -y openssl

Enter the key pair directory

Set secret key to prevent directory

cd /usr/local/nginx/conf/

Generate private key

Note that you need to set a password here

openssl genrsa -des3 -out tmp.key 2048

Convert to a private key without a password

Note: Here will be prompted to enter the old private key file Tmp.key password;

openssl rsa -in tmp.key -out test.key删除老的私钥rm -rf tmp.key

Generate a certificate Request file

You need to set the details, you can go directly to the default

openssl req -new -key test.key -out test.csr

Set public key validity period, generate public key

openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt

Note: TEST.CRT is the public key, TEST.CSR just request the file, Test.key is the private key;

Nginx configuration SSL Create SSL configuration file

vim /usr/local/nginx/conf/vhost/ssl.conf

Code

server{    listen 443;                         //设置端口为443    server_name shu.com;                //设置网站域名为shu.com    index index.html index.php;    root /data/wwwroot/shu.com;         //设置web的站点目录    ssl on;                             //开启ssl功能    ssl_certificate test.crt;           //指定公钥名字    ssl_certificate_key test.key;       //指定私钥名字    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;}

Detection and entry into force

/usr/local/nginx/sbin/nginx -t/usr/local/nginx/sbin/nginx -s reload

Test

View listening port, 443 successful

netstat -lntp

Use https://shu.com access, success;

SSL Error Handling:

Error message on-t detection

nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed提示：nginx不支持ssl，这是因为我们编译安装nginx时是最简单的模式编译的，没有指定ssl；

Ideas:

Recompile install Nginx

To view the parameters that were compiled before Nginx

/usr/local/nginx/sbin/nginx -V

nginx version: nginx/1.12.2built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)configure arguments: --prefix=/usr/local/nginx

Enter the source package

cd /usr/local/src/nginx-1.12.2/

Query SSL requires additional configuration

./configure --help |grep -i ssl结果为：--with-http_ssl_module

Re-compiling Nginx

./configure --prefix=/usr/local/nginx --with-http_ssl_modulemake && make install

Restart Nginx Service

/etc/init.d/nginx restart

SSL (HTTPS) Introduction, lab environment generation key pair, nginx configuration SSL, HTTPS