Using Nginx to build HTTPS server

First, HTTPS introduction

HTTPS is actually made up of two parts: HTTP + SSL/TLS, which adds a layer of encryption information to the HTTP module. The transfer of information between the server and the client is encrypted through TLS, so the transmitted data is encrypted.

First, the client establishes a connection with the server, each generating a private key and a public key, which is different. The server returns a public key to the client, and then the client takes the public key to encrypt the object to be searched, called the ciphertext, and, with its own public key, is returned to the server, the server takes its own private key to decrypt the text, and then encrypts the response data with the client's public key, and returns it to the client. The client takes its own private key to decrypt the text and presents the data.

Second, generate certificates and private keys

Note: This is just a description of how to create a secret key, but the secret key that you create is not validated by your browser. If you need to build an HTTPS server, you need to buy a secret key.

① Create the directory that is stored, and go to the directory, the generic generated directory, should be placed in the Nginx/conf/ssl directory: cd/usr/local/nginx/conf/ssl/

② creating a server certificate key file Server.key:openssl genrsa-des3-out Server.key 1024

　　　　

Note Remember the password you entered, which you need to use later.

③ Create the request file for the server certificate SERVER.CSR

1 [[email protected] SSL]# OpenSSL Req-new-key server.key-out SERVER.CSR2 Enter pass phrase for server.key:← type the password you created earlier3 You is about-to is asked to- enter information that'll be incorporated4 into your certificate request.5 What's about -to-enter is called a distinguished Name or a DN.6 there is quite a few fields but can leave some blank7For some fields there would be a default value,8If you enter '. ',The field would be a left blank.9 -----TenCountry Name (2 letter code)[XX]: cn← Country Code, China input CN OneState or province name (full name)[]: Full name of Beijing← province, pinyin ALocality Name (eg, city)[Default City]: Full name of beijing← city, pinyin -Organization Name (eg, company)[Default Company LTD]: MyCompany Corp. ← Company English Name -Organizational Unit Name (eg, section)[]: ← Can not enter theCommon name (eg, your name or your server ' s hostname)[]: ← Can not enter -Email Address[]: 1430156396@qq. com← e-Mail -  - Please enter the following ' extra ' attributes + To is sent with your certificate request -A Challenge Password[]: ← Can not enter +An optional company name[]: ← Can not enter

④ Backup Server secret key file: CP Server.key Server.key.bak

⑤ Remove file Password: OpenSSL rsa-in server.key.bak-out Server.key

⑥ Generate certificate file Server.crt:openssl x509-req-days 365-in server.csr-signkey server.key-out server.crt

Third, configure Nginx

① Configuring Nginx configuration file: vim/usr/local/nginx/conf/nginx.conf

② add HTTPS configuration in configuration file to enable Nginx to support HTTPS

1 server {2Listen 443 SSL;3server_name www.origal.cn; # domain or IP4 5Ssl_certificate/usr/local/nginx/conf/ssl/214324938610703.pem;6Ssl_certificate_key/usr/local/nginx/conf/ssl/214324938610703.key;7 8Ssl_session_cache shared:ssl:1m;9Ssl_session_timeout 5m;Ten  OneSsl_ciphers high:!anull:! MD5; ASsl_prefer_server_ciphers on; -  - Location /{ theRoot HTML; -Index index.html index.htm; -         } -}

③ is then accessed using HTTPS to access the

Using Nginx to build HTTPS server