Nginx configuration SSL and HTTPS protocol communication process

I. Introduction

Basic knowledge

1.1 Public-key cryptography

A public key cryptosystem has three parts: the public key, the private key, and the encryption and decryption algorithms. Its encryption and decryption process is as follows:

Encryption: the plaintext is encrypted with the encryption algorithm and the public key to obtain the ciphertext. The public key is required for encryption.

Decryption: the ciphertext is decrypted with the decryption algorithm and the private key to obtain the plaintext. The decryption process requires the decryption algorithm and the private key. Note that content encrypted with the public key can only be decrypted with the private key; in other words, without knowing the private key, content encrypted with the public key cannot be decrypted.

In a public key cryptosystem the public key and the algorithms are public (which is why it is called a public key cryptosystem), and the private key is kept secret. Anyone can encrypt with the public key, but only the holder of the private key can decrypt. In practice, whoever needs one generates a pair of public and private keys, publishes the public key for others to use, and keeps the private key to themselves.

1.2 Symmetric key algorithms

In a symmetric encryption algorithm, the key used for encryption and the key used for decryption are the same; in other words, both encryption and decryption use one key. For a symmetric algorithm to be secure, that key must therefore be kept secret, known only to the parties using it and never disclosed. This differs from the public key cryptosystem above, where the public key is used for encryption and the private key for decryption: a symmetric algorithm uses the same key for both and makes no distinction between a public and a private key. A key, generally a string or a number, is passed to the encryption or decryption algorithm at the time of encryption or decryption. The public key and private key of the public key cryptosystem above are both keys in this sense: the public key is the key used for encryption, and the private key is the key used for decryption.

1.3 Asymmetric key algorithms

In an asymmetric encryption algorithm, the key used for encryption and the key used for decryption are different. The public key cryptosystem described above is an asymmetric encryption algorithm: its public key and private key cannot be the same, that is, the key used for encryption differs from the key used for decryption, so it is not a symmetric encryption algorithm.

1.4 Introduction to RSA

RSA is a public key cryptosystem that is now widely used. If you are interested in RSA itself, see a dedicated introduction to RSA.

The RSA cryptosystem is a public key cryptosystem: the public key is public, the private key is kept secret, and the encryption and decryption algorithms are public. Content encrypted with the public key can be decrypted only with the private key, and content encrypted with the private key can be decrypted only with the public key. In other words, an RSA public/private key pair can be used for both encryption and decryption, and content encrypted with one key of the pair can be decrypted only with the other.

1.5 Signing and encryption

When we talk about encryption, we mean to encrypt a certain content, and the encrypted content can also be restored by decryption. For example, we encrypt an email, and the encrypted content is transmitted on the network. After receiving it, the recipient can restore the true content of the email through decryption.

This section mainly explains signatures. A signature is a piece of content appended to a message that proves the message has not been modified. How is this achieved? Generally, a hash of the message is computed to obtain a hash value. Note that this process is irreversible: the original message cannot be recovered from the hash value. When sending the message, the hash value is encrypted to form the signature and sent along with the message. On receipt, the receiver recomputes the hash value of the message and compares it with the hash value attached to the message (after decrypting the signature). If they match, the message content has not been modified, because the hash calculation guarantees that different content yields different hash values, so any modification of the content changes the hash value computed from it. Of course, someone with bad intentions could modify the message content and also modify the hash value so that the two still match. To prevent this, the hash value is encrypted (that is, signed) before it is sent with the message, which ensures that the hash value itself cannot be modified.

HTTPS communication process

HTTPS is the secure version of HTTP; it protects any communication transmitted online through an SSL/TLS connection. In short, HTTPS = HTTP + SSL. To establish an HTTPS connection you must first obtain an SSL certificate from a trusted certificate authority (CA) such as Gworg. After the SSL certificate is installed, an "S" appears after "HTTP" in the browser address bar, together with a green security lock symbol.

The SSL (Secure Sockets Layer) protocol and its successor, the TLS (Transport Layer Security) protocol, are security protocols that provide confidentiality and data integrity for network communications.

1) The browser sends an HTTPS request to the server;

2) The server must have a digital certificate, which can be self-made or applied for from a CA. The difference is that a self-issued certificate must be verified (accepted) by the client before access can continue, whereas a certificate issued by a trusted CA does not pop up a warning on the page. This certificate is in fact a pair of public and private keys;

3) The server will transmit the public key to the client;

4) After the client (browser) receives the public key, it will verify whether it is legal and valid. If it is invalid, there will be a warning reminder. If it is valid, a string of random numbers will be generated and encrypted with the received public key;

5) The client transmits the encrypted random string to the server;

6) After the server receives the encrypted random string, it first decrypts it with the private key (public key encryption, private key decryption). Having obtained the random string, it then uses it to encrypt the data to be transmitted. This encryption is symmetric encryption: the data is combined with the secret key, i.e. this random string, through a certain algorithm, so that the data content cannot be recovered unless the secret key is known;

7) The server transmits the encrypted data to the client;

8) After the client receives the data, it decrypts it with its own secret key, which is the random string;

9) Both the client and the server now know the symmetric key, and they use it to encrypt the data exchanged during the session. (The flowchart is shown below.)

[Flowchart: the understanding of HTTPS and the actual deployment of nginx]


2.1 Client accesses the URL

One way is https://www.domain.com/..., which reaches the server directly on port 443;

The other is http://www.domain.com/..., which reaches the server on port 80 and is rewritten by nginx to https://www.domain.com/..., so the client connects to the server again on port 443;

The server deploys nginx listening on ports 80 and 443, and all port 80 requests are redirected to 443. This path costs one extra redirect.

II. Generate an SSL certificate yourself

If you are going to install an SSL certificate for Nginx, note that the SSL module is not compiled in by default: you need to pass the --with-http_ssl_module parameter when compiling Nginx. The compiled module requires the OpenSSL library files, so you generally need to install the openssl and openssl-devel packages.

# cd /usr/local/src/nginx-1.12.2
# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
# make
# make install

2.1 Generate private key with password

Go to the directory containing nginx.conf: for a source install it is /usr/local/nginx/conf, for a yum install it is /etc/nginx. In that directory, create the ssl_cert directory and generate the key inside it, as follows:

[root@masternode /]# cd /etc/nginx
[root@masternode nginx]# mkdir ssl_cert
[root@masternode nginx]# cd ssl_cert
[root@masternode ssl_cert]# pwd
/etc/nginx/ssl_cert
[root@masternode ssl_cert]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
..............+++
............................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@masternode ssl_cert]# ls -l
total 4
-rw-r--r-- 1 root root 1751 Sep 21 23:45 tmp.key

When generating the private key file you must enter a pass phrase. It is unrealistic to have to enter the pass phrase every time HTTPS is accessed from a browser, so you need to convert the private key and remove the password. Follow the steps below.

2.2 Convert to a passwordless private key


[root@masternode ssl_cert]# openssl rsa -in tmp.key -out moonxy.key
Enter pass phrase for tmp.key:
writing RSA key
[root@masternode ssl_cert]# ls -l
total 8
-rw-r--r-- 1 root root 1679 Sep 21 23:46 moonxy.key
-rw-r--r-- 1 root root 1751 Sep 21 23:45 tmp.key
[root@masternode ssl_cert]# rm -f tmp.key
[root@masternode ssl_cert]# ls -l
total 4
-rw-r--r-- 1 root root 1679 Sep 21 23:46 moonxy.key

Delete the password-protected tmp.key and keep only moonxy.key, the private key without a password.

2.3 Generate certificate request file


[root@masternode ssl_cert]# openssl req -new -key moonxy.key -out moonxy.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HongKong
Locality Name (eg, city) [Default City]:HongKong
Organization Name (eg, company) [Default Company Ltd]:moonxy
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server's hostname) []:masternode
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:20190922
An optional company name []:amxx
[root@masternode ssl_cert]# ls -l
total 8
-rw-r--r-- 1 root root 1119 Sep 22 15:55 moonxy.csr
-rw-r--r-- 1 root root 1679 Sep 21 23:46 moonxy.key

After generating the certificate request file moonxy.csr, use it together with the private key file moonxy.key to generate the final certificate file, which is the public key mentioned above.

2.4 Generate public key certificate file


[root@masternode ssl_cert]# openssl x509 -req -days 365 -in moonxy.csr -signkey moonxy.key -out moonxy.crt
Signature ok
subject=/C=CN/ST=HongKong/L=HongKong/O=moonxy/OU=Linux/CN=masternode/[email protected]
Getting Private key
[root@masternode ssl_cert]# ls -l
total 12
-rw-r--r-- 1 root root 1298 Sep 22 16:02 moonxy.crt
-rw-r--r-- 1 root root 1119 Sep 22 15:55 moonxy.csr
-rw-r--r-- 1 root root 1679 Sep 21 23:46 moonxy.key

In this way the CRT certificate file moonxy.crt is finally generated; this is the public key mentioned above.

III. Configure SSL in Nginx

Create a new configuration file ssl.conf in /etc/nginx/vhost (for a compiled install, usually /usr/local/nginx/conf/vhost) and add the following content:


[root@masternode vhost]# vim /etc/nginx/vhost/ssl.conf
server {
    listen       443;
    server_name      moonxy.com;
    index index.html index.php;
    root /data/www/nginx/moonxy;

    ssl on;
    ssl_certificate ssl_cert/moonxy.crt;
    ssl_certificate_key ssl_cert/moonxy.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

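As an added example (not from the original post), here is the same vhost in a hardened form together with the port 80 to 443 redirect that section 2.1 describes but the post never shows. It assumes the key and certificate from section II live in /etc/nginx/ssl_cert and that nginx is 1.15.0 or later, where the `ssl on;` directive is deprecated in favour of the `ssl` parameter of `listen`.

```nginx
# Added example, not the original post's ssl.conf.
# Assumes /etc/nginx/ssl_cert/moonxy.{crt,key} from section II and nginx >= 1.15.0.

# Plain HTTP listener: its only job is the 80 -> 443 redirect from section 2.1.
server {
    listen      80;
    server_name moonxy.com www.moonxy.com;
    return 301 https://$host$request_uri;
}

server {
    # 'ssl on;' is deprecated since nginx 1.15.0; enable TLS on the listen directive.
    listen      443 ssl;
    server_name moonxy.com www.moonxy.com;
    root        /data/www/nginx/moonxy;
    index       index.html index.php;

    # Absolute paths avoid surprises when the config prefix differs between
    # source and package installs (/usr/local/nginx/conf vs /etc/nginx).
    ssl_certificate     /etc/nginx/ssl_cert/moonxy.crt;
    ssl_certificate_key /etc/nginx/ssl_cert/moonxy.key;

    # Only TLS 1.2 and 1.3; TLSv1 and TLSv1.1 from the post's config are obsolete
    # and modern browsers refuse them.
    ssl_protocols TLSv1.2 TLSv1.3;
    # With only AEAD suites offered, let the client pick (better for mobile hardware).
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Session resumption via a shared cache; tickets off unless keys are rotated.
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_tickets off;

    # HSTS: only add this once HTTPS is confirmed working, since browsers will
    # refuse plain HTTP for this host for max-age seconds afterwards.
    add_header Strict-Transport-Security "max-age=63072000" always;
}
```

The directory listing in section 2.2 shows moonxy.key created with mode 644 (world-readable); restrict it with `chmod 600 /etc/nginx/ssl_cert/moonxy.key` so that only root can read the private key, then re-run `nginx -t` before reloading.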

Then check the configuration file syntax, create index.html and start the nginx service, as follows:


[root@masternode vhost]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@masternode vhost]# mkdir -p /data/www/nginx/moonxy
[root@masternode vhost]# vim /data/www/nginx/moonxy/index.html
This is SSL test for moonxy.com
[root@masternode vhost]# systemctl start nginx
[root@masternode vhost]# ps aux |grep nginx
root       8810  0.0  0.2 125008  2144 ?        Ss   16:31   0:00 nginx: master process /usr/sbin/nginx
nginx      8811  0.0  0.3 125404  3192 ?        S    16:31   0:00 nginx: worker process
root       8813  0.0  0.0 112708   976 pts/0    R+   16:31   0:00 grep --color=auto nginx

Then configure the domain name mapping in the local hosts file (on Windows it is in C:\Windows\System32\drivers\etc):

192.168.150.140    www.moonxy.com moonxy.com

Use the Chrome browser to visit https://moonxy.com.

IV. Apply for a certificate through Alibaba Cloud

You can apply for a free Symantec SSL certificate through Alibaba Cloud. Note that the purchase fee shown on the right is 0.00, as follows:



Origin blog.csdn.net/smilejiasmile/article/details/112530462