Nginx HTTPS configuration -- Linux articles

Table of contents:

1. Introduction

2. Generation of certificate and private key

3. Configuration file

4. Enable nginx's ssl module

5. Enable both HTTP and HTTPS

6. Description

Please refer to the previous article first: Nginx 1.12.x Installation and Configuration--Linux

    https://my.oschina.net/u/3209432/blog/1581391

1. Introduction

  • Introduction to HTTPS

      HTTPS is HTTP carried over a TLS connection (TLS is the successor of SSL; the two names are often used interchangeably). Nothing changes in HTTP itself: the TLS layer underneath authenticates the server and encrypts everything exchanged between client and server, so what travels over the network is ciphertext, including URLs, headers and cookies.

  • How the HTTPS protocol works

      The server holds a certificate (its public key and identity, signed by a certificate authority) and the matching private key; the private key never leaves the server. When the client connects, the server presents its certificate. The client checks the CA signature and that the certificate's name matches the host it asked for, then both sides run a key exchange (RSA key transport in older cipher suites, ephemeral Diffie-Hellman in modern ones) to derive a fresh symmetric session key. From then on requests and responses are encrypted with that symmetric key; the public-key operations are used only to authenticate the server and agree on the key, not to encrypt the data itself. The client normally has no key pair of its own (client certificates are an optional extension), which is why only the server needs the certificate and private key generated in the next section.

2. Generation of certificate and private key

Note: keep the generated files under the nginx/conf/ssl directory. The private key must stay readable by root only (chmod 600); anyone who can read it can impersonate the site.

    2.1 Enter the nginx installation directory

    [root@localhost ~]# cd /usr/local/nginx/conf
    [root@localhost conf]# mkdir ssl
    [root@localhost conf]# cd ssl

    2.2 Create the server private key server.key and the certificate signing request server.csr

    [root@localhost ssl]# openssl req -newkey rsa:2048 -keyout server.key -out server.csr
    Generating a 2048 bit RSA private key
    ............................+++
    ..............................+++
    writing new private key to 'server.key'
    Enter PEM pass phrase:

    Enter a passphrase and confirm it. Choose it yourself, but remember it: it is needed again below.

After that, openssl asks for the information that goes into the request:

        Verifying - Enter PEM pass phrase: ← repeat the passphrase created above
-----
        Country Name (2 letter code) [AU]:CN ← two-letter country code, CN for China
        State or Province Name (full name) []:ZheJiang ← full province name, in pinyin
        Locality Name (eg, city) [Default City]:HangZhou ← full city name, in pinyin
        Organization Name (eg, company) [Default Company Ltd]:MyCompany Corp. ← company name in English
        Organizational Unit Name (eg, section) []: ← can be left empty
        Common Name (eg, your name or your server's hostname) []:xxx.com ← the hostname clients will use (not an IP address); it must match server_name in nginx. Current browsers match the host against the subjectAltName extension rather than CN, and this interactive request does not add one.
        Email Address []:[email protected] ← contact address; any value is accepted
        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []: ← can be left empty
        An optional company name []: ← can be left empty

    2.3 Backup a server key file

    [root@localhost ssl]# cp server.key server.key.org

The following steps produce a self-signed certificate for use on this server. If you want a certificate from a third-party CA, send server.csr to the CA and skip step 2.5; the CA returns the certificate file. Step 2.4 still matters in either case: nginx cannot open an encrypted key at startup without the passphrase, so either strip it as shown (and keep the file root-only, chmod 600) or keep the passphrase and point nginx at a file containing it with the ssl_password_file directive (nginx 1.7.3+).

    2.4 Remove file password

    [root@localhost ssl]# openssl rsa -in server.key.org -out server.key

    2.5 Generate the self-signed certificate file server.crt

    [root@localhost ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

    Browsers warn on a self-signed certificate, since no trusted CA vouches for it; it is fine for testing or internal use. Note also that this command copies only the subject from the CSR and adds no subjectAltName extension, which current browsers require for hostname matching.
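The whole of section 2 done non-interactively, as an added example that is not part of the original article: it generates the key without a passphrase (the article's step 2.4 folded in), adds the subjectAltName extension the interactive request lacks, sets the file modes, and then checks that the key has no passphrase left, that key and certificate belong together, and that the SAN is present. It assumes OpenSSL is on PATH; the hostname and directory are illustration values.

```shell
#!/bin/sh
# Added example (not from the original article): the certificate steps of
# section 2 done non-interactively, with a SAN extension and checks afterwards.
# Assumptions: OpenSSL is on PATH; names and paths are for illustration only.
set -eu

# Generate an unencrypted RSA key and a self-signed certificate in DIR for HOST.
# -nodes leaves the key without a passphrase (the article's step 2.4 in one go),
# so the file mode has to protect it instead.
gen_selfsigned_cert() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir"
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[dn]
C  = CN
ST = ZheJiang
L  = HangZhou
O  = MyCompany Corp.
CN = $host
[v3_server]
# browsers match the host against subjectAltName, not CN
subjectAltName   = DNS:$host
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -config "$dir/openssl.cnf" \
          -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
    chmod 600 "$dir/server.key"
    chmod 644 "$dir/server.crt"
}

# 0 if the private key still carries a passphrase (nginx would block at startup)
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# 0 if the key and the certificate carry the same public key
key_matches_cert() {
    key_pub=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# 0 if the certificate lists HOST as a DNS subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Permission string of a file, e.g. -rw-------
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage: sh gen-cert.sh /usr/local/nginx/conf/ssl www.example.test [days]
if [ "$#" -ge 2 ]; then
    gen_selfsigned_cert "$1" "$2" "${3:-365}"
    key_matches_cert "$1/server.key" "$1/server.crt" && echo "key and cert match"
    cert_has_san "$1/server.crt" "$2" && echo "SAN present for $2"
    ! key_is_encrypted "$1/server.key" && echo "key has no passphrase; mode $(file_mode "$1/server.key")"
fi
```

The checks are the ones worth running before pointing nginx at the files: a leftover passphrase makes nginx hang or fail at start, a key that does not match the certificate fails the handshake, and a missing SAN is rejected by current browsers even when CN is right.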

3. Configuration file 

    [root@localhost ssl]# vim xxx.conf

server {
        listen 443 ssl;

        # the certificate (server.crt) is required as well as the key; without it nginx refuses to start
        ssl_certificate     /usr/local/nginx/conf/ssl/server.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/server.key;
        keepalive_timeout 70;
        server_name www.loubobooo.com;
        # hide the nginx version in the Server header and error pages, so that
        # attackers cannot pick exploits for a known version as easily
        server_tokens off;
        # if the whole site is HTTPS and HTTP is not needed, HSTS tells the browser
        # to use HTTPS for this site (and subdomains) from now on; browsers cache
        # the policy, so only enable it once every subdomain really serves HTTPS
        #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        #  …
        # these two only reach backends behind fastcgi_pass (PHP-FPM); a proxy_pass
        # backend learns the scheme from the X-Forwarded-Proto header set below
        fastcgi_param HTTPS on;
        fastcgi_param HTTP_SCHEME https;

        # directory listings reveal file names; leave this off unless you need it
        autoindex off;
        access_log  /usr/local/nginx/logs/access.log combined;
        error_log  /usr/local/nginx/logs/error.log;
        index index.html index.htm index.jsp index.php;
        #error_page 404 /404.html;

        location / {
            proxy_pass http://127.0.0.1:8080/;
            # pass the original host and scheme to the backend (Tomcat needs them
            # for correct redirects and secure cookies once told to read them)
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
            # '*' lets any website read this origin's responses; restrict it to
            # the origins that actually need cross-origin access
            add_header Access-Control-Allow-Origin '*';
        }

    }
 

4. Enable nginx's ssl module

    4.1 Error when restarting nginx

    [root@localhost ssl]# service nginx restart
    the "ssl" parameter requires ngx_http_ssl_module  in /usr/local/nginx/conf/nginx.conf:37

    This means the nginx binary was built without http_ssl_module. Pass --with-http_ssl_module to ./configure when compiling; the steps below rebuild an existing installation.

    4.2 View the modules the current nginx was built with

    [root@localhost ssl]# /usr/local/nginx/sbin/nginx -V

    The configure arguments line lists only a couple of modules, and http_ssl_module is not among them. Keep a copy of this line: every flag in it has to be repeated at the reconfigure step, otherwise that feature silently disappears from the new binary.

    4.3 Switch to the nginx source directory

    [root@localhost ssl]# cd /developer/nginx-1.10.2

    4.4 Reconfiguration

    [root@localhost nginx-1.10.2]# ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

    4.5 Recompile. Do not run make install: it would overwrite the existing installation.

    [root@localhost nginx-1.10.2]# make

    4.6 Backup the original installed nginx

    [root@localhost nginx-1.10.2]# cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak

    4.7 Copy the newly compiled binary over the original (nginx must be stopped first: Linux refuses to overwrite a running executable)

    [root@localhost nginx-1.10.2]# cp ./objs/nginx /usr/local/nginx/sbin/ 

    cp asks whether to overwrite (root's cp is aliased to cp -i); enter y. Pressing Enter alone does not overwrite.

    4.8 Start nginx and check the modules again; the ssl module is now listed

    [root@localhost nginx-1.10.2]# /usr/local/nginx/sbin/nginx -V  
    nginx version: nginx/1.10.2
    built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC) 
    built with OpenSSL 1.0.1e-fips 11 Feb 2013
    TLS SNI support enabled
    configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
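The rebuild in section 4 as a script, added here as an example that is not part of the original article. It goes a little beyond the article's steps: it reads the flags of the running binary from nginx -V so that none of them get dropped at reconfigure time, checks the new binary against the live configuration before touching anything, and replaces the binary with nginx's documented on-the-fly upgrade (USR2 then QUIT) instead of a stop/copy/start window. The sample -V outputs are constructed from the article's listing for the offline checks; the source, prefix and pid-file paths are the article's and are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): rebuild nginx with the SSL
# module while keeping every flag the current binary was built with, then swap
# the binary in with nginx's on-the-fly upgrade instead of stop/cp/start.
# Assumptions: the article's source, prefix and pid-file paths; the sample
# `nginx -V` outputs below are constructed from the article's listing.
set -eu

SAMPLE_V_WITHOUT='nginx version: nginx/1.10.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module'

SAMPLE_V_WITH='nginx version: nginx/1.10.2
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module'

# Extract the flag list from `nginx -V` output passed as one string
configure_args_from_v() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p'
}

# Print each wanted flag that the current build lacks, one per line
missing_build_flags() {
    current=$(configure_args_from_v "$1"); shift
    for flag in "$@"; do
        case " $current " in
            *" $flag "*) ;;
            *) echo "$flag" ;;
        esac
    done
}

# Reconfigure and build in SRC with the old flags plus the missing ones.
# Nothing is installed; the new binary is only test-run against the live config.
rebuild_nginx() {
    src=$1; bin=$2; shift 2
    v=$("$bin" -V 2>&1)
    extra=$(missing_build_flags "$v" "$@")
    [ -n "$extra" ] || { echo "nothing to add"; return 0; }
    cd "$src"
    # word splitting of the flag lists is intended here
    ./configure $(configure_args_from_v "$v") $extra
    make
    ./objs/nginx -t -p "$(dirname "$(dirname "$bin")")"
}

# Replace the running binary with nginx's documented upgrade procedure:
# mv, not cp (a running executable cannot be overwritten in place); USR2 makes
# the old master start a new master from the new binary; once the new one is
# serving, QUIT retires the old master, whose pid was moved to nginx.pid.oldbin.
swap_binary() {
    new=$1; bin=$2; pidfile=$3
    cp "$bin" "$bin.bak"
    mv "$new" "$bin"
    kill -USR2 "$(cat "$pidfile")"
    sleep 2
    kill -QUIT "$(cat "$pidfile.oldbin")"
}

# Usage: sh rebuild-nginx.sh /developer/nginx-1.10.2 /usr/local/nginx/sbin/nginx --with-http_ssl_module
# then:  swap_binary /developer/nginx-1.10.2/objs/nginx /usr/local/nginx/sbin/nginx /usr/local/nginx/logs/nginx.pid
if [ "$#" -ge 3 ]; then
    rebuild_nginx "$@"
else
    echo "flags missing from the sample build:"
    missing_build_flags "$SAMPLE_V_WITHOUT" --with-http_ssl_module --with-http_stub_status_module
fi
```

If the old master has to be brought back (the new binary misbehaves), send it WINCH to stop the new workers and then QUIT to the new master; the backup copy made before the mv is what a plain restart would otherwise need.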

5. Enable both HTTP and HTTPS

    [root@localhost nginx-1.10.2]# cd /usr/local/nginx/conf
    [root@localhost conf]# vim xxx.conf

    Add the following server block after it, so that every plain-HTTP request on port 80 is redirected to the HTTPS site. The article's original line was rewrite ^ https://$http_host$request_uri? permanent; which works, but return is the form nginx recommends for a whole-site redirect, and $host is preferable to $http_host: $host is the normalised hostname (lowercased, without a port) while $http_host is the raw Host header exactly as the client sent it.

server {
       listen       80;
       server_name  loubobooo.com;
       # permanent redirect to the same path and query string on HTTPS
       return 301 https://$host$request_uri;
   }
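A quick pre-deployment audit for the server blocks of sections 3 and 5, added here as an example that is not part of the original article. It runs a set of grep rules over a config file and reports the weak settings discussed above (missing ssl_certificate, no ssl_protocols, version disclosure, HSTS absent, directory listing, wildcard CORS, a redirect built from the raw Host header). Two configs are embedded as constructed input: the article's own block, with its comments tidied, and a hardened rewrite of it. The rules are plain pattern matches, not an nginx parser, and the cipher list and TLS 1.3 line in the hardened block are assumptions about the build (TLS 1.3 needs nginx 1.13+ on OpenSSL 1.1.1+).

```shell
#!/bin/sh
# Added example (not from the original article): audit an nginx TLS server
# block for the weak settings discussed in sections 3 and 5. The two embedded
# configs are constructed input; the checks are grep rules, not a full parser.
set -eu

CONF=''
conf_has() { printf '%s\n' "$CONF" | grep -Eq "$1"; }

# Print one finding per line for the nginx config in FILE. Comments are
# stripped first, so a commented-out directive (the article's HSTS line) counts as absent.
audit_tls_conf() {
    CONF=$(sed 's/#.*//' "$1")
    conf_has '^[[:space:]]*ssl_certificate[[:space:]]' \
        || echo "no ssl_certificate directive (nginx will not start)"
    conf_has '^[[:space:]]*ssl_certificate_key[[:space:]]' \
        || echo "no ssl_certificate_key directive"
    if conf_has '^[[:space:]]*ssl_protocols[[:space:]]'; then
        conf_has '^[[:space:]]*ssl_protocols[^;]*(SSLv3|TLSv1\.1|TLSv1)([[:space:]]|;)' \
            && echo "ssl_protocols still allows SSLv3/TLS 1.0/TLS 1.1"
    else
        echo "no ssl_protocols directive (build default may allow TLS 1.0/1.1)"
    fi
    conf_has '^[[:space:]]*server_tokens[[:space:]]+off' \
        || echo "server_tokens not off (nginx version disclosed)"
    conf_has 'Strict-Transport-Security' \
        || echo "no HSTS header"
    conf_has '^[[:space:]]*autoindex[[:space:]]+on' \
        && echo "autoindex on (directory listing enabled)"
    conf_has "Access-Control-Allow-Origin[[:space:]]+['\"]?\*" \
        && echo "CORS allows any origin"
    conf_has '(rewrite|return)[^;]*https://\$http_host' \
        && echo "redirect built from the raw Host header (\$http_host)"
    return 0
}

# Number of findings for FILE
count_findings() { audit_tls_conf "$1" | grep -c . || true; }

# The article's block (comments tidied), as constructed sample input
write_weak_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate_key /usr/local/nginx/conf/ssl/server.key;
    server_name www.loubobooo.com;
    server_tokens off;
    #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    autoindex on;
    location / {
        proxy_pass http://127.0.0.1:8080/;
        add_header Access-Control-Allow-Origin '*';
    }
}
server {
    listen 80;
    server_name loubobooo.com;
    rewrite ^ https://$http_host$request_uri? permanent;
}
EOF
}

# A hardened rewrite of the same block (cipher list and TLS 1.3 are assumptions)
write_hardened_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name www.loubobooo.com;
    ssl_certificate     /usr/local/nginx/conf/ssl/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    server_tokens off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    autoindex off;
    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        add_header Access-Control-Allow-Origin https://www.loubobooo.com;
    }
}
server {
    listen 80;
    server_name loubobooo.com www.loubobooo.com;
    return 301 https://$host$request_uri;
}
EOF
}

# Usage: sh audit.sh /usr/local/nginx/conf/xxx.conf ; no argument audits the samples
if [ "$#" -ge 1 ]; then
    audit_tls_conf "$1"
else
    d=$(mktemp -d)
    write_weak_conf "$d/weak.conf"; write_hardened_conf "$d/hardened.conf"
    echo "article block: $(count_findings "$d/weak.conf") findings"; audit_tls_conf "$d/weak.conf"
    echo "hardened block: $(count_findings "$d/hardened.conf") findings"
fi
```

Run it against the real file before nginx -t: the first finding on the article's block is the one that stops nginx from starting at all, the rest are the settings an external scanner would flag afterwards.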

6. Description

    Environment used in this article:

       Operating system: CentOS 6.8 64-bit

       Nginx version: 1.12.2

Finally, on the choice between configuring HTTPS on Tomcat or on Nginx:

    Configure the certificate at the nginx layer only; it is enough for nginx to forward the requests to the specified port. Configuring the certificate on Tomcat is strongly discouraged, because it causes the certificate to be spread around very insecurely, and when the certificate expires it has to be replaced on every instance, which is also a huge amount of work. A large company today has many projects, with many Tomcat applications behind them, so you only need to configure the certificate at the nginx entry point, which is both safe and convenient. (Quoted from jimi)

Next: HTTPS Free Certificate StartSSL Application Detailed Explanation

    https://my.oschina.net/u/3209432/blog/1595700
