Table of contents:
1 Introduction
2. Generation of certificate and private key
3. Configuration file
4. Enable nginx's ssl module
5. Enable both HTTP and HTTPS
6. Description
Please refer to the previous article first: Nginx 1.12.x Installation and Configuration--Linux
https://my.oschina.net/u/3209432/blog/1581391
1 Introduction
- Introduction to https
HTTPS is actually composed of two parts, HTTP + SSL/TLS: a module that handles encryption is added on top of HTTP. The traffic between the server and the client is encrypted by TLS, so what travels over the wire is encrypted data.
- Principle of https protocol
First, the client establishes a connection with the server, and each side generates its own private key and public key (different on each side). The server returns its public key to the client; the client uses this public key to encrypt the request it wants to send (the ciphertext) and returns it to the server together with the client's own public key. The server decrypts the ciphertext with its own private key, then encrypts the response data with the client's public key and returns it to the client. The client decrypts the ciphertext with its own private key and displays the data.
2. Generation of certificate and private key
Note: In general, the generated files are best placed in the nginx/conf/ssl directory.
2.1 Enter the nginx installation directory
[root@localhost ~]# cd /usr/local/nginx/conf
[root@localhost conf]# mkdir ssl
[root@localhost conf]# cd ssl
2.2 Create the server certificate key file server.key and the certificate application file server.csr
[root@localhost ssl]# openssl req -newkey rsa:2048 -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
............................+++
..............................+++
writing new private key to 'server.key'
Enter PEM pass phrase:
Enter a password and confirm it. You choose it yourself, but remember it: it will be needed later.
After that, fill in the verification information for the request:
-----
Enter pass phrase for root.key: ← Enter the password created earlier
Country Name (2 letter code) [AU]:CN ← Country code, China enter CN
State or Province Name (full name) []:ZheJiang ← Full name of province, pinyin
Locality Name (eg, city) [Default City]:HangZhou← Full city name, pinyin
Organization Name (eg, company) [Default Company Ltd]:MyCompany Corp. ← Company English name
Organizational Unit Name (eg, section) []: ←
Common Name (eg, your name or your server's hostname) []:xxx.com ← domain name or IP of the server
Email Address []:[email protected] ← Email address; any address will do.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← can be omitted
An optional company name []: ← can be omitted
2.3 Back up the server key file
[root@localhost ssl]# cp server.key server.key.org
The following steps use the certificate on the server itself (self-signed). If you want to use a third-party certificate, skip the following two steps.
2.4 Remove the password from the key file
[root@localhost ssl]# openssl rsa -in server.key.org -out server.key
2.5 Generate the certificate file server.crt
[root@localhost ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
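The steps in 2.2 to 2.5 done non-interactively, as an added example that is not part of the original article. It runs the same openssl commands (key + CSR with a passphrase, backup, passphrase removal, self-signed certificate), but replaces the interactive prompts with -subj, and then adds the check a practitioner wants before pointing nginx at the files: that server.key and server.crt share the same RSA modulus (a mismatch is the usual cause of nginx refusing to start with a "key values mismatch" error). The directory, CN, validity and passphrase arguments, the example.test hostname and the function names are assumptions of this example; only openssl on PATH is required.

```shell
#!/bin/sh
# Added example (not from the original article): generate server.key / server.csr / server.crt
# with the same openssl steps as sections 2.2-2.5, then verify key and certificate match.
# Assumptions: openssl is on PATH; directory, CN, validity and passphrase are arguments.
set -eu

# gen_self_signed_cert DIR CN DAYS PASS
#   DIR  - directory that receives server.key, server.csr, server.crt (e.g. /usr/local/nginx/conf/ssl)
#   CN   - Common Name, the hostname clients will connect to
#   DAYS - validity of the self-signed certificate
#   PASS - temporary passphrase; it is stripped again (step 2.4) so nginx can start unattended
gen_self_signed_cert() {
    dir=$1; cn=$2; days=$3; pass=$4
    mkdir -p "$dir"
    # 2.2: encrypted key + CSR. -subj replaces the interactive prompts (constructed sample values).
    openssl req -newkey rsa:2048 -keyout "$dir/server.key" -out "$dir/server.csr" \
        -passout "pass:$pass" \
        -subj "/C=CN/ST=ZheJiang/L=HangZhou/O=MyCompany Corp./CN=$cn"
    # 2.3 + 2.4: keep the encrypted key as a backup, write an unencrypted copy over server.key
    cp "$dir/server.key" "$dir/server.key.org"
    openssl rsa -in "$dir/server.key.org" -passin "pass:$pass" -out "$dir/server.key"
    chmod 600 "$dir/server.key" "$dir/server.key.org"   # private keys must not be world-readable
    # 2.5: self-sign the request with the (now unencrypted) key
    openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt"
}

# key_matches_cert DIR -> exit 0 if server.key and server.crt carry the same RSA modulus,
# i.e. the certificate really was issued for this private key.
key_matches_cert() {
    dir=$1
    kmod=$(openssl rsa  -noout -modulus -in "$dir/server.key")
    cmod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# cert_subject_cn DIR -> prints the CN of server.crt, to confirm what was actually issued.
# Handles both subject formats: "CN = host" (OpenSSL 1.1/3) and "/CN=host" (OpenSSL 1.0).
cert_subject_cn() {
    openssl x509 -noout -subject -in "$1/server.crt" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Usage on the server (paths as in section 2):
#   gen_self_signed_cert /usr/local/nginx/conf/ssl www.example.test 365 'temporary-pass'
#   key_matches_cert /usr/local/nginx/conf/ssl && echo "key and certificate match"
```

The modulus comparison is worth keeping as a habit: when a third-party certificate is installed later (the case step 2.4 and 2.5 are skipped for), the same two commands tell you whether the CSR that was sent to the CA was really made from the key now on disk.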
3. Configuration file
[root@localhost ssl]# vim xxx.conf
server {
    listen 443 ssl;
    ssl_certificate /usr/local/nginx/conf/ssl/server.crt;      # certificate generated in step 2.5
    ssl_certificate_key /usr/local/nginx/conf/ssl/server.key;  # key with the password removed in step 2.4
    keepalive_timeout 70;
    server_name www.loubobooo.com;
    # Keep the server version out of the response header, so attackers cannot pick exploits for a known version
    server_tokens off;
    # If the whole site is HTTPS and HTTP is not needed, you can add HSTS to tell the browser
    # that this site is encrypted site-wide and force HTTPS access
    #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # …
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;
    autoindex on;
    access_log /usr/local/nginx/logs/access.log combined;
    error_log /usr/local/nginx/logs/error.log;
    index index.html index.htm index.jsp index.php;
    #error_page 404 /404.html;
    location / {
        proxy_pass http://127.0.0.1:8080/;
        add_header Access-Control-Allow-Origin '*';
    }
}
4. Enable nginx's ssl module
4.1 Error when restarting nginx
[root@localhost ssl]# service nginx restart
the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:37
This is because nginx was built without the http_ssl_module. When compiling and installing, pass the --with-http_ssl_module option to configure.
4.2 View the modules of the original nginx
[root@localhost ssl]# /usr/local/nginx/sbin/nginx -V
Only about two modules are listed; in short, http_ssl_module is not among them.
4.3 Switch to nginx source package
[root@localhost ssl]# cd /developer/nginx-1.10.2
4.4 Reconfiguration
[root@localhost nginx-1.10.2]# ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
4.5 Recompile; do not run make install, otherwise it will overwrite the existing installation
[root@localhost nginx-1.10.2]# make
4.6 Backup the original installed nginx
[root@localhost nginx-1.10.2]# cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
4.7 Overwrite the original nginx binary with the newly compiled one (nginx must be stopped)
[root@localhost nginx-1.10.2]# cp ./objs/nginx /usr/local/nginx/sbin/
You will be prompted whether to overwrite; enter yes. Pressing Enter alone defaults to not overwriting.
4.8 Start nginx, check the nginx modules, and see that the module has been added
[root@localhost nginx-1.10.2]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.10.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
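Steps 4.2 to 4.8 hinge on reading the "configure arguments:" line of nginx -V, first to see that http_ssl_module is missing and then, in step 4.4, to rerun ./configure. A point the article's configure line only implies is that the rebuild should keep every option the running binary was built with (here --prefix and --with-http_stub_status_module) and add only the ssl module; dropping an option would silently change paths or remove features. The shell functions below, an added example rather than code from the article, parse nginx -V output for a given module and build that argument list. The two SAMPLE_V_* strings are constructed from the outputs shown in 4.2 and 4.8, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): inspect `nginx -V` output to tell whether a
# module was compiled in, and build the ./configure argument list for a rebuild that keeps
# every existing option and adds --with-http_ssl_module.
# Assumption: the caller captures `nginx -V 2>&1` into a variable (nginx prints it on stderr).
set -eu

# nginx_configure_args VOUTPUT -> prints the value of the "configure arguments:" line
nginx_configure_args() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p'
}

# nginx_has_module VOUTPUT MODULE -> exit 0 if "--with-MODULE" is among the configure arguments
nginx_has_module() {
    args=$(nginx_configure_args "$1")
    case " $args " in
        *" --with-$2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# rebuild_configure_args VOUTPUT -> prints the argument list for step 4.4:
# the original arguments, plus --with-http_ssl_module when it is missing.
rebuild_configure_args() {
    args=$(nginx_configure_args "$1")
    if nginx_has_module "$1" http_ssl_module; then
        printf '%s\n' "$args"
    else
        printf '%s --with-http_ssl_module\n' "$args"
    fi
}

# Constructed sample: a binary built without the ssl module, as seen in step 4.2.
SAMPLE_V_BEFORE='nginx version: nginx/1.10.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module'

# Constructed sample: the same binary after the rebuild, as shown in step 4.8.
SAMPLE_V_AFTER='nginx version: nginx/1.10.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module'

# Usage on the server, in the nginx source directory of step 4.3:
#   V=$(/usr/local/nginx/sbin/nginx -V 2>&1)
#   nginx_has_module "$V" http_ssl_module || ./configure $(rebuild_configure_args "$V")
```

Running the check again after step 4.7, against the new binary, is the scripted form of step 4.8: nginx_has_module must now succeed before the service is started.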
5. Enable both HTTP and HTTPS
[root@localhost nginx-1.10.2]# cd /usr/local/nginx/conf
[root@localhost conf]# vim xxx.conf
Add the following server block below the HTTPS one, so that plain HTTP requests are redirected to HTTPS:
server {
listen 80;
server_name loubobooo.com;
rewrite ^ https://$http_host$request_uri? permanent;
}
6. Description
Environment used in this article:
Operating System: CentOS 6.8 64-bit
Nginx version: 1.12.2
Finally, on the choice between configuring HTTPS on Tomcat and configuring HTTPS on Nginx:
Just configure the certificate at the nginx layer. It is enough for the nginx layer to forward the request to the specified port. It is strongly not recommended to configure the certificate on Tomcat, which causes the certificate to spread around very insecurely. At the same time, if the certificate expires, a new certificate needs to be put in place everywhere, which is also a huge amount of work. Nowadays a big company has many projects, with even more Tomcat projects behind them, so you only need to configure the certificate at the nginx entrance, which is both safe and convenient. (Quoted from jimi)
Next: HTTPS Free Certificate StartSSL Application Detailed Explanation
https://my.oschina.net/u/3209432/blog/1595700