Foreword
This post explains how to use Nginx to deploy an SSL certificate for a back-end API so that the API can be accessed over HTTPS. The setup here binds the certificate to a public IP address; readers can substitute a domain name.
Apply for a certificate
Note
Apply for the SSL certificate through your cloud service platform. Certificates are generally valid for one year, and you must apply again when they expire.
I am using an Alibaba Cloud server. Alibaba Cloud offers 20 free DigiCert SSL certificates per year, but those DigiCert certificates cannot be bound to an IP address. If you enter an IP, the following error appears:
Globalsign, GeoTrust, vTrus and CFCA brand OV single-domain certificates support binding an IP address; we recommend purchasing a Globalsign brand certificate.
Here we cover applying for a certificate for a public IP address. SSL certificates are normally issued for domain names; only some DV and OV certificates can be issued for an IP address. The steps below describe a free certificate that can be deployed on an IP.
If you want to deploy on a domain name instead, apply for and deploy the certificate through your own cloud provider. They generally offer a free quota, which is enough for individuals and is more convenient.
Application steps
Visit: Free SSL Certificates and SSL Tools - ZeroSSL
Select a 90-day certificate and confirm through the prompts. You then have to prove control of the address, either with a DNS record (only possible for a domain name) or by HTTP file validation. For an IP address the HTTP file method is used, and that is the method shown below.
Select Download Auth File and store the Auth File in the /usr/share/nginx/html/.well-known/pki-validation folder on the server, so that nginx on the server answers ZeroSSL's HTTP request for the Auth File:
location /.well-known/pki-validation/ {
    root /usr/share/nginx/html;
}
The directory does not have to be this one; just make sure nginx has read permission on it, otherwise ZeroSSL receives a 403 error. The validation request arrives over plain HTTP on port 80, so this location must live in a server block that listens on port 80 (HTTPS is not available yet at this point).
Then deploy the certificate following ZeroSSL's official Nginx guide: Installing SSL Certificate on NGINX – ZeroSSL
After uploading the SSL certificate files, merge certificate.crt and ca_bundle.crt so that nginx serves the full chain. The leaf certificate must come first, then the intermediates, and use > rather than >> so that re-running the command does not append a second copy of the chain:
cat certificate.crt ca_bundle.crt > certificate_merge.crt
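Merging is the step that most often goes wrong silently: a bundle pasted in the wrong order, or a private key that does not belong to the certificate, only shows up when nginx refuses to start. The script below is an added example, not from the original post or from ZeroSSL; it assumes the three ZeroSSL files (certificate.crt, ca_bundle.crt, private.key) sit in one directory such as /home/dev/certs, builds certificate_merge.crt, and checks the chain order, the key/certificate match and the trust chain before reloading nginx.

```shell
#!/bin/sh
# Added example (not from the original post): assemble the chain file nginx
# expects and check it before reloading. Assumes ZeroSSL's three files,
# certificate.crt, ca_bundle.crt and private.key, in one directory, as above.

# nginx wants the leaf certificate first, followed by the intermediates.
# '>' rather than '>>': re-running must not append a second copy of the chain.
build_chain() {
    leaf=$1; bundle=$2; out=$3
    cat "$leaf" "$bundle" > "$out"
}

# Number of PEM certificates in a file (leaf + intermediates after merging).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# SHA-256 fingerprint of the first certificate in a file; used to confirm
# that the merged file really starts with the leaf and not with the bundle.
first_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# The public key inside the (first) certificate must equal the public key
# derived from private.key, otherwise nginx fails with
# "X509_check_private_key:key values mismatch". Compares the two SPKI PEM blocks.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Verify that the leaf chains to a trusted root through the intermediates in
# the bundle. $3 (optional) adds a trust anchor, e.g. for a private CA; for a
# public CA such as ZeroSSL the system trust store is enough.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# End-to-end: merge, check, lock down the key, test the config, reload.
deploy_chain() {
    dir=$1
    build_chain "$dir/certificate.crt" "$dir/ca_bundle.crt" "$dir/certificate_merge.crt"
    [ "$(first_cert_fingerprint "$dir/certificate_merge.crt")" = \
      "$(first_cert_fingerprint "$dir/certificate.crt")" ] \
        || { echo "merged file does not start with the leaf" >&2; return 1; }
    cert_key_match "$dir/certificate_merge.crt" "$dir/private.key" \
        || { echo "private.key does not match certificate.crt" >&2; return 1; }
    chain_verifies "$dir/certificate.crt" "$dir/ca_bundle.crt" \
        || { echo "chain does not verify against the system trust store" >&2; return 1; }
    chmod 600 "$dir/private.key"   # the key must not be world-readable
    nginx -t && systemctl reload nginx.service
}

# Usage: sh deploy_chain.sh /home/dev/certs
if [ "$#" -eq 1 ]; then
    deploy_chain "$1"
fi
```

Run it as root after each ZeroSSL renewal; because the script refuses to reload nginx when any check fails, a bad upload cannot take the API offline.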
Certificate configuration
The back-end API is already running on port 8080 of the server. Next I bind the SSL certificate to the public IP and let nginx terminate TLS in front of the API.
Configure nginx.conf
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    # The certificate is bound to the public IP, so no domain name is matched here.
    server_name _;

    # Full chain (certificate.crt + ca_bundle.crt merged above) and the ZeroSSL private key.
    ssl_certificate     "/home/dev/certs/certificate_merge.crt";
    ssl_certificate_key "/home/dev/certs/private.key";
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 10m;
    # Offer only TLS 1.2 and 1.3. PROFILE=SYSTEM takes the cipher list from the
    # RHEL/CentOS system crypto policy; on other distributions give an explicit list.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    # Reverse proxy to the back-end API on port 8080 (plain HTTP, loopback only).
    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the back end the original request was HTTPS (for redirects and Secure cookies).
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 100m;
    }
}
# Check the configuration, then restart Nginx
nginx -t && systemctl restart nginx.service
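The configuration above only covers port 443. Two things still need the plain-HTTP side: the ZeroSSL Auth File is fetched over port 80, and a 90-day certificate has to be revalidated at every renewal, so that path should stay reachable while everything else is redirected to HTTPS. The server block below is an added example, not from the original post; it reuses the /usr/share/nginx/html directory chosen above and is meant to sit next to the 443 block in nginx.conf.

```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # Keep answering ZeroSSL's HTTP file validation over plain HTTP so the
    # 90-day certificate can be renewed without editing the configuration.
    location /.well-known/pki-validation/ {
        root /usr/share/nginx/html;
    }

    # Everything else goes to the HTTPS listener; $host is the public IP here.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After adding it, run nginx -t and reload; a request to http://<public IP>/ should answer 301 and a request to the pki-validation path should return the Auth File with 200.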
Certificate classification
Domain name certificate (DV)
A DV certificate is a basic (Class 1) SSL certificate that only verifies control of the domain name (or, as above, the IP address). It can be issued within about 10 minutes and provides encrypted transport, but it does not prove the real-world identity of the site operator to the user.
All free certificates currently on the market, including the ZeroSSL certificate used above, are of this type: they provide encryption only and do not verify the identity of the individual or organization behind the certificate.
Organization/Enterprise Certificate (OV)
An OV certificate verifies that the domain name is owned by a specific company, organization or institution, and that the applicant is a legally registered entity or one recognized by an authority.
Besides encryption, the CA carries out a strict identity check of the applicant and records a verified identity in the certificate. The difference from DV is that OV includes an audit of the individual or organization, so the other party's identity can be confirmed, which makes it more trustworthy. OV certificates are usually paid.
Extended Validation Certificate (EV)
Extended Validation (EV) certificates are the most trusted SSL certificates available; the certificate authority's vetting is extremely strict. Historically the green address bar showing the company name was their distinguishing feature, meant to assure visitors that the site they were transacting with was genuine and legitimate. Note that current browsers no longer display that indicator (Chrome and Firefox removed it in 2019); the verified organization details are still visible in the certificate viewer.
EV certificates are used by financial and securities firms, banks, third-party payment providers, online shopping malls and other sites that emphasize security and corporate credibility, handle payments, or transmit customer personal data and account credentials. The verification requirements are the highest of the three, and the application fee is also the most expensive.
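The three levels are not just a pricing tier: public CAs encode the validation level in the certificate itself through CA/Browser Forum policy OIDs, so you can check what a certificate actually is rather than trusting what the vendor page says. The function below is an added example, not from the original post; it uses only openssl and classifies a PEM certificate, such as the certificate.crt downloaded above, as DV, OV or EV. The fallback to the Subject O= field is an assumption that holds for publicly trusted certificates, where only OV and EV name an organization.

```shell
#!/bin/sh
# Added example (not from the original post): tell DV, OV and EV apart from
# the certificate itself. Public CAs mark the validation level with a
# CA/Browser Forum policy OID in the certificatePolicies extension:
#   2.23.140.1.1    EV (EV Guidelines)
#   2.23.140.1.2.2  OV (Baseline Requirements, organization-validated)
#   2.23.140.1.2.1  DV (Baseline Requirements, domain-validated)
# If a certificate carries none of them, fall back to the Subject: only
# OV/EV certificates name an Organization (O=); DV has just the CN/SANs.
cert_validation_level() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    case "$text" in
        *2.23.140.1.1*)   echo EV ;;
        *2.23.140.1.2.2*) echo OV ;;
        *2.23.140.1.2.1*) echo DV ;;
        *)
            # RFC 2253 form gives "subject=O=...,CN=..." so O= is easy to spot.
            if openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
                | grep -Eq '(^subject=|,)O='; then
                echo OV
            else
                echo DV
            fi
            ;;
    esac
}

# Usage: sh cert_level.sh /home/dev/certs/certificate.crt
if [ "$#" -eq 1 ]; then
    cert_validation_level "$1"
fi
```

Run against the ZeroSSL certificate deployed above it prints DV, matching the statement that free certificates only prove control of the address.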