Distributed servers, Nginx in one hour: HTTPS protocol configuration

1. HTTPS protocol

HTTPS is a protocol for secure communication over computer networks. It is a secure version of HTTP that encrypts and protects data transmission by using SSL or TLS protocols. The main purpose of HTTPS is to ensure that data transmitted between the client and server is encrypted to prevent third parties from eavesdropping, tampering, or masquerading. It implements the data encryption and decryption process by using public key encryption and private key decryption.

2. Generate certificate

① This command generates a 2048-bit RSA key pair and saves the private key to a file named server.key. Because of -des3 the key file is encrypted with a pass phrase, which is prompted for twice.

[root@nginx-dev home]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.........................+++
..............................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

② Use OpenSSL to generate a certificate signing request (CSR). Before running this command, make sure the private key file server.key has already been generated.

[root@nginx-dev home]#  openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:anhui
Locality Name (eg, city) [Default City]:huaibei
Organization Name (eg, company) [Default Company Ltd]:baishan
Organizational Unit Name (eg, section) []:liuzi
Common Name (eg, your name or your server's hostname) []:guozhuang
Email Address []:daokou

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:zhangsan
An optional company name []:shenxinfu

③ Use OpenSSL to sign the CSR with the same private key (-signkey), producing a self-signed SSL/TLS certificate valid for 365 days.

[root@nginx-dev home]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=anhui/L=huaibei/O=baishan/OU=liuzi/CN=guozhuang/emailAddress=daokou
Getting Private key
Enter pass phrase for server.key:

④ View the generated certificate and certificate key:

[root@nginx-dev home]# ls
server.crt  server.csr  server.key
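The three steps above, run non-interactively and followed by the checks worth making before nginx is pointed at the files. This is an added example, not code from the original post: the working directory, the pass-phrase value and the host name ruoyi.https are assumptions; the remaining DN fields copy the transcript. AES-256 is used in place of the post's -des3.

```shell
#!/bin/sh
# Added example, not part of the original post: the three openssl steps
# run non-interactively, followed by the checks worth making before nginx
# is pointed at the files. $WORK, the pass-phrase value and the host name
# ruoyi.https are assumptions; the other DN fields copy the transcript.
set -u

WORK="${WORK:-$(mktemp -d)}"
PASS_FILE="$WORK/cert.pass"   # same role as /home/cert.pass in section 3
KEY="$WORK/server.key"
CSR="$WORK/server.csr"
CRT="$WORK/server.crt"

# The pass phrase lives in a root-only file: nginx reads it through
# ssl_password_file, so nobody else on the box should be able to read it.
make_pass_file() {
    (umask 077 && printf '%s\n' "${KEY_PASS:-constructed-pass-phrase}" > "$PASS_FILE")
}

# Step 1: 2048-bit RSA key, encrypted with AES-256 rather than the post's
# -des3 (3DES is legacy). -passout replaces the interactive prompts.
gen_key() {
    openssl genrsa -aes256 -passout "file:$PASS_FILE" -out "$KEY" 2048 2>/dev/null
}

# Step 2: CSR with the Distinguished Name passed via -subj instead of typed in.
gen_csr() {
    openssl req -new -key "$KEY" -passin "file:$PASS_FILE" -out "$CSR" \
        -subj "/C=CN/ST=anhui/L=huaibei/O=baishan/OU=liuzi/CN=ruoyi.https"
}

# Step 3: self-sign the CSR with the same key for 365 days.
gen_cert() {
    openssl x509 -req -days 365 -in "$CSR" -signkey "$KEY" \
        -passin "file:$PASS_FILE" -out "$CRT" 2>/dev/null
}

build_all() {
    make_pass_file && gen_key && gen_csr && gen_cert
}

# Check 1: an encrypted key is exactly what makes "nginx -s reload" prompt
# for a PEM pass phrase and fail with PEM_read_bio_PrivateKey() unless
# ssl_password_file is configured.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$KEY"
}

# Check 2: the certificate must carry the public half of this key, or nginx
# rejects the pair at startup. Compare SHA-256 digests of both public keys.
key_matches_cert() {
    k=$(openssl pkey -in "$KEY" -passin "file:$PASS_FILE" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$CRT" -noout -pubkey | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 3: subject and expiry, to confirm what was entered for the DN.
cert_subject()   { openssl x509 -in "$CRT" -noout -subject; }
cert_not_after() { openssl x509 -in "$CRT" -noout -enddate; }

# Usage: build_all && key_is_encrypted && key_matches_cert && cert_subject
```

Running `build_all` leaves server.key, server.csr and server.crt in `$WORK`; `key_matches_cert` is the check that catches the common mistake of pairing a regenerated key with an old certificate.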

3. Configure SSL

① Nginx configuration file: create 8004.conf under the /etc/nginx/conf.d folder. The transcript below first starts the backend services that nginx will proxy to:

# Start the ruoyi-admin service on port 8088
[root@nginx-dev conf.d]# cd /home/apps
[root@nginx-dev apps]# java -jar ruoyi-admin.jar

# Start the Tomcat service on port 8080
[root@nginx-dev ~]# /home/apache-tomcat-8.5.81/bin/startup.sh
[root@nginx-dev ~]# cd /etc/nginx/conf.d
[root@nginx-dev conf.d]# vi 8004.conf

8004.conf configuration file content:

server {
    listen 8004 ssl;
    server_name ruoyi.https;

    ssl_certificate     /home/server.crt;
    ssl_certificate_key /home/server.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    
    location / {
        proxy_pass http://localhost:8088;
    }
}

This server block configures an HTTPS server listening on port 8004:

  • listen 8004 ssl; Listen on port 8004 and enable SSL/TLS.
  • ssl_certificate /home/server.crt; Path to the SSL certificate file.
  • ssl_certificate_key /home/server.key; Path to the certificate's private key file.
  • ssl_protocols TLSv1 TLSv1.1 TLSv1.2; The SSL/TLS protocol versions to accept. TLSv1, TLSv1.1 and TLSv1.2 are configured here.
  • ssl_ciphers HIGH:!aNULL:!MD5; The cipher suites to offer and their priority. High-strength suites are allowed here, and unsafe ones such as NULL-authentication and MD5-based suites are excluded.

This configuration forwards HTTPS requests for the host name "ruoyi.https" to local port 8088, with TLS protecting the client connection.

② Reload the Nginx service. You will be prompted for the pass phrase (zhangsan) that was set on the key when generating the certificate:

[root@nginx-dev conf.d]# nginx -s reload
Enter PEM pass phrase:

③ Accessing https://192.168.1.9:8004 fails. Check the nginx error output:

[root@nginx-dev home]# nginx -s reload
Enter PEM pass phrase:
nginx: [emerg] cannot load certificate key "/home/server.key": PEM_read_bio_PrivateKey() failed (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:0906A065:PEM routines:PEM_do_header:bad decrypt)

④ This happens because the certificate's private key is pass-phrase protected, so we create a password file cert.pass containing the pass phrase:

[root@nginx-dev home]# vi /home/cert.pass
[root@nginx-dev home]# cat cert.pass
zhangsan
[root@nginx-dev home]#

⑤ In the nginx configuration file, point the ssl_password_file directive at /home/cert.pass so that nginx can use the pass phrase to decrypt the certificate's private key:

server {
    listen 8004 ssl;
    server_name ruoyi.https;

    ssl_certificate     /home/server.crt;
    ssl_certificate_key /home/server.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_password_file   /home/cert.pass;
    
    location / {
        proxy_pass http://localhost:8088;
    }
}

⑥ Visit https://192.168.1.9:8004


4. HTTPS protocol optimization

SSL operations consume additional CPU resources. The most CPU intensive operation is the SSL handshake. There are two ways to minimize the number of these operations per client:

  • Enable keep-alive connections to send multiple requests over a single connection
  • Reuse SSL session parameters to avoid SSL handshakes for parallel connections and subsequent connections

Sessions are stored in the SSL session cache shared between worker processes and configured by the ssl_session_cache directive. A one-megabyte cache contains approximately 4000 sessions. The default cache timeout is 5 minutes. This timeout can be increased using the ssl_session_timeout directive. The following is an example configuration optimized for a multi-core system with a 10 MB shared session cache:

server {
    listen 8004 ssl;
    server_name ruoyi.https;

    ssl_certificate     /home/server.crt;
    ssl_certificate_key /home/server.key;
    ssl_password_file   /home/cert.pass;   # server.key is pass-phrase protected (see section 3)
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        proxy_pass http://localhost:8088;
    }
}
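The server blocks in sections 3 and 4 accept TLSv1 and TLSv1.1, both withdrawn by RFC 8996, and rely on the HIGH umbrella cipher string, which still admits RSA key exchange without forward secrecy. As an added example that is not part of the original post, the section 3 server block is placed beside a hardened variant (an assumption, not the author's config, with an explicit ECDHE/AEAD cipher list and the session cache from section 4) and a small POSIX sh audit that reports the directives a reviewer would flag. The audit only pattern-matches the directive lines, so it runs without nginx installed.

```shell
#!/bin/sh
# Added example, not part of the original post. ORIGINAL_CONF is the server
# block from section 3; HARDENED_CONF is an assumed replacement. audit_conf
# only pattern-matches directives, so it runs without nginx.

ORIGINAL_CONF='
server {
    listen 8004 ssl;
    server_name ruoyi.https;

    ssl_certificate     /home/server.crt;
    ssl_certificate_key /home/server.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_password_file   /home/cert.pass;

    location / {
        proxy_pass http://localhost:8088;
    }
}'

HARDENED_CONF='
server {
    listen 8004 ssl;
    server_name ruoyi.https;

    ssl_certificate     /home/server.crt;
    ssl_certificate_key /home/server.key;
    # the key is pass-phrase protected, so nginx needs the pass phrase file
    ssl_password_file   /home/cert.pass;

    # TLS 1.0/1.1 are withdrawn (RFC 8996); offer only ECDHE + AEAD suites
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # session reuse from section 4; stateless tickets off because nginx does
    # not rotate the ticket key by itself, whereas cache entries expire
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://localhost:8088;
    }
}'

# get_directive CONF NAME: arguments of the first NAME directive, or nothing.
get_directive() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p" \
      | head -n 1
}

# audit_conf CONF: one line per issue, prefixed FINDING (must fix) or NOTE.
audit_conf() {
    conf=$1
    protos=$(get_directive "$conf" ssl_protocols)
    for p in SSLv3 TLSv1 TLSv1.1; do
        case " $protos " in
            *" $p "*) echo "FINDING ssl_protocols enables deprecated $p" ;;
        esac
    done
    ciphers=$(get_directive "$conf" ssl_ciphers)
    case "$ciphers" in
        ""|*HIGH*|*DEFAULT*)
            echo "FINDING ssl_ciphers '$ciphers' is an umbrella list; it still admits RSA key exchange (no forward secrecy) and CBC suites" ;;
    esac
    [ -n "$(get_directive "$conf" ssl_session_cache)" ] \
        || echo "FINDING ssl_session_cache unset: every connection pays a full handshake"
    if [ -n "$(get_directive "$conf" ssl_certificate_key)" ] \
       && [ -z "$(get_directive "$conf" ssl_password_file)" ]; then
        echo "NOTE ssl_password_file unset: a pass-phrase-protected key fails with PEM_read_bio_PrivateKey()"
    fi
}

# count_findings CONF: number of FINDING lines (0 when clean).
count_findings() {
    audit_conf "$1" | grep -c '^FINDING' || true
}

# Usage: audit_conf "$ORIGINAL_CONF"; audit_conf "$HARDENED_CONF"
```

Run against the post's block, `audit_conf` reports four findings (TLSv1, TLSv1.1, the HIGH cipher string and the missing session cache); the hardened block reports none. The NOTE about ssl_password_file is informational because the audit cannot tell from the config alone whether server.key is encrypted.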

Origin blog.csdn.net/qq_42764468/article/details/132503155