Nginx in Depth: HTTPS Principles and Practice

Scenario: securing data in transit

Disadvantage: a man-in-the-middle who impersonates the client and the server at the same time cannot be prevented.

Addressing this disadvantage requires a CA-signed certificate.

http://www.ruanyifeng.com/blog/2011/08/what_is_a_digital_signature.html

https://blog.csdn.net/wangtaomtk/article/details/80917081

 

1. Generate the key and the CA-signed certificate using openssl

[root@izwz97j0sus9exlvpgweqpz ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

Confirm the environment before generating the key.

 

1: Generate Key

openssl genrsa -idea -out guo.key 1024

 

2: Generate the Certificate Signing Request file (csr file)

openssl req -new -key guo.key -out guo.csr

 

3: Generate the signed certificate (CA file)

Normally these two files, guo.csr and guo.key, are handed to a signing authority, but here we act as our own CA.

openssl x509 -req -days 3650 -in guo.csr -signkey guo.key -out guo.crt
If -days 3650 is not given, the default validity is one month.

 

The CA certificate is now complete.

 

2. Core configuration syntax

Enable SSL

Syntax: ssl on | off

Default: ssl off

Context:http, server

 

Certificate file

Syntax: ssl_certificate file

Default:---

Context:http, server

 

Certificate private key file

Syntax: ssl_certificate_key file

Default: ---

Context:http, server

 

server {
   listen       443;
   server_name  120.79.210.194;
   ssl on;
   ssl_certificate /etc/nginx/ssl_key/guo.crt;
   ssl_certificate_key /etc/nginx/ssl_key/guo.key;
   #ssl_certificate_key /etc/nginx/ssl_key/jesonc_nopass.key;

   index index.html index.htm;
   location / {
       root  /opt/app/code;
   }
}
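
Added example, not part of the original post: steps 1-3 run non-interactively, followed by the checks worth making before ssl_certificate and ssl_certificate_key point at the resulting files (key matches certificate, key length, not expired). It assumes a 2048-bit key without a passphrase instead of the post's 1024-bit IDEA-encrypted key; the function names and the CN example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Assumptions: 2048-bit key with
# no passphrase, -subj to avoid prompts, CN "example.test" is constructed.

# Steps 1-3 from the text, non-interactive. usage: make_selfsigned DIR CN DAYS
make_selfsigned() {
    dir=$1; cn=$2; days=$3
    ( umask 077 && openssl genrsa -out "$dir/guo.key" 2048 ) 2>/dev/null || return 1
    openssl req -new -key "$dir/guo.key" -subj "/CN=$cn" -out "$dir/guo.csr" || return 1
    openssl x509 -req -days "$days" -in "$dir/guo.csr" \
        -signkey "$dir/guo.key" -out "$dir/guo.crt" 2>/dev/null
}

# True when the certificate's public key is the one derived from the private key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$crt_pub" = "$key_pub" ]
}

# True when subject and issuer are identical, as in a cert made with -signkey.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# Prints the public key size in bits as recorded in the certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Checks to run before setting ssl_certificate / ssl_certificate_key.
# usage: check_for_nginx CRT KEY [MIN_BITS]
check_for_nginx() {
    cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    [ "$(cert_key_bits "$1")" -ge "${3:-2048}" ] || { echo "key too short" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "expired" >&2; return 1; }
}

# Demo in a throwaway directory.
d=$(mktemp -d) && make_selfsigned "$d" example.test 3650 &&
    check_for_nginx "$d/guo.crt" "$d/guo.key" && echo "ok: $d/guo.crt is usable"
```

Running `nginx -t` after editing the server block confirms that nginx itself can load the certificate and key pair.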

 


Origin www.cnblogs.com/eason-d/p/11227531.html