Configuring nginx with an SSL certificate to serve encrypted HTTPS requests, explained

Original link: http://www.studyshare.cn/software/details/1175/0

One, encryption

1, symmetric encryption

Symmetric encryption means that the client encrypts the transmitted content with a fixed secret key, and the server decrypts it with the same secret key.

2, asymmetric encryption

SSL certificate: a digital certificate that follows the SSL protocol. It is issued by a trusted certificate authority (CA) after the CA has verified the server's identity, and it provides server authentication and data encryption. The public key and the private key form one key pair.

Asymmetric encryption means that the client encrypts the transmitted content with the public key, and the server decrypts the content with the private key.


Two, http and https

HTTP data is transmitted over the network in clear text. That is insecure, but efficient to process, because nothing is encrypted. HTTPS transmission is encrypted. If symmetric encryption is used, the client and the server share a fixed key; encryption and decryption add little overhead, but there is a risk of the secret key leaking, so it is not secure enough. If asymmetric encryption is used, the client uses the public key and the server uses the private key; the encryption and decryption algorithms have a high performance cost and are less efficient than symmetric encryption, but security is higher.

In production, HTTPS uses asymmetric and symmetric encryption in combination. First, the client generates a random symmetric key and sends it to the server under asymmetric encryption, so that it reaches the server securely. After that, the client and the server encrypt and decrypt the traffic between them with that symmetric key. As shown below


 

Three, nginx configuration https

1, the configuration premise

Check whether nginx has the https module enabled: run nginx -V and look at the output, as follows:


 

Configuring HTTPS in nginx requires only two files: a certificate for the browser (containing the public key, which the browser uses to encrypt) and a private key (which the server uses to decrypt).

For server.crt and server.key you can buy a commercial certificate from a certificate authority, or you can generate them yourself. A self-signed certificate is used here.

2, self-signed certificate

(1) Create the server private key; you will be asked to enter a password

        openssl genrsa -des3 -out server.key 4096

(2) Create a certificate signing request (CSR)

        openssl req -new -key server.key -out server.csr

(3) Remove the password that nginx with SSL support would otherwise require when loading and using the private key

        openssl rsa -in server.key -out server_nopass.key

(4) Finally, sign the certificate using the private key and the CSR

        openssl x509 -req -days 365 -in server.csr -signkey server_nopass.key -out server.crt

The certificate files generated at the end:


 

3, configure certificates

In the nginx conf configuration file, add the following to the server block:

ssl_certificate      /usr/local/nginx/server.crt;

ssl_certificate_key  /usr/local/nginx/server_nopass.key;
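
Steps (1) to (4) of the self-signed procedure as a non-interactive script, followed by checks worth running before pointing ssl_certificate and ssl_certificate_key at the files. This is an added example, not part of the original article; the function names make_selfsigned and check_pair, the sample passphrase and the /CN=localhost subject are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. The passphrase and the
# /CN=localhost subject are constructed sample values.

# make_selfsigned DIR [BITS]: steps (1)-(4) above, without interactive prompts.
make_selfsigned() {
    dir=$1; bits=${2:-4096}
    pass='pass:constructed-sample-passphrase'
    (
        cd "$dir" || exit 1
        umask 077   # new files are accessible to their owner only
        openssl genrsa -des3 -passout "$pass" -out server.key "$bits" &&
        openssl req -new -key server.key -passin "$pass" -subj /CN=localhost -out server.csr &&
        openssl rsa -in server.key -passin "$pass" -out server_nopass.key &&
        openssl x509 -req -days 365 -in server.csr -signkey server_nopass.key -out server.crt
    ) >/dev/null 2>&1
}

# check_pair CRT KEY: returns 0 when nginx can load the pair as configured.
check_pair() {
    crt=$1; key=$2
    # 1: the key must load with no passphrase, or nginx asks for one at start-up.
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null ||
        { echo "key is encrypted or unreadable: $key"; return 1; }
    # 2: certificate and key must contain the same public key.
    from_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    [ -n "$from_crt" ] && [ "$from_crt" = "$from_key" ] ||
        { echo "certificate and key do not match"; return 2; }
    # 3: an unencrypted key must not be accessible to group or others.
    case $(ls -lL "$key") in
        -???------*) ;;
        *) echo "key permissions too open: $key"; return 3 ;;
    esac
    # 4: the certificate must not have expired (-days 365 runs out after a year).
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired: $crt"; return 4; }
}

# Run as: sh script.sh /path/to/empty/dir
if [ "$#" -ge 1 ]; then
    make_selfsigned "$1" && check_pair "$1/server.crt" "$1/server_nopass.key" && echo ok
fi
```

Because server_nopass.key is stored unencrypted, the file permission check is the only thing protecting it on disk.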


 

Original article; please credit the source when reposting.


Origin www.cnblogs.com/darendu/p/11388289.html