First, the difference between HTTP and HTTPS
HTTP: the most widely used network protocol on the Internet. It is a client/server request-and-response standard (over TCP) for transferring hypertext from WWW servers to the local browser; it makes browsers more efficient and reduces network traffic.
HTTPS: HTTP over a secure channel. Simply put, it is a secure version of HTTP in which an SSL layer is added beneath HTTP. The security foundation of HTTPS is SSL, so the details of the encryption are handled by SSL. The HTTPS protocol has two main roles: one is to establish a secure channel that protects data in transit; the other is to confirm the authenticity of the site.
The main differences between HTTPS and HTTP are as follows:
1. HTTPS requires applying to a CA for a certificate; free certificates are relatively few, so a fee is generally required.
2. HTTP is the hypertext transfer protocol and transmits information in the clear; HTTPS is an encrypted transfer protocol that uses SSL for security.
3. HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443.
4. An HTTP connection is very simple and stateless; HTTPS is an encrypted transmission protocol built from SSL + HTTP, which can authenticate the peer, and is more secure than HTTP.
Second, using openssl to generate a certificate
OpenSSL is the most popular SSL cryptographic library; it provides a general, robust, full-featured toolkit supporting the implementation of the SSL/TLS protocol.
For example, generate the certificate into /usr/local/ssl:
openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /usr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt

Generation process:

# openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /usr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt
Generating a 2048 bit RSA private key
...............................................................................+++
...............+++
writing new private key to '/usr/local/ssl/nginx.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:xxxx
Organizational Unit Name (eg, section) []:xxxx
Common Name (eg, your name or your server's hostname) []:xxxx (usually the domain name)
Email Address []:[email protected]
# ll
total 8
-rw-r--r--. 1 root root 1391 Apr 21 13:29 nginx.crt
-rw-r--r--. 1 root root 1704 Apr 21 13:29 nginx.key
Three, installing the http_ssl_module module for Nginx
If the SSL module is not enabled and HTTPS is configured, Nginx reports an error:
nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:xxx
Nginx lacks the http_ssl_module module; adding the --with-http_ssl_module parameter when compiling and installing fixes it.
The scenario here is that nginx is already installed on the server, but http_ssl_module was not installed with it.
1. Go to the source package directory, such as:
cd /app/download/nginx-1.16.7
2. configure:
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
3. make:
make
4. Do not run make install, otherwise it will overwrite the existing installation.
5. Back up the original nginx binary, such as:
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_bak
6. Then overwrite the original nginx with the freshly compiled one (nginx must be stopped first):
cp ./objs/nginx /usr/local/nginx/sbin/
7. Check the installation (note: if it does not take effect, reload nginx):
/usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
Four, configuring https in nginx
Part of the configuration is pasted here:
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       7777;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            if (!-e $request_filename) {
                rewrite ^(.*)$ /index.html?s=$1 last;
                break;
            }
            root   /usr/local/chip/product/crdp_plus;
            index  index.html;
        }

        location /portal-ui {
            root   html;
            index  index.html index.htm;
            try_files $uri $uri/ /monitor-view/index.html;
        }

        location /crdp/ {
            proxy_pass http://127.0.0.1:8888;
        }
        location /swagger-ui.html {
            proxy_pass http://127.0.0.1:8888;
        }
        location /swagger-resources {
            proxy_pass http://127.0.0.1:8888;
        }
        location /swagger {
            proxy_pass http://127.0.0.1:8888;
        }
        location /webjars {
            proxy_pass http://127.0.0.1:8888;
        }
        location /v2 {
            proxy_pass http://127.0.0.1:8888;
        }
        location /druid {
            proxy_pass http://127.0.0.1:8888;
        }

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        client_max_body_size 5m;

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    server {
        listen       8787 ssl;
        server_name  192.168.13.192;

        ssl_certificate      /usr/local/ssl/nginx.crt;   # certificate (public key)
        ssl_certificate_key  /usr/local/ssl/nginx.key;   # certificate private key

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers    ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!3DES:!aNULL:!eNULL;
        ssl_prefer_server_ciphers  on;

        root   /usr/local/ui_workspace;
        index  /appBaoJian/index.html;

        location /appBaoJian {
            root   /usr/local/ui_workspace;
            index  index.html index.htm;
            try_files $uri $uri/ /appBaoJian/index.html;
        }

        location /chhm-service/ {
            proxy_pass http://192.168.13.77:8380;
        }
    }

    server {
        listen       8686 ssl;
        server_name  192.168.13.192;

        ssl_certificate      /usr/local/ssl/nginx.crt;   # certificate (public key)
        ssl_certificate_key  /usr/local/ssl/nginx.key;   # certificate private key

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers    ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!3DES:!aNULL:!eNULL;
        ssl_prefer_server_ciphers  on;

        root   /usr/local/ui_workspace;
        index  /crpge/index.html;

        location /crpgea {
            root   /usr/local/ui_workspace;
            index  index.html index.htm;
            try_files $uri $uri/ /crpge/index.html;
        }

        location /crpgeb {
            root   /usr/local/ui_workspace;
            index  index.html index.htm;
            try_files $uri $uri/ /crpge/hospital.html;
        }

        location /crpge/v1 {
            proxy_http_version 1.1;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://127.0.0.1:18888/crpge/v1;
        }
    }
}
First, test that the configuration is correct:
/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Restart nginx:
/usr/local/nginx/sbin/./nginx -s reload
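Two offline sanity checks for the setup in sections Three and Four, written here as an added example (not part of the original post): one confirms from `nginx -V` output that the binary has the SSL module whose absence causes the "ssl parameter requires ngx_http_ssl_module" error, the other scans an nginx.conf for ssl_protocols directives that still enable the deprecated TLSv1 and TLSv1.1, as the pasted configuration does. The sample config text and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for an nginx HTTPS setup.

# Does this nginx binary include the SSL module? Pass it the text of `nginx -V 2>&1`
# (nginx -V prints to stderr). A binary built without --with-http_ssl_module fails
# with 'the "ssl" parameter requires ngx_http_ssl_module' once the config uses `ssl`.
has_ssl_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_ssl_module'
}

# Print every active ssl_protocols directive in the given nginx.conf that still
# enables TLSv1 or TLSv1.1 (both deprecated). Output is "LINE: directive" per
# finding; exit status 0 when something was found, 1 when the file is clean.
weak_tls_in_conf() {
    awk '
        { sub(/#.*/, "") }                                  # strip comments first
        /ssl_protocols/ && /TLSv1(\.1)?([[:space:];]|$)/ {  # TLSv1 or TLSv1.1 only,
            printf "%d: %s\n", NR, $0; found = 1            # not TLSv1.2 / TLSv1.3
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample config mirroring the two ssl server blocks in the post
# (second block deliberately hardened so only the first should be reported).
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 8787 ssl;
    ssl_certificate     /usr/local/ssl/nginx.crt;
    ssl_certificate_key /usr/local/ssl/nginx.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8686 ssl;
    # ssl_protocols TLSv1 TLSv1.1;   commented out, must be ignored
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
}

# Usage against a real server (hypothetical paths, not run here):
#   has_ssl_module "$(/usr/local/nginx/sbin/nginx -V 2>&1)" && echo "ssl module present"
#   weak_tls_in_conf /usr/local/nginx/conf/nginx.conf || echo "no weak ssl_protocols"
```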