Details how to configure the Nginx server to secure the HTTPS connection

  • 2020-05-10 23:26:43
  • OfStack

HTTPS is HTTP over TLS (SSL). The HTTPS protocol has three main objectives:

  • Data confidentiality: the content cannot be read by a third party while in transit. Like a sealed courier package, nobody along the way knows what is inside.
  • Data integrity: tampering by a third party in transit is detected promptly. A courier does not know what is in the package, but could swap its contents on the way; integrity means that if the package has been altered, we notice easily and reject it.
  • Identity verification: the data reaches the intended destination. Even with a sealed, unswitched package, we still have to make sure it is not delivered to the wrong place.

Before HTTPS can be enabled you need a certificate, and the certificate starts with a CSR created on your own server together with the matching public and private key pair. I will use Nginx as the example; Apache is much the same, since both are built on OpenSSL. As I only have one host name, www.ofstack.com, a PositiveSSL certificate from COMODO is the convenient choice, at $9 per year. Note that COMODO requires a key of at least 2048 bits, as shown in the command below. When activating the certificate, the common name must be your own domain address. Since I do not use ofstack.com, I enter www.ofstack.com here; note that these two host names are different. For the other fields (organization, company and so on), write NA if you do not have them; do not leave them blank. Let's start with step 1.


1. Log in as root and upgrade the server. This addresses a serious OpenSSL vulnerability, CVE-2014-0224: a flaw in the handling of ChangeCipherSpec messages can allow a man-in-the-middle attacker to decrypt and modify the traffic between the affected server and client, and so obtain the encrypted data.

Check the OpenSSL version and make sure it is at least 1.0.1h:


openssl version -a

If it is older, upgrade the server; for example, on Debian:


apt-get update
apt-get upgrade

2. Create CSR and private key


openssl req -new -newkey rsa:2048 -nodes -keyout www.ofstack.com.key -out www.ofstack.com.csr

This produces two files: the private key www.ofstack.com.key and the CSR file www.ofstack.com.csr. The contents of the CSR are what you paste in when activating the certificate.

3. Purchase the certificate, complete the activation, and download the certificate file

The downloaded certificate is usually one zip archive, containing either two files or four files.

If there are two files, they look like this:

www_jb51_net.ca-bundle www_jb51_net.crt

If there are four files, they usually look like this:

www_jb51_net.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt

Here www_slyar_com.ca-bundle is simply the other three files (the intermediate and root certificates) merged automatically.

4. Merge the certificates; the order must be correct (your own certificate first, then the CA bundle)


cat www_jb51_net.crt www_slyar_com.ca-bundle > www.ofstack.com.crt

or


cat www_slyar_com.crt www_slyar_com.ca-bundle > www.ofstack.com.crt

The resulting www.ofstack.com.crt is the concatenation of the four files. Together with the www.ofstack.com.key created earlier, it forms the certificate material that Nginx needs.
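As an added example (not code from the original article), the script below wraps steps 1 to 4 in shell functions, each followed by the check a practitioner wants before handing the result on: the OpenSSL version is compared against 1.0.1h, the CSR is generated without the interactive prompts and then inspected for the intended common name and key size, and after merging, the first certificate in the file is confirmed to be the host's own, the key is confirmed to match the certificate, and the chain is verified. The host name and file names follow the article; the function names, the `csr`/`merge` subcommands and the two-letter country placeholder are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: steps 1 to 4 as shell
# functions, each followed by the check you want before handing the result on.
# Assumptions: host name and file names follow the article; the function names,
# the "csr"/"merge" subcommands and the country placeholder are this example's own.
set -e

# Step 1: parse the first line of `openssl version` (e.g. "OpenSSL 1.0.1e 11 Feb 2013")
# and require at least 1.0.1h, the release that fixed CVE-2014-0224.
# Exit status 0 means new enough, 1 means upgrade first.
openssl_version_ok() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')                        # 1.0.1e, 1.0.2k-fips, 3.0.2
    num=$(printf '%s\n' "$ver" | sed 's/[^0-9.].*$//')                  # 1.0.1
    letter=$(printf '%s\n' "$ver" | sed 's/^[0-9.]*//; s/[^a-z].*$//')  # e (empty for 1.1.1 or 3.0.2)
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -eq 1 ] || return 1
    # Exactly 1.0.1: the patch letter must be h or later (plain 1.0.1 is older than 1.0.1a)
    [ -n "$letter" ] || return 1
    [ "$(printf '%d' "'$letter")" -ge "$(printf '%d' "'h")" ]
}

# Step 2: private key and CSR without the interactive prompts. The subject follows
# the article: the common name is the exact host name and NA stands in for the
# organisation fields; C=XX is a placeholder for your real two-letter country code.
make_csr() {
    domain=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$domain.key" -out "$domain.csr" \
        -subj "/C=XX/O=NA/OU=NA/CN=$domain"
    # Confirm the CSR carries the intended common name and a 2048-bit key
    openssl req -noout -text -in "$domain.csr" | grep -Eq "CN ?= ?$domain"
    openssl req -noout -text -in "$domain.csr" | grep -q 'Public-Key: (2048 bit)'
}

# Step 4: own certificate first, then the CA bundle. Nginx treats the first PEM
# block in the file as the server certificate, so the order is checked afterwards.
merge_chain() {
    domain=$1; leaf=$2; bundle=$3
    cat "$leaf" "$bundle" > "$domain.crt"
    # `openssl x509` reads only the first block: its subject must be our host name
    openssl x509 -noout -subject -in "$domain.crt" | grep -Eq "CN ?= ?$domain"
    # Key and certificate must belong together (identical RSA modulus)
    [ "$(openssl x509 -noout -modulus -in "$domain.crt")" = \
      "$(openssl rsa -noout -modulus -in "$domain.key")" ]
    # The intermediates must chain up to a root the system already trusts
    openssl verify -untrusted "$bundle" "$leaf"
}

# Usage:  sh https_setup.sh csr www.ofstack.com
#         sh https_setup.sh merge www.ofstack.com www_jb51_net.crt www_jb51_net.ca-bundle
case "${1:-}" in
    csr)
        openssl_version_ok "$(openssl version)" \
            || { echo "OpenSSL is older than 1.0.1h, upgrade first (step 1)" >&2; exit 1; }
        make_csr "$2" ;;
    merge)
        merge_chain "$2" "$3" "$4" ;;
esac
```

The version check is deliberately written in plain shell rather than relying on `sort -V`, because the 1.0.1 series is distinguished only by its patch letter and that is exactly the case that matters here. The modulus comparison catches the common mistake of pairing a freshly issued certificate with a key from an earlier CSR attempt.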

5. Copy www.ofstack.com.crt and www.ofstack.com.key into the Nginx conf directory, for example /usr/local/nginx/conf/


cp www.ofstack.com.crt www.ofstack.com.key /usr/local/nginx/conf/

6. Edit the Nginx configuration file, or the virtual host file under vhost/, to enable HTTPS, configure the protocols and ciphers, and so on


server {
    # Serving both port 80 and 443 from one server block works as well: configure it
    # once and redirect port 80 to 443 at the end
    listen 80;
    listen 443 ssl;   # "ssl" is required, otherwise Nginx speaks plain HTTP on port 443
    server_name www.ofstack.com;

    # Certificate (the merged chain) and private key copied in step 5
    ssl_certificate www.ofstack.com.crt;
    ssl_certificate_key www.ofstack.com.key;

    # Disable the unsafe SSLv2 and SSLv3; offer only TLS
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_prefer_server_ciphers on;

    # RC4 is no longer safe; it is simply left out of the list
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    # 301 redirect from plain HTTP to HTTPS
    if ($server_port = 80) {
        return 301 https://$server_name$request_uri;
    }
}

7. Test the Nginx configuration file, then reload the configuration


nginx -t
service nginx reload

This completes the configuration of HTTPS for the server.
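As an added example (not from the original article), the script below audits the TLS directives of an Nginx server block for the mistakes the configuration in step 6 is written to avoid: a `listen 443` without the ssl parameter (and no `ssl on;`), SSLv2/SSLv3 in ssl_protocols, RC4 permitted in ssl_ciphers, and missing ssl_certificate, ssl_certificate_key or ssl_prefer_server_ciphers directives. It runs the audit over a constructed "before" config that has every one of these problems and over the article's corrected settings. The function names and the temporary directory are this example's own assumptions; the two sample configs are constructed for it.

```shell
#!/bin/sh
# Added example, not part of the original article: a text-level audit of the TLS
# directives in an Nginx server block, applied to a constructed weak config and to
# the article's corrected settings. Function names and paths are this example's own.
set -e

# Strip comments and leading whitespace, then print the remaining directive lines
directives() {
    sed 's/#.*$//' "$1" | sed 's/^[[:space:]]*//' | grep -v '^$'
}

# Print one finding per line; exit status 1 if anything was found, 0 if clean
audit_tls_config() {
    conf=$1
    found=0
    d=$(directives "$conf" || true)

    # listen 443 needs the ssl parameter (or the old `ssl on;`); otherwise Nginx
    # serves plain HTTP on 443 and the ssl_* directives never take effect
    if printf '%s\n' "$d" | grep -E '^listen[[:space:]]' | grep -E '[[:space:]:]443[[:space:];]' \
           | grep -vq '[[:space:]]ssl[[:space:];]' \
       && ! printf '%s\n' "$d" | grep -Eq '^ssl[[:space:]]+on;'; then
        echo "listen 443 without the ssl parameter"; found=1
    fi
    # SSLv2 and SSLv3 must not be offered
    if printf '%s\n' "$d" | grep -E '^ssl_protocols' | grep -q 'SSLv'; then
        echo "ssl_protocols still offers SSLv2/SSLv3"; found=1
    fi
    # RC4 may only appear in the cipher list as an exclusion (!RC4)
    ciphers=$(printf '%s\n' "$d" | grep -E '^ssl_ciphers' \
                  | sed 's/^ssl_ciphers[[:space:]]*//; s/;$//' || true)
    if printf '%s\n' "$ciphers" | tr ':' '\n' | grep -v '^!' | grep -q 'RC4'; then
        echo "ssl_ciphers allows RC4"; found=1
    fi
    # Directives the article's configuration relies on must all be present
    for name in ssl_certificate ssl_certificate_key ssl_prefer_server_ciphers; do
        printf '%s\n' "$d" | grep -Eq "^$name[[:space:]]" \
            || { echo "$name is not set"; found=1; }
    done
    return $found
}

# Number of findings for a config file (0 for a clean one)
finding_count() {
    audit_tls_config "$1" | grep -c . || true
}

# Constructed sample configs: "weak" has every problem the audit looks for,
# "hardened" is the article's corrected server block
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
server {
    listen 80;
    listen 443;                      # no "ssl": port 443 speaks plain HTTP
    ssl_certificate www.ofstack.com.crt;
    ssl_certificate_key www.ofstack.com.key;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
}
EOF
    cat > "$1/hardened.conf" <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    server_name www.ofstack.com;
    ssl_certificate www.ofstack.com.crt;
    ssl_certificate_key www.ofstack.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    if ($server_port = 80) {
        return 301 https://$server_name$request_uri;
    }
}
EOF
}

# Demonstration run over the two samples
demo_dir=${TMPDIR:-/tmp}/nginx-tls-audit.$$
mkdir -p "$demo_dir"
write_samples "$demo_dir"
echo "== weak.conf";     audit_tls_config "$demo_dir/weak.conf" || true
echo "== hardened.conf"; audit_tls_config "$demo_dir/hardened.conf" && echo "no findings"
rm -rf "$demo_dir"
# Once the audit is clean, step 7 still applies: nginx -t, then service nginx reload
```

The audit only reads the text of the directives, so it complements rather than replaces `nginx -t`: a syntactically valid file can still carry `listen 443;` without ssl, which Nginx accepts silently.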

HTTPS is very secure and digital certificates do not cost much, so why don't Internet companies use HTTPS for everything? There are two main reasons:

HTTPS has a noticeable effect on speed. Each HTTPS connection typically adds 1-3 RTTs, plus the cost of encryption and decryption, which can add tens of milliseconds of latency.
HTTPS consumes a great deal of CPU. During a full handshake, the web server's throughput drops to 10% or less of what it handles for plain HTTP.

Why does HTTPS hurt performance so much? Mainly because of the big-number arithmetic in the handshake stage. The most expensive part of the key exchange is the private key decryption (the rsa_private_decryption function), which accounts for 95% of the total SSL handshake cost.

However, as the web grows and hardware keeps improving in line with Moore's law, the security is worth the trade-off.

