Nginx+SSL set up HTTPS website

  • 2020-05-10 23:31:19
  • OfStack

1. What is HTTPS?

According to wikipedia:


Hypertext Transfer Protocol Secure (HTTPS) is the combination of the Hypertext Transfer Protocol with SSL/TLS, used to provide encrypted communication and identification of network servers. HTTPS connections are often used for payment transactions on the World Wide Web and for transmitting sensitive information in enterprise information systems. HTTPS should not be confused with the Secure Hypertext Transfer Protocol (S-HTTP) defined in RFC 2660.
HTTPS is currently the first choice for every website that cares about privacy and security. As the technology has developed, HTTPS sites are no longer the preserve of large websites; any ordinary individual webmaster or blogger can build a securely encrypted website on their own.

If a web site is not encrypted, all of your account passwords are transmitted in clear text. As you can imagine, when it comes to privacy and financial issues, unencrypted transmission can be a terrible thing.

Since this blog is read by people who are close to professionals, let's get down to business without further ado.

2. Generate SSL Key and CSR using OpenSSL

Only a CA that browsers or operating systems already trust lets every visitor reach your encrypted site without a certificate warning, so we skip self-signed certificates and go straight to obtaining a certificate signed by a trusted third-party CA.

OpenSSL is installed by default on common systems such as Linux and OS X. Because of past security issues, third-party SSL certificate authorities now require RSA private keys of at least 2048 bits.

SSL certificate validation generally comes in two forms: DV (Domain Validated) and OV (Organization Validated). The former only verifies the domain name; the latter also verifies your organization or company, so in terms of assurance the latter is definitely better.

Whether you apply for DV or OV, you need to fill in some basic information when generating the private key and CSR. Here we assume:

Common Name (usually the domain name, although for special certificates it is not necessarily a domain name): example.com

Organization or company name (Organization) : Example, Inc.

Department (Organizational Unit): not required; here we write Web Security

City (City) : Beijing

Province (State/Province) : Beijing

Country (Country) : CN

Key size: 2048 bits, or 4096 bits if your machine is powerful enough

Following the above information, the command to generate the key and CSR with OpenSSL is as follows:


openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc./OU=Web Security/CN=example.com"

PS: for a wildcard certificate, use *.example.com as the Common Name.

You can run this command from anywhere on the system; it generates example_com.csr and example_com.key in the current directory.

Then you can look at example_com.csr and get something like this


-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

This is the CSR file that you need to submit to the SSL certification authority. When your domain name or organization is authenticated, the certification authority will issue you with an example_com.crt

example_com.key is used together with example_com.crt in the Nginx configuration. It must be stored securely and never disclosed to any third party.
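As an added example (not part of the original article), the following POSIX shell script wraps the openssl req command from this section in a function and adds the checks worth running before a CSR leaves the machine: the key really is 2048 bits, the CSR belongs to that key, and the key file is readable only by its owner. It assumes the openssl CLI is on PATH; the subject values are the constructed sample data above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original article. Wraps the article's
# "openssl req" command in a function and adds the pre-submission checks:
# key size, CSR/key match and private-key file mode.
# Assumes the openssl CLI is on PATH. Subject fields are the article's
# constructed sample values (example.com, Example Inc., Beijing, CN).
set -eu

# Minimal req config so the run does not depend on the system openssl.cnf;
# -subj supplies the DN, so the distinguished_name section can stay empty.
write_req_config() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1"
}

# Generate <base>.key and <base>.csr in directory $1 for domain $2 (default
# example.com) with an RSA key of $3 bits (default 2048) and print <base>,
# e.g. example.com -> example_com. umask 077 makes the key file mode 0600.
gen_key_and_csr() {
    dir="$1"; domain="${2:-example.com}"; bits="${3:-2048}"
    base=$(printf '%s' "$domain" | sed 's/[^A-Za-z0-9-]/_/g')
    write_req_config "$dir/req.cnf"
    (
        umask 077
        openssl req -new -newkey "rsa:${bits}" -sha256 -nodes -config "$dir/req.cnf" \
            -keyout "$dir/$base.key" -out "$dir/$base.csr" \
            -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc./OU=Web Security/CN=$domain" \
            2>/dev/null
    )
    printf '%s\n' "$base"
}

# Print the CSR subject in RFC 2253 form, e.g. "CN=example.com,OU=Web Security,...".
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Print the RSA modulus size of a private key in bits (CAs require >= 2048).
key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Run OpenSSL's CSR self-signature check, then require the CSR's public key to
# equal the one derived from the private key. Older OpenSSL releases only report
# a bad self-signature without failing, so the key comparison is the decisive test.
csr_matches_key() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$csr_pub" = "$key_pub" ]
}

# Print the octal permission bits of a file (GNU stat, with BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone run: SSL_DEMO_DIR=/tmp/csr-demo sh this_script.sh
if [ -n "${SSL_DEMO_DIR:-}" ]; then
    mkdir -p "$SSL_DEMO_DIR"
    base=$(gen_key_and_csr "$SSL_DEMO_DIR")
    echo "subject:  $(csr_subject "$SSL_DEMO_DIR/$base.csr")"
    echo "key bits: $(key_bits "$SSL_DEMO_DIR/$base.key")"
    echo "key mode: $(file_mode "$SSL_DEMO_DIR/$base.key")"
    if csr_matches_key "$SSL_DEMO_DIR/$base.csr" "$SSL_DEMO_DIR/$base.key"; then
        echo "CSR and key match"
    fi
fi
```

The public-key comparison is the check that catches the common mistake of regenerating the key after the CSR was submitted: the CA's certificate then no longer matches the key Nginx loads, and the server fails to start with a key/certificate mismatch.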

3. Nginx configure HTTPS website and add security configuration

As mentioned above, you need to submit the CSR file to the third-party SSL certificate authority. After validation, they will issue you a CRT file, which we will name example_com.crt.

For tidiness, move all three files into the /etc/ssl/private/ directory.

You can then modify the Nginx configuration file


server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name example.com;
    # "ssl on;" is the legacy form of the ssl parameter on listen and is not needed here;
    # plain HTTP on port 80 belongs in a separate server block (see the 301 redirect below)
    ssl_certificate /etc/ssl/private/example_com.crt;
    ssl_certificate_key /etc/ssl/private/example_com.key;
}

Check that the configuration file is ok and then re-read Nginx


nginx -t && nginx -s reload

However, this alone is not secure enough. The defaults still allow SHA-1, which current mainstream practice avoids; for stronger security we can enable Diffie-Hellman key exchange with our own parameters.

First, go into the /etc/ssl/certs directory and generate one dhparam.pem


cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 2048   # use 4096 if your machine is powerful enough

Once generation is complete, add the following after the SSL directives in the Nginx configuration:


ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); remove them unless legacy clients require them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# the trailing !RC4 permanently removes the RC4 suites that EECDH+aRSA+RC4 would otherwise add
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
keepalive_timeout 70;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
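To see what that ssl_ciphers string actually enables on your OpenSSL build, you can expand it with the same parser Nginx hands it to. The following is an added example (not from the article) that does so and checks that no RC4, DES, MD5 or NULL suite survives; it assumes the openssl CLI is on PATH and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: expands the article's
# ssl_ciphers string with the local OpenSSL and checks that nothing weak
# survives. Nginx passes this string to the same OpenSSL cipher-list parser,
# so the expansion shows what the directive really enables on this machine.
# Assumes the openssl CLI is on PATH.
set -eu

# The ssl_ciphers value from the article, verbatim (spaces are valid separators).
NGINX_CIPHERS="EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

# Print one enabled cipher per line: name, protocol, key exchange, auth, encryption, MAC.
expand_ciphers() {
    openssl ciphers -v "$1"
}

# Print how many enabled ciphers match a weak-algorithm pattern (0 is the goal).
count_weak() {
    expand_ciphers "$1" | grep -c -E 'RC4|DES|MD5|NULL|EXP' || true
}

# Succeed when the list is non-empty and contains no weak cipher. An empty or
# unparsable list also fails here, which is what you want before a deploy.
ciphers_are_clean() {
    n=$(expand_ciphers "$1" 2>/dev/null | wc -l)
    [ "$n" -gt 0 ] && [ "$(count_weak "$1" 2>/dev/null)" -eq 0 ]
}

# Stand-alone run: SHOW_CIPHERS=1 sh this_script.sh
if [ -n "${SHOW_CIPHERS:-}" ]; then
    expand_ciphers "$NGINX_CIPHERS"
    echo "weak suites enabled: $(count_weak "$NGINX_CIPHERS")"
fi
```

Run it on the machine that will serve the site, since the expansion depends on the OpenSSL version Nginx is linked against; the same string can enable different suites on different hosts.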

If the whole site is served over HTTPS and plain HTTP is not needed, you can also add HSTS, which tells browsers that the site is fully encrypted and must always be accessed over HTTPS:


add_header Strict-Transport-Security "max-age=63072000";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

You can also add a separate Nginx server block that redirects all HTTP requests to HTTPS with a 301:


server {
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

4. Reliable third party SSL issuing authority

As is well known, some time ago a scandal came to light in which a NIC organization improperly issued certificates for Google domain names, which shows how important it is to choose a reliable third-party SSL issuing organization.

Currently, several SSL certificate authorities on the market suit small and medium-sized webmasters and enterprises:

StartSSL

Comodo/sub-brand Positive SSL

GlobalSign/sub-brand AlphaSSL

GeoTrust/sub-brand RapidSSL

Positive SSL, AlphaSSL, RapidSSL and so on are sub-brands. Their certificates are generally issued three or four levels deep in the chain, so you will need to append the CA certificate chain to your CRT file.

Taking Comodo Positive SSL as an example, and assuming your domain name is example.com, you need to concatenate the CA certificates. The concatenation command is:


# order matters: your own certificate first, then the intermediates, then the root
cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > example_com.signed.crt

Use example_com.signed.crt in the Nginx configuration
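The cat command above only produces a usable bundle if the pieces are in the right order and every file ends with a newline. As an added example (not from the article, and not using any real CA's certificates), the script below builds a constructed local PKI with a root, an intermediate and a leaf for example.com, assembles the bundle the same way, and then checks it the way Nginx and browsers will: leaf first, each certificate issued by the one after it, and the chain verifying up to the root. It also demonstrates the failure mode of a wrongly ordered bundle. It assumes the openssl CLI is on PATH; all names, files and function names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original article and unrelated to any real CA:
# builds a constructed local PKI (root -> intermediate -> leaf for example.com),
# assembles the chain file the way the article's "cat" command does, and then
# checks what Nginx and browsers actually need: the leaf first, each certificate
# issued by the next one, and the whole chain verifying back to the root.
# Assumes the openssl CLI is on PATH; every name and file here is made up.
set -eu

# Minimal openssl config with the extension sections used below
# (-subj supplies every DN, so the distinguished_name section stays empty).
write_pki_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com
EOF
}

# Create root.crt, int.crt and example_com.crt (with keys) in directory $1.
make_test_pki() {
    d="$1"; cfg="$d/pki.cnf"
    write_pki_config "$cfg"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config "$cfg" \
        -extensions ca_ext -subj "/CN=Test Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -subj "/CN=Test Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$cfg" -extensions ca_ext -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -subj "/CN=example.com" -keyout "$d/example_com.key" -out "$d/example_com.csr" 2>/dev/null
    openssl x509 -req -in "$d/example_com.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$cfg" -extensions leaf_ext -out "$d/example_com.crt" 2>/dev/null
}

# Concatenate leaf, intermediate and root into $1/example_com.signed.crt, adding a
# newline after any file that lacks one: without it "-----END" and "-----BEGIN"
# land on the same line and the bundle silently loses a certificate.
build_chain() {
    d="$1"
    for f in "$d/example_com.crt" "$d/int.crt" "$d/root.crt"; do
        cat "$f"
        if [ -n "$(tail -c1 "$f")" ]; then echo; fi
    done > "$d/example_com.signed.crt"
}

# Number of certificates in a PEM bundle.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Subject of the first certificate in the bundle (the one Nginx presents as the server cert).
first_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Succeed when every certificate in the bundle is issued by the one that follows it.
chain_is_ordered() {
    work=$(mktemp -d)
    awk -v out="$work" '/-----BEGIN CERTIFICATE-----/{n++} {print > (out "/cert-" n ".pem")}' "$1"
    n=$(cert_count "$1"); i=1; ok=0
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$work/cert-$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$work/cert-$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] || ok=1
        i=$((i + 1))
    done
    rm -rf "$work"
    return "$ok"
}

# Succeed when leaf $3 chains to trusted root $2 through the certificates in bundle $1,
# which is the path-building a client performs during the TLS handshake.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$3" >/dev/null 2>&1
}

# Stand-alone run: PKI_DEMO_DIR=/tmp/chain-demo sh this_script.sh
if [ -n "${PKI_DEMO_DIR:-}" ]; then
    mkdir -p "$PKI_DEMO_DIR"
    make_test_pki "$PKI_DEMO_DIR"
    build_chain "$PKI_DEMO_DIR"
    echo "certificates in bundle: $(cert_count "$PKI_DEMO_DIR/example_com.signed.crt")"
    echo "first subject: $(first_subject "$PKI_DEMO_DIR/example_com.signed.crt")"
    chain_is_ordered "$PKI_DEMO_DIR/example_com.signed.crt" && echo "order: ok"
    chain_verifies "$PKI_DEMO_DIR/example_com.signed.crt" "$PKI_DEMO_DIR/root.crt" \
        "$PKI_DEMO_DIR/example_com.crt" && echo "chain: verifies"
fi
```

Against a real bundle, point chain_verifies at the CA's published root instead of the constructed one; the ordering check is the same, and it is what an "unable to get local issuer certificate" error from clients usually comes down to.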

If it is a common AlphaSSL wildcard certificate, they will not send you the CA certificate chain, so you need to add the AlphaSSL CA certificate chain to your CRT file yourself.

AlphaSSL Intermediate CA: https://www.alphassl.com/support/install-root-certificate.html

5. EV SSL for enterprises

EV SSL, short for Extended Validation, pays more attention to the security protection and strict certification of enterprise websites.

The most obvious difference is that browsers usually show an EV SSL site with a green address bar. For example, this website's SSL certificate is EV SSL.

That is the complete guide to building an HTTPS website with SSL under Nginx. Hope you like it.

