Setting up an HTTPS site with nginx

  • 2020-05-14 06:08:11
  • OfStack

1. HTTPS overview

1. What HTTPS is

HTTPS is composed of two parts, HTTP + SSL/TLS: an additional layer is added to HTTP to handle encryption. Traffic in both directions between the server and the client is encrypted through TLS, so all data on the wire is ciphertext.

2. How the HTTPS protocol works

First, the client establishes a connection with the server, and each side generates its own private key and public key, which differ from each other. The server returns its public key to the client. The client encrypts the data it wants to send (for example, a search query) with that public key, producing ciphertext, and sends the ciphertext together with its own public key to the server. The server decrypts the ciphertext with its own private key, encrypts the response data with the client's public key, and returns it to the client. The client decrypts that ciphertext with its own private key and presents the data.

2. Generating the certificate and private key

Note: run the following commands in the nginx/conf/ssl directory, so that the generated files end up there.

1. Create the server certificate key file server.key:


openssl genrsa -des3 -out server.key 2048

You will be prompted to enter and confirm a passphrase. Choose your own, but remember it; you will need it later.

2. Create the certificate signing request file server.csr for the server certificate


openssl req -new -key server.key -out server.csr

The prompts and the values to enter are:

Enter pass phrase for server.key: ← enter the passphrase created earlier
Country Name (2 letter code) [AU]:CN ← country code; enter CN for China
State or Province Name (full name) [Some-State]:BeiJing ← full province name, in pinyin
Locality Name (eg, city) []:BeiJing ← full city name, in pinyin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp.
Organizational Unit Name (eg, section) []: ← optional
Common Name (eg, YOUR name) []: ← leave blank at this point
Email Address []:admin@mycompany.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← may be left blank
An optional company name []: ← may be left blank

4. Back up the server key file


cp server.key server.key.org

5. Remove the passphrase from the key file


openssl rsa -in server.key.org -out server.key

6. Generate the certificate file server.crt


openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

3. Configuration files

1. The following is the configuration file /usr/local/nginx/conf/vhost/daj.conf


server {
    # Listen on 443 instead of the default port 80; the ssl parameter after "default" enables SSL on this port.
    # "default" can be omitted.
    listen 443 default ssl;
    # Enable SSL. If you remove the "ssl on;" line and keep ssl after the 443 port, both http and https links can be used.
    ssl on;
    # Certificate (the public key, sent to the client)
    ssl_certificate ssl/server.crt;
    # Private key
    ssl_certificate_key ssl/server.key;
    # Bound domain name
    server_name www.daj.com;
    location / {
        # Do not rewrite redirects returned by the proxied server
        proxy_redirect off;
        # Proxy to Taobao
        proxy_pass https://www.tao.com/;
    }
}
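A hardened variant of the server block above, added here as an example and not part of the original configuration: it restricts the protocol versions offered to clients and makes nginx verify the certificate of the HTTPS upstream it proxies to, which it does not do by default. The CA bundle path is an assumption (it is the Debian/Ubuntu location), as are the cipher list and session cache sizes.

```nginx
server {
    # "ssl" on the listen line replaces the separate "ssl on;" directive,
    # which is obsolete since nginx 1.15.0 and removed in 1.25.1.
    # "default_server" is the current spelling of the old "default" parameter.
    listen 443 ssl default_server;
    server_name www.daj.com;

    ssl_certificate     ssl/server.crt;   # public certificate, sent to clients
    ssl_certificate_key ssl/server.key;   # private key; restrict its file permissions

    # Older nginx releases also enable TLSv1 and TLSv1.1 unless told otherwise.
    # Append TLSv1.3 on nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Assumed cipher list: forward-secret AEAD suites only.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        proxy_redirect off;
        proxy_pass https://www.tao.com/;

        # proxy_ssl_verify defaults to off: without the lines below nginx
        # encrypts the upstream connection but accepts any certificate,
        # so the upstream is not authenticated.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        # Assumed path: system CA bundle on Debian/Ubuntu.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        # Send SNI and check the certificate against the upstream host name.
        proxy_ssl_server_name         on;
        proxy_ssl_name                www.tao.com;
        proxy_ssl_protocols           TLSv1.2;
    }
}
```

Run `/usr/local/nginx/sbin/nginx -t` after editing to check that the configuration parses before reloading.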

4. Enabling the ssl module of nginx

1. the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:37

This error appears because nginx was built without the http_ssl_module module, so nginx must be compiled and installed with the --with-http_ssl_module configure option.

2. If you have already installed nginx and want to add a module, see below

1) Switch to the nginx source directory


cd /usr/local/src/nginx-1.11.3

2) View the modules nginx was originally built with


/usr/local/nginx/sbin/nginx -V

3) Reconfigure


./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

4) Recompile. Do not run make install, otherwise it will overwrite the existing installation.


make

5) Back up the originally installed nginx binary (/usr/local/nginx/sbin/nginx)

6) Overwrite the installed nginx binary with the newly compiled one (nginx must be stopped first)

You will be prompted whether to overwrite; enter yes. Pressing Enter alone accepts the default, which is not to overwrite.

7) Start nginx and view its modules again (as in step 2) to confirm that the module has been added
