How to make a website served by nginx over http accessible over https

  • 2021-10-13 09:05:56
  • OfStack

Contents
1. Background
2. Preliminary knowledge
   https
   Certificate system
3. Procedure
   3.1 Certificate Generation
   3.2 nginx Configuration
   3.3 Browser Access

1. Background

I have a data-display website that nginx serves over http, and another system links to my website so that end users can open it. Later, the other party said that their site is served over https and cannot link directly to http, so I needed to support https access.

Therefore, this is limited to a static display website for reference; I have not done this for interactive websites.

*** My knowledge of nginx is limited to what can be done through the configuration file; I do not understand the rest in depth. ***

2. Preliminary knowledge

https:

HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer, or Hypertext Transfer Protocol Secure) is HTTP carried over a secure channel; simply put, it is the secure version of HTTP. That is, an SSL (today TLS) layer is added beneath HTTP; the security of HTTPS rests on that layer, which handles the details of encryption.

Simply put, a certificate is installed on the website, and the data exchanged between the user's browser and the web server is encrypted to keep it secure.

Certificate system:

The certificate system is a tree. There may be several tiers of certification authorities; the top tier is called the root certificate authority, which holds the private key of the root certificate and can issue certificates to the next tier. The certificate used by each institution or person is issued by a certificate authority. Simply put, the authority uses its private key to digitally sign the certificate holder's identifying information, public key and other fields, and thereby declares that it has certified that holder. The certificate can be published so that anyone can verify the holder's identity, backed by the authority's endorsement. The private key corresponding to the certificate is held by the holder and never disclosed; it is used to decrypt messages that others have encrypted with the public key in the certificate.

It is somewhat similar to how public security agencies issue ID cards. At the top of the whole country is the Ministry of Public Security, which manages all provincial public security departments, and the provincial level manages the municipal level. Finally, the local police station issues ID cards to individuals, and we can prove our identity with an ID card because the police station endorses it, the police station has a superior, and so on all the way up to the endorsement of the Ministry of Public Security. The difference is that our ID card carries far less information than a certificate does.

Remarks: Certificates depend on public key cryptography, which uses a pair of keys, a public key and a private key. The public key is used to encrypt and to verify signatures, while the private key is used to decrypt and to sign.

3. Procedures

3.1 Certificate Generation

The main process is: root certificate -> server certificate, where the server in this case is the web server mentioned above that needs to be reachable over https.

1. Generate the private key of the root certificate, generate the root certificate request, and create the self-issued root certificate


# Generate the root certificate private key 
openssl genrsa -out root.key 2048
 
# Generate root certificate request 
openssl req -new -key root.key -out root.csr
 
# Generate root certificate by self-signing with private key of root certificate 
openssl x509 -req -in root.csr -extensions v3_ca -signkey root.key -out root.crt

The reason the root certificate's private key is used to sign the root certificate itself is that every certificate has the same format and must be issued by someone. Because the root certificate authority has no superior, it issues a certificate to itself, which is why everyone has to trust it explicitly.

2. Generate the private key of the server certificate, generate the server certificate request, and issue the server certificate with the private key of the root certificate. Note that the commonName of this server certificate must match the server_name in the nginx configuration file exactly.


# Generate server certificate private key 
openssl genrsa -out server.key 2048
 
# Generate a server certificate request 
openssl req -new -key server.key -out server.csr
 
# Generate server certificate 
openssl x509 -days 365 -req -in server.csr -extensions v3_req -CAkey root.key -CA root.crt -CAcreateserial -out server.crt -extfile openssl.cnf

Note the openssl.cnf file used here, which describes the information for the server certificate to be issued, as follows


[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
 
[req_distinguished_name]
countryName = CN
countryName_default = CN
stateOrProvinceName = Guizhou
stateOrProvinceName_default = Guizhou
localityName = Guizhou
localityName_default = Guizhou
organizationalUnitName = (the IP address if the site is accessed by IP, otherwise the domain name)
organizationalUnitName_default = (the IP address if the site is accessed by IP, otherwise the domain name)
commonName = (the IP address if the site is accessed by IP, otherwise the domain name)
commonName_max = 64
 
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
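The two steps above as one runnable script, added here as an example and not part of the original article: it builds the same root -> server chain with openssl, adds a subjectAltName to the v3_req section (current browsers ignore commonName and require a SAN, which the article's config lacks), and then verifies the chain the way a browser that trusts root.crt would. It assumes openssl is in PATH; the hostname and the CA name are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: reproduce its root CA ->
# server certificate chain with openssl, adding a subjectAltName (browsers
# no longer accept commonName alone), then verify the chain the way a
# browser that trusts root.crt would. Assumes openssl is in PATH.
set -eu

make_chain() {  # $1 = output directory, $2 = server hostname (constructed)
  dir=$1; host=$2
  mkdir -p "$dir"
  # Constructed config: the article's sections plus a v3_ca section and SAN
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:$host
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
  # Root authority: private key and self-issued certificate (10 years)
  openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/root.key" -out "$dir/root.crt" \
    -subj "/CN=Example Root CA" -config "$dir/openssl.cnf" -extensions v3_ca
  # Server: private key, request, certificate signed by the root key
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -config "$dir/openssl.cnf"
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/openssl.cnf" \
    -extensions v3_req -out "$dir/server.crt" 2>/dev/null
}

# Prints OK when server.crt chains to root.crt and carries the expected SAN
verify_chain() {  # $1 = directory, $2 = expected hostname
  if openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1 &&
     openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"; then
    echo OK
  else
    echo FAIL
  fi
}
```

server.crt and server.key are what ssl_certificate and ssl_certificate_key point at in the nginx configuration; root.crt is the file to import into the browser's trusted root store.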

3.2 nginx Configuration

Uncomment the HTTPS server section of the nginx configuration and set server_name, ssl_certificate, ssl_certificate_key, and the root directory in the location block, and so on.


...
    # HTTPS server
    #
    server {
        listen      443 ssl;
        server_name xxx.com;            # website access address

        # "ssl on;" is not needed when "listen 443 ssl" is used; the directive was removed in nginx 1.25.1
        ssl_certificate     xxx.crt;    # server certificate
        ssl_certificate_key xxx.key;    # server certificate private key

        ssl_session_cache   shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            root  xxx;                  # front-end code directory
            index index.html index.htm;
        }
    }
...

Start (or reload) nginx, and the site can be served to the outside world.

3.3 Browser Access

Up to now we have configured https access on the server side, but the browser will still warn about the certificate when visiting the site, because the browser does not know our certificate yet and cannot tell whether it is safe. It is like proving your identity with an ID card: everyone accepts the card issued by the Ministry of Public Security, but if you present a card you issued yourself, nobody will believe it, because nobody knows anything about your issuing agency.

Therefore, we need to add the authority that issued the server certificate, that is, the root certificate generated above, to the browser's trust list. On Windows, double-click the root certificate file, click Install, and install it into the Trusted Root Certification Authorities store. After that the site can be visited without the warning.

The above is how to make a website served by nginx over http accessible over https.
