How to implement https with nginx and openssl

If the server's traffic is not encrypted and authenticated with an SSL certificate, the user's data is transmitted in plain text. Anyone capturing packets on the path can then read the user's password, which is very dangerous, and there is no way to verify the consistency and integrity of the data or to ensure it has not been altered in transit. Therefore, if the website handles important information such as user accounts, it is normally necessary to configure an SSL certificate and serve the site over the https protocol.

SSL certificates for production environments must be purchased from a third-party certificate authority. They come as professional OV certificates (the company name is not shown in the browser address bar) and advanced EV certificates (the company name can be shown). The number of domain names a certificate protects also affects the price (a certificate for www and a wildcard * certificate are priced differently), and third-level domain names are not supported. For testing, you can act as your own certificate authority and issue a certificate yourself; the browser will show it in red, indicating that the certificate is expired or invalid. Yellow means that some resources on the site are still loaded over the http protocol.

Whichever method is used, the Nginx configuration is the same once the certificate is obtained, so the following is a complete walkthrough of setting up OpenSSL and making a certificate.

1. Prepare the environment

1) nginx service

2) SSL module

[root@ns3 ~]# systemctl stop firewalld
[root@ns3 ~]# iptables -F
[root@ns3 ~]# setenforce 0
[root@ns3 ~]# yum -y install pcre zlib pcre-devel zlib-devel
[root@ns3 ~]# tar xf nginx-1.16.0.tar.gz -C /usr/src/
[root@ns3 ~]# cd /usr/src/nginx-1.16.0
[root@ns3 nginx-1.16.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module && make && make install    #Install all the modules required later in one go

3) Check whether openssl is installed

[root@ns3 ~]# rpm -qa openssl
openssl-1.0.1e-42.el7.x86_64

If it is not installed:

[root@ns3 ~]# yum -y install openssl openssl-devel

2. Create a root certificate CA

1. Generate CA private key

[root@ns3 ~]# cd zhengshu/
[root@ns3 zhengshu]# openssl genrsa -out local.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................................................................................................................................................................................................................+++
............................................................................................................................................................................................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# ls
local.key

2. Generate CA certificate request

[root@ns3 zhengshu]# openssl req -new -key local.key -out local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test    #Department
Common Name (eg, your name or your server's hostname) []:test    #Hostname
Email Address []:[email protected]    #Email

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan    #Password
An optional company name []:wuminyan    #Name
[root@ns3 zhengshu]# ls
local.csr local.key

req: a large command that generates certificate request files, verifies certificates, and creates root CAs
 -new: generate a new certificate request
 -x509: output a certificate directly instead of a request
 -key: the private key file used when generating the certificate request
 -out: output file

3. Generate CA root certificate

The command that generates the CA certificate is easy to confuse with the previous one. 1. Generate a certificate request file using the private key. 2. Generate the final certificate from that certificate request file. -in reads the certificate request file; -signkey specifies the private key used to sign it. This is a parameter that I don't understand yet.

[root@ns3 zhengshu]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/[email protected]
Getting Private key

3. Create a server certificate based on the CA certificate

1. Generate server private key

[root@ns3 zhengshu]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.........................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# ls
local.crt local.csr local.key my_server.key

2. Generate server certificate request

[root@ns3 zhengshu]# openssl req -new -key my_server.key -out my_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []: BJ
Locality Name (eg, city) [Default City]: BJ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan
An optional company name []:wuminyan
[root@ns3 zhengshu]# ls
local.crt local.csr local.key my_server.csr my_server.key

3. Generate server certificate

[root@ns3 zhengshu]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/[email protected]
Getting CA Private Key
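The CA and server-certificate steps above, reproduced as one non-interactive script with the checks worth running before handing the files to nginx. This is an added example, not part of the original article: it assumes openssl is on PATH, uses -subj instead of the interactive prompts, adds a subjectAltName (browsers reject a certificate that only carries a CN), and writes into a temporary directory; the DN values and test.com are constructed to match the article.

```shell
#!/bin/sh
# Added example (not from the article): self-signed CA -> signed server cert -> verify.
# Assumes: openssl on PATH. Output directory and hostname are constructed defaults.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_NAME="${SERVER_NAME:-test.com}"   # matches the article's server_name

# 1. CA: private key and self-signed root certificate in one step (-x509).
make_ca() {
    openssl genrsa -out "$WORKDIR/local.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORKDIR/local.key" -days 3650 \
        -subj "/C=CN/ST=BJ/L=BJ/O=Test CA/CN=Test Root CA" \
        -out "$WORKDIR/local.crt"
}

# 2. Server key and CSR, then sign the CSR with the CA. The extfile supplies
#    the SAN and serverAuth usage that the article's -extensions v3_req relies on.
make_server_cert() {
    openssl genrsa -out "$WORKDIR/my_server.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/my_server.key" \
        -subj "/C=CN/ST=BJ/L=BJ/O=Test/CN=$SERVER_NAME" \
        -out "$WORKDIR/my_server.csr"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$SERVER_NAME" \
        > "$WORKDIR/server_ext.cnf"
    openssl x509 -req -days 365 -in "$WORKDIR/my_server.csr" \
        -CA "$WORKDIR/local.crt" -CAkey "$WORKDIR/local.key" -CAcreateserial \
        -extfile "$WORKDIR/server_ext.cnf" -out "$WORKDIR/my_server.crt" 2>/dev/null
}

# 3. Pre-deployment checks: the server cert chains to the CA, the private key
#    matches the certificate, and the SAN names the host nginx will serve.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/local.crt" "$WORKDIR/my_server.crt" >/dev/null
    crt_mod=$(openssl x509 -noout -modulus -in "$WORKDIR/my_server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$WORKDIR/my_server.key")
    [ "$crt_mod" = "$key_mod" ]
    openssl x509 -noout -text -in "$WORKDIR/my_server.crt" | grep -q "DNS:$SERVER_NAME"
}

run_all() {
    make_ca
    make_server_cert
    verify_chain
    echo "certificates written to $WORKDIR"
}
```

Point nginx's ssl_certificate and ssl_certificate_key at my_server.crt and my_server.key from $WORKDIR; a client that trusts local.crt (for example curl --cacert local.crt) will then validate the connection without warnings.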

4. Configure nginx to support SSL

[root@ns3 ~]# vim /etc/nginx.conf    #A soft link is set here: ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
server {
        listen 80;
        listen 443 default ssl;                            #Listen on port 443
        keepalive_timeout 100;                             #Enable keepalive long connections to reduce the number of client requests
        ssl_certificate /root/zhengshu/my_server.crt;      #Server certificate location (the certificate signed by the CA in step 3)
        ssl_certificate_key /root/zhengshu/my_server.key;  #Server private key location
        ssl_session_cache shared:SSL:10m;                  #Cache sessions
        ssl_session_timeout 10m;                           #Sessions expire after 10 minutes
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        server_name test.com;
        charset utf-8;

        location / {
            root html;
            index index.html index.htm;
        }
}

5. Testing

Open https://192.168.200.115 in a browser.

This is the end of this article about implementing https with nginx combined with openssl.