2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
TLS, or Transport Layer Security, formerly known as SSL (Secure Sockets Layer), is the web protocol used to wrap normal traffic in a protected, encrypted channel. With this technology, the server and the client can interact securely without worrying that messages will be intercepted and read. The certificate system helps users verify the identity of the site they are connecting to.
Environment description
For details on how to build the Nginx*2+Keepalived+Tomcat*2 web environment, see https://blog.51cto.com/gdutcxh/2109841.
Configuration in experimental environment
1. Download openssl:

    yum install -y 'openssl*'

2. Use openssl to generate the digital certificate:

    mkdir -p /etc/nginx/ssl
    openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.pem

    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]: New York
    Locality Name (eg, city) []: New York City
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: Bouncy Castles, Inc.
    Organizational Unit Name (eg, section) []: Ministry of Water Slides
    Common Name (e.g. server FQDN or YOUR name) []: your_domain.com
    Email Address []: admin@your_domain.com

3. Nginx configuration (HTTPS only):

    server {
        listen 80;
        server_name www.yourdomain.com;
        # force redirect http to https
        # note: $http_host echoes the client-supplied Host header; $host or the literal server name is the stricter choice
        rewrite ^ https://$http_host$request_uri? permanent;
        # return 301 https://$http_host$request_uri;
    }
    server {
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/nginx.pem;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        keepalive_timeout 70;
        server_name www.yourdomain.com;
        # keep the server version out of response headers so that version-specific vulnerabilities are harder to target
        server_tokens off;
        # if the whole site is HTTPS and HTTP is not a consideration, you can add HSTS to tell the browser that the whole site is encrypted and to force access over HTTPS
        # add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        # ...
        fastcgi_param HTTPS on;
        fastcgi_param HTTP_SCHEME https;
        access_log /var/log/nginx/wiki.xby1993.net.access.log;
        error_log /var/log/nginx/wiki.xby1993.net.error.log;
    }

4. Nginx configuration using both HTTP and HTTPS:

    server {
        listen 80;
        listen 443 ssl;
        server_name www.example.com;
        ssl_certificate www.example.com.pem;
        ssl_certificate_key www.example.com.key;
        ...
    }

6. Restart Nginx
Description of openssl
req: with the -x509 parameter, specifies the use of X.509 certificate signing request (CSR) management. X.509 is the public key infrastructure standard that SSL and TLS adhere to for key and certificate management.
-nodes: tells OpenSSL to skip the passphrase step when generating the certificate, because Nginx needs to read this file automatically, without user interaction.
-days 36500: certificate validity, 100 years.
-newkey rsa:2048: generate a new certificate and a new SSL key (encryption strength is RSA 2048).
-keyout: SSL key output file name.
-out: certificate output file name.

The command will ask some questions. Note that the Common Name must be filled in with the domain name of the website, such as wiki.xby1993.net, to generate the certificate for that site. You can also use a wildcard domain name such as *.xby1993.net to generate a certificate that is valid for all second-level domain names.
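A non-interactive form of the `openssl req` command from step 2, with a check to run before restarting Nginx (which refuses to start when the key does not match the certificate). This is an added example, not part of the original article: `gen_selfsigned` and `check_pair` are hypothetical helper names, and `-subj` is used here in place of the interactive prompts.

```shell
#!/bin/sh
# Added example: helper names and directories are placeholders, not from the article.

# gen_selfsigned DIR CN [DAYS]
# Same openssl req flags as step 2; -subj answers the prompts up front.
gen_selfsigned() {
    dir=$1 cn=$2 days=${3:-36500}
    mkdir -p "$dir" || return 1
    (
        # -nodes leaves the private key unencrypted, so keep it owner-only.
        umask 077
        openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
            -keyout "$dir/nginx.key" -out "$dir/nginx.pem" \
            -subj "/CN=$cn" 2>/dev/null
    )
}

# check_pair CERT KEY CN
# Returns 0 only if the key belongs to the certificate, the subject CN is
# the expected one, and the certificate stays valid for at least 24 hours.
check_pair() {
    cert=$1 key=$2 cn=$3
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 2
    fi
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253) || return 1
    case $subj in
        *"CN=$cn" | *"CN=$cn,"*) ;;
        *) echo "unexpected subject: $subj" >&2; return 3 ;;
    esac
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null; then
        echo "certificate expires within 24 hours" >&2
        return 4
    fi
    return 0
}
```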
HTTPS of the enterprise Web server
1. Apply for and purchase a CA certificate. Generally speaking, all major cloud service providers offer this kind of certificate service. Depending on company and business needs, you can choose a free or a paid certificate.
2. Download and extract the certificate file: a zip package containing the xxx.key and xxx.pem files.
3. Configure Nginx (as above).