2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to configure an HTTPS certificate for a web server running in an Nginx environment. It covers what HTTPS and TLS do, what an SSL certificate is, how to generate a private key and a certificate signing request with OpenSSL, how to configure the certificate in Nginx, and how to verify that the HTTPS service works.
1. Nginx and HTTPS encryption: the basics
Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over a security layer; put simply, it is the secure version of HTTP. HTTPS is HTTP plus SSL/TLS: a TLS session is established first, and every HTTP request and response then travels inside it, so the data on the wire between client and server is encrypted.
HTTPS exists to fix the shortcomings of plain HTTP described below. It layers SSL/TLS under HTTP, and TLS relies on certificates to verify the server's identity and to encrypt the traffic between browser and server.
An SSL certificate (more precisely, an X.509 server certificate) is a digital certificate that lets the browser and the web server set up a secure channel with the SSL/TLS protocol. Data passing between client and server is encrypted so that a third party on the path cannot read it, and the user can check the authenticity of the site through the server certificate.
The difference between HTTP and HTTPS: HTTP carries data between browser and web server in clear text and offers no encryption of any kind. Anyone who can intercept the traffic (on the local network, at an ISP, at a proxy) can read it directly and, since there is no integrity check either, alter it. HTTP is therefore unsuitable for sensitive information such as passwords, session cookies or payment data.
The complete HTTPS flow (key exchange, encryption and certificate verification) is shown in the figure:
In outline: the client sends a request and the server answers with its certificate, which carries the server's public key (the matching private key stays on the server). The client validates the certificate; if it is trusted, the client generates a random value, encrypts it with the server's public key and sends it. The server decrypts it with its private key, so both sides now share the same random secret without it ever crossing the wire in clear. From that secret both derive a symmetric session key, and all further data in both directions is encrypted with that symmetric key. The client never holds a private key in this exchange. This is the RSA key exchange of TLS 1.2 and earlier; TLS 1.3 replaces it with an ephemeral Diffie-Hellman exchange, the certificate then being used only for the server's signature, which gives forward secrecy.
1) The client initiates an HTTPS request: the user enters an https URL in the browser, which connects to port 443 of the Nginx server.
2) The server has a set of digital certificates, either self-made or issued by a certificate authority. A certificate binds a public key to a name; the matching private key is kept only on the server.
3) The server sends the certificate, and with it the public key, to the client. The certificate also carries the issuing authority, the validity period, the domain names it covers and so on.
4) The client's TLS implementation parses and validates the certificate: the signature chain to a trusted CA, the validity period, and whether the name matches the requested host. If any check fails, the browser shows a certificate warning. If all is well, the client generates a random value and encrypts it with the public key from the certificate.
5) The encrypted random value is sent to the server. Only the holder of the private key can recover it; the random value is the seed of the session keys used from here on.
6) The server decrypts it with its private key and obtains the random value. Both sides derive the same symmetric session key from it.
7) The server encrypts its response with the symmetric session key and sends it to the client.
8) The client decrypts the response with the same symmetric session key; no private key is involved on the client side.
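To make steps 4 to 8 concrete, here is an added example (not code from the original article) that re-enacts the RSA key exchange with the openssl command line, so that every message can be inspected as a file. It assumes openssl 1.1.1 or later on PATH; "client" and "server" are just shell functions, and the files named wire.* are what an eavesdropper on the network would see. A plain SHA-256 of the shared secret stands in for the TLS key-derivation function.

```sh
#!/bin/sh
# Added example: file-based re-enactment of the TLS 1.2 RSA key exchange.
# Assumed: openssl 1.1.1+ on PATH. Not a real TLS implementation.
set -eu
WORK=$(mktemp -d)

# Step 2: the server owns a key pair. server.pub is what its certificate carries;
# server.key never leaves the server.
server_keygen() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub" 2>/dev/null
}

# Steps 4-5: the client draws a random value and encrypts it to the server's public key.
# TLS 1.2 uses PKCS#1 v1.5 padding here (the source of the Bleichenbacher/ROBOT attacks,
# one reason TLS 1.3 dropped RSA key exchange); pkeyutl's default padding is the same.
client_send_premaster() {
  openssl rand -hex 32 > "$WORK/client.premaster"
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
    -in "$WORK/client.premaster" -out "$WORK/wire.premaster.enc"
}

# Step 6: the server decrypts with its private key; both sides now hold the same secret.
server_recv_premaster() {
  openssl pkeyutl -decrypt -inkey "$WORK/server.key" \
    -in "$WORK/wire.premaster.enc" -out "$WORK/server.premaster"
}
premaster_matches() { cmp -s "$WORK/client.premaster" "$WORK/server.premaster"; }

# Both sides derive the symmetric key from the shared secret. Real TLS also mixes in
# the ClientHello/ServerHello randoms through a PRF; SHA-256 stands in for that here.
derive_key() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }   # $1 = premaster file

# Step 7: the server encrypts application data with the symmetric key (AES-256-CBC).
# The IV is public and travels on the wire; the key does not.
server_send_data() {   # $1 = plaintext
  openssl rand -hex 16 > "$WORK/wire.iv"
  printf '%s' "$1" | openssl enc -aes-256-cbc -K "$(derive_key "$WORK/server.premaster")" \
    -iv "$(cat "$WORK/wire.iv")" -out "$WORK/wire.app.enc"
}

# Step 8: the client decrypts with the key derived from its own copy of the secret.
# No private key is used on the client side at any point.
client_recv_data() {
  openssl enc -d -aes-256-cbc -K "$(derive_key "$WORK/client.premaster")" \
    -iv "$(cat "$WORK/wire.iv")" -in "$WORK/wire.app.enc"
}

# What the eavesdropper has: every wire.* file plus server.pub. The public key cannot
# undo the encryption of the premaster, so the session key stays out of reach.
eavesdrop() {
  if openssl pkeyutl -decrypt -pubin -inkey "$WORK/server.pub" \
       -in "$WORK/wire.premaster.enc" >/dev/null 2>&1; then
    echo leaked
  else
    echo opaque
  fi
}

run_handshake() {   # $1 = message the server sends; prints what the client recovers
  server_keygen
  client_send_premaster
  server_recv_premaster
  server_send_data "$1"
  client_recv_data
}

run_handshake 'HTTP/1.1 200 OK'; echo
echo "eavesdropper view of the premaster: $(eavesdrop)"
```

Running the script prints the server's message as recovered by the client, followed by "opaque" for the eavesdropper. Whoever steals server.key later can decrypt a recorded wire.premaster.enc and with it the whole session; that lack of forward secrecy is the other reason the RSA key exchange was dropped from TLS 1.3.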
2. About SSL certificates
Secure communication on the Internet is built on the SSL/TLS protocol. Its basic idea is public-key cryptography: the client obtains the server's public key (from the certificate) and uses it to protect a secret that only the server, holding the private key, can recover; the actual traffic is then encrypted with a symmetric key derived from that secret. This gives three properties: confidentiality, so the data cannot be read by an eavesdropper; integrity, so any tampering with a message is detected immediately; and authentication, through the certificate, so the server's identity cannot be impersonated. In short, an SSL certificate serves two main functions: encryption and authentication.
Today the SSL certificates used on the public Internet are issued by third-party certificate authorities (CAs). Well-known, widely trusted CAs include DigiCert, GeoTrust (now part of DigiCert), GlobalSign and Comodo (now Sectigo).
SSL certificates are classified by the level of validation the CA performs before issuing them:
Enterprise level: EV (Extended Validation), OV (Organization Validation). Personal level: IV (Identity Validation), DV (Domain Validation).
EV, OV and IV certificates are paid products; EV or OV is recommended for companies and IV for individuals. DV certificates are cheap or free but offer the weakest validation: they do not show an organization name and cannot prove who operates the site, only that the applicant controls the domain name. Cryptographically a DV certificate protects the connection just as well as the others; what differs is how thoroughly the applicant's identity was checked. DV is suitable for personal sites and sites that do not handle payments.
3. Use OpenSSL to generate the private key and CSR files
Configuring HTTPS in Nginx is not complicated. There are two main steps: obtaining a certificate signed by a CA that browsers trust, and configuring Nginx to use it. Both are described below.
HTTPS needs a private key file (ending in .key) and a certificate file (ending in .crt), which is issued by a third-party CA. To obtain the certificate, you supply the CA with a certificate signing request file (ending in .csr). A brief introduction to the private key and CSR files follows.
Private key file: a file ending in .key, generated by the certificate applicant and kept secret on the server. It is paired with the public key that ends up in the certificate. During the HTTPS handshake the server uses the private key to decrypt the random value the client encrypted with the certificate's public key (TLS 1.2 RSA key exchange) or to sign the handshake (TLS 1.3). It is the most sensitive file in the whole setup: anyone who obtains it can impersonate the site, so it must be readable only by root and is never sent to the CA.
CSR file: CSR stands for Certificate Signing Request. It contains the applicant's DN (Distinguished Name) and public key, is generated by the applicant, and is submitted to the CA. After validating the request, the CA signs the applicant's public key and identity with the CA's own private key (normally that of an intermediate CA rather than the root) to produce the CRT certificate file. The CRT contains the CA's signature together with the applicant's DN and public key. The CA returns the CRT to the applicant, which completes the application.
Before applying for an SSL certificate, the applicant generates the private key file and the CSR file. Both can be produced with a single openssl command:
[root@iZ23sl33esbZ ~]# openssl req -new -newkey rsa:2048 -sha256 -nodes -out iivey.csr -keyout iivey.key -subj "/C=CN/ST=beijing/L=beijing/O=iivey Inc./OU=Web Security/CN=iivey.com"
The command above produces a CSR file, iivey.csr, and a private key file, iivey.key. The options: -newkey rsa:2048 generates a fresh 2048-bit RSA key, -sha256 signs the request with SHA-256, -nodes leaves the key unencrypted so Nginx can load it at startup without a passphrase prompt, and -subj supplies the subject fields:
C: Country, a two-letter code for the country where the organization is located, e.g. CN for China.
ST: State or Province.
L: Locality, the city or county.
O: Organization, the name of the organization.
OU: Organization Unit, the department; CAs also often use this field for other certificate-related information such as the certificate type, product name or validation type.
CN: Common Name, the domain name of the website. Browsers today match the host name against the Subject Alternative Name (SAN) extension rather than the CN, so the request should list every host name that will be served (here both iivey.com and www.iivey.com, since the Nginx server_name below is www.iivey.com). With OpenSSL 1.1.1 or later, add -addext "subjectAltName=DNS:iivey.com,DNS:www.iivey.com" to the command; most CAs also let you add SANs when submitting the request.
Then submit the CSR to the CA. Once the request is validated and signed, the CA returns the certificate file, assumed here to be iivey.crt, usually together with the intermediate CA certificate(s). With the certificate in hand, HTTPS can be configured in the Nginx configuration file.
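The following script, added here as an example and not taken from the original article, generates the key and CSR from this section with a subjectAltName covering both host names, and runs the checks worth doing before the CSR is sent to the CA. It assumes openssl 1.1.1 or later (needed for -addext); the subject values are the article's, and OUT is a scratch directory.

```sh
#!/bin/sh
# Added example: key/CSR generation plus pre-submission checks.
# Assumed: openssl 1.1.1+ on PATH; OUT is a scratch directory.
set -eu
OUT=${OUT:-$(mktemp -d)}

make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -keyout "$OUT/iivey.key" -out "$OUT/iivey.csr" \
    -subj "/C=CN/ST=beijing/L=beijing/O=iivey Inc./OU=Web Security/CN=iivey.com" \
    -addext "subjectAltName=DNS:iivey.com,DNS:www.iivey.com" 2>/dev/null
  chmod 600 "$OUT/iivey.key"   # only the CSR goes to the CA; the key stays here, root-readable
}

# What the CA will see: the subject DN and the requested SANs.
csr_subject() { openssl req -in "$OUT/iivey.csr" -noout -subject; }
csr_sans() {
  openssl req -in "$OUT/iivey.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# The public key inside the CSR must be the one derived from iivey.key; otherwise the
# certificate the CA issues will not load against this key.
csr_matches_key() {
  [ "$(openssl req -in "$OUT/iivey.csr" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$OUT/iivey.key" -pubout 2>/dev/null | openssl sha256)" ]
}

# A CSR is self-signed with the applicant's key; a hand-edited or truncated one fails here.
csr_signature_ok() { openssl req -in "$OUT/iivey.csr" -noout -verify >/dev/null 2>&1; }

# Key size as the CA will judge it (2048 bits is the usual minimum today).
key_bits() {
  openssl pkey -in "$OUT/iivey.key" -noout -text 2>/dev/null \
    | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

make_key_and_csr
csr_subject
echo "SAN: $(csr_sans)"
csr_matches_key  && echo "CSR public key matches iivey.key"
csr_signature_ok && echo "CSR signature verifies"
echo "key size: $(key_bits) bits"
```

Keep iivey.key out of version control and out of any ticket or e-mail to the CA; the CSR carries everything the CA needs.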
4. Configure the SSL certificate in Nginx
To serve HTTPS, Nginx must listen on port 443. The following is an HTTPS server configuration for Nginx; only the server block is shown:
server {
    listen 443;
    server_name www.iivey.com;
    index index.php index.html;
    root /data/webhtdocs/iivey;
    ssl on;
    ssl_certificate iivey.crt;
    ssl_certificate_key iivey.key;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;   # the Nginx default cipher string
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-Xss-Protection 1;
}
Briefly, the meaning of each option:
ssl on: enables SSL for this server block. The directive is obsolete since Nginx 1.15.0 and was removed in 1.25.1; use listen 443 ssl; instead.
ssl_certificate: path to the certificate (CRT) file, relative or absolute. Relative paths are resolved against the Nginx configuration directory, so here iivey.crt sits in the same directory as nginx.conf. If the CA supplied intermediate certificates, this file should contain the server certificate followed by the intermediates; otherwise some clients cannot build the chain and reject the connection.
ssl_certificate_key: path to the private key file, relative or absolute; here iivey.key sits in the same directory as nginx.conf. The file should be owned by root with mode 0600; the Nginx master process reads it at startup.
ssl_prefer_server_ciphers on: during cipher negotiation, use the server's order of preference rather than the client's.
ssl_protocols: selects the protocol versions to enable, here TLSv1 TLSv1.1 TLSv1.2. TLSv1.1 and TLSv1.2 require OpenSSL 1.0.1 or later. SSLv3 can also be listed but has well-known exploitable weaknesses (POODLE) and should never be enabled. TLS 1.0 and 1.1 have since been formally deprecated (RFC 8996) and are refused by current browsers; a new deployment should use TLSv1.2 TLSv1.3 (TLS 1.3 needs Nginx 1.13.0 or later built against OpenSSL 1.1.1 or later).
ssl_ciphers: selects the cipher suites. Different browsers support different suites and orderings; the Nginx default, HIGH:!aNULL:!MD5, is acceptable, though a list restricted to ECDHE suites with AES-GCM or ChaCha20 is preferable because it guarantees forward secrecy. The suites a string expands to can be listed with openssl ciphers -v 'HIGH:!aNULL:!MD5'.
add_header X-Frame-Options DENY: a hardening header that forbids embedding the page in a frame on any site, which mitigates clickjacking.
add_header X-Content-Type-Options nosniff: a hardening header that stops the browser from guessing (sniffing) a resource's MIME type instead of trusting the Content-Type header the server sends.
add_header X-Xss-Protection 1: was intended to switch on the browser's built-in reflected-XSS filter. Current browsers have removed that filter and ignore the header; a Content-Security-Policy header is the replacement. Note also that add_header directives in a server block are inherited by a location block only if that location defines no add_header of its own.
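For a current deployment, here is a hardened version of the server block above, added as an example and not taken from the original article. It keeps the article's document root and host names; the certificate directory /etc/nginx/ssl, the port-80 redirect and the cipher list (the Mozilla "intermediate" set) are this example's own choices. It replaces ssl on with listen 443 ssl, drops TLS 1.0 and 1.1, drops X-Xss-Protection (ignored by current browsers) and adds HSTS. Check it with nginx -t before reloading.

```nginx
server {
    listen 443 ssl;                  # replaces the obsolete "ssl on;" (removed in Nginx 1.25.1)
    server_name www.iivey.com iivey.com;
    root  /data/webhtdocs/iivey;
    index index.php index.html;

    # Certificate file = server certificate followed by the CA intermediate(s), PEM, in that order.
    ssl_certificate     /etc/nginx/ssl/iivey.crt;
    ssl_certificate_key /etc/nginx/ssl/iivey.key;   # root:root, mode 0600

    ssl_protocols TLSv1.2 TLSv1.3;   # TLS 1.0/1.1 are deprecated (RFC 8996); never SSLv3
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;    # every suite above is ECDHE + AEAD, so either order is safe

    ssl_session_cache   shared:SSL:10m;   # session resumption shared across worker processes
    ssl_session_timeout 1d;
    ssl_session_tickets off;         # ticket keys are not rotated unless you manage them; off keeps forward secrecy simple

    # "always" sends the headers on error responses too. For HSTS, start with a short
    # max-age (e.g. 300) until every host really serves HTTPS, then raise it.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # add_header is not inherited by a location block that sets its own add_header;
    # repeat these lines there if needed.
}

# Plain HTTP only redirects, so nothing is ever served in clear.
server {
    listen 80;
    server_name www.iivey.com iivey.com;
    return 301 https://$host$request_uri;
}
```

Once HSTS has been sent, browsers refuse plain HTTP to the host for max-age seconds, so make sure the redirect and the certificate work before raising the value.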
5. Verify that HTTPS works
After the HTTPS configuration is in place, check the syntax with nginx -t, reload Nginx, and test. Two methods are given here. The first is to open the https URL directly in a browser; Firefox is used in this example. If HTTPS is configured correctly, the page loads normally instead of the error page below:
That error page means HTTPS is not configured correctly and the configuration needs to be checked; the Nginx error log usually names the cause, for example a certificate that does not match the key or an unreadable file. Once the https page opens, a second situation may arise, as in the following figure:
The page loads over https, but the padlock at the left of the address bar is grey with a yellow exclamation mark. This is the mixed-content warning: the page pulls images, JavaScript, CSS or other resources from third-party sites over plain http. Such resources would let an attacker on the path inject content into an otherwise encrypted page, so the browser flags them (and blocks active content such as scripts outright). To fix it, either reference every third-party resource with an https URL, or download the files to the local server and reference them by local path, as done here.
After moving all the resource files to the local server and loading the page over https again, the padlock turns green and the exclamation mark disappears, as shown below:
At this point, the HTTPS service configured under Nginx is running normally.
Certificate details (issuer, validity period, the names it covers, etc.) can be viewed in the browser: click the padlock in the address bar and choose View Certificate, as in the following figure:
This concludes the walkthrough of configuring an HTTPS certificate for a web server in the Nginx environment. Theory works best together with practice, so try it out.
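Beyond the browser check, the following script, added here as an example and not from the original article, runs the checks that catch the common HTTPS mistakes before and after deployment: certificate/key mismatch, a certificate that does not cover server_name, imminent expiry, and the mixed-content case behind the grey padlock. It assumes openssl 1.1.1 or later. Because no CA-issued iivey.crt is available here, it mints a self-signed stand-in; with a real certificate, point CERT at the CA bundle (leaf plus intermediates), CAFILE at the issuer chain, and skip make_stand_in_cert. The HTML page is constructed sample input.

```sh
#!/bin/sh
# Added example: pre- and post-deployment checks for an Nginx HTTPS setup.
# Assumed: openssl 1.1.1+ on PATH. The self-signed cert stands in for the CA-issued one.
set -eu
DIR=${DIR:-$(mktemp -d)}
CERT="$DIR/iivey.crt"
KEY="$DIR/iivey.key"
CAFILE=${CAFILE:-$CERT}   # with a CA-issued cert: the issuer chain file

make_stand_in_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -keyout "$KEY" -out "$CERT" \
    -subj "/C=CN/O=iivey Inc./CN=iivey.com" \
    -addext "subjectAltName=DNS:iivey.com,DNS:www.iivey.com" 2>/dev/null
}

# 1. ssl_certificate and ssl_certificate_key must be one pair, or nginx -t fails
#    with a key mismatch error.
cert_matches_key() {
  [ "$(openssl x509 -in "$CERT" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)" ]
}

# 2. Every name in server_name must be covered by the certificate's SAN, and the
#    chain must verify against the issuer; -verify_hostname checks both at once.
cert_covers_host() {   # $1 = host name
  openssl verify -CAfile "$CAFILE" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

# 3. Catch an expiring certificate before browsers do: succeeds if still valid in 30 days.
cert_valid_for_30_days() { openssl x509 -in "$CERT" -noout -checkend 2592000 >/dev/null; }

# 4. The grey-padlock case: an https page pulling http:// subresources. Lists http://
#    src/href attributes in an HTML file; switch them to https:// or host them locally.
find_mixed_content() {   # $1 = HTML file
  grep -oE '(src|href)="http://[^"]+"' "$1" || true
}

# 5. Once Nginx is live: the certificate as a client really receives it (needs network).
remote_cert_dates() {   # $1 = host name
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates
}

# Constructed sample page for the mixed-content check.
SAMPLE="$DIR/index.html"
cat > "$SAMPLE" <<'EOF'
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://cdn.example/app.js"></script>
<img src="/local/logo.png">
EOF

make_stand_in_cert
cert_matches_key && echo "certificate/key pair: OK"
cert_covers_host www.iivey.com && echo "www.iivey.com: covered by certificate"
cert_valid_for_30_days && echo "expiry: more than 30 days left"
echo "mixed content found:"; find_mixed_content "$SAMPLE"
```

For a live server, remote_cert_dates www.iivey.com shows which certificate Nginx actually serves and when it expires; running the same s_client command with -tls1_1 should fail once TLS 1.0 and 1.1 are disabled.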