Detailed explanation of HTTPS secure communication between Nginx server and iOS

2025-01-21 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Brief introduction

In network communication, packet-capture software can be used to analyze network requests and to carry out replay attacks. The usual defense against replay attacks is to include a changing parameter, such as an RSA-encrypted timestamp. Because of network transmission delay, however, the timestamp check needs a certain error tolerance, so it still cannot fundamentally prevent replay attacks. To better solve the replay problem, we should consider using HTTPS. HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, and it is more secure than HTTP.

Implementation

For websites visited through a browser, you need to apply for a certificate from a CA so that HTTPS pages can be browsed normally; otherwise the browser warns that the site is unsafe or unauthenticated. For some background data transmission, a self-signed certificate can be used.

Server configuration

1. Generate a certificate

From the command line of the server, do the following

① Generate the server's private key. You need to enter a password of 4 to 8191 characters.

openssl genrsa -des3 -out server.key 2048

② Remove the password from the key file. You need to enter the password chosen in ①.

openssl rsa -in server.key -out server.key

③ Generate the csr file. This step asks for a variety of information, each item of which can be skipped by pressing Enter.

openssl req -new -key server.key -out server.csr

④ Generate the crt file. The number after -days in this step is the validity period in days, so you can set it longer.

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

⑤ Combine the crt and the key into a pem, which is used to generate the cer for client verification.

cat server.crt server.key > server.pem

⑥ Use the pem to generate the cer. The cer file is stored on the client side for verification.

openssl x509 -in server.pem -outform der -out server.cer
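
An added example, not part of the original article: a non-interactive run of steps ① to ⑥, followed by a check that server.cer (the file that goes into the app) carries the same public key as server.key and is only the certificate, while server.pem still contains the private key and stays on the server. The function names, the temporary directory and the subject CN=localhost are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article). Function names and CN=localhost are assumptions.

# make_chain DIR: steps 1-6 without prompts. genrsa without -des3 gives the
# same unencrypted key that steps 1 and 2 end with.
make_chain() {
    ( cd "$1" && umask 077 &&    # key material readable by the owner only
      openssl genrsa -out server.key 2048 2>/dev/null &&
      openssl req -new -key server.key -subj "/CN=localhost" -out server.csr &&
      openssl x509 -req -days 3650 -in server.csr -signkey server.key \
          -out server.crt 2>/dev/null &&
      cat server.crt server.key > server.pem &&
      openssl x509 -in server.pem -outform der -out server.cer )
}

# cert_pin FILE FORMAT: base64 SHA-256 of the certificate's public key (SPKI)
cert_pin() {
    openssl x509 -in "$1" -inform "$2" -noout -pubkey |
        openssl pkey -pubin -outform der |
        openssl dgst -sha256 -binary | openssl base64
}

# key_pin KEYFILE: the same digest, derived from the private key
key_pin() {
    openssl pkey -in "$1" -pubout -outform der |
        openssl dgst -sha256 -binary | openssl base64
}

# cer_is_cert_only DIR: succeeds when server.cer is byte-for-byte the DER
# encoding of server.crt, i.e. no key was carried over from server.pem
cer_is_cert_only() {
    openssl x509 -in "$1/server.crt" -outform der | cmp -s - "$1/server.cer"
}

# Demo run in a throwaway directory (constructed data, nothing is installed)
demo_dir=$(mktemp -d)
if make_chain "$demo_dir"; then
    echo "server.key pin: $(key_pin "$demo_dir/server.key")"
    echo "server.cer pin: $(cert_pin "$demo_dir/server.cer" der)"
    cer_is_cert_only "$demo_dir" && echo "server.cer holds the certificate only"
    grep -q "PRIVATE KEY" "$demo_dir/server.pem" &&
        echo "server.pem holds the private key: keep it on the server"
fi
rm -rf "$demo_dir"
```

Rerun the comparison whenever server.key or server.crt is regenerated: a new key changes the pin, and an app that still bundles the old server.cer will reject the server.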

2. Modify the nginx configuration file

If you don't know the path to the configuration file, use the following command to print it.

nginx -t

This command tests whether the configuration file is correct and prints its path.

Following the printed path, open nginx.conf. It contains an http { ... } block; add a server block inside the http block.

server {
    # "listen 443 ssl;" replaces the older "ssl on;" directive, which is obsolete since nginx 1.15.0 and was removed in 1.25.1
    listen 443 ssl;
    server_name localhost;
    # configure the root directory of the website and the file name and type of the home page
    index index.html index.htm index.php;
    root <website root directory>;
    ssl_certificate <full path to server.crt>;
    ssl_certificate_key <full path to server.key>;
    # The following is the PHP configuration. If it is not configured, PHP files cannot be parsed properly.
    # It is copied from nginx's HTTP configuration for port 80. If it does not work properly,
    # copy it from your own server's configuration file for port 80.
    location ~ .*\.(php|php5)?$ {
        # fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }
    location ~ .*\.(js|css)?$ {
        expires 1h;
    }
    # if you don't know how to fill these in, refer to the configuration file for port 80
    include <nginx conf directory>/rewrite/default.conf;
    access_log <nginx log directory>/default.log;
}

3. Update configuration

nginx -t         # test whether the configuration file is correct
nginx -s reload  # reload the configuration file

At this point, the configuration of the server is complete.

Configuration of the client

If the certificate is issued by a CA, you can use HTTPS requests directly. Ours, however, is a self-signed certificate, and a direct request to the server fails with an error. Here is how to use AFN to configure HTTPS requests for a self-signed certificate.

1. Import the cer certificate mentioned above into the app's bundle

Import server.cer into bundle

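2. Before using AFN to make a request, make the following configuration

#import <AFNetworking/AFNetworking.h>

// Public-key pinning: the server's public key is compared with that of the pinned certificate (server.cer imported in step 1)
AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
// The self-signed certificate does not chain to a CA trusted by the system, so it has to be allowed explicitly
policy.allowInvalidCertificates = YES;
AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
manager.securityPolicy = policy;
// use manager to make the HTTPS request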

Thank you for reading, hope to help you, thank you for your support to this site!
