2025-02-24 update, from SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 report
This article explains how to build nginx so that it can serve the more secure TLS 1.3. Xiaobian thinks it is quite practical and shares it with everyone for reference. Follow along with Xiaobian and have a look.
I am using Debian 8.
Step 1: Install dependencies
$ apt-get install git gcc make build-essential zlib1g-dev libpcre3-dev
Step 2: Download source code and patches
$ mkdir -p /usr/src
$ cd /usr/src
$ git clone git://git.openssl.org/openssl.git openssl
$ git clone https://github.com/hakasenyang/openssl-patch.git openssl-patch
$ git clone https://github.com/kn007/patch.git nginx-patch
$ wget https://nginx.org/download/nginx-1.15.0.tar.gz
$ tar zxvf ./nginx-1.15.0.tar.gz
Step 3: Patching
1. Patch OpenSSL. The point of this patch is to make OpenSSL support the latest TLS 1.3.
Patch address: github.com/hakasenyang/openssl-patch
$ cd /usr/src/openssl
$ patch -p1 < ../openssl-patch/openssl-equal-pre8_ciphers.patch
2. Patch nginx. The nginx.patch adds SPDY support, HTTP/2 HPACK encoding support and dynamic TLS record support.
Patch address: github.com/kn007/patch
The fix_nginx_hpack_push_error patch fixes compatibility problems between HTTP/2 push and HTTP/2 HPACK in nginx.
The nginx_auto_using_PRIORITIZE_CHACHA patch adds support for SSL_OP_PRIORITIZE_CHACHA when nginx is built against OpenSSL 1.1.1.
$ cd /usr/src/nginx-1.15.0
$ patch -p1 < ../nginx-patch/nginx.patch
$ patch -p1 < ../nginx-patch/fix_nginx_hpack_push_error.patch
$ patch -p1 < ../nginx-patch/nginx_auto_using_PRIORITIZE_CHACHA.patch
Step 4: Compile and install
$ ./configure \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--prefix=/usr/local/nginx \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--with-openssl=../openssl \
--with-http_v2_module \
--with-http_v2_hpack_enc \
--with-http_spdy_module \
--with-http_ssl_module \
--with-http_gzip_static_module \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log
$ make
$ make install
The nginx executable is installed in /usr/sbin/ and the nginx configuration files in /etc/nginx/.
Step 5: Configuration
1. Modify the nginx global configuration:
Write the following into /etc/nginx/nginx.conf:
worker_processes auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;
events {
    use epoll;
    multi_accept on;
    worker_connections 1024;
}
http {
    charset utf-8;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 60;
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_min_length 1k;
    gzip_buffers 4 8k;
    gzip_comp_level 2;
    gzip_disable "msie6";
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;
    include /etc/nginx/vhost/*.conf;
}
2. Modify the nginx site configuration
In the global configuration we included every conf file under /etc/nginx/vhost/, so create that directory:
$ mkdir -p /etc/nginx/vhost
Then create the site configuration in /etc/nginx/vhost/. Below, the text "domain name" stands in for the real domain name:
server {
    listen 80;
    server_name domain name;
    root /wwwroot/domain name;
    location / {
        index index.html;
    }
}
This HTTP site configuration is ready, but the site has no page yet, so we can put the nginx welcome page (from the html directory under the --prefix we configured) into it first:
$ mkdir -p /wwwroot/domain name
$ cp /usr/local/nginx/html/index.html /wwwroot/domain name/
$ nginx
After nginx starts, the HTTP site works and you can see the welcome page when you open it.
Step 6: Certificate issuance
HTTPS needs a certificate first; I use acme.sh here to issue a Let's Encrypt certificate for us automatically.
1. Install the tools:
$ apt-get install cron socat
2. Get acme.sh:
$ curl https://get.acme.sh | sh
3. Generate the certificate:
Verify the domain name with the HTTP method (this is why we set up the HTTP site first), then give the domain name and the site directory and start issuing:
$ acme.sh --issue -d Domain --webroot /wwwroot/Domain/ --keylength ec-256 --nginx
4. Copy the certificate:
The certificate has been issued and stored under ~/.acme.sh/
$ acme.sh --ecc --installcert -d Domain \
--key-file /etc/nginx/ssl/domain.key \
--fullchain-file /etc/nginx/ssl/domain.cer \
--reloadcmd "nginx -s reload"
Give the domain name, the directory to store the certificate (I put it in /etc/nginx/ssl/ here) and the nginx reload command. If the issued certificate is not an ECC certificate, drop the --ecc parameter.
This completes issuing the certificate with acme.sh; when the certificate is about to expire, the script renews it automatically.
To let acme.sh itself upgrade automatically, run:
$ acme.sh --upgrade --auto-upgrade
Step 7: HTTPS Site Configuration
I patched OpenSSL with pre8_ciphers, so the configuration file is as follows:
server {
    listen 80;
    server_name domain name;
    return 301 https://domain name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name domain name;
    root /wwwroot/domain name;
    ssl_certificate /etc/nginx/ssl/domain.cer;
    ssl_certificate_key /etc/nginx/ssl/domain.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES;
    ssl_ecdh_curve X25519:P-256:P-384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets on;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    location / {
        index index.html;
        http2_push /style.css;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|ico)$ {
        expires 30d;
    }
    location ~ .*\.(js|css)?$ {
        expires 15d;
    }
    location ~ /.git/ {
        deny all;
    }
}
The above is the complete site configuration. Overwrite /etc/nginx/vhost/domain name.conf with it, run nginx -s reload, and open the site to see the HTTPS page.
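To make the trade-offs in this server block visible before it goes live, here is an added example, written for this article and not taken from nginx, acme.sh or any of the patches: a small Python audit that parses the ssl_* and add_header directives of a server block and reports what a reviewer would question. The sample block is the article's HTTPS server block with the constructed placeholder example.test in place of the real domain; the equal-preference bracket syntax, the directive names and the certificate paths come from the page, while the severity levels and the six-month HSTS threshold are the example's own choices.

```python
import re

# Constructed sample for this example (not the article's file verbatim): the
# article's HTTPS server block with "example.test" in place of the real domain.
SAMPLE_VHOST = """
server {
    listen 443 ssl http2;
    server_name example.test;
    ssl_certificate /etc/nginx/ssl/domain.cer;
    ssl_certificate_key /etc/nginx/ssl/domain.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES;
    ssl_ecdh_curve X25519:P-256:P-384;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets on;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
}
"""

# One-line directive: name, arguments, terminating semicolon.
DIRECTIVE_RE = re.compile(r'^\s*(\S+)\s+(.*?)\s*;\s*$', re.M)
LEGACY_PROTOCOLS = {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'}
LEGACY_CIPHER_MARKERS = ('3DES', 'RC4', 'MD5', 'NULL', 'EXPORT')
SIX_MONTHS = 15768000  # seconds; the HSTS max-age the article uses


def parse_directives(text):
    """Map directive name -> list of argument lists. Nesting is ignored,
    which is enough for the ssl_* and add_header lines audited here."""
    found = {}
    for m in DIRECTIVE_RE.finditer(text):
        found.setdefault(m.group(1), []).append(m.group(2).split())
    return found


def parse_cipher_groups(spec):
    """Expand the equal-preference syntax [A|B] accepted by the patched
    OpenSSL into an ordered list of groups; a bare token is a group of one."""
    groups = []
    for token in spec.split(':'):
        if token.startswith('[') and token.endswith(']'):
            groups.append(token[1:-1].split('|'))
        else:
            groups.append([token])
    return groups


def audit_tls_block(text):
    """Return a list of (severity, message) with severity FAIL, WARN or INFO."""
    d = parse_directives(text)
    findings = []

    protos = d.get('ssl_protocols', [[]])[0]
    if not protos:
        findings.append(('FAIL', 'ssl_protocols missing; the nginx default of this era still enables TLS 1.0/1.1'))
    legacy = sorted(LEGACY_PROTOCOLS.intersection(protos))
    if legacy:
        findings.append(('FAIL', 'legacy protocols enabled: ' + ' '.join(legacy)))
    if protos and 'TLSv1.3' not in protos:
        findings.append(('WARN', 'TLSv1.3 is not offered'))

    if d.get('ssl_prefer_server_ciphers', [['off']])[0] != ['on']:
        findings.append(('WARN', 'ssl_prefer_server_ciphers is not on, so the client picks the suite'))

    if 'ssl_ciphers' in d:
        for i, group in enumerate(parse_cipher_groups(d['ssl_ciphers'][0][0])):
            # '!' and '-' tokens are exclusions, not offered suites.
            offered = [t for t in group if not t.startswith(('!', '-'))]
            if any(t.startswith('RSA+') for t in offered):
                findings.append(('WARN', 'cipher group %d uses static RSA key exchange (no forward secrecy): %s' % (i, '|'.join(group))))
            if any(mark in t for t in offered for mark in LEGACY_CIPHER_MARKERS):
                findings.append(('WARN', 'cipher group %d contains a legacy algorithm: %s' % (i, '|'.join(group))))

    hsts = [a for a in d.get('add_header', []) if a and a[0].lower() == 'strict-transport-security']
    if not hsts:
        findings.append(('WARN', 'no Strict-Transport-Security header; clients can be kept on plain HTTP'))
    else:
        m = re.search(r'max-age=(\d+)', ' '.join(hsts[0]))
        if not m or int(m.group(1)) < SIX_MONTHS:
            findings.append(('INFO', 'HSTS max-age is below six months'))

    if d.get('ssl_stapling', [['off']])[0] != ['on'] or d.get('ssl_stapling_verify', [['off']])[0] != ['on']:
        findings.append(('INFO', 'OCSP stapling is not fully enabled (ssl_stapling and ssl_stapling_verify)'))

    # nginx defaults ssl_session_tickets to on and, without ssl_session_ticket_key,
    # uses a key generated at configuration load that is not rotated on a schedule.
    if d.get('ssl_session_tickets', [['on']])[0] == ['on'] and 'ssl_session_ticket_key' not in d:
        findings.append(('INFO', 'session tickets use an unrotated key; set and rotate ssl_session_ticket_key, or disable tickets, to keep forward secrecy for resumed sessions'))
    return findings


def severity_counts(text):
    """Count findings per severity, for a simple deploy-time gate."""
    counts = {'FAIL': 0, 'WARN': 0, 'INFO': 0}
    for sev, _ in audit_tls_block(text):
        counts[sev] += 1
    return counts
```

Run against the article's block, the audit reports no FAIL: TLS 1.0/1.1 are off and TLS 1.3 is offered. It does warn about the last three cipher groups (RSA+AES128+SHA, RSA+AES256+SHA and RSA+3DES), which use static RSA key exchange and so give no forward secrecy, with 3DES on top; the article keeps them as a fallback for very old clients, and if you do not need those clients the cleanest change is to delete those three groups from ssl_ciphers. It also notes that ssl_session_tickets on without an explicitly managed ssl_session_ticket_key means resumed sessions depend on one long-lived key.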