
How to implement an https service by configuring an SSL certificate in nginx

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article describes how to configure an SSL certificate in nginx so that a local node application is served over https. The walkthrough is detailed; readers who are interested can follow along step by step.

The basic structure of the node project is as follows:

```text
Project
|-- static            # stores html files
|   |-- index.html
|-- node_modules      # installed dependencies
|-- app.js            # node entry file
|-- package.json
|-- .babelrc          # converts es6 files
```

The index.html file code is as follows:

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Nginx configure https</title>
</head>
<body>
  <p>Welcome to use https to access the page</p>
</body>
</html>
```

The app.js code is as follows:

```javascript
const Koa = require('koa');
const fs = require('fs');
const path = require('path');
const router = require('koa-router')();
const koaBody = require('koa-body');
const serve = require('koa-static');   // "static" is a reserved word in strict mode, so use another name
const app = new Koa();

router.get('/', (ctx, next) => {
  // set the content type; without it the browser downloads the page instead of rendering it
  ctx.type = 'html';
  // read the file and stream it as the response body
  const pathUrl = path.join(__dirname, '/static/index.html');
  ctx.body = fs.createReadStream(pathUrl);
  return next();
});

// Serve only the static folder. Serving __dirname itself would expose app.js,
// package.json and node_modules to anyone who can reach the port.
app.use(serve(path.join(__dirname, 'static')));
app.use(router.routes());
app.use(router.allowedMethods());

app.listen(3001, () => {
  console.log('server is listening on 3001');
});
```

The package.json is as follows. Note that fs and path are Node built-in modules; the npm packages of the same name are not needed (the fs package on npm is an empty placeholder published only to reserve the name), so they can be dropped from dependencies to keep the dependency tree small.

```json
{
  "name": "uploadandload",
  "version": "1.0.0",
  "description": "",
  "main": "app.js",
  "scripts": {
    "dev": "nodemon ./app.js"
  },
  "author": "author",
  "license": "ISC",
  "dependencies": {
    "fs": "0.0.1-security",
    "koa": "^2.7.0",
    "koa-body": "^4.1.0",
    "koa-router": "^7.4.0",
    "koa-send": "^5.0.0",
    "koa-static": "^5.0.0",
    "nodemon": "^1.19.0",
    "path": "^0.12.7"
  }
}
```

After running npm run dev in the project root, the page is reachable at http://localhost:3001. To use a domain name instead, bind one such as xxx.abc.com to the loopback address in the hosts file (/etc/hosts on macOS and Linux). The hosts entry is as follows:

127.0.0.1 xxx.abc.com

The page can now be opened at http://xxx.abc.com:3001/, as shown below:

As shown above, the page loads, but Chrome marks plain http pages as "Not secure", so the goal is to serve it over https. Without any further setup, opening https://xxx.abc.com:3001 directly fails, because the node app only speaks plain http on that port. As shown in the following figure:

An https site needs a certificate and something that terminates TLS. The task, then, is to put nginx in front of the node app, give nginx the certificate, and have it proxy https requests to the web page on port 3001.

Configuring the https service in nginx

1. First go to the nginx configuration directory. This article uses the Homebrew layout on macOS, cd /usr/local/etc/nginx; on most Linux distributions the directory is /etc/nginx. Then create a cert folder in this directory to hold the certificate files.

Use the command mkdir cert, as follows:

2. Then copy the certificate files, server.crt and server.key, into the cert directory. For example, the following certificate files:

For how these files are generated, see my earlier article on generating a free certificate with openssl.

Move command: mv server.key /usr/local/etc/nginx/cert, and the same for server.crt, so that both files end up in the /usr/local/etc/nginx/cert directory. Since server.key is the private key, keep it readable by root only (chmod 600). As shown in the following figure:

Listing the /usr/local/etc/nginx/cert directory then shows the following files:

3. nginx configuration

The nginx configuration needs the following server block (the comments explain each directive):

```nginx
server {
    listen 443 ssl;
    server_name xxx.abc.com;
    ssl on;   # deprecated; this line has to be removed, see the note below

    # Paths are relative to the directory containing nginx.conf,
    # i.e. /usr/local/etc/nginx/cert/server.crt here
    ssl_certificate cert/server.crt;
    ssl_certificate_key cert/server.key;

    # Type and size of the SSL/TLS session cache. The "builtin" cache (OpenSSL's own)
    # can cause memory fragmentation; the default is none, which behaves like off.
    # shared:SSL:10m is a cache shared by all nginx worker processes; the
    # documentation says 1m holds about 4000 sessions.
    ssl_session_cache shared:SSL:1m;

    # How long a client may reuse the parameters stored in the session cache.
    # The default is 5 minutes, which is short; 30m or even 4h is common.
    ssl_session_timeout 5m;

    # Cipher suites, written in the syntax the OpenSSL library understands. Browsers
    # differ in which suites they support (and in what order). List the suites a
    # string selects with:  openssl ciphers -v 'HIGH:!aNULL:!MD5'
    ssl_ciphers HIGH:!aNULL:!MD5;

    # During negotiation prefer the server's cipher order over the client's.
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://localhost:3001;
    }
}
```
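The server block above is the minimum that works. As an added example, not part of the original article, the script below renders a hardened variant of the same block (explicit TLS 1.2/1.3 only, an http-to-https redirect, and the proxy headers the Koa app needs to know the request came in over https) and lints a config file for the two mistakes the article runs into: the deprecated ssl on; directive and, in the same spirit, a protocol list that re-enables TLS 1.0/1.1. The host name, certificate paths and upstream address are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Renders a hardened nginx
# server block for the setup described above and lints a config for the
# problems discussed in the text. Names, paths and the upstream are assumptions.

# render_tls_server_block NAME CERT KEY UPSTREAM
# Prints a server block that terminates TLS for NAME and proxies to UPSTREAM.
render_tls_server_block() {
    name=$1; cert=$2; key=$3; upstream=$4
    cat <<EOF
# redirect plain http to https so nothing is served in clear text
server {
    listen 80;
    server_name $name;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;              # "ssl on;" is deprecated; the listen parameter replaces it
    server_name $name;

    ssl_certificate     $cert;
    ssl_certificate_key $key;

    ssl_protocols TLSv1.2 TLSv1.3;   # TLS 1.0 and 1.1 are deprecated (RFC 8996)
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 30m;

    location / {
        proxy_pass $upstream;
        # tell the Koa app who the client is and that the request arrived over https
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# lint_nginx_conf FILE
# Returns 0 if FILE avoids the problems discussed in the article, 1 otherwise.
lint_nginx_conf() {
    f=$1
    # the directive that produced the deprecation warning
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f"; then
        echo "lint: 'ssl on;' is deprecated, use 'listen 443 ssl;'" >&2
        return 1
    fi
    # a TLS listener needs both halves of the key pair
    if grep -Eq 'listen[^;]*[[:space:]]ssl' "$f"; then
        grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]' "$f" \
            || { echo "lint: ssl_certificate missing" >&2; return 1; }
        grep -Eq '^[[:space:]]*ssl_certificate_key[[:space:]]' "$f" \
            || { echo "lint: ssl_certificate_key missing" >&2; return 1; }
    fi
    # an explicit protocol list must not re-enable TLS 1.0 or 1.1
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' "$f"; then
        echo "lint: ssl_protocols enables TLS 1.0 or 1.1" >&2
        return 1
    fi
    return 0
}
```

Use it as render_tls_server_block xxx.abc.com cert/server.crt cert/server.key http://127.0.0.1:3001 > /usr/local/etc/nginx/servers/xxx.abc.com.conf, then lint_nginx_conf on that file followed by nginx -t before reloading. Proxying to 127.0.0.1 rather than localhost avoids an IPv6 lookup surprise, and binding the node app to 127.0.0.1 as well keeps clients from bypassing nginx and hitting port 3001 over plain http.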

Note: the ssl on; line above has to be removed; the warning it causes is covered below. Separately, with the configuration as written, restarting nginx failed with the following error:

```text
SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
     error:0906A065:PEM routines:PEM_do_header:bad decrypt
```

This "bad decrypt" error means that server.key is encrypted with a passphrase. nginx has no way to enter the passphrase at startup unless it is supplied through the ssl_password_file directive, so the usual fix, which a Baidu search also turns up, is to strip the passphrase from the key:

Go to the certificate directory with cd /usr/local/etc/nginx/cert and run the following two commands:

```shell
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key   # prompts for the passphrase and writes an unencrypted key
```

The decrypted server.key is now the only thing protecting the private key, so keep it readable by root only.
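The two commands above are the manual fix. The following is an added example, not part of the original article, that does the same from a script and adds the checks worth running before restarting nginx: detect whether a key is still passphrase-protected (the condition behind the bad decrypt error), strip the passphrase without ever leaving the plaintext key world-readable, and confirm that server.crt really belongs to server.key. The file names, the host name and the passphrase "changeit" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the "bad decrypt"
# condition from the command line and fix it. Names and the passphrase are assumptions.

# key_is_encrypted KEYFILE -> 0 if the PEM key is passphrase-protected
key_is_encrypted() {
    # PKCS#8 keys say "BEGIN ENCRYPTED PRIVATE KEY";
    # legacy "BEGIN RSA PRIVATE KEY" files carry "Proc-Type: 4,ENCRYPTED"
    grep -q 'ENCRYPTED' "$1"
}

# strip_passphrase IN OUT PASS
# Writes an unencrypted copy of IN to OUT, readable only by the owner.
strip_passphrase() {
    in=$1; out=$2; pass=$3
    # nginx reads the key as root at startup; nobody else needs it,
    # so create the plaintext file with mode 600 from the start
    (umask 077; openssl pkey -in "$in" -passin "pass:$pass" -out "$out")
}

# cert_matches_key CERT KEY -> 0 if CERT was issued for KEY's public key
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# demo DIR: builds a passphrase-protected key plus a certificate in DIR (constructed
# test data), then applies the article's fix and verifies the result
demo() {
    dir=$1
    openssl genrsa -aes256 -passout pass:changeit -out "$dir/server.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/server.key" -passin pass:changeit \
        -subj "/CN=xxx.abc.com" -days 365 -out "$dir/server.crt" 2>/dev/null
    # at this point nginx would fail with PEM_do_header:bad decrypt
    key_is_encrypted "$dir/server.key" || return 1
    cp "$dir/server.key" "$dir/server.key.org"          # the article's backup step
    strip_passphrase "$dir/server.key.org" "$dir/server.key" changeit
    key_is_encrypted "$dir/server.key" && return 1      # must be plaintext now
    cert_matches_key "$dir/server.crt" "$dir/server.key"
}
```

If you would rather keep the key encrypted at rest, nginx can read the passphrase from a file named by the ssl_password_file directive instead; the file then needs the same root-only permissions the plaintext key would have had.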

As follows:

The Baidu search result page is shown above.

Restarting nginx again then produced the following warning:

```text
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead
```

So the ssl on; configuration item has to be removed as well; this depends on the nginx version.

After upgrading to nginx 1.15, nginx reload recently reported this warning for every site with ssl. I looked at a lot of material and finally found a related English note on github: (English) My English is not good, but it roughly means that from nginx 1.15 onward there is no need to write ssl on;.

After deleting ssl on; from nginx.conf and reloading, sure enough, the warning was gone, and there has been no problem using it so far.

I had really misunderstood that ssl on should be changed to listen 443 ssl.

Now restarting nginx succeeds, as shown below:

Even with this configuration, opening https://xxx.abc.com/ in the browser is not yet clean: the certificate is self-signed, so the browser has to be told to trust it. This article imports the previously generated client.crt; note that what the browser must trust is the certificate nginx actually serves (server.crt) or the CA that issued it, so if client.crt is a different certificate the warning will remain. The steps on macOS are as follows:

1. Click Launchpad in the Dock. As follows:

2. Search for Keychain Access and open it, as shown below:

3. Go to the Certificates category and drag the previously generated client.crt certificate into it, as shown below:

4. Right-click the certificate and click "Get Info" to open the certificate details. As shown in the following figure:

5. In the Trust section, set "When using this certificate" to "Always Trust", as shown in the following figure:

6. Close the window; macOS may ask for your login password, and the change is saved automatically. Then open https://xxx.abc.com/ in the browser. As follows:

Click through to continue to the site and the page is displayed, as shown below:

As above, the local node service is now served over https through nginx plus a certificate.

However, although the page is reachable over https, the browser still shows the "Not secure" label in front of the address, as shown below. With a self-signed certificate two things commonly cause this: Chrome ignores the Common Name and only accepts a certificate whose subjectAltName matches the host, and the certificate marked as trusted has to be the one nginx serves (or its issuer), not some other file.
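To take the guesswork out of that last step, here is an added example, not part of the original article, that generates a self-signed certificate the way a modern browser expects it (with a subjectAltName for the host) and checks the two properties the Keychain import relies on: that the certificate names the host in its SAN, and that it verifies against the file you intend to trust. openssl verify -CAfile plays the role Keychain Access plays for the browser when you choose "Always Trust". The host name, file names and validity period are assumptions; -addext needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original article): self-signed certificate with a
# SAN, plus the checks behind the browser's trust decision. Names are assumptions.

# make_selfsigned HOST DIR
# Writes DIR/server.key (mode 600) and DIR/server.crt with a DNS SAN for HOST.
# Chrome ignores the CN; without a matching SAN the "Not secure" label stays
# even after the certificate has been trusted.
make_selfsigned() {
    host=$1; dir=$2
    (umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
    openssl req -x509 -new -key "$dir/server.key" -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -out "$dir/server.crt" 2>/dev/null
}

# cert_has_san CERT HOST -> 0 if CERT lists HOST as a DNS subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -q "DNS:$2"
}

# trusted_by CERT TRUSTFILE -> 0 if CERT chains to a certificate in TRUSTFILE.
# For a self-signed certificate, TRUSTFILE is the certificate itself: that is
# exactly what importing server.crt and choosing "Always Trust" establishes.
trusted_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Run cert_has_san /usr/local/etc/nginx/cert/server.crt xxx.abc.com and trusted_by server.crt client.crt against the real files: if the second check fails, the file imported into Keychain Access is not the certificate nginx is serving, which explains a warning that survives the import.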

That is how to configure an SSL certificate in nginx to serve a site over https. I hope the above is of some help; if you found the article useful, share it so that more people can see it.
