2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to configure HTTPS on an Nginx server, from applying for a certificate to testing the finished configuration.
Apply for a certificate
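At present, many organizations on the Internet offer free personal SSL certificates, valid for anywhere from several months to several years. Take StartSSL (https://www.startssl.com) as an example: the certificate is valid for 3 years and can be renewed free of charge when it expires. (StartCom, the CA behind StartSSL, was later distrusted by the major browsers and stopped issuing certificates in 2018; the CSR and Nginx steps below work the same way with any CA.)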
The specific application process is also very simple.
After registering and logging in, select Certificates Wizard >> DV SSL Certificate to apply for a free SSL certificate.
After verifying the domain name by email, generate the CSR for the SSL certificate on your server (remember the pass phrase you enter while generating it) using:
openssl req -newkey rsa:2048 -keyout weizhimiao.cn.key -out weizhimiao.cn.csr
Place the generated files in the directory where certificates are stored, such as /data/secret/. View the content of weizhimiao.cn.csr, copy it into the Certificate Signing Request (CSR) section of the page, and submit the page.
Download the generated certificate and select the file for the corresponding web server (for Nginx, 1_weizhimiao.cn_bundle.crt), so that we have both the private and the public key:
1_weizhimiao.cn_bundle.crt (public key)
weizhimiao.cn.key (private key)
Nginx configuration (add https to the specified domain name)
Current configuration of nginx.conf
...
http {
    ...
    include /etc/nginx/conf.d/*.conf;
    server {
        ...
    }
}
Add to ./conf.d/weizhimiao.cn.conf:
server {
    listen 443 ssl;
    server_name weizhimiao.cn;

    # Certificate bundle and private key from the previous step
    ssl_certificate /data/secret/1_weizhimiao.cn_bundle.crt;
    ssl_certificate_key /data/secret/weizhimiao.cn.key;

    ssl_prefer_server_ciphers on;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';

    add_header Strict-Transport-Security 'max-age=31536000; preload';
    add_header X-Frame-Options DENY;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout 70;
    # Diffie-Hellman parameters, generated as described in the note below
    ssl_dhparam /data/secret/dhparam.pem;

    add_header X-Content-Type-Options nosniff;
    add_header X-Xss-Protection 1;

    root /data/www/weizhimiao.cn;
    index index.html;

    location / {
    }
}
Note:
The configuration uses the file /data/secret/dhparam.pem, a PEM-format file holding the Diffie-Hellman parameters used in TLS sessions. It strengthens the security of SSL. To generate the file:
cd /data/secret/
openssl dhparam -out dhparam.pem 2048
Redirect requests that arrive on port 80 to HTTPS. Add to ./conf.d/weizhimiao.cn.conf:
server {
    listen 80;
    server_name weizhimiao.cn;
    return 301 https://weizhimiao.cn$request_uri;
}
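The TLS directives in the port 443 server block can be checked mechanically. The following shell script is an added example, not part of the original article; the function names are illustrative, and its checks reflect RFC 8996 (TLS 1.0 and 1.1 deprecated), the 64-bit block size of 3DES, and the HSTS preload list's requirement that includeSubDomains accompany preload.

```shell
#!/bin/sh
# Added example (not from the article). Assumes one directive per line.

# Print the line(s) of file $1 that hold directive $2, comments stripped.
directive() {
    sed -e 's/#.*//' "$1" | grep -E "^[[:space:]]*$2[[:space:]]" || true
}

# Print one finding per line; print nothing when the file passes.
audit_tls_conf() {
    conf=$1
    # Compare whole tokens so that TLSv1 never matches TLSv1.2.
    for tok in $(directive "$conf" ssl_protocols | tr -d ';'); do
        case $tok in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "deprecated protocol: $tok" ;;
        esac
    done
    # Cipher entries starting with ! or - are exclusions, so skip them.
    for tok in $(directive "$conf" ssl_ciphers | tr -d "';\"" | tr ':' ' '); do
        case $tok in
            '!'*|-*) ;;
            *3DES*|*DES-CBC3*) echo "3DES cipher enabled: $tok" ;;
            *RC4*) echo "RC4 cipher enabled: $tok" ;;
        esac
    done
    # The HSTS preload list requires includeSubDomains next to preload.
    hsts=$(directive "$conf" 'add_header[[:space:]]+Strict-Transport-Security')
    case $hsts in
        '') echo "no Strict-Transport-Security header" ;;
        *includeSubDomains*) ;;
        *preload*) echo "HSTS preload without includeSubDomains" ;;
    esac
}

# Constructed sample: the TLS lines of the server block above, shortened.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'kEECDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !RC4';
    add_header Strict-Transport-Security 'max-age=31536000; preload';
}
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_tls_conf "$sample"
rm -f "$sample"
```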
Test
Check the configuration file for syntax errors. You will be asked for the pass phrase you entered when you generated the key.
nginx -t
Enter PEM pass phrase:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart Nginx (remember, reload doesn't work):
nginx -s stop
Enter PEM pass phrase:
nginx
Enter PEM pass phrase:
Then check whether the browser can access weizhimiao.cn.
In addition, once Nginx is configured with the certificate, you have to enter the pass phrase for every reload, stop, and similar nginx operation.
To avoid this, generate a decrypted key file and use it in place of the original key file.
cd /data/secret/
openssl rsa -in weizhimiao.cn.key -out weizhimiao.cn.key.unsecure
Replace the reference to weizhimiao.cn.key in weizhimiao.cn.conf:
server {
    ...
    ssl_certificate /data/secret/1_weizhimiao.cn_bundle.crt;
    ssl_certificate_key /data/secret/weizhimiao.cn.key.unsecure;
    ...
}
After that, you no longer have to enter the pass phrase on each reload.
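Once the pass phrase is removed, file permissions are the only thing protecting the key. The following shell script is an added example, not part of the original article (function names are illustrative): it reads the ssl_certificate_key paths from a config file and reports any key that group or other users can access.

```shell
#!/bin/sh
# Added example (not from the article): check the private keys that an
# nginx config references. Assumes one ssl_certificate_key per line.

# Print a finding for key file $1; print nothing when it passes.
check_key_file() {
    key=$1
    if [ ! -f "$key" ]; then
        echo "$key: key file not found"
        return 0
    fi
    # Both PEM encodings mark a pass-phrase-protected key with ENCRYPTED
    # ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
    if grep -q 'ENCRYPTED' "$key"; then state=encrypted; else state=unencrypted; fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ldL "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$key: $state key accessible beyond its owner ($perms)"
    fi
}

# Run check_key_file on every ssl_certificate_key path in config file $1.
audit_config_keys() {
    sed -e 's/#.*//' "$1" |
        sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]][[:space:]]*\([^;[:space:]]*\).*/\1/p' |
        while IFS= read -r path; do
            check_key_file "$path"
        done
}

# Demo on constructed files: a dummy key without a pass phrase, mode 644.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' > "$demo/demo.key.unsecure"
chmod 644 "$demo/demo.key.unsecure"
echo "ssl_certificate_key $demo/demo.key.unsecure;" > "$demo/demo.conf"
audit_config_keys "$demo/demo.conf"
rm -rf "$demo"
```

A key that was decrypted as described above passes this check only when its mode is owner-only, for example 600.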
Finally, run a test with SSL Labs.
That covers how to configure HTTPS on an Nginx server. If you have a similar setup to do, the steps above can serve as a reference.