How to configure nginx to support https

2025-01-19 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)05/31 Report--

Today I would like to share with you what I know about configuring nginx to support https. The content is detailed and the logic is clear. I believe most people still do not know much about this topic, so I am sharing this article for your reference. I hope you get something out of it. Let's take a look.

1. Introduction

The hypertext transfer protocol (http) is used to transmit information between a web browser and a website server. Http sends content in clear text without providing any form of data encryption. If an attacker intercepts the messages exchanged between the web browser and the website server, he can read the information directly.

Therefore, http is not suitable for transmitting sensitive information such as credit card numbers, passwords and other payment details.

To address this weakness of http, we need another protocol: https, hypertext transfer protocol over the secure socket layer. For the security of data transmission, https adds the ssl protocol on top of http. Ssl relies on certificates to verify the identity of the server and to encrypt the communication between the browser and the server.

2. Advantages of https

Although https is not absolutely secure, and organizations that control a root certificate or the encryption algorithms can still carry out man-in-the-middle attacks, https is still the most secure solution under the current architecture, with the following main benefits:

(1) The https protocol authenticates users and servers, ensuring that data is sent to the correct client and server.

(2) https is a network protocol built from ssl + http for encrypted transmission and identity authentication, and is more secure than http. It prevents data from being stolen or altered in transit and ensures the integrity of the data.

(3) https is the most secure solution under the current architecture. Although it is not absolutely secure, it greatly increases the cost of a man-in-the-middle attack.

(4) Google adjusted its search engine algorithm in August 2014, stating that "sites encrypted with https will rank higher in search results than their equivalent http sites."

3. Shortcomings of https

Although https has great advantages, it still has some disadvantages:

(1) The handshake phase of the https protocol is time-consuming; it increases page loading time by nearly 50% and power consumption by 10% to 20%.

(2) https connection caching is not as efficient as http, which increases data overhead and power consumption, and even existing security measures may be affected.

(3) An ssl certificate costs money, and the more capable the certificate, the higher the fee. Personal websites and small websites do not need one and generally will not use one.

(4) ssl certificates usually need to be bound to an ip. You cannot bind multiple domain names to the same ip, and ipv4 resources cannot support this consumption.

(5) The encryption scope of https is also limited; it can hardly help against hacker attacks, denial of service attacks, server hijacking and so on. Most importantly, the trust chain of ssl certificates is not secure, and when some countries can control a ca root certificate, a man-in-the-middle attack is still feasible.

4. Download certbot

Use git to download it here; if you have not installed git yet, install it first.

Switch directories

cd /usr/local

Clone git repository

git clone https://github.com/certbot/certbot.git

When the clone is complete, the certbot directory will appear in /usr/local/

5. View certbot

Change to the certbot directory

cd /usr/local/certbot

If the directory is like this, the installation is successful.

Certbot common commands

6. Install nginx

7. Apply for https certificate

View current certificate

./certbot-auto certificates

The first execution will install some dependencies. There will be a confirmation prompt along the way; just type y.

Start applying for a certificate (the certificate is valid for 3 months, so you need to reapply before it expires).

Method 1: use dns verification, which requires you to be able to configure your domain name's DNS records. I personally prefer this method. The command is:

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d yourdomain --manual --preferred-challenges dns-01 certonly

For example:

Configure a wildcard (pan-domain) name:

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.nl166.com" --manual --preferred-challenges dns-01 certonly

Configure a specific domain name:

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d api.nl166.com --manual --preferred-challenges dns-01 certonly

Configure a second-level wildcard name:

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d "*.api.nl166.com" --manual --preferred-challenges dns-01 certonly

As shown in the figure above, the first time you run it you will be asked to enter an email address; enter it as required. An email will be sent to that address and you need to click the confirmation link in it, so be sure to fill in a real mailbox, then confirm as required. You cannot proceed without confirming.

Next, you will be asked to verify the domain name by adding a DNS record of type TXT with the value shown.

Save the record, then go back to the server to confirm.

The above two files are the certificates used to configure https.

Method 2: use plug-ins

Let's see what the official documentation says first.

What I use here is the nginx plugin (it will automatically restart nginx for you after the certificate is issued). This method cannot configure wildcard domain names; domains can only be added one by one.

./certbot-auto --nginx -d api2.nl166.com

To resolve the error above, create the following symlinks (replace /usr/local/nginx with the actual installation location of your nginx; mine was installed with lnmp):

ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
ln -s /usr/local/nginx/conf/ /etc/nginx

Execute the application again

You will be asked to choose whether to redirect http traffic to https and remove http access. Choose according to your own needs; here I chose c to cancel (in fact, this step can be skipped directly; after testing, the https URL could be accessed even without selecting this step).

If you want to skip the prompt, you can add certonly. This only generates the certificate and does nothing else; the certificate configuration then needs to be added manually as follows:

./certbot-auto certonly --nginx -d api2.nl166.com

As shown in the figure above, if you have configured a server that listens on port 443, it will automatically find the configuration file for the corresponding domain name and add the following two lines, disrupting my formatting: the closing } does not line up with the indentation of the opening {, but this does not affect the function. Whether or not ssl on; needs to be added depends on the nginx version.

My nginx version does not need it; lower versions need ssl on; to enable https access.

If port 443 is not being listened on for the domain name, the information will be added at the following location

Please explore other ways by yourself.

8. Configure nginx to support https

# https server #
server {
    listen 443 ssl;
    server_name api2.nl166.com;
    root /data/web/im.nl166.com;

    location / {
        index index.php;
    }

    # auth_basic "hello world";
    # auth_basic_user_file /usr/local/nginx/conf/auth/nl166.auth;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # block access to version-control directories
    location ~ .*\.(svn|git|cvs) {
        deny all;
    }

    ssl_certificate /etc/letsencrypt/live/api2.nl166.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/api2.nl166.com/privkey.pem; # managed by Certbot
}

In the lower version, ssl on; needs to be added to enable https access.

9. Use shell scripts to renew certificates regularly with scheduled tasks

Note: to avoid hitting the rate limit on the number of operations, add the --dry-run parameter first; after it executes correctly, remove it and run the real renew operation.

Renewal for method 1

The --cert-name is the name of the *.conf file in the /etc/letsencrypt/renewal/ directory, where * is the domain name. For example, when I generated the certificate I used *.nl166.com, but the file name actually generated has no * sign.

Replace /home/certbot-sh/au.sh with your own script that updates dns, as follows:

./certbot-auto renew --cert-name nl166.com --manual-auth-hook /data/shell/crontab/auto_update_httpscert.sh --dry-run

Put the renewal command into a file; here I put it in /data/shell/crontab/auto_update_httpscert.sh, as follows. The original auto_update_httpscert.sh is renamed to /data/shell/cnl_update_httpscert.sh.

Add a system scheduled task

crontab -e

# renew the https certificate at 5:00 am every Sunday

0 5 * * 0 sh /data/shell/crontab/auto_update_httpscert.sh

Renewal for method 2 is as follows:

./certbot-auto certonly --renew-by-default --nginx -d api2.nl166.com --dry-run

Add the system scheduled task by referring to method 1.
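The renewal procedure above (dry-run first, real renewal only when it passes, then reload nginx) as one script that the cron job can call; this is an added example, not the author's script. It assumes certbot-auto is at /usr/local/certbot/certbot-auto, nginx is on PATH via the symlink from section 7, the dns update hook path from method 1, and renews only when the live certificate has fewer than 30 days left.

```shell
#!/bin/sh
# Assumed paths (adjust to your own installation).
CERTBOT=/usr/local/certbot/certbot-auto
CERT_NAME=nl166.com                                   # method 1: --cert-name (renewal/*.conf, no '*')
DOMAIN=api2.nl166.com                                 # method 2: domain issued with the nginx plugin
AUTH_HOOK=/data/shell/crontab/auto_update_httpscert.sh # hypothetical dns update hook
LIVE_DIR=/etc/letsencrypt/live/$CERT_NAME

# Build the certbot command for method 1 (dns-01 + manual auth hook) or
# method 2 (nginx plugin); stage "dry" appends --dry-run so no rate limit is consumed.
build_renew_cmd() {
  mode=$1; stage=$2
  case "$mode" in
    1) cmd="$CERTBOT renew --cert-name $CERT_NAME --manual-auth-hook $AUTH_HOOK" ;;
    2) cmd="$CERTBOT certonly --renew-by-default --nginx -d $DOMAIN" ;;
    *) return 1 ;;
  esac
  [ "$stage" = "dry" ] && cmd="$cmd --dry-run"
  printf '%s\n' "$cmd"
}

# Days until the certificate in $1 expires, read with openssl; -1 if the file is absent.
days_left() {
  pem=$1
  [ -r "$pem" ] || { printf '%s\n' -1; return 0; }
  end=$(openssl x509 -enddate -noout -in "$pem" | cut -d= -f2)
  end_s=$(date -d "$end" +%s 2>/dev/null || date -j -f '%b %e %T %Y %Z' "$end" +%s)
  printf '%s\n' $(( (end_s - $(date +%s)) / 86400 ))
}

# Let's Encrypt certificates last about 90 days; renew once fewer than $2 (default 30) remain.
should_renew() { [ "$1" -lt "${2:-30}" ]; }

# Full run: skip if the cert is still fresh, dry-run first, real renewal only on success,
# then reload nginx so the new certificate is served.
renew_and_reload() {
  mode=$1
  left=$(days_left "$LIVE_DIR/fullchain.pem")
  [ "$left" -ge 0 ] || { echo "no certificate in $LIVE_DIR, issue one first" >&2; return 1; }
  should_renew "$left" || { echo "certificate has $left days left, skipping"; return 0; }
  sh -c "$(build_renew_cmd "$mode" dry)" || { echo "dry run failed, not renewing" >&2; return 1; }
  sh -c "$(build_renew_cmd "$mode" real)" && nginx -s reload
}

if [ -n "${1:-}" ]; then renew_and_reload "$1"; fi
```

Run it as `sh renew.sh 1` (or `2`) from the cron line in section 9; the dry run failing leaves the existing certificate and nginx untouched.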

That is all the content of the article "how to configure nginx to support https". Thank you for reading! I believe you will gain a lot from it. The editor will post different knowledge for you every day; if you want to learn more, please follow the industry information channel.
