
How to configure https certificate in nginx

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

In this issue, the editor shows you how to configure an https certificate in nginx. The article is rich in content and approaches the topic from a professional point of view; I hope you get something out of it.

First of all, let's review how https works. Start with the figure:

In the first step, the client sends its request and the server sends its certificate back. In essence, the certificate is the server's public key encrypted with the private key of a third-party CA.

In the second step, having received the certificate, the client uses the CA public key built into the operating system and browser to verify it. If the certificate can be decrypted, the request has reached the target website and not a man in the middle.

In the third step, the client decrypts the certificate with the CA public key and obtains the server's public key. At this point the client holds the server public key and knows it is genuine.

In the fourth step, the client generates a random number, encrypts it with the server public key and sends it to the server.

In the fifth step, the server decrypts the message with its private key and recovers the random number.

Looking at the above process more closely, let's sort the pieces used on the client side and on the server side:

The client uses the following:

1. The CA's public key: already built into the system, nothing to do.

2. The public key certificate: sent by the server; the client automatically decrypts it with the CA public key.

3. The server public key: obtained by the client by decrypting the certificate with the CA public key.

4. The random number that becomes the symmetric key: generated automatically.

The server side uses:

1. A public key certificate, which must be applied for.

2. The server private key, which must be generated manually.

The client-side pieces need no configuration from us; our work is on the server side. The server needs a public key certificate and a server private key. Where do these two come from?

First, run the ssh-keygen command on the server's command line to generate the public and private keys. ssh-keygen creates two files, id_rsa and id_rsa.pub, in the server's ~/.ssh directory: the one without the .pub suffix is the private key and the one with it is the public key.

Once we have the server public and private keys, we use the server public key to apply for a certificate. If you apply to one of the paid CAs, their customer service will usually ask for your server public key and your website information; the CA then encrypts your server public key with its own private key to produce the public key certificate and issues that certificate to you.

After these two steps we have the public key certificate and the server private key. With these two files we can configure a website that uses the https protocol.

One point to explain: some CAs do not ask you to submit a server public key at all. They generate a server key pair themselves, encrypt the server public key into a certificate with the CA private key, and send you the certificate together with the server private key. Aliyun's free certificate works this way.

First, click SSL Certificates in the Aliyun console.

On that page, click Purchase Certificate:

On the purchase page, buy a free DV certificate. If you need a higher level of assurance, you can purchase a DV or EV certificate:

With that we have purchased the certificate; next we apply for it against a domain name. This differs somewhat from traditional certificate authorities, where you send the server public key and website information to customer service and they issue the certificate to you.

Having purchased the free DV certificate, we can now apply for it. The interface looks like this:

What we bought from Aliyun is the right to apply for certificates; every certificate that can be applied for appears in this list. Click Apply and enter the domain name on which you want to deploy https:

At 1 we fill in our domain name, which can be a second-level or a first-level domain; because the certificate is free, wildcards are not allowed.

At 2 we choose automatic DNS verification, which confirms that the domain name in the application is yours; in other words, you cannot apply for an https certificate for someone else's domain name.

At 3 we need a CSR file. What is it for? It is simply the information about your website. You can let Aliyun generate it for you by choosing system generation, or generate it yourself if you prefer.

If you generate the CSR yourself, you can find a free tool online to do it, as follows:

I usually choose system generation.
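As an added example (not from the article or from any tool it mentions), here is how to produce the server private key and the CSR yourself with openssl, which is the format a CA's CSR field expects; the domain name and output directory are placeholders passed by the caller, and the .key file stays on the server while only the .csr is uploaded.

```shell
#!/bin/sh
# Added example: generate the server private key and a CSR for the CA's application form
# with openssl. DOMAIN and OUTDIR are placeholders supplied by the caller.
set -eu

# make_csr DOMAIN OUTDIR -> writes OUTDIR/server.key (keep on the server) and OUTDIR/server.csr (upload to the CA)
make_csr() {
    domain=$1
    outdir=$2
    mkdir -p "$outdir"
    # 2048-bit RSA private key, readable only by its owner: this is the file that must never leave the server
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$outdir/server.key" 2>/dev/null
    chmod 600 "$outdir/server.key"
    # The CSR carries the public key plus the site's name; browsers match the name against the SAN extension
    openssl req -new -key "$outdir/server.key" -out "$outdir/server.csr" \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" 2>/dev/null
}

# csr_cn CSR -> prints the Common Name from the request subject, so it can be checked before uploading
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_has_san CSR DOMAIN -> 0 if DOMAIN is listed as a DNS name in the request's SAN extension
csr_has_san() {
    openssl req -in "$1" -noout -text | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fqx "DNS:$2"
}

# csr_matches_key CSR KEY -> 0 if the public key in the CSR was derived from KEY
csr_matches_key() {
    c=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}
```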

After that, submit the application. Once it is approved, the certificate download address appears in the following column:

Clicking Download gives us two files. Here we choose the version for nginx:

The two files are as follows:

The public key certificate ends in .pem and the server private key ends in .key. The private key must never be leaked.

Then we configure the https server by editing nginx's configuration file, nginx.conf:

    server {
        listen 443;
        server_name localhost;
        ssl on;                                 # deprecated since nginx 1.15.0; newer versions use "listen 443 ssl;" instead
        root html;
        index index.html index.htm;
        ssl_certificate cert/a.pem;             # public key certificate downloaded from the CA
        ssl_certificate_key cert/a.key;         # server private key; keep it on the server only
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # TLSv1 and TLSv1.1 are deprecated; current builds accept "TLSv1.2 TLSv1.3"
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
        }
    }

There are many directives, but the key ones are lines 1, 4, 7 and 8.

Line 1 listens on port 443, the default https port; line 4 turns ssl on; line 7 sets the public key certificate; and line 8 sets the server private key.

Then restart the nginx service.
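Before the restart, as an added example that is not part of the original article, here are shell checks built on openssl that catch the usual deployment mistakes: a .key that does not belong to the .pem, a certificate that does not cover the domain, one that is about to expire, and a bundle missing its intermediates. It assumes openssl is installed; CERT, KEY and DOMAIN are placeholders for cert/a.pem, cert/a.key and your own domain name.

```shell
#!/bin/sh
# Added example: checks to run on the downloaded a.pem / a.key before restarting nginx.
# Assumes openssl is installed; CERT, KEY and DOMAIN are placeholders supplied by the caller.
set -eu

# cert_matches_key CERT KEY -> 0 if the public key inside the certificate is the one derived from KEY
# (a mismatch is the usual reason nginx refuses to start after a certificate renewal)
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# cert_covers_domain CERT DOMAIN -> 0 if the certificate's names match DOMAIN the way a browser checks them
cert_covers_domain() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match certificate'
}

# cert_valid_for_days CERT DAYS -> 0 if the certificate will still be valid DAYS days from now
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_chain_count CERT -> number of certificates in the PEM bundle (leaf plus intermediates)
cert_chain_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# preflight CERT KEY DOMAIN -> prints each finding; returns 0 only if every hard check passed
preflight() {
    ok=0
    cert_matches_key "$1" "$2" && echo "key matches certificate" || { echo "KEY DOES NOT MATCH CERTIFICATE"; ok=1; }
    cert_covers_domain "$1" "$3" && echo "certificate covers $3" || { echo "CERTIFICATE DOES NOT COVER $3"; ok=1; }
    cert_valid_for_days "$1" 30 && echo "valid for 30+ days" || { echo "EXPIRES WITHIN 30 DAYS"; ok=1; }
    [ "$(cert_chain_count "$1")" -ge 2 ] && echo "bundle includes intermediates" || echo "warning: only one certificate in bundle"
    return $ok
}

# restart_nginx_if_valid -> test the configuration first, then reload; never restart on a broken config
restart_nginx_if_valid() {
    nginx -t && nginx -s reload
}
```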

That is how to configure an https certificate in nginx, as shared by the editor. If you have a similar question, you may find the analysis above helpful. To learn more, follow the industry information channel.
