
How to configure ssl encryption for nginx

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains in detail how to configure ssl encryption for nginx. The content is shared as a reference; after reading it you should have a working understanding of the relevant settings.

Configuring ssl under nginx is easy, whether you buy an SSL certificate from a certification authority or use a self-signed one, but a recent requirement from the company's OA system gave me a chance to actually work through it. At first it used site-wide encryption: every request to http:80 was forcibly rewritten to https. Later the automated test results said the response speed was too slow, with https 30 times slower than http. I wonder how that is possible, and who knows how they measured it. So I tried https for only some pages (rather than encrypting only certain dynamic requests) and two-way authentication. The following sections describe each.

By default nginx does not have the ssl module installed, so add the --with-http_ssl_module option when you compile and install nginx.

Tip: the hop from nginx to the back-end server is not encrypted, because it is generally on an intranet.

1. Site-wide ssl

Site-wide ssl is the most common scenario. The default port is 443, and it is generally one-way authentication (only the server presents a certificate).

    server {
        listen 443;
        server_name example.com;
        root /apps/www;
        index index.html index.htm;
        ssl on;
        ssl_certificate ./SSL/ittest.pem;
        ssl_certificate_key ./SSL/ittest.key;
        # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        # ssl_prefer_server_ciphers on;
    }

If you want to force http requests to https:

    server {
        listen 80;
        server_name example.me;
        rewrite ^ https://$server_name$request_uri? permanent;
        ### a return is more efficient than a rewrite here
        # return 301 https://$server_name$request_uri;
    }

The ssl_certificate file is actually the public certificate, which is sent to every client that connects to the server; the ssl_certificate_key private key is used for decryption, so its permissions must be restricted, but it must still be readable by the nginx master process. The private key and certificate can also be placed in a single file; even then only the public certificate is sent to the client.

The ssl_protocols directive enables specific protocol versions. Nginx defaults to ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; TLSv1.1 and TLSv1.2 are available since 1.1.13 and 1.0.12 and require OpenSSL >= 1.0.1. SSLv3 is still in use in many places, but it has many exploited vulnerabilities.

ssl_ciphers selects the cipher suites, and different browsers may support different suites (and orders). The value is written in the format the OpenSSL library recognizes; you can list the algorithms a given string selects with openssl ciphers -v 'RC4:HIGH:!aNULL:!MD5' (followed by whichever cipher string you specified).

When negotiating the encryption algorithm, ssl_prefer_server_ciphers on gives priority to the server's cipher suite order rather than the client browser's.

Https optimization parameters

ssl_session_cache shared:SSL:10m; sets the type and size of the ssl/tls session cache. The possible types are off, none, builtin and shared; the builtin cache (the one built into OpenSSL) may cause memory fragmentation. The default is none, which is similar to off: the cache is disabled. shared:SSL:10m means all nginx worker processes share one session cache named SSL, and the official documentation says 1m can hold about 4000 sessions. See the ssl_session_cache question and answer on serverfault for details.

ssl_session_timeout: how long a client may reuse the ssl parameters stored in the session cache. The default is 5 minutes, which is too short; it can be set to 30m, that is 30 minutes, or even 4h.

Setting a longer keepalive_timeout also reduces the overhead of ssl session negotiation, but the number of concurrent connections must be considered at the same time.
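As an added illustration (not code from the original article), the following script checks an nginx server block for the settings discussed above: SSLv3 left in ssl_protocols, ssl_prefer_server_ciphers not on, no ssl_session_cache, and a session timeout shorter than 30m. The two sample blocks are constructed here to mirror the page's weak and tuned configurations.

```python
import re
# Constructed samples modelled on this page's directives (not the author's actual nginx.conf).
WEAK_BLOCK = """
server {
    listen 443;
    ssl on;
    ssl_certificate ./SSL/ittest.pem;
    ssl_certificate_key ./SSL/ittest.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # ssl_prefer_server_ciphers on;
}
"""
HARDENED_BLOCK = """
server {
    listen 443 ssl;
    ssl_certificate ./SSL/ittest.pem;
    ssl_certificate_key ./SSL/ittest.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 30m;
}
"""
def parse_directives(block: str) -> dict:
    """Collect 'name args;' lines as {name: [args]}; '#' comments are dropped first."""
    found = {}
    for raw in block.splitlines():
        m = re.match(r"^([a-z_]+)\s+(.*);$", raw.split("#", 1)[0].strip())
        if m:
            found[m.group(1)] = m.group(2).split()
    return found
def minutes(value: str) -> float:
    """Convert an nginx time such as '5m', '4h' or '300' (seconds) to minutes."""
    units = {"s": 1 / 60, "m": 1, "h": 60}
    return float(value[:-1]) * units[value[-1]] if value[-1] in units else float(value) / 60
def check_ssl_block(block: str) -> list:
    """Return findings for the settings the page discusses; [] means nothing flagged.
    Fallbacks are the nginx defaults the page states: SSLv3 on, no cache, 5m timeout."""
    d = parse_directives(block)
    out = []
    if "SSLv3" in d.get("ssl_protocols", ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]):
        out.append("ssl_protocols: SSLv3 enabled; it has known exploited weaknesses")
    if d.get("ssl_prefer_server_ciphers", ["off"]) != ["on"]:
        out.append("ssl_prefer_server_ciphers: off, so the client's cipher order wins")
    if "ssl_session_cache" not in d:
        out.append("ssl_session_cache: unset, every connection negotiates a new session")
    if minutes(d.get("ssl_session_timeout", ["5m"])[0]) < 30:
        out.append("ssl_session_timeout: under 30m, sessions expire before they are reused")
    return out
```

Run check_ssl_block on a block copied from your own nginx.conf; the weak sample yields four findings and the hardened one none.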

Tip: if you enter a password when generating the certificate request (csr), nginx will prompt for that password every time it starts. Instead, you can use the private key to generate a copy with the passphrase removed; the effect is the same, and nginx restarts without asking for the password:

    openssl rsa -in ittest.key -out ittest_unsecure.key

Import certificate

If you have a well-known SSL certificate authority such as VeriSign, WoSign or StartSSL sign the certificate, browsers already ship with and trust these root certificates. If you run a self-built CA or obtain a second-level CA authorization, you need to add the CA certificate to the browser so that no insecure-connection warning appears when visiting the site. How to add it in each browser is beyond the scope of this article.

2. Partial page ssl

Not all information on a site is confidential. In an online shopping mall, for example, ordinary browsing of goods does not go through https, but users are forced onto https when they log in and pay, so that both access speed and security are taken into account.

But be careful not to get this wrong: the URL in the address bar usually triggers many requests, including static files such as css/png/js and dynamic java or php requests, so the content to be encrypted must include the other resources the page loads, otherwise http and https content are mixed. When an http page includes https content, the page layout is unaffected; when an https page includes images, js and other resources loaded over http, browsers block them for security reasons.

Here is an example that encrypts only the example.com/account/login login page:

    root /apps/www;
    index index.html index.htm;

    server {
        listen 80;
        server_name example.com;
        location ^~ /account/login {
            rewrite ^ https://$server_name:443$request_uri? permanent;
        }
        location / {
            proxy_pass http://localhost:8080;
            # Set headers
            # proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
        }
    }

    server {
        listen 443 ssl;
        server_name example.com;
        ssl on;
        ssl_certificate ./SSL/ittest.pem;
        ssl_certificate_key ./SSL/ittest.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
        location ^~ /account/login {
            proxy_pass http://localhost:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
            # Most PHP, Python, Rails, Java apps can use this header -> https
            # proxy_set_header X-Forwarded-Proto $scheme;
        }
        location / {
            rewrite ^ http://$server_name$request_uri? permanent;
        }
    }

For more information about rewrite and location, please refer here. When the browser accesses http://example.com/account/login.xx, it is redirected to https://example.com/account/login.xx; /account/login is matched in the ssl-encrypted virtual host and proxied to the back-end server, and that onward hop does not use https. The other resources on the login.xx page are also requested from nginx over https. After a successful login, the link that jumps to the home page uses http, which may need to be controlled in the application code.

proxy_set_header X-Forwarded-Proto $scheme is used in the configuration above so that a jsp page obtains https from request.getScheme(). If the request's $scheme is not passed in a header, the back-end jsp page will always treat the request as http, which leads to exceptions in the response.

Like the unencrypted port 80 block, the ssl configuration block also has a location / which redirects to the unencrypted port when the user accesses the home page directly via https; remove it if you want to allow that.

3. Implement two-way ssl authentication

The two configurations above verify that the domain name of the visited site is trustworthy and encrypt the transmission, but the server does not authenticate whether the client is trustworthy. (In fact, unless the scenario is particularly important, there is no need to authenticate visitors, except in cases such as a bank's USB key, the "U shield".)

To achieve two-way authentication, the CA certificate (root certificate / intermediate certificate) must be imported on the nginx server, because the server now verifies the client's information through the CA. A client certificate must also be generated in the same way as when applying for the server certificate. After obtaining the client certificate, convert it into a format the browser recognizes (most browsers recognize PKCS12):

    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Then hand client.p12 to the people you trust so they can import it into their browser. When they visit the site to establish a connection, nginx asks the client to present its certificate for verification and denies access if it does not have one.

At the same time, don't forget to configure the trusted CA in nginx.conf (if it is a secondary CA, append the root CA after it to form a CA certificate chain):

    proxy_ignore_client_abort on;
    ssl on;
    ...
    ssl_verify_client on;
    ssl_verify_depth 2;
    ssl_client_certificate ../SSL/ca-chain.pem;
    # added under the two-way authenticated location:
    proxy_set_header X-SSL-Client-Cert $ssl_client_cert;

Extension: using the geo module

nginx installs ngx_http_geo_module by default. The geo module sets a variable's value according to the client IP; here it is used so that access to the login page from the 172.29.73.0 segment uses two-way authentication while other segments use ordinary one-way authentication.

    geo $duplexing_user {
        default 1;
        include geo.conf;   # Note: since version 0.6.7, include is relative to the directory of nginx.conf
    }

The syntax is geo [$address] $variable { ... }, placed in the http context. The default address is $remote_addr. Assume conf/geo.conf contains:

    127.0.0.1/32      SEAN;   # local
    172.29.73.23/32   SEAN;   # a single IP
    172.29.73.0/24    1;      # IP segment; a country or region definition can also follow

You need to configure another virtual host (server { listen 445 ssl; ... }) that uses the two-way authentication above, and then test the variable $duplexing_user in the port 80 or 443 server: if it is 1, rewrite to 445, otherwise rewrite to 443.
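The geo lookup and the port decision described above, as an added example that is not part of the original article: it parses a geo.conf in the format shown (the file content here is constructed), resolves the most specific matching network the way nginx geo does, and maps the $duplexing_user value to port 445 (two-way) or 443 (one-way).

```python
import ipaddress

# Constructed geo.conf content in the format shown above (not the author's real file).
GEO_CONF = """
127.0.0.1/32      SEAN;   # local
172.29.73.23/32   SEAN;   # a single IP
172.29.73.0/24    1;      # IP segment that must use two-way authentication
"""
DEFAULT_VALUE = "1"  # from 'default 1;' in the geo block above

def parse_geo(text: str) -> list:
    """Parse 'network value;' lines, dropping '#' comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        net, value = line.split()
        entries.append((ipaddress.ip_network(net, strict=False), value))
    return entries

def geo_lookup(client_ip: str, entries: list, default: str = DEFAULT_VALUE) -> str:
    """Return the value of the most specific (longest prefix) matching network."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, value in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else default

def choose_port(client_ip: str, entries: list) -> int:
    """Mirror the rule above: $duplexing_user == 1 -> port 445 (two-way), else 443."""
    return 445 if geo_lookup(client_ip, entries) == "1" else 443
```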

That is all on how to configure nginx ssl encryption. I hope the above content is of some help to you. If you think the article is good, share it so more people can see it.
