1. Introduction

Are you still leaving your website exposed on the Internet? Here we will build a free version of HTTPS. Free, free, free; I say it three times because it is important.

The Hypertext Transfer Protocol (HTTP) is used to transfer information between a web browser and a website server. HTTP sends content in plain text and provides no form of data encryption. If an attacker intercepts the messages exchanged between a web browser and a website server, the attacker can read the information in them directly. HTTP is therefore not suitable for transmitting sensitive information such as credit card numbers, passwords and other payment details. To fix this defect of HTTP, another protocol is needed: HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer). For the security of data transmission, HTTPS adds the SSL protocol on top of HTTP. SSL relies on certificates to verify the identity of the server and encrypts the communication between the browser and the server.

2. Advantages of HTTPS

HTTPS is not absolutely secure: an organization that controls a root certificate or the encryption algorithms can still mount a man-in-the-middle attack. Nevertheless, HTTPS is the most secure solution under the current architecture, with the following main benefits:
(1) HTTPS can authenticate the user and the server, ensuring that data is sent to the correct client and server;
(2) HTTPS is a network protocol built from SSL + HTTP that performs encrypted transmission and identity authentication. It is more secure than HTTP and prevents data from being stolen or altered in transit, thus ensuring the integrity of the data.
(3) HTTPS is the most secure solution under the current architecture. Although it is not absolutely secure, it greatly increases the cost of man-in-the-middle attacks.
(4) Google adjusted its search engine algorithm in August 2014 and stated that "websites using HTTPS encryption will rank higher in search results than equivalent HTTP websites."

3. Disadvantages of HTTPS

Although HTTPS has great advantages, it still has some shortcomings:
(1) The HTTPS handshake phase is time-consuming; it extends page loading time by nearly 50% and increases power consumption by 10% to 20%;
(2) HTTPS connection caching is not as efficient as HTTP, which increases data overhead and power consumption and can even affect existing security measures;
(3) SSL certificates cost money. The more capable the certificate, the higher the fee. Personal or small websites generally do not need them.
(4) SSL certificates usually need to be bound to an IP address, and multiple domain names cannot be bound to the same IP address; IPv4 resources cannot support this consumption.
(5) The encryption scope of HTTPS is also relatively limited; it has almost no effect against hacker attacks, denial-of-service attacks, server hijacking and so on. Most importantly, the trust chain of SSL certificates is not secure: when some countries can control a CA root certificate, man-in-the-middle attacks are still feasible.

4. Download certbot

Use git to download it. If you haven't installed git yet, check how to install it.
Change directory:
cd /usr/local
Clone the git repository:
git clone https://github.com/certbot/certbot.git
After cloning completes, the certbot directory will appear in /usr/local/.

5. View certbot

Change to the certbot directory:
cd /usr/local/certbot
If the directory looks like this, the installation was successful.
Common certbot commands: see the official documentation.

6. Install nginx

See the nginx installation document.

7. Apply for an https certificate

View current certificates:
./certbot-auto certificates
The first execution will install some dependencies.
There will be a confirmation prompt partway through; enter Y.

Start applying for a certificate (the certificate is valid for 3 months and must be applied for again after it expires).

Method 1: DNS verification. This method requires that you are able to configure the domain name's DNS records. I personally prefer this method.
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d <your domain name> --manual --preferred-challenges dns-01 certonly

For example:
Configuring a wildcard domain name. Copy the code as follows (the wildcard is quoted so the shell does not expand it as a file glob):
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d '*.nl166.com' --manual --preferred-challenges dns-01 certonly
Configuring a specific domain name. Copy the code as follows:
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d api.nl166.com --manual --preferred-challenges dns-01 certonly
Configuring a secondary wildcard domain name. Copy the code as follows:
./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d '*.api.nl166.com' --manual --preferred-challenges dns-01 certonly

As shown in the picture above, you will be asked to enter an email address the first time. Enter it as required. An email will then be sent to you, and you need to click the link in it to confirm your email address, so be sure to fill in a real email address and confirm it as required; if you do not confirm, you cannot proceed. Next, you will be asked to verify the domain name by creating a TXT record as required.
Save and confirm, then return to the server to confirm.
The above two files are the certificates used to configure https.

Method 2: Using plugins. Let's first see what the official documentation says. Here I use nginx (it will automatically restart nginx for you after applying). This method cannot configure wildcard domain names; you can only add them one by one:
./certbot-auto --nginx -d api2.nl166.com

To solve the above error (note that /usr/local/nginx should be replaced with the actual installation location of your nginx, for example the LNMP installation location), create these links:
ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx
ln -s /usr/local/nginx/conf/ /etc/nginx

Run the application again. You will be asked whether to redirect HTTP traffic to HTTPS and remove HTTP access; choose according to your needs. I declined here (in fact this step can be skipped entirely: after testing, the https URL could already be accessed before this step was chosen).

If you want to skip the question step, add certonly. That will only generate the certificate without doing anything else; the certificate configuration must then be added manually as follows:
./certbot-auto certonly --nginx -d api2.nl166.com

As shown in the figure above, if you have configured a server block listening on port 443, it will automatically find the configuration file for the corresponding domain name and add the following two lines. It also messes up my formatting: the indentation of the closing } does not match the indentation of the opening {, but this does not affect the function. I don't know whether it decides to add ssl on; according to the nginx version; my version of nginx does not require it, but lower versions need to add ssl on; to enable https access. If port 443 of the domain name is not listened on, the information will be added in the following location. Please explore other methods on your own.

8. Configure nginx to support https

# HTTPS server
server {
    listen 443 ssl;
    server_name api2.nl166.com;
    root /data/web/im.nl166.com;

    location / {
        index index.php;
    }

    #auth_basic "hello world";
    #auth_basic_user_file /usr/local/nginx/conf/auth/nl166.auth;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # deny access to version-control directories (dot escaped so it matches literally)
    location ~ .*\.(svn|git|cvs) {
        deny all;
    }

    ssl_certificate /etc/letsencrypt/live/api2.nl166.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/api2.nl166.com/privkey.pem; # managed by Certbot
}

For earlier versions, you need to add ssl on; to enable https access.

9. Use shell scripts and scheduled tasks to renew certificates regularly

Note: to avoid hitting the limit on the number of operations, add the --dry-run parameter first. After it executes correctly, remove it and perform the real renewal.

Renewal by Method 1: the domain name is the ****.conf file in the /etc/letsencrypt/renewal/ directory, where **** is the domain name you filled in. For example, when I generated it I used *.nl166.com, but the file that was actually generated has no *. Replace /home/certbot-sh/au.sh with your own script for updating DNS, as follows. Copy the code as follows:
./certbot-auto renew --cert-name nl166.com --manual-auth-hook /data/shell/crontab/auto_update_httpscert.sh --dry-run

Put the renewal command into a file. I put it in /data/shell/crontab/auto_update_httpscert.sh; its content is as follows. The original auto_update_httpscert.sh is renamed to /data/shell/cnl_update_httpscert.sh.

Add a system scheduled task:
crontab -e
# Update the https certificate at 5:00 a.m. every Sunday
0 5 * * 0 sh /data/shell/crontab/auto_update_httpscert.sh

The renewal method for Method 2 is as follows:
./certbot-auto certonly --renew-by-default --nginx -d api2.nl166.com --dry-run
For adding the system scheduled task, refer to Method 1.

The above is the full content of this article. I hope it will be helpful for everyone's study. I also hope that everyone will support 123WORDPRESS.COM.
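The DNS-updating script that section 9 passes to --manual-auth-hook is not shown on this page. Below is an added example (not the article's own script, and not certbot project code) of what such a hook has to do for the DNS-01 challenge described in Method 1: certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook, and the hook must publish a TXT record named _acme-challenge.<domain> with the validation value and wait until it is visible before returning. The provider API call is an assumption: publish_txt_record and remove_txt_record are placeholders that record the name/value pair in a state file (path ACME_HOOK_STATE, also an assumption) instead of calling a real DNS API, and the cleanup mode removes it again. The hostnames in the usage notes are the article's own.

```shell
#!/bin/sh
# Added example, not the article's own script: a certbot manual hook for the
# DNS-01 challenge. certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to
# the hook; the hook must publish a TXT record named _acme-challenge.<domain>
# holding the validation value and return once it is visible.
# Usage with certbot:
#   --manual-auth-hook    "/path/acme-dns-hook.sh auth"
#   --manual-cleanup-hook "/path/acme-dns-hook.sh cleanup"
set -eu

# ASSUMPTION: where this example records what it published. A real hook would
# talk to the DNS provider's API instead (see publish_txt_record below).
STATE_FILE="${ACME_HOOK_STATE:-/tmp/acme-dns-hook.state}"

# Build the record name certbot expects. certbot normally passes the base name
# for a wildcard (no leading "*."); strip it defensively anyway.
acme_txt_name() {
    domain="${1#\*.}"
    printf '_acme-challenge.%s\n' "$domain"
}

# The validation value is base64url text. Refuse anything else so a malformed
# value is never interpolated into a provider API request or a shell command.
validation_is_sane() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# PLACEHOLDER for the provider API: append "name value" to the state file.
# Replace the body with your provider's create-TXT-record call.
publish_txt_record() {
    printf '%s %s\n' "$1" "$2" >> "$STATE_FILE"
}

# PLACEHOLDER for the provider API: drop the matching record again.
remove_txt_record() {
    [ -f "$STATE_FILE" ] || return 0
    grep -vF "$1 $2" "$STATE_FILE" > "$STATE_FILE.tmp" || true
    mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# Poll public DNS until the TXT record is visible, so certbot does not ask the
# ACME server to validate before the record has propagated.
wait_for_record() {
    name="$1"; value="$2"; tries="${3:-12}"
    if ! command -v dig >/dev/null 2>&1; then
        echo "dig not found; sleeping 30s instead of checking propagation" >&2
        sleep 30
        return 0
    fi
    i=0
    while [ "$i" -lt "$tries" ]; do
        if dig +short TXT "$name" | grep -qF "\"$value\""; then
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record $name with the expected value not visible after $tries tries" >&2
    return 1
}

main() {
    mode="${1:-auth}"
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    validation_is_sane "${CERTBOT_VALIDATION:-}" || {
        echo "refusing unexpected CERTBOT_VALIDATION value" >&2
        exit 1
    }
    case "$mode" in
        auth)
            publish_txt_record "$name" "$CERTBOT_VALIDATION"
            wait_for_record "$name" "$CERTBOT_VALIDATION"
            ;;
        cleanup)
            remove_txt_record "$name" "$CERTBOT_VALIDATION"
            ;;
        *)
            echo "usage: $0 auth|cleanup" >&2
            exit 2
            ;;
    esac
}

# Only act when invoked by certbot (it sets CERTBOT_DOMAIN); otherwise the
# functions above are merely defined, which keeps the file sourceable.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main "$@"
fi
```

With the provider call filled in, the renewal command from section 9 becomes ./certbot-auto renew --cert-name nl166.com --manual-auth-hook "/path/acme-dns-hook.sh auth" --manual-cleanup-hook "/path/acme-dns-hook.sh cleanup" --dry-run; keep --dry-run until the hook works end to end, as the section advises, because each real attempt counts against the Let's Encrypt rate limit. The propagation wait matters for wildcard names especially: the ACME server queries the authoritative name servers for _acme-challenge.<base domain>, and if the record is not yet served there the challenge fails and has to be retried.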