Steps to set up HTTPS website based on Nginx

Preface:

First, let me briefly explain why we are using the HTTPS protocol now:

In fact, the biggest reason for using the HTTPS protocol is that the HTTP protocol is not secure: HTTP transmits data in plain text, so when the client enters a username and password, they are exposed in readable form. The HTTPS protocol, on the other hand, transmits data as ciphertext, which means the data is encrypted during transmission.

HTTPS solves the problem of data transmission security with encryption algorithms, specifically a hybrid scheme that combines symmetric and asymmetric encryption algorithms.

Encryption algorithm:

  • Symmetric encryption: The same key is used for both encryption and decryption; common symmetric encryption algorithms include DES, 3DES, and AES.
  • Asymmetric encryption: Encryption and decryption require the use of two different keys, a public key and a private key. The commonly used asymmetric encryption algorithm is the RSA algorithm.

1. Introduction to HTTPS

HTTPS actually consists of two parts: HTTP + SSL/TLS, which means that a module for processing encrypted information is added to HTTP. Information transmission between the server and the client will be encrypted via TLS, so the transmitted data is encrypted data.

HTTPS protocol principle:

  • The client accesses the server's port 443 via the HTTPS protocol;
  • The server will respond to the client and send the certificate, which contains the public key;
  • After receiving the certificate, the client will request the CA to determine whether the certificate is valid. If it is invalid, the client will prompt a warning message, indicating that the certificate is not safe;
  • If the certificate is valid, the client will generate a random value;
  • The client will use the certificate sent by the server to encrypt the random value and then send it to the server;
  • After receiving it, the server will use the local private key to decrypt it to obtain the client's random value. When the server sends data, it will use the random value to encrypt the data, that is, to generate a public key, and the random value is the private key;
  • The server sends encrypted data to the client;
  • After receiving the data, the client will use the random value to decrypt it, thereby successfully transmitting the data.
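
The exchange in the list above can be replayed with the OpenSSL command line. This is an added example, not part of the original article: the function name hybrid_demo and all file names are assumptions, and it leaves out the rest of what real TLS does (certificate validation, negotiation, integrity protection).

```shell
#!/bin/sh
# Added example: RSA protects the random value, AES protects the data.
# Assumes the OpenSSL CLI; hybrid_demo and all file names are illustrative.

hybrid_demo() {   # $1 = work directory, $2 = message the server sends
    w=$1
    # Server: RSA key pair. The public half is what the certificate carries.
    openssl genrsa -out "$w/server.key" 2048 2>/dev/null || return 1
    openssl pkey -in "$w/server.key" -pubout -out "$w/server.pub" || return 1

    # Client: generate the random value and encrypt it with the public key.
    openssl rand -hex 32 > "$w/client.secret" || return 1
    openssl pkeyutl -encrypt -pubin -inkey "$w/server.pub" \
        -in "$w/client.secret" -out "$w/secret.enc" || return 1

    # Server: recover the random value with the private key.
    openssl pkeyutl -decrypt -inkey "$w/server.key" \
        -in "$w/secret.enc" -out "$w/server.secret" || return 1

    # Both sides now share the value; it becomes the symmetric AES-256 key.
    iv=$(openssl rand -hex 16)
    printf '%s' "$2" | openssl enc -aes-256-cbc -iv "$iv" \
        -K "$(cat "$w/server.secret")" -out "$w/data.enc" || return 1

    # Client: decrypt the server's data with its own copy of the value.
    openssl enc -d -aes-256-cbc -iv "$iv" \
        -K "$(cat "$w/client.secret")" -in "$w/data.enc"
}

work=$(mktemp -d)
echo "client decrypted: $(hybrid_demo "$work" 'hello over TLS')"
rm -rf "$work"
```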

2. Nginx implements HTTPS website settings

1. Install Nginx

[root@Nginx ~]# yum -y install pcre-devel zlib-devel popt-devel openssl-devel openssl
[root@Nginx ~]# wget http://www.nginx.org/download/nginx-1.18.0.tar.gz
[root@Nginx ~]# ls
anaconda-ks.cfg nginx-1.18.0.tar.gz
[root@Nginx ~]# tar zxf nginx-1.18.0.tar.gz -C /usr/src/
[root@Nginx ~]# cd /usr/src/nginx-1.18.0/
[root@Nginx nginx-1.18.0]# useradd -M -s /sbin/nologin nginx
[root@Nginx nginx-1.18.0]# ./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-file-aio \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-http_flv_module \
--with-http_ssl_module \
--with-pcre && make && make install
[root@Nginx nginx-1.18.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@Nginx nginx-1.18.0]# cd
[root@Nginx ~]# nginx
[root@Nginx ~]# netstat -anpt | grep 80

2. Create a server certificate key file

[root@Nginx ~]# openssl genrsa -des3 -out server.key 2048 # 2048 bits; 1024-bit RSA keys are too weak
...
Enter pass phrase for server.key: # Enter password
Verifying - Enter pass phrase for server.key: # Confirm password

3. Create an application file for the server certificate

[root@Nginx ~]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: # Enter the password you created earlier
...
Country Name (2 letter code) [XX]:CN # Country code. China enters CN
State or Province Name (full name) []:BeiJing # Full name of the province. Pinyin
Locality Name (eg, city) [Default City]:BeiJing # Full name of the city. Pinyin
Organization Name (eg, company) [Default Company Ltd]:Coco # Company English name
Organizational Unit Name (eg, section) []: # You can leave it blank
Common Name (eg, your name or your server's hostname) []:www.Coco.com # Domain name
Email Address []:[email protected] # Email address. Feel free to fill in
...
A challenge password []: # This is optional
An optional company name []: # This is optional

Back up a server key file

[root@Nginx ~]# cp server.key server.key.org

Remove file password

[root@Nginx ~]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org: #

4. Generate certificate files

[root@Nginx ~]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=Coco/CN=www.Coco.com/[email protected]
Getting Private key
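
Before the files are copied into Nginx, it is worth confirming that the certificate and key belong together and that the key size and lifetime are as intended. The script below is an added example, not part of the original article: it repeats steps 2 to 4 without prompts (writing a 2048-bit key with no pass phrase), and the function names are assumptions.

```shell
#!/bin/sh
# Added example: steps 2-4 without prompts, then the checks to run before
# copying the files into Nginx. Assumes the OpenSSL CLI; function names are
# illustrative and the subject fields are the article's sample values.

make_selfsigned() {   # $1 = output directory, $2 = common name
    # 2048-bit key written without a pass phrase, so no "remove password" step.
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$1/server.key"      # unencrypted key: readable by owner only
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=Coco/CN=$2" || return 1
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Print "match" if the certificate's public key belongs to the private key.
cert_matches_key() {  # $1 = certificate, $2 = private key
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# Print the public key size in bits as recorded in the certificate.
cert_key_bits() {     # $1 = certificate
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the certificate is still valid $2 days from now.
cert_valid_in_days() { # $1 = certificate, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

dir=$(mktemp -d)
make_selfsigned "$dir" www.Coco.com &&
    echo "key/cert: $(cert_matches_key "$dir/server.crt" "$dir/server.key")," \
         "$(cert_key_bits "$dir/server.crt") bits"
rm -rf "$dir"
```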

5. Modify the Nginx main configuration file

[root@Nginx ~]# mkdir -p /usr/local/nginx/conf/ssl
[root@Nginx ~]# cp server.crt server.key /usr/local/nginx/conf/ssl/
[root@Nginx ~]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 443;                          # Listening port
    ssl on;                              # Enable SSL
    ssl_certificate ssl/server.crt;      # PS: I use a relative path here. You can use an absolute path
    ssl_certificate_key ssl/server.key;  # The system will look for it in the /usr/local/nginx/conf/ directory
    server_name www.Coco.com;            # The domain name corresponding to the certificate
    ...
}
[root@Nginx ~]# nginx -s reload # Restart Nginx service

If the reload prints nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" , it is because the Nginx version is higher than 1.15; Nginx can still be started normally.

Verification: Visit the domain name you just set https://www.Coco.com/

Redirecting client access from http to https:

The configuration file needs an additional server block, because the http protocol uses port 80 and the https protocol uses port 443.

If you want to redirect from http to https, you need to configure two virtual hosts (based on different ports) and then use rewrite to redirect.

Misconfiguration:

There is no logical problem in opening multiple ports in the same server block, but problems arise once rewrite is configured.

Problem: When the client accesses http, it is redirected, but when it accesses https, it is redirected as well, which results in too many redirects.

server {
    listen 80;
    listen 443;
    server_name www.Coco.com;
    root html;
    index index.html index.htm;
    rewrite ^(.*)$ https://$host$1 permanent;
}

Correct configuration:

The fix is to separate port 80 from port 443; in simple terms, configure virtual hosts based on different ports.

In this way, requests to port 80 are redirected, while requests to port 443 are served directly.

[root@Nginx ~]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 80;
    server_name www.Coco.com;
    rewrite ^(.*)$ https://$host$1 permanent;
    ...
}
server {
    listen 443;
    ssl on;
    ssl_certificate ssl/server.crt;
    ssl_certificate_key ssl/server.key;
    server_name www.Coco.com;
    ...
}
[root@localhost ~]# nginx -s reload
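
The misconfiguration can be caught before a reload by scanning the configuration for server blocks that listen on 443 and also redirect unconditionally to https. This is an added example, not part of the original article: find_redirect_loops and write_sample_conf are hypothetical names, the sample configuration is constructed from the two cases above, and the reader assumes one directive per line.

```shell
#!/bin/sh
# Added example: flag server blocks that reproduce the "too many redirects"
# case. Simplified line-based reader (one directive per line), not Nginx's parser.

find_redirect_loops() {   # $1 = path to an Nginx configuration file
    awk '
    { sub(/#.*/, "") }                               # ignore comments
    /^[ \t]*server[ \t]*[{]/ { in_srv = 1; depth = 0; start = NR; tls = 0; redir = 0 }
    in_srv {
        # Only directives directly inside server { } count (depth 1), so a
        # rewrite guarded by an if or location block is not reported.
        if (depth == 1 && $1 == "listen") {
            port = $2; sub(/;$/, "", port); sub(/^.*:/, "", port)
            if (port == "443") tls = 1
        }
        if (depth == 1 && ($1 == "rewrite" || $1 == "return") && /https:\/\//) redir = 1
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (depth == 0) {
            if (tls && redir)
                printf "line %d: server listens on 443 and always redirects to https\n", start
            in_srv = 0
        }
    }' "$1"
}

# Constructed sample: the misconfigured block, then the corrected pair.
write_sample_conf() {     # $1 = file to create
    cat > "$1" <<'EOF'
server {
    listen 80;
    listen 443;
    server_name www.Coco.com;
    rewrite ^(.*)$ https://$host$1 permanent;
}
server {
    listen 80;
    rewrite ^(.*)$ https://$host$1 permanent;
}
server {
    listen 443;
    ssl on;
}
EOF
}

conf=$(mktemp) && write_sample_conf "$conf" && find_redirect_loops "$conf"
rm -f "$conf"
```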

Verification: Visit http://www.Coco.com
