How to implement https with nginx and openssl

If the server data is not encrypted and authenticated using an SSL certificate, the user's data will be transmitted in plain text. This makes it possible to obtain the user's password information using packet capture tools, which is very dangerous. It is also impossible to verify data consistency and integrity, and cannot ensure that the data has not been changed during transmission. Therefore, if the website involves important information such as user accounts, it is usually necessary to configure and use an SSL certificate to implement the https protocol.

SSL certificates in production environments need to be purchased through a third-party certification agency. They are divided into professional version OV certificates (the company name is not displayed in the browser address bar) and advanced version EV certificates (the company name can be displayed). The number of domain names protected by the certificate will also affect the price (for example, the price is different for www certification and wildcard * certification), and third-level domain names are not supported. During the test, you can create a certificate yourself as a certificate authority. The browser will display it in red, indicating that the certificate has expired or is invalid. If it is yellow, it means that some connections on the website are still using the http protocol.

Regardless of which method is used, the configuration of Nginx is the same after obtaining the certificate, so here is a complete description of setting up OpenSSL and making a certificate.

1. Prepare the environment

1) nginx service

2) SSL module

[root@ns3 ~]# systemctl stop firewalld
[root@ns3 ~]# iptables -F
[root@ns3 ~]# setenforce 0
[root@ns3 ~]# yum -y install pcre zlib pcre-devel zlib-devel
[root@ns3 ~]# tar xf nginx-1.16.0.tar.gz -C /usr/src/
[root@ns3 ~]#cd /usr/src/nginx-1.16.0
[root@ns3 ~]#./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module&&make && make install #Install the modules required later at one time

3) Check whether openssl is installed

[root@ns3 ~]# rpm -qa openssl 2 openssl-1.0.1e-42.el7.x86_64

If not installed

[root@ns3 ~]# yum -y install openssl openssl-devel

2. Create a root certificate CA

1. Generate CA private key

[root@ns3 ~]# cd zhengshu/
[root@ns3 zhengshu]# openssl genrsa -out local.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................................................................................................................................................................................................................+++
............................................................................................................................................................................................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# ls
local.key

2. Generate CA certificate request

[root@ns3 zhengshu]# openssl req -new -key local.key -out local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #State or Province Name (full name) []:BJ #Locality Name (eg, city) [Default City]:BJ #Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test #DepartmentCommon Name (eg, your name or your server's hostname) []:test #HostnameEmail Address []:[email protected] #EmailPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan #Password An optional company name []:wuminyan #Name [root@ns3 zhengshu]# ls
local.csr local.key

req: This is a large command that provides generation of certificate request files, verification of certificates, and creation of root CAs
 -new: means to generate a new certificate request -x509: directly output the certificate -key: the private key file used when generating the certificate request -out: output file

3. Generate CA root certificate

This command to generate a CA certificate is confusing. 1. Generate a certificate request file using a secret key. 2. Generate the final certificate using a certificate request file. -in Generate a certificate using a certificate request file. -signkey specifies the private key. This is a parameter that I don't understand yet. [root@ns3 zhengshu]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/[email protected]
Getting Private key

3. Create a server certificate based on the CA certificate

1. Generate server private key

[root@ns3 zhengshu]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.........................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# ls
local.crt local.csr local.key my_server.key

2. Generate server certificate request

[root@ns3 zhengshu]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/[email protected]
Getting Private key
[root@ns3 zhengshu]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.........................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# openssl req -new -key my_server.key -out my_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []: BJ
Locality Name (eg, city) [Default City]: BJ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan
An optional company name []:wuminyan
[root@ns3 zhengshu]# ls
local.crt local.csr local.key my_server.csr my_server.key

3. Generate server certificate

[root@ns3 zhengshu]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
 Signature ok
 subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/[email protected]
 Getting CA Private Key

4. Configure nginx to support SSL

[root@ns3 ~]# vim /etc/nginx.cof #A soft link is set here: lln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
server {
        listen 80;
        listen 443 default ssl; #Listen to port 433 keepalive_timeout 100; #Turn on keepalive Activate keepalive long connection to reduce the number of client requests ssl_certificate /root/zhengshu/local.crt; #Server certificate location ssl_certificate_key /root/zhengshu/local.key; #Server private key location ssl_session_cache shared:SSL:10m; #Cache session ssl_session_timeout 10m; #Session expires in 10 minutes ssl_ciphers HIGH:!aNULL:!MD5;
                   ssl_prefer_server_ciphers on;

        server_name test.com;
        charset utf-8;

        location / {
            root html;
            index index.html index.htm;
        }

    }
}

5. Testing

Enter https://192.168.200.115

This is the end of this article about implementing https with nginx combined with openssl. For more relevant content about implementing https with nginx, please search for previous articles on 123WORDPRESS.COM or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!

You may also be interested in:

How to install Nginx under Linux (pcre and openssl)
How to adjust Nginx server to address OpenSSL security vulnerabilities
Implementation of Nginx domain name forwarding https access
Implementation of HTTP and HTTPS services with Nginx reverse proxy for multiple domain names

<<: Defining the minimum height of the inline element span

>>: Detailed explanation of MySQL multi-version concurrency control mechanism (MVCC) source code