How to change the website accessed by http to https in nginx

1. Background

I have a website for data display that uses nginx to provide external http access, and another system uses a hyperlink to jump to my website for end users to access. Later, the other party said that their site is accessed through https and cannot be accessed directly through http, so I need to support https access.

So this is only a reference for display websites; I don’t know how to make interactive websites.

***My understanding of nginx is limited to the configuration of website access through configuration files, and I don’t have a deep understanding of other things.***

2. Prerequisites

https:

HTTPS (full name: Hyper Text Transfer Protocol over Secure Socket Layer, or Hypertext Transfer Protocol Secure) is an HTTP channel with security as its goal. Put simply, it is the secure version of HTTP: an SSL layer (TLS in current implementations) sits underneath HTTP. HTTPS gets its security from SSL, so the details of the encryption are those of SSL.

In short, a certificate is installed on the website's server, and the data exchanged between the user's browser and the server is encrypted to keep it secure.

Certificate system:

The certificate system is a tree that may have multiple layers of certificate authorities. The top-level one is called the root certificate authority; it holds the root certificate private key and can issue the next level of certificates. The certificate used by each organization or person is issued by a certificate authority. Put simply, the issuing authority uses its private key to digitally sign the certificate holder's personal information, public key and other information, and so declares to the outside world that it has certified the certificate. The certificate can be accessed publicly to verify the identity of the holder, and it is endorsed by the issuing authority. The private key corresponding to the certificate is kept by the holder and is not disclosed. It is used to decrypt private messages that others have encrypted with the public key in the certificate.

It is somewhat similar to the issuance of identity cards by public security agencies. There is a Ministry of Public Security at the top level across the country, which is responsible for the management of all provincial public security bureaus, the provincial level is responsible for the municipal level, and so on, until ultimately the police station issues identity cards to individuals. We can prove our identity to the outside world with our identity cards because they have the endorsement of the police station, the police station has the endorsement of its superiors, and so on all the way up to the Ministry of Public Security. The difference is that our ID cards do not contain as much information as a certificate.

Note: The certificate relies on the public key cryptography system, which includes two keys: public key and private key. The public key is used for encryption and signature verification, while the private key is used for decryption and signing.

3. Operation process

3.1 Certificate Generation

The main process is: root certificate --> server certificate. The server certificate here is the certificate for the website server mentioned above, the one that needs https access added.

1. Generate root certificate private key, generate root certificate request, and create self-signed root certificate

    # Generate root certificate private key
    openssl genrsa -out root.key 2048

    # Generate root certificate request
    openssl req -new -key root.key -out root.csr

    # Generate a root certificate using the root certificate private key
    openssl x509 -req -in root.csr -extensions v3_ca -signkey root.key -out root.crt

The root certificate is self-signed with the root certificate private key because every certificate has the same format and must be issued by a certificate authority. The root certificate authority has no superior, so it issues a certificate to itself, and everyone has to trust it directly.

2. Generate a server certificate private key, generate a server certificate request, and use the root certificate private key to issue a server certificate. Note that the commonName of this server certificate needs to be set to the server_name in the nginx configuration file to keep it consistent.

    # Generate server certificate private key
    openssl genrsa -out server.key 2048

    # Generate server certificate request
    openssl req -new -key server.key -out server.csr

    # Generate server certificate
    openssl x509 -days 365 -req -in server.csr -extensions v3_req -CAkey root.key -CA root.crt -CAcreateserial -out server.crt -extfile openssl.cnf

The openssl.cnf file used here needs attention. It describes some information about the server certificate to be issued. Its content is as follows:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
 
[req_distinguished_name]
countryName = CN
countryName_default = CN
stateOrProvinceName = Guizhou
stateOrProvinceName_default = Guizhou
localityName = Guizhou
localityName_default = Guizhou
organizationalUnitName = (If the web page is accessed by IP, write the IP address; if it is accessed by domain name, write the domain name)
organizationalUnitName_default = (If the web page access is by IP, write the IP; if it is by domain name, write the domain name)
commonName = (If the web page is accessed by IP, write the IP address; if it is a domain name, write the domain name)
commonName_max = 64
 
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
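
The openssl.cnf above sets no subjectAltName, which Chromium-based browsers require because they ignore commonName when matching the site name. This added example (not the original author's code) runs the same root-then-server sequence non-interactively with a subjectAltName and a CA:TRUE root, then checks the chain. Assumptions: the name example.test, the address 192.0.2.10, the file ext.cnf and the function names are constructed for illustration.

```shell
# Added example: host names, subject names and file names are constructed.
# Creates root and server key/CSR/certificate in directory $1 for site $2
# ($2 is what users type in the browser: a DNS name or an IPv4 address).
make_chain() (
    dir=$1 host=$2
    umask 077    # private keys readable by the owner only
    mkdir -p "$dir" && cd "$dir" || exit 1
    case $host in    # the SAN type must match how the site is addressed
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host" ;;
    esac
    cat > ext.cnf <<EOF
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = $san
EOF
    openssl genrsa -out root.key 2048 2>/dev/null &&
    openssl req -new -config ext.cnf -key root.key \
        -subj "/CN=Example Test Root" -out root.csr &&
    openssl x509 -req -days 365 -in root.csr -signkey root.key \
        -extfile ext.cnf -extensions v3_ca -out root.crt 2>/dev/null &&
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -config ext.cnf -key server.key \
        -subj "/CN=$host" -out server.csr &&
    openssl x509 -req -days 365 -in server.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ext.cnf -extensions v3_req \
        -out server.crt 2>/dev/null
)

# Chain check a client performs once root.crt is in its trust store.
chain_ok() { openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1; }

# Print the subjectAltName value; prints nothing if the certificate has none.
san_of() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;s/ *$//;p;}'
}

demo=$(mktemp -d)
make_chain "$demo" example.test && chain_ok "$demo" && san_of "$demo/server.crt"
rm -rf "$demo"
```

The resulting server.crt and server.key are the files that ssl_certificate and ssl_certificate_key point to; root.key stays off the web server.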

3.2 nginx configuration

Uncomment the HTTPS server section in the nginx configuration and modify fields such as server_name, ssl_certificate, ssl_certificate_key, and the root inside location.

...
 # HTTPS server
 #
 server {
  # The ssl parameter enables TLS on this port; the separate "ssl on;"
  # directive is obsolete and was removed in nginx 1.25.1.
  listen 443 ssl;
  server_name xxx.com;   # website access address

  ssl_certificate xxx.crt;   # server certificate
  ssl_certificate_key xxx.key;   # server certificate private key

  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 5m;

  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;

  location / {
   root xxx;   # front-end code directory
   index index.html index.htm;
  }
 }
...

Start nginx to provide external services.

3.3 Browser access

So far we have configured https access on the server side, but when the browser accesses it, it will prompt a certificate error because the browser does not recognize our certificate yet and is not sure whether it is safe. Just like we all have no problem using ID cards issued by the Ministry of Public Security to prove our identity, but if you use an ID card issued by yourself to prove your identity, others may not believe it, because no one knows the identity of your issuing agency.

Therefore, we need to add the issuing authority of the server certificate, that is, the root certificate we generated above, to the browser's trust list. On a Windows system, you can double-click the root certificate file, click Install, and install it to the trusted root certificate authorities. After that, you can access the site smoothly. Keep root.key private: a machine that trusts this root certificate will accept any certificate signed with that key.
