Nginx configuration and compatibility with HTTP implementation code analysis

Generate SSL Key and CSR file using OpenSSL

To configure HTTPS, you need the private key example.key file and the certificate example.crt file. When applying for a certificate file, you need the example.csr file. The OpenSSL command can generate the example.key file and the certificate example.csr file.

CSR: Certificate Signing Request, a certificate signing request file that contains the applicant's DN (Distinguished Name) and public key information, which needs to be provided when a third-party certificate authority signs a certificate. After receiving the CSR, the certificate authority uses its root certificate private key to encrypt the certificate and generate a CRT certificate file, which contains the certificate encryption information and the applicant's DN and public key information.

Key: The private key file of the certificate applicant, used in pair with the public key in the certificate. In the HTTPS "handshake" communication process, the private key is needed to decrypt the random number information sent by the client that is encrypted by the certificate public key. It is a very important file in the HTTPS encrypted communication process and is used when configuring HTTPS.

Use the OpenSSl command to generate example.key and example.csr files in the current directory of the system:

openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=CN/ST=ShenZhen/L=ShenZhen/O=Example Inc./OU=Web Security/CN=example.com"

The following are the meanings of the relevant fields of the above command:

• C：Country, the country where the unit is located, which is a two-digit country abbreviation, such as: CN is China
• ST field: State/Province, the state or province where the unit is located
• L field: Locality, the city and/or county where the unit is located
• O field: Organization, the name of the organization of this website;
• OU field: Organization Unit, the name of the subordinate department; it is also often used to display other certificate-related information, such as certificate type, certificate product name or authentication type or verification content;
• CN field: Common Name, the domain name of the website;

After generating the csr file, provide it to the CA organization. After successful signing, you will get an example.crt certificate file. After obtaining the SSL certificate file, you can configure HTTPS in the Nginx configuration file.

Configure HTTPS

Basic Configuration

To enable HTTPS service, in the configuration file information block (server block), you must use the ssl parameter of the listen command and define the server certificate file and private key file, as shown below:

	
server {
  #ssl parameter listen 443 ssl;
  server_name example.com;
  #Certificate file ssl_certificate example.com.crt;
  #Private key file ssl_certificate_key example.com.key;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5;
  #...
}

The certificate file will be sent as a public entity to each client connected to the server. The private key file, as a security entity, should be stored in a directory file with certain permission restrictions and ensure that the Nginx main process has access permissions.

The private key file may also be placed in the same file as the certificate file, as shown below:

ssl_certificate www.example.com.cert;
ssl_certificate_key www.example.com.cert;

In this case, the read permission of the certificate file should also be restricted, so that even though the certificate and private key are stored in the same file, only the certificate will be sent to the client.

The commands ssl_protocols and ssl_ciphers can be used to restrict connections to only include enhanced versions and algorithms of SSL/TLS. The default values ​​are as follows:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

Since the default values ​​of these two commands have changed several times, it is not recommended to define them explicitly unless there are additional values ​​that need to be defined, such as defining the DH algorithm:

#Use DH file
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#Define the algorithm
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
#...

Force HTTP to HTTPS

Also configure a server block, listen to port 80, and add rewrite.

server { 
  listen 80;
  server_name server ip;   
  rewrite ^(.*)$ https://$host$1 permanent; #Force http to https
}

Server configuration reference

server { 
  listen 80;
  server_name server ip;   
  rewrite ^(.*)$ https://$host$1 permanent; #Force http to https
}
server {
  charset utf-8; #server encoding listen 443 ssl; #listening address server_name server ip; #domain name of the website bound to the certificate server_tokens off; #hide nginx version number #ssl configuration ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; #public key of certificate ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; #private key of certificate ssl_session_timeout 5m;
  ssl_ciphers SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers off;
  ssl_dhparam /etc/nginx/dhparams.pem;  

  #Request header add_header Strict-Transport-Security max-age=63072000;
  add_header X-Frame-Options SAMEORIGIN;
  add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
  add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block";
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  add_header Set-Cookie "HttpOnly";
  add_header Set-Cookie "Secure";
  
  #Request Method Restrictions## Only allow these request methods ##
   if ($request_method !~ ^(GET|POST|DELETE|PUT|PATCH)$ ) {
     return 444;
   }
  
  #Access path matching location / {
    root /usr/share/nginx/html; #site directory index index.html index.htm;
  }
  location /test/ {
     proxy_pass http://127.0.0.1:8100/; #Forward local port 8100
  }
 
  #Prohibit access to the path# location /dirdeny {
  # deny all;
  # return 403;
  #}

  #Error page configuration error_page 502 503 504 /error502.html;
    location = /error502.html{
    root /usr/share/nginx/html;
  }
  error_page 500 /error.html;
   location = /error.html{
      root /usr/share/nginx/html;
    }
  error_page 404 /notfind.html;
   location = /notfind.html{
      root /usr/share/nginx/html;
    }
}

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.