1. The difference between HTTP and HTTPS

HTTP: It is the most widely used network protocol on the Internet. It is a standard for requests and responses between client and server, carried over TCP, and is the transmission protocol used to transfer hypertext from WWW servers to local browsers. It can make browsers more efficient and reduce network transmission.

HTTPS: It is an HTTP channel with security as its goal. Simply put, it is the secure version of HTTP: an SSL layer is added under HTTP. The security basis of HTTPS is SSL, so the details of the encryption are handled by SSL.

The main functions of the HTTPS protocol fall into two types: one is to establish a secure channel that protects data in transit; the other is to confirm the authenticity of the website.

The main differences between HTTPS and HTTP are as follows:

1. The HTTPS protocol requires applying for a certificate from a CA. Generally, there are fewer free certificates, so a certain fee is required.
2. HTTP is the hypertext transfer protocol and transmits information in plain text, while HTTPS is the secure, SSL-encrypted transmission protocol.
3. HTTP and HTTPS use completely different connection methods and different ports. The former uses 80 and the latter 443.
4. The HTTP connection is very simple and stateless. The HTTPS protocol is a network protocol built from SSL + HTTP that can perform encrypted transmission and identity authentication. It is more secure than the HTTP protocol.

2. Generate a certificate using openssl

OpenSSL is the most popular SSL cryptographic library and tool. It provides a general, robust, and full-featured tool suite that supports the implementation of the SSL/TLS protocol.
For example, to generate the files under /usr/local/ssl:

    openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /usr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt

Generation process:

    # openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /usr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt
    Generating a 2048 bit RSA private key
    ...............................................................................+++
    ...............+++
    writing new private key to '/usr/local/ssl/nginx.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:beijing
    Organization Name (eg, company) [Default Company Ltd]: xxxx
    Organizational Unit Name (eg, section) []:xxxx
    Common Name (eg, your name or your server's hostname) []:xxxx (usually a domain name)
    Email Address []:[email protected]

    # ll
    total 8
    -rw-r--r--. 1 root root 1391 Apr 21 13:29 nginx.crt
    -rw-r--r--. 1 root root 1704 Apr 21 13:29 nginx.key

3. Install the http_ssl_module module in Nginx

If the SSL module is not enabled in Nginx, an error message will be displayed when configuring HTTPS.
Nginx lacks the http_ssl_module module. Just add the --with-http_ssl_module option when compiling and installing. In this scenario, nginx has already been installed on the server, but without http_ssl_module.

1. Enter the source package directory, such as:

    cd /app/download/nginx-1.12.2

2. Run configure:

    ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
    # May need dependent packages
    yum -y install pcre-devel openssl openssl-devel

3. Run make:

    make

4. Do not run make install, otherwise the existing installation will be overwritten.

5. Back up the original nginx binary, such as:

    cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_bak

6. Then overwrite the original nginx with the newly compiled nginx (nginx needs to be stopped):

    cp ./objs/nginx /usr/local/nginx/sbin/

7. Check the installation status:

    /usr/local/nginx/sbin/nginx -V
    nginx version: nginx/1.12.2
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
    built with OpenSSL 1.0.2k-fips 26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

4. Configure HTTPS in nginx

Some of the configuration is pasted here:

    server {
        listen 80;
        server_name www.yourdomain.com;
        rewrite ^(.*) https://$server_name$1 permanent;  # redirect http to https
    }

    server {
        listen 443 ssl;
        server_name www.yourdomain.com;

        ssl_certificate /usr/local/ssl/nginx.crt;
        ssl_certificate_key /usr/local/ssl/nginx.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        # Hide the server version in the header to prevent hackers from exploiting version vulnerabilities
        server_tokens off;

        # If the whole site is HTTPS and HTTP is not considered, you can add HSTS to tell the browser
        # that the whole site is encrypted and force HTTPS access
        fastcgi_param HTTPS on;
        fastcgi_param HTTP_SCHEME https;

        access_log /usr/local/nginx/logs/httpsaccess.log;
    }

First check whether the configuration is correct:

    /usr/local/nginx/sbin/nginx -t
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Restart nginx:

    /usr/local/nginx/sbin/nginx -s reload
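
An added example, not part of the original article: a shell audit for the setup described above. It reports that the HTTPS server block leaves ssl_protocols to nginx's built-in default and sends no Strict-Transport-Security header although its comment mentions HSTS, and that a key file with the mode shown in the ll listing (644) is readable by group and other. The finding labels, the temporary sample files and the hardened variant are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: audit an nginx HTTPS config and the
# private key's file mode. Finding labels are this script's own names.

# Print one finding per line for the nginx config file $1.
audit_conf() {
    # Strip comments so a directive named only in a comment is not counted.
    body=$(sed 's/#.*$//' "$1")
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }
    has 'listen[[:space:]]+443[[:space:]]+ssl' || echo "no-tls-listener"
    has 'ssl_protocols[[:space:]]' || echo "ssl_protocols-not-set"
    has 'ssl_protocols[^;]*(SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)' &&
        echo "legacy-protocol-enabled"
    has 'add_header[[:space:]]+Strict-Transport-Security' ||
        echo "hsts-header-missing"
    has 'server_tokens[[:space:]]+off' || echo "server_tokens-not-off"
    return 0
}

# Succeed only if file $1 grants no permission bits to group or other.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: the article's HTTPS server block, abridged.
demo=$(mktemp -d)
cat > "$demo/article.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name www.yourdomain.com;
    ssl_certificate /usr/local/ssl/nginx.crt;
    ssl_certificate_key /usr/local/ssl/nginx.key;
    server_tokens off;
    # you can add HSTS to force HTTPS access
    fastcgi_param HTTPS on;
}
EOF
# Constructed hardened variant: explicit protocol list plus an HSTS header.
# TLSv1.2 only, since the article's OpenSSL 1.0.2k build has no TLSv1.3.
sed 's/}$/    ssl_protocols TLSv1.2;\
    add_header Strict-Transport-Security "max-age=31536000" always;\
}/' "$demo/article.conf" > "$demo/hardened.conf"
# Constructed key stand-in with mode 644, as in the article's ll listing.
: > "$demo/nginx.key" && chmod 644 "$demo/nginx.key"

echo "article.conf:";  audit_conf "$demo/article.conf"
echo "hardened.conf:"; audit_conf "$demo/hardened.conf"
key_is_private "$demo/nginx.key" || echo "nginx.key: group/other can read it"
```

On the real host, point audit_conf at /usr/local/nginx/conf/nginx.conf and key_is_private at /usr/local/ssl/nginx.key; running chmod 600 on the key clears the last finding.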