What is HTTP
Hypertext Transfer Protocol (HTTP) is an application-layer protocol for transmitting hypermedia documents such as HTML.
It was designed for communication between web browsers and web servers, but it is also used for other purposes (APIs, for instance). HTTP follows the classic client-server model: a client opens a connection, sends a request and then waits for the server's response. HTTP is a stateless protocol, meaning that the server keeps no data (state) between requests. Although it normally runs over TCP/IP, the protocol can be carried by any reliable transport, that is, one that does not silently lose messages the way UDP does. (HTTP/3 runs over QUIC, which adds that reliability on top of UDP.)
What is HTTPS
Hypertext Transfer Protocol Secure (HTTPS), often called HTTP over TLS, HTTP over SSL or HTTP Secure, is HTTP carried inside an encrypted TLS session, used for secure communication over a computer network.
On the wire HTTPS is the same HTTP, but the HTTP messages are wrapped in SSL/TLS, which encrypts and authenticates them. HTTPS was developed to authenticate web servers and to protect the confidentiality and integrity of the data exchanged. The protocol was first proposed by Netscape in 1994 and later adopted across the Internet.
Historically, HTTPS was used mainly to protect payment transactions on the World Wide Web and sensitive transfers in enterprise information systems. In the late 2000s and early 2010s it came into general use: to verify that web pages of all kinds are authentic, to protect accounts, and to keep users' communications, identities and browsing private.
There was also a separate secure transport for HTTP, Secure HTTP (S-HTTP), but HTTPS became the de facto standard and S-HTTP is not widely supported.
The role of HTTPS
The primary purpose of HTTPS is to create a secure channel over an insecure network, giving reasonable protection against eavesdropping and man-in-the-middle attacks, provided suitable cipher suites are used and the server certificate can be verified and trusted.
HTTPS's trust is anchored in the certificate authority (CA) root certificates pre-installed in the operating system or browser trust store. An HTTPS connection to a site can therefore be trusted only if all of the following hold:
- The browser implements HTTPS correctly and the operating system (or browser) ships a correct, trustworthy set of CA root certificates.
- The certificate authorities issue certificates only to the legitimate operators of the websites they vouch for.
- The site being visited presents a valid certificate, that is, one issued by a CA trusted by the operating system and still within its validity period (most browsers warn on invalid certificates).
- The certificate correctly identifies the site being visited (for example, visiting https://example.com yields a certificate issued for example.com and not for some other domain name).
- The encryption layer (SSL/TLS) itself provides authentication and strong encryption; obsolete versions (SSLv3, TLS 1.0, TLS 1.1) and weak ciphers undermine this.
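The fourth condition above, "the certificate names the site being visited", is the check that defeats a man-in-the-middle who presents a perfectly valid certificate for some other domain. The following is an added example, not code from the original post, that spells out how a browser matches the requested hostname against a certificate's subjectAltName dNSName entries (exact match, or a wildcard only in the leftmost label, never spanning a dot) and then combines it with the other conditions. The certificate below is a constructed stand-in for a parsed certificate; the names in it are illustrative.

```python
from typing import Iterable, Tuple


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a lone '*' covers exactly one label.
    Partial wildcards such as 'f*o' are not accepted (browsers reject them)."""
    if pattern == "*":
        return True
    return pattern == label


def hostname_matches(hostname: str, dns_names: Iterable[str]) -> bool:
    """True if hostname is covered by one of the certificate's dNSName entries.
    Comparison is case-insensitive and ignores a trailing dot."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            continue  # a wildcard never spans more than one label
        if "*" in pat_labels[1:]:
            continue  # wildcard allowed only in the leftmost label
        if pat_labels[0] == "*" and len(pat_labels) < 3:
            continue  # "*.com" would cover a whole TLD; reject
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def should_connection_be_trusted(hostname: str, cert: dict) -> Tuple[bool, str]:
    """Combine the checks a browser makes before it shows the padlock.
    `cert` is a constructed stand-in: the chain and validity results are
    assumed to have been computed already; the name check is done here."""
    if not cert["chain_valid"]:
        return False, "certificate not issued by a trusted CA"
    if not cert["in_validity_period"]:
        return False, "certificate expired or not yet valid"
    if not hostname_matches(hostname, cert["dns_names"]):
        return False, "certificate does not name " + hostname
    return True, "ok"


# Constructed example: a certificate issued for example.com, its www host,
# and any single-label host under api.example.com.
EXAMPLE_CERT = {
    "chain_valid": True,
    "in_validity_period": True,
    "dns_names": ["example.com", "www.example.com", "*.api.example.com"],
}

if __name__ == "__main__":
    for host in ("example.com", "WWW.example.com", "v1.api.example.com",
                 "a.b.api.example.com", "api.example.com", "evil.com"):
        print(host, should_connection_be_trusted(host, EXAMPLE_CERT))
```

Note that a certificate for `*.api.example.com` covers `v1.api.example.com` but neither `api.example.com` itself nor `a.b.api.example.com`; that asymmetry is a frequent source of "certificate is valid but the browser still warns" tickets.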
The difference between HTTPS and HTTP
HTTP is used to transfer information between web browsers and web servers. It sends content in plaintext and provides no encryption, so an attacker who intercepts the traffic between browser and server can read it directly. HTTP is therefore unsuitable for transmitting sensitive information such as credit card numbers and passwords. To address this shortcoming, HTTPS layers HTTP over SSL/TLS. TLS relies on certificates to verify the identity of the server and encrypts the communication between browser and server. The differences between HTTPS and HTTP are as follows:
- HTTPS requires a certificate issued by a CA. Domain-validated (DV) certificates are available free of charge (the free DV certificate used later in this post, or Let's Encrypt); organization-validated and extended-validation certificates are paid.
- HTTP transmits information in plaintext; HTTPS transmits it inside an encrypted TLS session.
- HTTP and HTTPS use different default ports: 80 for HTTP and 443 for HTTPS.
- HTTP is simple and stateless; HTTPS adds TLS on top of HTTP to encrypt the transmission and authenticate the server, which makes it more secure than HTTP. HTTPS is just as stateless at the HTTP layer; the session state TLS keeps lives below it.
How is an HTTP connection established
HTTP relies on a TCP connection at the transport layer: the TCP connection is established first, and only then can the two parties exchange data in HTTP format. So how is a TCP connection set up?
Three-way handshake for a TCP connection:
- SYN: the client sends a connection request. When you type the address of a website into the browser, it first asks DNS for the IP address corresponding to that domain name, then sends the server a SYN segment ("I want to establish a connection") and prepares its own side of the connection.
- SYN-ACK: the server, which has been listening for connections, replies: "I got your request, and I'm ready to set up a connection."
- ACK: on receiving that reply, the client must answer: "OK, I know you're ready; let's start sending data."
Why must the client reply a third time? Because the server cannot otherwise be sure the client received its acknowledgement. Without the final ACK the server treats the request as stale or spoofed and does not complete the connection; once the ACK arrives it knows the client really wants the connection, is ready, and can start exchanging data in HTTP format. The third segment may already carry application data. So: you send a connection request, the server receives it and replies, you receive the reply and acknowledge it, and the TCP connection is established. Then you can send an HTTP request, say for an image, and the server returns the image in response, all of it in plaintext.
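What "in plaintext" means in practice is easiest to see by putting both ends of an HTTP exchange on one machine and looking at the bytes. The following is an added example, not code from the original post: a throwaway server on 127.0.0.1 records exactly what arrives on the socket after the kernel has completed the three-way handshake for `connect()`, and a client sends a constructed request that carries HTTP Basic credentials. The request and response bytes, the `alice:hunter2` credential and the port-0 trick are all constructed for this example. An on-path attacker sees precisely what the server-side list records, which is the point made in the previous section about intercepted packets.

```python
import base64
import socket
import threading

# Constructed request: what a browser sends for a page behind HTTP Basic auth.
SAMPLE_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"\r\n"
)

# Constructed response; Connection: close lets the client read to EOF.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 12\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"hello, alice"
)


def _serve_once(listener, seen):
    """Accept one connection, record the raw request bytes, answer, close."""
    conn, _ = listener.accept()
    with conn:
        data = b""
        while b"\r\n\r\n" not in data:        # read until end of headers
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        seen.append(data)
        conn.sendall(SAMPLE_RESPONSE)


def plaintext_http_exchange():
    """Run client and server on 127.0.0.1 and return
    (bytes the server saw on the wire, bytes the client received)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # port 0: OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    seen = []
    server = threading.Thread(target=_serve_once, args=(listener, seen))
    server.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(("127.0.0.1", port))        # kernel performs SYN / SYN-ACK / ACK
    client.sendall(SAMPLE_REQUEST)             # HTTP starts only after the handshake
    response = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:                          # server closed: response complete
            break
        response += chunk
    client.close()
    server.join()
    listener.close()
    return seen[0], response


def credentials_in_clear(wire_bytes):
    """Recover the Basic credentials from captured bytes, as a sniffer would."""
    for line in wire_bytes.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            return base64.b64decode(line.split(b" ", 2)[2]).decode()
    return None


if __name__ == "__main__":
    seen, got = plaintext_http_exchange()
    print(seen.decode())
    print("credentials visible on the wire:", credentials_in_clear(seen))
```

Basic authentication only base64-encodes the credential, it does not encrypt it, so over plain HTTP the password is as readable as the rest of the request.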
How is an HTTPS connection established
How does HTTPS establish a connection, and how are the encryption keys negotiated? Like HTTP, HTTPS first establishes a TCP connection, but it does not immediately request a resource. Instead the two sides negotiate a cipher suite and session keys; that negotiation is the TLS handshake. Strictly speaking no new connection is created: TLS is a layer of encryption wrapped around the existing TCP connection, but it is commonly described as "establishing a TLS connection".
The handshake proceeds as follows (this describes TLS 1.2 with RSA key exchange, the mode the steps sketch; with an ECDHE suite, or in TLS 1.3, the session keys come from an ephemeral Diffie-Hellman exchange instead, which gives forward secrecy):
- The client sends a ClientHello listing the cipher suites it supports (and, normally, the server name it wants to reach, in the SNI extension).
- The server answers with a ServerHello carrying the cipher suite it selected, followed by its certificate chain. The client verifies the chain against its trusted CAs and checks that the certificate names the host it asked for; if that succeeds it now holds the server's public key. The client then generates a random pre-master secret, encrypts it with the server's public key and sends it (ClientKeyExchange). It follows that with ChangeCipherSpec, meaning "everything I send from now on is encrypted with the keys we just agreed", and an encrypted Finished message.
- The server decrypts the pre-master secret with its private key; both sides derive the same session keys from the pre-master secret and the two Hello randoms. The server sends its own ChangeCipherSpec and an encrypted Finished message. Each side verifies the other's Finished message, which is a MAC over the entire handshake transcript, so any tampering with the negotiation is detected at this point.
- Cipher suite and keys are now agreed, the TLS handshake is complete, and the HTTP request and response are exchanged inside the encrypted channel.
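One detail of the first step that matters for both attackers and defenders: the ClientHello is sent before any key exists, so the server name (SNI) and the offered cipher suites cross the network in the clear. The following is an added example, not code from the original post, that assembles a minimal TLS 1.2 ClientHello record with an SNI extension and parses it back, the way a passive sensor or a TLS-inspecting proxy reads it. The cipher-suite name table is a small constructed subset of the IANA registry; the server name used in the usage code is the one from this post.

```python
import os
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type

# Small constructed subset of the IANA cipher-suite registry, for readable output.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def suite_name(code):
    return SUITE_NAMES.get(code, "0x%04X" % code)


def build_client_hello(server_name, suites, random=None):
    """Assemble one TLS record containing a TLS 1.2 ClientHello with SNI."""
    random = os.urandom(32) if random is None else random
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type host_name
    sni = struct.pack("!H", len(sni_entry)) + sni_entry         # ServerNameList
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (
        b"\x03\x03"                                    # client_version: TLS 1.2
        + random                                       # 32-byte client random
        + b"\x00"                                      # empty session_id
        + struct.pack("!H", 2 * len(suites))
        + b"".join(struct.pack("!H", s) for s in suites)
        + b"\x01\x00"                                  # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version 0x0301 is what clients send for compatibility.
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Extract SNI and offered cipher suites from one ClientHello record.
    Raises ValueError if the bytes are not a (complete) ClientHello."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                       # skip version and random
    pos += 1 + body[pos]                               # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                               # skip compression methods
    sni = None
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5:
                name_len = struct.unpack("!H", edata[3:5])[0]   # list_len(2) type(1) name_len(2)
                sni = edata[5:5 + name_len].decode("ascii")
    return {"sni": sni, "suites": suites}


if __name__ == "__main__":
    rec = build_client_hello("www.qiufeihong.top", [0xC02F, 0x1301, 0x002F])
    info = parse_client_hello(rec)
    print("SNI:", info["sni"])
    print("offered:", [suite_name(s) for s in info["suites"]])
```

Because these fields are readable, network monitoring can log the hostname of every TLS connection without decrypting anything, and a server must be configured to reject weak suites a client offers rather than rely on clients not offering them.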
Upgrade steps
Nginx version: nginx/1.10.3 (Ubuntu)
My nginx directory layout after installation:
feihong@iZuf69ng9hibpqjrdkb660Z:/etc/nginx$ ls
cert          fastcgi_params  mime.types    scgi_params      snippets
conf.d        koi-utf         nginx.conf    sites-available  uwsgi_params
fastcgi.conf  koi-win         proxy_params  sites-enabled    win-utf
Getting the certificate
My server is on Alibaba Cloud, so I obtained the SSL certificate from Alibaba Cloud's Cloud Shield SSL certificate service.
- Click to buy a certificate.
- Select the free DV SSL certificate and click Buy now.
- Back in the console an unissued certificate appears; request issuance.
- Fill in the application and domain-verification details (approval takes a while).
- Once the application is approved, the certificate is issued.
- Download the certificate.
The download contains two files, *.pem and *.key.
Opening them shows that both are PEM-encoded text: base64 data between BEGIN and END markers.
*.key: the certificate's private key. It belongs only on the server, readable by root (nginx's master process reads it at startup) and nobody else. Never paste it into a blog post, a ticket or a chat; a key that has been exposed, even partially, should be treated as compromised and the certificate reissued.
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAi1M5kieXbIDTCJwyWWif8g/2vc7ostgJCEpwOv2m2nyHPa32j4GtQgAV/rx2UFkmin2RWT8Lb13UQe3vKEvZi0HcXH1ef8MVymyR/M1H8+D9mQ5q
......
rtClNTkCgYB18MoPDYFFp8lcMFL4joIcmQTgRlZN7ZYwj0TEa+e2UemqkrxN8XyO
P5xniOvmacFt3SxoDLjQoVOmmS1B0QdXP24y+b1+vIfG8ZQ3grNU0Nq2PyXRe7TR
CaGaIY+5DXwoPjzPvfbWKIuMwthyAeyddW4XzO9/9c2Ugrr0s6AWkQ==
-----END RSA PRIVATE KEY-----
*.pem: the certificate file. Note that it holds two certificates back to back: the site's own (leaf) certificate first, then the DigiCert intermediate CA certificate that signed it. nginx sends this whole chain to clients, which is what lets them build a path from the leaf to a trusted root, so keep the file and its order as issued.
-----BEGIN CERTIFICATE-----
MIIFnTCCBIWgAwIBAgIQBLNEzXnEO46h+mG3ixM+AzANBgkqhkiG9w0BAQsFADBu
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
……
1/MtB1NyBlHxBrJQJVKxOLiS/4rzjV3UsQvOz5maM5gBzd3/NPIIU/gBIeK4vgSk
1w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEqjCCA5KgAwIBAgIQAnmsRYvBskWr+YBTzSybsTANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
……
sNE2DpRVMnL8J6xBRdjmOsC3N6cQuKuRXbzByVBjCqAA8t1L0I+9wXJerLPyErjy
rMKWaBFLmfK/AHNF4ZihwPGOc7w6UHczBZXH5RFzJNnww+WnKuTPI0HfnVH8lg==
-----END CERTIFICATE-----
Open port 443
Log in to Alibaba Cloud, find the security group, add a rule and allow inbound access to port 443 (don't skip this like I did; that is what ended up causing my problem).
Place the certificate on the server
Put the downloaded certificate files in /etc/nginx/cert/.
nginx.conf
nginx.conf includes both /etc/nginx/conf.d/*.conf and /etc/nginx/sites-enabled/*, so server blocks can be written in either place; keep the two separate to avoid coupling.
The default.conf in /etc/nginx/conf.d/ holds the plain HTTP services.
The HTTPS services go in /etc/nginx/sites-enabled/.
# nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    # Global default for any server block that does not set its own.
    # The stock Ubuntu file lists TLSv1 TLSv1.1 TLSv1.2; TLSv1 and TLSv1.1
    # are obsolete and are dropped here. SSLv3 dropped, ref: POODLE.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen     localhost:110;
#        protocol   pop3;
#        proxy      on;
#    }
#
#    server {
#        listen     localhost:143;
#        protocol   imap;
#        proxy      on;
#    }
#}
sites-available
Add a qiufeihong.top file to sites-available.
ssl_certificate and ssl_certificate_key point at the two certificate files.
The first server block serves HTTPS.
The second listens on plain HTTP and redirects everything to HTTPS.
# qiufeihong.top
server {
    listen 443 ssl;
    server_name www.qiufeihong.top;

    # "ssl on;" is not needed once "listen ... ssl" is used (and is deprecated in newer nginx).
    ssl_certificate /etc/nginx/cert/2476067_www.qiufeihong.top.pem;
    ssl_certificate_key /etc/nginx/cert/2476067_www.qiufeihong.top.key;
    ssl_session_timeout 10m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are obsolete; only TLSv1.2 is enabled.
    # (TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1, which 1.10.3 is not.)
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:7777;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets the backend on port 7777 know the client arrived over https.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
    }
}

server {
    listen 80;
    server_name www.qiufeihong.top;
    # Permanent redirect of every plain-HTTP request to the HTTPS site,
    # keeping the original path and query string.
    return 301 https://$host$request_uri;
}
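The two server blocks above are where an HTTPS "upgrade" is most often left half done: TLS 1.0/1.1 left enabled, a redundant `ssl on`, a port-80 block that still serves content instead of redirecting, and no HSTS header, so a client's first request is still made over plain HTTP. The following is an added example, not part of the original post or of nginx, that runs a small audit over nginx server blocks. The `WEAK_CONFIG` text reproduces the TLS-relevant lines as the post originally had them; `HARDENED_CONFIG` is the corrected form. The parser is deliberately minimal (flat directives inside `server { }` blocks, comments stripped, nested `location` blocks skipped) and the policy is an assumption of this example, not an nginx rule.

```python
import re

# Constructed: the TLS-relevant directives of the server blocks as first written.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name www.qiufeihong.top;
    ssl on;
    ssl_certificate /etc/nginx/cert/2476067_www.qiufeihong.top.pem;
    ssl_certificate_key /etc/nginx/cert/2476067_www.qiufeihong.top.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLS 1.0 and 1.1 still enabled
    ssl_prefer_server_ciphers on;
    location / { proxy_pass http://127.0.0.1:7777; }
}
server {
    listen 80;
    server_name www.qiufeihong.top;
    rewrite ^(.*)$ https://$host$1 permanent;
}
"""

# Constructed: the corrected form, with HSTS added so browsers stop using port 80.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    server_name www.qiufeihong.top;
    ssl_certificate /etc/nginx/cert/2476067_www.qiufeihong.top.pem;
    ssl_certificate_key /etc/nginx/cert/2476067_www.qiufeihong.top.key;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / { proxy_pass http://127.0.0.1:7777; }
}
server {
    listen 80;
    server_name www.qiufeihong.top;
    return 301 https://$host$request_uri;
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_server_blocks(text):
    """Return one {directive: [[args...], ...]} dict per server block.
    Tokens ending in '{' open a block, '}' closes one, ';' ends a directive.
    Only directives directly inside a server block are recorded."""
    text = re.sub(r"#[^\n]*", "", text)                 # strip comments
    blocks, stack = [], []
    for m in re.finditer(r"\}|[^{};]+[;{]", text):
        tok = m.group().strip()
        if tok.endswith("{"):
            stack.append((tok[:-1].split(), {}))
        elif tok == "}":
            header, directives = stack.pop()
            if header and header[0] == "server":
                blocks.append(directives)
        elif stack:
            parts = tok[:-1].split()
            stack[-1][1].setdefault(parts[0], []).append(parts[1:])
    return blocks


def audit_tls(config_text):
    """Return a list of findings (empty means the policy is satisfied)."""
    findings = []
    for srv in parse_server_blocks(config_text):
        listens = [args for args in srv.get("listen", [])]
        is_tls = any("ssl" in args or args[0].endswith("443") for args in listens)
        if is_tls:
            protos = {p for args in srv.get("ssl_protocols", []) for p in args}
            weak = sorted(protos & WEAK_PROTOCOLS)
            if weak:
                findings.append("weak protocols enabled: " + " ".join(weak))
            if "ssl" in srv:
                findings.append("'ssl on' is redundant with 'listen 443 ssl' and deprecated")
            if "ssl_certificate_key" not in srv:
                findings.append("ssl_certificate_key missing")
            if not any(a[:1] == ["Strict-Transport-Security"] for a in srv.get("add_header", [])):
                findings.append("no Strict-Transport-Security header")
        else:
            redirects = srv.get("return", []) + srv.get("rewrite", [])
            if not any("https://" in " ".join(a) for a in redirects):
                findings.append("port-80 server does not redirect to https")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_tls(cfg) or ["ok"])
```

Run it against a real file by passing `open("/etc/nginx/sites-available/qiufeihong.top").read()` to `audit_tls`. Add HSTS only after confirming every subdomain you intend to cover is served over HTTPS, since browsers will refuse plain HTTP to the host for the whole `max-age`.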
In addition, remove the blog's server block from default.conf in the conf.d folder; otherwise nginx warns about a conflicting server name for www.qiufeihong.top on port 80 and ignores one of the duplicate blocks when the configuration is reloaded.
server {
    listen 80;
    server_name www.qiufeihong.top;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:7777;
    }
}
sites-enabled
Create a symbolic link (ln needs -s for a symlink; without it, ln makes a hard link):
sudo ln -s /etc/nginx/sites-available/qiufeihong.top /etc/nginx/sites-enabled/qiufeihong.top
qiufeihong.top now appears in sites-enabled.
Reload nginx
sudo nginx -t
sudo nginx -s reload
nginx -t checks the configuration syntax and that the certificate and key files can be loaded; run it before the reload, since a bad configuration would otherwise take the site down.
Visiting the site now shows the closed padlock in the browser's address bar.