“This is the 8th day of my participation in the Gwen Challenge in November. Check out the details: The Last Gwen Challenge in 2021”

HTTP and HTTPS are both HTTP; the difference is that HTTPS is HTTP wrapped in an SSL shell.

HTTPS is a transport protocol for secure communication over computer networks. It communicates over HTTP and uses SSL/TLS to establish the channel and encrypt data packets to ensure data security.

SSL: Secure Sockets Layer

TLS: Transport Layer Security

These two security protocols provide security and data integrity for network communications. TLS and SSL encrypt network connections at the transport and application layers.

To summarize why you should use HTTPS:

HTTP transmits data in plaintext, which is a security problem, whereas HTTPS transmits encrypted data; it is equivalent to HTTP + SSL and prevents traffic hijacking.

To use SSL, Nginx must be built with the --with-http_ssl_module option, which in turn needs OpenSSL support during compilation.

Adding SSL support to Nginx

(1) Add the --with-http_ssl_module module incrementally

Back up the original /usr/local/nginx/sbin/nginx.

Copy the previous Nginx configuration information.

In the Nginx installation source directory, run configure and specify the module:

./configure --with-http_ssl_module

Compile with make.

Put the newly compiled nginx into /usr/local/nginx/sbin.

Nginx SSL-related directives

ssl: This directive enables HTTPS for the specified server. You can use listen 443 ssl instead, which is the more general form.

Syntax: ssl on | off;
Default: ssl off;
Context: http, server

server {
  listen 443 ssl;
}

ssl_certificate: Specifies a certificate file in PEM format for the current virtual host.

Syntax: ssl_certificate file;
Default: (none)
Context: http, server

ssl_certificate_key: Specifies the path of the private key file in PEM format.

Syntax: ssl_certificate_key file;
Default: (none)
Context: http, server

ssl_session_cache: This directive configures the cache for SSL sessions.

Syntax: ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
Default: ssl_session_cache none;
Context: http, server

off: Disables session caching; clients are not allowed to reuse sessions.

none: Disables session caching; clients may reuse sessions, but session parameters are not stored in the cache.

builtin: Uses the cache built into OpenSSL, which is used by only one worker process.

shared: All worker processes share one cache, whose name and size are given by name and size.

ssl_session_timeout: Once SSL session caching is enabled, sets how long the client can reuse the session parameters stored in the cache.

Syntax: ssl_session_timeout time;
Default: ssl_session_timeout 5m;
Context: http, server

ssl_ciphers: Specifies the allowed ciphers, in the format supported by OpenSSL.

Syntax: ssl_ciphers ciphers;
Default: ssl_ciphers HIGH:!aNULL:!MD5;
Context: http, server

You can use the openssl ciphers command to view the formats supported by OpenSSL.

ssl_prefer_server_ciphers: This directive specifies whether the server's ciphers take precedence over the client's ciphers.

Syntax: ssl_prefer_server_ciphers on | off;
Default: ssl_prefer_server_ciphers off;
Context: http, server

Generate a certificate

Method 1: Purchase one from a third-party service such as Alibaba Cloud or Tencent Cloud.

Method 2: Use OpenSSL to generate a certificate

Check whether OpenSSL is installed on the current system

openssl version

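Once OpenSSL is installed, run the following commands to generate the certificate

mkdir /root/cert
cd /root/cert
# Generate a 2048-bit RSA private key, encrypted with a passphrase (-des3)
openssl genrsa -des3 -out server.key 2048
# Create a certificate signing request for that key
openssl req -new -key server.key -out server.csr
# Keep the encrypted key as server.key.org and write an unencrypted copy,
# so Nginx can start without prompting for the passphrase
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
# Self-sign the request; the certificate is valid for 365 days
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt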

SSL configuration example

server {
  listen 443 ssl;
  server_name localhost;
  # Certificate and key generated above in /root/cert
  ssl_certificate /root/cert/server.crt;
  ssl_certificate_key /root/cert/server.key;
  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 5m;
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;
  location / {
    root html;
    index index.html index.htm;
  }
}

Finally verify.
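Part of that verification can be done before Nginx is reloaded. The following Python lint is an added example, not code from the original post or from Nginx: it checks one server block against the directives described above and reports misspelled ssl_* names, a missing certificate or key, a session cache without a shared zone, and a cipher string broken by spaces. The function names and the sample block are constructed for illustration.

```python
import difflib
import re

# Directives covered on this page (assumption: extend for other ssl_* directives in use).
KNOWN = ("ssl", "ssl_certificate", "ssl_certificate_key", "ssl_session_cache",
         "ssl_session_timeout", "ssl_ciphers", "ssl_prefer_server_ciphers")

def parse(block):
    """Split an nginx block into (name, [args]) pairs; braces end a statement too."""
    statements = re.split(r"[;{}]", re.sub(r"#.*", "", block))
    return [(s.split()[0], s.split()[1:]) for s in statements if s.strip()]

def audit(block):
    """Return findings for one server block; an empty list means nothing was flagged."""
    seen, findings = {}, []
    for name, args in parse(block):
        seen.setdefault(name, []).append(args)
        if name.startswith("ssl") and name not in KNOWN:
            hint = difflib.get_close_matches(name, KNOWN, n=1)
            findings.append(f"unknown directive {name}" + (f" (did you mean {hint[0]}?)" if hint else ""))
    tls = any("ssl" in a for a in seen.get("listen", [])) or ["on"] in seen.get("ssl", [])
    if not tls:
        findings.append("TLS is not enabled: no 'listen ... ssl' and no 'ssl on'")
    for needed in ("ssl_certificate", "ssl_certificate_key"):
        if needed not in seen:
            findings.append(f"{needed} is not set")
    cache = seen.get("ssl_session_cache", [["none"]])[-1]  # nginx default is none
    if not any(a.startswith("shared:") for a in cache):
        findings.append("ssl_session_cache has no shared zone, so workers cannot share sessions")
    for args in seen.get("ssl_ciphers", []):
        tokens = "".join(args).split(":")
        if len(args) != 1:
            findings.append("ssl_ciphers takes one argument; remove the spaces in the cipher string")
        if {"ALL", "HIGH", "MEDIUM"} & set(tokens) and "!aNULL" not in tokens:
            findings.append("ssl_ciphers uses a cipher group without !aNULL")
    return findings

# Constructed sample: misspelled directive names and a cipher string split by spaces.
BAD = """
server {
  listen 443 ssl;
  ssl_certifificate /root/cert/server.crt;
  ssl_certificate_key /root/cert/server.key;
  ssl_ciphers HIGH:! aNULL:! MD5;
  ssl_perfer_server_ciphers on;
}
"""
if __name__ == "__main__":
    print("\n".join(audit(BAD)))
```

The authoritative syntax check remains nginx -t, which parses the real configuration with every loaded module.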