The original reason for setting up an HTTPS service was WeChat mini-program development: wx.request only allows HTTPS requests, and only to a specified domain name. Building an HTTPS service from scratch needs four things: a domain name, filing, a cloud server, and the service setup itself. This post covers the specific requirements of each of the four in turn.

Introduction

Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) is a transfer protocol for secure communication over a computer network. HTTPS carries ordinary HTTP, but wraps the packets in SSL/TLS encryption. It was developed to authenticate the identity of web servers and to protect the privacy and integrity of the data exchanged. The protocol was first proposed by Netscape in 1994 and then spread across the Internet, where virtually all websites now use HTTPS. The rest of this post builds an HTTPS service from zero in four parts: domain name, filing, cloud server, and service setup.

The domain name

A domain name (or simply a domain) is the name of a computer or group of computers on the Internet, made up of a series of labels separated by dots; it identifies the electronic location of a computer during data transmission. For example, blog.haojunyu.com is a domain name that the Domain Name System maps to a corresponding IP address; that mapping is done by domain name resolution.

Domain name registration and resolution

Before registering a domain name you can check on WHOIS whether it has already been taken. BAT all offer domain name registration: Alibaba's Wanwang (万网), Baidu's domain name service and Tencent's DNSPod. I registered my domain haojunyu.com on Alibaba's site; the original purpose was a personalized domain name for my personal blog on GitHub. In the domain name resolution settings not much needs to change: just add a resolution record that maps api.haojunyu.com to the server's IP address (shown in a screenshot in the original post, with the IP redacted). Once that is set up, a request to api.haojunyu.com/* is automatically resolved by DNS to the mapped IP address and sent on to the corresponding service on the target server.

Filing

The filing here is the record that a non-commercial website such as a personal blog must complete; its purpose is to make the website easier to administer, because only law-abiding websites can play a positive role in promoting information sharing, cultural prosperity and social progress.

My domain name haojunyu.com was filed through Baidu Cloud. At the time I first submitted the information (mainly photos of the front and back of my ID card), then waited for a Baidu courier to bring the backdrop wall, took photos in front of it and uploaded them for verification before the filing could succeed.

Cloud server

A server is a running computer: it can be your own home machine or a cloud service bought from BAT. Because Tencent Cloud offers a free 8-day trial, I tried building the HTTPS service on a cloud server so that the WeChat mini program could issue requests successfully. If the trial goes well, you can renew it (74 yuan/month). When creating a cloud host you need to choose an operating system; given my familiarity with Ubuntu and the server's needs, I chose the Ubuntu Server 16.04.1 LTS 64-bit image. After the new cloud host is created, Baidu Cloud provides an external IP address, which is the record value to enter in domain name resolution.

Service building

Server configuration has three main steps: the application layout, the Nginx server configuration, and the upgrade of HTTP to HTTPS. The first two follow this blog post on deploying a Flask application with Nginx on Ubuntu; the third follows Tencent Cloud's Nginx certificate installation guide.

The application

Since WeChat mini programs mainly consume JSON data, the server should provide RESTful services. I also like Python, so I chose Flask, a lightweight Python web framework. Nginx is the web server, and uWSGI connects the server to the application. The installation procedure is as follows:

  1. Environment configuration

    sudo apt-get update && sudo apt-get upgrade                 # Update all software
    sudo apt-get install build-essential                        # Install the compile environment
    sudo apt-get install python python-dev python-setuptools    # Install the Python environment
    sudo easy_install pip
    sudo apt-get install nginx                                  # Install Nginx
    sudo apt-get install uwsgi uwsgi-plugin-python3             # Install uWSGI and its plug-in
    sudo apt-get install supervisor                             # Install the process management software
  2. Application configuration

    sudo mkdir -p /var/www/flaskApp                  # Create the application folder
    sudo chown -R ubuntu:ubuntu /var/www/flaskApp    # Change application folder ownership
    sudo pip install virtualenv                      # Install the Python virtual environment tool
    # Create a Python virtual environment
    cd /var/www/flaskApp
    virtualenv venv
    . venv/bin/activate                              # Activate the Python virtual environment venv
    pip install flask flask-restful                  # Install the Flask web framework into the virtual environment
  3. Create api.py

    #!/usr/bin/env python
    from flask import Flask, jsonify

    app = Flask(__name__)

    # Sample in-memory data served by the API
    tasks = [
        {
            'id': 1,
            'title': u'Buy groceries',
            'description': u'Milk, Cheese, Pizza, Fruit, Tylenol',
            'done': False
        },
        {
            'id': 2,
            'title': u'Learn Python',
            'description': u'Need to find a good Python tutorial on the web',
            'done': False
        }
    ]


    @app.route('/todo/api/v1.0/tasks', methods=['GET'])
    def get_tasks():
        return jsonify({'tasks': tasks})


    if __name__ == '__main__':
        # Development server only; under Nginx, uWSGI imports `app` from this module instead
        app.run(host='0.0.0.0', port=8080)

    After running `python api.py`, you can open http://<host IP>:8080/todo/api/v1.0/tasks in a browser to fetch the tasks data.

Service configuration

Nginx configuration

  1. Delete the default nginx configuration file

    sudo rm /etc/nginx/sites-enabled/default
  2. Create a new configuration file /var/www/flaskApp/config/flaskApp_nginx.conf

    server {
      listen      80;
      server_name api.haojunyu.com;   # The domain name has been mapped to the host IP address
      charset     utf-8;
      client_max_body_size 75M;

      location / {
        try_files $uri @yourapplication;
      }

      # Everything that is not a static file is handed to uWSGI over the Unix socket
      location @yourapplication {
        include uwsgi_params;
        uwsgi_pass unix:/var/www/flaskApp/config/flaskApp_uwsgi.sock;
      }
    }
  3. Link the configuration file and restart the service

    sudo ln -s /var/www/flaskApp/config/flaskApp_nginx.conf /etc/nginx/conf.d/   # Link the configuration file in the application folder into the nginx configuration directory
    sudo nginx -t                      # Check the nginx configuration for errors
    sudo nginx -s reload               # Reload the nginx configuration
    sudo /etc/init.d/nginx restart     # Restart nginx
  4. Verification: if you now open api.haojunyu.com/todo/api/v1… in a browser you still get no data, because flaskApp_uwsgi.sock has not been created yet; uWSGI must be started to build the bridge between Nginx and the Python application.

uWSGI configuration

  1. Create a new configuration file /var/www/flaskApp/config/flaskApp_uwsgi.ini

    [uwsgi]
    # application's base folder
    base = /var/www/flaskApp

    # python module to import (api.py)
    app = api
    module = %(app)

    home = %(base)/venv
    pythonpath = %(base)
    ## If you manage virtualenv with virtualenvwrapper, replace home and pythonpath with the following two parameters
    #chdir = %(base)
    #virtualenvs = %HOME/.virtualenvs/flaskEnv

    # socket file's location; %n is the name of this ini file, so this yields
    # /var/www/flaskApp/config/flaskApp_uwsgi.sock, the path nginx's uwsgi_pass expects
    socket = %(base)/config/%n.sock

    # permissions for the socket file (666 lets every local user talk to the app directly;
    # chown-socket to the nginx user together with chmod-socket = 660 is tighter)
    chmod-socket    = 666

    # the variable that holds the Flask application inside the imported module
    callable = app

    # location of log files
    logto = /var/log/uwsgi/%n.log
  2. Create the uWSGI log folder and change its ownership

    sudo mkdir -p /var/log/uwsgi                     # uWSGI log folder
    sudo chown -R ubuntu:ubuntu /var/log/uwsgi       # Change uWSGI log folder ownership
    uwsgi --ini /var/www/flaskApp/config/flaskApp_uwsgi.ini --plugin python3 &   # Start uWSGI in the background

Supervisor configuration

Supervisor is there to make process management easier: without it, after every reboot you would have to run `uwsgi --ini /var/www/flaskApp/config/flaskApp_uwsgi.ini` again by hand to start uWSGI, which is a burden, because you cannot remember an application like this and a configuration like this forever. So we let Supervisor manage it: we only need to create a flaskApp_supervisor.conf when developing the application, and after the machine restarts the supervisor service starts the application; to start it manually, run `sudo service supervisor start`.

  1. Install supervisor

    sudo apt install supervisor
  2. Create the configuration file /var/www/flaskApp/flaskApp_supervisor.conf:

    [program:flaskApp]
    # Start command (uwsgi installed by apt lives in /usr/bin; the python3 plug-in is loaded as in the manual start)
    command=/usr/bin/uwsgi --ini /var/www/flaskApp/config/flaskApp_uwsgi.ini --plugin python3
    # The user name used to run the command
    user=ubuntu
    autostart=true
    autorestart=true
    # log location
    stdout_logfile=/var/log/supervisor/flaskApp_supervisor.log
  3. Link the configuration file and restart the service

    sudo ln -s /var/www/flaskApp/flaskApp_supervisor.conf /etc/supervisor/conf.d/
    sudo service supervisor restart

Upgrading HTTP to HTTPS

Upgrading to HTTPS requires a certificate. BAT provide such services together with configuration and installation instructions; I followed Tencent Cloud's Nginx certificate installation guide. The main work is to save the certificate into the config directory and modify flaskApp_nginx.conf as follows:

server {
  listen 80;
  server_name api.haojunyu.com;
  # Permanently redirect every plain HTTP request to HTTPS
  return 301 https://api.haojunyu.com$request_uri;
}

server {
  listen      443 ssl;
  server_name api.haojunyu.com;   # The domain name has been mapped to the host IP address

  ssl on;   # Redundant with "listen 443 ssl" and rejected by newer nginx releases; kept here as in the guide
  ssl_certificate /var/www/flaskApp/1_haojunyu.com_bundle.crt;
  ssl_certificate_key /var/www/flaskApp/2_haojunyu.com.key;
  ssl_session_timeout 5m;
  # Protocols as given in the guide; TLSv1 and TLSv1.1 have since been deprecated (RFC 8996),
  # so "TLSv1.2 TLSv1.3" is the current recommendation
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # Cipher suites as given in the guide
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
  ssl_prefer_server_ciphers on;

  location / {
    try_files $uri @yourapplication;
  }

  location @yourapplication {
    include uwsgi_params;
    uwsgi_pass unix:/var/www/flaskApp/config/flaskApp_uwsgi.sock;
  }
}
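As an added example (not code from the original post or from Nginx, uWSGI or Flask), here is a small Python lint that reads a uWSGI ini and an Nginx site block of the shape used above and reports the problems most likely to leave the API unreachable or weakly protected: a uwsgi_pass socket path that differs from the socket uWSGI actually creates once %n and %(base) are expanded (Nginx then cannot reach the application at all), a world-writable socket (chmod-socket 666), deprecated TLS versions in ssl_protocols, and a cipher string that no longer excludes anonymous, MD5 or RC4 suites. The two config strings are constructed copies of the post's snippets, with the uWSGI socket path deliberately placed one directory away from where Nginx looks so the check fires; all function names are this example's own.

```python
"""Deployment config lint for the Nginx + uWSGI setup described above.

Added example, not part of the original post. The config strings are
constructed from the post's snippets (the uWSGI socket path deliberately
disagrees with Nginx's uwsgi_pass); all helper names are this example's own."""
import configparser
import re

# Constructed uWSGI ini: the socket lands in /var/www/flaskApp/, not config/.
UWSGI_INI = """\
[uwsgi]
base = /var/www/flaskApp
app = api
module = %(app)
home = %(base)/venv
pythonpath = %(base)
socket = /var/www/flaskApp/%n.sock
chmod-socket = 666
callable = app
logto = /var/log/uwsgi/%n.log
"""

# Constructed Nginx HTTPS server block with the same directives as the post's.
NGINX_CONF = """\
server {
  listen      443 ssl;
  server_name api.haojunyu.com;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
  location / { try_files $uri @yourapplication; }
  location @yourapplication {
    include uwsgi_params;
    uwsgi_pass unix:/var/www/flaskApp/config/flaskApp_uwsgi.sock;
  }
}
"""

DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
REQUIRED_CIPHER_EXCLUSIONS = {"!aNULL", "!MD5", "!RC4"}


def parse_uwsgi_ini(text):
    """Return the [uwsgi] section as a dict, leaving %(key) and %n untouched."""
    # uWSGI's %(key) placeholders are not configparser's %(key)s syntax,
    # so interpolation is disabled here and done by expand_uwsgi_value.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["uwsgi"])


def expand_uwsgi_value(value, opts, ini_name):
    """Expand uWSGI magic variables: %n -> ini file name, %(key) -> option value."""
    value = value.replace("%n", ini_name)
    return re.sub(r"%\((\w+)\)", lambda m: opts.get(m.group(1), m.group(0)), value)


def nginx_directive(text, name):
    """Return the argument list of every occurrence of an nginx directive."""
    pat = re.compile(r"(?<![\w-])" + re.escape(name) + r"\s+([^;]+);")
    return [m.group(1).split() for m in pat.finditer(text)]


def lint_deployment(nginx_conf, uwsgi_ini, ini_name="flaskApp_uwsgi"):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    opts = parse_uwsgi_ini(uwsgi_ini)

    # 1. The socket Nginx proxies to must be the socket uWSGI creates,
    #    otherwise every request fails before reaching the application.
    uwsgi_socket = expand_uwsgi_value(opts.get("socket", ""), opts, ini_name)
    for args in nginx_directive(nginx_conf, "uwsgi_pass"):
        if args and args[0].startswith("unix:") and args[0][5:] != uwsgi_socket:
            findings.append(f"socket mismatch: nginx uwsgi_pass {args[0][5:]} "
                            f"but uWSGI creates {uwsgi_socket}")

    # 2. A 666 socket lets any local user submit requests straight to the app.
    if opts.get("chmod-socket", "").strip() == "666":
        findings.append("chmod-socket 666: socket is world-writable; "
                        "use chown-socket to the nginx user and chmod-socket 660")

    # 3. Protocol versions withdrawn by RFC 8996 should not be offered.
    for protos in nginx_directive(nginx_conf, "ssl_protocols"):
        bad = sorted(set(protos) & DEPRECATED_TLS)
        if bad:
            findings.append("deprecated TLS versions enabled: " + " ".join(bad))

    # 4. The cipher string must keep excluding anonymous, MD5 and RC4 suites.
    for args in nginx_directive(nginx_conf, "ssl_ciphers"):
        missing = REQUIRED_CIPHER_EXCLUSIONS - set(args[0].split(":"))
        if missing:
            findings.append("ssl_ciphers lacks exclusions: " + " ".join(sorted(missing)))

    return findings


if __name__ == "__main__":
    for line in lint_deployment(NGINX_CONF, UWSGI_INI) or ["no findings"]:
        print(line)
```

Run it against the real files by reading them into the two strings; after moving the socket under config/ (socket = %(base)/config/%n.sock), tightening the permissions and trimming ssl_protocols to TLSv1.2 and TLSv1.3, the lint returns an empty list.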

At the time, SSL certificates were available for free, with the limitation that one certificate covered only a single second-level domain or subdomain. If you like to tinker, you can use certbot to automate certificate configuration and scheduled renewal.

For detailed installation and configuration steps see the certbot website (you choose the web server software, such as Nginx or Apache, and the operating system, such as Ubuntu, CentOS or macOS).

# Install certbot and its nginx plug-in
sudo apt install certbot python-certbot-nginx

# Obtain a certificate for the domain name
sudo certbot certonly --nginx --cert-name haojunyu.com -d api.haojunyu.com
# Delete the configured certificate
sudo certbot delete --cert-name haojunyu.com
# List the managed certificates
sudo certbot certificates
# Test renewal without changing anything (dry run)
sudo certbot renew --dry-run

The final result is shown in the screenshot below: accessing api.haojunyu.com/todo/api/v1… returns the corresponding data.

References

  1. Wikipedia: Domain name
  2. WHOIS domain name lookup
  3. Wanwang (Alibaba's domain name service)
  4. Baidu domain name service
  5. DNSPod
  6. Deploying a Flask application on Ubuntu with Nginx
  7. Nginx certificate installation on Tencent Cloud
  8. certbot

If this article helped you, or you are interested in technical articles, follow the WeChat official account Technical Tea Party to receive related articles as soon as they are published. Thank you!