Preface
Whether you want to look at pretty girls and handsome guys or follow national affairs, and want the freshest news and the latest trends the moment they appear, the Internet is your first choice. The web protocols we see most are HTTP and HTTPS.
Why use HTTPS instead of existing HTTP?
Let's start with the shortcomings of HTTP:
- HTTP transmits in plaintext, so the content is easy to sniff: eavesdropping risk
- It does not verify the identity of the other party, so anyone can pose as it: impersonation risk
- Packet integrity cannot be proven, so data may be altered in transit: tampering risk
These dangers are not just words. Have you run into carrier (ISP) hijacking? Ads injected into pages every day, and other disgusting things you cannot guard against. It is precisely these weaknesses that give certain shady operators fertile ground.
Take a look at international trends
To encourage HTTPS deployment
- Google has tweaked its search engine to give sites that use HTTPS higher rankings
- Chrome has flagged HTTP sites as unsafe
- Apple required all apps in the App Store to use HTTPS for encrypted connections from 2017
- WeChat Mini Programs require HTTPS
- The next-generation HTTP/2 protocol is, in practice, only supported over HTTPS
For these reasons, HTTPS deployment is imperative.
HTTPS characteristics
HTTPS is the secure upgrade of HTTP: it adds an SSL/TLS layer beneath HTTP. The basic idea is public-key encryption. The client requests the server's public key and encrypts what it sends with it; only the server, which holds the matching private key, can decrypt it.
The diagram above illustrates this principle.
The purpose of this:
- Data transmission is encrypted to ensure the security of data transmission
- Authentication to prevent impersonation
- Data integrity checks prevent content from being forged or tampered with by a third party
HTTPS Deployment Process
About certificates
1) Why do I need a certificate?
For the requester, how can it be sure that the public key it obtained really came from the target host rather than from an intermediary? And how does it determine that the target host, or the company or organization behind it, is trustworthy? This is where an authoritative, trusted organization (generally one audited and authorized by the government) is needed to issue the host organization's public key in a uniform way, solving the trust problem in a centralized manner.
2) How to apply for a certificate?
The user first generates a key pair and sends the public key, together with the necessary information, to the certificate authority. After checking that the information is legitimate, the CA takes steps to confirm that the request really comes from the user (usually by issuing a validation file that you download and place in a specific directory under the domain). The CA then issues a digital certificate to the user.
3) What is the certificate content information?
- The name of the issuing certificate authority
- The digital signature of the certificate itself
- The certificate holder's public key and identifying information
- Hash algorithm used to sign the certificate
Certificates are issued by independent certificate issuers, each with a different level of trust, forming a tree structure. Make sure the certificate chain is complete (all the way up to the CA root certificate) before deploying HTTPS; otherwise, in some cases the site is flagged as not secure and the HTTPS deployment fails.
4) Verifying a certificate's validity
The browser ships with built-in CA root certificates and uses them to check the certificate the site is configured with:
- The issuing authority is not recognised: dangerous certificate.
- The issuing authority is correct: the browser uses the CA root certificate's public key to decrypt the certificate's signed digest. If decryption fails: dangerous certificate. If it succeeds, the browser obtains digest A, then computes digest B of the certificate itself with the hash algorithm named in the signature. If A and B are equal, the certificate is fine; if they differ, it has been tampered with: dangerous certificate.
- The certificate has expired: dangerous certificate.
Applying for a certificate
That was a lot of theory; finally we get to the hands-on part. Less talk, let me show you the code.
I will use the certificate authority SSLS for this.
Why choose it?
- Because it is good value: the price is acceptable and the certificate quality is very high.
- The company in
Yes, that's how capricious I am. All right, back to the topic.
As is the international convention: register, log in -> select CERTS, then choose the product you want, add it to the cart, and select the quantity and validity period.
Product list; the interface looks quite nice.
Here's the key part: certificate deployment takes three steps.
1) Enter the CSR as prompted. Generate it with OpenSSL:
openssl req -new -newkey rsa:2048 -sha256 -nodes -out www.hashfish.net.csr -keyout www.hashfish.net.key -subj "/C=CN/ST=BeiJing/L=BeiJing/O=HASH FISH./OU=Web Security/CN=www.hashfish.net"
req: the certificate request subcommand
-new: generate a new certificate signing request
-newkey rsa:2048: generate a new 2048-bit RSA key pair for it
-sha256: sign the request with SHA-256
-nodes: do not encrypt the private key with a passphrase
-out: path of the output CSR file
-keyout: path of the private key
-subj: the certificate's user information (short for subject)
If you use this directly, remember to change the subject information to your own rather than copying it verbatim (squint smile)
2) Complete the remaining steps as prompted (such as filling in the mailbox that will receive the certificate); the order status changes to In Progress. Now place the validation file in the specified directory to complete SSLS's verification.
Let's carry on and make it a bit more intuitive.
3) After validation, some time later you will receive an email with the certificate attached. Merge the certificates (if there is more than one, keep the certificate chain intact, otherwise the site may be flagged as not secure in some cases), upload them to the server, configure nginx, restart nginx, and you're done.
Merging the certificates
# Merge the certificate and the CA bundle into one PEM file (server certificate first)
cat www.hashfish.net.crt www.hashfish.net.ca-bundle > www.hashfish.net.pem
Configure nginx
# Add the following to the server block for the domain (the /path/to/ directories are placeholders)
listen 443 ssl;
ssl_certificate     /path/to/www.hashfish.net.pem;
ssl_certificate_key /path/to/www.hashfish.net.key;
OK, that's it for HTTPS certificate deployment. Finally, the classic diagram below illustrates the process of an HTTPS request.
Reprints must credit the source, thank you. This article has omissions and is superficial in places; corrections are welcome.