Install nginx

You may already have nginx installed through apt-get or yum, but that package may not have been built with support for HTTPS, HTTP/2 or IPv6.

View the current version and build configuration

Use the nginx -V command (capital V) to print the version together with the configure arguments it was built with; the lowercase nginx -v prints the version only.
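The check described above, as an added example that is not part of the original article or of nginx itself: it reads the "configure arguments:" line that nginx -V prints (on stderr) and reports which of the build options the article relies on are absent. The sample output below is constructed for a package built without HTTP/2; the REQUIRED list is an assumption matching the article's ./configure line. IPv6 needs no build option in current nginx releases, so it is not checked.

```python
"""Check that an nginx binary was built with the modules this article needs."""
import subprocess

# Build options the article's ./configure line turns on (assumed required here).
REQUIRED = ["--with-http_ssl_module", "--with-http_v2_module"]

# Constructed sample of `nginx -V` output for a build that lacks HTTP/2.
SAMPLE_OUTPUT = """nginx version: nginx/1.17.8
built by gcc 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_gzip_static_module --with-pcre --with-http_ssl_module
"""


def configure_args(version_output):
    """Extract the ./configure options from `nginx -V` output.

    Options with quoted spaces (e.g. --with-cc-opt='-g -O2') get split across
    several tokens, which does not matter for presence checks on option names.
    """
    for line in version_output.splitlines():
        if line.startswith("configure arguments:"):
            return line.split(":", 1)[1].split()
    return []


def missing_modules(version_output, required=REQUIRED):
    """Return the required build options that do not appear in the output."""
    present = set(configure_args(version_output))
    return [opt for opt in required if opt not in present]


def nginx_version_output(binary="nginx"):
    """Run `nginx -V` and return its combined output, or None if nginx is absent."""
    try:
        proc = subprocess.run([binary, "-V"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    # nginx writes the version banner and configure arguments to stderr.
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    output = nginx_version_output() or SAMPLE_OUTPUT
    missing = missing_modules(output)
    print("all required modules present" if not missing else "missing: " + " ".join(missing))
```

When a local nginx is found, the script inspects it; otherwise it falls back to the constructed sample, which reports --with-http_v2_module as missing.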

The following uses Ubuntu as an example of uninstalling the packaged Nginx and installing it from source.

Uninstall

# remove nginx
$ apt-get --purge remove nginx

# list the nginx-related packages that are still installed
$ dpkg --get-selections | grep nginx

# remove the packages listed above, such as nginx-common
$ apt-get --purge remove nginx-common

# autoremove can also drop packages that are no longer needed
$ apt-get autoremove

# find any remaining nginx-related files (quote the pattern so the shell does not expand it)
$ sudo find / -name 'nginx*'

The installation

Installing dependent libraries

# gcc / g++ and libtool
apt-get install build-essential
apt-get install libtool

# pcre
sudo apt-get install libpcre3 libpcre3-dev

# zlib
apt-get install zlib1g-dev

# ssl
apt-get install openssl
apt-get install libssl-dev

Install nginx

Go to the Nginx download page to find the latest version of Nginx.

# download
$ wget https://nginx.org/download/nginx-1.17.8.tar.gz
# extract
$ tar -zxvf nginx-1.17.8.tar.gz
# enter the directory
$ cd nginx-1.17.8

# configure; if it reports a missing library, install it and run configure again
$ ./configure --prefix=/usr/local/nginx \
    --with-http_gzip_static_module \
    --with-http_v2_module \
    --with-pcre \
    --with-http_ssl_module

# compile (once configure completes without errors)
$ make

# install
$ make install

# create a symlink so that nginx can be run directly from the PATH
$ sudo ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

SSL certificate

SSL certificates are usually purchased from, or issued free of charge by, a third-party certificate authority. Cloud service providers also sell them, but their free certificates generally cover only a single domain name.

Let’s Encrypt is recommended; acme.sh can then obtain a free certificate from Let’s Encrypt, including a wildcard (pan-domain) certificate.

Using acme.sh with Let’s Encrypt to obtain an HTTPS certificate for a domain via Alibaba Cloud DNS validation

The above two articles are very detailed and will not be repeated.

PS:

  • DNS validation is recommended
  • The --dns dns_ali option depends on the DNS provider; dns_ali is Alibaba Cloud. For other providers, see "How to use DNS API" in the acme.sh documentation.
  • After the certificate is issued, the files in the default ~/.acme.sh/ directory are for acme.sh's internal use; use the --installcert command to copy them to the location nginx will read.

Here the certificate files are placed under nginx's conf directory: ./conf/ssl/…

Configure HTTP

Basic HTTP Configuration

The configuration of HTTP is very simple. The configuration is as follows. Let’s make the website accessible first.

server {
    listen          80;
    server_name     wangsijie.top www.wangsijie.top;

    location / {
        root    /var/www/main;
        index   index.html;
    }
}

If you access http://, it will look like this

Configure HTTPS

Basic HTTPS Configuration

server {
    listen                  443 ssl;
    server_name             wangsijie.top www.wangsijie.top;
    # fullchain.cer is the wildcard-domain certificate generated by acme.sh
    ssl_certificate         ssl/fullchain.cer;
    # private key file
    ssl_certificate_key     ssl/wangsijie.top.key;

    location / {
        root    /var/www/main;
        index   index.html;
    }
}

After you restart, visit your website starting with https:// and you’ll find it

Modifying HTTP Configurations

However, accessing the site over HTTP still shows that the connection is not secure. We need to modify the HTTP configuration so that requests on port 80 are redirected to HTTPS, as follows:

server {
    listen          80;
    server_name     wangsijie.top www.wangsijie.top;

    return  301 https://$server_name$request_uri;
}

If you access it again with http://, you’ll be redirected to https://

PS:

rewrite is also widely used for this on the web, but the return directive is simpler and more efficient.

Complete configuration

server {
    listen          80;
    server_name     wangsijie.top www.wangsijie.top;

    return  301 https://$server_name$request_uri;
}
server {
    listen                  443 ssl;
    server_name             wangsijie.top www.wangsijie.top;
    ssl_certificate         ssl/fullchain.cer;
    ssl_certificate_key     ssl/wangsijie.top.key;

    location / {
        root    /var/www/main;
        index   index.html;
    }
}

Hybrid configuration

server {
    listen                  80;
    listen                  443 ssl;
    server_name             wangsijie.top www.wangsijie.top;
    ssl_certificate         ssl/fullchain.cer;
    ssl_certificate_key     ssl/wangsijie.top.key;

    location / {
        root    /var/www/main;
        index   index.html;
    }
}

HTTPS security

Encryption suite

HTTPS uses the SHA-1 algorithm by default, which is very weak. We can use Diffie-Hellman key exchange instead.

Generate the dhparam.pem file in the conf/ssl directory:

openssl dhparam -out dhparam.pem 2048

The ssl_protocols and ssl_ciphers directives below restrict connections to the listed SSL/TLS versions and cipher suites only.

# prefer the server's cipher order
ssl_prefer_server_ciphers on;
# use the DH parameters file
ssl_dhparam             ssl/dhparam.pem;
# protocol versions
ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
# define the cipher list
ssl_ciphers             EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

Secure response headers

# Enable HSTS: once a browser has seen this header over HTTPS, it must keep accessing the site over HTTPS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Reduce clickjacking by refusing to be loaded in a frame
add_header X-Frame-Options DENY;
# Stop browsers from sniffing the content type of responses
add_header X-Content-Type-Options nosniff;
# Enable the browser's built-in XSS filter
add_header X-Xss-Protection 1;
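An added review check covering the encryption suite and the response headers above; it is not code from the article or from nginx. It tokenizes the ssl_* and add_header directives into (name, args) pairs with a small regex tokenizer and reports the settings a reviewer would flag: TLS 1.0/1.1 (deprecated by RFC 8996), 3DES (a 64-bit block cipher), RSA key exchange (no forward secrecy), the legacy X-XSS-Protection header, and HSTS preload/always rules. The article's directives are embedded as a constructed sample beside a hardened variant; the tokenizer is deliberately minimal and does not model nginx block nesting.

```python
"""Audit the TLS and security-header directives of an nginx server block."""
import re

# Constructed sample: the article's ssl_* and add_header directives as written.
WEAK_CONF = """
ssl_prefer_server_ciphers on;
ssl_dhparam             ssl/dhparam.pem;
ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers             EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-Xss-Protection 1;
"""

# Constructed sample: the same directives with each finding below addressed.
HARDENED_CONF = """
ssl_prefer_server_ciphers on;
ssl_dhparam             ssl/dhparam.pem;
ssl_protocols           TLSv1.2 TLSv1.3;
ssl_ciphers             EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
"""

# SSLv2/SSLv3 are long broken; TLS 1.0 and 1.1 are deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
HSTS_PRELOAD_MIN_AGE = 31536000  # one year, the minimum the preload list accepts

# Tokens: double-quoted, single-quoted, comment, statement terminator, bare word.
TOKEN = re.compile(r'''"([^"]*)"|'([^']*)'|(#[^\n]*)|([;{}])|([^\s;{}"'#]+)''')


def parse_directives(text):
    """Tokenize ';'-terminated directives into (name, [args]) pairs.

    Quoted arguments stay whole (so the ';' inside the HSTS value survives),
    comments are dropped, and braces only close the current statement.
    """
    directives, tokens = [], []
    for m in TOKEN.finditer(text):
        dq, sq, comment, end, word = m.groups()
        if comment:
            continue
        if end:
            if tokens:
                directives.append((tokens[0], tokens[1:]))
            tokens = []
        else:
            tokens.append(dq if dq is not None else sq if sq is not None else word)
    if tokens:
        directives.append((tokens[0], tokens[1:]))
    return directives


def audit(text):
    """Return a list of findings for the TLS and header directives in text."""
    findings, headers = [], {}
    for name, args in parse_directives(text):
        if name == "ssl_protocols":
            old = [p for p in args if p in DEPRECATED_PROTOCOLS]
            if old:
                findings.append("ssl_protocols: deprecated versions enabled: " + " ".join(old))
        elif name == "ssl_ciphers" and args:
            suites = [s for s in args[0].split(":") if not s.startswith("!")]
            if any("3DES" in s for s in suites):
                findings.append("ssl_ciphers: 3DES is still allowed (64-bit block cipher)")
            if any(s.startswith("RSA+") for s in suites):
                findings.append("ssl_ciphers: RSA key exchange suites give no forward secrecy")
        elif name == "add_header" and len(args) >= 2:
            headers[args[0].lower()] = args[1:]

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        match = re.search(r"max-age=(\d+)", hsts[0])
        max_age = int(match.group(1)) if match else 0
        if "preload" in hsts[0] and max_age < HSTS_PRELOAD_MIN_AGE:
            findings.append("HSTS: preload requires max-age of at least %d" % HSTS_PRELOAD_MIN_AGE)
        if "always" not in hsts[1:]:
            findings.append("HSTS: add 'always' so the header is also sent on error responses")
    if "x-content-type-options" not in headers:
        findings.append("missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in headers:
        findings.append("missing X-Frame-Options")
    if "x-xss-protection" in headers:
        findings.append("X-XSS-Protection: legacy header that most current browsers ignore; "
                        "a Content-Security-Policy is the supported replacement")
    return findings


if __name__ == "__main__":
    for label, conf in (("article", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Running the script prints four findings for the article's directives and none for the hardened set. Two nginx behaviours worth remembering when applying such changes: add_header directives from a server block are inherited by a location only if that location defines no add_header of its own, and TLSv1.3 requires nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.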

Server optimization

# configure the shared session cache size
ssl_session_cache   shared:SSL:10m;
# configure the session timeout
ssl_session_timeout 10m;

HTTP/2 configuration

HTTP/2 configuration is simple: just add http2 after ssl on the listen directive.

[::]: denotes the IPv6 listener; these lines are optional if you do not serve IPv6.

listen  80;
listen  [::]:80;
listen  443 ssl http2;
listen  [::]:443 ssl http2;

After restarting Nginx, you can test whether http2 is configured successfully at tools.keycdn.com/http2-test.

Finally

Complete configuration

server {
    listen                  80;
    listen                  [::]:80;
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             wangsijie.top www.wangsijie.top;

    ssl_certificate         ssl/fullchain.cer;
    ssl_certificate_key     ssl/wangsijie.top.key;

    ssl_session_cache       shared:SSL:10m;
    ssl_session_timeout     10m;

    ssl_prefer_server_ciphers on;
    ssl_dhparam             ssl/dhparam.pem;
    ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers             EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-Xss-Protection 1;

    location / {
        root    /var/www/main;
        index   index.html;
    }
}

Configuration file optimization

To let more subdomains support all of the above, writing the full set of directives into every server block is too cumbersome.

You can put the listen 443, ssl_* and add_header directives in a separate file and pull it in with the include directive.

Those shared directives live in conf.d/https-base.conf; the per-site configuration then looks like this:

server {
    listen                  8099;
    listen                  [::]:8099;
    server_name             test.wangsijie.top;

    include                 conf.d/https-base.conf;

    location / {
        root    /var/www/test;
        index   index.html;
    }
}

That completes the HTTPS configuration, and enjoy your visit.

Reference links

Nginx Chinese documentation