Preface

HTTPS (Hypertext Transfer Protocol Secure, also expanded as Hyper Text Transfer Protocol over Secure Socket Layer) is HTTP carried over a secure channel. It is simply a secure version of HTTP: an SSL layer is added beneath HTTP, and Secure Sockets Layer (SSL) is the basis of HTTPS security, so the details of encryption are handled by SSL. It is a URI scheme with the same syntax as the http: scheme, used for secure HTTP data transfer. An https: URL indicates that HTTP is used, but HTTPS has a different default port from HTTP and adds an encryption/authentication layer between HTTP and TCP. The system, originally developed by Netscape and built into its browser, Netscape Navigator, provides authentication and encrypted communication. It is now widely used for security-sensitive communication on the World Wide Web, such as payment transactions.

Why use HTTPS

HTTP sends content in plaintext and provides no data encryption. If an attacker intercepts the packets transmitted between a web browser and a web server, they can read the information in them directly. HTTP is therefore not suitable for transmitting sensitive information such as credit card numbers and passwords.

To address this shortcoming of HTTP, another protocol is needed: HTTPS (Hypertext Transfer Protocol over Secure Socket Layer). To secure data transmission, HTTPS adds SSL to HTTP. SSL relies on certificates to verify the identity of the server and encrypts the communication between the browser and the server.

HTTPS prevents network data from being captured or tampered with during transmission, and counters carrier hijacking and ad injection. In addition, when a website that supports the HTTPS protocol is visited, Google Chrome and other browsers display a security icon in the address bar. The website appears secure to users, which improves customer trust.

To deploy HTTPS, you need to buy an SSL certificate, whose price ranges from several thousand to tens of thousands of yuan per year. Some vendors provide free SSL certificates. Below are two ways to apply for a free SSL certificate and deploy HTTPS.

Let’s Encrypt free certificate

Let’s Encrypt is a public, free SSL certificate project launched by Mozilla, Cisco, Akamai, IdenTrust, EFF, and others to facilitate the transition of websites from HTTP to HTTPS. More and more users have joined and sponsored it.

The following describes how to install a Let’s Encrypt certificate on Ubuntu.

1. Install Certbot (for automatic certificate renewal)

# Add the installation source
sudo add-apt-repository ppa:certbot/certbot
# Update the apt package index
sudo apt-get update
# Install
sudo apt-get install python-certbot-apache

2. Install Let’s Encrypt

# Install the letsencrypt client
sudo apt-get install letsencrypt
# Create a certificate (replace the e-mail address and domain name with your own)
letsencrypt certonly --agree-tos --email [email protected] -d www.domain.com

After the above command runs, the certificate files are generated under the /etc/letsencrypt folder.

3. Configure nginx

Add a new configuration file, website.conf, to /etc/nginx/conf.d/ (replace www.domain.com with your actual domain name):

server {
    listen 80;
    # listen [::]:80;
    server_name www.domain.com;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    server_name www.domain.com;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    # ssl_trusted_certificate /etc/letsencrypt/live/www.gabin.top/root_ca_cert_plus_intermediates;

    # resolver 8.8.8.8 8.8.4.4 valid=300s;
    # resolver_timeout 5s;
}
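nginx -t only checks that a configuration parses; it says nothing about the TLS policy it expresses. The following script is added here as an example (it is not from the original post) and lints a constructed sample modelled on the 443 server block above, flagging what a reviewer would query in that block: TLSv1/TLSv1.1 still enabled, an HSTS max-age under one year, and OCSP stapling turned on while ssl_trusted_certificate and resolver remain commented out. The minimal parser (comments dropped, blocks flattened, no include handling) is an assumption made to keep the example short.

```python
import re

# Constructed sample modelled on the page's 443 server block; not the author's real file.
SAMPLE = """
server {
    listen 443 ssl http2;
    server_name www.domain.com;
    ssl_session_tickets off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security max-age=15768000;
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_trusted_certificate /etc/letsencrypt/live/www.domain.com/chain.pem;
    # resolver 8.8.8.8 8.8.4.4 valid=300s;
}
"""
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(text):
    """Map directive name -> list of argument lists; comments dropped, nesting flattened."""
    text = re.sub(r"#[^\n]*", "", text)             # strip '#' comments to end of line
    found = {}
    for stmt in re.findall(r"[^{};]+;", text):       # every 'name arg arg ...;' statement
        parts = stmt[:-1].split()
        if parts:
            found.setdefault(parts[0], []).append(parts[1:])
    return found

def audit_tls(text):
    """Return human-readable findings for the TLS-related directives in an nginx config."""
    d, findings = parse_directives(text), []
    for args in d.get("ssl_protocols", []):
        weak = sorted(WEAK_PROTOCOLS & set(args))
        if weak:
            findings.append("deprecated protocols enabled: " + " ".join(weak))
    hsts = [a for a in d.get("add_header", []) if a[:1] == ["Strict-Transport-Security"]]
    m = re.search(r"max-age=(\d+)", " ".join(hsts[0])) if hsts else None
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    elif not m or int(m.group(1)) < 31536000:        # one year is the usual minimum
        findings.append("HSTS max-age below one year")
    if d.get("ssl_stapling") == [["on"]]:
        if "resolver" not in d:                      # nginx needs DNS to reach the OCSP responder
            findings.append("ssl_stapling on but no resolver for the OCSP responder")
        if d.get("ssl_stapling_verify") == [["on"]] and "ssl_trusted_certificate" not in d:
            findings.append("ssl_stapling_verify on but no ssl_trusted_certificate chain")
    if d.get("ssl_session_tickets") != [["off"]]:
        findings.append("ssl_session_tickets not disabled")
    return findings
```

Call audit_tls(open("/etc/nginx/conf.d/website.conf").read()) against the real file; an empty list means none of the checks above fired.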

4. Reload the nginx configuration

Run the following command:

nginx -s reload

5. Add a scheduled renewal task

A Let’s Encrypt certificate is valid for three months by default and must be renewed periodically. Edit the scheduled tasks:

crontab -e

Add the following scheduled task:

# Renew every night at 2am (minute 0 of hour 2); the three steps run in sequence,
# so nginx is started again even if the renewal itself fails
0 2 * * * service nginx stop; letsencrypt renew; service nginx start

Qiniu Cloud free certificate

Many cloud service providers, such as Aliyun, Tencent Cloud and Qiniu Cloud, provide free SSL certificates. Most of these certificates are valid for one year and must be renewed manually when they expire. Qiniu Cloud is used as the example here.

1. Apply for a certificate

Visit https://portal.qiniu.com/certificate/apply to apply for a free certificate.

2. Download the certificate

Click “Details” – “View certificate” – “Download certificate” to download the certificate file.

3. Modify the nginx configuration

The certificate is configured in the same way as for Let’s Encrypt; only the paths in ssl_certificate and ssl_certificate_key need to be changed to where the downloaded certificate files are stored.

