Nginx build https server instance analysis

Introduction to https

https (hypertext transfer protocol over secure socket layer) is an http channel targeting security. Simply put, it is a secure version of http. That is, an SSL layer is added under http. The security foundation of https is SSL, so the details of encryption require SSL.

It is a uri scheme (abstract identifier system), the syntax is similar to the http: system, and is used for secure http data transmission. The default port used by https is 443.

ssl certificate

Introduction to certificate types

To set up a secure server, use public Create a public-private key pair. In most cases, send the certificate request (including your own public key), your company credentials, and the fee to a Certificate Authority (ca).ca verifies the certificate request and your identity, then returns the certificate to your secure server .

But the intranet implements encryption of server-side and client-side transmission content. You can issue your own certificate and just ignore the browser distrust alert!

A certificate signed by a ca provides two important functions for your server:

• The browser will automatically recognize the certificate and allow creation without prompting the user A secure connection

• When a CA generates a signed certificate, it provides assurance of the identity of the organization that provides the web page to the browser.

• Most web servers that support SSL have a list of CAs whose certificates will be automatically accepted. When a browser encounters a certificate whose authority ca is not in the list, the browser will ask the user whether to accept or reject the connection
  

Generate SSL Certificate

openssl genrsa -des3 -out wangzhengyi.key 2048

##openssl req -new -key wangzhengyi.key -out wangzhengyi.csr

Create a self-signed ca certificate

openssl req -new -x509 -days 3650 -key wangzhengyi_nopass.key -out wangzhengyi.crt

Build https virtual host

Virtual host configuration file

upstream sslfpm {
 server 127.0.0.1:9000 weight=10 max_fails=3 fail_timeout=20s;
}

server { 
 listen   192.168.1.*:443; 
 server_name 192.168.1.*; 
 
 #为一个server开启ssl支持
 ssl         on;
 #为虚拟主机指定pem格式的证书文件
 ssl_certificate   /home/wangzhengyi/ssl/wangzhengyi.crt; 
 #为虚拟主机指定私钥文件
 ssl_certificate_key /home/wangzhengyi/ssl/wangzhengyi_nopass.key; 
 #客户端能够重复使用存储在缓存中的会话参数时间
 ssl_session_timeout 5m;
 #指定使用的ssl协议 
 ssl_protocols sslv3 tlsv1; 
 #指定许可的密码描述
 ssl_ciphers all:!adh:!export56:rc4+rsa:+high:+medium:+low:+sslv2:+exp; 
 #sslv3和tlsv1协议的服务器密码需求优先级高于客户端密码
 ssl_prefer_server_ciphers on;

 location / { 
 root /home/wangzhengyi/ssl/;
 autoindex on;
     autoindex_exact_size  off;
     autoindex_localtime on;
 } 
   # redirect server error pages to the static page /50x.html
   #
   error_page 500 502 503 504 /50x.html;
   error_page 404 /404.html;

 location = /50x.html {
     root /usr/share/nginx/www;
   }
  location = /404.html {
     root /usr/share/nginx/www;
   }
  
   # proxy the php scripts to fpm
   location ~ \.php$ {
 access_log /var/log/nginx/ssl/ssl.access.log main;
 error_log /var/log/nginx/ssl/ssl.error.log;
 root /home/wangzhengyi/ssl/; 
 fastcgi_param https on;
     include /etc/nginx/fastcgi_params; 
     fastcgi_pass  sslfpm;
   }
}

The above is the detailed content of Nginx build https server instance analysis. For more information, please follow other related articles on the PHP Chinese website!