Introduction
In network communication, a packet-capture tool can record requests on the wire and replay them. The usual countermeasure is to make every request carry a value that changes, such as a timestamp signed or encrypted with RSA, but because of transmission delay the timestamp has to be accepted within some tolerance window, so replay is only narrowed, not eliminated. A better answer is HTTPS: HTTP carried over TLS (originally SSL), which encrypts the traffic and authenticates the server, so a passive attacker can neither read a captured exchange nor replay it into a new connection. It is therefore more secure than plain HTTP. Note that TLS protects only the transport: an attacker who controls the client device can still resubmit the same application-level request, so HTTPS complements per-request nonces rather than replacing them.
Implementation
For a website opened in a browser you need a certificate issued by a CA the browser trusts, otherwise the browser warns that the site is unsafe. For an app talking to its own backend, a self-signed certificate is sufficient, as long as the client pins that certificate instead of relying on the system trust store.
Configuration of the server
1. Generate certificate
Perform the following operations on the server’s command line
① Generate the server's private key. You will be asked to choose a passphrase (OpenSSL requires at least 4 characters).
openssl genrsa -des3 -out server.key 2048
② Remove the passphrase from the key file; enter the passphrase set in ①. Without this step nginx would prompt for the passphrase every time it starts.
openssl rsa -in server.key -out server.key
③ Generate the CSR. This step asks for a series of fields; you can press Enter to skip them all. If you want the certificate to name your host, set Common Name to the hostname the client will connect to.
openssl req -new -key server.key -out server.csr
④ Generate the crt file. The value after -days is the validity period in days; for a self-signed certificate a long value such as 3650 is fine.
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
⑤ Concatenate the crt and the key into a pem file; it is used in the next step to produce the cer for the client. The pem contains the private key, so it must never leave the server.
cat server.crt server.key > server.pem
⑥ Use the pem to generate the cer; the cer is shipped inside the client app and used for verification. openssl x509 reads only the certificate from the pem, so server.cer contains no key material (the same file can be produced directly with -in server.crt).
openssl x509 -in server.pem -outform der -out server.cer
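The six steps above collapsed into one script, as an added example that is not part of the original article. It assumes the openssl command-line tool is installed; the directory ./tls and the hostname api.example.test are hypothetical. It departs from the steps above in two ways: the key is created without a passphrase from the start, so ① and ② merge, and the certificate carries a subjectAltName, which TLS clients that do check the hostname require. The helper functions at the end are the checks worth running before copying server.crt/server.key to nginx and server.cer into the app.

```shell
#!/bin/sh
# Added example, not code from the original article. Requires the openssl CLI.
# The directory ./tls and the hostname api.example.test are hypothetical.
set -eu

# make_server_cert DIR HOST DAYS
# Writes DIR/server.key (private key, server only), DIR/server.crt (PEM
# certificate for nginx) and DIR/server.cer (DER certificate for the app).
make_server_cert() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    # Request config: no interactive prompts, CN and SAN both set to the host.
    # Clients that validate the hostname look at subjectAltName, not the CN.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $host
[v3_server]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # Steps 1-4 in one command: a 2048-bit RSA key with no passphrase (-nodes,
    # so nginx can start unattended) and a self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$dir/san.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"
    # Step 6 without the intermediate .pem: the DER file holds only the
    # certificate, never the private key, so it is safe to ship in the app.
    openssl x509 -in "$dir/server.crt" -outform der -out "$dir/server.cer"
    rm -f "$dir/san.cnf"
}

# cert_san DIR: print the SAN entries of the exported .cer, i.e. the name
# the client must connect to if it validates the hostname.
cert_san() {
    openssl x509 -in "$1/server.cer" -inform der -noout -text \
        | grep -o 'DNS:[^,[:space:]]*'
}

# cert_key_match DIR: succeed only if server.crt and server.key belong
# together (same public key); nginx refuses to start when they do not.
cert_key_match() {
    c=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# der_has_no_key DIR: succeed only if the .cer carries no private key
# (the concatenated .pem fed to the wrong tool could leak it).
der_has_no_key() {
    ! grep -q 'PRIVATE KEY' "$1/server.cer"
}

# Run directly: sh make_cert.sh run
if [ "${1-}" = "run" ]; then
    make_server_cert ./tls api.example.test 3650
    cert_san ./tls
    cert_key_match ./tls && der_has_no_key ./tls && echo "checks passed"
fi
```

Using an IP address instead of a hostname changes the SAN entry to IP:... ; everything else stays the same. The resulting server.crt and server.key go into the nginx configuration below, and server.cer into the app bundle.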
2. Modify the nginx configuration file
If you don’t know the path to the configuration file, use the following command to print it.
nginx -t
This command can be used to test whether the configuration file is correct and will also print out the path.
At the printed path, open nginx.conf; it contains an http { ... } block. Add the following server block inside the http block.
server {
    listen 443 ssl;  # replaces the deprecated "ssl on;" directive
    server_name localhost;
    # Web root and the index file names/types
    index index.html index.htm index.php;
    root <web root directory>;
    ssl_certificate <full path to the crt file server.crt>;
    ssl_certificate_key <full path to the private key file server.key>;
    # PHP configuration. Without it PHP files will not be executed. This block is copied from nginx's port-80 (http) configuration; if it does not work, copy the corresponding block from your own server's port-80 configuration.
    location ~ .*\.(php|php5)?$ {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }
    location ~ .*\.(js|css)?$ {
        expires 1h;
    }
    # If you are unsure what to put here, refer to the port-80 configuration
    include <nginx conf directory>/rewrite/default.conf;
    access_log <nginx log directory>/default.log;
}
3. Update configuration
nginx -t         # test whether the configuration file is correct
nginx -s reload  # reload the configuration file
At this point, the server-side configuration is over.
Client configuration
If the certificate was issued by a CA, you can make https requests directly. Ours is self-signed, so a direct request fails with a certificate-trust error. Below is how to configure AFNetworking (AFN) to make https requests against a self-signed certificate.
1. Import the server.cer generated above into the app's bundle (add it to the Xcode project so it is copied into the app as a bundle resource).
2. Before using afn to make a request, perform the following configuration
// Load every .cer in the app bundle (the server.cer from step 1) as the pinned set.
// AFNetworking 3.x API; passing the set explicitly avoids depending on which
// bundle the library's default lookup searches.
NSSet *pinnedCerts = [AFSecurityPolicy certificatesInBundle:[NSBundle mainBundle]];
AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey
                                            withPinnedCertificates:pinnedCerts];
// The self-signed certificate is not trusted by the iOS system store, so chain
// validation must be relaxed; the pinned public key is what authenticates the server.
// Never combine this flag with AFSSLPinningModeNone: that disables validation entirely.
policy.allowInvalidCertificates = YES;
AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
manager.securityPolicy = policy;
// Use manager for https requests from here on.
The above is the detailed content of How to configure HTTPS secure communication between Nginx server and iOS.