Nginx, a high-performance web server and reverse proxy, is widely used for application deployment and load balancing. As security awareness grows, HTTPS has become an indispensable part of modern web applications. This article focuses on HTTPS deployment on Nginx and on the security and performance optimization that goes with it.
1. HTTPS deployment of Nginx
First, apply for an SSL certificate from a Certificate Authority (CA). Once the application is approved, you receive a certificate file (.crt) and a private key file (.key).
Nginx's HTTPS configuration involves three parts: forwarding HTTP to HTTPS, configuring the certificate, and configuring the HTTPS protocol options.
(1) Forward HTTP to HTTPS
In the Nginx configuration file, add an HTTP server block so that users who access the default HTTP port 80 are automatically redirected to HTTPS on the default port 443.
    server {
        listen 80;
        server_name example.com;
        return 301 https://$server_name$request_uri;   # permanent redirect to the HTTPS site
    }
(2) Nginx certificate configuration
In the Nginx configuration file, point Nginx at the certificate and private key files obtained above.
    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate /path/to/cert.crt;       # certificate issued by the CA
        ssl_certificate_key /path/to/cert.key;   # matching private key
        ...
    }
(3) HTTPS configuration
Next, configure the specific HTTPS protocol options, such as enabling HTTP/2, disabling SSLv3, and so on.
    http2_push_preload on;                  # enable HTTP/2 push preloading (HTTP/2 itself is enabled on the listen directive)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # TLS versions to enable; SSLv3 is disabled by leaving it out
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH;   # cipher suites, AES-GCM first
    ssl_prefer_server_ciphers on;           # use the server's cipher order rather than the client's
    ssl_session_cache shared:SSL:10m;       # shared SSL session cache
    ssl_session_timeout 10m;                # SSL session timeout
2. Nginx security performance optimization
After deploying the HTTPS service, pay attention to the following security and performance optimizations to keep the service stable and secure:
OCSP (Online Certificate Status Protocol) is used to check whether a certificate has been revoked. In Nginx's HTTPS configuration, OCSP responses can be fetched and stapled with the following directives:
    ssl_stapling on;                                   # attach the OCSP response to the TLS handshake
    ssl_stapling_verify on;                            # verify the OCSP response before stapling it
    ssl_trusted_certificate /path/to/fullchain.pem;    # chain used to verify the OCSP response
    resolver 8.8.8.8 8.8.4.4 valid=300s;               # DNS resolver for the OCSP responder hostname
    resolver_timeout 10s;
The key points are interpreted as follows:
HSTS (HTTP Strict Transport Security) prevents users from being redirected or downgraded to plain HTTP pages, raising the security level. In Nginx's HTTPS configuration, enable HSTS as follows:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
The key points are interpreted as follows:
By default, Nginx enables only TLSv1 and TLSv1.2; if you need to enable other protocol versions, configure them as follows:
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
The key points are interpreted as follows:
Data transmitted over HTTPS is encrypted with a key. Using HMAC (Hash-based Message Authentication Code) improves the security of the transmission. HMAC-based cipher suites are selected in the Nginx configuration file as follows:
    # the list is a single argument: spaces are valid OpenSSL separators, but it must be quoted so Nginx does not split it
    # note that a leading '+' moves matching suites to the end of the list rather than preferring them
    ssl_ciphers "... !aNULL !eNULL !EXPORT !CAMELLIA !DES !MD5 !PSK !RC4 !SEED +AES256 !kEDH +SHA256 +HMAC";
The key points are interpreted as follows:
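As an added example (not part of the original article and not Nginx's own tooling), the following Python script audits a server block for the settings the article walks through: the 301 redirect to HTTPS, the enabled TLS versions, the HSTS max-age, and whether OCSP stapling is accompanied by ssl_stapling_verify and ssl_trusted_certificate. The sample configuration is constructed; the deprecated-version list and the one-year max-age threshold are the script's own assumptions.

```python
import re

# Constructed sample, not from the article: the HTTP->HTTPS redirect is in place,
# but several of the hardening points the article lists are weak or incomplete.
SAMPLE_CONF = """
server { listen 80; server_name example.com; return 301 https://$server_name$request_uri; }
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # comments are stripped before parsing
    ssl_stapling on;
    add_header Strict-Transport-Security "max-age=300" always;
}
"""
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # assumption: versions to flag
# A quoted value is one token, so the ';' inside "max-age=...; includeSubDomains" cannot split a directive.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def directives(conf):
    """Yield (name, args) for each directive; comments and block braces are skipped."""
    cur = []
    for tok in TOKEN.findall(re.sub(r"#[^\n]*", "", conf)):
        if tok in ";{}":                  # '{' and '}' discard the 'server'/'http' block keyword
            if cur and tok == ";":
                yield cur[0], [t.strip("\"'") for t in cur[1:]]
            cur = []
        else:
            cur.append(tok)

def audit(conf):
    """Return findings for the redirect, protocol, HSTS and OCSP-stapling settings."""
    d = {}
    for name, args in directives(conf):
        d.setdefault(name, []).append(args)
    out = []
    if not any(a[:1] == ["301"] and a[1:2] and a[1].startswith("https://") for a in d.get("return", [])):
        out.append("no 301 redirect from HTTP to HTTPS")
    out.extend("deprecated protocol enabled: " + p
               for args in d.get("ssl_protocols", []) for p in sorted(set(args) & DEPRECATED))
    hsts = [a for a in d.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        out.append("HSTS header missing")
    else:
        m = re.search(r"max-age=(\d+)", " ".join(hsts[0]))
        if not m or int(m.group(1)) < 31536000:          # assumption: one year minimum
            out.append("HSTS max-age below one year")
    if ["on"] in d.get("ssl_stapling", []):
        for need in ("ssl_stapling_verify", "ssl_trusted_certificate"):
            if need not in d:
                out.append("ssl_stapling on without " + need)
    return out
```

Run `audit(open("nginx.conf").read())` against a real file to list the findings; an empty list means every checked point is in place.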
Conclusion
This article introduced the main points of Nginx HTTPS deployment and security and performance optimization. As modern web applications grow more complex, the security and performance demands placed on HTTPS keep rising. For a system administrator, it is essential to keep updating one's knowledge and to maintain a professional perspective on new technologies and environments.
The above is the detailed content of HTTPS deployment and security performance optimization of Nginx. For more information, please follow other related articles on the PHP Chinese website!