SNI-based SSL solution in Nginx reverse proxy
As web applications carry more and more sensitive traffic, serving them over TLS (still widely called SSL) has become a baseline requirement. An SSL certificate is not itself an encryption technology: it binds a server's host name to a public key so that the client can authenticate the server before the encrypted session is set up. In many deployments several host names have to be served from one server, often from one IP address and port, and each host name needs its own certificate. That is the situation an SNI-based solution addresses.
1. What is SNI (Server Name Indication)
SNI is a TLS extension (RFC 6066) in which the client includes the host name it wants to reach in its ClientHello message, before any certificate has been exchanged. The server uses that name to decide which certificate to present, so several domain names can share a single IP address and port while each uses its own certificate. Note that the ClientHello is sent in the clear, so the SNI host name is visible to anyone on the network path (Encrypted Client Hello, still being standardised, is the proposed fix). SNI does not hide anything; it only makes per-name certificate selection possible.
Every current browser and TLS library supports SNI. The clients that lack it are historical: Internet Explorer of any version on Windows XP, the Android 2.x stock browser and command-line tools linked against very old OpenSSL releases. Such a client cannot tell the server which name it wants, so it receives the default server's certificate, which usually does not match the name it asked for, and the user sees a certificate warning. If those clients still matter, the only alternatives are a separate IP address per certificate or a single certificate whose subjectAltName lists all of the names.
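To make the wire-level point concrete, the following Python script (an added example, not code from the original article) builds a minimal TLS ClientHello carrying a server_name extension and then parses the host name back out of it. The record layout is constructed here from RFC 5246 and RFC 6066; the zeroed random, the empty session id and the single cipher suite are placeholders, and a real ClientHello carries many more extensions. Because every field is plain bytes, anything that can read the first packet of the connection, an SNI-based proxy included, learns which host the client asked for.

```python
"""Build a minimal TLS ClientHello with an SNI extension and parse the name back.
Added example: record layout follows RFC 5246 / RFC 6066; the random, session id
and cipher-suite values are constructed placeholders, not captured traffic."""
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0          # server_name, RFC 6066 section 3
SNI_NAME_TYPE_HOST = 0          # host_name


def _sni_extension(hostname: str) -> bytes:
    """server_name extension: type(2) len(2) | list_len(2) | name_type(1) name_len(2) name."""
    name = hostname.encode("ascii")
    entry = bytes([SNI_NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Return one TLS record holding a bare ClientHello; no SNI extension when hostname is None."""
    body = b"\x03\x03" + bytes(32)                 # client_version TLS 1.2, 32-byte random (zeros here)
    body += b"\x00"                                # session_id: empty
    body += struct.pack("!H", 2) + b"\xc0\x2f"     # cipher_suites: one suite, ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                            # compression_methods: null only
    exts = _sni_extension(hostname) if hostname else b""
    body += struct.pack("!H", len(exts)) + exts    # extensions block (may be empty)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, version 3.1


def parse_sni(record: bytes) -> Optional[str]:
    """Extract the SNI host name from a ClientHello record, or None if the client sent none.

    Raises ValueError (or struct.error on a truncated body) when the bytes are not a
    ClientHello. Nothing here needs a key or a certificate: every field read below is
    plaintext on the wire."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all (allowed before TLS 1.3)
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue                               # skip ALPN, supported_versions, ...
        lpos = 2                                   # skip ServerNameList length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            (name_len,) = struct.unpack("!H", data[lpos + 1:lpos + 3])
            name = data[lpos + 3:lpos + 3 + name_len]
            lpos += 3 + name_len
            if name_type == SNI_NAME_TYPE_HOST:
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    for host in ("abc.com", "xyz.com", None):
        hello = build_client_hello(host)
        print(f"{str(host):>8}: {len(hello):3d} bytes, SNI on the wire = {parse_sni(hello)!r}")
```

The parser is also the core of what an SNI-routing proxy or a passive network sensor does: read the first record, pull out the host name and act on it before any key exchange has happened, which is exactly why the name cannot be treated as secret.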
2. Nginx reverse proxy and SSL
Nginx is a high-performance web server that also works as a reverse proxy: it accepts client requests, forwards them to one or more backend servers and returns the backend's response to the client. Putting it in front of the backends also gives you load balancing and a single place to terminate TLS.
As the layer between clients and the backends, Nginx can listen for plain http or for https. For https it terminates TLS itself, so it must hold the certificate and private key for every name it serves.
Nginx chooses the certificate per server block. If all names share one certificate (for example a certificate whose subjectAltName lists every name) a single server block is enough. If each name needs its own certificate, one server block per name is configured on the same listen address and Nginx picks the block, and with it the certificate, from the SNI host name. A client that sends no SNI, or asks for a name that matches no server block, is served by the default server for that address (the block marked default_server, or the first block if none is marked), so the certificate it receives may belong to a different domain.
3. SNI-based SSL solution
First obtain a certificate for each name, together with its private key and the issuing CA's intermediate certificate(s), which form the chain. The example uses two domain names, abc.com and xyz.com, with one certificate each. The commands below create self-signed certificates, which are fine for testing the configuration but are rejected by browsers; for production, send the CSR produced by the first command to a CA and use the certificate it returns.
Generate certificate:
# Key and signing request for each name. -subj avoids the interactive prompts and -addext
# (OpenSSL 1.1.1+) puts the name in subjectAltName, which browsers require; the CN alone is ignored.
openssl req -newkey rsa:2048 -nodes -keyout abc.com.key -out abc.com.csr -subj "/CN=abc.com" -addext "subjectAltName=DNS:abc.com,DNS:www.abc.com"
openssl req -newkey rsa:2048 -nodes -keyout xyz.com.key -out xyz.com.csr -subj "/CN=xyz.com" -addext "subjectAltName=DNS:xyz.com,DNS:www.xyz.com"
# Self-sign the requests for testing. -copy_extensions copy (OpenSSL 3.0+) carries the
# subjectAltName from the CSR into the certificate; without it x509 -req drops it silently.
openssl x509 -req -days 365 -in abc.com.csr -signkey abc.com.key -copy_extensions copy -out abc.com.crt
openssl x509 -req -days 365 -in xyz.com.csr -signkey xyz.com.key -copy_extensions copy -out xyz.com.crt
Generate certificate chain:
# Leaf certificate first, then the issuing CA's intermediate certificate(s); here domain.crt
# stands for that intermediate. A self-signed test certificate has no chain, so skip this step for it.
cat abc.com.crt domain.crt > abc.com-bundle.crt
cat xyz.com.crt domain.crt > xyz.com-bundle.crt
In the Nginx configuration file, you need to add the following configuration:
http {
    ...
    # Session cache shared by all server blocks (1 MB holds roughly 4000 sessions)
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # One server block per name, all on the same address and port;
    # the SNI host name is matched against server_name and selects the certificate
    server {
        listen 443 ssl;
        server_name abc.com;
        ssl_certificate     /path/to/abc.com-bundle.crt;
        ssl_certificate_key /path/to/abc.com.key;
    }
    server {
        listen 443 ssl;
        server_name xyz.com;
        ssl_certificate     /path/to/xyz.com-bundle.crt;
        ssl_certificate_key /path/to/xyz.com.key;
    }
}
Each domain name gets its own server block with its own ssl_certificate and ssl_certificate_key; the server_name value is what Nginx compares with the SNI host name. Because the first block on a listen address becomes the default server unless another is marked default_server, it is worth choosing deliberately which block answers clients that send no SNI or an unknown name. Check the configuration with nginx -t before loading it.
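The selection rule matters most for names that match nothing. The following Python script, an added example rather than anything from the article or from nginx itself, models how nginx chooses a server block for a TLS connection on one listen address: exact server_name first, then the longest wildcard starting with an asterisk, then the longest wildcard ending with one, then the default server (regular-expression server names are left out). The two blocks mirror the configuration above, with an extra *.xyz.com name added to show wildcard handling; the certificate paths are the placeholders used on this page.

```python
"""Model of how nginx picks a server{} block (and so a certificate) from the SNI name.
Added example: it follows the order documented for server_names; regex names are omitted."""
from typing import List, Optional, Tuple


class ServerBlock:
    """One server {} block on a shared `listen 443 ssl` address (hypothetical model, not nginx code)."""

    def __init__(self, names: List[str], certificate: str, default_server: bool = False):
        self.names = [n.lower() for n in names]   # server_name entries
        self.certificate = certificate            # ssl_certificate path
        self.default_server = default_server      # `listen 443 ssl default_server`


def _wildcard_match(pattern: str, host: str) -> bool:
    """nginx wildcard forms: '*.xyz.com' (any number of leading labels), 'mail.*', '.xyz.com'."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])          # *.xyz.com matches api.xyz.com and a.b.xyz.com
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])       # mail.* matches mail.xyz.com
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)   # .xyz.com = xyz.com + *.xyz.com
    return False


def select_server(blocks: List[ServerBlock], sni: Optional[str]) -> Tuple[ServerBlock, str]:
    """Return the block nginx would use for a TLS connection, plus the reason it was chosen.

    Order: exact server_name, longest wildcard starting with '*' (or '.'), longest wildcard
    ending with '*', then the default server for the listen address, which is the block
    marked default_server or, failing that, the first block in the configuration."""
    default = next((b for b in blocks if b.default_server), blocks[0])
    if not sni:
        return default, "client sent no SNI: default server"
    host = sni.lower().rstrip(".")
    for block in blocks:
        if host in block.names:
            return block, "exact server_name"

    def leading(p: str) -> bool:
        return p.startswith("*.") or p.startswith(".")

    def trailing(p: str) -> bool:
        return p.endswith(".*")

    for kind, is_kind in (("leading wildcard", leading), ("trailing wildcard", trailing)):
        best = None                                 # (block, pattern) with the longest pattern
        for block in blocks:
            for pattern in block.names:
                if is_kind(pattern) and _wildcard_match(pattern, host):
                    if best is None or len(pattern) > len(best[1]):
                        best = (block, pattern)
        if best is not None:
            return best[0], f"{kind} {best[1]}"
    return default, "no server_name matched: default server"


# Constructed configuration mirroring the server blocks on this page, plus a wildcard name.
BLOCKS = [
    ServerBlock(["abc.com", "www.abc.com"], "/path/to/abc.com-bundle.crt"),
    ServerBlock(["xyz.com", "*.xyz.com"], "/path/to/xyz.com-bundle.crt"),
]

if __name__ == "__main__":
    for sni in ("abc.com", "API.xyz.com", None, "evil.example"):
        block, why = select_server(BLOCKS, sni)
        print(f"{str(sni):>14} -> {block.certificate}   ({why})")
```

Run it and look at the last two cases: a client that sends no SNI and one that asks for evil.example both receive abc.com's certificate and, if that block has a proxy_pass, reach abc.com's backend. Unless that is intended, add a dedicated catch-all server block marked default_server; nginx 1.19.4 and later can make it refuse the handshake outright with ssl_reject_handshake on, while older versions need a throwaway certificate for that block.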
After reloading Nginx (nginx -s reload is enough; a full restart is not needed), verify that the right certificate is served for each name. A browser sends the host name as SNI during the TLS handshake and should receive the matching certificate for both abc.com and xyz.com; with the self-signed test certificates above the browser will still warn about an untrusted issuer, but the name in the certificate must match the name in the address bar. For a check that does not depend on a browser, connect with openssl s_client -connect and pass -servername abc.com, then -servername xyz.com, and compare the certificate subject printed each time; also connect once without -servername to see which certificate the default server hands to clients that send no SNI.
4. Summary
An SNI-based setup lets one Nginx listener on a single IP address and port serve several domain names, each with its own certificate. Every current browser and TLS client supports SNI; only historical clients such as Internet Explorer on Windows XP do not, and those receive the default server's certificate. The configuration is one server block per domain name, each naming its own certificate chain and private key, and it is worth deciding deliberately which block is the default server, since that block answers every client that sends no SNI or an unknown name.
The above is the detailed content of SNI-based SSL solution in Nginx reverse proxy. For more information, please follow other related articles on the PHP Chinese website!