Nginx (pronounced "engine x")
Nginx is a high-performance HTTP and reverse proxy server. It uses less memory than Apache and, like Apache, supports HTTPS (SSL-encrypted) access. This tutorial, based on Ubuntu Lucid (10.04), briefly explains how to deploy an HTTPS website on Nginx.
1. Definition of terms
CA (Certificate Authority): the digital certificate certification center, i.e. the organization that issues, manages, and revokes digital certificates. The role of the CA is to check the legitimacy of the certificate holder's identity, issue the certificate (sign it), prevent the certificate from being forged or tampered with, and manage the certificate and key.
SSL (Secure Sockets Layer): a mechanism that provides a data security layer between application protocols (such as HTTP, Telnet, FTP) and TCP/IP. It is a security protocol implemented on top of the transport protocol (TCP/IP); using public key technology, it provides data encryption, server authentication, message integrity, and optional client authentication for TCP/IP connections.
Certificate chain: contains the trust anchor (the CA certificate) and the signed certificates. Web browsers come preconfigured with a set of root CA certificates that the browser automatically trusts. Certificates from any other certificate authority must be accompanied by a certificate chain so that their validity can be verified. A certificate chain is a sequence of certificates issued by a series of CA certificates, culminating in a root CA certificate.
2. Prepare SSL certificate for Nginx
An SSL certificate can be provided by a CA, or generated locally (a self-signed certificate). A self-signed certificate is not recognized by browsers, which will show a warning when the site is visited. Assuming a certificate has been purchased from a CA, the following files are obtained:
SSL certificate file (.crt), SSL certificate private key file (.key), SSL certificate chain file (.pem, downloadable from the CA's website)
The content of the .crt certificate file issued by the CA is roughly as follows:
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
The content of the .pem chain file provided by the CA must be appended after the contents of the .crt file for Nginx to use it; this differs slightly from the Apache configuration.
The content of the .key private key file issued by the CA is roughly as follows:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,…
…
-----END RSA PRIVATE KEY-----
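The two file formats above can be checked before they are handed to Nginx. The following Python script is an added example, not part of the original tutorial: it splits a PEM file into its blocks, assembles the combined .crt-plus-chain file in the order Nginx expects (server certificate first, CA chain after it), and reports whether a .key file is passphrase-protected, which is the situation that produces the "PEM pass phrase" prompt described in section 4. Every file content in it is a constructed placeholder (minimal DER structures and dummy ciphertext), not a real certificate or key.

```python
import base64
import re

# Matches one PEM block; the END label must equal the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem_blocks(text):
    """Return [(label, header_lines, decoded_bytes)] for every PEM block in text.

    Encapsulated headers such as 'Proc-Type: 4,ENCRYPTED' (traditional encrypted
    keys) are separated from the base64 body. An unencrypted body must decode to a
    DER SEQUENCE (first byte 0x30); an encrypted body is raw ciphertext, so it only
    has to be valid base64.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group("label")
        headers, b64_lines, in_headers = [], [], True
        for line in match.group("body").splitlines():
            if in_headers and ":" in line:
                headers.append(line.strip())
                continue
            in_headers = False  # the first non-header line ends the header section
            if line.strip():
                b64_lines.append(line.strip())
        data = base64.b64decode("".join(b64_lines), validate=True)
        encrypted = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        if not encrypted and (not data or data[0] != 0x30):
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        blocks.append((label, headers, data))
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def build_chain_bundle(leaf_pem, chain_pem):
    """Produce the file used for ssl_certificate: the server certificate first,
    followed by the CA chain (intermediates, then root) appended after it."""
    leaf = split_pem_blocks(leaf_pem)
    chain = split_pem_blocks(chain_pem)
    if len(leaf) != 1 or leaf[0][0] != "CERTIFICATE":
        raise ValueError("the .crt file must contain exactly one CERTIFICATE block")
    if any(label != "CERTIFICATE" for label, _, _ in chain):
        raise ValueError("the chain file must contain only CERTIFICATE blocks")
    return leaf_pem.strip() + "\n" + chain_pem.strip() + "\n"


def key_is_passphrase_protected(key_pem):
    """True if Nginx would ask for a 'PEM pass phrase' when loading this key."""
    for label, headers, _ in split_pem_blocks(key_pem):
        if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted form
            return True
        if any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
            return True  # traditional 'RSA PRIVATE KEY' form with DEK-Info header
    return False


def make_pem_block(label, raw, headers=()):
    """Constructed sample data only: wrap raw bytes in PEM armor."""
    header_text = "\n".join(headers) + "\n\n" if headers else ""
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN {label}-----\n{header_text}{body}\n-----END {label}-----\n"


# Constructed placeholders: each 'certificate' is a minimal DER SEQUENCE { INTEGER n },
# the encrypted key body is dummy ciphertext and the DEK-Info IV is a dummy value.
SAMPLE_LEAF = make_pem_block("CERTIFICATE", b"\x30\x03\x02\x01\x01")
SAMPLE_CHAIN = (make_pem_block("CERTIFICATE", b"\x30\x03\x02\x01\x02")
                + make_pem_block("CERTIFICATE", b"\x30\x03\x02\x01\x03"))
SAMPLE_ENCRYPTED_KEY = make_pem_block(
    "RSA PRIVATE KEY", b"\xde\xad\xbe\xef" * 4,
    headers=("Proc-Type: 4,ENCRYPTED",
             "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF"))
SAMPLE_PLAIN_KEY = make_pem_block("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")

if __name__ == "__main__":
    bundle = build_chain_bundle(SAMPLE_LEAF, SAMPLE_CHAIN)
    print(f"bundle holds {len(split_pem_blocks(bundle))} certificates, server cert first")
    print("encrypted key prompts for passphrase:", key_is_passphrase_protected(SAMPLE_ENCRYPTED_KEY))
    print("plain key prompts for passphrase:", key_is_passphrase_protected(SAMPLE_PLAIN_KEY))
```

A key reported as protected can be rewritten without its passphrase with `openssl rsa -in cp.key -out cp.key` (the OpenSSL step that section 4 refers to). The result is a cleartext private key, so it should be owned by root with mode 0600; only the Nginx master process, which runs as root, needs to read it.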
3. Nginx installation and SSL deployment
sudo apt-get install nginx
Edit the configuration file:
sudo vim /etc/nginx/sites-available/default
Configuration example:
server {
    listen 443;                      # HTTPS uses port 443
    #listen 80;
    server_name www.server110.com;
    ssl on;
    ssl_certificate ssl/cp.crt;      # path of the .crt file (with the chain appended)
    ssl_certificate_key ssl/cp.key;  # path of the .key file
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    server_name localhost;
    access_log /var/log/nginx/localhost.access.log;
    ## Default location
    location / {
        root /var/www;
        index index.php;
    }
}
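Two of the ssl_* settings in this block deserve a second look before they are copied onto a server that is reachable today: SSLv2 and SSLv3 are broken protocols, and a cipher list built from ALL with "+LOW" and "+EXP" still offers export-grade and RC4 suites, because the "+" operator only moves suites to the end of the list while "!" is what removes them. The script below is an added example, not part of the original tutorial or of Nginx: it lints a server block for these settings, also catching the "//" comment syntax that Nginx rejects, and runs over a constructed copy of the page's configuration and over a constructed hardened equivalent written for a current Nginx (TLS enabled with `listen 443 ssl`, only TLS 1.2/1.3 offered, an explicit AEAD cipher allow-list). The directive parser is deliberately minimal and handles only the flat `name value;` form used here.

```python
import re

# Constructed sample: the page's server block with its comments in the '#' form
# that nginx accepts ('//' is not comment syntax and makes nginx refuse to start).
WEAK_CONFIG = """
server {
    listen 443;   # HTTPS uses port 443
    server_name www.server110.com;
    ssl on;
    ssl_certificate ssl/cp.crt;
    ssl_certificate_key ssl/cp.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
}
"""

# Constructed hardened equivalent for a current nginx (1.15 or later): TLS is enabled
# on the listen directive, only TLS 1.2/1.3 are offered, and the cipher list is an
# explicit allow-list of forward-secret AEAD suites.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    server_name www.server110.com;
    ssl_certificate ssl/cp.crt;
    ssl_certificate_key ssl/cp.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string words that enable weak or overly broad suites.
WEAK_CIPHER_WORDS = {"ALL", "COMPLEMENTOFDEFAULT", "RC4", "LOW", "MEDIUM", "EXP",
                     "EXPORT", "EXPORT40", "EXPORT56", "ADH", "aNULL", "eNULL",
                     "NULL", "MD5", "DES", "3DES", "SSLv2", "SSLv3"}

# Flat 'name value...;' directives; blocks ('{') are skipped by the character class.
DIRECTIVE = re.compile(r"(?m)^\s*(\w+)\s+([^;{}]*?)\s*;")
BAD_COMMENT = re.compile(r"(?m)(^\s*//|;\s*//)")


def _strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def check_tls_config(text):
    """Return a list of findings for the TLS-related directives in an nginx config."""
    findings = []
    if BAD_COMMENT.search(text):
        findings.append("'//' is not a comment in nginx configs; use '#' (nginx fails to start)")
    for name, args in DIRECTIVE.findall(_strip_comments(text)):
        args = args.split()
        if name == "ssl_protocols":
            for proto in args:
                if proto in WEAK_PROTOCOLS:
                    findings.append(f"ssl_protocols enables {proto}; offer only TLSv1.2 and TLSv1.3")
        elif name == "ssl_ciphers":
            for token in ":".join(args).split(":"):
                if token.startswith(("!", "-")):
                    continue  # explicitly removed from the list
                token = token.lstrip("+")  # '+' only reorders; the suites stay enabled
                weak = set(re.split(r"[-+]", token)) & WEAK_CIPHER_WORDS
                if weak:
                    findings.append(f"ssl_ciphers token '{token}' enables weak or overly broad "
                                    f"suites ({', '.join(sorted(weak))})")
        elif name == "ssl" and args == ["on"]:
            findings.append("'ssl on' is deprecated since nginx 1.15.0; use 'listen 443 ssl'")
    return findings


if __name__ == "__main__":
    for title, config in (("page configuration", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = check_tls_config(config)
        print(f"{title}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Run as a script, it prints ten findings for the page's block and none for the hardened one. A real deployment should confirm the result from the outside as well, for example with `openssl s_client -connect host:443 -ssl3`, which must fail against a correctly hardened server.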
4. Restart Nginx and complete
sudo service nginx restart
During the restart you are generally asked for a "PEM pass phrase". This is because the RSA private key file is password-protected: the CA set a passphrase on it when issuing the certificate. If you know the passphrase, you can use OpenSSL to remove the protection, after which restarting Nginx no longer prompts for it.