NGINX Configuring SSL Certificate + Building HTTPS Website Tutorial

1. What is HTTPS?

According to Wikipedia’s explanation:

超文本传输安全协议（缩写：HTTPS，英语：Hypertext Transfer Protocol Secure）是超文本传输协议和SSL/TLS的组合，用以提供加密通讯及对网络服务器身份的鉴定。HTTPS连接经常被用于万维网上的交易支付和企业信息系统中敏感信息的传输。HTTPS不应与在RFC 2660中定义的安全超文本传输协议（S-HTTP）相混。

HTTPS is currently the first choice for all websites that focus on privacy and security. With the continuous development of technology, HTTPS websites are no longer a patent for large websites. All ordinary personal webmasters and Bloggers can build a secure, encrypted website by themselves.

If a website is not encrypted, then all your account passwords will be transmitted in clear text. One can imagine how terrible unencrypted transmission is when it comes to privacy and financial issues.

Since the readers of this blog are all close to professionals, let’s go straight to the topic without further ado.

2. Use OpenSSL to generate SSL Key and CSR

Because only a CA trusted by the browser or system can allow all visitors to access your encrypted website smoothly without a certificate error prompt. So let’s skip the self-signed certificate step and go straight to signing a third-party trusted SSL certificate.

OpenSSL is installed by default on regular systems such as Linux and OS X. Due to some security issues, most current third-party SSL certificate issuing agencies require at least a 2048-bit RSA encrypted private key.

At the same time, there are two forms of ordinary SSL certificate authentication, one is DV (Domain Validated), and the other is OV (Organization Validated). The former only needs to verify the domain name, and the latter needs to verify your organization or company. In terms of security, the latter is definitely better.

Whether you use DV or OV to generate a private key, you need to fill in some basic information. Here we assume the following:

Domain name, also called Common Name, because the special certificate is not necessarily a domain name: example.com

Organization or company name (Organization): Example, Inc.

Department: You can leave it blank, here we write Web Security

City: Beijing

Province (State / Province) ：Beijing

Country: CN

Encryption strength: 2048 bits, if your machine has strong performance, you can also choose 4096 bits

According to the above information, the commands to use OpenSSL to generate key and csr are as follows

openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc./OU=Web Security/CN=example.com"

PS: If it is a pan-domain certificate, you should fill in *.example.com

You can run this command anywhere in the system, and it will automatically generate example_com.csr and example_com.key in the current directory These two files

Next you can check example_com.csr and get a long string of text like this

-----BEGIN CERTIFICATE REQUEST----- MIICujCCAaICAQAwdTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaWppbmcxEDAOBgNVBAcTB0JlaWppbmcxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEVMBMGA1UECxMM V2ViIFNlY3VyaXR5MRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPME+nvVCdGN9VWn+vp7JkMoOdpOurYMPvclIbsIiD7mGN982Ocl22O9wCV/4tL6DpTcXfNX+eWd7CNEKT4i+JYGqllqP3/CojhkemiY SF3jwncvP6VoST/HsZeMyNB71XwYnxFCGqSyE3QjxmQ9ae38H2LIpCllfd1l7iVpAX4i2+HvGTHFzb0XnmMLzq4HyVuEIMoYwiZX8hq+kwEAhKpBdfawkOcIRkbOlFew SEjLyHY+nruXutmQx1d7lzZCxut5Sm5At9al0bf5FOaaJylTEwNEpFkP3L29GtoU qg1t9Q8WufIfK9vXqQqwg8J1muK7kksnbYcoPnNgPx36kZsCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQCHgIuhpcgrsNwDuW6731/DeVwq2x3ZRqRBuj9/M8oONQen 1QIacBifEMr+Ma+C+wIpt3bHvtXEF8cCAJAR9sQ4Svy7M0w25DwrwaWIjxcf/J8U audL/029CkAuewFCdBILTRAAeDqxsAsUyiBIGTIT+uqi+EpGG4OlyKK/MF13FxDj /oKyrSJDtp1Xr9R7iqGCs/Zl5qWmDaLN7/qxBK6vX2R/HLhOK0aKi1ZQ4cZeP7Mr 8EzjDIAko87Nb/aIsFyKrt6Ze3jOF0/vnnpw7pMvhq+folWdTVXddjd9Dpr2x1nc y5hnop4k6kVRXDjQ4OTduQq4P+SzU4hb41GIQEz4 -----END CERTIFICATE REQUEST-----

This CSR file is what you need to submit to the SSL certification agency when your domain name or organization passes the verification After that, the certification authority will issue you an example_com.crt

and example_com.key needs to be used in Nginx configuration with example_com.crt. It needs to be kept well and must not be leaked to anyone. Third parties.

3. Configure Nginx HTTPS website and increase security configuration

As mentioned earlier, you need to submit a CSR file to a third-party SSL certification agency. After passing the certification, they will issue you a CRT file, which we named example_com .crt

同时，为了统一，你可以把这三个文件都移动到 /etc/ssl/private/ 目录。

然后可以修改 Nginx 配置文件

server { listen80; listen [::]:80 ssl ipv6>on; listen443 ssl; listen [::]:443 ssl ipv6>on; server_name example.com; sslon; ssl_certificate /etc/ssl/private/example_com.crt; ssl_certificate_key /etc/ssl/private/example_com.key; }

检测配置文件没问题后重新读取 Nginx 即可

nginx -t && nginx -s reload

但是这么做并不安全，默认是 SHA-1 形式，而现在主流的方案应该都避免 SHA-1，为了确保更强的安全性，我们可以采取迪菲－赫尔曼密钥交换

首先，进入 /etc/ssl/certs 目录并生成一个 dhparam.pem

cd /etc/ssl/certs openssl dhparam -out dhparam.pem 2048# 如果你的机器性能足够强大，可以用 4096 位加密

生成完毕后，在 Nginx 的 SSL 配置后面加入

ssl_prefer_server_cipherson; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"; keepalive_timeout70; ssl_session_cache shared:SSL:10m; ssl_session_timeout10m;

同时，如果是全站 HTTPS 并且不考虑 HTTP 的话，可以加入 HSTS 告诉你的浏览器本网站全站加密，并且强制用 HTTPS 访问

add_header Strict-Transport-Security max-age=63072000; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff;

同时也可以单独开一个 Nginx 配置，把 HTTP 的访问请求都用 301 跳转到 HTTPS

server { listen80; listen [::]:80 ssl ipv6>on; server_name example.com; return301https://example.com$request_uri; }

四、可靠的第三方 SSL 签发机构

众所周知，前段时间某 NIC 机构爆出过针对 Google 域名的证书签发的丑闻，所以可见选择一家靠谱的第三方 SSL 签发机构是多么的重要。

目前一般市面上针对中小站长和企业的 SSL 证书颁发机构有：

StartSSL

Comodo / 子品牌 Positive SSL

GlobalSign / 子品牌 AlphaSSL

GeoTrust / 子品牌 RapidSSL

其中 Postivie SSL、AlphaSSL、RapidSSL 等都是子品牌，一般都是三级四级证书，所以你会需要增加 CA 证书链到你的 CRT 文件里。

以 Comodo Positive SSL 为例，需要串联 CA 证书，假设你的域名是 example.com

那么，串联的命令是

cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > example_com.signed.crt

在 Nginx 配置里使用 example_com.signed.crt 即可

如果是一般常见的 AplhaSSL 泛域名证书，他们是不会发给你 CA 证书链的，那么在你的 CRT 文件后面需要加入 AlphaSSL 的 CA 证书链

AlphaSSL Intermediate CA

五、针对企业的 EV SSL

EV SSL，是 Extended Validation 的简称，更注重于对企业网站的安全保护以及严格的认证。

最明显的区别就是，通常 EV SSL 显示都是绿色的条，比如本站的 SSL 证书就是 EV SSL。

如果贵公司想获取专业的 EV SSL，可以随时联系我们 info at cat dot net

六、本文参考文献

Apache + WordPress + SSL 完全指南

OpenSSL CSR Creation

NGINX - PhoenixWiki

转自：https://s.how/nginx-ssl/

以上就介绍了NGINX 配置 SSL 证书 + 搭建 HTTPS 网站教程，包括了方面的内容，希望对PHP教程有兴趣的朋友有所帮助。