NGINX Configuring SSL Certificate + Building HTTPS Website Tutorial
1. What is HTTPS?
According to Wikipedia’s explanation:
HTTPS is currently the first choice for every website that cares about privacy and security. As technology has advanced, HTTPS websites are no longer the preserve of large sites: any ordinary personal webmaster or blogger can build a secure, encrypted website on their own.
If a website is not encrypted, all of your account passwords are transmitted in clear text. It is easy to imagine how dangerous unencrypted transmission is where privacy and money are involved.
Since the readers of this blog are mostly professionals or close to it, let's get straight to the topic without further ado.
2. Use OpenSSL to generate SSL Key and CSR
Only a certificate from a CA trusted by the browser or operating system lets all visitors reach your encrypted website without a certificate error prompt, so let's skip the self-signed certificate step and go straight to a certificate signed by a trusted third-party CA.
OpenSSL is installed by default on common systems such as Linux and OS X. Because of past security issues, most third-party SSL certificate issuers now require at least a 2048-bit RSA private key.
There are also two forms of ordinary SSL certificate validation: DV (Domain Validated) and OV (Organization Validated). The former only verifies the domain name; the latter also verifies your organization or company. In terms of assurance, the latter is definitely stronger.
Whether you use DV or OV to generate a private key, you need to fill in some basic information. Here we assume the following:
Domain name, also called the Common Name (for special certificates the Common Name is not necessarily a domain name):
Organization or company name (Organization):
Department (Organizational Unit): you can leave it blank; here we write
City (Locality):
Province (State / Province):
Country:
Encryption strength: 2048 bits, if your machine has strong performance, you can also choose 4096 bits
With the information above, the OpenSSL commands to generate the key and CSR are as follows
PS: For a wildcard (pan-domain) certificate, you should fill in
You can run this command from any directory on the system, and it will automatically generate
Next you can check
This CSR file is what you submit to the SSL certification authority. Once your domain name or organization passes verification, the certification authority will issue you an
and
3. Configure the Nginx HTTPS website and add security configuration
As mentioned earlier, you need to submit a CSR file to a third-party SSL certification authority. After the validation passes, they will issue you a CRT file, which we named
For consistency, you can also move all three files to
Then you can modify the Nginx configuration file
After checking that the configuration file is fine, reload Nginx and you are done
However, this alone is not secure: the default is the SHA-1 form, and current mainstream solutions should all avoid SHA-1. To ensure stronger security, we can adopt the Diffie-Hellman key exchange
First, enter
After generation completes, add the following after the SSL configuration in Nginx
If the whole site is HTTPS and HTTP is not a concern, you can also add HSTS to tell the browser that this entire site is encrypted and to force access over HTTPS
You can also add a separate Nginx configuration that redirects all HTTP requests to HTTPS with a 301
4. Reliable third-party SSL issuing authorities
As is well known, a certain NIC organization was exposed a while ago in a scandal over certificates issued for Google domain names, which shows how important it is to choose a reliable third-party SSL issuer.
The SSL certificate authorities currently on the market for small and medium webmasters and enterprises include:
StartSSL
Comodo / sub-brand Positive SSL
GlobalSign / sub-brand AlphaSSL
GeoTrust / sub-brand RapidSSL
Positive SSL, AlphaSSL, RapidSSL and the like are sub-brands and usually issue third- or fourth-level certificates, so you will need to append the CA certificate chain to your CRT file.
Take Comodo Positive SSL as an example: the CA certificates need to be concatenated. Assuming your domain name is
then the concatenation command is
Use example_com.signed.crt in the Nginx configuration.
For the common AlphaSSL wildcard certificate, they will not send you the CA certificate chain, so you need to append AlphaSSL's CA certificate chain after your CRT file
AlphaSSL Intermediate CA
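The steps the tutorial describes in sections 2 to 4 (key and CSR generation, DH parameters, chaining a sub-brand certificate with its intermediate CA, and the Nginx SSL block with HSTS and the 301 redirect) as one added shell example; this is not code from the original article, and the paths, subject fields and placeholder certificate contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. File names, the subject
# fields and the certificate contents below are assumptions/placeholders.
set -eu

# Section 2: 2048-bit RSA key plus CSR, non-interactive. For a wildcard
# ("pan-domain") certificate pass "*.example.com" as the domain.
gen_key_csr() {  # gen_key_csr <domain> <outdir>
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$2/$1.key" -out "$2/$1.csr" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Inc/OU=IT/CN=$1"
}

# Section 3: Diffie-Hellman parameters for the ssl_dhparam directive.
gen_dhparam() { openssl dhparam -out "$1" 2048; }   # gen_dhparam <out.pem>

# Section 4: sub-brand certificates need the CA chain appended. Order matters:
# the server certificate comes first, then the intermediate CA(s).
chain_cert() {  # chain_cert <out.crt> <server.crt> <intermediate.crt>...
  out=$1; shift
  cat "$@" > "$out"
}

# Number of PEM certificates in a bundle; a chained file must hold more than one.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Section 3: Nginx server blocks with the chained cert, DH params, HSTS and a
# 301 redirect of plain HTTP to HTTPS. Paths are assumptions.
nginx_ssl_conf() {  # nginx_ssl_conf <domain> <ssl-dir>
  cat <<EOF
server { listen 80; server_name $1; return 301 https://\$host\$request_uri; }
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     $2/$1.signed.crt;
    ssl_certificate_key $2/$1.key;
    ssl_dhparam         $2/dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
EOF
}

# Demo with constructed placeholder "certificates" (not real PEM data), so it
# runs offline; the openssl steps above need a real CSR/CA workflow.
work=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SERVER-PLACEHOLDER' '-----END CERTIFICATE-----' > "$work/server.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' '-----END CERTIFICATE-----' > "$work/intermediate.crt"
chain_cert "$work/example_com.signed.crt" "$work/server.crt" "$work/intermediate.crt"
echo "certificates in chain: $(count_certs "$work/example_com.signed.crt")"   # 2
nginx_ssl_conf example.com /etc/nginx/ssl
```

Run `nginx -t` after installing the generated block, and check the served chain order with a TLS client before relying on it.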
5. EV SSL for enterprises
EV SSL, short for Extended Validation, focuses more on the security protection of enterprise websites and on strict authentication.
The most obvious difference is that an EV SSL certificate is usually displayed as a green bar; for example, this site's SSL certificate is an EV SSL.
If your company wants to obtain a professional EV SSL, you can contact us at any time: info at cat dot net
Reposted from: https://s.how/nginx-ssl/