Home >Operation and Maintenance >Nginx >Nginx build https server instance analysis
Introduction to https
https (hypertext transfer protocol over secure socket layer) is an http channel targeting security. Simply put, it is a secure version of http. That is, an SSL layer is added under http. The security foundation of https is SSL, so the details of encryption require SSL.
It is a uri scheme (abstract identifier system), the syntax is similar to the http: system, and is used for secure http data transmission. The default port used by https is 443.
ssl certificate
Introduction to certificate types
To set up a secure server, use public Create a public-private key pair. In most cases, send the certificate request (including your own public key), your company credentials, and the fee to a Certificate Authority (ca).ca verifies the certificate request and your identity, then returns the certificate to your secure server .
But the intranet implements encryption of server-side and client-side transmission content. You can issue your own certificate and just ignore the browser distrust alert!
A certificate signed by a ca provides two important functions for your server:
The browser will automatically recognize the certificate and allow creation without prompting the user A secure connection
When a CA generates a signed certificate, it provides assurance of the identity of the organization that provides the web page to the browser.
Most web servers that support SSL have a list of CAs whose certificates will be automatically accepted. When a browser encounters a certificate whose authority ca is not in the list, the browser will ask the user whether to accept or reject the connection
Generate SSL Certificate
openssl genrsa -des3 -out wangzhengyi.key 2048
##openssl req -new -key wangzhengyi.key -out wangzhengyi.csrCreate a self-signed ca certificate
openssl req -new -x509 -days 3650 -key wangzhengyi_nopass.key -out wangzhengyi.crtBuild https virtual host
upstream sslfpm { server 127.0.0.1:9000 weight=10 max_fails=3 fail_timeout=20s; } server { listen 192.168.1.*:443; server_name 192.168.1.*; #为一个server开启ssl支持 ssl on; #为虚拟主机指定pem格式的证书文件 ssl_certificate /home/wangzhengyi/ssl/wangzhengyi.crt; #为虚拟主机指定私钥文件 ssl_certificate_key /home/wangzhengyi/ssl/wangzhengyi_nopass.key; #客户端能够重复使用存储在缓存中的会话参数时间 ssl_session_timeout 5m; #指定使用的ssl协议 ssl_protocols sslv3 tlsv1; #指定许可的密码描述 ssl_ciphers all:!adh:!export56:rc4+rsa:+high:+medium:+low:+sslv2:+exp; #sslv3和tlsv1协议的服务器密码需求优先级高于客户端密码 ssl_prefer_server_ciphers on; location / { root /home/wangzhengyi/ssl/; autoindex on; autoindex_exact_size off; autoindex_localtime on; } # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; error_page 404 /404.html; location = /50x.html { root /usr/share/nginx/www; } location = /404.html { root /usr/share/nginx/www; } # proxy the php scripts to fpm location ~ \.php$ { access_log /var/log/nginx/ssl/ssl.access.log main; error_log /var/log/nginx/ssl/ssl.error.log; root /home/wangzhengyi/ssl/; fastcgi_param https on; include /etc/nginx/fastcgi_params; fastcgi_pass sslfpm; } }
The above is the detailed content of Nginx build https server instance analysis. For more information, please follow other related articles on the PHP Chinese website!