How to configure nginx SSL certificate to implement https service

Suppose my current node basic structure is as follows:

|----项目
| |--- static     # 存放html文件
| | |--- index.html  # index.html
| |--- node_modules  # 依赖包
| |--- app.js     # node 入口文件
| |--- package.json 
| |--- .babelrc    # 转换es6文件

index.html The file code is as follows:

<!doctype html>
<html>
<head>
 <meta charset=utf-8>
 <meta name="referrer" content="never">
 <title>nginx配置https</title>
</head>
<body>
 <div>
  <h2>欢迎使用https来访问页面</h2>
 </div>
</body>
</html>

app.js The code is as follows:

const koa = require('koa');
const fs = require('fs');
const path = require('path');
const router = require('koa-router')();
const koabody = require('koa-body');
const static = require('koa-static');

const app = new koa();

router.get('/', (ctx, next) => {
 // 设置头类型, 如果不设置，会直接下载该页面
 ctx.type = 'html';
 // 读取文件
 const pathurl = path.join(__dirname, '/static/index.html');
 ctx.body = fs.createreadstream(pathurl);
 next();
});

app.use(static(path.join(__dirname)));

app.use(router.routes());
app.use(router.allowedmethods());

app.listen(3001, () => {
 console.log('server is listen in 3001');
});

package.json The code is as follows ;

{
 "name": "uploadandload",
 "version": "1.0.0",
 "description": "",
 "main": "app.js",
 "scripts": {
  "dev": "nodemon ./app.js"
 },
 "author": "",
 "license": "isc",
 "dependencies": {
  "fs": "0.0.1-security",
  "koa": "^2.7.0",
  "koa-body": "^4.1.0",
  "koa-router": "^7.4.0",
  "koa-send": "^5.0.0",
  "koa-static": "^5.0.0",
  "nodemon": "^1.19.0",
  "path": "^0.12.7"
 }
}

Then after I execute npm run dev in the root directory of the project, I can access http://localhost:3001 in the browser, but if I want to use the domain name to access, we can Bind the domain name under the hosts file, for example, xxx.abc.com. The hosts file is bound as follows:

127.0.0.1 xxx.abc.com

So at this time we can access it by using http://xxx.abc.com:3001/ The page is as follows:

As shown above, we can access the page, but have we found that it is not safe to display http requests under the Chrome browser? , so at this time I want to use https to access, and the security of the web page is guaranteed. However, if I do nothing at this time and directly use https to access, it will not work. For example, the address: https:/ /xxx.abc.com:3001. As shown in the figure below:

We know that using https to access generally requires a security certificate, so our current The task is to use nginx to configure things like security certificates, and then use https to access the web page to achieve the goal.

nginx configuration https service

1. First enter the nginx directory and use the command: cd /usr/local/etc/nginx. Then create the cert folder in this directory to store the certificate file.
Use the command: mkdir cert as follows:

2. Then we need to copy the certificate-related files, such as server.crt and server.key files to the cert directory. For example, the following certificate file:

As for how the above certificate survives, please see my previous article

Move command: mv server.key /usr /local/etc/nginx/cert, for example, move the server.key and server.crt files to the /usr/local/etc/nginx/cert directory. As shown in the figure below:

Then we check the /usr/local/etc/nginx/cert directory. There are the following files, as shown below:

3. nginx configuration

nginx configuration needs to add the following code:

server {
 listen    443 ssl;
 server_name  xxx.abc.com;
 ssl on; // 该配置项需要去掉
 ssl_certificate   cert/server.crt;
 ssl_certificate_key cert/server.key;
 /*
  设置ssl/tls会话缓存的类型和大小。如果设置了这个参数一般是shared，buildin可能会参数内存碎片，默认是none，和off差不多，停用缓存。如shared:ssl:10m表示我所有的nginx工作进程共享ssl会话缓存，官网介绍说1m可以存放约4000个sessions。
 */
 ssl_session_cache  shared:ssl:1m;
 // 客户端可以重用会话缓存中ssl参数的过期时间，内网系统默认5分钟太短了，可以设成30m即30分钟甚至4h。
 ssl_session_timeout 5m;

 /*
  选择加密套件，不同的浏览器所支持的套件（和顺序）可能会不同。
  这里指定的是openssl库能够识别的写法，你可以通过 openssl -v cipher 'rc4:high:!anull:!md5'（后面是你所指定的套件加密算法） 来看所支持算法。
 */
 ssl_ciphers high:!anull:!md5;

 // 设置协商加密算法时，优先使用我们服务端的加密套件，而不是客户端浏览器的加密套件。
 ssl_prefer_server_ciphers on;

 location / {
  proxy_pass http://localhost:3001;
 }
}

Note: The above ssl on; this configuration item needs to be removed. If it is configured as above, I restart the nginx command and an error will be reported as follows:

ssl: error:06065064:digital envelope routines:evp_decryptfinal_ex:bad decrypt error :0906a065:pem routines:pem_do_header:bad decrypt similar to this error, and then search this error through Baidu, the following method can be solved:

Enter the directory: cd /usr/local/etc/nginx/ cert and then execute the following two lines of code:

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

As shown below:

You can see the page searched by Baidu

Then When I continued to restart nginx, I found that an error would still be reported. The error message was as follows:

nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead

Then continue to put ssl on; This configuration item can be removed. It may be related to the version of nginx

I recently upgraded to nginx 1.15. After reloading, all sites with ssl will be I reported this warning, checked a lot of information, and finally found a relevant English explanation on github: ( ) My English is not good, and it probably means that nginx 1.15 and later versions do not need to write ssl on; anymore.

Go to nginx.conf and delete ssl on; and then reload. Sure enough, there is no alarm again. There is no problem in current use.

I did understand it wrong. I should change ssl on to listen 443 ssl. This is correct.

Now I will continue to restart nginx and it will be ok, as shown below:

But after the above configuration, we cannot directly use the domain name https:// After visiting xxx.abc.com/, we also need to install the client.crt certificate we generated before in the browser. The steps under the mac system are as follows:

1. Click on the launcher as shown below. As follows:

2. Search for keychain access and click in, as shown below

3. Enter the certificate page and enter the Just drag the client.crt certificate into the certificate. For example, the client.crt certificate I generated before is as follows:

4. Right-click my certificate, Then click "Show Profile" to enter the certificate details page. As shown in the figure below:

5. After entering the page, when using the certificate, select Always Trust, as shown in the figure below:

6. Then exit. You may need to enter the computer power-on password. Once entered, it will be automatically saved. Then we can access the https://xxx.abc.com/ page in the browser. As shown below:

Then we click to continue visiting and you will see the page, as shown below:

The above is to use the nginx certificate to implement the local node https service.

However, although https can be accessed as above, unsafe copywriting is still displayed in front of https; as shown in the figure below:

The above is the detailed content of How to configure nginx SSL certificate to implement https service. For more information, please follow other related articles on the PHP Chinese website!