How to configure nginx to support https
May 16, 2023, 03:49 PM

1. Introduction

The Hypertext Transfer Protocol (http) is used to transfer information between web browsers and website servers. http sends content in clear text and provides no encryption, so an attacker who intercepts the traffic between the web browser and the website server can read the information directly.

Therefore, http is not suitable for transmitting sensitive information such as credit card numbers, passwords and other payment details.

To address this defect of http, another protocol is needed: Secure Sockets Layer Hypertext Transfer Protocol, https. For the security of data transmission, https adds the SSL protocol on top of HTTP. SSL relies on certificates to verify the identity of the server and to encrypt the communication between the browser and the server.

2. Advantages of https

Although https is not absolutely secure (institutions that control a root certificate, or organizations that control the encryption algorithms, can still carry out man-in-the-middle attacks), it is still the most secure solution under the current architecture and has the following main benefits:

(1) https authenticates both users and servers, ensuring that data is sent to the correct client and server;

(2) https is a network protocol built from SSL plus http that can perform encrypted transmission and identity authentication. It is safer than http and prevents data from being stolen or altered in transit, ensuring the integrity of the data.

(3) https is the most secure solution under the current architecture. Although it is not absolutely secure, it greatly increases the cost of a man-in-the-middle attack.

(4) In August 2014 Google adjusted its search engine algorithm and stated that "compared with equivalent http websites, websites using https encryption will rank higher in search results."

3. Disadvantages of https

Although https has great advantages, it still has shortcomings:

(1) The https handshake phase is time-consuming; it extends page loading time by nearly 50% and increases power consumption by 10% to 20%;

(2) https connection caching is not as efficient as http, which increases data overhead and power consumption, and even existing security measures can be affected by this;

(3) SSL certificates cost money. The more powerful the certificate, the higher the cost. Personal websites and small websites usually have no need for one and will not use it.

(4) SSL certificates usually need to be bound to an IP address, and multiple domain names cannot be bound to the same IP; IPv4 address space cannot support this consumption.

(5) The encryption scope of https is also relatively limited; it has little effect against hacker attacks, denial-of-service attacks, server hijacking and so on. Most critically, the trust chain of SSL certificates is not secure: in particular, where some countries can control CA root certificates, man-in-the-middle attacks remain feasible.

4. Download certbot

Download it with git. If you have not installed git yet, install git first.


Change to the directory:

cd /usr/local

Clone the git repository:

git clone https://github.com/certbot/certbot.git

After cloning completes, the certbot directory will appear under /usr/local/.

5. View certbot

Switch to the certbot directory:

cd /usr/local/certbot

If the directory looks like the one in the screenshot, the installation succeeded.

certbot common commands

6. Install nginx

7. Apply for an https certificate

View the current certificates:

./certbot-auto certificates

The first execution installs some dependencies. There is a confirmation prompt partway through; enter y to start applying for the certificate (the certificate is valid for 3 months and must be applied for again when it expires).

Method 1: verify with the dns method. This method requires you to configure DNS records for the domain name; I personally prefer it.

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d <your domain name> --manual --preferred-challenges dns-01 certonly

For example:

Configure a wildcard domain name (the wildcard is quoted so the shell does not expand it as a file glob):

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d '*.nl166.com' --manual --preferred-challenges dns-01 certonly

Configure a specific domain name:

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d api.nl166.com --manual --preferred-challenges dns-01 certonly

Configure a second-level wildcard domain name:

./certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d '*.api.nl166.com' --manual --preferred-challenges dns-01 certonly

As shown in the screenshot above, the first time you run this you are asked to enter an email address. Enter it as prompted: an email will be sent to this address when the time comes, and you click it to confirm the address, so be sure to give a real email address. Then confirm as requested; if you do not confirm, execution will not proceed.

Next you are asked to verify the domain name: add a TXT record as instructed.

After saving the record, return to the server and confirm.

The two files shown above are the certificate files used to configure https.

Method 2: use the plugin method

Let's first look at what the official documentation says.

Here I use the nginx plugin (after the application completes it automatically restarts nginx for you). This method cannot configure wildcard domains; domains can only be added one at a time.

./certbot-auto --nginx -d api2.nl166.com

To resolve the error above, create the following symlinks (note: replace /usr/local/nginx with the actual installation path of your nginx):

ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

ln -s /usr/local/nginx/conf/ /etc/nginx

Run the application again.

Partway through it asks whether to redirect http traffic to https and remove http access. Choose according to your own needs; I chose c here to cancel (in fact this step can simply be ignored: in testing, the site was already reachable over https before this choice was made).

If you want to skip this question, add certonly. That mode only generates the certificate and does nothing else; the certificate configuration must then be added by hand, as follows:

./certbot-auto certonly --nginx -d api2.nl166.com

As shown in the screenshot above, if you have a server block listening on port 443, it automatically finds the configuration file for the corresponding domain and adds the two lines below. It also messed up my formatting (the indentation of the closing } no longer matches the opening {), but this does not affect functionality. I don't know whether it decides to add ssl on; based on the nginx version,

because my nginx version does not need it; lower versions need ssl on; to enable https access.

If there is no server block listening on port 443 for that domain, the information is added at the following location:

Other methods are left for you to explore on your own.

8. Configure nginx to support https

# https server
#
server {
    listen 443 ssl;
    server_name api2.nl166.com;
    root /data/web/im.nl166.com;

    location / {
        index index.php;
    }

    #auth_basic "hello world";
    #auth_basic_user_file /usr/local/nginx/conf/auth/nl166.auth;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_index index.php;
        # PHP-FPM expects the parameter name in upper case
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    # deny access to version-control metadata under the web root
    location ~ \.(svn|git|cvs) {
        deny all;
    }

    ssl_certificate /etc/letsencrypt/live/api2.nl166.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/api2.nl166.com/privkey.pem; # managed by Certbot
}

Lower versions need ssl on; added to enable https access.

9. Use a shell script and a scheduled task to renew the certificate periodically

Note: to avoid running into the rate limit on the number of operations, add the --dry-run parameter; once the command runs without errors, remove it and perform the real renew.

Renewal for method 1

The domain name is the ****.conf in the /etc/letsencrypt/renewal/ directory, where **** is the domain name you need to fill in. For example, I generated it as *.nl166.com, but the file that was actually generated has no * in its name.

Replace /home/certbot-sh/au.sh with your own script that updates DNS.

As follows:

./certbot-auto renew --cert-name nl166.com --manual-auth-hook /data/shell/crontab/auto_update_httpscert.sh --dry-run
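The script passed to --manual-auth-hook has to publish the dns-01 TXT record itself. The following is an added example of such a hook, not the article's own au.sh or auto_update_httpscert.sh; the DNS provider API call is a labelled placeholder, and the record name and value are taken from the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables that certbot exports to the hook.

```shell
#!/bin/sh
# Added example of a certbot --manual-auth-hook for dns-01 (not the
# article's own au.sh / auto_update_httpscert.sh). certbot runs it with
# CERTBOT_DOMAIN and CERTBOT_VALIDATION in the environment.
set -eu

# Name of the TXT record the CA will query: _acme-challenge.<domain>.
# A leading "*." is stripped if present, so a wildcard name maps to
# the same record as its base domain.
acme_txt_name() {
    domain="$1"
    case "$domain" in
        \*.*) domain="${domain#\*.}" ;;
    esac
    printf '_acme-challenge.%s\n' "$domain"
}

# dns-01 validation values are base64url text; refuse anything else
# before it is interpolated into a provider API request.
valid_token() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{20,}$'
}

# Placeholder for the provider-specific update (assumption: an HTTP API
# called with curl and a token in DNS_API_TOKEN); replace with your own.
publish_txt() {
    name="$1"; value="$2"
    echo "would publish TXT record $name = $value"
    # curl -fsS -H "Authorization: Bearer $DNS_API_TOKEN" ...  (provider specific)
}

if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    valid_token "$CERTBOT_VALIDATION" || { echo "unexpected validation token" >&2; exit 1; }
    publish_txt "$(acme_txt_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
    # Give the new record time to reach the authoritative name servers
    # before certbot asks the CA to validate.
    sleep "${DNS_PROPAGATION_SECONDS:-30}"
fi
```

The hook does nothing unless certbot has set the two variables, so it can be sourced or run by hand to check the record name it would publish.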


Put the renewal command into a file; mine is /data/shell/crontab/auto_update_httpscert.sh, with the following content (the original auto_update_httpscert.sh was moved to /data/shell/cnl_update_httpscert.sh):


Add a system scheduled task:

crontab -e

# renew the https certificate every Sunday at 5 am

0 5 * * 0 sh /data/shell/crontab/auto_update_httpscert.sh

Renewal for method 2, as follows:

./certbot-auto certonly --renew-by-default --nginx -d api2.nl166.com --dry-run

To add the system scheduled task, refer to method 1.
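As an added example (not the article's auto_update_httpscert.sh, whose contents were only in a screenshot), here is a cron-friendly renewal wrapper that does the --dry-run rehearsal the note above recommends before the real renew, reloads nginx only when a certificate was actually renewed, and reports certificates close to expiry by parsing the output of the `certbot certificates` command from section 7. The certbot-auto path, the RUN_RENEW switch and the sample output are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own script: rehearse renewal with
# --dry-run, renew for real, reload nginx only when something changed,
# and list certificates that are close to expiry.
set -eu

CERTBOT="${CERTBOT:-/usr/local/certbot/certbot-auto}"  # path used in the article

# Constructed sample of `certbot certificates` output, used to exercise
# the parser offline.
SAMPLE_CERTS='Found the following certs:
  Certificate Name: nl166.com
    Domains: *.nl166.com nl166.com
    Expiry Date: 2023-08-14 03:49:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/nl166.com/fullchain.pem
  Certificate Name: api2.nl166.com
    Domains: api2.nl166.com
    Expiry Date: 2023-05-28 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.nl166.com
    Domains: old.nl166.com
    Expiry Date: 2023-01-01 10:00:00+00:00 (INVALID: EXPIRED)'

# Read `certbot certificates` output on stdin and print "name days" for
# every certificate with fewer than $1 days left. INVALID entries
# (expired or test certs) and anything not in "N days" form print -1.
expiring_certs() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            days = -1
            if (match($0, /\(VALID: [0-9]+ day/))
                days = substr($0, RSTART + 8, RLENGTH - 12) + 0
            if (days < limit) print name, days
        }'
}

# A failing dry run (served by the staging environment, so it does not
# consume production rate limits) aborts before the real renewal.
# --deploy-hook runs only for certificates that were actually renewed.
renew_and_reload() {
    "$CERTBOT" renew --dry-run --quiet || { echo "dry run failed, not renewing" >&2; return 1; }
    "$CERTBOT" renew --quiet --deploy-hook 'nginx -t && nginx -s reload'
}

# Only act when invoked from cron with RUN_RENEW=1 (assumed convention).
if [ "${RUN_RENEW:-0}" = 1 ]; then
    "$CERTBOT" certificates 2>/dev/null | expiring_certs 30
    renew_and_reload
fi
```

Run it from the crontab line above with RUN_RENEW=1 set; without it, the script only defines the functions.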


Statement: this article is reproduced from 亿速云. If there is any infringement, please contact admin@php.cn to have it deleted.