How to configure HTTPS secure communication between Nginx server and iOS

王林
2023-05-28 23:12:45

Introduction

In network communications, packet capture software can be used to analyze network requests and perform replay attacks. The usual defense against replay attacks is a changing parameter, such as an RSA-encrypted timestamp. Because of network transmission delay, however, the timestamp needs a certain error tolerance, so this still cannot fundamentally prevent replay attacks. To address replay attacks better, consider communicating over HTTPS. HTTPS is a network protocol built from SSL plus HTTP that provides encrypted transmission and identity authentication, and it is more secure than HTTP.

Implementation

For websites accessed with a browser, you need to apply for a certificate from a CA so that HTTPS pages can be browsed normally; otherwise the browser will warn that the site is unsafe or uncertified. For the transmission of some back-end data, a self-signed certificate can be used.

Configuration of the server

1. Generate certificate

Perform the following operations on the server’s command line

① Generate the server's private key; you need to enter a password of 4~8191 characters

openssl genrsa -des3 -out server.key 2048

② Remove the password from the key file; you need to enter the password filled in at ①

openssl rsa -in server.key -out server.key

③ Generate the csr file. This step asks for a variety of information. You can press Enter to skip them all.

openssl req -new -key server.key -out server.csr

④ Generate the crt file. The value after -days in this step is the validity period; you can make it longer

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

⑤ Merge the crt and key into a pem, which is used later to generate the cer for client verification

cat server.crt server.key > server.pem

⑥ Use the pem to generate the cer; the cer file is stored on the client for verification

openssl x509 -in server.pem -outform der -out server.cer
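
A check worth running after step ⑥, as an added example that is not part of the original article: it confirms that server.cer carries the same public key as server.key (the key the client's public-key pinning compares against) and that no private key from server.pem ended up in the file shipped to the app. The function names are illustrative, and the script assumes the openssl command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example: verify the pinning material produced by steps ①-⑥.

# SHA-256 of the DER-encoded public key (SPKI) given as PEM text in $1.
spki_sha256() {
    [ -n "$1" ] || return 1          # extraction failed: never hash empty input
    printf '%s\n' "$1" | openssl pkey -pubin -outform der |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public key that belongs to a private key file (server.key).
spki_from_key() {
    spki_sha256 "$(openssl pkey -in "$1" -pubout 2>/dev/null)"
}

# Fingerprint of the public key inside a DER certificate (the client's server.cer).
spki_from_cer() {
    spki_sha256 "$(openssl x509 -inform der -in "$1" -pubkey -noout 2>/dev/null)"
}

# True when the file contains a PEM private key block, as server.pem does after step ⑤.
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Returns 0 only if the cer matches the key and carries no private key.
check_pin_material() {
    local key="$1" cer="$2" k c
    if has_private_key "$cer"; then
        echo "FAIL: $cer contains a private key, do not ship it"; return 1
    fi
    k=$(spki_from_key "$key")
    c=$(spki_from_cer "$cer")
    if [ -z "$k" ] || [ "$k" != "$c" ]; then
        echo "FAIL: $cer does not carry the public key of $key"; return 1
    fi
    echo "OK: public key sha256=$c"
}

# Usage: ./check_pin.sh server.key server.cer
if [ "$#" -eq 2 ]; then check_pin_material "$1" "$2"; fi
```

Only server.cer belongs in the app bundle; server.pem from step ⑤ contains the private key and must stay on the server.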

2. Modify the nginx configuration file

If you don’t know the path to the configuration file, use the following command to print it.

nginx -t

This command can be used to test whether the configuration file is correct and will also print out the path.

Following the printed path, open nginx.conf. It contains an http { ... } configuration block. Add a server block inside the http block.

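server {
    # 'ssl on;' is obsolete (removed in nginx 1.25.1); TLS is enabled on the listen directive
    listen 443 ssl;
    server_name localhost;

    # Configure the website root directory and the index file names and types

    index index.html index.htm index.php;
    root <fill in the website root directory here>;
    ssl_certificate <fill in the full path of the crt file server.crt here>;
    ssl_certificate_key <fill in the full path of the private key file server.key here>;

    # The following is the PHP configuration. Without it, PHP files cannot be parsed. This section was copied from nginx's configuration for HTTP on port 80; if it does not work, copy it from your own server's port 80 configuration.

    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }
    location ~ .*\.(js|css)?$
    {
        expires 1h;
    }

    # If you do not know what to fill in here, refer to the port 80 configuration

    include <path of nginx's conf directory>/rewrite/default.conf;
    access_log <path of the nginx server logs>/default.log;
}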

3. Update configuration

nginx -t # test whether the configuration file is correct
nginx -s reload # reload the configuration file

At this point, the server-side configuration is over.

Client configuration

With a certificate issued by a CA, you can make HTTPS requests directly. Ours is a self-signed certificate, so accessing the server directly reports an error. The following describes how to use AFN to configure HTTPS requests for a self-signed certificate.

1. Import the cer certificate mentioned above into the bundle of the app

Import server.cer into the bundle

2. Before using AFN to make a request, perform the following configuration

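#import <AFNetworking/AFNetworking.h>

// Pin the server's public key; the pinned certificate is the server.cer imported into the bundle
AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
// The self-signed certificate does not chain to a trusted CA, so invalid certificates must be allowed
policy.allowInvalidCertificates = YES;
AFHTTPSessionManager *manager = [AFHTTPSessionManager manager];
manager.securityPolicy = policy;
// From here on, use manager to make the HTTPS requests.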

Statement:
This article is reproduced from yisu.com. If there is any infringement, please contact admin@php.cn to have it deleted.