Configuring HTTPS access in nginx

01. HTTP and HTTPS

HTTP (HyperText Transfer Protocol) is an application layer protocol for distributed, collaborative and hypermedia information systems. In short, it is a method of publishing and receiving HTML pages, which is used to transfer information between Web browsers and Web servers.

HTTPS (Hypertext Transfer Protocol Secure) is a protocol for secure communication over a computer network. HTTPS still speaks HTTP, but uses SSL/TLS to encrypt the data packets. The main purpose of HTTPS is to authenticate the website server and to protect the privacy and integrity of the data exchanged.

The HTTP protocol sends content in clear text without any encryption. An attacker who intercepts the traffic between the Web browser and the website server can read the information directly. HTTP is therefore not suitable for transmitting sensitive information such as credit card numbers, passwords and other payment information.

02. HTTPS usage scenarios

1: Security of website data transmission

2: Projects developed with separate front end and back end, such as WeChat mini programs and other mobile applications, require the server interface to be HTTPS. When a WeChat mini program is published as a real project, it cannot pass if its interfaces are not HTTPS.

03. Prerequisites for configuring HTTPS

1. You must have a registered domain name
2. You must have a server (with a public IP)
3. The domain name must resolve to the server
4. Get an SSL certificate
5. Authorize the certificate and install it into nginx

04. Domain name resolution

Before this step, you need to complete the website filing with the Ministry of Industry and Information Technology. Note: where you file depends on your server vendor. You can file through the company the server was purchased from; consult their customer service for details.




Note: if your domain name vendor is not the same as your server vendor, you need to modify the DNS server address at the domain name vendor (depending on the situation) as follows:

05. Apply for an SSL certificate

Search for SSL in the search bar

Apply for a free certificate and enter the domain name

Create certificate


Download certificate

Unzip certificate

06. Installing nginx

1. Create installation directory

mkdir -p /www/server/nginx
cd /www/server/nginx

2. Download nginx

wget https://nginx.org/download/nginx-1.20.1.tar.gz

3. Install build dependencies

yum -y install make zlib zlib-devel pcre pcre-devel gcc-c++ libtool openssl openssl-devel

4. Unzip nginx

tar -zxvf nginx-1.20.1.tar.gz

5. Create temporary directory

mkdir -p /var/temp/nginx

6. Enter the source directory and run configure

cd nginx-1.20.1
./configure \
--prefix=/usr/local/nginx \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-http_gzip_static_module \
--http-client-body-temp-path=/var/temp/nginx/client \
--http-proxy-temp-path=/var/temp/nginx/proxy \
--http-fastcgi-temp-path=/var/temp/nginx/fastcgi \
--http-uwsgi-temp-path=/var/temp/nginx/uwsgi \
--http-scgi-temp-path=/var/temp/nginx/scgi \
--with-http_stub_status_module \
--with-http_ssl_module

7. Compile and install

make && make install

8. Enter sbin directory and start nginx

cd /usr/local/nginx/sbin
# Start nginx
./nginx
# Stop nginx
./nginx -s stop
# Reload the configuration
./nginx -s reload

9. Configure nginx environment variables

vim /etc/profile

Add at the end of the file

export NGINX_HOME=/usr/local/nginx
export PATH=$NGINX_HOME/sbin:$PATH

Reload the profile so the change takes effect

source /etc/profile

If you installed nginx through the Pagoda panel, you do not need to follow the steps above, but installing through Pagoda is not recommended.

07. Upload the SSL certificate

Create a new cert directory under nginx's conf directory, and upload the two files (the certificate .pem file and the .key file) to the cert directory.

08. Configure SSL

# Turn on gzip compression
gzip on;
gzip_min_length 10k;
gzip_buffers 4 16k;
#gzip_http_version 1.0;
gzip_comp_level 2;
gzip_types text/plain application/x-javascript text/css application/xml text/javascript image/jpeg image/gif image/png image/jpg;
gzip_vary off;
gzip_disable "MSIE [1-6]\.";

# tomcat service
upstream tomcatservers {
   server 127.0.0.1:8080;
   server 127.0.0.1:8081;
}

server {
    listen 80;
    server_name www.qdwork.top; # Replace with the domain name bound to the certificate.
    rewrite ^(.*)$ https://$host$1; # Redirect all HTTP requests to HTTPS through the rewrite directive.
    location / {
        proxy_pass http://tomcatservers;
    }
}


# In the server block below, the directives starting with ssl_ configure the certificate.
server {
    listen 443 ssl;
    # The default HTTPS port is 443.
    # If the default HTTPS port is not configured here, nginx may not start.
    # With nginx 1.15.0 and above, use "listen 443 ssl" instead of "listen 443" plus "ssl on".
    server_name www.qdwork.top; # Replace with the domain name bound to the certificate.
    root html;
    index index.html index.htm;
    ssl_certificate cert/6179501_www.qdwork.top.pem;  # Replace with the name of the uploaded certificate file.
    ssl_certificate_key cert/6179501_www.qdwork.top.key; # Replace with the name of the uploaded certificate key file.
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # The cipher suites to use.
    ssl_protocols TLSv1.2 TLSv1.3; # The TLS protocol versions to accept; TLS 1.0 and 1.1 are deprecated (RFC 8996) and left out.
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://tomcatservers;
    }
}
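
To check a configuration like the one above before restarting nginx, the following script (an added example, not part of the original article) lints the TLS directives discussed here: the `ssl_protocols` list, the legacy `ssl on;` form, and the permissions of the uploaded key file. The function name `audit_tls_conf`, the finding labels and the sample files are constructed for illustration.

```shell
# Added example (not from the original page): lint nginx TLS directives.
# audit_tls_conf CONF PREFIX prints one finding per line; no output = clean.
# PREFIX is the directory that relative paths such as cert/x.key resolve against.
audit_tls_conf() (
  conf=$1; prefix=$2
  body=$(sed 's/#.*//' "$conf")   # drop comments before matching

  # Deprecated protocol versions (RFC 8996 retired TLS 1.0 and 1.1).
  for p in $(printf '%s\n' "$body" |
      sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\(.*\);.*/\1/p'); do
    case $p in
      SSLv2|SSLv3|TLSv1|TLSv1.1) echo "deprecated-protocol $p" ;;
    esac
  done

  # Legacy "ssl on;" and a 443 listener without the ssl flag.
  printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' &&
    echo "legacy-ssl-on"
  printf '%s\n' "$body" |
    grep -E '^[[:space:]]*listen[[:space:]]+([^;]*:)?443([[:space:]][^;]*)?;' |
    grep -Eqv '[[:space:]]ssl[[:space:];]' && echo "listen-443-without-ssl"

  # The private key must carry no group/other permission bits.
  printf '%s\n' "$body" |
    sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]*\([^;]*\);.*/\1/p' |
    while read -r key; do
      case $key in /*) ;; *) key=$prefix/$key ;; esac
      if [ ! -f "$key" ]; then echo "key-missing $key"
      elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "key-permissions $key"
      fi
    done
  true
)

# Constructed sample (not from the page): an empty key file and a weak config.
demo=$(mktemp -d)
mkdir "$demo/cert"
: > "$demo/cert/example.key"; chmod 644 "$demo/cert/example.key"
cat > "$demo/weak.conf" <<'EOF'
server {
    listen 443;
    ssl on;
    ssl_certificate_key cert/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # legacy list
}
EOF
audit_tls_conf "$demo/weak.conf" "$demo"
```

For the install described on this page the call would be `audit_tls_conf /usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf`; a key flagged with `key-permissions` is fixed with `chmod 600` on the key file.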

Restart nginx service

Note: if nginx was installed through the Pagoda panel, port 443 needs to be opened on the Pagoda panel. Once HTTPS is configured for the website, JavaScript on its pages can no longer load resources from HTTP services, because browsers block such mixed content.

Keywords: Nginx http https

Added by tomm098 on Mon, 27 Dec 2021 21:03:22 +0200