[python][nginx][https] Nginx server SSL certificate installation and deployment



Preface

The pictures in this blog are served from my own image-hosting server (Tencent Cloud + Python + my own domain name). Because it used plain http, browsers block the pictures as insecure links, so I set out to switch it over to https without changing the existing links. This article records the steps.


1. Applying for a certificate

Tencent Cloud provides a free 1-year certificate:
https://console.cloud.tencent.com/ssl

Above are the two certificates I applied for.
Note: because it is a one-year free certificate, each secondary domain name needs its own certificate. The first time I applied only for the primary domain name, and found that it could not be used!!!


2. Installing and deploying the SSL certificate on the Nginx server

The SSL certificate applied for above uses the international encryption standard, and it is going to be deployed on an Nginx server. The reference is: https://cloud.tencent.com/document/product/400/35244

2.1 Preparing the Nginx environment

The blogger's server runs Ubuntu, whose packaged nginx version is too old, so nginx has to be compiled and installed by hand:

1) Completely uninstall the original nginx: sudo apt-get autoremove nginx
2) Download, compile and install:

wget http://nginx.org/download/nginx-1.18.0.tar.gz
wget http://downloads.sourceforge.net/project/pcre/pcre/8.35/pcre-8.35.tar.gz

# Install the zlib and openssl development packages (and a compiler, if not already installed)
sudo apt-get install zlib1g-dev
sudo apt-get install openssl
sudo apt-get install libssl-dev

# Install PCRE (needed by nginx for regular expressions in location/rewrite rules)
tar zxvf pcre-8.35.tar.gz
cd pcre-8.35
sudo ./configure
sudo make
sudo make install

# Install nginx; --with-http_ssl_module is required for https
tar zxvf nginx-1.18.0.tar.gz
cd nginx-1.18.0
sudo ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
sudo make
sudo make install

Note:

  • The old nginx must be completely removed first.
  • The nginx configure options must include --with-http_ssl_module, otherwise SSL cannot be used (./sbin/nginx -t reports an error; see reference link [7]).
  • ./configure: error: SSL modules require the OpenSSL library means libssl-dev needs to be installed (see reference link [10], "Error compiling nginx on Ubuntu: solution").

3) Create an nginx symbolic link

After installation, create a symbolic link to nginx in /usr/bin so that it is on the PATH:

sudo ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

2.2 Certificate deployment

Reference: https://cloud.tencent.com/document/product/400/35244

1) In the SSL certificate management console, select the certificate you need to install and click Download.
2) Send the downloaded archive to the remote server with scp or a similar tool. After decompression:

➜  tuchuang.beautifulzzzz.com_nginx tree
.
├── tuchuang.beautifulzzzz.com_bundle.crt Certificate file
├── tuchuang.beautifulzzzz.com_bundle.pem Certificate file (this file can be ignored)
├── tuchuang.beautifulzzzz.com.csr CSR file 
└── tuchuang.beautifulzzzz.com.key Private key file

3) Copy the .crt and .key files into the nginx conf directory:

cd /usr/local/nginx/conf
mv ~/Download/tuchuang.beautifulzzzz.com_nginx/tuchuang.beautifulzzzz.com.key  ./
mv ~/Download/tuchuang.beautifulzzzz.com_nginx/tuchuang.beautifulzzzz.com_bundle.crt  ./
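Before wiring these two files into nginx.conf it is worth checking them, because a key that does not match the certificate, a certificate that does not cover the server_name (the problem noted in section 1), a certificate close to its one-year expiry, or a private key left world-readable after being copied out of ~/Download are the usual causes of a failed nginx -t or a quietly exposed key. The following POSIX shell script is an added example and is not part of the original post; it needs only the openssl command-line tool, generates a throwaway self-signed certificate for the constructed placeholder name tuchuang.example.test so that it runs offline, and the function names cert_key_match, cert_valid_for_days, cert_covers_name, key_perms_ok and preflight are my own. To use it on the real files, call preflight with tuchuang.beautifulzzzz.com_bundle.crt, tuchuang.beautifulzzzz.com.key and the server_name.

```shell
#!/bin/sh
# Added example, not from the original post: pre-deployment checks for a
# certificate bundle and its private key before nginx is pointed at them.
# Requires the openssl command-line tool. Function names are my own.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- Constructed fixtures (stand-ins for the files downloaded from Tencent) ---
# A self-signed certificate for the placeholder name tuchuang.example.test,
# valid 90 days, plus an unrelated key to demonstrate the mismatch case.
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = tuchuang.example.test
[ext]
subjectAltName = DNS:tuchuang.example.test, DNS:www.tuchuang.example.test
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$WORK/san.cnf" \
    -keyout "$WORK/site.key" -out "$WORK/site_bundle.crt" >/dev/null 2>&1
openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
chmod 600 "$WORK/site.key"
chmod 644 "$WORK/other.key"   # deliberately too open, as a file copied from ~/Download often is

# 1. The private key must belong to the first (leaf) certificate in the bundle;
#    otherwise nginx -t fails with "key values mismatch". Compare the public keys.
cert_key_match() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# 2. Is the certificate still valid $2 days from now? The free certificate
#    lasts one year, so this is the check worth running from cron.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 3. Does the Subject Alternative Name list the server_name nginx will answer
#    for? A certificate issued for the primary domain only does not cover a
#    subdomain such as tuchuang.*, which is the issue noted in section 1.
cert_covers_name() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr -d ' ' | tr ',' '\n' \
        | grep -qx "DNS:$2"
}

# 4. The private key must be readable only by its owner.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Run all four checks. Usage: preflight bundle.crt site.key server_name
preflight() {
    cert_key_match "$1" "$2"    || { echo "FAIL: $2 does not match $1"; return 1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: $1 expires within 30 days"; return 1; }
    cert_covers_name "$1" "$3"  || { echo "FAIL: $1 does not cover $3"; return 1; }
    key_perms_ok "$2"           || { echo "FAIL: $2 is readable by other users"; return 1; }
    echo "OK: $1 and $2 are ready for $3"
}

# Demonstration on the fixtures: the first call passes, the second fails
# (wrong key for the certificate, and too-open permissions).
preflight "$WORK/site_bundle.crt" "$WORK/site.key"  tuchuang.example.test || true
preflight "$WORK/site_bundle.crt" "$WORK/other.key" tuchuang.example.test || true
```

The key check compares SHA-256 hashes of the public key extracted from the certificate and from the private key, which works for RSA and ECC alike; the expiry check uses openssl's own -checkend so no date parsing is needed.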

2.3 Nginx configuration

Edit the configuration file from the command line with vim /usr/local/nginx/conf/nginx.conf:

server {
    # The SSL access port number is 3000
    listen 3000 ssl;
    # Fill in the domain name bound to the certificate
    server_name tuchuang.beautifulzzzz.com;
    # Certificate file name
    ssl_certificate tuchuang.beautifulzzzz.com_bundle.crt;
    # Private key file name
    ssl_certificate_key tuchuang.beautifulzzzz.com.key;
    ssl_session_timeout 5m;
    # Configure the protocols as follows
    ssl_protocols TLSv1.2 TLSv1.3;
    # Configure the cipher suites as follows; the syntax follows the openssl standard
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    # nginx port remapping can be written as follows:
    # a request to https://tuchuang.beautifulzzzz.com:3000 is proxied to http://127.0.0.1:8000
    location / {
        proxy_pass  http://127.0.0.1:8000;
    }

    # If you do not need nginx port remapping, write the location like this instead:
    #location / {
    #    # Path to the website's home directory. This path is for reference only;
    #    # use the actual directory, e.g. if the site runs under /etc/www, fill in /etc/www.
    #    root html;
    #    index  index.html index.htm;
    #}
}

Because the existing links to my image-host pictures are http and I don't want to change them, the switch can be done with an nginx redirect:

server {
    listen 3000;
    # Fill in the domain name bound to the certificate
    server_name tuchuang.beautifulzzzz.com;

    # Redirect the http request for this domain to https
    rewrite ^(.*)$  https://$host$1 permanent;
    # Alternative form of the same redirect:
    #return 301 https://$host$request_uri;
}

In this way, every browser request to http://tuchuang.beautifulzzzz.com:3000 is automatically redirected to https://tuchuang.beautifulzzzz.com:3000, and with the help of the configuration above it finally reaches http://127.0.0.1:8000.


Finally, verify that the configuration file has no errors by running the following command in the Nginx root directory (/usr/local/nginx):

./sbin/nginx -t

Once it reports no problem, run the following command to reload nginx (if an nginx.pid error is reported, see reference link [8]):

nginx -s reload

Note: it seems that markdown and curl cannot automatically convert http to https.


3. Finally

If, when this post is published, the pictures show in the browser without a warning, the steps above have succeeded!

In fact there is one more small job: updating the script that uploads pictures:

➜  Pictures cat run.sh 
#!/bin/bash

# Upload the picture to the image host over https; the API answers with JSON.
# The original listing had an empty file name after "@"; the script's first
# argument ($1) is assumed here to be the file to upload. "password" is the API token.
ret=`curl https://tuchuang.beautifulzzzz.com:3000/api/v1/upimg -F "file=@$1" -H "token: password" -v`

# Keep a running count of uploaded pictures in tuchuang.log
cnt=1
if [ ! -f "tuchuang.log" ]; then
    echo $cnt > tuchuang.log
else
    cnt=`cat tuchuang.log`
    cnt=$((cnt+1))
    echo $cnt > tuchuang.log
fi

echo ""
echo "$ret" | jq .

# Extract the stored path from the JSON (-r strips the quotes) and print the markdown reference link
param=`echo "$ret" | jq -r .data.path`
echo "[p$cnt]:https://tuchuang.beautifulzzzz.com:3000/?path=$param"

Reference links

[1]. How to select an SSL certificate installation/deployment type?
[2]. Nginx server SSL certificate installation and deployment (RSA)
[3]. How does the server open port 443? -> Add a security group rule
[4]. Is an SSL certificate a domain name certificate?
[5]. Deploying Nginx on CentOS 7 to implement https and http redirection (part 1)
[6]. Installing nginx 1.18.0 on ubuntu 18.04 - installation notes
[7]. nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module
[8]. Fixing nginx: [error] open() "/usr/local/nginx/logs/nginx.pid" failed (2: No such file or directory)
[9]. Let your website support HTTPS for free, and Nginx smooth upgrade
[10]. Error compiling nginx on Ubuntu: solution
[11]. Self-built image hosting server


To be updated progressively.

Added by vidhu on Mon, 07 Mar 2022 03:15:20 +0200