Configuring HTTPS on Nginx with an SSL certificate

Little bird's personal blog has been officially launched and opened to the public.

Blog address: The big dream of a small vegetable bird

Everyone is welcome to follow my official account, where posts will also be displayed.

Preface

Recently, I have been working on my own blog website. The local environment has always used HTTP, but keeping HTTP access after publishing to my personal server online seemed a bit unreasonable.

In addition, the blog is built on the Hexo framework + Butterfly theme + a blog back-end management service (self-developed to make managing the blog easier). This involves my own back-end services and server-side database, as well as Alibaba Cloud OSS object storage. Considering this, I still intend to install an SSL certificate and expose the site over HTTPS (honestly, the most common worry is that friends who are not programmers will leave as soon as they see an "insecure" link, which would be a pity). After all, I am a programmer myself; how could I tolerate this situation.

Although I haven't done anything with Nginx before, that is not a problem. There is only one saying: "there is nothing I can't do, only things I don't want to do".

The environment used is as follows:

Server: Tencent Cloud lightweight application server (1 GB RAM, 2 cores)
CentOS: 7.6
Nginx: 1.8.0

Applying for a certificate

Tencent Cloud DNS resolution is used here. First apply for a personal domain name and add it to DNS resolution.

Click the domain name to open its record list page and add a DNS resolution record:

After adding it, go to the DNSPod console at the top of the page, apply for an SSL certificate, and select the record value just added, as shown in the figure:

After the application is submitted, wait for approval in the background; once approved, you will receive an email notification. Below is the domain name for which I applied for an SSL certificate:

Download the SSL certificate for the domain name. After decompression, the files in the Nginx folder are the certificate files we need:

Configuring the SSL certificate in Nginx

Nginx is assumed to be already installed and deployed on the server. Upload the two files above to the server; the directory is arbitrary. To make management easier, I put the certificate files in a cert folder under the Nginx conf directory.

Configure the HTTPS server block in nginx.conf:

  • Nginx static file access configuration
server {
    listen       443;
    server_name  www.lynsite.cn;
    ssl on; # Enable SSL (deprecated since Nginx 1.15.0 and removed in 1.25.1; on newer versions use "listen 443 ssl;" instead)

    ssl_certificate     cert/1_www.lynsite.cn_bundle.crt; # Certificate (chain) path
    ssl_certificate_key cert/2_www.lynsite.cn.key; # Private key path

    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # Cipher suites offered to clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLS versions accepted; TLSv1 and TLSv1.1 are deprecated (RFC 8996), prefer "TLSv1.2 TLSv1.3" where the OpenSSL build supports it
    ssl_prefer_server_ciphers on;
    #charset koi8-r;
    access_log logs/ssl-blog-web.access.log;
    error_log logs/ssl-blog-web-error.log;

    # Blog front page
    location / {
        root   /var/www/html/<your-static-resource-directory>; # Replace with the static resource directory you want to serve
        index  index.html index.htm;
    }
}
  • API service configuration

    The proxy_pass http://blog-test; directive forwards requests to a proxied service, so an additional upstream block is required:

upstream blog-test {
    server localhost:1234 max_fails=3 fail_timeout=30s; # Maximum number of failed attempts and the time window in which they are counted
}

server {
    listen       443;
    server_name  test.lynsite.cn;
    ssl on; # Enable SSL (deprecated since Nginx 1.15.0 and removed in 1.25.1; on newer versions use "listen 443 ssl;" instead)

    ssl_certificate     cert/1_test.lynsite.cn_bundle.crt; # Certificate (chain) path
    ssl_certificate_key cert/2_test.lynsite.cn.key; # Private key path

    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # Cipher suites offered to clients
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLS versions accepted; TLSv1 and TLSv1.1 are deprecated (RFC 8996), prefer "TLSv1.2 TLSv1.3" where the OpenSSL build supports it
    ssl_prefer_server_ciphers on;
    #charset koi8-r;

    access_log logs/ssl-blog-test-access.log;
    error_log logs/ssl-blog-test-error.log;

    # Blog back-end management service
    location / {
        # Debugging aids: these two headers reveal the upstream address and status to every client, so remove them once the proxy works
        add_header backendIP $upstream_addr;
        add_header backendCode $upstream_status;
        proxy_pass http://blog-test;
        #proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 600;
        proxy_buffer_size 256k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        proxy_temp_file_write_size 256k;
        proxy_next_upstream error timeout invalid_header http_500 http_503 http_404; # Try the next upstream server on these failures
        proxy_max_temp_file_size 128m;
        #proxy_cache mycache;
        #proxy_cache_valid 200 302 60m;
        #proxy_cache_valid 404 1m;
    }
}
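The two server blocks above carry three settings a defender would tighten before exposing a site: the deprecated ssl on; directive, TLS 1.0/1.1 in ssl_protocols, and the add_header lines that publish the upstream address to clients. The following is an added example, not part of the original post or of Nginx itself: a small POSIX shell lint that scans a config file for exactly those three points and reports them, run here against two constructed sample configs (the domain and file names in them are placeholders).

```shell
#!/bin/sh
# Added example (not from the original post): lint an Nginx config for the
# TLS settings discussed above. The two sample configs are constructed for
# this example; domain and file names are placeholders.

# Constructed sample mirroring the weak points of the blocks above.
write_weak_config() {
    cat > "$1" <<'EOF'
server {
    listen       443;
    server_name  test.example.invalid;
    ssl on;
    ssl_certificate     cert/example_bundle.crt;
    ssl_certificate_key cert/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        add_header backendIP $upstream_addr;
        proxy_pass http://blog-test;
    }
}
EOF
}

# Constructed sample with the same block hardened.
write_hardened_config() {
    cat > "$1" <<'EOF'
server {
    listen       443 ssl;
    server_name  test.example.invalid;
    ssl_certificate     cert/example_bundle.crt;
    ssl_certificate_key cert/example.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://blog-test;
    }
}
EOF
}

# Lint one config file: print each finding, return the number of findings.
tls_lint() {
    conf="$1"
    count=0
    # 'ssl on;' is deprecated since Nginx 1.15.0 and removed in 1.25.1;
    # the replacement is the 'ssl' parameter on 'listen'.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "deprecated 'ssl on;' (use 'listen 443 ssl;')"
        count=$((count + 1))
    fi
    # TLS 1.0 and 1.1 are deprecated by RFC 8996; keep only 1.2 and 1.3.
    if grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$conf" \
        | grep -Eq 'TLSv1(\.1)?([[:space:]]|;)'; then
        echo "ssl_protocols allows TLSv1/TLSv1.1 (use 'TLSv1.2 TLSv1.3')"
        count=$((count + 1))
    fi
    # add_header with $upstream_addr sends the backend's address to every client.
    if grep -Eq '^[[:space:]]*add_header[[:space:]].*\$upstream_addr' "$conf"; then
        echo "add_header leaks \$upstream_addr to clients (keep it for debugging only)"
        count=$((count + 1))
    fi
    return "$count"
}

# Demo: lint both constructed configs.
demo() {
    weak=$(mktemp); hard=$(mktemp)
    write_weak_config "$weak"; write_hardened_config "$hard"
    echo "== weak =="; tls_lint "$weak" && echo "no findings" || echo "findings: $?"
    echo "== hardened =="; tls_lint "$hard" && echo "no findings" || echo "findings: $?"
    rm -f "$weak" "$hard"
}
demo
```

Against a real server, point tls_lint at the file that holds the server blocks (nginx.conf or a file under conf/conf.d/); the exit status is the number of findings, so it can gate a deploy script.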

Note:
The above configuration means that all requests whose server_name is test.lynsite.cn are forwarded to localhost:1234, where localhost refers to the server itself.
For example: https://test.lynsite.cn/path is, after passing through Nginx, actually served from localhost:1234/path.
If you want the proxied target to be the root address of localhost:1234, change proxy_pass http://blog-test; in the configuration file to proxy_pass http://blog-test/; (note the trailing slash).
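The trailing-slash note above is one instance of the general rule Nginx applies when it builds the upstream URI: with a bare proxy_pass (no URI part) the client's request URI is passed through unchanged, while with a URI part the portion of the request URI that matched the prefix location is replaced by that URI. As an added example, not from the original post or from Nginx, the shell function below writes that rule out and applies it both to the two forms in the note and to a non-root location such as /api/, which the note does not cover. The host names are placeholders; only the URI part is illustrated.

```shell
#!/bin/sh
# Added example (not from the original post): the prefix-location rule Nginx
# uses to derive the upstream URI from 'location', 'proxy_pass' and the
# request URI. Host names are placeholders.

# Usage: map_proxy_uri LOCATION PROXY_PASS REQUEST_URI
# Prints the URI that is sent to the upstream.
#  - proxy_pass without a URI part: the request URI is passed unchanged.
#  - proxy_pass with a URI part ('/' counts): the part of the request URI
#    matching the prefix location is replaced by that URI.
map_proxy_uri() {
    loc="$1"; pp="$2"; req="$3"
    rest="${pp#*://}"                  # host[:port] followed by optional /uri
    case "$rest" in
        */*) uri="/${rest#*/}" ;;      # proxy_pass carries a URI part
        *)   uri="" ;;                 # no URI part
    esac
    if [ -z "$uri" ]; then
        printf '%s\n' "$req"
    else
        printf '%s%s\n' "$uri" "${req#"$loc"}"
    fi
}

# Demo: the two forms from the note above, then a non-root location.
demo() {
    for pp in http://blog-test http://blog-test/; do
        echo "location / + proxy_pass $pp + /path -> $(map_proxy_uri / "$pp" /path)"
    done
    echo "location /api/ + proxy_pass http://blog-test + /api/users -> $(map_proxy_uri /api/ http://blog-test /api/users)"
    echo "location /api/ + proxy_pass http://blog-test/ + /api/users -> $(map_proxy_uri /api/ http://blog-test/ /api/users)"
}
demo
```

For location / the two forms produce the same upstream URI, because the matched prefix and the replacement are both /; the difference only shows once the location is a longer prefix, where the bare form keeps the prefix and the slash form strips it.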

In addition, I moved the server blocks out of the http block in nginx.conf and keep them together in conf/conf.d/*.conf, as shown in the figure:

  • After the above configuration is complete, reload the Nginx configuration and https://test.lynsite.cn will reach our local port 1234. However, we usually type the domain name directly rather than an https:// prefix, so we also need to redirect access on port 80 to port 443. Assuming we want to reach port 443 by simply entering test.lynsite.cn, we add one more server block to the http block in Nginx. The specific configuration is as follows:
server {
  listen 80;
  server_name  test.lynsite.cn; # Set the domain name the certificate is bound to here.
  rewrite ^/(.*)$ https://$host/$1 permanent; # Redirect all HTTP requests to HTTPS with a 301; $host keeps the redirect on the domain name this block serves and the certificate covers.
}
  • After reloading the Nginx configuration, the site can be reached directly by domain name, and the address in the address bar is automatically converted to an https secure link.

Handling Nginx startup errors

If the previous steps worked normally, this part can be skipped.

If nginx is started or its configuration reloaded after configuring the SSL module and the error nginx: [emerg] unknown directive "ssl" is reported, the reason is that the SSL certificate configuration references Nginx's SSL module, but when nginx was first compiled the SSL module was not compiled in, so this error occurs.

  1. Download the Nginx source package and recompile it with the SSL module

./configure --with-http_ssl_module # Run ./sbin/nginx -V first and carry over the existing configure arguments, otherwise modules of the current build are lost

Note: if the above command fails with ./configure: error: the SSL module requires the OpenSSL library., OpenSSL and its development headers are missing. Install them with yum -y install openssl openssl-devel, wait for the installation to finish, and then run ./configure again.

  2. Execute the make command, but do not execute make install: make only compiles, while make install installs and would overwrite your entire existing nginx installation.

  3. After make finishes, there is an nginx binary in the objs folder of the nginx source directory. This is the newly built program. First back up the previous nginx, then copy the new binary over the old one.

cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak # Back up the old binary (optional)

cp objs/nginx /usr/local/nginx/sbin/nginx # Overwrite it with the newly built binary

# If cp reports that the file is busy because nginx is running, stop nginx first and then repeat the above.
  4. Check whether the ssl module is now compiled in
cd /usr/local/nginx/

./sbin/nginx -V # Upper-case V prints the version together with the configure arguments, which should now include --with-http_ssl_module
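Re-running ./configure with only --with-http_ssl_module silently drops every other module the installed binary was built with, and the rebuilt binary has to be checked afterwards for the same reason. As an added example, not from the original post or from Nginx, the two shell functions below read nginx -V output, report whether the SSL module is present, and produce a configure line that keeps the existing arguments and adds --with-http_ssl_module only when it is missing. The sample nginx -V output is constructed for the example; its path, compiler and module list are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): derive a safe ./configure line
# from 'nginx -V' output and verify the SSL module after the rebuild.
# SAMPLE_NGINX_V is constructed for this example; values are placeholders.

SAMPLE_NGINX_V='nginx version: nginx/1.8.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module'

# Read 'nginx -V' output from stdin and print its configure arguments with
# --with-http_ssl_module appended when it is not already there.
configure_args_with_ssl() {
    args=$(sed -n 's/^configure arguments: *//p')
    case " $args " in
        *" --with-http_ssl_module "*) ;;               # already built with SSL
        *) args="$args --with-http_ssl_module" ;;
    esac
    printf '%s\n' "${args# }"   # drop the leading space left when there were no arguments
}

# Exit 0 if the 'nginx -V' output on stdin shows the SSL module, 1 otherwise.
has_ssl_module() {
    grep -q -e '--with-http_ssl_module'
}

# Demo on the constructed sample.
demo() {
    printf 'existing build has SSL module: '
    printf '%s\n' "$SAMPLE_NGINX_V" | has_ssl_module && echo yes || echo no
    echo "configure line for the rebuild:"
    printf '%s\n' "$SAMPLE_NGINX_V" | configure_args_with_ssl
}
demo
```

On a real server nginx -V writes to stderr, so the call is ./sbin/nginx -V 2>&1 | configure_args_with_ssl; pass the printed arguments to ./configure, and after step 4 run ./sbin/nginx -V 2>&1 | has_ssl_module to confirm the module is in the new binary.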

Tags: Nginx SSL https

Posted on Fri, 03 Sep 2021 01:34:22 -0400 by alex_savin