Nginx's https address conversion

1. Introduction to HTTPS

1. Overview

Why do we need HTTPS? Because HTTP is not secure: when we use an http website, the traffic can be hijacked and tampered with on the way. With the https protocol the data is encrypted in transit, so an attacker cannot read or tamper with the packets, and information is not leaked while the website is being transmitted.

So to implement https we need to understand the SSL protocol, although what is actually used today is mostly the TLS protocol.

How does TLS turn plaintext messages into encrypted ones? In the OSI seven-layer model, HTTP is the application-layer protocol; below it, at the presentation layer, the SSL/TLS protocol does its work. It encrypts the data securely without the application-layer HTTP protocol being aware of it.

2. Simulate website tampering

1) Configure a website

[root@web01 /code]# vim /etc/nginx/conf.d/linux.jiechi.com.conf
server {
    listen 80;
    server_name linux.jiechi.com;
    charset utf-8;

    location / {
        root /code/jc;
        index index.html;
    }
}


2) Write a website page

[root@web01 /code]# mkdir /code/jc
[root@web01 /code]# cat /code/jc/index.html 
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>I'm title</title>
</head>
<body>
<article>
  <header>
    <h1>I'm qiudao</h1>
    <p>Creation time:<time pubdate="pubdate">2018/8/10</time></p>
  </header>
  <p>
    <b>Aticle</b>first time use h5 write an essay,good him*nervousness...
  </p>
  <footer>
    <p><small>all rights reserved!</small></p>
  </footer>
</article>
</body>
</html>


3) Restart nginx and access the site

[root@web01 /code]# systemctl restart nginx
#configure hosts
10.0.0.7 linux.jiechi.com


4) Configure the hijacking server (lb01) that sits in front of the website

[root@lb01 ~]# vim /etc/nginx/conf.d/linux.jiechi.com.conf
server {
    listen 80;
    server_name linux.jiechi.com;
    charset utf-8;

    location / {
        #hijack: forward every request to the real web01
        proxy_pass http://10.0.0.7;
        include proxy_params;
        #tamper: rewrite the plaintext response body in transit
        #(double quotes because the strings contain a single quote; the second pattern must match the page's real text)
        sub_filter "<title>I'm title</title>" "<title>I'm not a thing</title>";
        sub_filter '<b>Aticle</b>first time use h5 write an essay,good him*nervousness...' '<img src="https://blog.driverzeng.com/zenglaoshi/xingganheguan.gif">';
    }
}


5) Point hosts at the hijacking server and access the site again

[root@lb01 /code]# systemctl restart nginx
#configure hosts
#10.0.0.7 linux.jiechi.com
10.0.0.4 linux.jiechi.com

3. HTTPS certificate issuance process

First we need to apply for a certificate. We go to the registration agency to register our identity (who we are, what we do and what we want to do); the registration agency passes the request to the CA as a CSR, the CA issues the public key certificate, and that certificate is chained to the CA certificate chain. Once we have the certificate and its private key, we deploy them on the web server.

1. When the browser visits our https site, it requests our certificate
2. A web server such as Nginx sends our public key certificate to the browser
3. The browser verifies whether our certificate is legitimate and valid
4. The CA places certificates that are no longer valid on a CRL server. Checking a CRL is very inefficient, so CAs introduced the OCSP responder, which can be asked whether one specified certificate is still valid; the browser can query the OCSP responder directly, but OCSP responder performance is still not very high
5. Nginx has an OCSP switch (OCSP stapling, the ssl_stapling directive). When it is turned on, Nginx itself queries the OCSP responder and hands the result to clients, so a large number of clients obtain the certificate status directly from Nginx
#no need to memorize
1. The browser initiates a request to port 443 of the server; the request carries the encryption algorithms and hash algorithms the browser supports.
2. The server receives the request and selects an encryption algorithm and a hash algorithm that the browser supports.
3. The server returns its digital certificate to the browser. The certificate can be applied for from a trusted organization or made by ourselves.
4. The browser enters the certificate authentication phase. This part is done by the TLS implementation built into the browser:
4.1 First, the browser searches its built-in list of trusted certificates for the institution that issued the server's certificate. If none is found, the user is warned that the certificate was not issued by a trusted authority and cannot be trusted. If the organization is found, its public key is taken out.
4.2 Using that organization's public key, the browser verifies the certificate signature and reads the certificate contents: the website URL, the website's public key and the certificate's validity period. The signature is checked first (the process is similar to the communication between Bob and Susan above). Once the signature passes, the browser checks that the URL recorded in the certificate matches the current URL, warning the user on a mismatch. If the URL matches, the validity period is checked, and the user is warned if the certificate has expired. When all of these pass, the browser can safely use the website public key from the certificate.
4.3 The browser generates a random number R and encrypts R with the website public key.
5. The browser transmits the encrypted R to the server.
6. The server decrypts it with its own private key to obtain R.
7. The server uses R as the key to encrypt the web page content with a symmetric encryption algorithm and transmits it to the browser.
8. The browser uses R as the key and the previously agreed algorithm to decrypt the web page content.
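As an added example that is not part of the original post, here are steps 4.3 to 8 of the handshake above acted out with openssl on the command line: the browser encrypts a random R under the server's public key, the server recovers it with its private key, and both sides then use R as a symmetric AES key. The file names and the sample page content are constructed. Note that this static RSA key exchange is how TLS 1.2 and older work; TLS 1.3 removed it in favour of ephemeral Diffie-Hellman.

```shell
#!/usr/bin/env bash
# Added example: the RSA key exchange described in the handshake steps,
# played out with openssl in a temp directory. Nothing here is nginx config.
set -euo pipefail

# Server side: RSA key pair; the public key is what the certificate carries.
server_setup() {
    local dir="$1"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl rsa -in "$dir/server.key" -pubout -out "$dir/server.pub" 2>/dev/null
}

# Browser side (steps 4.3-5): pick a random R (256 bits, hex) and encrypt it
# with the server's public key, so only the private key holder can read it.
browser_send_r() {
    local dir="$1"
    openssl rand -hex 32 > "$dir/R.browser"
    openssl pkeyutl -encrypt -pubin -inkey "$dir/server.pub" \
        -in "$dir/R.browser" -out "$dir/R.enc"
}

# Server side (steps 6-7): recover R with the private key, then encrypt the
# page with R as an AES-256-CBC key (the IV travels in the clear).
server_reply() {
    local dir="$1"
    openssl pkeyutl -decrypt -inkey "$dir/server.key" -in "$dir/R.enc" -out "$dir/R.server"
    openssl rand -hex 16 > "$dir/iv"
    openssl enc -aes-256-cbc -K "$(cat "$dir/R.server")" -iv "$(cat "$dir/iv")" \
        -in "$dir/page.html" -out "$dir/page.enc"
}

# Browser side (step 8): decrypt the page with its own copy of R.
browser_read_page() {
    local dir="$1"
    openssl enc -d -aes-256-cbc -K "$(cat "$dir/R.browser")" -iv "$(cat "$dir/iv")" \
        -in "$dir/page.enc"
}

# Run the whole exchange on constructed page content; prints the recovered page.
# Usage: source this file, then run demo_exchange
demo_exchange() {
    local dir; dir=$(mktemp -d)
    printf '<title>I am title</title>\n' > "$dir/page.html"   # constructed sample page
    server_setup "$dir"; browser_send_r "$dir"; server_reply "$dir"
    browser_read_page "$dir"
}
```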


4. Certificate types

| Compared | Domain validation (DV) | Enterprise validation (OV) | Enhanced validation (EV) |
|---|---|---|---|
| Address bar display | Small lock + https | Small lock + https | Small lock + company name + https |
| General purpose | Personal sites and applications; simple https encryption needs | E-commerce sites and apps; small and medium business sites | Large financial platforms; large corporate and government agency sites |
| Audit content | Domain ownership verification | Comprehensive enterprise authentication; domain ownership verification | Highest level of corporate identity verification; domain ownership verification |
| Issuing time | 10 minutes - 24 hours | 3-5 working days | 5-7 working days |
| Single application period | 1 year | 1-2 years | 1-2 years |
| Payout guarantee | - | $1.25-1.75 million | $1.5-1.75 million |

5. Certificate purchase options

1. Single domain name, e.g. www.mumusir.com
2. Multi-domain: one certificate protects several hostnames, e.g. www., class., test., cdn. and so on
3. Wildcard domain name

6. Notes on HTTPS certificates

1. An https certificate cannot be renewed in place; when it expires a new certificate must be applied for and installed.
2. https does not support third-level domain name resolution, such as test.mall.mumsir.com
3. https shown in green means every URL of the website is https
4. https shown in yellow means the website code contains insecure http links
5. https shown in red means the certificate is fake or has expired.


2. Single-machine HTTPS configuration

1. Check that nginx has the ssl module

[root@web01 /code]# nginx -v
nginx version: nginx/1.18.0
[root@web01 /code]# nginx -V
#the configure arguments printed must include the ssl module:
--with-http_ssl_module


2. Create a directory to store the certificate

[root@web01 /code]# mkdir /etc/nginx/ssl_key
[root@web01 /code]# cd /etc/nginx/ssl_key/


3. Generate a certificate

#use the openssl command to act as the CA and issue the certificate ourselves (production does not use this method: a self-signed certificate is not trusted by browsers on the Internet)
[root@web01 /etc/nginx/ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
..................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key: 123456
Verifying - Enter pass phrase for server.key: 123456
#Generate a self-signed certificate while removing the password of the private key
[root@web03 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
..................................................................................................+++
...................................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:zhongguo
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [XX]:CN   
State or Province Name (full name) []:meiguo
Locality Name (eg, city) [Default City]:riben
Organization Name (eg, company) [Default Company Ltd]:heiyiren
Organizational Unit Name (eg, section) []:heiyiren
Common Name (eg, your name or your server's hostname) []:kenan
Email Address []:123@qq.com

# req    --> create a certificate request (or, with -x509, a certificate)
# newkey --> generate a new 2048-bit RSA private key at the same time
# nodes  --> do not encrypt the private key with a passphrase, so nginx can start without prompting
# x509   --> output a self-signed certificate instead of a certificate request
# keyout --> file that receives the private key
# out    --> file that receives the certificate
# days   --> validity period of the certificate
#Two files after certificate generation
[root@web01 /etc/nginx/ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1387 Sep  4 11:30 server.crt
-rw-r--r-- 1 root root 1704 Sep  4 11:30 server.key
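The command above produces a single self-signed certificate. The following is an added example (not from the original post) of the registration-agency-to-CA flow from the issuance section: the private key and CSR are created on the web server, a private lab CA signs the CSR, and the result is checked the way a browser would (signature chains to the CA, hostname is in the SAN). The CA name "Lab Root CA", the file names and the temp directory are assumptions; the hostnames are the ones used on this page.

```shell
#!/usr/bin/env bash
# Added example: issue the lab certificate from a private CA via a CSR,
# instead of one self-signed certificate. All names below are assumptions.
set -euo pipefail

# Build CA key + CA certificate, server key + CSR, then sign the CSR. Writes into $1.
make_lab_pki() {
    local dir="$1"
    mkdir -p "$dir"
    # 1) CA key pair and self-signed CA certificate (the trust anchor to import into browsers)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Lab Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2) Server key pair and CSR: the private key is generated here and never leaves the server
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=linux.ssl.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3) SAN extension: browsers match the hostname against subjectAltName, not CN
    printf 'subjectAltName=DNS:linux.ssl.com,DNS:linux.https.com\nextendedKeyUsage=serverAuth\n' \
        > "$dir/san.ext"
    # 4) The CA signs the CSR, producing the server certificate used by ssl_certificate
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Check the certificate like a browser: signature chains to the CA and the
# hostname appears in the SAN. Returns 0 only if both hold.
verify_lab_cert() {
    local dir="$1" host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -checkhost "$host" | grep -q "does match"
}

# Usage: make_lab_pki /etc/nginx/ssl_key && verify_lab_cert /etc/nginx/ssl_key linux.ssl.com
```

A browser that has ca.crt imported as a trusted root will then accept server.crt for both hostnames, which a bare self-signed certificate never achieves.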


4. Certificate configuration syntax

#turn on ssl (deprecated since nginx 1.15.0: use the ssl parameter of the listen directive instead, as the configurations below do)
Syntax: ssl on | off;
Default:    ssl off;
Context:    http, server

#Specify the certificate file (PEM; may hold the server certificate followed by the intermediate chain)
Syntax: ssl_certificate file;
Default:    —
Context:    http, server

#Specify the private key file
Syntax: ssl_certificate_key file;
Default:    —
Context:    http, server


5. Configure nginx certificate

[root@web01 ~]# vim /etc/nginx/conf.d/linux.ssl.com.conf
server {
    listen 443 ssl;
    server_name linux.ssl.com;
    ssl_certificate /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;

    location / {
        root /code/ssl;
        index index.html;
    }
}


6. Restart nginx and test access

[root@web01 ~]# systemctl restart nginx
#configure hosts
10.0.0.7 linux.ssl.com


7. Redirect HTTP to HTTPS automatically

[root@web01 ~]# vim /etc/nginx/conf.d/linux.ssl.com.conf
server {
    listen 443 ssl;
    server_name linux.ssl.com;
    ssl_certificate /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;

    location / {
        root /code/ssl;
        index index.html;
    }
}

server {
    listen 80;
    server_name linux.ssl.com;
    #a rewrite to an absolute https:// URL makes nginx answer with a 302 redirect
    rewrite (.*) https://linux.ssl.com$1;
    #equivalent alternative:
    #return 302 https://$server_name$request_uri;
}

3. Site-wide HTTPS

1. Environment preparation

| Host | External IP | Intranet IP | Role |
|---|---|---|---|
| lb01 | 10.0.0.4 | 172.16.1.4 | load balancing |
| web01 | - | 172.16.1.7 | web server |
| web03 | - | 172.16.1.9 | web server |

2. Configure the web server

1) Configure nginx

[root@web01 ~]# vim /etc/nginx/conf.d/linux.https.com.conf
server {
    listen 80;
    server_name linux.https.com;

    location / {
        root /code/https;
        index index.html;
    }
}


2) Configure the site

[root@web01 ~]# mkdir /code/https
[root@web01 ~]# echo "web01111111" > /code/https/index.html

[root@web03 ~]# mkdir /code/https
[root@web03 ~]# echo "web033333333" > /code/https/index.html


3) Test access

[root@web01 ~]# systemctl restart nginx
[root@web03 ~]# systemctl restart nginx
#configure hosts on the client and access each web server directly


3. Configure the load balancing server

1) Copy the certificate to the load balancer

[root@web01 ~]# scp -r /etc/nginx/ssl_key 172.16.1.4:/etc/nginx/


2) Configure nginx

[root@lb01 ~]# vim /etc/nginx/conf.d/linux.https.com.conf
upstream https_web {
    server 172.16.1.7:80;
    server 172.16.1.9:80;
}

server {
    listen 80;
    server_name linux.https.com;
    rewrite (.*) https://linux.https.com$1;
}

server {
    listen 443 ssl;
    server_name linux.https.com;
    ssl_certificate /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;

    location / {
        #TLS terminates here; the backends are reached over plain http on the intranet
        proxy_pass http://https_web;
        include proxy_params;
    }
}


3) Check the configuration, restart nginx and access the site

[root@lb01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@lb01 ~]# systemctl restart nginx
#configure hosts on the client to point linux.https.com at 10.0.0.4


Posted by onyx on Wed, 18 May 2022 09:09:15 +0300