
180 days cloud computing Xiaobai to great God nginx HTTPS practice

2021-08-23 08:27:55 Give Xiao Li three thin noodles

10.Nginx HTTPS practice


1. HTTPS basic overview
1.1 Why HTTPS is needed
1.2 What HTTPS is
1.3 How TLS implements encryption
2. HTTPS implementation principle
2.1 Encryption model: symmetric encryption
2.2 Encryption model: asymmetric encryption
2.3 Certificate authorities (CA)
2.4 HTTPS communication principle
3. HTTPS extended knowledge
3.1 HTTPS certificate types
3.2 HTTPS purchase suggestions
3.3 HTTPS browser indicators and other notes
4. HTTPS single-server configuration practice
4.1 SSL configuration syntax
4.2 Creating an SSL certificate
4.3 Configuring an SSL site
4.4 Access validation of SSL
4.5 Forcing a redirect to HTTPS
5. HTTPS cluster configuration practice
5.1 Environment preparation
5.2 Configure the application nodes
5.3 Configure load balancing
6. HTTPS scenario configuration practice
6.1 Scenario practice 1
6.2 Scenario practice 2
6.3 Scenario practice 3
7. HTTPS optimization configuration practice
7.1 Basic overview of optimization
7.2 Optimized configuration example

Xu Liangwei, known in the trade as "Benchmark Xu". Years of Internet operations experience; has been responsible for the automated operations management of large-scale cluster architectures, specializes in web cluster architecture and automated operations, and was previously responsible for operations at a large domestic e-commerce company.

Personal blog: "Xu Liangwei's Path to Architect", from which tens of thousands of people have benefited.

1. HTTPS basic overview

1.1 Why HTTPS is needed

HTTP transmits data in clear text, so anything sent over it (account names and passwords, transaction details and other sensitive data) can be read and modified by anyone on the network path. With HTTPS the data is encrypted in transit and its integrity is checked, which prevents both eavesdropping and tampering between the browser and the site.

1.2 What HTTPS is

HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried over an encrypted, authenticated channel; most sites today rely on it to protect their traffic.

Netscape originally designed SSL (Secure Sockets Layer) to encrypt the data carried by the HTTP protocol. To turn a site into an HTTPS site you therefore need to understand SSL, or rather its successor TLS (Transport Layer Security), which is what actually does the encryption and decryption today: every SSL version and TLS 1.0/1.1 are deprecated, and current deployments use TLS 1.2 and TLS 1.3.

1.3 How TLS implements encryption

TLS/SSL encrypts the plaintext HTTP messages. In the OSI seven-layer model it sits between the application layer and the transport layer, and it provides:

1. Confidentiality: the data cannot be read by a third party.

2. Integrity: the data cannot be altered in transit without the change being detected.

3. Authentication: the server (and optionally the client) proves its identity with a certificate, so the client knows whom it is encrypting to.

It does this by encrypting the data the application layer hands down to the transport layer, and decrypting it on the other side before handing it back up.

2. HTTPS implementation principle

2.1 Encryption model: symmetric encryption

Symmetric encryption: the two communicating parties share the same secret key, and that one key is used both to encrypt and to decrypt. For example:

Bob encrypts the original document with the secret key, producing a ciphertext document.

Alice receives the ciphertext document and uses the same secret key to recover the original plaintext document.

To see how a symmetric cipher actually works, take a stream cipher such as RC4: the key is expanded into a keystream, and the keystream is XORed with the data.

Encryption: keystream XOR plaintext = ciphertext

Decryption: keystream XOR ciphertext = plaintext

RC4 is broken and prohibited in TLS (RFC 7465); it serves here only as the simplest model of a stream cipher. Note also that XOR-based encryption alone gives no integrity: flipping a bit of the ciphertext flips the same bit of the plaintext, which is why TLS pairs the cipher with a MAC or uses an AEAD mode such as AES-GCM.

2.2 Encryption model: asymmetric encryption

Asymmetric encryption is based on a mathematical one-way relationship between a pair of keys (a public key and a private key): what is encrypted with the public key can only be decrypted with the private key.

Private key: kept by its owner and never disclosed.

Public key: published for anyone to use.

For example: Alice has a key pair and can publish the public key to anyone. Suppose Bob is one of those people. When Bob wants to send an encrypted document to Alice, he encrypts it with Alice's public key; Alice decrypts the ciphertext with her own private key and obtains the original document.

Note: Alice must be sure the message really came from Bob, and Bob must be sure the public key he used really belongs to Alice. Public-key encryption alone does not settle this trust question. For communication between many parties there must be a publicly trusted organization that vouches for the identities of both sides, and that organization is the CA.

2.3 Certificate authorities (CA)

How do the communicating parties verify each other's identity?

A CA (certificate authority) is a trusted organization whose main job is to issue certificates and to let others verify them. How does a CA take an application and issue a certificate?

The applicant first generates a key pair and keeps the private key. They then register: who I am, which organization I belong to, what the certificate is for. This information, together with the public key, is packaged into a CSR (certificate signing request) and sent to the CA. After the registration authority has checked the identity, the CA signs the public key and the identity with its own private key, producing a certificate that chains up to the CA's certificate. The private key never leaves the subscriber. The subscriber then deploys the certificate and the private key on the web server.

1. When a browser visits our HTTPS site, it asks the server for its certificate.

2. Nginx sends our public-key certificate (plus any intermediate certificates) back to the browser.

3. The browser checks whether the certificate is legitimate and still valid: the signature chains to a CA in the browser's trust store, the certificate has not expired, and its name matches the site being visited.

4. Revocation: a CA publishes the certificates it has revoked in a CRL (certificate revocation list). Checking a CRL is inefficient, so CAs also run an OCSP (Online Certificate Status Protocol) responder that answers whether one specified certificate is still good. The browser could query the OCSP responder directly, but responders are slow and the query tells the CA which sites the user visits.

5. Nginx has an OCSP stapling switch. When it is enabled, Nginx itself queries the OCSP responder, caches the signed answer and "staples" it to the TLS handshake, so the many clients learn the certificate's status straight from Nginx without contacting the CA.

2.4 HTTPS communication principle

HTTPS uses a hybrid scheme: asymmetric encryption to establish a shared secret, then symmetric encryption for the actual data.

Preparation before communication: apply for the certificate that matches the domain name and deploy it on the Nginx server.

1) The client sends a Client Hello message. It contains a random number generated by the client (Random1), the cipher suites the client supports and the TLS protocol versions it supports.

2) The server replies with a Server Hello message: it returns its own public-key certificate, picks one suitable cipher suite, and generates a second random number (Random2) which it pushes to the client. At this point both client and server hold two random numbers (Random1 + Random2).

3) After receiving the server's certificate, the client first validates it (it checks the CA's signature on the certificate with the CA's public key, the validity period and the name). Once the certificate checks out, the client extracts the server's public key from it, generates a third random number (Random3, the pre-master secret) and encrypts Random3 with the server's public key.

4) The server decrypts Random3 with its own private key. Now both client and server hold Random1 + Random2 + Random3, and both derive the same session key from them with the same algorithm. All application-layer data after the handshake is encrypted symmetrically with that key.

This is the TLS 1.2 RSA key exchange. TLS 1.3 removed it: the shared secret is no longer encrypted to the server's key but agreed through an ephemeral (EC)DHE exchange, which gives forward secrecy, and the certificate's key only signs the handshake.
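The three models above, as an added example that is not part of the original article: a POSIX shell script using the openssl command line to reproduce section 2.1 (one shared key encrypts and decrypts, and why encryption alone gives no integrity), section 2.2 (public-key encryption, private-key decryption) and the Random1/Random2/Random3 derivation of section 2.4. The key pair, the random values, the file names and the SHA-256 stand-in for the TLS key derivation are all constructed here, and AES-256-CTR stands in for the RC4 stream cipher the article mentions.

```sh
#!/bin/sh
# Added example, not code from the original article. Requires the openssl CLI.
# Everything lives in a scratch directory that is removed on exit.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# ---- 2.1 symmetric encryption ----------------------------------------------
# One key shared by Bob and Alice (constructed here with openssl rand; in practice
# it is distributed out of band). AES-256-CTR is a stream mode, so as with RC4
# ciphertext = keystream XOR plaintext. RC4 itself is prohibited in TLS (RFC 7465).
SYM_KEY=$(openssl rand -hex 32)
SYM_IV=$(openssl rand -hex 16)

sym_encrypt() { printf '%s' "$1" | openssl enc -aes-256-ctr -K "$SYM_KEY" -iv "$SYM_IV" -out "$2"; }
sym_decrypt() { openssl enc -d -aes-256-ctr -K "$SYM_KEY" -iv "$SYM_IV" -in "$1"; }

# Bob encrypts, Alice decrypts with the same key: prints the original text.
sym_roundtrip() {
    sym_encrypt "$1" "$WORK/ct.bin"
    sym_decrypt "$WORK/ct.bin"
}

# Why 1.3 lists integrity separately: flip the lowest bit of the first ciphertext
# byte and the same bit of the first plaintext byte flips ("hello" -> "iello"),
# while decryption reports no error. TLS detects this with a MAC or an AEAD tag.
sym_tamper() {
    sym_encrypt "$1" "$WORK/ct.bin"
    first=$(od -An -tu1 -N1 "$WORK/ct.bin" | tr -d ' ')
    printf "\\$(printf '%03o' $((first ^ 1)))" \
        | dd of="$WORK/ct.bin" bs=1 count=1 conv=notrunc 2>/dev/null
    sym_decrypt "$WORK/ct.bin"
}

# ---- 2.2 asymmetric encryption ---------------------------------------------
# Alice (the server in 2.4) generates a key pair: server.key stays private,
# server.pub is published.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
openssl pkey -in "$WORK/server.key" -pubout -out "$WORK/server.pub"

rsa_encrypt() { openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" -pkeyopt rsa_padding_mode:oaep "$@"; }
rsa_decrypt() { openssl pkeyutl -decrypt -inkey "$WORK/server.key" -pkeyopt rsa_padding_mode:oaep "$@"; }

# Bob encrypts with the public key; only the holder of the private key can read it.
asym_roundtrip() {
    printf '%s' "$1" | rsa_encrypt -out "$WORK/msg.enc"
    rsa_decrypt -in "$WORK/msg.enc"
}

# ---- 2.4 handshake (TLS 1.2 RSA key exchange) ------------------------------
# Random1 and Random2 travel in the clear, Random3 (the pre-master secret) travels
# encrypted under the server's public key, and both sides derive the same session
# key. SHA-256 over the concatenation is a stand-in for the TLS PRF.
derive_key() { printf '%s%s%s' "$1" "$2" "$3" | openssl dgst -sha256 -r | cut -d' ' -f1; }

handshake_keys_match() {
    r1=$(openssl rand -hex 32)                    # Client Hello random
    r2=$(openssl rand -hex 32)                    # Server Hello random
    r3=$(openssl rand -hex 32)                    # pre-master secret, client side
    client_key=$(derive_key "$r1" "$r2" "$r3")
    printf '%s' "$r3" | rsa_encrypt -out "$WORK/r3.enc"     # client -> server
    r3_server=$(rsa_decrypt -in "$WORK/r3.enc")             # server's copy of Random3
    server_key=$(derive_key "$r1" "$r2" "$r3_server")
    [ "$client_key" = "$server_key" ] && echo match
}

echo "symmetric round trip:   $(sym_roundtrip hello)"
echo "tampered ciphertext:    $(sym_tamper hello)"
echo "asymmetric round trip:  $(asym_roundtrip hello)"
echo "handshake session keys: $(handshake_keys_match)"
```

The tampering step is the practical reason TLS 1.2 always combines the cipher with an HMAC and TLS 1.3 only allows AEAD suites; a stream cipher on its own lets an attacker change bits of the plaintext without knowing the key.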

3. HTTPS extended knowledge

3.1 HTTPS certificate types

DV (domain validation): proves control of the domain name only; the cheapest, often free.

OV (organization validation): the CA also verifies the organization behind the domain; costs money.

EV (extended validation): the strictest vetting of the organization; expensive.

All three give the same encryption; they differ only in how much identity checking the CA performs before issuing.

3.2 HTTPS purchase suggestions

Take oldxu.net with its subdomains (www.oldxu.net, blog.oldxu.net, images.oldxu.net, cdn.oldxu.net, m.oldxu.net, qq.oldxu.net):

Protect 1 domain name: www only.

Protect 5 domain names: www, images, cdn, test, m (a multi-domain certificate listing each name).

Protect all of them at once: a wildcard certificate for *.oldxu.net.

3.3 HTTPS browser indicators and other notes

A certificate cannot be extended; when it expires you apply for a new one and replace the old one.

A wildcard covers only one label: *.oldxu.net does not cover a third-level name such as test.m.oldxu.net, which needs its own certificate or a *.m.oldxu.net wildcard.

Green (padlock): every URL on the page is loaded over https and the whole page is secure.

Yellow (warning): part of the page's code references URLs over the insecure http protocol (mixed content: an https page embedding http resources).

Red (error): the certificate is not trusted, does not match the name, or has expired.

Current browsers no longer use green: they show a plain padlock for a clean page, a "Not secure" warning for mixed content, and a full-page interstitial for an invalid certificate.

4. HTTPS single-server configuration practice

4.1 SSL configuration syntax

# The official sample (from an older edition of the Nginx documentation; the protocol
# and cipher lines show their age, see the comments)
worker_processes auto;

http {
    server {
        listen              443 ssl;
        keepalive_timeout   70;

        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); a current deployment uses
        # "ssl_protocols TLSv1.2 TLSv1.3;"
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;

        # RC4 (RFC 7465), 3DES and MD5 are no longer acceptable; current deployments use
        # AEAD suites such as ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256
        ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;

        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;

        # session cache shared by all workers; 1 MB holds about 4000 sessions
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
    }
}
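An added check that is not part of the original article or of Nginx itself: a shell script that scans an nginx configuration file for the legacy directives in the sample above (ssl on, TLS 1.0/1.1, RC4/3DES/MD5 cipher names) and shows the corrected directives beside them. The two sample configurations are constructed inline for the demo; the function takes any file path.

```sh
#!/bin/sh
# Added example, not code from the original article. Pure POSIX shell, no nginx needed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input 1: the legacy settings from the "official sample" above.
cat > "$WORK/legacy.conf" <<'EOF'
server {
    listen              443;
    ssl                 on;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_certificate     /usr/local/nginx/conf/cert.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert.key;
}
EOF

# Constructed input 2: the same server block with the directives a current
# deployment uses (TLS 1.2/1.3 only, AEAD suites, ssl as a listen parameter).
cat > "$WORK/hardened.conf" <<'EOF'
server {
    listen              443 ssl;
    # ssl on;   (no longer needed; the listen parameter replaces it)
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_certificate     /usr/local/nginx/conf/cert.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert.key;
}
EOF

# tls_findings FILE: print one line per weak TLS setting, nothing if clean.
# Comments are stripped first so a commented-out "ssl on;" is not reported.
tls_findings() {
    stripped=$(sed 's/#.*$//' "$1")
    printf '%s\n' "$stripped" \
        | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' \
        && echo 'ssl on: deprecated since nginx 1.15.0, use "listen 443 ssl;" instead'
    # bare "TLSv1" or "TLSv1.1" followed by whitespace or ";" (TLSv1.2/TLSv1.3 do not match)
    printf '%s\n' "$stripped" \
        | grep -E '^[[:space:]]*ssl_protocols' \
        | grep -Eq '(TLSv1|TLSv1\.1)[[:space:];]' \
        && echo 'ssl_protocols: TLS 1.0/1.1 enabled, deprecated by RFC 8996'
    printf '%s\n' "$stripped" \
        | grep -E '^[[:space:]]*ssl_ciphers' \
        | grep -Eq 'RC4|DES|MD5|NULL|EXPORT' \
        && echo 'ssl_ciphers: RC4 (RFC 7465), 3DES, MD5, NULL or EXPORT suites listed'
    return 0
}

echo "legacy.conf:";   tls_findings "$WORK/legacy.conf"
echo "hardened.conf:"; tls_findings "$WORK/hardened.conf"
```

Run it against /etc/nginx/nginx.conf and every file under conf.d before a restart; the three findings on the legacy sample are exactly the lines to change, and the hardened sample is what they should become.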

4.2 Creating an SSL certificate

1. Create the certificate directory

[root@nginx ~]# mkdir -p /etc/nginx/ssl_key
[root@nginx ~]# cd /etc/nginx/ssl_key

2. Use the openssl command to act as our own CA and create a certificate (an unregistered, self-issued one that no browser trusts by default)

[root@nginx ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
…+++
# Remember the passphrase you set; here it is 1234
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

3. Generate a self-signed certificate and at the same time drop the private-key passphrase

[root@nginx ssl_key]# openssl req -days 36500 -x509 \
    -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Country Name (2 letter code) [XX]:CN                                   # country
State or Province Name (full name) []:WH                               # province
Locality Name (eg, city) [Default City]:WH                             # city
Organization Name (eg, company) [Default Company Ltd]:edu              # company
Organizational Unit Name (eg, section) []:oldxu                        # department
Common Name (eg, your name or your server's hostname) []:s.oldxu.net   # server host name
Email Address []:[email protected]

# req     --> work with certificate requests (PKCS#10)
# -new    --> create a new request
# -x509   --> output a self-signed certificate instead of a request
# -newkey --> generate a new private key of the given type and size
# -nodes  --> do not encrypt the private key, so Nginx can start without a passphrase
# -keyout --> file to write the private key to
# -out    --> file to write the certificate to
# -days   --> validity period of the certificate

Two things to be aware of. First, -newkey generates a fresh key and -keyout overwrites the server.key from step 2, so the passphrase-protected key is never used; to reuse an existing key, pass -key server.key instead of -newkey. Second, this certificate carries only a Common Name; browsers match the site name against the subjectAltName extension and ignore the CN, so even after the self-signed warning is accepted a modern browser reports a name mismatch. OpenSSL 1.1.1 and later accept -addext "subjectAltName=DNS:s.oldxu.net" on the same command to add it.
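The issuance flow of section 2.3 and the self-signed step above, as an added example that is not part of the original article: a shell script that stands up a throwaway CA, has the server generate its own key and CSR, signs the CSR with a subjectAltName, and verifies the result with openssl verify the way a browser would, including the failure cases. The CA name, file names, validity periods and the extra www.oldxu.net name are constructed for this demo.

```sh
#!/bin/sh
# Added example, not code from the original article. Requires the openssl CLI (1.1.1+).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SITE=s.oldxu.net

# 1. The CA's own key pair and self-signed CA certificate. A private config is used so
#    the result does not depend on the system openssl.cnf; CA:TRUE is what lets
#    openssl verify accept it as an issuer.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Demo Lab CA
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. The subscriber generates ITS OWN key pair and sends the CA only a CSR
#    (identity + public key). The CA never sees server.key.
cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt             = no
[dn]
C  = CN
O  = edu
CN = $SITE
[v3_server]
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$SITE,DNS:www.oldxu.net
EOF
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# 3. The CA signs the request with ca.key and adds the end-entity extensions from
#    [v3_server]; the CA, not the requester, decides what goes into the certificate.
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/server.cnf" -extensions v3_server -out "$WORK/server.crt" 2>/dev/null

# 4. What a browser does in step 3 of section 2.3: chain to a trusted CA and match
#    the typed host name against subjectAltName. Exit status 0 means OK.
verify_as_browser() {    # $1 = host name the client typed
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}
# Without the CA in the trust store the same certificate is rejected: this is the
# browser warning of section 4.4.
verify_without_ca() {
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
}
leaf_san() { openssl x509 -in "$WORK/server.crt" -noout -ext subjectAltName; }

# For Nginx: ssl_certificate wants the leaf followed by its issuing chain,
# ssl_certificate_key the private key that never left this host.
cat "$WORK/server.crt" "$WORK/ca.crt" > "$WORK/fullchain.pem"

for host in "$SITE" www.oldxu.net bad.oldxu.net; do
    if verify_as_browser "$host"; then echo "$host: OK"; else echo "$host: name or chain check failed"; fi
done
if verify_without_ca; then echo "untrusted CA: OK"; else echo "untrusted CA: rejected, as the browser warning shows"; fi
leaf_san
```

With a real CA the only difference is step 3: you send server.csr to the CA and receive server.crt plus the intermediate certificate back; the private key, the SAN requirement and the verification are the same. Import ca.crt into a test browser's trust store and the warning of section 4.4 disappears for s.oldxu.net.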

4.3 Configuring an SSL site

[root@nginx ~]# cat /etc/nginx/conf.d/s.oldxu.net.conf
server {
    listen 443 ssl;
    server_name s.oldxu.net;
    # "ssl on;" is the pre-1.15 way of saying what "listen 443 ssl;" already says;
    # it is deprecated since 1.15.0 and removed in 1.25.1, so the listen parameter is enough
    ssl on;
    # relative paths are resolved against the Nginx prefix, i.e. /etc/nginx/ssl_key/...
    ssl_certificate     ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;

    location / {
        root  /code;
        index index.html;
    }
}

# Prepare the matching site directory, check the configuration and restart the Nginx service
[root@nginx ~]# mkdir -p /code
[root@nginx ~]# echo "Https" > /code/index.html
[root@nginx ~]# nginx -t
[root@nginx ~]# systemctl restart nginx

4.4 Access validation of SSL

Enter https://s.oldxu.net in the browser. Because the certificate was signed by ourselves rather than issued by a trusted third-party CA, the browser shows a certificate warning (and, since the certificate has no subjectAltName, newer browsers also report a name mismatch). After accepting the risk the page shows "Https". Once a CA-issued certificate is deployed the warning disappears.

4.5 Forcing a redirect to HTTPS

If the user forgets to type https:// in the address bar, the browser opens http://s.oldxu.net and never reaches the HTTPS site. It is therefore recommended to add the following configuration so that every http request is redirected to https.

[root@nginx ~]# cat /etc/nginx/conf.d/ssl.conf
server {
    # the original wrote "listen 443;" together with "ssl on;", the deprecated form
    listen 443 ssl;
    server_name s.oldxu.net;
    ssl_certificate     ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;

    location / {
        root  /code;
        index index.html;
    }
}

server {
    listen 80;
    server_name s.oldxu.net;
    # 302 (temporary) as in the original; production sites normally switch to 301 once
    # HTTPS is there to stay. $server_name is the name configured above; $host would
    # echo back whatever Host header the client sent.
    return 302 https://$server_name$request_uri;
}

Once the whole site is served over HTTPS, also send a Strict-Transport-Security header from the 443 server so that browsers that have visited once no longer issue the initial plain-http request at all.

5. HTTPS cluster configuration practice

5.1 Environment preparation

Host name   External IP (NAT)   Internal IP (LAN)   Role
lb01        eth0:10.0.0.5       eth1:172.16.1.5     nginx-proxy
web01       eth0:10.0.0.7       eth1:172.16.1.7     nginx-web01
web02       eth0:10.0.0.8       eth1:172.16.1.8     nginx-web02

5.2 Configure the application nodes

# Configure all backend nodes; listening on port 80 is enough, TLS is terminated on lb01
[root@web01 conf.d]# cat s.oldxu.net.conf
server {
    listen 80;
    server_name s.oldxu.net;
    root /code/wordpress;

    location / {
        index index.html;
    }
}

5.3 Configure load balancing

1. Create the SSL certificate (on lb01, the only node that terminates TLS; as in 4.2, the -newkey in the second command overwrites the key from the first)

[root@lb01 ~]# mkdir -p /etc/nginx/ssl_key
[root@lb01 ~]# cd /etc/nginx/ssl_key
[root@lb01 ssl_key]# openssl genrsa -idea -out server.key 2048
[root@lb01 ssl_key]# openssl req -days 36500 -x509 -sha256 \
    -nodes -newkey rsa:2048 -keyout server.key -out server.crt

# 2. The Nginx load-balancing configuration file
[root@lb01 ~]# cat /etc/nginx/conf.d/proxy.conf
upstream site {
    server 172.16.1.7:80 max_fails=2 fail_timeout=10s;
    server 172.16.1.8:80 max_fails=2 fail_timeout=10s;
}

# https site configuration
server {
    listen 443 ssl;
    server_name s.oldxu.net;
    ssl_certificate     ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;

    location / {
        proxy_pass http://site;
        # proxy_params must carry "proxy_set_header X-Forwarded-Proto $scheme;"
        # (besides Host and X-Forwarded-For) so the backend knows the client used
        # HTTPS; otherwise an application such as WordPress builds http:// links
        # and the page ends up with mixed content or a redirect loop.
        include proxy_params;
    }
}

# Requests arriving over http are forced to https
server {
    listen 80;
    server_name s.oldxu.net;
    return 302 https://$server_name$request_uri;
}

# 3. Test the configuration and restart the Nginx load balancer
[root@lb01 ~]# nginx -t
[root@lb01 ~]# systemctl restart nginx

Note that the hop from lb01 to the backends on 172.16.1.x is plain HTTP; that is acceptable only as long as the internal network is trusted.

6. HTTPS scenario configuration practice

6.1 Scenario practice 1

Simulate a bank website:

1. Users browse the main site over plain http.

2. When the user clicks "login", the site redirects to a different domain name that is served over HTTPS.

#1. Home page  http://yh.oldxu.net (ordinary web browsing)
#2. Simulated login  http://yh.oldxu.net/login (the equivalent of clicking the login button)
#3. Login page  https://star.oldxu.net (the secure login)

#1. Configure https://star.oldxu.net
[root@nginx ~]# cat /etc/nginx/conf.d/star.oldxu.net.conf
server {
    listen 443 ssl;
    # the original file had "start.oldxu.net" here and in the redirect below, a typo
    # for the star.oldxu.net used everywhere else; the two must agree or the redirect
    # lands on a server block that does not exist
    server_name star.oldxu.net;
    # the self-signed certificate from 4.2 was issued for s.oldxu.net, so a browser
    # will also flag a name mismatch here; each HTTPS host needs a matching certificate
    ssl_certificate     ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    root /code/login;

    location / {
        index index.html;
    }
}

[root@nginx ~]# mkdir -p /code/login
[root@nginx ~]# echo "login...https" > /code/login/index.html

#2. Configure http://yh.oldxu.net
[root@nginx ~]# cat /etc/nginx/conf.d/yh.oldxu.net.conf
server {
    listen 80;
    server_name yh.oldxu.net;
    root /code;

    location / {
        index index.html;
    }

    location /login {
        return 302 https://star.oldxu.net;
    }
}

6.2 Scenario practice 2

Requirement: every URL of the site should be served over https, except s.oldxu.net/abc, which should stay on http.

[root@lb01 conf.d]# cat proxy_s.oldxu.net.conf
upstream webs {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
}

server {
    listen 443 ssl;
    ssl_certificate     ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    server_name s.oldxu.net;

    location / {
        proxy_pass http://webs;
        include proxy_params;
    }
}

server {
    listen 80;
    server_name s.oldxu.net;

    # everything except /abc... is redirected to https. "return" is one of the few
    # actions that is safe inside an "if" in server context; the same rule could also
    # be written as a "location /abc" block that proxies, plus a "return" in "location /".
    if ($request_uri !~* "^/abc") {
        return 302 https://$http_host$request_uri;
    }

    location / {
        proxy_pass http://webs;
        include proxy_params;
    }
}

6.3 Scenario practice 3

Enable OCSP stapling to speed up validation of the certificate's revocation status.

# Prepare the chain used to verify the stapled OCSP response: the intermediate and root
# certificates of the CA that issued the site certificate (here the Let's Encrypt chain
# in use when the article was written)
#wget -O root.pem https://ssl-tools.net/certificates/dac9024f54d8f6df94935fb1732638ca6ad77c13.pem
#wget -O intermediate.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
#cat intermediate.pem > /etc/nginx/ssl_key/ocsp.pem
#cat root.pem >> /etc/nginx/ssl_key/ocsp.pem

# Configure Nginx
server {
    listen 443 ssl;
    server_name s.oldxu.net;
    ssl_certificate     ssl/6152750_s.oldxu.net.pem;
    ssl_certificate_key ssl/6152750_s.oldxu.net.key;

    # Enable OCSP stapling
    ssl_stapling on;
    # verify the response from the CA's responder against the chain below before stapling it
    ssl_stapling_verify on;
    ssl_trusted_certificate ssl/ocsp.pem;
    # Nginx must be able to resolve the OCSP responder's host name: if no "resolver"
    # directive is configured elsewhere, add one in this server or in http

    root /code;

    location / {
        index index.html;
    }
}

Verify that the OCSP response is being stapled

# Command-line check: -status asks the server for a stapled response. The first
# connection after a restart may still say "no response sent", because Nginx fetches
# the response in the background and staples it from the next handshake on.
[root@nginx ~]# echo QUIT | openssl s_client -connect s.oldxu.net:443 -status 2>/dev/null | grep -A 17 "OCSP response"
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 55744FB2724FF560BA50D1D7E6515C9A01871AD7
    Produced At: Aug 20 02:33:01 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 978B4716E5B0F658BAE69DAB1689B8363AE3C3A6
      Issuer Key Hash: 55744FB2724FF560BA50D1D7E6515C9A01871AD7
      Serial Number: 086605F8BF56EA63D3E250FDD617DDF0
    Cert Status: good
    This Update: Aug 20 02:18:01 2021 GMT    # this update
    Next Update: Aug 27 01:33:01 2021 GMT    # next update

# Baidu has not enabled OCSP stapling (as observed when the article was written)
[root@nginx ~]# echo QUIT | openssl s_client -connect baidu.com:443 -status 2>/dev/null | grep -A 17 "OCSP response"
OCSP response: no response sent

7. HTTPS optimization configuration practice

7.1 Basic overview of optimization

SSL computation needs extra CPU, and of the whole SSL exchange the "handshake" phase consumes the most CPU. Several aspects can be tuned:

1. Set the number of worker processes equal to the number of CPU cores: worker_processes auto.

2. Enable keepalive so that one TCP (and TLS) connection carries many requests instead of handshaking for each one.

3. Enable a shared session cache, shared among all worker processes, so that returning clients resume a session instead of repeating the full SSL "handshake".

4. Do not use the builtin cache: it is private to one worker process, so a client whose resumption attempt lands on another worker gets a full handshake anyway. Use shared and leave builtin disabled.

7.2 Optimized configuration example

worker_processes auto;

http {
    server {
        listen 443 ssl;
        server_name www.example.com;
        ssl_certificate     www.example.com.crt;
        ssl_certificate_key www.example.com.key;

        # Nginx decides which protocols it will negotiate with the browser
        # (add TLSv1.3 where the Nginx and OpenSSL builds support it)
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;

        # keep connections open for reuse
        keepalive_timeout 70;

        # session_cache is off by default: after a handshake, closing the browser and
        # coming back means a full handshake again. With the cache on, a client that
        # reconnects within session_timeout reuses the cached session and skips the
        # full handshake.
        ssl_session_cache shared:SSL:10m;
        # 1 MB of cache holds about 4000 sessions

        # session lifetime (default 5 minutes)
        ssl_session_timeout 1440m;
    }
}

copyright notice
author[Give Xiao Li three thin noodles],Please bring the original link to reprint, thank you.
https://en.qdmana.com/2021/08/20210823082748256d.html
