
How does Nginx support HTTPS? A hands-on walkthrough where every step is simple; skip it and you lose out

2021-08-26 12:29:26 Programmer LQS

Common Name (eg, your name or your server's hostname) []:blog.macrozheng.com # website domain name
Email Address []:[email protected] # email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # challenge password; just press Enter to leave it empty
An optional company name []: # optional company name; just press Enter to leave it empty


*    Generate the SSL certificate, valid for 365 days; the generated file is `blog.crt`:

```bash
openssl x509 -req -days 365 -in blog.csr -signkey blog.key -out blog.crt
```


*    In the end only two files are actually needed: the certificate file `blog.crt` and the private key file that does not require a password, `blog_nopass.key`.

## Nginx HTTPS support

> The SSL certificate has been generated, so next we can configure Nginx to support HTTPS!

### Install Nginx

*    We again run Nginx in a Docker container. First download the Nginx Docker image:

```bash
docker pull nginx:1.10
```


*    After the download completes, run Nginx once. We are going to map the host's Nginx configuration files into the Docker container later, and running it once makes it easy to copy out the default configuration:

```bash
docker run -p 80:80 --name nginx \
  -v /mydata/nginx/html:/usr/share/nginx/html \
  -v /mydata/nginx/logs:/var/log/nginx \
  -d nginx:1.10
```


*    Once it is running, copy the Nginx configuration directory from the container to the host:

```bash
docker container cp nginx:/etc/nginx /mydata/nginx/
```


*    Rename the `nginx` directory on the host to `conf`; otherwise the configuration directory `/mydata/nginx/nginx` looks a little awkward:

```bash
mv /mydata/nginx/nginx /mydata/nginx/conf
```


*    The Nginx container created above is no longer needed once the configuration has been copied, so stop and delete it:

```bash
docker stop nginx
docker rm nginx
```


*    Start the Nginx service again with a Docker command, this time mapping the configuration directory. Because we want to support HTTPS, port `443` must also be opened.

```bash
docker run -p 80:80 -p 443:443 --name nginx \
  -v /mydata/nginx/html:/usr/share/nginx/html \
  -v /mydata/nginx/logs:/var/log/nginx \
  -v /mydata/nginx/conf:/etc/nginx \
  -d nginx:1.10
```


### Configure HTTPS support

*    Copy the generated SSL certificate and private key into Nginx's `html/ssl` directory:

```bash
# blog.conf below reads both files from html/ssl/blog/, so copy them into that subdirectory
mkdir -p /mydata/nginx/html/ssl/blog
cp blog_nopass.key /mydata/nginx/html/ssl/blog/
cp blog.crt /mydata/nginx/html/ssl/blog/
```


*    Next we add HTTPS support for the domain name `blog.macrozheng.com`. Add the Nginx configuration file `blog.conf` under the `/mydata/nginx/conf/conf.d/` directory with the following contents:

```nginx
server {
    listen 80; # also serve HTTP
    listen 443 ssl; # add HTTPS support
    server_name blog.macrozheng.com;

    # SSL configuration
    ssl_certificate      /usr/share/nginx/html/ssl/blog/blog.crt; # certificate
    ssl_certificate_key  /usr/share/nginx/html/ssl/blog/blog_nopass.key; # certificate private key
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2; # SSL protocol versions
    ssl_ciphers          ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # SSL cipher suites
    ssl_prefer_server_ciphers  on; # prefer the server's cipher order
    ssl_session_cache    shared:SSL:10m; # shared session cache size
    ssl_session_timeout  10m; # session timeout

    location / {
        root   /usr/share/nginx/html/www;
        index  index.html index.htm;
    }

    location /admin {
        alias   /usr/share/nginx/html/admin;
        index  index.html index.htm;
    }

    location /app {
        alias   /usr/share/nginx/html/app;
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}
```
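
A quick way to audit the configuration above, as an added example that is not part of the original article: the script flags the TLS 1.0/1.1 entries in `ssl_protocols` (deprecated by RFC 8996), a private key stored under a directory named in a `root` or `alias` directive, and a `listen 80` with no redirect to HTTPS. The function names `directive_args`, `audit_tls_conf` and `article_conf` are hypothetical, the sample is constructed from the TLS-relevant lines of `blog.conf`, and the parsing assumes one directive per line.

```shell
#!/bin/sh
# Added example (not from the original article): heuristic, line-based audit of
# an nginx TLS config read from stdin. Assumes one directive per line.

# Print the arguments of every occurrence of directive $1 in config text $2.
directive_args() {
  printf '%s\n' "$2" | sed 's/#.*$//' |
    awk -v d="$1" '$1 == d { sub(/;[ \t]*$/, ""); $1 = ""; sub(/^ +/, ""); print }'
}

audit_tls_conf() (
  conf=$(cat)
  # 1. Protocol versions deprecated by RFC 8996 (TLS 1.0/1.1) or older.
  for proto in $(directive_args ssl_protocols "$conf"); do
    case "$proto" in
      SSLv2|SSLv3|TLSv1|TLSv1.1) echo "WEAK_PROTOCOL $proto" ;;
    esac
  done
  # 2. Private key stored below a directory named in a root/alias directive.
  key=$(directive_args ssl_certificate_key "$conf")
  for dir in $( { directive_args root "$conf"; directive_args alias "$conf"; } | sort -u ); do
    case "$key" in
      "${dir%/}"/*) echo "KEY_UNDER_SERVED_DIR $key in $dir"; break ;;
    esac
  done
  # 3. Port 80 answers in plaintext and nothing redirects it to HTTPS.
  if directive_args listen "$conf" | grep -qx '80' &&
     ! directive_args return "$conf" | grep -q '^30[18] https://'; then
    echo "PLAINTEXT_HTTP listen 80 without redirect"
  fi
)

# Constructed sample: the TLS-relevant lines of the article's blog.conf.
article_conf() {
  cat <<'EOF'
server {
    listen 80; # also serve HTTP
    listen 443 ssl;
    ssl_certificate_key  /usr/share/nginx/html/ssl/blog/blog_nopass.key;
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}
EOF
}

article_conf | audit_tls_conf
```

Run it against a real file with `audit_tls_conf < /mydata/nginx/conf/conf.d/blog.conf`. A configuration that keeps only `TLSv1.2`, stores the key outside the served directories and redirects port 80 with `return 301 https://$host$request_uri;` produces no output.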


*    Access the domain name `blog.macrozheng.com` over `HTTPS`. Because we are using a self-signed SSL certificate, the browser warns `Your connection is not private`; click continue and the site can be accessed normally over HTTPS;

![](https://s2.51cto.com/images/20210823/1629669865319437.jpg)

*    Checking the certificate's `Issued by` information shows exactly what we entered earlier when creating the SSL certificate signing request file;

![](https://s2.51cto.com/images/20210823/1629669866322356.jpg)

*    Next we add HTTPS support for the domain name `api.macrozheng.com`, so that our SpringBoot application can be accessed over HTTPS through this domain name. The files `api.crt` and `api_nopass.key` need to be generated yourself. Add the Nginx configuration file `api.conf` under the `/mydata/nginx/conf/conf.d/` directory with the following contents:

```nginx
server {
    listen 80; # also serve HTTP
    listen 443 ssl; # add HTTPS support
    server_name api.macrozheng.com; # changed domain name

    # SSL configuration
    ssl_certificate      /usr/share/nginx/html/ssl/api/api.crt; # certificate
    ssl_certificate_key  /usr/share/nginx/html/ssl/api/api_nopass.key; # certificate private key
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2; # SSL protocol versions
    ssl_ciphers          ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # SSL cipher suites
    ssl_prefer_server_ciphers  on; # prefer the server's cipher order
    ssl_session_cache    shared:SSL:10m; # shared session cache size
    ssl_session_timeout  10m; # session timeout

    location / {
        proxy_pass   http://192.168.3.101:8080; # address of the proxied service
        proxy_set_header  Host $http_host; # pass the host name requested by the client (including the port number)
        proxy_set_header  X-Real-IP  $remote_addr; # pass the client's real IP
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for; # with multiple proxy layers, contains the real client IP and the IP of each intermediate proxy
        proxy_set_header X-Forwarded-Proto $scheme; # pass the protocol the client actually used (http or https)
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}
```


*    Access the domain name `api.macrozheng.com` over `HTTPS`; the address is: https://api.macrozheng.com/swagger-ui.html

![](https://s2.51cto.com/images/20210823/1629669868508347.jpg)

*    Call any interface to test, for example the login interface; the interfaces provided by the SpringBoot application can be accessed normally over HTTPS.

![](https://s2.51cto.com/images/20210823/1629669869503264.jpg)

## Use trusted certificates

> So far we have used a self-signed SSL certificate, which browsers do not consider valid. An SSL certificate issued by a certificate authority is treated as valid by browsers. Here are two ways to apply for a free SSL certificate: one is to apply through Alibaba Cloud, the other is to apply through FreeSSL.

### Alibaba Cloud certificate

*    At present, the only free certificates you can apply for on Alibaba Cloud are DV-level SSL certificates that support a single domain name. For example, if the two second-level domain names `blog.macrozheng.com` and `api.macrozheng.com` both need HTTPS, you need to apply for two SSL certificates.

![](https://s2.51cto.com/images/20210823/1629669871752583.jpg)

*    After the application succeeds, click download and choose the Nginx certificate;

![](https://s2.51cto.com/images/20210823/1629669872979352.jpg)


Copyright notice
Author: Programmer LQS. Please include the original link when reprinting, thank you.
https://en.qdmana.com/2021/08/20210826122922107D.html
