SpringBoot e-commerce project mall (40K + STAR) address: github.com/macrozheng/…

Abstract

As the number of users on a site grows, the need for HTTPS becomes hard to ignore. Terminating TLS in Nginx is a convenient way to move from HTTP to HTTPS without touching the application code. This article walks through enabling HTTPS in Nginx for both a static website and a SpringBoot application, first with a self-signed certificate and then with a trusted one.

Generate an SSL self-signed certificate

Browsers do not trust self-signed certificates, but generating one is still the quickest way to learn how SSL/TLS certificates are produced and to test an HTTPS setup before a real certificate arrives.

  • Create the private key for the certificate. openssl asks for a passphrase twice (enter and confirm); the generated file is blog.key.
openssl genrsa -des3 -out blog.key 2048
  • Strip the passphrase from the key so that Nginx can load it at startup without prompting. The generated file is blog_nopass.key; it must be readable only by the user running Nginx, because anyone who can read it can impersonate the site.
openssl rsa -in blog.key -out blog_nopass.key
  • Create a certificate signing request (CSR), which is needed to produce the certificate. The generated file is blog.csr.
openssl req -new -key blog.key -out blog.csr
  • openssl prompts for the subject fields during generation. Note that the Common Name must match the website's domain name (current browsers additionally require the name in a subjectAltName extension; see the caveat at the end of this section).
Enter pass phrase for blog.key:
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Jiangsu
Locality Name (eg, city) [Default City]:Jiangsu
Organization Name (eg, company) [Default Company Ltd]:Macrozheng
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:blog.macrozheng.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  • Generate the certificate itself by signing the CSR with our own key (that is what makes it self-signed). It is valid for 365 days; the generated file is blog.crt.
openssl x509 -req -days 365 -in blog.csr -signkey blog.key -out blog.crt
  • Only two of these files are needed in the end: the certificate blog.crt and the passphrase-free private key blog_nopass.key. One caveat: a certificate produced this way carries the hostname only in its Common Name, and Chrome (since version 58) and other current browsers match the hostname against the subjectAltName extension, so the self-signed certificate will show a name mismatch on top of the expected "untrusted issuer" warning unless a subjectAltName is added when signing.
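The same procedure as a single non-interactive script, added here as an example (it is not code from the original post or the mall project). It assumes openssl is on PATH, uses the domain blog.macrozheng.com and the subject fields from the transcript above as placeholders, and adds the subjectAltName that browsers require; the two checks at the end confirm that the key belongs to the certificate and that the name is present before the files are handed to Nginx.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive self-signed
# certificate generation with a subjectAltName, plus the two checks worth
# running before the files go into the Nginx ssl directory.
# Assumptions: openssl (1.0.2 or newer) on PATH; domain and subject are placeholders.
set -eu

# gen_selfsigned DOMAIN OUTDIR [DAYS]
# Writes OUTDIR/DOMAIN.key, OUTDIR/DOMAIN.csr and OUTDIR/DOMAIN.crt.
gen_selfsigned() {
    domain=$1
    outdir=$2
    days=${3:-365}
    mkdir -p "$outdir"

    # 1. Private key. Generated without -des3 because Nginx needs a
    #    passphrase-free key at startup; protect it with permissions instead.
    openssl genrsa -out "$outdir/$domain.key" 2048 2>/dev/null
    chmod 600 "$outdir/$domain.key"

    # 2. CSR with the subject given on the command line instead of the prompts.
    #    Subject values mirror the transcript above and are placeholders.
    openssl req -new -key "$outdir/$domain.key" -out "$outdir/$domain.csr" \
        -subj "/C=CN/ST=Jiangsu/L=Jiangsu/O=Macrozheng/OU=dev/CN=$domain"

    # 3. Self-sign the CSR. -extfile adds the subjectAltName that browsers
    #    match the hostname against (they no longer fall back to the CN).
    printf 'subjectAltName=DNS:%s\n' "$domain" > "$outdir/san.ext"
    openssl x509 -req -days "$days" -in "$outdir/$domain.csr" \
        -signkey "$outdir/$domain.key" -out "$outdir/$domain.crt" \
        -extfile "$outdir/san.ext" 2>/dev/null
    rm -f "$outdir/san.ext"
}

# cert_matches_key KEY CRT -> exit 0 when the public key in CRT was derived from KEY.
# Catches the classic "ssl_certificate_key points at the wrong file" mistake,
# which Nginx otherwise reports only as a startup error.
cert_matches_key() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus)
    crt_mod=$(openssl x509 -in "$2" -noout -modulus)
    [ "$key_mod" = "$crt_mod" ]
}

# cert_has_san CRT DOMAIN -> exit 0 when DOMAIN appears in the subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Usage (paths are placeholders):
#   gen_selfsigned blog.macrozheng.com /mydata/nginx/html/ssl/blog
#   cert_matches_key /mydata/nginx/html/ssl/blog/blog.macrozheng.com.key \
#                    /mydata/nginx/html/ssl/blog/blog.macrozheng.com.crt && echo "key matches"
```

Running gen_selfsigned once per site (blog.macrozheng.com, api.macrozheng.com) produces the files the configurations below expect; the key is written without a passphrase on purpose, so the directory permissions are the only thing protecting it.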

Nginx support HTTPS

Now that the SSL certificate is generated, we can configure Nginx to support HTTPS!

Install Nginx

  • We install Nginx as a Docker container again. First pull the image (the article uses nginx:1.10; that release dates from 2016 and no longer receives fixes, so for a real deployment pick a current tag, which also gains TLS 1.3 support):
docker pull nginx:1.10
  • Run Nginx once before mapping the host configuration directory into the container, so that the default configuration can be copied out of it:
docker run -p 80:80 --name nginx \
  -v /mydata/nginx/html:/usr/share/nginx/html \
  -v /mydata/nginx/logs:/var/log/nginx \
  -d nginx:1.10
  • Once it is running, copy the Nginx configuration directory from the container to the host:
docker container cp nginx:/etc/nginx /mydata/nginx/
  • Rename the copied nginx directory on the host to conf; otherwise the configuration directory would be /mydata/nginx/nginx, which looks awkward:
mv /mydata/nginx/nginx /mydata/nginx/conf
  • The container created above has served its purpose once the configuration is copied. Stop and delete it:
docker stop nginx
docker rm nginx
  • Start Nginx again, this time mapping the configuration directory as well. Because we want to serve HTTPS, port 443 must also be published:
docker run -p 80:80 -p 443:443 --name nginx \
  -v /mydata/nginx/html:/usr/share/nginx/html \
  -v /mydata/nginx/logs:/var/log/nginx \
  -v /mydata/nginx/conf:/etc/nginx \
  -d nginx:1.10

Configuring HTTPS

  • Copy the generated certificate and passphrase-free key into the ssl/blog directory under Nginx's html directory (the paths referenced by the configuration below):
mkdir -p /mydata/nginx/html/ssl/blog
cp blog_nopass.key /mydata/nginx/html/ssl/blog/
cp blog.crt /mydata/nginx/html/ssl/blog/
  • No location block below serves the ssl directory (the site root is html/www), but a private key under the web root is one misconfiguration away from being downloadable; keeping keys under /mydata/nginx/conf (mounted at /etc/nginx) is the safer layout.
  • Next, add HTTPS support for the domain blog.macrozheng.com by creating the configuration file blog.conf in /mydata/nginx/conf/conf.d/ with the following content:
server {
    listen 80;         # HTTP
    listen 443 ssl;    # add HTTPS support
    server_name blog.macrozheng.com;

    # SSL configuration
    ssl_certificate     /usr/share/nginx/html/ssl/blog/blog.crt;         # certificate
    ssl_certificate_key /usr/share/nginx/html/ssl/blog/blog_nopass.key;  # private key (no passphrase)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;   # session timeout

    location / {
        root /usr/share/nginx/html/www;
        index index.html index.htm;
    }
    location /admin {
        alias /usr/share/nginx/html/admin;
        index index.html index.htm;
    }
    location /app {
        alias /usr/share/nginx/html/app;
        index index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
  • Two things to check before copying this configuration: TLSv1 and TLSv1.1 are deprecated (RFC 8996) and are only worth keeping for clients that cannot do better, so ssl_protocols TLSv1.2; is the stronger setting on this Nginx version; and as written the site stays reachable over plain HTTP as well, so the "upgrade" is only complete once HTTP requests are redirected to HTTPS (a return 301 https://$host$request_uri; in a separate listen 80 server block).
  • Access blog.macrozheng.com over HTTPS. Because the certificate is self-signed, the browser shows "Your connection is not private"; after choosing to continue, the site loads normally over HTTPS.

  • Inspecting the certificate's "Issued by" information shows exactly the values entered in the signing request: for a self-signed certificate the issuer and the subject are the same entity, which is precisely why no browser trusts it.

  • Next, add HTTPS support for api.macrozheng.com so that the SpringBoot application can be reached over HTTPS as well. The files api.crt and api_nopass.key have to be generated the same way as above (with api.macrozheng.com as the Common Name) and placed in html/ssl/api. Create the configuration file api.conf in /mydata/nginx/conf/conf.d/ with the following content:
server {
    listen 80;         # HTTP
    listen 443 ssl;    # add HTTPS support
    server_name api.macrozheng.com;   # changed domain

    # SSL configuration
    ssl_certificate     /usr/share/nginx/html/ssl/api/api.crt;         # certificate
    ssl_certificate_key /usr/share/nginx/html/ssl/api/api_nopass.key;  # private key (no passphrase)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;   # session timeout

    location / {
        proxy_pass http://192.168.3.101:8080;                       # the SpringBoot application
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;                 # the protocol the client actually used (http or https)
        index index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
  • The X-Forwarded-* headers are what let the application learn the original client address and that the request arrived over HTTPS (SpringBoot only honours them when forwarded-header handling is switched on, for example server.forward-headers-strategy=native in Spring Boot 2.2 and later). Because the application trusts whatever arrives in these headers, port 8080 on 192.168.3.101 must not be reachable by clients directly; otherwise anyone can set X-Forwarded-Proto or X-Real-IP to an arbitrary value.
  • Access api.macrozheng.com over HTTPS; the address is api.macrozheng.com/swagger-ui….

  • Calling any interface from there, the login interface for instance, confirms that the interfaces provided by the SpringBoot application are now served over HTTPS.

Use a trusted certificate

Previously we used a self-signed certificate, which browsers reject. Only certificates issued by a certificate authority (CA) that the browser trusts are considered valid. Two ways to obtain a free certificate are introduced here: one from Aliyun, the other from FreeSSL.

Aliyun Certificate

  • Currently the only free certificates on Aliyun are DV (domain-validated) certificates covering a single domain name. So if both blog.macrozheng.com and api.macrozheng.com are to use HTTPS, two certificates have to be requested, one per subdomain.

  • After the request is approved, download the certificate in Nginx format.

  • Extracting the download gives these two files:
blog.macrozheng.com.key   # certificate private key
blog.macrozheng.com.pem   # certificate
  • Copy the two files into the directory on Nginx used above and edit blog.conf; only the certificate paths change. Test the configuration and reload Nginx afterwards.
    # SSL configuration
    ssl_certificate     /usr/share/nginx/html/ssl/blog/blog.macrozheng.com.pem;   # certificate
    ssl_certificate_key /usr/share/nginx/html/ssl/blog/blog.macrozheng.com.key;   # certificate private key
  • If the browser then complains about an incomplete chain rather than an untrusted issuer, the CA's intermediate certificate has to be appended to the .pem file after the site certificate, since Nginx sends whatever ssl_certificate contains as the chain.
  • Access blog.macrozheng.com over HTTPS again: the certificate is now valid and the connection is reported as secure.

FreeSSL certificate

  • If a wildcard certificate is needed (one certificate for all subdomains), FreeSSL issues one for free, but it is only valid for 3 months, so it has to be requested again every 3 months.

  • Attached is the official website: freessl.cn/

useacme.shAutomatic Certificate application

  • The acme.sh script implements the ACME protocol and can obtain free certificates from Let's Encrypt. Certificates obtained the manual way are typically valid for one year (three months for the free ones above) and must be requested anew when they expire; acme.sh installs a cron job that renews its certificates automatically (Let's Encrypt certificates are valid for 90 days and are renewed well before that), so expiry no longer has to be tracked by hand.

  • Attached is the official website: github.com/acmesh-offi…
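Automatic renewal is only reassuring if a failed renewal gets noticed, so here is a small monitoring script, added as an example and not part of the original post or of acme.sh: it walks the ssl directory used in this article and reports every certificate that expires within a given number of days, so a renewal that silently failed is caught before browsers start rejecting the site. It assumes openssl is on PATH; the directory layout and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: flag certificates under the Nginx
# ssl directory that expire within N days. Intended to run from cron next to
# acme.sh, or as a quick manual check after a renewal.
# Assumptions: openssl on PATH; layout /mydata/nginx/html/ssl/<site>/<file>.crt|.pem.
set -eu

# cert_expires_within CRT DAYS -> exit 0 if CRT expires within DAYS days
# (or has already expired). `openssl x509 -checkend` does the date arithmetic,
# which avoids platform-specific `date` parsing.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# report_expiring DIR DAYS -> prints one line per certificate under DIR (one
# level of subdirectories, .crt or .pem) that expires within DAYS days.
# Exit status is 1 when at least one was found, so cron/monitoring can alert on it.
report_expiring() {
    dir=$1
    days=$2
    found=0
    for crt in "$dir"/*.crt "$dir"/*.pem "$dir"/*/*.crt "$dir"/*/*.pem; do
        [ -f "$crt" ] || continue                       # unmatched glob pattern
        grep -q 'BEGIN CERTIFICATE' "$crt" || continue  # skip keys that end in .pem
        if cert_expires_within "$crt" "$days"; then
            printf '%s expires within %s days (%s)\n' \
                "$crt" "$days" "$(openssl x509 -in "$crt" -noout -enddate)"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Usage (path is a placeholder):
#   report_expiring /mydata/nginx/html/ssl 30 || echo "renewal needed"
```

A certificate that acme.sh renewed but that Nginx has not reloaded is still the old one on the wire, so after a renewal the check worth adding is the served certificate, not only the file; openssl s_client -connect host:443 -servername host prints it.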

The project described in this article is included in the repository at github.com/macrozheng/…; a Star is welcome!