HTTPS principle to configure "one-stop"

preface

Whether you want to watch little sister/little brother, or pay attention to national affairs, want to grasp the fresh information and the latest trends in the first time, the Internet will become your first choice. The web protocols HTTP and HTTPS are the ones we see most.

Why use HTTPS instead of existing HTTP?

Let’s start with the pitfalls of HTTP

HTTP is plaintext transmission, content is easy to be monitored, eavesdropping risk
Do not verify the identity of the communication party, can disguise the identity, impersonation risk
Packet integrity cannot be proved and may be tampered. Tampering risks

These dangers are more than just words, have you encountered carrier hijacking? There’s an AD in there every day and there’s other disgusting things you can’t guard against. It is because of these hidden dangers that some shady businessmen have become fertile ground.

Take a look at international trends

To encourage HTTPS deployment

Google has tweaked its search engine to give sites that use HTTPS higher rankings
Chrome has flagged HTTP sites as unsafe
Apple required all apps in the App Store in 2017 to use HTTPS for encrypted connections;
Wechat applet requires HTTPS to be used
The next generation of HTTP/2 protocol support needs to be based on HTTPS.

For these reasons, HTTPS deployment is imperative.

HTTPS characteristics

HTTPS is the security upgrade version of HTTP, adding SSL/TLS layer on the basis of HTTP. The basic idea is to use public key encryption. The client requests the public key from the server. After receiving the public key, the server encrypts the information using the private key matching the public key.

The previous diagram illustrates the principle

The purpose of this:

Data transmission is encrypted to ensure the security of data transmission
Authentication to prevent impersonation
Data integrity check to prevent content from being impersonated or tampered with by a third party

HTTPS Deployment Process

Show you about certificates

1) Why do I need a certificate?

For the requester, how can it be sure that the public key obtained was issued to it from the target host and not from an intermediary? Or how to determine the target host is trusted, or the enterprise or organization behind the target host is reliable? At this time, we need an authoritative and trusted organization (generally an organization audited and authorized by the government) to uniformly issue the public key of the host organization to solve the trust problem (centralized).

2) How to apply for a certificate?

The user first generates a specific key pair and transmits the public key and some necessary information to the authentication authority. After verifying that the information is legitimate, the certification authority performs the necessary steps to ensure that the request was submitted by the user (usually by providing authentication files, which you need to download and place in a domain-specific directory). The authentication authority will then issue a digital certificate to the user

3) What is the certificate content information?

The name of the certificate authority
Digital signature of the certificate itself
Certificate holder public key + partial information
Hash algorithm used to sign the certificate

Certificates are issued by independent certificate issuers, and each certificate has a different level of trust, similar to a tree structure. Ensure that the certificate chain is complete before deploying HTTPS (up to the CA root certificate, otherwise in some cases, the website is not secure and HTTPS deployment fails).

4) Verification of certificate validity

The browser provides a built-in CA root certificate and uses the CA certificate to verify the configured certificate

Certificate issuing authority error —- Dangerous certificate
The certificate issuing authority is correct and decrypts the certificate digest according to the public key of the CA root certificate. The decryption fails —- dangerous certificate. Decryption is successful and abstract A is obtained. Then, according to the Hash algorithm of the signature, the abstract B of the certificate is calculated. Comparing A and B, if they are equal, it is normal; if they are not equal, it is the tampered —- dangerous certificate.
Certificate expired —- Dangerous certificate.

The certificate application

Above said so much theoretical knowledge, finally ushered in the practical operation, Don’t BB, show you code

I will use the certificate authority SSLS to do this.

Why did you choose it?

Because the price is high, the price can be, the certificate quality is very high.
The company in

Such is the reason for capricious. All right, back to the book

International convention, register login -> select CERTS, then select the appropriate item, add it to shopping cart, select quantity and validity time

Commodity list, the interface is still very good-looking

Here’s the key: Certificate deployment takes three steps

1) Enter CSR as prompted. Generated using OpenSSL

openssl req -new -newkey rsa:2048 -sha256 -nodes -out www.hashfish.net.csr -keyout www.hashfish.net.key -subj "/C=CN/ST=BeiJing/L=BeiJing/O=HASH FISH./OU=Web Security/CN=www.hashfish.net"
Copy the code

Req: Executes the certificate issuing command

-new indicates the request for issuing a new certificate

-out — path of the output CSR file

-keyout specifies the path of the private key

-subj — Certificate related user information (short for subject)

Direct use is pay attention to modify the information, do not copy directly (squint smile)

2) Complete other operations (such as filling in the mailbox to receive the certificate) as prompted, and the order state changes to In Progress. At this time, you need to place the verification file in the specified directory to complete SSLS verification

Let’s go ahead and make it a little bit more intuitive

3) After validation, some time later, you will receive an email with the certificate attached, merge the certificate (if there are more than one, make sure to keep the certificate chain intact to avoid unsafe links in some cases), upload the server, configure nginx, restart Nginx, and the world is clean.

Certificate of merger

// Merge the certificate and CA certificate into pem cat www.hashfish.net.crt www.hashfish.net.ca-bundle > www.hashfish.net.pemCopy the code

Configure nginx

// Add listen 443 to the specified domain; Ssl_certificate_key ssl_certificate_key ssl_certificateCopy the code

Ok, HTTPS certificate deployment is over here. The last classic diagram illustrates the process of an HTTPS request

Reprint must indicate the source, thank you. There are omissions and superficial articles, please correct them

mo4tech.com (Moment For Technology) is a global community with thousands techies from across the global hang out!Passionate technologists, be it gadget freaks, tech enthusiasts, coders, technopreneurs, or CIOs, you would find them all here.

HTTPS principle to configure “one-stop”

preface

Why use HTTPS instead of existing HTTP?

Let’s start with the pitfalls of HTTP

Take a look at international trends

HTTPS characteristics

The purpose of this:

HTTPS Deployment Process

Show you about certificates

The certificate application

HTTPS principle to configure “one-stop”

preface

Why use HTTPS instead of existing HTTP?

Let’s start with the pitfalls of HTTP

Take a look at international trends

HTTPS characteristics

The purpose of this:

HTTPS Deployment Process

Show you about certificates

The certificate application

Related Posts

NestJS build blog system (2) – write static article CURD

Introduction to Jest (2)

AntV 11.22 is a new data visualization tool