Basic knowledge

SSL: The Secure Sockets Layer (in practice today its successor, TLS) sits between the TCP layer and the application layer. It provides confidentiality for application data (encryption), integrity protection (tampering is detected), and, through certificates, authentication of the server and optionally of the client. Its most common use is HTTPS, which is HTTP carried over SSL/TLS on TCP port 443 by default.

This section describes the two-way (mutual) SSL/TLS authentication handshake, in which the server and the client each present a certificate:

  1. The browser opens a connection to the server and sends a ClientHello listing the protocol versions and cipher suites it supports, together with a random value.
  2. The server replies with a ServerHello (its choice of protocol version and cipher suite, sent in the clear) and sends its certificate, plus any intermediate certificates needed to build the chain.
  3. The browser checks whether the server certificate chains to a CA it trusts. If so, the handshake continues; if not, the browser warns the user that the certificate is not trusted and asks whether to continue. For a private CA such as the one created below, ca.crt must first be imported into the browser's trust store to avoid this warning.
  4. The browser then checks that the certificate matches the server it is talking to: the domain name (Subject Alternative Name) must match the host it connected to, and the certificate must be within its validity period and not revoked. If everything checks out, the browser accepts the server as legitimate.
  5. Because this is two-way authentication, the server also sends a CertificateRequest. The browser answers with its own certificate and a CertificateVerify message, a signature over the handshake so far made with the client's private key, which proves it holds the key matching the certificate. The server verifies the client certificate against its configured CA and checks the signature with the public key in the certificate; if either check fails, it rejects the connection.
  6. Cipher suite negotiation is already complete after steps 1 and 2: the client offered its list and the server picked one. The selection is not encrypted; instead both sides later exchange Finished messages that authenticate the entire handshake transcript, so an attacker who alters the offered list to force a weaker suite is detected.
  7. The key exchange depends on the chosen suite. With RSA key exchange (TLS 1.2 and earlier only) the browser generates a random pre-master secret and encrypts it with the server's public key taken from the certificate.
  8. The server decrypts the pre-master secret with its private key. With the (EC)DHE suites that modern deployments and all of TLS 1.3 use, each side contributes an ephemeral Diffie-Hellman value instead; the server's private key is then only used to sign, so a later compromise of it does not expose recorded sessions (forward secrecy).
  9. Both sides derive the same session keys from the pre-master secret (or the Diffie-Hellman shared secret) and the two random values.
  10. From then on the server and browser communicate with the negotiated symmetric cipher, keyed with those session keys.

Creating a Root Certificate

  1. Generate the CA private key, ca.key. This key is the trust anchor: every other certificate below is signed with it, so keep it passphrase-protected (-des3 prompts for the passphrase) and off the web server.

openssl genrsa -des3 -out ca.key 2048

  2. Generate the self-signed CA root certificate, ca.crt. It carries the CA public key and is what clients import as a trusted root (valid for 10 years here):

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Create a server certificate

  1. Generate the passphrase-protected server private key, server.pem:

openssl genrsa -des3 -out server.pem 2048

  2. Strip the passphrase to get server.key, the copy nginx will load (nginx cannot answer a passphrase prompt when it starts, so this file has to be protected by file permissions instead):

openssl rsa -in server.pem -out server.key

  3. Generate the server certificate signing request, server.csr. Either server.pem (prompts for the passphrase) or server.key can be used, as they contain the same key. The Common Name asked for should be the domain name clients will use to reach the server:

openssl req -new -key server.pem -out server.csr

  4. Finally, sign the request with the CA to produce the server certificate:

openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt

Note that current browsers (Chrome since version 58, for example) match the hostname against the subjectAltName extension only and ignore the Common Name. openssl x509 -req adds no extensions unless it is given -extfile, so a certificate produced exactly as above will still be rejected with a name mismatch even after ca.crt is trusted; add a subjectAltName for the server's name when signing.

Append the contents of ca.crt to server.crt so that nginx sends the full chain; some browsers fail to validate the server certificate when only the leaf is sent:

cat ca.crt >> server.crt

Creating a client certificate (Same as creating a server certificate)

  1. Generate the client private key:

openssl genrsa -des3 -out client.pem 2048

  2. Generate the client certificate signing request:

openssl req -new -key client.pem -out client-req.csr

  3. Sign the request with the CA to produce the client certificate:

openssl x509 -req -sha256 -in client-req.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out client.crt

  4. Convert the client certificate and its private key into PKCS #12 format (Personal Information Exchange, usually with a .p12 or .pfx suffix), which is the format browsers import:

openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out crh.p12

  5. Import crh.p12 into the browser's personal (client) certificate store; the browser offers it when the server requests a client certificate. Import ca.crt separately into the trusted root store so that the server certificate issued by this private CA is accepted.
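The three procedures above (CA, server certificate, client certificate) as one script, added here as a worked example and not taken from the original post. It runs the same openssl commands non-interactively (-subj and -passin/-passout instead of prompts), adds the subjectAltName and extendedKeyUsage extensions browsers expect, and finishes with openssl verify so a broken chain shows up immediately. The hostname www.example.com, the subject names, the passphrases and the output directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: build the CA, server and client
# certificates from the steps above in one non-interactive run, with the X.509 v3
# extensions browsers expect, then verify the chain. Names, passphrases and the
# output directory are demo assumptions.
set -eu

CA_PASS="ca-demo-pass"          # assumed; protects ca.key (the trust anchor)
CLIENT_PASS="client-demo-pass"  # assumed; protects client.pem
P12_PASS="p12-demo-pass"        # assumed; import password for client.p12
SERVER_NAME="www.example.com"   # assumed hostname of the nginx server

# Create the whole PKI inside directory $1.
build_mtls_pki() {
    mkdir -p "$1"
    ( cd "$1"
      # 1. CA: encrypted private key and self-signed root certificate (10 years).
      openssl genrsa -des3 -passout "pass:$CA_PASS" -out ca.key 2048 2>/dev/null
      openssl req -new -x509 -days 3650 -key ca.key -passin "pass:$CA_PASS" \
          -subj "/CN=Demo Private Root CA" -out ca.crt

      # 2. Server: key without passphrase (nginx cannot answer a prompt), CSR,
      #    then a CA-signed certificate. Browsers match the hostname against the
      #    subjectAltName rather than the CN, so the extension file supplies it.
      openssl genrsa -out server.key 2048 2>/dev/null
      openssl req -new -key server.key -subj "/CN=$SERVER_NAME" -out server.csr
      printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$SERVER_NAME" > server.ext
      openssl x509 -req -sha256 -days 825 -in server.csr -CA ca.crt -CAkey ca.key \
          -passin "pass:$CA_PASS" -CAcreateserial -extfile server.ext -out server.crt
      # Chain file for nginx's ssl_certificate: leaf first, issuing CA after it.
      cat server.crt ca.crt > server-chain.crt

      # 3. Client: encrypted key, CSR, CA-signed certificate limited to clientAuth,
      #    bundled with its key as PKCS#12 for import into a browser.
      openssl genrsa -des3 -passout "pass:$CLIENT_PASS" -out client.pem 2048 2>/dev/null
      openssl req -new -key client.pem -passin "pass:$CLIENT_PASS" -subj "/CN=alice" -out client.csr
      printf 'extendedKeyUsage=clientAuth\n' > client.ext
      openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
          -passin "pass:$CA_PASS" -CAcreateserial -extfile client.ext -out client.crt
      openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem \
          -passin "pass:$CLIENT_PASS" -passout "pass:$P12_PASS" -out client.p12
    )
}

# Both leaf certificates must chain to ca.crt; prints "<file>: OK" per certificate
# and exits non-zero otherwise.
verify_pki() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt"
}

# Succeeds if the server certificate is valid for the given hostname.
server_cert_matches() {
    openssl x509 -in "$1/server.crt" -noout -checkhost "$2" | grep -q 'does match'
}

OUT_DIR="${1:-$(mktemp -d)}"
build_mtls_pki "$OUT_DIR"
verify_pki "$OUT_DIR"
server_cert_matches "$OUT_DIR" "$SERVER_NAME" && echo "server.crt is valid for $SERVER_NAME"
echo "PKI written to $OUT_DIR"
```

Point ssl_certificate at server-chain.crt, ssl_certificate_key at server.key and ssl_client_certificate at ca.crt; import client.p12 into the browser's personal certificates and ca.crt into its trusted roots. Generating server.key directly without a passphrase is equivalent to the genrsa -des3 / openssl rsa pair above.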

Nginx configuration

Nginx installation

1. Install the compilation tool and library files

yum -y install make zlib zlib-devel gcc-c++ libtool openssl openssl-devel

2. Install PCRE first

PCRE is what gives Nginx its rewrite (regular expression) support.

  1. Download the PCRE source package:

wget downloads.sourceforge.net/project/pcr…

  2. Unpack it:

tar zxvf pcre-8.35.tar.gz

  3. Enter the source directory:

cd pcre-8.35

  4. Configure, compile and install:

./configure
make && make install

  5. Check the installed PCRE version:

pcre-config --version

Install nginx

  1. Download Nginx from nginx.org/en/download…

wget nginx.org/download/ng…

  2. Unpack it:

tar zxvf nginx-1.18.0.tar.gz

  3. Enter the source directory:

cd nginx-1.18.0

  4. Configure, compile and install. --with-http_ssl_module is what makes the "ssl" parameter of listen work later, and --with-pcre points at the PCRE source directory unpacked above (not the install prefix):

./configure --prefix=/usr/local/webserver/nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.35

make && make install

  5. Check the nginx version and the modules it was built with:

/usr/local/webserver/nginx/sbin/nginx -V

Note: -V (capital) prints the configure arguments as well as the version, which is how you confirm the SSL module is present; unlike make, it can be run from any directory.

Configure nginx

server {
    listen 9443 ssl;                        # enable SSL on this port
    server_name 113.31.117.241;             # domain name or the host's own IP

    ssl_certificate     /usr/local/webserver/nginx/conf/cert/server.crt;   # server certificate (with ca.crt appended)
    ssl_certificate_key /usr/local/webserver/nginx/conf/cert/server.key;   # server private key (no passphrase)
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;

    ssl_verify_client optional_no_ca;       # request a client certificate
    ssl_client_certificate /usr/local/webserver/nginx/conf/cert/ca.crt;    # CA that issued the client certificates
    ssl_verify_depth 6;                     # maximum chain depth accepted
    ssl_trusted_certificate /usr/local/webserver/nginx/conf/cert/ca.crt;

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection 1;

    location / {
        # start: avoid cross-origin (CORS) problems
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
        add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
        if ($request_method = 'OPTIONS') {
            return 204;
        }
        # end
        root /home/ljcw/micro/;
        index index.html index.htm;
        try_files $uri $uri/ /index.html;
    }
    ...
}

Two settings in this block deserve attention. ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 offers protocol versions that are long deprecated (SSLv3 is vulnerable to POODLE; TLS 1.0 and 1.1 were formally deprecated by RFC 8996); on a new deployment use ssl_protocols TLSv1.2 TLSv1.3;. And ssl_verify_client optional_no_ca only asks the browser for a certificate: nginx does not check it against ssl_client_certificate, so the client certificate built above is not actually enforced. For real two-way authentication set ssl_verify_client on; (nginx then answers 400 to connections without a certificate issued by ca.crt), or use optional and have the application reject requests unless $ssl_client_verify is SUCCESS.
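The server block above offers SSLv2/SSLv3 and uses ssl_verify_client optional_no_ca. The following is an added example, not part of the original post: a small shell audit of the TLS directives in an nginx config, run over two constructed configs, one mirroring the block above and a hardened counterpart. The file paths, hostname and exact cipher list in the samples are assumptions; the checks encode current practice (TLS 1.2+ only, nginx-enforced client verification, an explicit cipher allow-list, HSTS).

```shell
#!/bin/sh
# Added example (not from the original post): flag weak TLS settings in an nginx
# server block. The two sample configs below are constructed for the demo.
set -eu

# Remove '#' comments so commented-out directives are not counted.
strip_comments() { sed 's/#.*//' "$1"; }

# Print one "[!] ..." line per weak setting, then a "findings: N" summary line.
audit_nginx_tls() {
    body=$(strip_comments "$1")
    n=0

    # 1. SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are deprecated; offer only TLS 1.2/1.3.
    if printf '%s\n' "$body" | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
         | grep -Eq '(SSLv2|SSLv3|TLSv1\.1|TLSv1)([[:space:];]|$)'; then
        echo '[!] ssl_protocols enables SSLv2/SSLv3/TLSv1/TLSv1.1; use "ssl_protocols TLSv1.2 TLSv1.3;"'
        n=$((n + 1))
    fi

    # 2. Mutual TLS is only enforced when nginx itself verifies the client certificate.
    verify=$(printf '%s\n' "$body" \
        | sed -n 's/^[[:space:]]*ssl_verify_client[[:space:]][[:space:]]*\([a-z_]*\).*/\1/p' | tail -n 1)
    case "$verify" in
        on) ;;
        optional_no_ca)
            echo '[!] ssl_verify_client optional_no_ca: certificate requested but NOT checked against ssl_client_certificate; set it to "on"'
            n=$((n + 1)) ;;
        optional)
            echo '[!] ssl_verify_client optional: clients without a valid certificate are accepted unless the app checks $ssl_client_verify'
            n=$((n + 1)) ;;
        *)
            echo '[!] ssl_verify_client is off or unset: no client certificate is requested'
            n=$((n + 1)) ;;
    esac

    # 3. A deny-list on top of ALL/HIGH/MEDIUM keeps whatever the OpenSSL build happens
    #    to contain; an explicit allow-list of ECDHE+AEAD suites is easier to reason about.
    if printf '%s\n' "$body" | grep -E '^[[:space:]]*ssl_ciphers[[:space:]]' \
         | grep -Eq '[[:space:]:+](ALL|DEFAULT|HIGH|MEDIUM)([:;]|[[:space:]])'; then
        echo '[!] ssl_ciphers is a deny-list based on ALL/HIGH/MEDIUM; list the permitted ECDHE+AEAD suites explicitly'
        n=$((n + 1))
    fi

    # 4. Without HSTS a first request over plain HTTP can be intercepted and never upgraded.
    if ! printf '%s\n' "$body" | grep -Eiq 'add_header[[:space:]]+Strict-Transport-Security'; then
        echo '[!] no Strict-Transport-Security header'
        n=$((n + 1))
    fi
    echo "findings: $n"
}

# Just the count, for scripting.
tls_finding_count() { audit_nginx_tls "$1" | sed -n 's/^findings: //p'; }

# Constructed sample mirroring the TLS directives of the server block above.
write_weak_conf() {
cat > "$1" <<'EOF'
server {
    listen 9443 ssl;
    server_name 113.31.117.241;
    ssl_certificate     conf/cert/server.crt;
    ssl_certificate_key conf/cert/server.key;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;
    ssl_verify_client optional_no_ca;   # client certificate requested, not verified
    ssl_client_certificate conf/cert/ca.crt;
    add_header X-Frame-Options DENY;
}
EOF
}

# Constructed hardened counterpart: TLS 1.2+, explicit AEAD suites, enforced mTLS, HSTS.
write_hardened_conf() {
cat > "$1" <<'EOF'
server {
    listen 9443 ssl;
    server_name www.example.com;
    ssl_certificate     conf/cert/server-chain.crt;
    ssl_certificate_key conf/cert/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_verify_client on;
    ssl_client_certificate conf/cert/ca.crt;
    ssl_verify_depth 2;
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options DENY;
}
EOF
}

work=$(mktemp -d)
write_weak_conf "$work/weak.conf"
write_hardened_conf "$work/hardened.conf"
echo "== weak.conf";     audit_nginx_tls "$work/weak.conf"
echo "== hardened.conf"; audit_nginx_tls "$work/hardened.conf"
```

Run it against the live nginx.conf (audit_nginx_tls /usr/local/webserver/nginx/conf/nginx.conf) after each change; the weak sample produces four findings and the hardened one none.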

The problem record

1. After configuring SSL, nginx fails to start with: the "ssl" parameter requires ngx_http_ssl_module

The http_ssl_module was not compiled in when nginx was installed.

Solution:

  1. Switch to the source directory:

cd /root/nginx-1.18.0

  2. Look at how the installed nginx was built:

[root@10-23-54-102 nginx-1.18.0]# /usr/local/webserver/nginx/sbin/nginx -V
nginx version: nginx/1.18.0
built by gcc 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)
configure arguments: --prefix=/usr/local/webserver/nginx

  3. The original configure arguments are shown after "configure arguments:":

configure arguments: --prefix=/usr/local/webserver/nginx

The new configuration keeps those arguments and adds the missing modules:

./configure --prefix=/usr/local/webserver/nginx --with-http_stub_status_module --with-http_ssl_module

  4. After configuring, run make, and only make.

Do not run make install here, or it will overwrite the existing installation.

  5. Back up the currently installed nginx binary:

cp /usr/local/webserver/nginx/sbin/nginx /usr/local/webserver/nginx/sbin/nginx.bak

  6. Stop nginx (for example with nginx -s stop; copying over a running executable fails with "Text file busy") and replace the binary with the newly compiled one:

cp ./objs/nginx /usr/local/webserver/nginx/sbin/

  7. Start nginx again and check that the SSL module is now listed in the configure arguments:

/usr/local/webserver/nginx/sbin/nginx -V