Most websites now support HTTPS.

Introduction to HTTPS

HTTPS is composed of two parts, HTTP + SSL/TLS: on top of HTTP, another layer is added that handles the encryption. Both the server and the client encrypt what they send through TLS, so the transmitted data is encrypted.

HTTPS Protocol Principle

First, the client establishes a connection with the server. Each side generates a private key and a public key, which are different from each other. The server returns its public key to the client. The client encrypts its request with that public key, producing what is called ciphertext, and sends the ciphertext to the server together with the client's own public key. The server decrypts the ciphertext with its own private key, encrypts the response data with the client's public key, and returns it to the client. The client decrypts that ciphertext with its own private key and presents the data.

Certificate and private key generation:

1. Create the server private key:

        openssl genrsa -des3 -out server.key 1024

   Enter the password and confirm it. Remember it, because you will use it later. (1024 bits is the value used here; current practice for RSA keys is at least 2048 bits.)

2. Create the certificate signing request (CSR), server.csr:

        openssl req -new -key server.key -out server.csr

   When asked for the key's pass phrase, enter the password created earlier, then answer the prompts:

        Country Name (2 letter code) [AU]:CN ← Country code; for China enter CN
        State or Province Name (full name) [Some-State]:BeiJing ← Province name
        Locality Name (eg, city) []:BeiJing ← City name, in pinyin
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← Company name in English
        Organizational Unit Name (eg, section) []: ← May be left blank
        Common Name (eg, YOUR name) []: ← Do not enter
        Email Address []:[email protected] ← Email
        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []: ← Do not enter
        An optional company name []: ← Do not enter

4. Back up the server key file:

        cp server.key server.key.org

5. Remove the pass phrase from the key, so that Nginx with SSL support does not require it when loading the private key:

        openssl rsa -in server.key.org -out server.key

6. Finally, sign the certificate using the above private key and the CSR:

        openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
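A pre-flight check for the files these steps produce, added here as an example and not part of the original article: it confirms the key no longer carries a pass phrase, reports the RSA key size, and verifies that the certificate was issued for that key before Nginx is pointed at them. The function names and the 2048-bit minimum are choices made for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks on the key and certificate before Nginx loads them.
# Function names and the 2048-bit minimum are choices made for this example.

# Succeeds if the key file is still pass-phrase protected (step 5 not done).
# Covers both PEM styles: "Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Prints the RSA key size in bits; prints nothing if the key cannot be read.
key_bits() {
    openssl rsa -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeeds if the certificate ($1) carries the public key of the private key ($2).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs every check, prints one line per finding, returns non-zero on any failure.
check_pair() {
    rc=0
    if key_is_encrypted "$2"; then
        echo "FAIL: $2 still has a pass phrase; Nginx would prompt for it on start"
        return 1
    fi
    bits=$(key_bits "$2")
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: RSA key is ${bits:-unreadable} bits, below 2048"; rc=1
    fi
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: $1 was not issued for $2"; rc=1
    fi
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $1 has expired or cannot be read"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2 are consistent"
    return "$rc"
}

# Usage: sh check_pair.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

A key generated with the 1024-bit size from step 1 is reported as a failure by `check_pair`; the other checks still run so a mismatch or expiry is shown in the same pass.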

Configure Nginx

server {
        # Use 443 instead of the default 80
        listen 443 default ssl;
        # default can be omitted
        # "ssl on" enables SSL. If you remove that line and put ssl after port 443
        # on the listen line, both HTTP and HTTPS links work.
        # (The ssl directive is deprecated since nginx 1.15.0 in favour of "listen ... ssl".)
        ssl on;
        # Certificate (public key, sent to the client)
        ssl_certificate /home/server.crt;
        # Private key
        ssl_certificate_key /home/server.key;

        location ~ /\. {
                deny all;
        }
}

Example of Nginx enforcing HTTPS:

server {
        # Compatible with HTTP and HTTPS
        listen 80;
        listen 443 ssl;
        ssl_certificate /home/server.crt;
        ssl_certificate_key /home/server.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        # Requests that arrive on port 80 are redirected to HTTPS
        if ($server_port = 80) {
                return 301 https://$host$request_uri;
        }

        location ~ /\. {
                deny all;
        }
}

Recommended SSL certificate

Free SSL certificate provided by Tencent Cloud