The target

An existing HTTP service running on Windows is converted to HTTPS to improve its security.

Prior to the start

Here are a few things to know before you start:

  1. Once the site is served over HTTPS, every static resource that the original site references over HTTP must be changed to HTTPS as well, otherwise browsers block or flag it as mixed content. If a resource cannot be served over HTTPS at its current location, you have to work around it, for example by placing a copy of the resource under nginx.
  2. Browsers do not trust the self-signed certificate generated below and will display a security warning. If the server is reachable from the Internet, a Let's Encrypt certificate obtained with a renewal script avoids this; the details are left for a later article.
  3. HTTPS should be combined with firewall policies to further improve security.

Technical route

By adding an nginx reverse proxy that terminates HTTPS and forwards plain HTTP requests to the backend, the site can be converted to HTTPS quickly. The main steps are:

  1. Install OpenSSL
  2. Generate a certificate and sign it
  3. Edit the nginx configuration file: configure the proxy, and change the original site so that resources it requested directly over HTTP are requested over HTTPS
  4. Handle static resources: adjust the site services and move the static resources the site served over HTTP into nginx, which serves them over HTTPS

The detailed steps

This assumes nginx is already installed.

OpenSSL installation

  1. Download the build that matches your operating system from http://slproweb.com/products/Win32OpenSSL.html
  2. Run the installer
  3. Add the bin directory of the installation to the PATH environment variable, and set OPENSSL_HOME to the OpenSSL installation location

Generate a certificate

Go to the nginx directory, create an ssl folder, change into it, and open a command prompt or PowerShell there:

  1. Generate the private key: openssl genrsa -des3 -out server.key 1024 (a 1024-bit RSA key is considered weak today; 2048 bits is the usual minimum)
  2. Remove the passphrase from the key so nginx can start unattended: openssl rsa -in server.key -out server.key
  3. Create a certificate signing request (CSR): openssl req -new -key server.key -out server.csr
  4. Create a CA certificate: openssl req -new -x509 -key server.key -out ca.crt -days 3650
  5. Sign the CSR with the CA to produce the server certificate: openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt

Configure nginx

    #user www www;
    worker_processes 2;
    worker_rlimit_nofile 65535;

    events {
        worker_connections 65535;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        server_names_hash_bucket_size 128;
        client_header_buffer_size 32k;
        large_client_header_buffers 4 32k;
        client_max_body_size 8m;
        sendfile on;
        tcp_nopush on;
        keepalive_timeout 0;
        tcp_nodelay on;

        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 64k;
        fastcgi_buffers 4 64k;
        fastcgi_busy_buffers_size 128k;
        fastcgi_temp_file_write_size 128k;

        ##cache##
        proxy_connect_timeout 5;
        proxy_read_timeout 60;
        proxy_send_timeout 5;
        proxy_buffer_size 16k;
        proxy_buffers 4 64k;
        proxy_busy_buffers_size 128k;
        proxy_temp_file_write_size 128k;
        ##end##

        gzip on;
        gzip_min_length 1k;
        gzip_buffers 4 8k;
        gzip_http_version 1.1;
        gzip_types text/plain application/x-javascript text/css application/xml;
        gzip_disable "MSIE [1-6]\.";

        log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" $http_x_forwarded_for';

        upstream server_backend    { server ip1:9000; }
        upstream map_backend       { server ip2:8082; }
        upstream gis_layer_backend { server ip3:6080; }

        server {
            listen 443 default ssl;
            server_name ip1;
            ssl_certificate     ../ssl/server.crt;
            ssl_certificate_key ../ssl/server.key;

            # map API JavaScript/CSS, served by nginx itself as static files
            location ~ arcgis_js_api* {
                root D:/software/nginx-1.13.1/data;
            }

            # map layer REST services
            location ~ arcgis/rest/services* {
                proxy_pass http://gis_layer_backend;
            }

            # map tiles
            location ~ WebMapTileServer/map* {
                proxy_pass http://map_backend;
            }

            # other admin backend services
            location / {
                proxy_pass http://server_backend;
            }
        }
    }
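As an added example (not part of the original post), here is a hardened form of the HTTPS server block above: a port-80 redirect so clients stop using plain HTTP, TLS 1.2+ only, HSTS, a CSP directive that makes browsers upgrade leftover http:// sub-resource requests, and the X-Forwarded-* headers the backend needs in order to know the request arrived over HTTPS (it only ever sees nginx). The upstream names, the ip1 placeholder and the data path are taken from the configuration above; the HSTS max-age and the cipher setting are assumptions.

```nginx
# Added example, not the original post's configuration. Goes inside the
# http { } block above, replacing its server { } block; the upstream
# definitions (server_backend, map_backend, gis_layer_backend) are reused.

# Redirect every plain-HTTP request to HTTPS.
server {
    listen 80;
    server_name ip1;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ip1;

    ssl_certificate     ../ssl/server.crt;
    ssl_certificate_key ../ssl/server.key;

    # Modern protocol versions only; SSLv3, TLS 1.0 and TLS 1.1 stay off.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;          # assumed cipher policy
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS: browsers keep using HTTPS for this host for one year (assumed value).
    # Enable only after every resource is reachable over HTTPS; it is not
    # quickly reversible.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Mixed-content mitigation for pages that still reference http:// URLs:
    # the browser rewrites those sub-resource requests to https:// itself.
    add_header Content-Security-Policy "upgrade-insecure-requests" always;

    # Pass client address and scheme to the backends so they can log the real
    # source and build https:// links. Set once here; inherited by every
    # location that does not define its own proxy_set_header.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # map API JavaScript/CSS served from nginx's own data directory
    location ~ ^/arcgis_js_api {
        root D:/software/nginx-1.13.1/data;
    }

    location ~ ^/arcgis/rest/services {
        proxy_pass http://gis_layer_backend;
    }

    location ~ ^/WebMapTileServer/map {
        proxy_pass http://map_backend;
    }

    location / {
        proxy_pass http://server_backend;
    }
}
```

After editing, run nginx -t from the nginx directory to check the syntax before reloading. The backend must actually read X-Forwarded-Proto for the header to help; an application that builds absolute URLs from its own listening scheme will otherwise keep emitting http:// links.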

Working with static Resources

  1. Change every static resource URL in the system that points directly at an HTTP address to the corresponding path under nginx
  2. Copy the static resources into the data directory of the nginx installation, which is the root configured above

Note: map tile images are fetched through the REST endpoints proxied above, so they need no manual change. The JavaScript and CSS of the map API, however, must be handled this way.
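To find the http:// references that step 1 requires changing, the following scanner, added here and not part of the original post, walks an HTML page and reports sub-resource attributes that point at plain HTTP, then shows how each URL maps to its new location: resources from the hosts being moved under nginx become site-relative paths, everything else switches scheme. The sample page and the host name gisserver.local are constructed for the demonstration.

```python
"""Mixed-content scanner (added example, not from the original post).

Reports sub-resources that a page loads over http:// and proposes the
URL each should use once the site is served over HTTPS.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes whose value the browser fetches as a sub-resource. An http://
# value here is blocked (scripts, stylesheets, iframes) or flagged (images,
# media) once the page itself is served over HTTPS.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),          # only for stylesheet/icon/preload rels, see below
    "img": ("src",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
LINK_RELS = {"stylesheet", "icon", "preload"}


class MixedContentScanner(HTMLParser):
    """Collects (line, tag, attribute, url) for every http:// sub-resource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & LINK_RELS:
                return              # canonical/alternate links are not fetched
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = (attrs.get(attr) or "").strip()
            if value.lower().startswith("http://"):
                line, _col = self.getpos()
                self.findings.append((line, tag, attr, value))


def scan_html(html):
    """Return the list of http:// sub-resource references in an HTML string."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def rewrite_url(url, static_hosts):
    """Where an http:// URL should point after the migration.

    Resources from hosts whose files are copied into nginx's data directory
    become site-relative paths served by nginx itself; anything else simply
    switches to the https:// scheme.
    """
    parts = urlsplit(url)
    if parts.netloc in static_hosts:
        return parts.path or "/"
    return urlunsplit(("https",) + tuple(parts[1:]))


# Constructed sample page: two map-API resources over plain HTTP, one local
# script, one canonical link (not a fetch), one HTTPS image, one plain link.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://gisserver.local/arcgis_js_api/esri.css">
<script src="http://gisserver.local/arcgis_js_api/init.js"></script>
<script src="/js/app.js"></script>
<link rel="canonical" href="http://gisserver.local/map">
</head><body>
<img src="https://cdn.example.com/logo.png">
<a href="http://gisserver.local/help">help</a>
</body></html>"""

# Hosts whose static files are being moved under nginx (constructed).
STATIC_HOSTS = {"gisserver.local"}


if __name__ == "__main__":
    for line, tag, attr, url in scan_html(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}> {url} -> {rewrite_url(url, STATIC_HOSTS)}")
```

Run it against the real pages (read each file and pass its contents to scan_html) and fix every reported line; the canonical link and the anchor in the sample are deliberately not reported, because navigation links do not cause mixed-content blocking, only sub-resource loads do.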

Conclusion

HTTPS effectively improves a system's resistance to sniffing and hijacking attacks and reduces risk. This article does not cover everything: converting the mixed setup (HTTPS at the proxy, HTTP behind it) to pure HTTPS is the better option, but the approach here can serve as a temporary solution when time is limited.