What is HTTPS?
According to Wikipedia's explanation:
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol and SSL/TLS to provide encrypted communication and authentication of network server identities. HTTPS connections are often used for transaction payments on the World Wide Web and for the transmission of sensitive information in enterprise information systems. HTTPS should not be confused with the Secure Hypertext Transfer Protocol (S-HTTP) defined in RFC 2660.
HTTPS is now the first choice for all sites concerned with privacy and security. As the technology has developed, HTTPS is no longer exclusive to large sites: ordinary personal webmasters and bloggers can all build their own secure, encrypted websites.
If a website is not encrypted, all your account passwords are transmitted in clear text. You can imagine how dangerous unencrypted transmission is when privacy and financial matters are involved.
First, upgrade OpenSSL
sudo apt-get update
sudo apt-get dist-upgrade
sudo wget openssl.org/source/openssl-1.0.2h.tar.gz
sudo tar -xvzf openssl-1.0.2h.tar.gz
cd openssl-1.0.2h
sudo ./config --prefix=/usr/
sudo make depend
sudo make install
openssl version
Second, use OpenSSL to generate SSL keys and CSR
Only a certificate signed by a CA that browsers or the operating system trust lets all visitors reach your encrypted website without a certificate error. So we skip the self-signed certificate step and go straight to a certificate signed by a trusted third party.
OpenSSL is installed by default on Linux, OS X, and similar systems. Because of some security issues, third-party SSL certificate issuers currently require RSA private keys of at least 2048 bits.
Ordinary SSL certificates also come in two validation forms: DV (Domain Validated) and OV (Organization Validated). The former only requires verifying the domain name, while the latter requires verifying your organization or company; in terms of security, the latter is certainly better.
Whether you use DV or OV, generating the private key requires filling in some basic information. Here we assume the following:
Domain name, also known as Common Name (for special certificates it is not necessarily a domain name): example.com
Organization or company name (Organization): Example, Inc.
Department (Department): optional; here we write Web Security
City (City): Casablanca
Province (State / Province): Casablanca
Country (Country): MA
Encryption strength: 2048 bits; if your machine is powerful enough, you can also choose 4096 bits
Based on the information above, the OpenSSL commands to generate the key and CSR are as follows.
RSA certificate
RSA certificates can be used for RSA key exchange (RSA asymmetric encryption) or ECDHE key exchange (RSA asymmetric signature); and ECC certificates can only be used for ECDHE key exchange (ECDSA asymmetric signature).
openssl req -new -newkey rsa:2048 -sha256 -nodes -out example_com.csr -keyout example_com.key -subj "/C=MA/ST=Casablanca/L=Casablanca/O=Example Inc./OU=Web Security/CN=example.com"
ECC Certificate
Not all browsers support ECDHE key exchange, which means that ECC certificates have worse compatibility. For example, on Windows XP only Firefox can access a website that uses an ECC certificate (Firefox has its own TLS implementation and does not rely on the operating system); on Android, ECC certificates require Android 4+.
openssl ecparam -genkey -name secp256r1 | openssl ec -out example.key
openssl req -new -key example.key -out example.csr
PS: If it is a wildcard domain certificate, the domain name should be filled in as *.example.com
You can run this command from anywhere in the system; it automatically generates the two files example_com.csr and example_com.key in the current directory.
You can then look at example_com.csr and see a long string of text.
This CSR file is what you need to submit to the SSL certificate authority. Once your domain name or organization passes verification, the authority will issue you two files: example_com.crt and example_com.ca-bundle.
example_com.key, on the other hand, is used in the Nginx configuration together with example_com.crt and example_com.ca-bundle. Keep it safe and do not disclose it to any third party.
Third, configure the HTTPS site in Nginx and add security settings
As mentioned earlier, you submit the CSR file to a third-party SSL certificate authority; once verification passes, they issue you two CRT files. We merge these two files into one for ease of use, as follows:
cat example_com.crt example_com.ca-bundle > example_com.pem
In the end we have two files:
example_com.key
example_com.pem
At the same time, to keep everything in one place, you can move both files to the /etc/ssl/private/ directory. You can then modify the Nginx configuration file:
server {
    listen 80;
    listen [::]:80 ipv6only=on;
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name example.com;
    # TLS is enabled per listener by the ssl parameter above; "ssl on;" would also apply it to port 80
    ssl_certificate /etc/ssl/private/example_com.pem;
    ssl_certificate_key /etc/ssl/private/example_com.key;
}
At the same time, if the whole site is served over HTTPS and HTTP does not need to be considered, you can add HSTS to tell browsers that this site is encrypted and force them to use HTTPS:
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
Alternatively, you can set up a separate Nginx server block that redirects HTTP requests to HTTPS with a 301:
server {
    # If you use this block, remove the port 80 listen lines from the HTTPS server block
    listen 80;
    listen [::]:80 ipv6only=on;
    server_name example.com;
    return 301 https://example.com$request_uri;
}
After checking that the configuration file has no problems, reload Nginx:
nginx -t && nginx -s reload
At this point, the site is already reachable over HTTPS.
Fourth, increase security
The configuration above is not secure enough: the default is SHA-1, and mainstream practice now is to avoid SHA-1. To ensure greater security, we can use Diffie-Hellman key exchange.
First, go to the /etc/ssl/certs directory and generate a dhparam.pem:
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096 # If your machine is not powerful enough, you can use 2048 bits instead
After it has been generated, add it to the Nginx SSL configuration:
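# TLS is enabled by the ssl parameter on the listen directives, so "ssl on;" is not needed
#ssl_certificate /etc/ssl/private/example_com.crt;
ssl_certificate /etc/ssl/private/example_com.pem;
ssl_certificate_key /etc/ssl/private/example_com.key;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;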
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
keepalive_timeout 70;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
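An added example, not part of the original article: a small shell/awk check for the Nginx TLS settings discussed above, to run before nginx -t. The function names audit_tls_conf and sample_conf and the sample server block are constructed for illustration; the check flags TLS on port 80 listeners, the ssl on directive, TLSv1/TLSv1.1, DHE ciphers without ssl_dhparam, and a missing HSTS header.

```shell
#!/bin/sh
# Added example: lint an Nginx TLS config read on stdin (function name is hypothetical).
# Prints one finding per line; returns non-zero when a FAIL finding is present.
audit_tls_conf() {
    awk '
    { sub(/#.*/, "") }    # ignore comments
    /^[ \t]*listen[ \t]/ && /[ \t:]80[ \t;]/ && /[ \t]ssl[ \t;]/ {
        print "FAIL line " NR ": ssl parameter on a port 80 listener"; fails++
    }
    /^[ \t]*ssl[ \t]+on[ \t]*;/ {
        print "FAIL line " NR ": ssl on; enables TLS on every listener of the block"; fails++
    }
    /^[ \t]*ssl_protocols[ \t]/ && /TLSv1(\.1)?[ \t;]/ {
        print "WARN line " NR ": TLSv1/TLSv1.1 enabled (deprecated by RFC 8996)"
    }
    /^[ \t]*ssl_ciphers[ \t]/ && /(^|[^A-Z])(EDH|DHE)/ { dhe = NR }
    /^[ \t]*ssl_dhparam[ \t]/ { dhparam = 1 }
    /^[ \t]*add_header[ \t]+Strict-Transport-Security[ \t]/ { hsts = 1 }
    END {
        if (dhe && !dhparam) print "WARN line " dhe ": DHE ciphers listed but no ssl_dhparam"
        if (!hsts) print "WARN: no Strict-Transport-Security header"
        exit (fails > 0)
    }'
}

# Constructed sample: one server block that mixes HTTP and HTTPS listeners.
sample_conf() {
    cat <<'EOF'
server {
    listen 80;
    listen [::]:80 ssl ipv6only=on;
    listen 443 ssl;
    server_name example.com;
    ssl on;
    ssl_certificate     /etc/ssl/private/example_com.pem;
    ssl_certificate_key /etc/ssl/private/example_com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+aRSA+AESGCM EDH+aRSA !aNULL !MD5 !RC4";
}
EOF
}

sample_conf | audit_tls_conf || echo "FAIL findings present: fix them before nginx -s reload"
```

To check a real file, feed it on stdin, for example audit_tls_conf < /etc/nginx/sites-enabled/example.com (path is an assumption about your layout).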
Source howtoforge