How can the website be upgraded to HTTPS free of charge?

Time: 2019-10-6

Recently, while upgrading our website to SSL, I found that even this seemingly simple operation runs into all sorts of problems, so I am sharing the experience here.

Certificate application:

Our company is a start-up, so to save costs we decided to apply for a free certificate. After comparing several certificate providers we chose the certificate service provided by Walton Wosign, which offers certificates at different validation levels:

EV SSL: Extended Validation SSL

OV SSL: Organization Validation SSL

DV SSL: Domain Validation SSL

Browsers treat these certificate levels differently, and a lower-level certificate may trigger a security warning when a browser's security level is set high.

With no budget, we first chose the free DV certificate, planning to upgrade to a higher level once finances allow. Following the application process produces an order receipt; download the certificate from it.

Upgrade strategy analysis:

HTTPS consumes more CPU than HTTP (mainly during connection establishment, and then for encrypting the content), so for an ordinary website only some parts need HTTPS and most of the public content does not strictly require it. However, to improve the credibility of the website, our business scenario uses a whole-site HTTPS solution.

With Nginx + Tomcat as the application server, SSL is only needed on the Nginx side (Nginx and Tomcat are on the same LAN, so that security concern is set aside for now). The user first establishes a connection with Nginx and completes the SSL handshake; Nginx, acting as a proxy, forwards the request to Tomcat over plain HTTP and sends Tomcat's output back to the user over SSL. Tomcat itself only handles HTTP requests. Therefore, in this setup you don't need to configure SSL in Tomcat, only in Nginx.

Detailed Nginx configuration:

Test in the local environment before going online. The certificate will not match the local domain name, so add a browser exception manually and verify that the functionality works first.

upstream mytomcats {
    server 127.0.0.1:8080;
}

# Plain HTTP: redirect every request to HTTPS
server {
    listen 80;
    server_name local.domain.com;
    rewrite ^(.*)$ https://$host$1 permanent;
}

# HTTPS: TLS terminates here; Tomcat is reached over plain HTTP
server {
    listen 443 ssl;
    ssl on;
    server_name local.domain.com;
    ssl_certificate D:\workspace\nginx-1.6.3\security\local.crt;
    ssl_certificate_key D:\workspace\nginx-1.6.3\security\local.key;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    client_max_body_size 10m;
    client_body_buffer_size 128k;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;

    # Static files are served directly by nginx
    location ~* \.(jpg|gif|png|swf|svg|map|ttf|woff|woff2|eot|otf|ico|txt|jpeg|html|htm|css|js|json|bmp)$ {
        root D:\workspace\code\main-server\WebContent;
    }

    # Everything else goes to Tomcat; X-Forwarded-Proto tells Tomcat the original scheme
    location / {
        proxy_pass http://mytomcats;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}


After the local service started, the site could be visited over HTTPS, but many styles and images failed to load. Investigation found that many of our static files are served from the CDN service provided by upyun, and the upyun access address was still http. The page therefore contained mixed content, which caused some resources to fail to load.

Mixed content means non-HTTPS resource requests (images, CSS, JS and so on) mixed into an HTTPS page.

Note:

(1) HTTPS content embedded in an HTTP page is not mixed content, and the page layout is not affected.

(2) In an HTTPS page, only resources loaded over http (such as images, js, etc.) count as mixed content.

A browser considers a page secure only when the page and all the resources it references are HTTPS; as soon as it references any insecure resource (even an image) the browser shows an "insecure" indication, and this is especially serious in the case of js. If the browser says the page is not secure, we have not achieved our original purpose: we spent half a day applying for an SSL certificate and configuring the web server, and all that effort would be wasted because of mixed content. Firefox flags mixed display content with a warning in the browser.


Mixed scripts affect the whole page, because the browser blocks the mixed content from loading.
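The mixed-content check described above, as an added example that is not part of the original post: a small offline scanner that reads an HTML page and lists every sub-resource still referenced over plain http, separating the ones a browser blocks outright (scripts, stylesheets, frames) from the ones it merely flags (images, media). The sample page and the CDN host name cdn.example.net are constructed stand-ins for the site and its CDN.

```python
# Added example (not code from the original post): a small offline scanner for the
# mixed content the post ran into, i.e. http:// sub-resources referenced from an
# HTTPS page. The sample page and the CDN host name cdn.example.net are constructed
# stand-ins for the site and its CDN.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Resources the browser blocks outright when loaded over http on an HTTPS page
# (they can run code or restyle the page), so a single one breaks the page.
ACTIVE = {"script": ("src",), "link": ("href",), "iframe": ("src",)}
# Resources the browser still loads (or upgrades) but marks the page insecure for.
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src", "poster")}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, url) for every sub-resource fetched over plain http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for attr in table.get(tag, ()):
                url = attrs.get(attr) or ""
                # Only an explicit http: scheme is mixed content; relative and
                # protocol-relative (//host/...) URLs inherit the page's https.
                if urlparse(url).scheme == "http":
                    self.findings.append((kind, tag, url))


def scan(page_url, html):
    """Return mixed-content findings for html served at page_url.

    Mixed content only exists on HTTPS pages, so an http:// page yields no
    findings regardless of what it embeds.
    """
    if urlparse(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


def has_active_mixed_content(findings):
    """True if anything the browser would block outright was found."""
    return any(kind == "active" for kind, _, _ in findings)


# Constructed sample: an HTTPS page whose CDN assets are still referenced over http
SAMPLE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/css/main.css">
<script src="https://www.example.com/js/app.js"></script>
<script src="http://cdn.example.net/js/vendor.js"></script>
</head><body>
<img src="http://cdn.example.net/img/logo.png">
<img src="//cdn.example.net/img/banner.png">
<img src="/static/local.png">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

Run it against a saved copy of your page (or feed it the HTML you fetch from the HTTPS origin) before going live; any "active" line is a resource the browser will refuse to load, which is exactly the case that broke the page's styles and scripts here.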

So we needed to solve the mixed content problem. First we configured HTTPS access for upyun. The upyun address is a secondary domain name we added, and we found that the certificate applied for earlier could only be bound to the main domain name, so we re-applied for a free certificate for the secondary domain name and then configured SSL on the upyun side.


Here we learned that, besides single-domain certificates, there are wildcard (pan-domain) certificates and multi-domain certificates.

A wildcard certificate covers all secondary domain names of a domain, i.e. *.domain.com.

A multi-domain certificate can cover several different domains, e.g. www.domain.com, www.domain.cn and www.domain.net.
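To make the difference between these certificate types concrete, here is an added example (not code from the original post) that checks which host names a certificate's names cover. It follows the host-name matching rule browsers use (RFC 6125): a wildcard may only be the whole left-most label and matches exactly one label, which is why the single-domain certificate in the post did not cover the CDN's secondary domain, and why *.domain.com covers cdn.domain.com but not domain.com itself or a.b.domain.com. All domain names below are constructed.

```python
# Added example (not code from the original post): which host names does a
# certificate cover? Single-domain vs wildcard ("pan-domain") vs multi-domain.
# Matching follows the rule browsers use (RFC 6125): a wildcard may only be the
# whole left-most label and matches exactly one label. Names are constructed.

def name_matches(cert_name, hostname):
    """True if a single certificate name (CN or SAN entry) covers hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard never spans more than one label
    if cert_labels[0] == "*":
        # Reject bare "*.com"-style names and an empty left-most host label;
        # every label after the wildcard must match exactly.
        return (len(cert_labels) >= 3
                and host_labels[0] != ""
                and cert_labels[1:] == host_labels[1:])
    return cert_labels == host_labels


def certificate_covers(cert_names, hostname):
    """True if any name in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def coverage(cert_names, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {h: certificate_covers(cert_names, h) for h in hostnames}


# Constructed certificate name sets for the three types discussed in the post
SINGLE_DOMAIN = ["domain.com"]
WILDCARD = ["*.domain.com"]
MULTI_DOMAIN = ["www.domain.com", "www.domain.cn", "www.domain.net"]
# Constructed host names to test: main domain, a CDN subdomain, a deeper
# subdomain, and a different top-level domain
HOSTS = ["domain.com", "cdn.domain.com", "a.b.domain.com", "www.domain.cn"]

if __name__ == "__main__":
    for label, names in (("single-domain", SINGLE_DOMAIN),
                         ("wildcard", WILDCARD),
                         ("multi-domain", MULTI_DOMAIN)):
        print(label, coverage(names, HOSTS))
```

In practice many CAs add the bare domain as an extra SAN entry on a wildcard certificate, so a real *.domain.com certificate often also lists domain.com; the matcher above shows what the wildcard name alone covers.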

Once the mixed content was solved, everything ran locally. After deploying online, opening the website gave an access timeout. We checked the configuration file, checked the port listener, restarted the service and checked every setting that might matter, but could not find the problem; a test server with the same configuration worked fine. At that point a configuration problem was basically ruled out.

We then looked further up the stack at whether the domain name or the Alibaba Cloud ECS instance needed any other configuration, and found that an Alibaba Cloud SLB had been deployed just two days earlier. In other words, the SLB was intercepting traffic in front of nginx and the port 443 listener was being forwarded by it, so we configured the certificate on the SLB instead.


You also need to delete the earlier nginx SSL configuration, otherwise the two conflict; after that, everything was accessible again.

If your website also needs an HTTPS upgrade, be sure to think ahead about the points that may affect other functionality and choose the right upgrade route.
