How to make the website and API support HTTPS? It’s a good choice to write on nginx!

Time: 2021-6-22

As the number of users of our website grows, we gradually realize how important HTTPS encryption is. To upgrade from HTTP to HTTPS without touching the existing code, letting nginx handle HTTPS is a good choice. Today, let's talk about how to use nginx to upgrade from HTTP to HTTPS, serving static websites and Spring Boot applications at the same time. I hope it helps you!

Spring Boot real-world e-commerce project Mall (40K+ stars): https://github.com/macrozheng/mall

Generate SSL self signed certificate

Although browsers do not treat a self-signed certificate as trusted, it is still worth learning how to generate an SSL certificate!

  • First, create the private key for the SSL certificate; you will be asked to enter a pass phrase twice. The generated file is blog.key
openssl genrsa -des3 -out blog.key 2048
  • Use that private key to generate a key file that does not require a pass phrase; the generated file is blog_nopass.key
openssl rsa -in blog.key -out blog_nopass.key
  • Create the SSL certificate signing request (CSR), which is needed when generating the SSL certificate. The generated file is blog.csr
openssl req -new -key blog.key -out blog.csr
  • During generation we need to enter some information; note that the Common Name must match the website's domain name;
Enter pass phrase for blog.key:
-----
Country name (2 letter code) [XX]: cn # country code
State or province name (full name) [
Locality name (eg, city) [default city]: Jiangsu City
Organization name (eg, company) [default Company Ltd]: macrozheng
Organizational unit name (eg, section) []: dev # unit name
Common name (eg, your name or your server's host name) []: blog.macrozheng.com # website domain name
Email Address []:[email protected] # email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # private key protection password, you can skip it by pressing Enter
An optional company name
  • Generate the SSL certificate, valid for 365 days; the generated file is blog.crt
openssl x509 -req -days 365 -in blog.csr -signkey blog.key -out blog.crt
  • In the end only two files are actually needed: the certificate file blog.crt and the pass-phrase-free certificate private key blog_nopass.key
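As an added example (not the original post's commands), the same self-signed certificate can be produced in one non-interactive openssl run, with a subjectAltName so that modern browsers match the domain, followed by a check that the key and certificate belong together. It assumes openssl 1.1.1 or newer; the domain and output directory are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example, not the original post's commands. Generates a self-signed
# certificate for one domain in a single non-interactive step and verifies it.
set -eu

# gen_self_signed DOMAIN OUTDIR: writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.crt
gen_self_signed() {
    domain=$1
    outdir=$2
    mkdir -p "$outdir"
    # -nodes: leave the key unencrypted so nginx can start without a pass phrase
    #         (the role blog_nopass.key plays in the post)
    # -addext: put the domain into subjectAltName; browsers no longer accept a
    #          certificate whose only name is the Common Name
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt" \
        -subj "/C=CN/ST=Jiangsu/O=example/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" 2>/dev/null
    # an unencrypted private key must not be readable by other users
    chmod 600 "$outdir/$domain.key"
}

# key_matches_cert KEY CRT: succeeds only if both files carry the same public key
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# cert_has_san CRT DOMAIN: succeeds if the certificate lists DOMAIN as a SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Usage: sh gen_cert.sh blog.macrozheng.com /mydata/nginx/html/ssl/blog
if [ $# -ge 2 ]; then
    gen_self_signed "$1" "$2"
    key_matches_cert "$2/$1.key" "$2/$1.crt" && echo "key and certificate match"
    cert_has_san "$2/$1.crt" "$1" && echo "SAN contains $1"
fi
```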

Nginx supports HTTPS

After the SSL certificate is generated, we can configure nginx to support HTTPS!

Install nginx

  • As before, we install nginx in a Docker container. First, pull the nginx Docker image;
docker pull nginx:1.10
  • After the pull, run nginx once. We want to mount the host's nginx configuration into the container, so running it once lets us copy out the default configuration;
docker run -p 80:80 --name nginx \
-v /mydata/nginx/html:/usr/share/nginx/html \
-v /mydata/nginx/logs:/var/log/nginx  \
-d nginx:1.10
  • Once it is running, copy the nginx configuration directory out of the container to the host;
docker container cp nginx:/etc/nginx /mydata/nginx/
  • Rename the copied nginx directory to conf; otherwise the configuration directory would be /mydata/nginx/nginx, which looks a bit awkward;
mv /mydata/nginx/nginx /mydata/nginx/conf
  • The container we created is no longer needed once the configuration has been copied, so stop and delete it;
docker stop nginx
docker rm nginx
  • Start the nginx service again with docker, this time mounting the configuration directory. Because we want to support HTTPS, we also need to expose port 443.
docker run -p 80:80 -p 443:443 --name nginx \
-v /mydata/nginx/html:/usr/share/nginx/html \
-v /mydata/nginx/logs:/var/log/nginx  \
-v /mydata/nginx/conf:/etc/nginx \
-d nginx:1.10

Configuration supports HTTPS

  • Copy the generated SSL certificate and private key into nginx's html/ssl directory;
cp blog_nopass.key /mydata/nginx/html/ssl/
cp blog.crt /mydata/nginx/html/ssl/
  • Next, we add HTTPS support for the domain blog.macrozheng.com: create the nginx configuration file blog.conf in the /mydata/nginx/conf/conf.d/ directory with the following content;
server {
    listen       80; #  It also supports HTTP
    listen       443 ssl; #  Add HTTPS support
    server_name  blog.macrozheng.com;
  
    #SSL configuration
    ssl_certificate      /usr/share/nginx/html/ssl/blog/blog.crt; # Configure certificate
    ssl_certificate_key  /usr/share/nginx/html/ssl/blog/blog_nopass.key; # Configure certificate private key
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2; # Configure SSL protocol versions
    ssl_ciphers          ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # Configure SSL cipher suites
    ssl_prefer_server_ciphers  on; # Prefer the server's cipher order
    ssl_session_cache     shared:SSL:10m; # Configure shared session cache size
    ssl_session_timeout  10m; # Configure session timeout

    location / {
        root   /usr/share/nginx/html/www;
        index  index.html index.htm;
    }

    location /admin {
        alias   /usr/share/nginx/html/admin;
        index  index.html index.htm;
    }

    location /app {
        alias   /usr/share/nginx/html/app;
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}
  • Visit the domain blog.macrozheng.com over HTTPS. Because we are using our own self-signed SSL certificate, the browser will warn Your connection is not private; click continue and the site is accessed normally over HTTPS;


  • If we check the certificate's Issuer information, we find it is the information we entered when creating the SSL certificate signing request;


  • Next, we add HTTPS support for the domain api.macrozheng.com, through which we can access our Spring Boot application over HTTPS. The api.crt and api_nopass.key files need to be generated the same way by yourself. Create the nginx configuration file api.conf in the /mydata/nginx/conf/conf.d/ directory with the following content;
server {
    listen       80; #  It also supports HTTP
    listen       443 ssl; #  Add HTTPS support
    server_name  api.macrozheng.com; # Modify domain name

    #SSL configuration
    ssl_certificate      /usr/share/nginx/html/ssl/api/api.crt; # Configure certificate
    ssl_certificate_key  /usr/share/nginx/html/ssl/api/api_nopass.key; # Configure certificate private key
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2; # Configure SSL protocol versions
    ssl_ciphers          ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # Configure SSL cipher suites
    ssl_prefer_server_ciphers  on; # Prefer the server's cipher order
    ssl_session_cache     shared:SSL:10m; # Configure shared session cache size
    ssl_session_timeout  10m; # Configure session timeout

    location / {
        proxy_pass    http://192.168.3.101:8080; # Set the proxied backend address
        proxy_set_header  Host $http_host; # Pass the client's real host name (including port number)
        proxy_set_header  X-Real-IP  $remote_addr; # Pass the real IP of the client
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for; # With multiple proxy layers, lists the real client IP and every intermediate proxy
        proxy_set_header X-Forwarded-Proto $scheme; # Pass the client's real protocol (HTTP or HTTPS)
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}
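Both blog.conf and api.conf above share the same TLS settings, so here is one added audit script (not part of the original post) that checks a server block like them for the points a reviewer would raise: TLS 1.0/1.1 still enabled, port 80 served without a redirect to HTTPS, and the private key placed under a directory that a root or alias directive names. It assumes only POSIX sh with grep, sed and awk; the config path is passed as an argument.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an nginx server block such
# as blog.conf or api.conf for TLS settings a reviewer would flag.
set -eu

# normalize CONF: drop comments and semicolons, squeeze whitespace, one directive per line
normalize() {
    sed -e 's/#.*$//' -e 's/;[[:space:]]*$//' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]\{1,\}/ /g' "$1" | grep -v '^$'
}

# audit_tls CONF: prints one finding per line; exits 0 only when nothing was found
audit_tls() {
    conf=$(normalize "$1")
    findings=0
    # 1. protocol versions: TLS 1.0 and 1.1 (and any SSL) are deprecated
    protos=$(printf '%s\n' "$conf" | awk '$1 == "ssl_protocols" { $1 = ""; print }')
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "weak protocol enabled: $p (keep only TLSv1.2 TLSv1.3)"
                findings=$((findings + 1)) ;;
        esac
    done
    # 2. listen 80 next to listen 443 ssl leaves every page reachable over plain HTTP
    #    unless port 80 redirects to HTTPS
    if printf '%s\n' "$conf" | grep -q '^listen 80' &&
       printf '%s\n' "$conf" | grep -q '^listen 443 ssl' &&
       ! printf '%s\n' "$conf" | grep -q 'return 301 https://'; then
        echo 'plain HTTP served without redirect: add return 301 https://$host$request_uri on port 80'
        findings=$((findings + 1))
    fi
    # 3. the private key should live outside any directory nginx serves files from
    key=$(printf '%s\n' "$conf" | awk '$1 == "ssl_certificate_key" { print $2 }')
    for dir in $(printf '%s\n' "$conf" | awk '$1 == "root" || $1 == "alias" { print $2 }'); do
        case "$key" in
            "$dir"/*)
                echo "private key $key lies under $dir, which a root/alias directive names; move it out of the html tree"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_tls.sh /mydata/nginx/conf/conf.d/blog.conf
if [ $# -ge 1 ]; then
    audit_tls "$1" && echo "no findings in $1"
fi
```

Run against blog.conf as written above it reports four findings; a block limited to TLSv1.2/TLSv1.3 with its key under /etc/nginx/ssl and a port-80 redirect passes cleanly.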


  • Call any interface for testing, for example the login interface, and you will find that the interfaces provided by the Spring Boot application can be accessed normally over HTTPS.


Use trusted certificate

Previously we used a self-signed SSL certificate, which browsers do not trust. Only an SSL certificate issued by a recognized certificate authority is considered valid by browsers. Here we recommend two ways to apply for a free SSL certificate: one from Alibaba Cloud, the other from FreeSSL.

Alicloud certificate

  • Currently, the only free certificates available on Alibaba Cloud are DV-level SSL certificates that cover a single domain name. For example, if you have the two subdomains blog.macrozheng.com and api.macrozheng.com and both need HTTPS, you must apply for two SSL certificates.


  • After successful application, click download nginx certificate;


  • After downloading, you will have the following two files;
blog.macrozheng.com.key # certificate private key file
blog.macrozheng.com.pem # certificate file
  • Copy the certificate files to the chosen nginx directory, then modify the configuration file blog.conf, changing only the certificate paths, and restart nginx afterwards;
#SSL configuration
ssl_certificate      /usr/share/nginx/html/ssl/blog/blog.macrozheng.com.pem; # Configure certificate
ssl_certificate_key  /usr/share/nginx/html/ssl/blog/blog.macrozheng.com.key; # Configure certificate private key
  • Visit the domain blog.macrozheng.com over HTTPS again: the certificate is now shown as valid and the connection as secure.


Freessl certificate

  • If you need a wildcard domain certificate, you can apply for an SSL certificate at FreeSSL, but the free certificate is only valid for 3 months, which means you have to apply again every 3 months.


Use acme.sh for automatic certificate application

  • The acme.sh script implements the ACME protocol and can obtain free certificates from Let's Encrypt. Normally a certificate we apply for is valid for 1 year and has to be applied for again once it expires; acme.sh can renew it automatically when it expires, so certificate expiry is no longer a worry!


This article has been included in the GitHub repository https://github.com/macrozheng/mall-learning; you are welcome to star it!