As the HTTP protocol transfer information with plain data, some websites such as shopping, transaction, login and register need to open the HTTPS protocol to increase security, ensure important data like password will not be intercepted and sniffed.
HTTPS need the support of SSL digital certificate, almost every browser trusted CA organizations charge fees when sign digital certificates, and the price is generally 13 U.S. dollars to 50 U.S. dollars per year. (Except StartSSL and PositiveSSL)
If the certificate only for the own use, to prevent the online management of your password has been tapped, you can self sign SSL digital certificate by free.
On Debian5 + OpenSSL + Nginx environment, just follow these steps:
1. Generate SSL digital certificate with OpenSSL
openssl genrsa -out privkey.pem 2048
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
The first command is to generate the user certificate RSA key pair, and not with a password.
The second command is to generate and self sign certificate. At this time, you will be asked to input parameters, random fill, but the Common Name must fill in the domain name of your website, for example: *. yourdomain.com.
2. Configure and compile Nginx with SSL module
The Nginx does not support SSL by default, so we need re-configure and compile it, the commands are as follows:
wget http://nginx.org/download/nginx-0.7.65.tar.gz
tar zxvf nginx-0.7.65.tar.gz
cd /root/nginx-0.7.65
./configure --with-http_stub_status_module --with-http_ssl_module
make
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old
cp ./objs/nginx /usr/local/nginx/sbin/nginx
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`
kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`
Thees commands are actually a standard Nginx upgrade operation, you shloud replace the directories to your owns.
In addition, you can also comment line CFLAGS = “$ CFLAGS-g” in auto/cc/gcc , so to compile Nginx not in Debug mode, saving file size and memory usage, improving the speed.
3. Modify Nginx configuration file
Modify corresponding server section in nginx.conf:
server
{
listen 443;
ssl on;
ssl_certificate /etc/ssl/cacert.pem;
ssl_certificate_key /etc/ssl/privkey.pem;
server_name www.yourdoamin.com;
index index.html index.htm index.php;
root /home/wwwroot/yourdomain;
......
......
}
You should also change the path of pem files according to actual conditions.
4. Restart Nginx
Upload nginx.conf, then test the configuration file, and restart Nginx:
/usr/local/nginx/sbin/nginx -t
kill -HUP `cat /usr/local/nginx/logs/nginx.pid`
5. Test your website with HTTPS
Input https://www.yourdomain.com, you will see a security alert dialog like this:
Because it is for own use, just click View Certificate – install the certificate, the browser will no longer pop up the alert box.
At this point, you can use the HTTPS protocol visit your website, do not worry about the user name and password will be sniffed during transmission.