1 Introduction
Nginx is a very powerful and popular high-performance Web server. This article explains how nginx integrates https and redirects http to https.
Related https articles:
(1) Spring boot integration https is so simple
(2) Key knowledge and key tools of HTTPS Keytool and keystore Explorer
(3) Two ways for spring boot to redirect http to https with Tomcat as container
(4) Spring boot uses Jetty as container to redirect http to https
Features of Nginx:
(1) Hot start: after the configuration file is modified, the new configuration can take effect without stopping and restarting the server. The command is as follows:
    nginx -s reload
(2) High concurrent connections: it can handle over 100000 connections without a problem.
(3) Low memory consumption: memory use stays low while performance stays high;
(4) Fast response to requests;
(5) High reliability.
What can Nginx do? The most commonly used functions are the following three:
(1) Static HTTP server for dynamic and static separation
(2) Reverse proxy
(3) Load balancing
2 Installation and use
On CentOS, use the following commands to install and run Nginx:
    # Add the Nginx package source
    rpm -Uvh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
    # Install Nginx
    yum install -y nginx
    # Start Nginx
    systemctl start nginx.service
    # Stop Nginx
    systemctl stop nginx.service
    # Start Nginx automatically at boot
    systemctl enable nginx.service
    # Reload the configuration
    nginx -s reload
On a Mac, use the following commands to install and run Nginx:
    # Check whether Nginx is already installed
    brew info nginx
    # Install
    brew install nginx
    # Start; the default port is 8080
    nginx
    # Stop
    nginx -s stop
    # Reload the configuration
    nginx -s reload
After installation, the following information is printed:
    Docroot is: /usr/local/var/www
    nginx will load all files in /usr/local/etc/nginx/servers/
This tells us where to put the website resources and the configuration files.
3 Integrate https
3.1 Generate the key file
First, generate a key file in PKCS12 format with keytool, then extract the certificate and the private key from it with openssl. The commands are as follows:
    # Generate the key file in PKCS12 format
    keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -storetype PKCS12 -keystore localhost.p12 -dname CN=localhost,OU=Test,O=pkslow,L=Guangzhou,C=CN -validity 731 -storepass changeit -keypass changeit
    # Export the certificate (pem)
    openssl pkcs12 -nokeys -in ./localhost.p12 -out localhost.pem
    # Export the private key; -nodes writes it unencrypted, so restrict read access to the file
    openssl pkcs12 -nocerts -nodes -in ./localhost.p12 -out localhost.key
3.2 Configure nginx.conf
Create a new nginx.conf file and place it in the directory from which nginx loads its configuration. Set the paths of the certificate and key files in it; the configuration is as follows:
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /key-path/localhost.pem;
        ssl_certificate_key /key-path/localhost.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_set_header HOST $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://127.0.0.1:8000/;
        }
    }
Remember to replace /key-path with the actual path of the key files.
ssl_certificate: the path of the certificate file.
ssl_certificate_key: the path of the private key file.
proxy_pass http://127.0.0.1:8000/: reverse proxies the request to this address.
4 Enable http and redirect to https
4.1 Open http
Opening http is easy: add listen 80; next to listen 443 ssl; in the same server block. Alternatively, add a new server configuration, as follows:
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /key-path/localhost.pem;
        ssl_certificate_key /key-path/localhost.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_set_header HOST $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://127.0.0.1:8000/;
        }
    }
    server {
        listen 80;
        server_name localhost;
        location / {
            proxy_set_header HOST $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://127.0.0.1:8000/;
        }
    }
4.2 Two ways to redirect to https
Redirecting http to https is also very simple; either of two configurations can be used.
The first way uses return 301, as follows:
    server {
        listen 80;
        server_name localhost;
        return 301 https://127.0.0.1$request_uri;
    }
The second way uses rewrite, as follows:
    server {
        listen 80;
        server_name localhost;
        rewrite ^(.*)$ https://$host$1 permanent;
    }
For the difference between return and rewrite, read this article: Creating NGINX Rewrite Rules
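A hardened variant of the server blocks from sections 3.2 and 4.2, added here as an example and not part of the original article. It assumes an nginx build linked against OpenSSL 1.1.1 or later (needed for TLSv1.3) and keeps the article's /key-path placeholder and backend address.

```nginx
# Added example: hardened form of the article's https server and redirect.
server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate     /key-path/localhost.pem;
    ssl_certificate_key /key-path/localhost.key;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;

    # List explicit ECDHE + AEAD suites for TLS 1.2. Broad aliases such as
    # AES and HIGH also admit CBC-mode suites and RSA key exchange without
    # forward secrecy. TLS 1.3 suites are not controlled by this directive.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header HOST $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8000/;
    }
}

server {
    listen 80;
    server_name localhost;

    # Redirect to the configured server name. It matches the certificate's
    # CN (localhost), which a hard-coded 127.0.0.1 does not, and unlike $host
    # it does not depend on the Host header sent by the client.
    return 301 https://$server_name$request_uri;
}
```

Check the file with nginx -t before applying it with nginx -s reload.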
5 Summary
Finally, here is a tool that makes it quick and easy to obtain an nginx configuration: Nginx Config.
Visit Pumpkin talk at www.pkslow.com for more!