Cesar Chew at 17:32, 24 November 2014

2014-11-24T17:32:02Z

New page

{{Cat|Nginx}}

<slideshow style="nobleprog" headingmark="?" incmark="…" scaled="true" font="Trebuchet MS" >
;title: SSL
;author: Bernard Szlachta (NobleProg Ltd)
</slideshow>

=== nginx and SSL ?===
* Encrypted transport over which HTTP runs
* Decent performance with nginx
* Can be combined with other features
:* nginx can handle SSL and proxy to another application
=== SSL ?===
* Public key encryption
* **Private key** - should exist only on the server and not be transferred
* **Certificate** - purchased from a third party who (should) verify that the recipient really is who they say they are
:* Safe to copy wherever/however you like - a copy given to every visitor to the website
=== Getting an SSL certificate ?===
* First, generate a private key
$ openssl genrsa -des3 -out server.key 2048

* Next, generate a certificate signing request (CSR)
$ openssl req -new -key server.key -out server.csr

* Now give the CSR to wherever you are buying the certificate from, and wait for them to send you an SSL cert

=== Using SSL Certificates ?===
* When you receive the SSL certificate, you will also receive an intermediary certificate
* For nginx, this needs to be appended to the certificate
$ cat intermediate.crt >> certificate.crt

=== Adding SSL to nginx ?===
<source lang="java">
server {
listen 443 default ssl;
server_name www.example.com;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 SSLv3;
ssl_ciphers RC4:HIGH:!aNULL:!MD5:@STRENGTH;
ssl_certificate /etc/nginx/www.example.com.crt;
ssl_certificate_key /etc/nginx/www.example.com.key;

location / {
root /usr/share/nginx/html;
index index.html index.html;
}
}
</source>
=== Exercise ?===
* Generate a private key + CSR, send to me to be signed
* Install provided certificate
* Make /foo proxy to the server on localhost:8000

SSL - Revision history

Cesar Chew at 17:32, 24 November 2014