SSL: Difference between revisions

<slideshow style="nobleprog" headingmark="?" incmark="…" scaled="true" font="Trebuchet MS" >

title

SSL

author

Bernard Szlachta (NobleProg Ltd)

</slideshow>

nginx and SSL ?

• Encrypted transport over which HTTP runs
• Decent performance with nginx
• Can be combined with other features

• nginx can handle SSL and proxy to another application

SSL ?

• Public key encryption
• **Private key** - should exist only on the server and not be transferred
• **Certificate** - purchased from a third party who (should) verify that the recipient really is who they say they are

• Safe to copy wherever/however you like - a copy given to every visitor to the website

Getting an SSL certificate ?

• First, generate a private key

$ openssl genrsa -des3 -out server.key 2048

• Next, generate a certificate signing request (CSR)

$ openssl req -new -key server.key -out server.csr

• Now give the CSR to wherever you are buying the certificate from, and wait for them to send you an SSL cert

Using SSL Certificates ?

• When you receive the SSL certificate, you will also receive an intermediary certificate
• For nginx, this needs to be appended to the certificate

$ cat intermediate.crt >> certificate.crt

Adding SSL to nginx ?

 server {
  listen 443 default ssl;
  server_name www.example.com;
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1 SSLv3;
  ssl_ciphers RC4:HIGH:!aNULL:!MD5:@STRENGTH;
  ssl_certificate /etc/nginx/www.example.com.crt;
  ssl_certificate_key /etc/nginx/www.example.com.key;

  location / {
    root /usr/share/nginx/html;
    index index.html index.html;
  }
 }

Exercise ?

• Generate a private key + CSR, send to me to be signed
• Install provided certificate
• Make /foo proxy to the server on localhost:8000