SSL

Revision as of 17:32, 24 November 2014 by Cesar Chew (talk | contribs)
Author: Bernard Szlachta (NobleProg Ltd)

nginx and SSL

  • Encrypted transport over which HTTP runs
  • Decent performance with nginx
  • Can be combined with other features
  • nginx can handle SSL and proxy to another application

SSL

  • Public key encryption
  • **Private key** - should exist only on the server and not be transferred
  • **Certificate** - purchased from a third party who (should) verify that the recipient really is who they say they are
  • The certificate is safe to copy wherever/however you like - a copy is given to every visitor to the website

Getting an SSL certificate

  • First, generate a private key
$ openssl genrsa -des3 -out server.key 2048
  • Next, generate a certificate signing request (CSR)
$ openssl req -new -key server.key -out server.csr
  • Now give the CSR to whoever you are buying the certificate from, and wait for them to send you an SSL certificate

Using SSL Certificates

  • When you receive the SSL certificate, you will also receive an intermediate certificate
  • For nginx, this needs to be appended to the server certificate, so that the server certificate comes first in the file
$ cat intermediate.crt >> certificate.crt
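
A pre-flight check for the two steps above, as an added example that is not part of the original material: it confirms that the first certificate in the combined file belongs to the private key, which is the order nginx expects. The function names and the throwaway self-signed certificates created by `make_demo` are constructed for illustration.

```sh
#!/bin/sh
# Added example: check a key/certificate bundle before pointing nginx at it.
# All subjects and file names below are constructed test values.

# Public key derived from a private key file, as PEM on stdout.
key_pub() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public key of the FIRST certificate in a PEM bundle
# (openssl x509 reads only the first certificate in a file).
first_cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Succeeds only if the first certificate in the bundle ($2) belongs to the
# private key ($1), i.e. the server certificate precedes the intermediate.
bundle_matches_key() {
    k=$(key_pub "$1") && c=$(first_cert_pub "$2") && [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed demo data: two throwaway self-signed certificates stand in for
# the issued server certificate and the issuer's intermediate certificate.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.com" \
        -keyout "$d/server.key" -out "$d/certificate.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Intermediate" \
        -keyout "$d/intermediate.key" -out "$d/intermediate.crt" 2>/dev/null
    # Correct order: server certificate first, then the intermediate.
    cat "$d/certificate.crt" "$d/intermediate.crt" > "$d/good.crt"
    # Reversed order: the first certificate no longer matches the key.
    cat "$d/intermediate.crt" "$d/certificate.crt" > "$d/wrong.crt"
}
```

Run `bundle_matches_key server.key certificate.crt` before reloading nginx; with a key created using `-des3` as above, `openssl` will prompt for the passphrase.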

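Adding SSL to nginx

 server {
  # Serve HTTPS on 443 and make this the default server for that port
  listen 443 ssl default_server;
  server_name www.example.com;
  ssl_prefer_server_ciphers on;
  # SSLv3 is broken (POODLE) and TLSv1 is deprecated; allow only TLS 1.2 and 1.3
  ssl_protocols TLSv1.2 TLSv1.3;
  # RC4 is no longer safe to offer, so it is not listed here
  ssl_ciphers HIGH:!aNULL:!MD5;
  # Server certificate followed by the intermediate certificate
  ssl_certificate /etc/nginx/www.example.com.crt;
  # Private key: keep it readable only by the nginx master process user
  ssl_certificate_key /etc/nginx/www.example.com.key;

  location / {
    root /usr/share/nginx/html;
    index index.html index.htm;
  }
 }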

Exercise

  • Generate a private key + CSR, send to me to be signed
  • Install provided certificate
  • Make /foo proxy to the server on localhost:8000