How Nginx uses the OpenSSL library for more secure communication

Nginx is a software widely used in web servers, load balancers, reverse proxies and caches. During network transmission, data encryption and security have received increasing attention. In order to improve the security of communication, the OpenSSL library can be used to implement the SSL/TLS protocol to protect the transmission of sensitive data. This article will explain how to use Nginx and the OpenSSL library to achieve more secure communication.

1. Installing and configuring the OpenSSL library

First, you need to install the OpenSSL library on the server. You can use the package manager to install. For example, for Ubuntu and Debian systems, you can use the following command:

sudo apt-get install libssl-dev

After the installation is complete, make relevant settings in the Nginx configuration. You need to point the ssl certificate path and key path to the corresponding files. At the same time, you also need to enable the SSL protocol and related security optimization settings:

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;

    #优化SSL加密方式
    ssl_protocols TLSv1.3;
    ssl_ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;

    #提高安全性
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Xss-Protection "1; mode=block";

    #其他配置
    location / {
        ...
    }   
}

In the above configuration, the "listen" command is used to enable the SSL protocol and load the http2 protocol to improve efficiency. "ssl_certificate" and "ssl_certificate_key" are the paths to the corresponding certificates. In addition, settings such as encryption algorithm and session timeout also need to be set.

In order to improve security, you can also add some HTTP response headers, such as "Strict-Transport-Security", "X-Content-Type-Options", "X-Frame-Options" and "X-Xss" -Protection" etc. to protect the site from malicious attacks.

2. Generate SSL certificate

SSL certificate is an important tool for protecting communication security. Generally, you can apply to a Certificate Authority (CA) to obtain an SSL certificate. However, we can also generate a self-signed SSL certificate ourselves for testing or private website use.

Under Ubuntu and Debian systems, you can follow the following steps to generate an SSL certificate:

1) Create a certificate and key

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

This command will generate a self-signed SSL certificate and corresponding private key. During the generation process, you will be prompted to enter some necessary information, such as organizational unit, public name, etc.

2) Configure Nginx

Follow the previous configuration steps and specify the paths to the certificate and key files in the Nginx configuration.

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    ...
}

3. Configure SSL performance optimization

Encrypted communication based on the SSL protocol will increase the burden on the server and network delay. Therefore, when using the SSL protocol for communication, performance needs to be optimized.

Some commonly used optimization settings are as follows:

1) Turn on the SSL accelerator

The SSL accelerator can accelerate the handshake process, encryption and decryption processing of the SSL protocol, etc. OpenSSL engine technology can be used in Nginx to achieve hardware accelerated SSL processing. The specific choice needs to be combined with the actual situation. You can follow the following settings:

ssl_engine on;
ssl_engine_device /dev/pkcs11engine;
ssl_engine_param "/path/to/config.xml";

2) Merge certificate chain

Store the SSL certificate and the root certificate of its issuing authority in the same certificate file , reducing the number of times the client verifies the certificate and memory overhead:

cat your_domain.crt ca_bundle.crt > your_domain_ca.crt 

3) Turn on OCSP Stapling

OCSP Stapling is an optimization technology used to verify the legitimacy of the server certificate. When a client receives a server certificate, it requests verification from the issuing authority's OCSP server, thereby increasing network latency. OCSP Stapling technology can reduce this delay, cache the OCSP response on the server side, and return it directly when the client requests it, thus reducing network delays and QPST requests.

In Nginx, you can enable OCSP Stapling as follows:

server {
    ...
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/chain.pem;
    resolver DNS_SERVER;
    ...
}

4. Monitor SSL connection

Finally, we need to monitor the SSL connection and management. You can use the SSL extension module ngx_http_ssl_module provided by Nginx for detailed monitoring and logging of SSL connections.

Can be combined with other monitoring tools, such as Prometheus for SSL indicator monitoring and alarming, and ELK for SSL logging and statistical analysis.

Conclusion

In this article, we introduced how to use the OpenSSL library to achieve more secure communication. By configuring SSL certificates, encryption algorithms, optimization settings, and monitoring management, communication security and performance can be greatly improved. At the same time, we need to continue to pay attention to and learn the latest SSL security technology to protect our website and data.

The above is the detailed content of How Nginx uses the OpenSSL library for more secure communication. For more information, please follow other related articles on the PHP Chinese website!