Nginx rewrite test, HTTPS configuration, SSL workflow, and source code installation

rewrite test

Add this configuration to the nginx configuration file (in the nginx installation directory):

server {
    listen 4040; #Listening port
    location / {
        root /www/ip/129; #html file storage directory
        index index.html; #HTML file returned by default
        rewrite /test/test1/test2/(.*).html /$1.html;
        #Rewrite the /test/test1/test2/xxx.html path to /xxx.html under the html file storage directory
    }
}

In this way, when accessing /test/test1/test2/test.html, the test.html file in the storage directory will be accessed.

When accessing /test/test1/test2/test1.html, the test1.html file in the storage directory will be accessed.

When accessing /test/test1/test2/test2.html, the test2.html file in the storage directory will be accessed.

flag:

redirect (temporary redirect): Adding redirect at the end of rewrite /test/test1/test2/(.*).html /$1.html makes nginx return a temporary redirect response with status code 302.

permanent (permanent redirect): Adding permanent at the end of rewrite /test/test1/test2/(.*).html /$1.html makes nginx return a permanent redirect response with status code 301.

nginx configuration https

Create a cert folder in the nginx directory and cd into it

# Generate the CA's private key
openssl genrsa -out ca.key 2048
# Extract the CA's public key
openssl rsa -in ca.key -pubout -out ca.pub
# Generate the CA's certificate signing request (CSR)
openssl req -new -key ca.key -out ca.csr
# Generate the CA's self-signed certificate
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 365
# Generate the server's private key
openssl genrsa -out server.key 2048
# Generate the server's certificate signing request (CSR)
openssl req -new -key server.key -out server.csr
# Use the CA's ca.crt and ca.key to issue a certificate for the server.csr request
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -days 3650 -out server.crt

After completion, there should be

Then add the following to the nginx configuration file

server {
    listen 443 ssl;
    ssl_certificate cert/server.crt; #The server's certificate; an absolute path also works
    ssl_certificate_key cert/server.key; #The server's private key; an absolute path also works
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_protocols TLSv1.2; #SSLv2 and TLSv1 are obsolete and insecure, so only TLS 1.2 is enabled

    location / {
        root /www/https;
        index index.html;
    }
}

After that, the browser can use the https protocol to access the server. Because we signed this certificate ourselves, the browser does not trust it. For a certificate that browsers recognize, you have to apply for an official digital certificate yourself.

SSL workflow

We captured packets from the previous https access and got the following packets

The SSL workflow is divided into these parts: (* is optional)

First stage:

Client Hello: browser -> server

The client sends its own:

TLS version
Random number: random_client
Cipher suites: key exchange algorithm (to generate session keys), asymmetric encryption algorithm, symmetric encryption algorithm, hashing algorithm (to verify the integrity of the message)
Compression algorithm:
Extensions

Second stage:

Server Hello: server -> browser

The server sends its own:

TLS version
Random number: random_server
Cipher Suite: Unknown (0xcca8)
Compression algorithm: null
Extension: omitted

Certificate: server -> browser
The server sends its certificate to the browser

Server Key Exchange: server -> browser
Parameters for key exchange: public key and signature

Certificate Request (can be omitted): server -> browser

The server asks the client to send its own certificate so that the server can verify the client's identity; this is generally not required.

Server Hello Done: server -> browser: informs the client that the server phase is completed

Third stage:

Certificate: browser -> server (can be omitted)
Premise: if there was a Certificate Request message in the second stage, the client sends its certificate to the server.

Client Key Exchange: browser -> server
Parameters provided by client key exchange: public key (used to generate session keys)

Change Cipher Spec: browser -> server
Cipher spec change notification: the client notifies the server that the data the client sends from now on will be encrypted.

Encrypted Handshake Message: browser -> server
Encrypted handshake message: verifies message integrity

It hashes all previously sent handshake messages and notifies the server that the client has completed its work at this stage

Fourth stage:

Change Cipher Spec: server -> browser
Cipher spec change notification: notifies the client that subsequent data will be encrypted

Encrypted Handshake Message: server -> browser
Encrypted handshake message: a hash over the previous client and server messages, sent encrypted, as a message integrity check

Application Data: encrypted message

Notice:

In the first stage, in Client Hello, the browser passes a random number, random_client.

In the second stage, in Server Hello, the server also passes a random number, random_server.

In the third stage, in Client Key Exchange, the browser passes its own public key. Combined with the public key from Server Key Exchange, this lets both sides compute the same pre-master value.

At this point, both the client and the server hold these three numbers. After that,

Client and server: each feeds (random_client, random_server, pre-master) into the same key derivation algorithm to generate the symmetric encryption key: session_client_key == session_server_key

This key is the symmetric encryption key for subsequent sessions between the client and the server.

This protects the HTTP messages, which are no longer transmitted in clear text.
Note: The session key is never transmitted over the network.
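
The key derivation described above, written out with the TLS 1.2 PRF from RFC 5246 (an added example, not part of the original post; all function names are hypothetical). A toy Diffie-Hellman exchange with constructed, insecure parameters stands in for the real ECDHE exchange, and the 32-byte key and 12-byte IV sizes assume the ChaCha20-Poly1305 suite 0xcca8 seen in the capture.

```python
import hashlib
import hmac
import secrets

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, built on HMAC-SHA256."""
    out, a = b"", seed                       # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)

# Toy finite-field Diffie-Hellman standing in for the ECDHE exchange.
# Constructed demo parameters: far too small for real use.
P = 2**127 - 1
G = 3

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)             # (private, public)

def pre_master(own_priv: int, peer_pub: int) -> bytes:
    # Computed locally on each side; this value never crosses the network.
    return pow(peer_pub, own_priv, P).to_bytes(16, "big")

def session_keys(pms: bytes, random_client: bytes, random_server: bytes) -> dict:
    master = prf(pms, b"master secret", random_client + random_server, 48)
    # Key block for an AEAD suite: two 32-byte keys, two 12-byte IVs, no MAC keys.
    kb = prf(master, b"key expansion", random_server + random_client, 88)
    return {"master_secret": master,
            "client_write_key": kb[0:32], "server_write_key": kb[32:64],
            "client_write_iv": kb[64:76], "server_write_iv": kb[76:88]}

def handshake():
    random_client = secrets.token_bytes(32)  # sent in Client Hello
    random_server = secrets.token_bytes(32)  # sent in Server Hello
    srv_priv, srv_pub = dh_keypair()         # srv_pub travels in Server Key Exchange
    cli_priv, cli_pub = dh_keypair()         # cli_pub travels in Client Key Exchange
    client = session_keys(pre_master(cli_priv, srv_pub), random_client, random_server)
    server = session_keys(pre_master(srv_priv, cli_pub), random_client, random_server)
    return client, server

if __name__ == "__main__":
    c, s = handshake()
    print("session_client_key == session_server_key:", c == s)
```

Only the two random numbers and the two public keys appear on the wire; an observer who captures them still lacks a private key and cannot reproduce the pre-master value or anything derived from it.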

Nginx source code installation

Step one:

First, make sure your Linux system has gcc, gcc-c++, pcre-devel, openssl-devel and wget installed.

If any of them is missing, you can use yum install -y to install it.

Step two:

Download the nginx source code archive

wget http://nginx.org/download/nginx-1.24.0.tar.gz

Step three:

Extract the nginx archive

tar -xf nginx-1.24.0.tar.gz

Step four:

Enter the extracted folder and configure the build

cd nginx-1.24.0

./configure --prefix=/usr/local/nginx #--prefix= is followed by the path nginx will be installed to after compilation

#If an error is reported, please check whether step one was completed.

Step five:

Install nginx according to the previous configuration

make #Compile source code

make install #Install the compiled executable files

#You can also run make && make install in one step

After that, you can open the sbin directory under the installation directory you configured and start nginx.

cd /usr/local/nginx/sbin #the sbin directory under the path you configured in step four

./nginx #Start nginx

If you don't want to switch to this directory every time you start nginx, you can create a soft link to the nginx file and put it in the /usr/sbin directory.

Afterwards, no matter which directory you are in when you enter nginx, the system will go to the /usr/sbin directory, follow the soft link, and execute the file the link points to, which is the nginx file we installed.

Little knowledge: When you enter a command in Linux, the system looks in directories such as /usr/sbin (those listed in the PATH environment variable) for a file with the same name as the entered command. (Similar to path in Windows environment variables)