External services are accessed through nginx. At present the client only performs one-way authentication of the server, so only nginx needs to be configured:
In addition, to improve nginx SSL performance, further configuration items can be added, such as ssl_session_cache.
Both the certificate and the private key are in PEM format (text). If they are self-signed, they can be generated as follows:
Because the client needs to authenticate the server, the certificate must be distributed to the client:
Note: iOS requires the certificate in binary (DER) format, so it needs to be converted.
Note: iOS needs a certificate in BKS format, similar to JKS in Java, so it needs to be converted.
TCP is configured through haproxy:
It can be generated as follows:
Note: server.pem is in PEM format and consists of the certificate and the private key. The server only sends the certificate to the client. In fact, nginx can also put the certificate and private key in one file.
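The steps above (self-signed PEM certificate and key, the combined server.pem for haproxy, and the DER copy for iOS) as one added shell example; it is not from the original post, and the openssl CLI, the output directory, the file names and the subject CN=example.test are assumptions:

```sh
#!/bin/sh
# Added example (not from the original post): build the artifacts described
# above with the openssl CLI. WORKDIR, file names and the subject are made up.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Self-signed certificate plus private key, both PEM text, valid 365 days.
# -nodes leaves the key unencrypted so nginx/haproxy can load it unattended.
gen_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=example.test" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
}

# haproxy expects one file: certificate followed by private key.
# Only the certificate half is ever sent to clients; protect the file anyway.
build_haproxy_pem() {
    cat "$WORKDIR/server.crt" "$WORKDIR/server.key" > "$WORKDIR/server.pem"
    chmod 600 "$WORKDIR/server.key" "$WORKDIR/server.pem"
}

# iOS wants the certificate as binary DER rather than PEM text.
to_der() {
    openssl x509 -in "$WORKDIR/server.crt" -outform DER -out "$WORKDIR/server.der"
}

# Number of PEM blocks in the haproxy bundle (expected: 2, cert + key).
pem_block_count() {
    grep -c '^-----BEGIN' "$WORKDIR/server.pem"
}

# Sanity check before deploying: the public key inside the certificate must
# equal the public key derived from the private key.
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$WORKDIR/server.crt")
    k=$(openssl pkey -pubout -in "$WORKDIR/server.key" 2>/dev/null)
    [ "$c" = "$k" ]
}

# The DER file must parse back as a certificate.
der_is_valid() {
    openssl x509 -inform DER -in "$WORKDIR/server.der" -noout
}

gen_self_signed
build_haproxy_pem
to_der
key_matches_cert && der_is_valid && echo "ok: files in $WORKDIR"
```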
After installation and configuration are complete, you can view the server's certificate, protocol version, cipher suites and other information using the scripts provided by nmap. Take Baidu as an example:
Note: the nmap script limits the port it scans, so if your application is not served on port 443 you need to modify the script. Scripts are typically located in /usr/share/nmap/scripts.
For Java's support for SSL and TLS, you can refer to this article. To avoid similar problems, the cipher suites need to be configured with the ssl_ciphers directive.
In addition, because OpenSSL uses random numbers, you can refer to this article for its configuration.
1. Configure the https server
2. haproxy ssl configuration
3. Set SSL termination for TCP upstream
4. Netty ssl
5. iOS 9 ATS adaptation