Master HTTPS and Advanced Nginx Rewrite: From SSL Setup to Anti‑Hotlinking

nginx HTTPS configuration

What is HTTPS

HTTPS (Hypertext Transfer Protocol Secure) protects communication between a browser and a web server by encrypting data using SSL/TLS. It prevents attackers from reading or modifying transferred data.

HTTPS uses SSL/TLS to establish an encrypted link; TLS is the newer version of SSL.

What is SSL

SSL is a standard security technology that creates encrypted links between systems. HTTPS is essentially HTTP over SSL. SSL certificates (digital certificates) verify server identity and enable encryption.

HTTP vs HTTPS comparison

HTTP transfers data in plain text on port 80, while HTTPS transfers encrypted data on port 443, providing security.

Advantages of HTTPS

Secure communication via encrypted links.

Data integrity – encrypted data cannot be altered.

Privacy – prevents passive listening.

Improved performance – encryption can reduce data size.

SEO benefits – browsers label HTTP sites as “Not Secure”.

Generating certificates with OpenSSL

OpenSSL is a full‑featured toolkit for TLS/SSL.

Check nginx SSL module

nginx requires the http_ssl_module; verify with

nginx -V

.

Create a private key and self‑signed CA certificate

<code>> cd /etc/pki/CA
(umask 077; openssl genrsa 2048 > private/cakey.pem)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:wanger
Organizational Unit Name (eg, section) []:wanger
Common Name (eg, your name or your server's hostname) []:CA.wanger.com
Email Address []:[email protected]
>> touch serial
>> echo 01 >serial
>> touch index.txt</code>

Create an nginx certificate request

<code>> mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
(umask 077; openssl genrsa 1024 > nginx.key)
openssl req -new -key nginx.key -out nginx.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:wanger
Organizational Unit Name (eg, section) []:wanger
Common Name (eg, your name or your server's hostname) []:www.wanger.com
Email Address []:[email protected]
openssl ca -in nginx.csr -out nginx.crt -days 3650</code>

Modify nginx configuration

<code>server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html;
    }
}</code>

Redirect HTTP to HTTPS

<code>server {
    listen 80;
    server_name wanger.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}</code>

Test and reload nginx

<code>nginx -t
nginx -s reload</code>

Rewrite module

The ngx_http_rewrite_module uses PCRE regular expressions to modify request URIs, perform redirects, or conditionally select configuration. Ensure PCRE is installed.

<code># rpm -q pcre
pcre-8.32-17.el7.x86_64</code>

break

Stops processing any further rewrite directives in the current context.

<code>location = /testbreak {
    break;
    return 200 $request_uri;
}</code>

if

Conditional statements with various operators (e.g., =, !=, ~, -f, -d, -e, -x).

<code>if ($request_method = POST ) {
  return 405;
}
if ( !-f $filename ) {
    break;
}</code>

return

Stops processing and returns a status code or redirects.

<code># return code [text];
location = /1 {
    return 200 "this is 1";
}
location = / {
    return 302 http://www.wanger.com;
}
location = / {
    return http://www.wanger.com;
}</code>

rewrite

Used for URL redirection, SEO‑friendly URLs, backend routing, and security.

<code>rewrite ^(.*) http://wanger.com/$1 permanent;</code>

Flags: last, break, redirect (302), permanent (301). “last” restarts URI processing, “break” stops further processing.

<code>location ~ ^/break {
    rewrite ^/break /test/ break;
}
location ~ ^/last {
    rewrite ^/last /test/ last;
}
location /test/ {
    default_type application/json;
    return 200 '{"status":"success"}';
}</code>

set

Defines a variable.

<code>location /wanger {
    root html;
    index index.html;
    set $var1 "client address is ";
    set $var2 $remote_addr;
    return 200 "$var1$var2";
}</code>

Read‑write separation

Environment

Three servers: 192.168.0.10 (nginx front‑end), 192.168.0.20 (httpd read), 192.168.0.30 (httpd write).

WebDAV

Web Distributed Authoring and Versioning allows remote file creation and editing on a web server.

Enable WebDAV on the write server

<code>vim /etc/httpd/conf/httpd.conf

<Directory "/var/www/html">
    Dav on
</Directory></code>

Restart httpd

<code>systemctl restart httpd</code>

Grant permissions

<code>setfacl -m u:apache:rwx /var/www/html/</code>

Add index files

<code>echo 192.168.0.20 > /var/www/html/index.html
echo 192.168.0.30 > /var/www/html/index.html</code>

Upload test

<code>curl -T zz.txt http://192.168.0.20   # read server (fails 405)
curl -T zz.txt http://192.168.0.30   # write server (succeeds)</code>

Configure nginx for read‑write separation

<code>location /wanger {
    root html;
    index index.html index.htm;
    proxy_pass http://192.168.0.20/;
    if ($request_method = "PUT") {
        proxy_pass http://192.168.0.30;
    }
}</code>

<code>nginx -s reload</code>

Anti‑hotlinking

What is hotlinking

Hotlinking displays resources from another server without storing them locally, increasing the source server’s load. Nginx’s

valid_referers

directive can mitigate it.

valid_referers syntax

Directive:

valid_referers none | blocked | server_names | string …;

Demo

Configure a server to serve images only when the Referer matches allowed domains.

<code>location ~ .*\\.(jpg|gif|png)$ {
    valid_referers none blocked .*wanger.com;
    if ($invalid_referer) {
        return 403;
    }
}</code>