WEBVTT

00:00.170 --> 00:00.640
Hey, everyone.

00:00.650 --> 00:01.660
And welcome back.

00:01.670 --> 00:08.180
Now, in the earlier video we were discussing HTTPS and the benefits that it offers.

00:08.180 --> 00:15.800
So in today's video, we'll look into the web server based configuration aspect related to HTTPS.

00:15.830 --> 00:21.710
Now, we were discussing that as soon as we open up https://labs.internal.com, automatically we have

00:21.710 --> 00:22.940
the verified sign.

00:22.940 --> 00:28.520
So let's look into how exactly things would work as far as the configuration is concerned.

00:28.520 --> 00:33.650
So this is my website where the labs.internal.com site is hosted.

00:33.650 --> 00:38.600
Now, if you look into the configuration, so everything goes with the configuration, because when you

00:38.600 --> 00:43.580
open up https://labs.internal.com, your browser will send a request to the web server.

00:43.580 --> 00:46.160
So in our case, the web server is Nginx.

00:46.160 --> 00:53.360
So upon the request, the Nginx web server also has to send a certificate back to the web browser in

00:53.360 --> 00:56.420
order for the web browser to be able to verify it.

00:56.420 --> 01:01.070
So the certificate needs to be stored within your web server.

01:01.080 --> 01:03.540
It can be Apache, Nginx as well as IIS.

01:03.720 --> 01:12.090
So if I quickly open up the nginx.conf over here and if you go a bit down here, you have a server block.

01:12.240 --> 01:19.830
So if you go a little down here, so you see this is the configuration specific to the TLS.

01:19.980 --> 01:24.030
So you have the listen directive, which is listen on 443.

01:24.060 --> 01:26.040
So this is listen on 443.

01:26.070 --> 01:29.340
Then you have the SSL certificate over here.

01:29.340 --> 01:33.720
So this is the path where your SSL certificate is stored.

01:33.750 --> 01:36.720
Then you also have the SSL certificate key.

01:36.960 --> 01:43.650
So this is the key, because once the web browser trusts the certificate and it basically sends your encrypted

01:43.650 --> 01:48.630
packet with the public key, which was mentioned in the certificate, then your web server should also

01:48.630 --> 01:53.490
be able to decrypt that message and it could only decrypt the message with the corresponding private

01:53.520 --> 01:53.970
key.

01:53.970 --> 01:59.520
So you also have to mention the corresponding private key path for your web server.

01:59.730 --> 02:03.180
Now the third directive here is the include directive.

02:03.180 --> 02:06.630
So basically this directive, let me show you this.

02:06.990 --> 02:13.020
So if I open this up, so here it basically contains SSL specific configuration.

02:13.020 --> 02:14.880
So the SSL protocols.

02:14.880 --> 02:20.100
So you have TLS version 1.0, TLS version 1.1 and TLS version 1.2.

02:20.130 --> 02:24.150
So these are the SSL protocols which your web browser will support.

02:24.150 --> 02:28.050
So we already discussed that there are various SSL/TLS protocols.

02:28.050 --> 02:34.380
Now you don't really want your web browser to support SSL 3.0 because the protocols which were part

02:34.380 --> 02:36.930
of SSL are deemed to be unsafe.

02:36.930 --> 02:42.240
That means the communication could be compromised, so you should never use the older protocols.

02:42.240 --> 02:48.180
Now, even in this specific configuration, you have TLS version 1.0, TLS version 1.1.

02:48.180 --> 02:54.810
So when you talk about the industry, specifically the industry which basically might take your sensitive

02:54.810 --> 02:56.700
data, for example, credit cards.

02:56.700 --> 03:03.180
So generally when you have auditors who might be coming to your organization, if the auditor sees that

03:03.180 --> 03:08.580
your web server basically allows even the TLS version 1.0 protocol, then they'll say, no, no, this

03:08.580 --> 03:09.600
is not done.

03:09.600 --> 03:12.510
You have to remove the support for the older protocols.

03:12.510 --> 03:18.420
You should only use the latest protocol, maybe 1.2 as well as 1.3.

03:18.420 --> 03:19.680
Nothing older than that.

03:19.680 --> 03:22.710
So they are very strict on these fronts.

03:22.710 --> 03:24.720
So you have to be careful there.

03:24.750 --> 03:31.980
Now, we already discussed that the SSL/TLS protocol in turn contains various cipher suites

03:31.980 --> 03:32.730
that it supports.

03:32.730 --> 03:38.070
So you also have to make sure that whatever cipher suites that are being supported are the correct ones.

03:38.070 --> 03:43.800
So these are some of the configurations that you typically do within your web server.

03:44.010 --> 03:45.690
So let's do one thing.

03:45.690 --> 03:51.750
Let's open up nginx.conf again and let's look into the certificate file.

03:51.750 --> 03:54.150
So this is the PEM file.

03:54.390 --> 04:00.330
So if you just do a nano on the PEM file, you see this is the entire certificate.

04:00.330 --> 04:07.800
So if you want to read it, you can do openssl, you can do x509 -in.

04:07.830 --> 04:12.150
Then you have to basically specify the path of your certificate.

04:12.990 --> 04:16.710
So in our case the path of certificate is this.

04:17.940 --> 04:20.760
So I'll say -text and -noout.

04:22.590 --> 04:26.610
So now you will be able to see what exactly is being supplied.

04:26.620 --> 04:27.810
So similar thing.

04:27.810 --> 04:33.360
So the details that you see over here, similar details you will be able to see within your web browser.

04:33.360 --> 04:36.780
So as we had seen, if you just open this up.

04:38.740 --> 04:44.710
And if you do a view certificate, the web browser gives you a view about everything which is

04:44.710 --> 04:45.790
part of the certificate.

04:45.820 --> 04:48.680
Now, the same thing is something that you will be able to see over here.

04:48.700 --> 04:54.190
So if you see the issuer is Let's Encrypt, it has the validity, it has the subject. The subject is

04:54.190 --> 04:55.340
labs.internal.com.

04:55.360 --> 05:03.190
Then you have the public key specific information and the OCSP and various other details associated

05:03.190 --> 05:04.210
with the certificate.

05:04.240 --> 05:07.570
Now, one last thing before we conclude this video.

05:08.290 --> 05:17.050
If you open up the nginx.conf, so here within the server directive, you see it is listening on 80

05:17.080 --> 05:18.770
as well as 443.

05:18.790 --> 05:20.890
So this is a web server configuration.

05:20.890 --> 05:28.060
So what happens here is that if any user does not put HTTPS within the browser, he will be redirected

05:28.060 --> 05:30.230
to the HTTP based website.

05:30.250 --> 05:37.460
If he puts HTTPS within the browser, then he will be redirected to the HTTPS website.

05:37.460 --> 05:39.650
So if you want to just check it out.

05:39.920 --> 05:42.980
So if I just put labs.internal.com.

05:43.010 --> 05:44.990
This is the HTTP based website.

05:44.990 --> 05:47.730
You see, it does not really have that green lock sign.

05:47.750 --> 05:50.660
If you open up HTTPS, you have the green lock sign.

05:50.660 --> 05:54.580
So all of these configurations can be done from your web server.

05:54.590 --> 05:59.420
Many auditors say that your website should only be based on HTTPS.

05:59.450 --> 06:07.640
It should not serve HTTP traffic, or say if someone puts http://labs.internal.com, it should automatically

06:07.640 --> 06:10.570
redirect to the HTTPS based website.

06:10.580 --> 06:16.570
So there are a lot of configurations that you will be able to do at your web server level.

06:16.580 --> 06:19.760
So this was just the configuration related to Nginx.

06:19.760 --> 06:26.320
Similar configuration applies for Apache, IIS and any other web server that might be used.

06:26.330 --> 06:31.820
So that's the high-level overview about the configuration block for SSL/TLS

06:31.850 --> 06:36.350
within Nginx. I hope this video has been informative for you and I look forward to seeing you

06:36.350 --> 06:37.430
in the next video.
