How to Secure Nginx with Let's Encrypt on Ubuntu and Debian


Following the previous Let's Encrypt tutorial on Apache SSL, this article discusses how to generate and install a free SSL/TLS certificate issued by the Let's Encrypt CA for the Nginx web server on Ubuntu or Debian.

Related articles:

  1. Secure Apache with Free Let's Encrypt on Ubuntu and Debian
  2. Install Let's Encrypt SSL to Secure Apache on RHEL and CentOS

Requirements:

  1. A registered domain with valid DNS A records pointing to your server's IP address.
  2. An installed Nginx web server with SSL and Vhost enabled, in case you plan to host multiple domains or subdomains.

Step 1: Installing Nginx Web Server

1. In the first step, install the Nginx web server, if it is not already installed, by issuing the command below:

$ sudo apt-get install nginx

Step 2: Generate a Let's Encrypt SSL Certificate for Nginx

2. Before generating a free SSL/TLS certificate, install the Let's Encrypt software in the /usr/local/ filesystem hierarchy with the help of the git client by issuing the commands below:

$ sudo apt-get -y install git
$ cd /usr/local/
$ sudo git clone https://github.com/letsencrypt/letsencrypt

3. Although the process of obtaining a certificate for Nginx is automated, you can still manually create and install a free SSL certificate for Nginx by using the Let's Encrypt Standalone plugin.

This method requires that port 80 is not in use on your system for a short period of time while the Let's Encrypt client validates the server's identity before generating the certificate.

In case you are already running Nginx, stop the service by issuing the following command.

$ sudo service nginx stop
OR
$ sudo systemctl stop nginx

In case you are running another service that binds to port 80, stop that service as well.

4. Confirm that port 80 is free by running the netstat command:

$ sudo netstat -tlpn | grep 80

5. Now it's time to run letsencrypt in order to obtain an SSL certificate. Go to the Let's Encrypt installation directory found in the /usr/local/letsencrypt system path and run the letsencrypt-auto command, providing the --standalone option and the -d flag for each domain or subdomain you want to generate a certificate for.

$ cd /usr/local/letsencrypt
$ sudo ./letsencrypt-auto certonly --standalone -d your_domain.tld 

6. Enter the email address that will be used by Let's Encrypt for lost key recovery or urgent notices.

7. Agree with the terms of the license by pressing the Enter key.

8. Finally, if everything went successfully, a success message should appear on your terminal console.

Step 3: Install Let's Encrypt SSL Certificate in Nginx

9. Now that your SSL certificate has been generated, it's time to configure the Nginx web server to use it. The new SSL certificates are placed in /etc/letsencrypt/live/ under a directory named after your domain name. Run the ls command to list the certificate files issued for your domain.

$ sudo ls /etc/letsencrypt/live/
$ sudo ls -al /etc/letsencrypt/live/caeszar.tk

10. Next, open the /etc/nginx/sites-enabled/default file with a text editor and add the following block after the first commented line that marks the beginning of the SSL block.

$ sudo nano /etc/nginx/sites-enabled/default

Nginx block excerpt:

        # SSL configuration
        #
        listen 443 ssl default_server;
        ssl_certificate /etc/letsencrypt/live/caeszar.tk/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/caeszar.tk/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;

Replace the domain name values for the SSL certificates accordingly.
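TLS 1.0 and 1.1, which the ssl_protocols line above still enables, were formally deprecated by RFC 8996. The following check is an added example, not part of the original article: it reports every legacy protocol version listed in an active ssl_protocols directive. The function names and the two sample configuration files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag legacy protocol versions in nginx ssl_protocols lines.

# weak_protocols <file>
# Prints "<line-number>:<protocol>" for each SSLv2/SSLv3/TLSv1/TLSv1.1 entry
# found in an active (uncommented) ssl_protocols directive.
weak_protocols() {
    awk '
        { sub(/#.*/, "") }                 # strip comments before matching
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i
                sub(/;$/, "", p)           # drop the trailing semicolon
                if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print NR ":" p
            }
        }
    ' "$1"
}

# make_samples: writes two constructed config files into a temporary
# directory and prints its path. article.conf carries the directive from
# this page; restricted.conf limits the server to TLS 1.2 and 1.3.
make_samples() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'listen 443 ssl default_server;' \
        'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' > "$dir/article.conf"
    printf '%s\n' 'listen 443 ssl default_server;' \
        '# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' \
        'ssl_protocols TLSv1.2 TLSv1.3;' > "$dir/restricted.conf"
    echo "$dir"
}
```

Run weak_protocols against /etc/nginx/sites-enabled/default after editing it; no output means no legacy version is enabled.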

11. In the next step, generate strong Diffie-Hellman parameters in the /etc/nginx/ssl/ directory in order to protect your server against the Logjam attack by running the following commands.

$ sudo mkdir /etc/nginx/ssl
$ cd /etc/nginx/ssl
$ sudo openssl dhparam -out dhparams.pem 2048

12. Finally, restart the Nginx daemon to apply the changes.

$ sudo systemctl restart nginx

Then test your SSL certificate by visiting the URL below.

https://www.ssllabs.com/ssltest/analyze.html

Step 4: Auto Renew Let's Encrypt Nginx Certificates

13. Certificates issued by the Let's Encrypt CA are valid for 90 days. In order to renew the files automatically before the expiration date, create the ssl-renew.sh bash script in the /usr/local/bin/ directory with the following content.

$ sudo nano /usr/local/bin/ssl-renew.sh

Add the following content to the ssl-renew.sh file.

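#!/bin/bash
# Renew the certificate with the webroot plugin, then reload Nginx.

# Stop if the Let's Encrypt checkout is missing.
cd /usr/local/letsencrypt || exit 1
# Stop without reloading Nginx if the renewal fails.
sudo ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/var/www/html/ -d your_domain.tld || exit 1
sudo systemctl reload nginx
exit 0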

Replace the --webroot-path value to match your Nginx document root. Make sure the script is executable by issuing the following command.

$ sudo chmod +x /usr/local/bin/ssl-renew.sh

14. Finally, add a cron job to run the script every two months at midnight in order to ensure that your certificate will be updated approximately 30 days before it expires.

$ sudo crontab -e

Add the following line at the bottom of the file.

0 1 1 */2 * /usr/local/bin/ssl-renew.sh >> /var/log/your_domain.tld-renew.log 2>&1
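With 90-day certificates and a job that runs only every two months, a single failed run leaves the certificate expired before the next attempt. The following renewal guard is an added example, not part of the original article: it is meant to be scheduled daily and renews only when fewer than 30 days remain. It assumes GNU date and openssl; the function names, the --run switch and the threshold variable are constructed for illustration, and your_domain.tld is the article's placeholder.

```shell
#!/bin/bash
# Added example: renew only when the certificate is close to expiry.
DOMAIN="your_domain.tld"                      # placeholder, as in the article
CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
THRESHOLD_DAYS=30

# days_left "<notAfter=... line from openssl>" <now_epoch>
# Prints the whole days until expiry (zero or negative once expired).
days_left() {
    local end_str end_epoch
    end_str="${1#notAfter=}"
    end_epoch=$(date -u -d "$end_str" +%s) || return 2
    echo $(( (end_epoch - $2) / 86400 ))
}

# needs_renewal "<notAfter line>" <now_epoch> <threshold_days>
# Exit status 0 when renewal is due, 1 when not, 2 on an unparsable date.
needs_renewal() {
    local left
    left=$(days_left "$1" "$2") || return 2
    [ "$left" -lt "$3" ]
}

# Touch the real certificate only when invoked with --run (e.g. from cron).
if [ "${1:-}" = "--run" ]; then
    enddate=$(openssl x509 -enddate -noout -in "$CERT") || exit 1
    if needs_renewal "$enddate" "$(date +%s)" "$THRESHOLD_DAYS"; then
        cd /usr/local/letsencrypt || exit 1
        ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default \
            --webroot-path=/var/www/html/ -d "$DOMAIN" || exit 1
        # Reload only if the resulting configuration still parses.
        nginx -t && systemctl reload nginx
    fi
fi
```

Scheduled daily from root's crontab with the --run argument, a failed renewal is retried the next day instead of two months later.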

That's it! Your Nginx server is now serving SSL content using a free Let's Encrypt SSL certificate.