Setting Up HTTPS with Let's Encrypt SSL Certificate For Nginx on RHEL/CentOS 7/6


Following the previous Let's Encrypt series regarding the Apache or Nginx web server with the SSL/TLS module, this article will guide you on how to generate and install a free SSL/TLS certificate obtained from the Let's Encrypt Certificate Authority, which we will use to secure the HTTP transactions of the Nginx web server on CentOS/RHEL 7/6 and Fedora distributions.

If you are looking to install Let's Encrypt for Apache on RHEL/CentOS 7/6 and Fedora distributions, follow this guide below:

  1. A registered domain name with valid DNS A records pointing back to the server's public IP address.
  2. Nginx web server installed with SSL enabled and Virtual Hosts enabled (only for multiple domains or for hosting subdomains).

Step 1: Install Nginx Web Server

1. In the first step, in case you don't already have the Nginx daemon installed, issue the commands below with root privileges to install the Nginx web server from the EPEL repositories:

# yum install epel-release
# yum install nginx

Step 2: Download or Clone Free Let's Encrypt SSL Certificate

2. The fastest method of installing the Let's Encrypt client on Linux systems is by cloning the packages from the GitHub repositories.

First, install the git client on the system with the command below:

# yum install git

3. After the git client has been installed, change directory to the /opt path and pull the Let's Encrypt software by running the commands below:

# cd /opt
# git clone https://github.com/letsencrypt/letsencrypt

Step 3: Generate a Free Let's Encrypt SSL Certificate for Nginx

4. The process of obtaining a free SSL/TLS certificate for Nginx will be done manually using the Let's Encrypt Standalone plugin.

This method requires that port 80 be free while the Let's Encrypt client validates the server identity and issues the certificates.

Therefore, if Nginx is already running, stop the daemon with the following command and run the ss utility to confirm that port 80 is no longer in use in the network stack.

# service nginx stop
# systemctl stop nginx
# ss -tln

5. Now it's time to obtain the free SSL certificate from Let's Encrypt. Move to the Let's Encrypt installation directory, if you are not there yet, and run the letsencrypt-auto command with the certonly action, the --standalone plugin and a -d flag for each domain or subdomain you want to generate a certificate for, as suggested in the example below.

# cd /opt/letsencrypt
# ./letsencrypt-auto certonly --standalone -d your_domain.tld -d www.yourdomain.tld

6. After a series of packages and dependencies are installed on your machine, Let's Encrypt will prompt you to enter your account email address, which will be used for lost key recovery or urgent notices.

7. Next, you should agree to the license terms by pressing the Enter key.

8. Finally, if everything went as it should, a congratulations message will be displayed on your terminal. The message will also show when the certificate will expire.

Step 4: Install Let's Encrypt SSL Certificate in Nginx

9. Now that you have the free SSL/TLS certificate, it's time to install it in the Nginx web server so that your domain can use it.

All new SSL certificates are placed in /etc/letsencrypt/live/ under a directory named after your domain name. Use the ls command to list the certificate files issued for your domain and identify them.

# sudo ls /etc/letsencrypt/live/
# sudo ls -al /etc/letsencrypt/live/your_domain.tld

10. To install the certificate files in Nginx and enable SSL, open the /etc/nginx/nginx.conf file for editing and add the statements below after the last listen line of the server block. Use the excerpt below as a guide.

# vi /etc/nginx/nginx.conf

Nginx SSL block excerpt:

# SSL configuration
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/your_domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.tld/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Replace the domain name string in the SSL certificate paths to match your own domain.

11. Finally, restart the Nginx service and visit your domain over the HTTPS protocol at https://yourdomain. The page should load smoothly, without any certificate error.

# systemctl restart nginx
# service nginx restart

12. To verify the SSL/TLS certificate and its strength, visit the following link:

https://www.ssllabs.com/ssltest/analyze.html

13. If you get a notification that your server supports weak Diffie-Hellman key exchange and an overall rating of grade B, generate a new Diffie-Hellman parameter file in the /etc/nginx/ssl/ directory to protect your server against the Logjam attack by running the following commands.

# mkdir /etc/nginx/ssl
# cd /etc/nginx/ssl
# openssl dhparam -out dhparams.pem 4096

In this example we've used a 4096-bit key, which takes a long time to generate and adds extra overhead on your server and on SSL handshakes.

In case there is no clear need to use a key of this length and you're not paranoid, you should be safe with a 2048-bit key.

14. After the DH key has been generated, open the Nginx configuration file and add the statements below after the ssl_ciphers line to include the DH key and raise the security level of your domain to an A+ grade.

# vi /etc/nginx/nginx.conf

Add the following excerpt to nginx.conf:

ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_session_timeout 30m;
ssl_session_cache shared:SSL:10m;
ssl_buffer_size 8k;
add_header Strict-Transport-Security max-age=31536000;

15. Restart the Nginx service to apply the changes and re-check your SSL certificate by clearing the previous cached result on the link mentioned above.

# systemctl restart nginx
# service nginx restart
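To see which of the settings from steps 10 to 14 actually separate a grade B from an A+ report, here is an added shell check that is not part of the original article: it reads an Nginx configuration file and flags legacy protocol versions, a missing ssl_dhparam, a missing Strict-Transport-Security header and a cert.pem used in place of fullchain.pem. The two sample configurations are constructed here; the first is the step-10 excerpt as written, the second adds the step-13/14 settings and narrows ssl_protocols to TLSv1.2 and TLSv1.3. Listing TLSv1.3 is an assumption that only holds when Nginx is built against OpenSSL 1.1.1 or later; on older builds keep TLSv1.2 alone.

```shell
#!/bin/bash
# Added example (not from the original article): a small lint for the Nginx SSL
# settings discussed in steps 10-14. Sample configurations are constructed below.

# audit_tls_conf FILE
# Prints one finding per line; the return code is the number of findings (0 = clean).
audit_tls_conf() {
    local conf=$1 findings=0 line

    # 1. Protocols: TLS 1.0 and 1.1 are deprecated; leaving them enabled costs the grade.
    line=$(grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$conf" || true)
    if [ -z "$line" ]; then
        echo "[WEAK] ssl_protocols not set; the Nginx default may still include TLSv1"
        findings=$((findings + 1))
    elif printf '%s\n' "$line" | grep -Eq 'TLSv1(\.1)?([[:space:];]|$)'; then
        echo "[WEAK] legacy protocol versions enabled: $line"
        findings=$((findings + 1))
    fi

    # 2. Server-side cipher preference, as the article sets it.
    if ! grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "[WEAK] ssl_prefer_server_ciphers is not 'on'"
        findings=$((findings + 1))
    fi

    # 3. Custom DH parameters (step 13): without them the EDH ciphers in the list fall
    #    back to a small built-in group, which is what the Logjam attack exploits.
    if ! grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]' "$conf"; then
        echo "[WEAK] no ssl_dhparam; generate one with 'openssl dhparam' (step 13)"
        findings=$((findings + 1))
    fi

    # 4. HSTS header (step 14).
    if ! grep -Eq 'add_header[[:space:]]+Strict-Transport-Security' "$conf"; then
        echo "[WEAK] no Strict-Transport-Security header"
        findings=$((findings + 1))
    fi

    # 5. ssl_certificate must point at fullchain.pem: cert.pem alone omits the
    #    intermediate, and clients that cannot fetch it fail chain validation.
    if grep -E '^[[:space:]]*ssl_certificate[[:space:]]' "$conf" | grep -q '/cert\.pem'; then
        echo "[WEAK] ssl_certificate points at cert.pem; use fullchain.pem"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample 1: the article's step-10 block as written.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
# SSL configuration
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/your_domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.tld/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
EOF

# Constructed sample 2: the same block plus the step-13/14 settings, with the
# protocol list narrowed (TLSv1.3 assumes Nginx built against OpenSSL 1.1.1+).
HARD_CONF=$(mktemp)
cat >"$HARD_CONF" <<'EOF'
# SSL configuration (hardened)
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/your_domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.tld/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_session_timeout 30m;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
EOF

# Usage: ./tls-audit.sh /etc/nginx/nginx.conf
if [ "$#" -gt 0 ]; then
    audit_tls_conf "$1"
    echo "findings: $?"
fi
```

Run it against the live nginx.conf after each of steps 10, 13 and 14 and the finding count should drop from three to zero, mirroring the grade change the article describes on SSL Labs.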

Step 5: Auto Renew Nginx Free Let's Encrypt SSL Certificates

16. The Let's Encrypt CA issues free SSL/TLS certificates valid for 90 days. The certificates can be renewed manually and applied before they expire using the webroot plugin, without stopping your web server, by issuing the commands below:

# ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html/ -d yourdomain.tld -d www.yourdomain.tld
# systemctl reload nginx

When running the above command, make sure you replace the webroot-path to match your web server's document root, as defined by the Nginx root statement.

17. To renew the certificate automatically before it expires, create this bash script from erikaheidi's GitHub in the /usr/local/bin/ directory and add the content below (the script is slightly modified to reflect the Nginx setup).

# vi /usr/local/bin/cert-renew

Add the following lines to the cert-renew file.

#!/bin/bash

webpath='/usr/share/nginx/html/'
domain=$1
le_path='/opt/letsencrypt'
le_conf='/etc/letsencrypt'
exp_limit=30;

# Read the domain list recorded for this certificate in its renewal config.
get_domain_list(){
        certdomain=$1
        config_file="$le_conf/renewal/$certdomain.conf"

        if [ ! -f "$config_file" ] ; then
                echo "[ERROR] The config file for the certificate $certdomain was not found."
                exit 1;
        fi

        domains=$(grep --only-matching --perl-regexp "(?<=domains \= ).*" "${config_file}")
        last_char=$(echo "${domains}" | awk '{print substr($0,length,1)}')

        # Strip a trailing comma so the list can be passed to --domains as-is.
        if [ "${last_char}" = "," ]; then
                domains=$(echo "${domains}" |awk '{print substr($0, 1, length-1)}')
        fi

        echo "$domains";
}

if [ -z "$domain" ] ; then
        echo "[ERROR] you must provide the domain name for the certificate renewal."
        exit 1;
fi

cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"

if [ ! -f "$cert_file" ]; then
        echo "[ERROR] certificate file not found for domain $domain."
        exit 1;
fi

# Expiry as epoch seconds: -enddate prints "notAfter=<date>", so split on '='.
exp=$(date -d "$(openssl x509 -in "$cert_file" -enddate -noout | cut -d= -f2)" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 |bc)

echo "Checking expiration date for $domain..."

if [ "$days_exp" -gt "$exp_limit" ] ; then
        echo "The certificate is up to date, no need for renewal ($days_exp days left)."
        exit 0;
else
        echo "The certificate for $domain is about to expire soon. Starting renewal request..."
        domain_list=$( get_domain_list "$domain" )
        "$le_path"/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path="$webpath" --domains "${domain_list}"
        echo "Reloading Nginx..."
        sudo systemctl reload nginx
        echo "Renewal process finished for domain $domain"
        exit 0;
fi

18. Replace the $webpath variable at the beginning of the script to match your Nginx document root. Make sure the script is executable and that the bc calculator is installed on your system by issuing the following commands.

# chmod +x /usr/local/bin/cert-renew
# yum install bc

You can test the script against your domain by issuing the following command:

# /usr/local/bin/cert-renew yourdomain.tld


19. Finally, to run the certificate renewal process automatically, add a new cron job that runs the script every week, so the certificate is renewed within the 30 days before its expiration date.

# crontab -e

Add the following line at the bottom of the file.

@weekly  /usr/local/bin/cert-renew your_domain.tld >> /var/log/your_domain.tld-renew.log 2>&1
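As an added example that is not part of the original article or of erikaheidi's script, the same expiry decision from steps 17 to 19 can be made without the bc dependency and without slicing the openssl output by column: openssl's -enddate and -checkend options give the notAfter date and a yes/no answer directly, and the day arithmetic fits in shell $(( )). The paths (/opt/letsencrypt, /usr/share/nginx/html/) and the renewal command follow the article; the sample_cert function builds a constructed self-signed certificate for testing, and date -d assumes GNU date, as the article's script does.

```shell
#!/bin/bash
# Added example (not from the original article): the expiry check behind
# cert-renew, rewritten with openssl -enddate/-checkend and shell arithmetic.

LE_PATH='/opt/letsencrypt'          # where the article cloned the client
WEBPATH='/usr/share/nginx/html/'    # Nginx document root used in the article

# parse_not_after "notAfter=Jun 10 12:00:00 2030 GMT" -> epoch seconds (GNU date)
parse_not_after() {
    date -u -d "${1#notAfter=}" +%s
}

# cert_not_after FILE -> epoch seconds of the certificate's notAfter field
cert_not_after() {
    local end
    end=$(openssl x509 -in "$1" -noout -enddate) || return 1
    parse_not_after "$end"
}

# days_left EXP_EPOCH [NOW_EPOCH] -> whole days until expiry (negative once expired);
# NOW_EPOCH is optional so the decision can be tested against a fixed clock
days_left() {
    local exp=$1 now=${2:-$(date +%s)}
    echo $(( (exp - now) / 86400 ))
}

# renew_due DAYS LIMIT -> true when DAYS is inside the renewal window, i.e. the
# article's rule: renew unless more than LIMIT days remain
renew_due() {
    [ "$1" -le "$2" ]
}

# cert_expires_within FILE DAYS -> true when openssl's own -checkend says the
# certificate expires within DAYS; an independent second opinion on days_left
cert_expires_within() {
    [ -r "$1" ] || { echo "[ERROR] cannot read $1" >&2; return 2; }
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1    # still valid beyond the window
    fi
    return 0
}

# sample_cert DAYS -> path of a constructed self-signed certificate valid for DAYS
# (test data only; a real deployment reads /etc/letsencrypt/live/<domain>/)
sample_cert() {
    local dir
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj '/CN=example.test' \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null || return 1
    echo "$dir/fullchain.pem"
}

# renew_domain DOMAIN... -> the article's webroot renewal followed by an Nginx reload;
# list every name that was on the original certificate (e.g. www. as well)
renew_domain() {
    local d flags=""
    for d in "$@"; do flags="$flags -d $d"; done
    # shellcheck disable=SC2086
    "$LE_PATH"/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default \
        --webroot-path="$WEBPATH" $flags && systemctl reload nginx
}

# main DOMAIN [LIMIT_DAYS]: same flow as cert-renew, default window of 30 days
main() {
    local domain=$1 limit=${2:-30} cert exp days
    cert="/etc/letsencrypt/live/$domain/fullchain.pem"
    exp=$(cert_not_after "$cert") || { echo "[ERROR] cannot read $cert" >&2; return 1; }
    days=$(days_left "$exp")
    if renew_due "$days" "$limit"; then
        echo "$domain: $days day(s) left, renewing"
        renew_domain "$domain"
    else
        echo "$domain: $days day(s) left, nothing to do"
    fi
}

# Usage: ./cert-check.sh your_domain.tld [30]
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The two checks deliberately overlap: days_left reproduces the article's arithmetic so the log line stays readable, while cert_expires_within lets openssl do the date parsing, which avoids the locale and column-offset problems of cutting the "Not After" text by character position.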

That's all! Now the Nginx server can serve secured web content with a free SSL/TLS Let's Encrypt certificate on your website.


All rights reserved. © Linux-Console.net • 2019-2024