How to Secure Apache with SSL and Let's Encrypt in FreeBSD


In this tutorial we will learn how to secure the Apache HTTP server with TLS/SSL certificates issued by Let's Encrypt on FreeBSD 11.x. We will also cover how to automate the certificate renewal process for Let's Encrypt.

TLS/SSL certificates are used by the Apache web server to encrypt the communication between endpoints, or more commonly between the server and the client, in order to provide security. Let's Encrypt provides the certbot command-line utility, a tool that makes it easy to obtain trusted certificates for free.

  1. FreeBSD 11.x Installation
  2. 10 Things to Do After FreeBSD Installation
  3. How to Install Apache, MariaDB and PHP in FreeBSD

Step 1: Configure Apache SSL on FreeBSD

1. Before starting to install the certbot utility and to create the TLS configuration file for Apache, first create two separate directories named sites-available and sites-enabled in the Apache root configuration directory by issuing the commands below.

The purpose of these two directories is to make the management of the virtual host configuration in the system easier, without editing the main Apache httpd.conf configuration file every time a new virtual host is added.

# mkdir /usr/local/etc/apache24/sites-available
# mkdir /usr/local/etc/apache24/sites-enabled

2. After creating both directories, open the Apache httpd.conf file with a text editor and add the following line near the end of the file as shown below.

# nano /usr/local/etc/apache24/httpd.conf

Add the following line:

IncludeOptional etc/apache24/sites-enabled/*.conf

3. Next, enable the TLS module for Apache by creating a new file named 020_mod_ssl.conf in the modules.d directory with the following content.

# nano /usr/local/etc/apache24/modules.d/020_mod_ssl.conf

Add the following lines to the 020_mod_ssl.conf file.

Listen 443
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300

4. Now, enable the SSL module directive in the /usr/local/etc/apache24/httpd.conf file by removing the hash sign from the beginning of the following line, as shown below:

LoadModule ssl_module libexec/apache24/mod_ssl.so

5. Next, create the TLS configuration file for your domain in the sites-available directory, preferably named after your domain, as presented in the excerpt below:

# nano /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf

Add the following virtual host configuration to the bsd.lan-ssl.conf file.

<VirtualHost *:443>
    ServerName www.yourdomain.com
    ServerAlias yourdomain.com
    DocumentRoot "/usr/local/www/apache24/data/"
    SSLEngine on

    SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem"
    SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "/usr/local/www/apache24/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog "/var/log/apache/httpd-ssl_request.log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <Directory "/usr/local/www/apache24/data/">
        Options Indexes FollowSymLinks MultiViews
        # AllowOverride controls what directives may be placed in .htaccess files.
        AllowOverride All
        # Controls who can get stuff from this server file
        Require all granted
    </Directory>

    ErrorLog "/var/log/apache/yourdomain.ssl-error.log"
    CustomLog "/var/log/apache/yourdomain.ssl-access_log" combined

</VirtualHost>

Make sure you replace the domain name placeholder in the ServerName, ServerAlias, ErrorLog and CustomLog statements accordingly.

Step 2: Install Let's Encrypt on FreeBSD

6. In the next step, issue the following commands to install the certbot utility provided by Let's Encrypt, which will be used to obtain the free TLS certificates for your Apache domain.

While installing certbot, a series of prompts will appear on your screen. Use the screenshot below to configure the certbot utility. Also, compiling and installing the certbot utility can take some time, depending on your machine's resources.

# cd /usr/ports/security/py-certbot
# make install clean

7. After the compilation process finishes, issue the commands below in order to update the certbot utility and the dependencies required by certbot.

# pkg install py27-certbot
# pkg install py27-acme

8. In order to obtain a certificate for your domain, issue the command as shown below. Make sure you provide the correct webroot location where your web files are stored in the filesystem (the DocumentRoot directive from your domain configuration file) using the -w flag. If you have multiple subdomains, add all of them with the -d flag.

# certbot certonly --webroot -w /usr/local/www/apache24/data/ -d yourdomain.com -d www.yourdomain.com

While obtaining the certificate, provide an email address for certificate renewal notices, press a to agree with the Let's Encrypt terms and conditions, and n to not share the email address with Let's Encrypt partners.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email 
There seem to be problems with that address. Enter email address (used for
urgent renewal and security notices)  If you really want to skip this, you can
run the client with --register-unsafely-without-email but make sure you then
backup your account key from /etc/letsencrypt/accounts   (Enter 'c' to cancel):[email 

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.domain.com
Using the webroot path /usr/local/www/apache24/data for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem. Your cert
   will expire on 2017-11-15. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /usr/local/etc/letsencrypt. You should make a secure backup of
   this folder now. This configuration directory will also contain certificates
   and private keys obtained by Certbot so making regular backups of this folder
   is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

9. After you have obtained the certificates for your domain, you can run the ls command to list all the certificate components (chain, private key, certificate) as presented in the example below.

# ls -al /usr/local/etc/letsencrypt/live/www.yourdomain.com/

Step 3: Update the Apache TLS Certificates on FreeBSD

10. In order to add the Let's Encrypt certificates to your website, open the Apache configuration file for your domain and update the following lines to reflect the path of the issued certificates.

# nano /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf

Add the following TLS certificate lines:

    SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem"
    SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem"

11. Finally, enable the TLS configuration file by creating a symlink for your domain's TLS configuration file in the sites-enabled directory, check the Apache configuration for possible syntax errors and, if the configuration is fine, restart the Apache daemon by issuing the commands below.

# ln -sf /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf /usr/local/etc/apache24/sites-enabled/
# apachectl -t
# service apache24 restart

12. To check whether the Apache service is listening on HTTPS port 443, issue the following command to list the httpd sockets.

# sockstat -4 | grep httpd

13. You can navigate to your domain address from a web browser via the HTTPS protocol in order to verify that the Let's Encrypt certificates have been applied successfully.

https://www.yourdomain.com

14. To obtain additional information about the issued Let's Encrypt certificate from the command line, use the openssl command as follows.

# openssl s_client -connect www.yourdomain.com:443
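As an added example (not part of the original tutorial), the following Python script performs the same check programmatically: it connects to the site the way a browser does, verifying the chain served from fullchain.pem against the system trust store, and then reports the issuer, the SAN names and the days left before the certificate expires, which is the value to watch when scheduling "certbot renew". The hostname www.yourdomain.com and the constructed SAMPLE_CERT are assumptions; the notAfter date matches the expiry certbot printed above.

```python
import socket
import ssl
from datetime import datetime, timezone

def evaluate_cert(cert, hostname, now, warn_days=30):
    """Summarise a certificate dict in the shape ssl.SSLSocket.getpeercert()
    returns and list what an administrator should act on."""
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    findings = []
    if hostname not in sans:  # exact match only; browsers ignore the subject CN
        findings.append("%s is not in the SAN list %s (add it with another -d)" % (hostname, sans))
    if days_left < 0:
        findings.append("certificate expired on %s" % expires.date())
    elif days_left < warn_days:
        findings.append("certificate expires in %d days, run 'certbot renew'" % days_left)
    return {"issuer": issuer.get("organizationName"), "sans": sans,
            "days_left": days_left, "findings": findings}

def check_site(hostname, port=443, timeout=5):
    """Connect like a browser would: the default context verifies the chain
    against the system trust store and checks the hostname, so a wrong
    SSLCertificateChainFile shows up here as a verification error."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                report = evaluate_cert(tls.getpeercert(), hostname, datetime.now(timezone.utc))
                report["protocol"] = tls.version()   # e.g. TLSv1.2, never SSLv3 with the config above
                report["cipher"] = tls.cipher()[0]
                return report
    except ssl.SSLCertVerificationError as exc:
        return {"findings": ["chain or hostname rejected: %s" % exc.verify_message]}

# Constructed sample in getpeercert() format, standing in for a live Let's Encrypt certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "subjectAltName": (("DNS", "www.yourdomain.com"), ("DNS", "yourdomain.com")),
    "notAfter": "Nov 15 12:00:00 2017 GMT",   # the expiry date certbot printed above
}
SAMPLE_NOW = datetime(2017, 10, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_site(sys.argv[1]))          # live check, e.g. www.yourdomain.com
    else:
        print(evaluate_cert(SAMPLE_CERT, "www.yourdomain.com", SAMPLE_NOW))
```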

15. You can also verify whether the traffic is encrypted with a valid certificate provided by the Let's Encrypt CA from a mobile device, as illustrated in the mobile screenshot below.

That's all! Clients can now visit your website securely, because the traffic flowing between the server and the client's browser is encrypted. For more complex tasks regarding the certbot utility, visit the following link: https://certbot.eff.org/