How to Secure Nginx with SSL and Let's Encrypt in FreeBSD


In this guide we will discuss how to secure the Nginx web server in FreeBSD with TLS/SSL certificates issued by the Let's Encrypt Certificate Authority. We will also show you how to automatically renew the Let's Encrypt certificates before their expiration date.

TLS, an acronym for Transport Layer Security, is a protocol that runs underneath the HTTP protocol and uses certificates and keys to encapsulate packets and encrypt the data exchanged between a server and a client, or in this case between the Nginx web server and a client browser, in order to secure the connection so that a third party who intercepts the traffic cannot decrypt the transmission.

The process of obtaining a free Let's Encrypt certificate in FreeBSD can be greatly simplified by installing the certbot client utility, which is the official Let's Encrypt client used for generating and downloading certificates.

  1. Install the FBEMP (Nginx, MariaDB and PHP) Stack in FreeBSD

Step 1: Configure Nginx TLS/SSL

1. By default, the TLS/SSL server configuration is not enabled in FreeBSD because the TLS server block statements are commented out in the default Nginx configuration file.

To enable the TLS server in Nginx, open the nginx.conf configuration file, find the line that defines the start of the SSL server and update the whole block to look like the sample below.

# nano /usr/local/etc/nginx/nginx.conf

Nginx HTTPS server block excerpt:

server {
    listen 443 ssl default_server;
    server_name www.yourdomain.com;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    error_page 500 502 503 504 /50x.html;

    location = /50x.html {
        root /usr/local/www/nginx-dist;
    }

    location / {
        root /usr/local/www/nginx;
        index index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
    }

    ssl_certificate "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem";
    ssl_certificate_key "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /usr/local/etc/nginx/dhparam.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Use gzip compression
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 5;
    gzip_buffers 16 8k;
    gzip_http_version 1.0;

    # Set a variable to work around the lack of nested conditionals
    set $cache_uri $request_uri;

    location ~ /.well-known {
        allow all;
    }

    location ~ \.php$ {
        root /usr/local/www/nginx;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        #fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        include fastcgi_params;
    }
}

The above block, in addition to the SSL statements, also contains some directives for enabling gzip compression and the FastCGI process manager, which passes PHP code to the PHP-FPM gateway in order to run dynamic web applications.

After you have added the above code to the main Nginx configuration file, do not restart the daemon or apply the settings before installing certbot and obtaining the Let's Encrypt certificate for your domain.
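Before the daemon is restarted it is worth linting the TLS server block for the settings a reviewer would flag: TLSv1 and TLSv1.1 are deprecated protocol versions, ssl_certificate should reference fullchain.pem (which certbot also writes, as its output later in this guide shows) so the intermediate chain is served, and an HSTS header keeps browsers from falling back to plain HTTP. The script below is an added example, not code from the original article; it uses only POSIX sh, grep and sed, and the two sample configurations it lints are constructed here, one mirroring the block above and one hardened variant.

```shell
#!/bin/sh
# check_nginx_tls.sh: lint an Nginx TLS server block for three common
# weaknesses before the daemon is restarted. Added example, not part of the
# original article; needs only POSIX sh, grep and sed.

# Print one finding per line for the configuration file given as $1 and
# return the number of findings (0 means nothing was flagged).
check_nginx_tls() {
    conf=$1
    n=0
    # Drop comments so commented-out directives are not matched.
    body=$(sed 's/#.*$//' "$conf")

    # 1. Deprecated protocol versions. TLSv1 and TLSv1.1 are rejected by
    #    current browsers and only widen the attack surface.
    if printf '%s\n' "$body" | grep -E 'ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' >/dev/null; then
        echo "WEAK: ssl_protocols enables TLSv1/TLSv1.1; use 'ssl_protocols TLSv1.2 TLSv1.3;'"
        n=$((n + 1))
    fi

    # 2. Leaf certificate only. certbot also writes fullchain.pem; without the
    #    intermediate chain some clients cannot validate the certificate.
    if printf '%s\n' "$body" | grep -E 'ssl_certificate[[:space:]]+"?[^;"]*/cert\.pem' >/dev/null; then
        echo "WEAK: ssl_certificate points at cert.pem; use fullchain.pem"
        n=$((n + 1))
    fi

    # 3. No HSTS header, so a downgrade to plain HTTP is not prevented.
    if ! printf '%s\n' "$body" | grep -E 'add_header[[:space:]]+Strict-Transport-Security' >/dev/null; then
        echo "MISSING: add_header Strict-Transport-Security"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample mirroring the TLS directives of the server block above.
write_weak_sample() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl default_server;
    server_name www.yourdomain.com;
    ssl_certificate "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem";
    ssl_certificate_key "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
EOF
}

# Constructed hardened variant of the same block.
write_hardened_sample() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl default_server;
    server_name www.yourdomain.com;
    ssl_certificate "/usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem";
    ssl_certificate_key "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# Usage: ./check_nginx_tls.sh /usr/local/etc/nginx/nginx.conf
# With no argument, lint the two constructed samples instead.
if [ -n "${1:-}" ]; then
    check_nginx_tls "$1"
else
    tmp=$(mktemp -d)
    write_weak_sample "$tmp/weak.conf"
    write_hardened_sample "$tmp/hardened.conf"
    for f in "$tmp/weak.conf" "$tmp/hardened.conf"; do
        echo "== $f"
        check_nginx_tls "$f" || echo "   ($? finding(s))"
    done
    rm -rf "$tmp"
fi
```

The exit status equals the number of findings, so the script can gate a deployment step; on the constructed weak sample it reports three findings and on the hardened sample none.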

Step 2: Install the Certbot Client in FreeBSD

2. Installing the Let's Encrypt certbot client utility in FreeBSD involves downloading the source code for py-certbot and compiling it locally, by issuing the commands below.

# cd /usr/ports/security/py-certbot
# make install clean

3. Compiling the py-certbot utility takes a long time compared to installing a regular binary package. During this time, a series of dependencies needs to be downloaded and compiled locally in FreeBSD.

Also, a series of prompts will appear on your screen, asking you to select which options will be used at compile time for each dependency. On the first screen, select the following options, by pressing the [space] key, for compiling the python27 dependency, as illustrated in the image below.

  • IPV6
  • LIBFFI
  • NLS
  • PYMALLOC
  • THREADS
  • UCS4 for Unicode support

4. Next, select DOCS and THREADS for the gettext-tools dependency and press OK to continue, as shown in the image below.

5. On the next screen, leave the TESTS option disabled for libffi-3.2.1 and press OK to move forward.

6. Next, hit space to select DOCS for the py27-enum34 dependency, which will install the documentation for this tool, and press OK to continue, as illustrated in the screenshot below.

7. Finally, choose to install the example samples for the py27-openssl dependency by pressing the [space] key and hit OK to finish the compile and install process for the py-certbot client.

8. After the process of compiling and installing the py-certbot utility finishes, run the command below in order to upgrade the utility to the latest version of the package, as illustrated in the screenshots below.

# pkg install py27-certbot

9. To avoid some issues that may occur while obtaining the free Let's Encrypt certificate, the most common error being "pkg_resources.DistributionNotFound", make sure the following two dependencies are also present in your system: py27-salt and py27-acme.

# pkg install py27-salt
# pkg install py27-acme

Step 3: Obtain a Let's Encrypt Certificate for Nginx on FreeBSD

10. In order to obtain a Let's Encrypt certificate for your domain using the standalone method, run the following command and supply your domain name and all the subdomains you want to obtain certificates for via the -d flag.

# certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com

11. While generating the certificate you will be asked to enter your email address and to agree with the Let's Encrypt terms of service. Type a on the keyboard to agree and continue, and you will also be asked whether you want to share your email address with Let's Encrypt partners.

In case you don't want to share your email address, just type the word no at the prompt and press the [enter] key to continue. After the certificates for your domain have been obtained successfully, you will receive some important notes that tell you where the certificates are stored in your system and when they will expire.

12. If you want to obtain a Let's Encrypt certificate using the "webroot" plugin by supplying the webroot directory of the Nginx server for your domain, issue the following command with the --webroot and -w flags. By default, if you have not changed the Nginx webroot path, it should be located in the /usr/local/www/nginx/ system path.

# certbot certonly --webroot -w /usr/local/www/nginx/ -d yourdomain.com -d www.yourdomain.com

As with the --standalone method for obtaining a certificate, the --webroot method will also ask you to provide an email address for certificate renewal and security notices, to press a to agree with the Let's Encrypt terms and conditions, and to answer no or yes to sharing your email address with Let's Encrypt partners, as illustrated in the sample below.

Be aware that the certbot client can detect a fake email address and will not let you continue generating a certificate until you provide a real email address.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email   #A fake email address will be detected
There seem to be problems with that address. Enter email address (used for
urgent renewal and security notices)  If you really want to skip this, you can
run the client with --register-unsafely-without-email but make sure you then
backup your account key from /etc/letsencrypt/accounts   (Enter 'c' to cancel):[email 

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.domain.com
Using the webroot path /usr/local/www/nginx/ for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem. Your cert
   will expire on 2017-12-28. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /usr/local/etc/letsencrypt. You should make a secure backup of
   this folder now. This configuration directory will also contain certificates
   and private keys obtained by Certbot so making regular backups of this folder
   is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 4: Update the Nginx TLS Certificates

13. The obtained Let's Encrypt certificates and keys are stored in FreeBSD under the /usr/local/etc/letsencrypt/live/www.yourdomain.com/ system path. Issue the ls command in order to display the components of your Let's Encrypt certificate: the chain file, the fullchain file, the private key and the certificate file, as illustrated in the following example.

# ls /usr/local/etc/letsencrypt/live/www.yourdomain.com/

14. To install the Let's Encrypt certificates for your domain in the Nginx web server, open the main Nginx configuration file, or the configuration file for the Nginx TLS server in case it is a separate file, and modify the lines below to reflect the path of the certificates issued by Let's Encrypt, as explained below.

# nano /usr/local/etc/nginx/nginx.conf

Update these lines to look like in this example:

ssl_certificate "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem";
ssl_certificate_key "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem";

15. Also, if the ssl_dhparam line is present in the Nginx SSL configuration, you should generate a new 2048-bit Diffie-Hellman parameter file with the following command:

# openssl dhparam -out /usr/local/etc/nginx/dhparam.pem 2048

16. Finally, to activate the Nginx TLS configuration, first check the global Nginx configuration for possible syntax errors and then restart the Nginx service to apply the SSL configuration by issuing the following commands.

# nginx -t
# service nginx restart

17. Verify whether the Nginx daemon is bound on port 443 by issuing the following commands, which list all open network sockets in the system that are in the listening state.

# netstat -an -p tcp | grep LISTEN
# sockstat -4

18. You can also visit your domain address over HTTPS by opening a browser and typing the following address in order to verify that the Let's Encrypt certificates are working as expected. Because you are using certificates issued by a valid Certificate Authority, no error should be displayed in the browser.

https://www.yourdomain.com

19. The openssl utility can also help you find information about a certificate obtained from the Let's Encrypt CA, by running the command with the following options.

# openssl s_client -connect www.yourdomain.com:443

In case you want to force Nginx to redirect all HTTP requests received for your domain on port 80 to HTTPS, open the Nginx configuration file, locate the server directive for port 80 and add the line below after the server_name statement, as illustrated in the example below.

rewrite ^(.*) https://www.yourdomain.com$1 permanent;

20. Automatic renewal of the certificates issued by the Let's Encrypt authority before they expire can be set up by scheduling a cron job to run once a day, by issuing the following command.

# crontab -e

Cron job to renew the certificate:

0 0 * * * certbot renew >> /var/log/letsencrypt.log
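The cron line above renews the files on disk, but Nginx keeps serving the certificate it loaded at start-up until it is reloaded, and nothing reports a lineage that is approaching expiry. The wrapper below is an added example, not code from the original article: it runs certbot renew with a deploy hook that tests the configuration and reloads Nginx only when a certificate was actually renewed, and it reports every lineage under the live/ directory whose certificate expires within a given window using openssl x509 -checkend. It assumes the FreeBSD paths used in this guide (/usr/local/etc/letsencrypt/live, the nginx rc service) and an openssl binary in PATH; the install path shown in the cron comment is hypothetical.

```shell
#!/bin/sh
# renew-certs.sh: cron-friendly renewal wrapper for the setup above. Added
# example, not part of the original article. Assumes the FreeBSD paths used
# in this guide (/usr/local/etc/letsencrypt/live, the nginx rc service) and an
# openssl binary in PATH; the script path in the cron comment is hypothetical.

LE_LIVE=${LE_LIVE:-/usr/local/etc/letsencrypt/live}
WARN_DAYS=${WARN_DAYS:-30}

# Return 0 if the certificate in $1 expires within $2 days, 1 if it remains
# valid beyond that window, 2 if the file cannot be read. openssl's -checkend
# exits 0 when the certificate is still valid at now+seconds, so the sense is
# inverted here to read naturally at the call site.
cert_expires_within() {
    pem=$1
    days=$2
    [ -r "$pem" ] || return 2
    if openssl x509 -noout -checkend $((days * 86400)) -in "$pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Report every lineage under a live/ directory ($1) against a window of $2
# days; print one line per lineage and return how many are about to expire.
report_expiry() {
    live=$1
    days=$2
    expiring=0
    for d in "$live"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        rc=0
        cert_expires_within "$d/cert.pem" "$days" || rc=$?
        case $rc in
            0) echo "$name: expires within $days days"; expiring=$((expiring + 1)) ;;
            1) echo "$name: ok" ;;
            *) echo "$name: cert.pem unreadable" ;;
        esac
    done
    return "$expiring"
}

# certbot renew only rewrites the files on disk; Nginx keeps serving the old
# certificate from memory until it is reloaded. The deploy hook runs only when
# a certificate was actually renewed, tests the config first and then reloads.
run_renewal() {
    certbot renew --quiet --deploy-hook "nginx -t && service nginx reload"
}

# Entry point for cron; the RUN_RENEWAL guard lets the functions be sourced
# for testing without invoking certbot. Hypothetical install path:
#   0 0 * * * RUN_RENEWAL=1 /usr/local/sbin/renew-certs.sh >> /var/log/letsencrypt.log 2>&1
if [ -n "${RUN_RENEWAL:-}" ]; then
    echo "$(date) renewal run"
    run_renewal
    report_expiry "$LE_LIVE" "$WARN_DAYS" || echo "$? certificate(s) expire within $WARN_DAYS days"
fi
```

The exit status of report_expiry is the number of lineages inside the window, so the same script can feed a monitoring check; with the default 30-day window it flags certificates that certbot renew should already have replaced, which is exactly the condition worth alerting on.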

That's all! Nginx can now serve secure web applications to your visitors using the free Let's Encrypt certificates.