How to Secure Nginx with Let's Encrypt on Ubuntu and Debian


Following the previous Let's Encrypt tutorial on Apache SSL, in this article we will discuss how to generate and install a free SSL/TLS certificate issued by the Let's Encrypt CA for the Nginx webserver on Ubuntu or Debian.

  1. Secure Apache with Free Let's Encrypt on Ubuntu and Debian
  2. Install Let's Encrypt SSL to Secure Apache on RHEL and CentOS

  1. A registered domain with valid DNS A records that point back to the IP address of your server.
  2. An installed Nginx web server with SSL and a Vhost enabled, in case you plan to host multiple domains or subdomains.

Step 1: Installing the Nginx Web Server

1. In the first step, install the Nginx web server, if it is not already installed, by issuing the command below:

$ sudo apt-get install nginx

Step 2: Generate a Let's Encrypt SSL Certificate for Nginx

2. Before generating a free SSL/TLS certificate, install the Let's Encrypt software in the /usr/local/ filesystem hierarchy with the help of the git client by issuing the commands below:

$ sudo apt-get -y install git
$ cd /usr/local/
$ sudo git clone https://github.com/letsencrypt/letsencrypt

3. Although the procedure for obtaining a certificate for Nginx is not automated, you can still manually generate and install a free SSL certificate for Nginx by using the Let's Encrypt Standalone plugin.

This method requires that port 80 not be in use on your system for a short period of time while the Let's Encrypt client validates the server's identity before generating the certificate.

If you are already running Nginx, stop the service by issuing the following command.

$ sudo service nginx stop
OR
$ sudo systemctl stop nginx

If you are running another service that binds to port 80, stop that service as well.

4. Confirm that port 80 is free by using the netstat command:

$ sudo netstat -tlpn | grep 80
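The grep 80 filter in step 4 also matches port 8080 and any PID that contains "80", so a non-empty result does not prove port 80 is taken. The following is an added example, not part of the original article, that reports only sockets listening on exactly port 80; the function names and the netstat sample are constructed for illustration.

```bash
#!/bin/bash
# Added example: report only sockets listening on exactly port 80.
# Reads `netstat -tlpn` output on stdin; prints "local-address<TAB>pid/program".

port80_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Field 4 is the local address, e.g. 0.0.0.0:80 or :::80;
            # the port is whatever follows the last colon.
            n = split($4, parts, ":")
            if (parts[n] != "80") next
            # The program name may contain spaces, so join fields 7..NF.
            prog = $7
            for (i = 8; i <= NF; i++) prog = prog " " $i
            print $4 "\t" prog
        }'
}

# Returns 0 when port 80 is free, 1 when something still holds it.
port80_is_free() {
    [ -z "$(port80_listeners)" ]
}

# Constructed sample of `sudo netstat -tlpn` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      680/sshd
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1412/java
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2180/nginx: master
tcp6       0      0 :::80                   :::*                    LISTEN      2180/nginx: master'

if [ "${1:-}" = "--live" ]; then
    # Check the real host instead of the sample.
    sudo netstat -tlpn | port80_listeners
else
    printf '%s\n' "$SAMPLE_NETSTAT" | port80_listeners
fi
```

On the sample, grep 80 matches four lines (sshd with PID 680 and the Java service on 8080 included), while the function reports only the two Nginx listeners.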

5. Now it's time to run letsencrypt to obtain an SSL certificate. Go to the Let's Encrypt installation directory found at the /usr/local/letsencrypt path and run the letsencrypt-auto command, providing the --standalone option and the -d flag for every domain or subdomain you want to generate a certificate for.

$ cd /usr/local/letsencrypt
$ sudo ./letsencrypt-auto certonly --standalone -d your_domain.tld 

6. Enter the email address that Let's Encrypt will use for lost key recovery or urgent notices.

7. Agree to the terms of the license by pressing the Enter key.

8. Finally, if everything went well, a message similar to the screenshot below should appear on your terminal console.

Step 3: Install the Let's Encrypt SSL Certificate in Nginx

9. Now that your SSL certificate has been generated, it's time to configure the Nginx webserver to use it. The new SSL certificates are placed in /etc/letsencrypt/live/ under a directory named after your domain name. Run the ls command to list the certificate files issued for your domain.

$ sudo ls /etc/letsencrypt/live/
$ sudo ls -al /etc/letsencrypt/live/caeszar.tk

10. Next, open the /etc/nginx/sites-available/default file with a text editor and add the following block after the first commented line that marks the beginning of the SSL block. Use the screenshot below as a guide.

$ sudo nano /etc/nginx/sites-enabled/default

Nginx block excerpt:

# SSL configuration
        #
        listen 443 ssl default_server;
        ssl_certificate /etc/letsencrypt/live/caeszar.tk/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/caeszar.tk/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;

Replace the domain name values for the SSL certificates accordingly.
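The ssl_protocols line in the block above still enables TLSv1 and TLSv1.1, which RFC 8996 deprecates. The following is an added example, not part of the original article, that audits the TLS directives for deprecated protocols and for DHE cipher suites configured without ssl_dhparam; the function name, the finding labels and the corrected protocol line are assumptions of this example.

```bash
#!/bin/bash
# Added example: audit Nginx TLS directives read from stdin.
# Prints one finding per line; prints nothing when no issue is found.

audit_nginx_tls() {
    awk '
        { sub(/#.*/, "") }                           # drop comments
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                    print "deprecated-protocol " p
            }
        }
        $1 == "ssl_ciphers" {
            s = $0; sub(/^[ \t]*ssl_ciphers/, "", s)
            gsub(/[^A-Za-z0-9+:!_-]/, "", s)         # strip quotes, spaces, ";"
            n = split(s, c, ":")
            for (i = 1; i <= n; i++) {
                t = "+" c[i] "+"                     # EDH or DHE as a whole keyword
                if (t ~ /[+]k?(EDH|DHE)[+]/ || c[i] ~ /^(EDH|DHE)-/) dhe = 1
            }
        }
        $1 == "ssl_dhparam" { dhparam = 1 }
        END { if (dhe && !dhparam) print "dhe-without-dhparam" }'
}

# Copy of the TLS directives from the block above (domain as shown in the article).
PAGE_CONF="listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/caeszar.tk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/caeszar.tk/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /etc/nginx/ssl/dhparams.pem;"

# Corrected variant (assumption of this example): only the protocol line changes.
FIXED_CONF=$(printf '%s\n' "$PAGE_CONF" |
    sed 's/^ssl_protocols .*/ssl_protocols TLSv1.2 TLSv1.3;/')

printf 'article block:\n';   printf '%s\n' "$PAGE_CONF"  | audit_nginx_tls
printf 'corrected block:\n'; printf '%s\n' "$FIXED_CONF" | audit_nginx_tls
```

TLSv1.3 in ssl_protocols requires Nginx 1.13.0 or later built against OpenSSL 1.1.1 or later; on older builds keep only TLSv1.2.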

11. In the next step, generate a strong Diffie-Hellman cipher in the /etc/nginx/ssl/ directory to protect your server against the Logjam attack by running the following commands.

$ sudo mkdir /etc/nginx/ssl
$ cd /etc/nginx/ssl
$ sudo openssl dhparam -out dhparams.pem 2048

12. Finally, restart the Nginx daemon to apply the changes.

$ sudo systemctl restart nginx

and test your SSL certificate by visiting the URL below.

https://www.ssllabs.com/ssltest/analyze.html

Step 4: Auto-Renew Let's Encrypt Nginx Certificates

13. Certificates issued by the Let's Encrypt CA are valid for 90 days. To renew the files automatically before the expiration date, create the ssl-renew.sh bash script in the /usr/local/bin/ directory with the following content.

$ sudo nano /usr/local/bin/ssl-renew.sh

Add the following content to the ssl-renew.sh file.

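#!/bin/bash
# Renew the Let's Encrypt certificate with the webroot plugin, then reload Nginx.

cd /usr/local/letsencrypt || exit 1
# Reload Nginx only if the renewal succeeded; otherwise exit non-zero so the failure is visible in the cron log.
if sudo ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/var/www/html/ -d your_domain.tld; then
    sudo systemctl reload nginx
else
    exit 1
fi
exit 0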

Replace the --webroot-path value to match your Nginx document root. Make sure the script is executable by issuing the following command.

$ sudo chmod +x /usr/local/bin/ssl-renew.sh

14. Finally, add a cron job that runs the script every two months at midnight to ensure that your certificate is updated approximately 30 days before it expires.

$ sudo crontab -e

Add the following line at the bottom of the file.

0 1 1 */2 * /usr/local/bin/ssl-renew.sh >> /var/log/your_domain.tld-renew.log 2>&1

That's it! Your Nginx server is now serving SSL content using a free Let's Encrypt SSL certificate.