How to Secure Apache with SSL and Let's Encrypt on FreeBSD


In this tutorial we will learn how to secure an Apache HTTP server with a TLS/SSL certificate from Let's Encrypt on FreeBSD 11.x. We will also cover how to renew Let's Encrypt certificates.

Apache websites use TLS/SSL certificates to encrypt the traffic between the two endpoints, that is, between the server and the client, in order to provide security. Let's Encrypt provides the certbot command-line utility, a tool that can simplify the way you obtain trusted certificates for free.

  1. Install FreeBSD 11.x
  2. Ten things to do after installing FreeBSD
  3. How to install Apache, MariaDB and PHP on FreeBSD

Step 1: Configure Apache SSL on FreeBSD

1. Before installing the certbot utility and creating the TLS configuration file for Apache, first create two separate directories named sites-available and sites-enabled in the Apache root configuration directory by issuing the commands below.

The purpose of these two directories is to manage the virtual-host configuration cleanly on the system, without modifying the main Apache httpd.conf configuration file every time we add a new virtual host.

# mkdir /usr/local/etc/apache24/sites-available
# mkdir /usr/local/etc/apache24/sites-enabled

2. After you have created the two directories, open the Apache httpd.conf file in a text editor and add the following line at the end of the file, as shown below.

# nano /usr/local/etc/apache24/httpd.conf

Add this line:

IncludeOptional etc/apache24/sites-enabled/*.conf

3. Next, enable the TLS module for Apache by creating a new file named 020_mod_ssl.conf in the modules.d directory with the following content.

# nano /usr/local/etc/apache24/modules.d/020_mod_ssl.conf

Add the following lines to the 020_mod_ssl.conf file.

Listen 443
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300

4. Now, uncomment the SSL module in the /usr/local/etc/apache24/httpd.conf file by removing the hash sign from the beginning of the following line, as shown below:

LoadModule ssl_module libexec/apache24/mod_ssl.so

5. Next, create the TLS configuration file for your domain in the sites-available directory, preferably named after your domain, as shown in the excerpt below:

# nano /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf

Add the following virtual-host configuration to the bsd.lan-ssl.conf file.

<VirtualHost *:443>
    ServerName www.yourdomain.com
    ServerAlias yourdomain.com
    DocumentRoot "/usr/local/www/apache24/data/"
    SSLEngine on

    SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem"
    SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "/usr/local/www/apache24/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog "/var/log/apache/httpd-ssl_request.log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <Directory "/usr/local/www/apache24/data/">
        Options Indexes FollowSymLinks MultiViews
        # AllowOverride controls what directives may be placed in .htaccess files.
        AllowOverride All
        # Controls who can get stuff from this server file
        Require all granted
    </Directory>

    ErrorLog "/var/log/apache/yourdomain.ssl-error.log"
    CustomLog "/var/log/apache/yourdomain.ssl-access_log" combined
</VirtualHost>

Make sure you replace the domain name in the ServerName, ServerAlias, ErrorLog and CustomLog statements accordingly.

Step 2: Install Let's Encrypt on FreeBSD

6. In the next step, issue the following commands to install the certbot utility provided by Let's Encrypt, which will be used to obtain a free Apache TLS certificate for your domain.

While installing certbot, a series of prompts will appear on your screen. Use the screenshot below as a guide to configure the certbot utility. Also, compiling and installing the certbot dependencies can take a while, depending on your machine's resources.

# cd /usr/ports/security/py-certbot
# make install clean

7. After the compilation process finishes, issue the commands below to update the certbot utility and the dependencies certbot requires.

# pkg install py27-certbot
# pkg install py27-acme

8. To obtain a certificate for your domain, issue the command shown below. Make sure you supply the correct webroot location where your website files are stored on the file system (the DocumentRoot directive from your domain's configuration file) with the -w flag. If you have multiple subdomains, add them all with the -d flag.

# certbot certonly --webroot -w /usr/local/www/apache24/data/ -d yourdomain.com -d www.yourdomain.com

While obtaining the certificate, enter an email address for renewal notices, press a to agree with the Let's Encrypt Terms of Service, and press n to decline sharing the email address with Let's Encrypt partners.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email 
There seem to be problems with that address. Enter email address (used for
urgent renewal and security notices)  If you really want to skip this, you can
run the client with --register-unsafely-without-email but make sure you then
backup your account key from /etc/letsencrypt/accounts   (Enter 'c' to cancel):[email 

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.domain.com
Using the webroot path /usr/local/www/apache24/data for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem. Your cert
   will expire on 2017-11-15. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /usr/local/etc/letsencrypt. You should make a secure backup of
   this folder now. This configuration directory will also contain certificates
   and private keys obtained by Certbot so making regular backups of this folder
   is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

9. After you have obtained the certificate for your domain, you can run the ls command to list all the components of the certificate (chain, private key, certificate), as shown in the example below.

# ls -al /usr/local/etc/letsencrypt/live/www.yourdomain.com/

Step 3: Update the Apache TLS Certificate on FreeBSD

10. To install the Let's Encrypt certificate on your web server, open the Apache configuration file for your domain and update the following lines so that they point to the paths of the issued certificate.

# nano /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf

Add the following TLS certificate lines:

SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem"
SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem"

11. Finally, enable the TLS configuration file by creating a symlink to your domain's TLS configuration file in the sites-enabled directory, check the Apache configuration for possible syntax errors and, if the syntax is OK, restart the Apache daemon by issuing the commands below.

# ln -sf /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf /usr/local/etc/apache24/sites-enabled/
# apachectl -t
# service apache24 restart
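Before running apachectl -t and restarting, it is worth checking the TLS settings from step 3 and the certificate paths from steps 5 and 10 with a script; the one below is an added example, not part of the tutorial. It reports, as LEGACY rather than WEAK, that "SSLProtocol ALL -SSLv2 -SSLv3" still leaves TLSv1 and TLSv1.1 enabled and that "HIGH:MEDIUM" does not exclude RC4; the function names and the severity labels are this example's own.

```shell
# Added example, not from the tutorial: audit the TLS settings of an Apache 2.4
# configuration (httpd.conf, modules.d/020_mod_ssl.conf, the vhost file) before
# "apachectl -t". One finding per line; exit status 0 means nothing WEAK.

# Value of the last active occurrence of directive $1 across the files $2...
conf_value() {
    d="$1"; shift
    cat "$@" | sed 's/#.*//' | awk -v d="$d" \
        'toupper($1) == toupper(d) { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }'
}

# Expand an SSLProtocol token list such as "ALL -SSLv2 -SSLv3" into the set of
# protocols it leaves enabled. In Apache 2.4 "all" never includes SSLv2.
enabled_protocols() {
    on=""
    for tok in $1; do
        case "$tok" in
            all|ALL|+all|+ALL) on="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ;;
            -*) on=$(echo " $on " | sed "s/ ${tok#-} / /") ;;
            +*) on="$on ${tok#+}" ;;
            *)  on="$on $tok" ;;
        esac
    done
    echo $on
}

audit_apache_tls() {
    rc=0; proto=$(conf_value SSLProtocol "$@")
    for p in $(enabled_protocols "$proto"); do
        case "$p" in
            SSLv2|SSLv3)   echo "WEAK: $p is still enabled by 'SSLProtocol $proto'"; rc=1 ;;
            TLSv1|TLSv1.1) echo "LEGACY: $p is enabled; prefer 'SSLProtocol -all +TLSv1.2 +TLSv1.3'" ;;
        esac
    done
    ciphers=$(conf_value SSLCipherSuite "$@")
    for bad in aNULL MD5; do      # must be excluded explicitly, as the tutorial does
        case ":$ciphers:" in
            *":!$bad:"*) ;;
            *) echo "WEAK: SSLCipherSuite does not exclude $bad"; rc=1 ;;
        esac
    done
    case ":$ciphers:" in *":!RC4:"*) ;; *) echo "LEGACY: SSLCipherSuite does not exclude RC4 (RFC 7465)" ;; esac
    # Certificate, key and chain must be readable; the key must not be world-readable.
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        f=$(conf_value "$d" "$@" | tr -d '"')
        [ -r "$f" ] || { echo "WEAK: $d '$f' is missing or unreadable"; rc=1; }
        [ "$d" = SSLCertificateKeyFile ] && [ -n "$(find "$f" -perm -004 2>/dev/null)" ] \
            && echo "WEAK: private key $f is world-readable" && rc=1
    done
    return $rc
}
```

Run it as `audit_apache_tls /usr/local/etc/apache24/modules.d/020_mod_ssl.conf /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf`; the directive values are read across all files given, so the module file and the vhost file can be audited together.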

12. To check whether the Apache service is listening on HTTPS port 443, issue the following command to list the httpd network sockets.

# sockstat -4 | grep httpd

13. You can browse to your domain address over the HTTPS protocol in a browser to verify that the certificate has been applied successfully.

https://www.yourdomain.com

14. To obtain more information about the Let's Encrypt certificate from the command line, use the openssl command as follows.

# openssl s_client -connect www.yourdomain.com:443

15. You can also check from a mobile device whether the traffic is encrypted with a valid certificate issued by the Let's Encrypt CA, as shown in the mobile screenshot below.

That's all! Visitors can now browse your website securely, because the traffic passing between the server and the client's browser is encrypted. For more advanced certbot tasks, visit the following link: https://certbot.eff.org/