How to Secure Nginx with SSL and Let's Encrypt in FreeBSD


In this guide we will discuss how to secure the Nginx web server in FreeBSD with a TLS/SSL certificate issued by the Let's Encrypt Certificate Authority. We will also show you how to automatically renew the Let's Encrypt certificate before it expires.

TLS, an acronym for Transport Layer Security, is a protocol that runs under the HTTP protocol and uses certificates and keys to encapsulate packets and encrypt the data exchanged between a server and a client, in this case between the Nginx web server and the client's browser. It secures the connection so that a third party who is able to intercept the traffic cannot decrypt the transmission.

The process of obtaining a free Let's Encrypt certificate in FreeBSD can be greatly simplified by installing the certbot client utility, the Let's Encrypt client used to generate and download certificates.

This guide assumes you have already installed the FBEMP (Nginx, MariaDB and PHP) stack in FreeBSD.

Step 1: Configure Nginx TLS/SSL

1. By default, the TLS/SSL server configuration is not enabled in FreeBSD because the TLS server block statements are commented out in the Nginx configuration file.

To enable the TLS server in Nginx, open the nginx.conf configuration file for editing, search for the line that defines the start of the SSL server and update the whole block to look like the sample below.

# nano /usr/local/etc/nginx/nginx.conf

Nginx HTTPS block:

server {
    listen 443 ssl default_server;
    server_name www.yourdomain.com;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    error_page 500 502 503 504 /50x.html;

    location = /50x.html {
        root /usr/local/www/nginx-dist;
    }

    location / {
        root /usr/local/www/nginx;
        index index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
    }

    ssl_certificate "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem";
    ssl_certificate_key "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /usr/local/etc/nginx/dhparam.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Use gzip compression
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 5;
    gzip_buffers 16 8k;
    gzip_http_version 1.0;

    # Set a variable to work around the lack of nested conditionals
    set $cache_uri $request_uri;

    # Keep /.well-known reachable for the Let's Encrypt webroot challenge
    location ~ /.well-known {
        allow all;
    }

    # Pass PHP scripts to the PHP-FPM gateway
    location ~ \.php$ {
        root /usr/local/www/nginx;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        #fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        include fastcgi_params;
    }
}

The block above, in addition to the SSL block, also contains some statements for enabling gzip compression and the FastCGI Process Manager, used to pass PHP code to the PHP-FPM gateway in order to run dynamic web applications.

After you've added the code above to the Nginx configuration file, don't restart the daemon or apply the settings before installing and obtaining the Let's Encrypt certificate for your domain.
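As an added check (example code written for this page, not taken from the article), the following POSIX sh script audits the ssl_* directives of a server block like the one above for settings a reviewer would flag: TLS 1.0/1.1 still enabled, a leaf-only cert.pem where Certbot's fullchain.pem carries the full chain, and an ssl_dhparam path whose file does not exist yet. The config path and the sample block are assumptions; the script needs only sh, grep, sed and mktemp.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the ssl_* directives
# of an Nginx server block for the weaknesses a reviewer would raise.
# Assumes only POSIX sh, grep, sed and mktemp; the config path is a parameter.

# Prints one finding per line and returns the number of findings (0 = clean).
audit_nginx_tls() {
    conf="$1"; findings=0

    # Deprecated TLS 1.0 / 1.1 still listed in ssl_protocols.
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$conf")
    case " $protos " in
        *" TLSv1 "*|*" TLSv1.1 "*)
            echo "weak: ssl_protocols enables TLSv1/TLSv1.1 ($protos)"
            findings=$((findings + 1)) ;;
    esac

    # Leaf-only certificate: Nginx sends whatever this file holds, so a
    # cert.pem without the intermediate makes some clients fail validation;
    # Certbot's fullchain.pem carries the certificate followed by its chain.
    if grep -q '^[[:space:]]*ssl_certificate[[:space:]].*/cert\.pem' "$conf"; then
        echo "weak: ssl_certificate points at cert.pem, use fullchain.pem"
        findings=$((findings + 1))
    fi

    # ssl_dhparam names a file that is not there: nginx -t will fail.
    dh=$(sed -n 's/^[[:space:]]*ssl_dhparam[[:space:]]*\([^;]*\);.*/\1/p' "$conf")
    if [ -n "$dh" ] && [ ! -f "$dh" ]; then
        echo "error: ssl_dhparam file '$dh' missing (run openssl dhparam first)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample mirroring the article's server block (paths are placeholders).
demo=$(mktemp)
cat > "$demo" <<'EOF'
server {
    listen 443 ssl default_server;
    ssl_certificate "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /usr/local/etc/nginx/dhparam.pem;
}
EOF
audit_nginx_tls "$demo" || echo "findings: $?"
rm -f "$demo"
```

Run it against /usr/local/etc/nginx/nginx.conf after editing; a non-zero exit status means at least one directive deserves a second look before the TLS block goes live.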

Step 2: Install Certbot Client in FreeBSD

2. The process of installing the Let's Encrypt certbot client utility in FreeBSD involves downloading the source code for py-certbot and compiling it locally, by issuing the following commands.

# cd /usr/ports/security/py-certbot
# make install clean

3. Compiling the py-certbot utility takes a significant amount of time compared to installing a regular binary package. During this time a series of dependencies must be downloaded and compiled locally in FreeBSD.

Also, a series of prompts will appear on your screen, asking you to select the packages to be used while compiling each dependency. On the first screen, select the following utilities, by pressing the [space] key, for compiling the python27 dependency, as shown in the screenshot below.

  • IPV6
  • LIBFFI
  • NLS
  • PYMALLOC
  • THREADS
  • UCS4 for Unicode support

4. Next, select DOCS and THREADS for the gettext-tools dependency and press OK to continue as shown in the screenshot below.

5. On the next screen leave the TESTS option disabled for libffi-3.2.1 and press OK to continue.

6. Next, press space to select DOCS for the py27-enum34 dependency, which will install the documentation for this tool, and press OK to continue, as shown in the screenshot below.

7. Finally, choose to install the example samples for the py27-openssl dependency by pressing the [space] key and press OK to finish the compilation and installation process for the py-certbot client.

8. After the process of compiling and installing the py-certbot utility finishes, run the command below to upgrade the tool to the latest package version as shown in the screenshot below.

# pkg install py27-certbot

9. To avoid some issues that can occur while obtaining a free Let's Encrypt certificate, the most common error being pkg_resources.DistributionNotFound, make sure the following two dependencies are also present on your system: py27-salt and py27-acme.

# pkg install py27-salt
# pkg install py27-acme

Step 3: Install Let's Encrypt Certificate for Nginx in FreeBSD

10. To obtain a Let's Encrypt standalone certificate for your domain, run the following command, supplying the domain name and all the subdomains you want to obtain certificates for with the -d flag.

# certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com

11. While generating the certificate, you will be asked to enter your email address and to agree to the Let's Encrypt terms of service. Type a from the keyboard to agree and continue; you will also be asked whether you are willing to share your email address with Let's Encrypt partners.

If you don't want to share your email address, just type no in the prompt and press the [enter] key to continue. After the certificate for your domain has been successfully obtained, you will receive some important notes telling you where the certificates are stored on your system and when they will expire.

12. If you want to obtain a Let's Encrypt certificate using the "webroot" plugin by adding the webroot directory of the Nginx server for your domain, issue the following command with the --webroot and -w flags. By default, if you have not changed the Nginx webroot path, it will be located in the /usr/local/www/nginx/ directory.

# certbot certonly --webroot -w /usr/local/www/nginx/ -d yourdomain.com -d www.yourdomain.com

As with the --standalone procedure for obtaining a certificate, the --webroot procedure will also ask you to provide an email address for certificate renewal and security notices, to press a to agree to the Let's Encrypt terms and conditions, and to type y or n to share or not share your email address with Let's Encrypt partners, as shown in the sample below.

Note that the certbot client can detect a fake email address and will not let you proceed with generating a certificate until you supply a valid email address.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email   #A fake email address will be detected
There seem to be problems with that address. Enter email address (used for
urgent renewal and security notices)  If you really want to skip this, you can
run the client with --register-unsafely-without-email but make sure you then
backup your account key from /etc/letsencrypt/accounts   (Enter 'c' to cancel):[email 

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.domain.com
Using the webroot path /usr/local/www/nginx/ for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem. Your cert
   will expire on 2017-12-28. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /usr/local/etc/letsencrypt. You should make a secure backup of
   this folder now. This configuration directory will also contain certificates
   and private keys obtained by Certbot so making regular backups of this folder
   is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 4: Update Nginx TLS Certificate

13. The location where the Let's Encrypt certificates and keys are stored in FreeBSD is the /usr/local/etc/letsencrypt/live/www.yourdomain.com/ directory. Issue the ls command to display the components of your Let's Encrypt certificate: the chain file, the fullchain file, the private key and the certificate file, as shown in the following example.

# ls /usr/local/etc/letsencrypt/live/www.yourdomain.com/

14. To install the Let's Encrypt certificate for your domain in the Nginx web server, open the main Nginx configuration file, or the configuration file for the Nginx TLS server if it is a separate file, and modify the lines below to reflect the path of the certificates issued by Let's Encrypt, as shown below.

# nano /usr/local/etc/nginx/nginx.conf

Update the following lines to look like this sample:

ssl_certificate "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem";
ssl_certificate_key "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem";

15. Also, if the ssl_dhparam line is present in the Nginx SSL configuration, you should generate a new 2048-bit Diffie-Hellman key with the following command:

# openssl dhparam -out /usr/local/etc/nginx/dhparam.pem 2048

16. Finally, to activate the Nginx TLS configuration, first check the global Nginx configuration for possible syntax errors and then restart the Nginx service to apply the SSL configuration, by issuing the following commands.

# nginx -t
# service nginx restart

17. Verify that the Nginx daemon is bound to port 443 by issuing the following commands, which list all open network sockets in listening state.

# netstat -an -p tcp | grep LISTEN
# sockstat -4

18. You can also browse to your domain address over the HTTPS protocol by opening a browser and typing the following address, to verify that the Let's Encrypt certificate works as expected. Because you're using a certificate issued by a valid Certificate Authority, no error should be displayed in the browser.

https://www.yourdomain.com

19. The openssl utility can also help you find information about the certificate obtained from the Let's Encrypt CA, by running the command with the following options.

# openssl s_client -connect www.yourdomain.com:443

If you want to force Nginx to redirect all http requests received for your domain on port 80 to HTTPS, open the Nginx configuration file, locate the server directive for port 80 and add the line below after the server_name statement, as shown in the example below.

rewrite ^(.*) https://www.yourdomain.com$1 permanent;

20. Automatic renewal of the certificates issued by the Let's Encrypt authority before they expire can be set up by scheduling a cron job that runs once a day, by issuing the following command.

# crontab -e

Cron job to renew the certificate:

0 0 * * * certbot renew >> /var/log/letsencrypt.log

That's all! Nginx can now serve secure web applications to your visitors using free certificates issued by Let's Encrypt.