Create Virtual Hosts, Directory Password Protection and SSL Certificates using Nginx Web Server in Arch Linux.


The previous Arch Linux 'LEMP' article covered only the basic installation, from installing the network services (Nginx, MySQL database and PhpMyAdmin) to configuring the minimal security required for the MySQL server and PhpMyAdmin.

This topic is strongly related to the former Install LEMP on Arch Linux article and will guide you through a more complex configuration of the LEMP stack, especially of the Nginx web server: creating Virtual Hosts, using password-protected directories, creating and configuring HTTP Secure Sockets Layer, redirecting insecure HTTP to HTTPS, and it will also present some useful Bash scripts that ease the job of enabling Virtual Hosts and generating SSL Certificates and Keys.

Install LEMP with MariaDB Database in Arch Linux

Step 1: Enable Virtual Hosts on Nginx

One of the simplest ways to enable Virtual Hosts is to use include statements in the main Nginx configuration file, which makes further configuration easier and more efficient because you can create a simple file for each new host and keep the main configuration file clean.

This method works the same way as on Apache Web Server: the first thing you need to do is specify the path from which Nginx should read the additional configuration files.

1. So, open the main nginx.conf file located on the /etc/nginx/ system path and at the bottom, before the last closing curly bracket '}', add the path where the future Virtual Host configuration files will reside.

$ sudo nano /etc/nginx/nginx.conf

Add the following statement at the bottom.

include /etc/nginx/sites-enabled/*.conf;

This directive tells Nginx to read every file found in /etc/nginx/sites-enabled/ whose name ends with the .conf extension.

2. The next step is to create the sites-enabled directory and another one, named sites-available, where you will store all your Virtual Host configuration files.

$ sudo mkdir /etc/nginx/sites-available /etc/nginx/sites-enabled

3. Now it's time to create a new Virtual Host. This example uses the system IP address as the Virtual Host name, so create a new file named name-ip.conf.

$ sudo nano /etc/nginx/sites-available/name-ip.conf

Add the following content.

## File content ##

server {
    listen 80;
    server_name 192.168.1.33;

    access_log /var/log/nginx/192.168.1.33.access.log;
    error_log /var/log/nginx/192.168.1.33.error.log;

    root /srv/http;
    location / {
        index index.html index.htm index.php;
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }
    location /phpmyadmin {
        rewrite ^/* /phpMyAdmin last;
    }

    location ~ \.php$ {
        # fastcgi_pass 127.0.0.1:9000;  (depending on your php-fpm socket configuration)
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}

The directive that enables the Virtual Host is the server_name statement under the listen port directive. Another important directive here is the root statement, which points the Nginx Virtual Host to serve file content from the /srv/http/ system path.

4. The last step is to create the /srv/http/ directory and make the name-ip.conf configuration file readable by Nginx (using a symbolic link), then restart the daemon to make the new configuration visible.

$ sudo mkdir /srv/http/
$ sudo ln -s /etc/nginx/sites-available/name-ip.conf /etc/nginx/sites-enabled/
$ sudo systemctl restart nginx

5. To verify it, point your browser to the Arch system IP address and you should see that the website content differs from http://localhost. Here I added a small PHP script that also checks the FastCGI PHP configuration, as in the screenshot below.

$ sudo nano /srv/http/info.php
## File content ##

<?php
phpinfo();
?>

6. Another method, which I developed myself, for enabling or disabling Virtual Hosts on Nginx is more elegant and was inspired by the Apache a2ensite script.

To use this method, open a file editor and create a new file named n2ensite on your $HOME path with the content below, make it executable, run it with root privileges and pass as an option the new Virtual Host name without the .conf extension (feel free to modify it according to your needs).

$ sudo nano n2ensite
## File content ##

#!/bin/bash
# n2ensite: enable an Nginx virtual host by linking its configuration file
# from sites-available into sites-enabled (inspired by Apache's a2ensite).

# Create both directories if they are missing.
if test -d /etc/nginx/sites-available && test -d /etc/nginx/sites-enabled; then
    echo "-----------------------------------------------"
else
    mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled
fi

avail=/etc/nginx/sites-available/$1.conf
enabled=/etc/nginx/sites-enabled
site=$(ls /etc/nginx/sites-available/)

# Exactly one argument is expected: the host name without the .conf extension.
if [ "$#" != "1" ]; then
    echo "Use script: n2ensite virtual_site"
    echo -e "\nAvailable virtual hosts:\n$site"
    exit 1
fi

if test -e "$avail"; then
    sudo ln -s "$avail" "$enabled/"
else
    echo -e "$avail virtual host does not exist! Please create one!\n$site"
    exit 1
fi

# Confirm the link was created; exit non-zero on failure so callers can tell.
if test -e "$enabled/$1.conf"; then
    echo "Success!! Now restart nginx server: sudo systemctl restart nginx"
else
    echo -e "Virtual host $avail does not exist!\nPlease see available virtual hosts:\n$site"
    exit 1
fi

Make it executable and run it as shown.

$ sudo chmod +x n2ensite
$ sudo ./n2ensite your_virtual_host

7. To disable Virtual Hosts, create a new n2dissite file with the following content and apply the same settings as above.

$ sudo nano n2dissite
## File content ##

#!/bin/bash
# n2dissite: disable an Nginx virtual host by removing its symbolic link
# from sites-enabled (the file in sites-available is left untouched).
avail=/etc/nginx/sites-enabled/$1.conf
enabled=/etc/nginx/sites-enabled
site=$(ls /etc/nginx/sites-enabled/)

# Exactly one argument is expected: the host name without the .conf extension.
if [ "$#" != "1" ]; then
    echo "Use script: n2dissite virtual_site"
    echo -e "\nAvailable virtual hosts: \n$site"
    exit 1
fi

if test -e "$avail"; then
    sudo rm "$avail"
else
    echo -e "$avail virtual host does not exist! Exiting!"
    exit 1
fi

# Confirm the link is gone; exit non-zero on failure so callers can tell.
if test -e "$enabled/$1.conf"; then
    echo "Error!! Could not remove $avail virtual host!"
    exit 1
else
    echo -e "Success! $avail has been removed!\nPlease restart Nginx: sudo systemctl restart nginx"
    exit 0
fi

8. Now you can use these two scripts to enable or disable any Virtual Host, but if you want to use them as system-wide commands, just copy both scripts to /usr/local/bin/ and then you can run them without specifying the path.

$ sudo cp n2ensite n2dissite /usr/local/bin/

Step 2: Enable SSL with Virtual Hosts on Nginx

SSL (Secure Sockets Layer) is a protocol designed to encrypt HTTP connections over networks or the Internet, so that data is transmitted over a secure channel using symmetric and asymmetric cryptographic keys; on Arch Linux it is provided by the OpenSSL package.

$ sudo pacman -S openssl

9. To enable HTTPS connections with Nginx, the first thing you need to do is generate the Virtual Host keys. Also, to simplify things, I created a small script that automatically generates the keys in the /etc/nginx/ssl directory path, using the Virtual Host name as the key name.

Create a file named nginx_gen_ssl and add the following content.

$ sudo nano nginx_gen_ssl
## File content ##

#!/bin/bash
# nginx_gen_ssl: generate a private key, a CSR and a self-signed certificate
# under /etc/nginx/ssl, named after the virtual host FQDN you type in.
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl || exit 1

echo -e "Enter your virtual host FQDN: \nThis will generate the default name for Nginx SSL certificate!"
read -r cert

# 2048-bit RSA private key, readable by root only.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$cert.key"
chmod 600 "$cert.key"
# Certificate signing request (you are prompted for the Common Name etc.),
# then a certificate signed with the same key, valid for 365 days.
openssl req -new -key "$cert.key" -out "$cert.csr"
openssl x509 -req -days 365 -in "$cert.csr" -signkey "$cert.key" -out "$cert.crt"

echo -e " The certificate $cert has been generated!\nPlease link it to nginx ssl available website!"
ls -al /etc/nginx/ssl
exit 0

10. After the script is created, append execute permissions, run it and supply your Certificate options, the most important being the Common Name field (add your official domain name here), and leave the password and Optional Company fields blank.

$ sudo chmod +x nginx_gen_ssl
$ sudo ./nginx_gen_ssl

At the end of the key generation process, a list of all keys found under the Nginx ssl directory will be displayed.

Also, if you want this script to be usable as a system command, copy or move it to /usr/local/bin/.

$ sudo mv nginx_gen_ssl /usr/local/bin
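A non-interactive variant, added here as an example and not part of the article's nginx_gen_ssl script: gen_self_signed writes a key and self-signed certificate with the Common Name passed as an argument, and the check functions confirm what you want to know before pointing ssl_certificate and ssl_certificate_key at the files, namely that the key is readable only by its owner, that key and certificate belong together, and that the certificate is still valid. The host name example.test and the output directory are caller-supplied assumptions.

```bash
#!/bin/bash
# Added example, not the article's nginx_gen_ssl script: non-interactive key
# and self-signed certificate generation, plus the checks to run before the
# files are referenced from ssl_certificate / ssl_certificate_key.
# NAME is the virtual host FQDN (hypothetical in the test) and DIR the output
# directory (defaults to the article's /etc/nginx/ssl).

# gen_self_signed NAME [DIR]: writes DIR/NAME.key and DIR/NAME.crt.
gen_self_signed() {
    local name="$1" dir="${2:-/etc/nginx/ssl}"
    mkdir -p "$dir" || return 1
    # umask 077 makes the key 0600 from the moment it is written, so there is
    # no window in which it is world-readable before a later chmod.
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.crt" \
        2>/dev/null )
}

# key_is_private KEY: succeed if only the owner can read the private key.
key_is_private() {
    case "$(ls -l "$1" 2>/dev/null)" in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_pair KEY CRT: succeed only if the certificate carries the public key
# of this private key; a mismatch is what nginx reports as "key values
# mismatch" on startup.
verify_pair() {
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# cert_subject CRT: print the subject in RFC 2253 form, e.g. CN=example.test.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# cert_valid CRT DAYS: succeed if the certificate does not expire within DAYS.
cert_valid() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-0} * 86400 )) >/dev/null
}
```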

11. After generating the keys required for the Nginx SSL Virtual Host, it's time to create the SSL Virtual Host configuration file. Use the same IP address for the Virtual Host as above on the server_name directive, but slightly change the Virtual Host file name by inserting ssl before .conf, to remind you that this file is for the name-ip SSL Virtual Host.

$ sudo nano /etc/nginx/sites-available/name-ip-ssl.conf

In this file, change the listen port statement to 443 ssl and set the SSL certificate and key file paths to the ones created earlier, so that it looks like the one below.

## File content ##

server {
    listen 443 ssl;
    server_name 192.168.1.33;

    ssl_certificate      /etc/nginx/ssl/192.168.1.33.crt;
    ssl_certificate_key  /etc/nginx/ssl/192.168.1.33.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    access_log /var/log/nginx/192.168.1.33-ssl.access.log;
    error_log /var/log/nginx/192.168.1.33-ssl.error.log;
    root /srv/http;
    location / {
        index index.html index.htm index.php;
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }
    location /phpmyadmin {
        rewrite ^/* /phpMyAdmin last;
    }
    location ~ \.php$ {
        # fastcgi_pass 127.0.0.1:9000;  (depending on your php-fpm socket configuration)
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}

12. After the file is created, use the n2ensite script or the command line to enable it (it creates a symbolic link in the sites-enabled directory), then restart the Nginx daemon to apply the settings.

$ sudo ./n2ensite name-ip-ssl
OR
$ sudo ln -s /etc/nginx/sites-available/name-ip-ssl.conf /etc/nginx/sites-enabled/
$ sudo systemctl restart nginx
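Before that restart, as an added example that is not from the article: a pre-flight check that reads a server-block file in the format used above and reports any certificate, key, .htpasswd file or document root it references that does not exist on disk, which is what makes nginx refuse to start after a new host is enabled. The configuration path is whatever the caller passes; the test below builds a constructed one.

```bash
#!/bin/bash
# Added example (not from the article): a pre-flight check for a server-block
# file in the format used above. It reports every certificate, key,
# .htpasswd file or document root the file references that does not exist,
# which is what makes nginx refuse to start after a new host is enabled.
# CONF is whatever path the caller passes, e.g. the name-ip-ssl.conf above.

# vhost_precheck CONF: print "directive path" for each missing path and
# return 1; return 0 when everything referenced exists; 2 if CONF is unreadable.
vhost_precheck() {
    local conf="$1" rc=0 directive path
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    # Strip comments and the trailing ';' so each line reads
    # "directive argument"; read splits off the directive name.
    while read -r directive path; do
        case "$directive" in
            ssl_certificate|ssl_certificate_key|auth_basic_user_file|root)
                if [ ! -e "$path" ]; then
                    echo "$directive $path"
                    rc=1
                fi
                ;;
        esac
    done <<EOF
$(sed 's/#.*$//; s/;[[:space:]]*$//' "$conf")
EOF
    return "$rc"
}
```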

13. Point your browser again to the Arch IP URL, but this time using the HTTPS protocol (https://192.168.1.33 on my system), and a Connection Untrusted security error should appear (Add and Confirm the Security Exception to proceed to the page).

As you can see, the Nginx Virtual Host now serves the same content as the former name-ip host, but this time over a secure HTTP connection.

Step 3: Access PhpMyAdmin through a Virtual Host

If Virtual Hosts are enabled on Nginx, we no longer have access to the http://localhost path content (localhost usually serves content using the loopback IP address, or the system IP address if not otherwise configured), because we have used the Arch system IP as server_name, so our content path has changed.

14. The simplest method to get access to PhpMyAdmin via the web is to create a symbolic link between the /usr/share/webapps/phpMyAdmin/ path and our new Virtual Host path (/srv/http).

$ sudo ln -s /usr/share/webapps/phpMyAdmin/ /srv/http/

15. After you have executed the above command, refresh your page and you will see the new phpMyAdmin folder appear if the autoindex statement is enabled on the Nginx Virtual Host, or point your URL directly to the PhpMyAdmin folder: https://arch_IP/phpMyAdmin.

16. If you want to sanitize the phpMyAdmin string in the browser, edit your Virtual Host files and add the following content under the server block.

    location /phpmyadmin {
        rewrite ^/* /phpMyAdmin last;
    }

Step 4: Enable Password Protected Directories on Nginx

Unlike Apache, Nginx uses the HttpAuthBasic module to enable Password Protected Directories, but it doesn't provide any tool to create the encrypted .htpasswd file.

17. To achieve directory password protection with Nginx on Arch Linux, install the Apache web server and use its tools to generate the encrypted .htpasswd file.

$ sudo pacman -S apache

18. After you have installed Apache, create a new directory under /etc/nginx/, intuitively named passwd, where the .htpasswd file will be stored, and use the htpasswd command with the -c switch for the first user to generate the file; then, if you want to add more users, use htpasswd without the -c switch.

$ sudo mkdir /etc/nginx/passwd

$ sudo htpasswd -c /etc/nginx/passwd/.htpasswd first_user
$ sudo htpasswd /etc/nginx/passwd/.htpasswd second_user
$ sudo htpasswd /etc/nginx/passwd/.htpasswd third_user
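As an added example, not from the article: the same .htpasswd file can be produced with openssl alone, which avoids installing Apache just for the htpasswd tool. Nginx's auth_basic accepts the Apache $apr1$ hash format that openssl passwd -apr1 emits; htpasswd_add creates or replaces a user entry and htpasswd_check verifies a password against the stored entry. The file path, user names and passwords are caller-supplied (the test uses constructed ones).

```bash
#!/bin/bash
# Added example (not the article's procedure): manage an nginx .htpasswd
# file with openssl instead of Apache's htpasswd tool. auth_basic_user_file
# accepts Apache's $apr1$<salt>$<hash> (MD5-based) entries, which
# "openssl passwd -apr1" produces. File path, user and password are
# caller-supplied; nothing here is a real credential.

# htpasswd_add FILE USER PASSWORD: add USER, replacing an existing entry.
htpasswd_add() {
    local file="$1" user="$2" pass="$3" salt hash
    # 8-character salt drawn from the crypt alphabet [A-Za-z0-9./].
    salt=$(tr -dc 'A-Za-z0-9./' </dev/urandom | head -c 8)
    # -stdin keeps the password out of the process list, where a
    # command-line argument would be visible to every local user.
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin) || return 1
    # Copy every other user's line, then append the new entry.
    if [ -f "$file" ]; then
        awk -F: -v u="$user" '$1 != u' "$file" > "$file.tmp" || return 1
    else
        : > "$file.tmp"
    fi
    printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
    # Owner and the web server's group only: the hashes are not public data.
    chmod 640 "$file.tmp" && mv "$file.tmp" "$file"
}

# htpasswd_check FILE USER PASSWORD: succeed only if PASSWORD matches the
# stored entry. The salt is recovered from the entry itself so the hash can
# be recomputed and compared.
htpasswd_check() {
    local file="$1" user="$2" pass="$3" stored salt recomputed
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file" 2>/dev/null)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    recomputed=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin) || return 1
    [ "$stored" = "$recomputed" ]
}
```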

19. To protect the name-ip-ssl Virtual Host root /srv/http/ serving path, with all the folders and files under it, add the following directives to your Virtual Host server block under the root directive and point them to the absolute path of the .htpasswd file.

auth_basic "Restricted Website";
auth_basic_user_file /etc/nginx/passwd/.htpasswd;

20. After you restart the Nginx service, refresh the page and an Authentication Required pop-up should appear requesting your credentials.

Now you have successfully enabled Nginx Password Protected Directories, but be aware that the Apache web server was installed on your system at the same time, so make sure it stays disabled and by no means start it, because it can lead to port conflicts with Nginx.

Step 5: Redirect HTTP to HTTPS on Nginx

21. If you want browsers to automatically redirect all insecure HTTP requests to the HTTPS protocol, open and edit your non-SSL Virtual Host and add the following directive under the server_name directive.

rewrite ^ https://$server_name$request_uri? permanent;

All the configurations presented in this article were done on an Arch Linux system acting as a server, but most of them, especially those concerning the Nginx configuration files, apply to most Linux systems with small differences.