How to Secure Nginx with Let's Encrypt on Ubuntu and Debian


Following the previous Let's Encrypt tutorial on Apache SSL, this article covers how to generate and install a free SSL/TLS certificate issued by the Let's Encrypt CA for the Nginx web server on Ubuntu or Debian.

  1. Secure Apache with Free Let's Encrypt on Ubuntu and Debian
  2. Install Let's Encrypt SSL to Secure Apache on RHEL and CentOS

Requirements:

  1. A registered domain with a valid DNS A record pointing back to your server's IP address.
  2. An installed Nginx web server with SSL and a Vhost enabled, if you plan to host multiple domains or subdomains.

Step 1: Install the Nginx Web Server

1. In the first step, install the Nginx web server, if it is not already installed, by issuing the command below:

$ sudo apt-get install nginx

Step 2: Generate a Let's Encrypt SSL Certificate for Nginx

2. Before generating a free SSL/TLS certificate, install the Let's Encrypt client software under the /usr/local/ system path with the help of the git client by issuing the commands below:

$ sudo apt-get -y install git
$ cd /usr/local/
$ sudo git clone https://github.com/letsencrypt/letsencrypt

3. Although the procedure for obtaining a certificate for Nginx is automated, you can still create and install a free SSL certificate for Nginx using the Let's Encrypt Standalone plugin.

This method requires that port 80 not be in use on your system for a short period of time, while the Let's Encrypt client validates the server's identity before issuing the certificate.

If Nginx is already running, stop the service by issuing one of the following commands.

$ sudo service nginx stop
OR
$ sudo systemctl stop nginx

If you are running any other service that binds to port 80, stop that service as well.

4. Confirm that port 80 is free by running the netstat command:

$ sudo netstat -tlpn | grep 80

5. Now it is time to run letsencrypt in order to obtain the SSL certificate. Change to the Let's Encrypt installation directory located at /usr/local/letsencrypt and run the letsencrypt-auto command, supplying the --standalone option and the -d flag for each domain or subdomain you want a certificate for.

$ cd /usr/local/letsencrypt
$ sudo ./letsencrypt-auto certonly --standalone -d your_domain.tld

6. Enter the email address that Let's Encrypt will use for lost key recovery and urgent notices.

7. Agree to the license terms by pressing the Enter key.

8. Finally, if everything went well, a message similar to the screenshot below should appear on your terminal console.

Step 3: Install the Let's Encrypt SSL Certificate in Nginx

9. Now that the SSL certificate has been issued, it is time to configure the Nginx web server to use it. The new SSL certificate files are placed in /etc/letsencrypt/live/ under a directory named after your domain. Run the ls command to list the certificate files issued for your domain.

$ sudo ls /etc/letsencrypt/live/
$ sudo ls -al /etc/letsencrypt/live/caeszar.tk

10. Next, open the /etc/nginx/sites-available/default file with a text editor and add the following block after the first commented line that marks the start of the SSL block. Use the screenshot below as a guide.

$ sudo nano /etc/nginx/sites-enabled/default

Nginx block excerpt:

        # SSL configuration
        #
        listen 443 ssl default_server;
        ssl_certificate /etc/letsencrypt/live/caeszar.tk/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/caeszar.tk/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_dhparam /etc/nginx/ssl/dhparams.pem;

Replace the domain name in the SSL certificate paths accordingly.

11. In the next step, generate a strong Diffie-Hellman parameter file in the /etc/nginx/ssl/ directory, in order to protect your server against the Logjam attack, by issuing the following commands.

$ sudo mkdir /etc/nginx/ssl
$ cd /etc/nginx/ssl
$ sudo openssl dhparam -out dhparams.pem 2048

12. Finally, restart the Nginx daemon to apply the changes.

$ sudo systemctl restart nginx

Then test the SSL certificate by visiting the URL below.

https://www.ssllabs.com/ssltest/analyze.html

Step 4: Auto Renew the Let's Encrypt Nginx Certificate

13. Certificates issued by the Let's Encrypt CA are valid for 90 days. In order to renew the files automatically before the expiration date, create a bash script named ssl-renew.sh in the /usr/local/bin/ directory with the following content.

$ sudo nano /usr/local/bin/ssl-renew.sh

Add the following content to the ssl-renew.sh file.

#!/bin/bash

# Renew the certificate with the webroot plugin, so Nginx keeps running
# while Let's Encrypt fetches the challenge file from the document root.
cd /usr/local/letsencrypt || exit 1
sudo ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/var/www/html/ -d your_domain.tld
# Reload Nginx so it picks up the renewed certificate files
sudo systemctl reload nginx
exit 0

Replace the --webroot-path value to match your Nginx document root. Make the script executable by issuing the following command.

$ sudo chmod +x /usr/local/bin/ssl-renew.sh

14. Finally, add a cron job that runs the script every two months at midnight, to make sure your certificate is renewed roughly 30 days before it expires.

$ sudo crontab -e

Add the following line at the bottom of the file.

0 1 1 */2 * /usr/local/bin/ssl-renew.sh >> /var/log/your_domain.tld-renew.log 2>&1
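The SSL block in Step 3 and the webroot renewal in Step 4 depend on each other: the renewal's HTTP-01 challenge is fetched over plain port 80 from the document root, so any redirect to HTTPS must leave /.well-known/acme-challenge/ reachable. The server blocks below are an added example, not part of the original article, that combine both and drop the deprecated TLSv1 and TLSv1.1 from the block shown in Step 3; they assume your_domain.tld, /var/www/html as document root, the article's /etc/letsencrypt/live/ paths and /etc/nginx/ssl/dhparams.pem, and a systemd-resolved stub resolver at 127.0.0.53 (adjust to your resolver), and TLSv1.3 needs nginx 1.13 with OpenSSL 1.1.1 or newer, so remove it on older releases.

```nginx
# Added example, not from the original article. Replace your_domain.tld,
# the document root and the resolver address with your own values.

# Port 80: keep the ACME challenge directory served from the webroot used by
# ssl-renew.sh (Step 4), and redirect everything else to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name your_domain.tld;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the Let's Encrypt certificate with TLS 1.2+ only.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name your_domain.tld;
    root /var/www/html;

    ssl_certificate     /etc/letsencrypt/live/your_domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain.tld/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # Session cache instead of tickets, so a long-lived ticket key never
    # undermines forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling; chain.pem is issued next to fullchain.pem by Let's Encrypt.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/your_domain.tld/chain.pem;
    resolver 127.0.0.53 valid=300s;   # assumption: systemd-resolved stub

    # Ask browsers to use HTTPS only for the next six months.
    add_header Strict-Transport-Security "max-age=15768000" always;
}
```

Run sudo nginx -t before reloading, and consider adding the same check in front of the reload in ssl-renew.sh, so a broken configuration never takes the site down during an unattended renewal.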

That's it! Your Nginx server is now serving SSL content using a free Let's Encrypt SSL certificate.