Setting Up HTTPS with a Let's Encrypt SSL Certificate for Nginx on RHEL/CentOS 7/6


Following the previous Let's Encrypt series about securing Apache and Nginx web servers with SSL/TLS, this article will guide you through generating and installing a free SSL/TLS certificate issued by the Let's Encrypt Certificate Authority, which we will use to secure the HTTP transactions of an Nginx web server on CentOS/RHEL 7/6 and Fedora distributions.

If you are looking to install Let's Encrypt for Apache on RHEL/CentOS 7/6 and Fedora distributions, follow the guide below:

Requirements:

  1. A registered domain name with valid DNS records pointing back to the server's public IP address.
  2. Nginx web server installed with SSL enabled and Virtual Hosts enabled (only needed for multiple domains or subdomains).

Step 1: Install the Nginx Web Server

1. In the first step, if you don't already have the Nginx daemon installed, issue the commands below with root privileges to install the Nginx web server from the EPEL repositories:

# yum install epel-release
# yum install nginx

Step 2: Download or Clone the Free Let's Encrypt Client

2. The fastest way to install the Let's Encrypt client on a Linux system is by cloning the package from its GitHub repository.

First, install the git client on the system with the command below:

# yum install git

3. After the git client has been installed, change directory to /opt and pull the Let's Encrypt software by issuing the commands below:

# cd /opt
# git clone https://github.com/letsencrypt/letsencrypt

Step 3: Create a Free Let's Encrypt SSL Certificate for Nginx

4. The process of obtaining a free SSL/TLS certificate for Nginx will be done manually using the Let's Encrypt Standalone plugin.

This method requires that port 80 be free while the Let's Encrypt client validates the server's identity and generates the certificate.

So, if Nginx is already running, stop the daemon with the following command and run the ss utility to confirm that port 80 is no longer in use in the network stack.

# service nginx stop
# systemctl stop nginx
# ss -tln

5. Now it's time to obtain a free SSL certificate from Let's Encrypt. Move to the Let's Encrypt installation directory (the repository was cloned to /opt/letsencrypt in step 3), if you are not already there, and run the letsencrypt-auto command with the --standalone option and a -d flag for every domain or subdomain you want the certificate to cover, as in the example below.

# cd /opt/letsencrypt
# ./letsencrypt-auto certonly --standalone -d your_domain.tld -d www.your_domain.tld

6. After the list of packages and dependencies has been installed on your machine, Let's Encrypt will prompt you to enter your account (an email address), which will be used for key recovery or urgent notices.

7. Next you should agree to the license terms by pressing the Enter key.

8. Finally, if everything went as planned, a congratulations message will be displayed on your bash terminal. The message will also tell you when the certificate expires.

Step 4: Install the Let's Encrypt SSL Certificate in Nginx

9. Now that you are in possession of a free SSL/TLS certificate, it's time to install it in the Nginx web server so your domain can use it.

All new SSL certificates are placed in /etc/letsencrypt/live/ under a directory named after your domain name. Use the ls command to list the certificate files issued for your domain and identify them.

# sudo ls /etc/letsencrypt/live/
# sudo ls -al /etc/letsencrypt/live/your_domain.tld

10. To install the certificate files in Nginx and enable SSL, open the /etc/nginx/nginx.conf file for editing and add the statements below after the last listen line of the server block. Use the screenshot below as a guide.

# vi /etc/nginx/nginx.conf

Nginx SSL block excerpt:

# SSL configuration
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/your_domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.tld/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Replace the domain name in the SSL certificate paths to match your own domain.

11. Finally, restart the Nginx service and visit your domain over the HTTPS protocol at https://domain. The page should load smoothly, without any certificate error.

# systemctl restart nginx
# service nginx restart

12. To verify the SSL/TLS certificate and the strength of your configuration, visit the following link:

https://www.ssllabs.com/ssltest/analyze.html 

13. If you get a notice that your server supports a weak DH key exchange and an overall B grade, generate a new set of Diffie-Hellman parameters in the /etc/nginx/ssl/ directory to protect your server against the Logjam attack by running the following commands.

# mkdir /etc/nginx/ssl
# cd /etc/nginx/ssl
# openssl dhparam -out dhparams.pem 4096

In this example we used a 4096-bit key, which actually takes a long time to generate and adds extra overhead to your server and the SSL handshake.

If there is no specific requirement to use a key of this length and you are not worried about it, you should be safe with a 2048-bit key.

14. After the DH key has been generated, open the Nginx configuration file and add the statements below after the ssl_ciphers line to include the DH key and raise your domain's security level to an A+ grade.

# vi /etc/nginx/nginx.conf

Add the following block to nginx.conf:

ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_session_timeout 30m;
ssl_session_cache shared:SSL:10m;
ssl_buffer_size 8k;
add_header Strict-Transport-Security max-age=31536000;

15. Restart the Nginx service to apply the changes and re-test the SSL certificate, clearing the previous cached result of the test mentioned above.

# systemctl restart nginx
# service nginx restart
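An added check, not from the original article: a small shell audit of the SSL directives that steps 10 to 14 put into nginx.conf. It is worth running because the block from step 10 still lists TLSv1 and TLSv1.1, which are deprecated (RFC 8996), so even the A+ configuration from step 14 reports one finding until those two are dropped. The function name and the file-path argument are my own choices.

```shell
#!/bin/bash
# Added example (not part of the original article): audit the SSL directives
# discussed in steps 10 to 14. Findings are written to stderr; the number of
# findings is printed on stdout so a caller can act on it (0 = nothing found).
# Usage: audit_nginx_ssl /etc/nginx/nginx.conf

audit_nginx_ssl() {
    conf="$1"
    findings=0
    # Drop comments so a commented-out directive does not count as present.
    stripped=$(sed 's/#.*//' "$conf")

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); only TLSv1.2 and TLSv1.3 should be offered.
    if printf '%s\n' "$stripped" | grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)'; then
        echo "[WARN] ssl_protocols still offers TLSv1 and/or TLSv1.1" >&2
        findings=$((findings + 1))
    fi
    # Without ssl_dhparam nginx uses a short built-in DH group (the Logjam finding from step 13).
    if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]'; then
        echo "[WARN] ssl_dhparam not set: generate one with openssl dhparam (step 13)" >&2
        findings=$((findings + 1))
    fi
    # A session cache avoids a full handshake on every connection (step 14).
    if ! printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*ssl_session_cache[[:space:]]'; then
        echo "[WARN] ssl_session_cache not set" >&2
        findings=$((findings + 1))
    fi
    # HSTS keeps browsers on HTTPS after the first visit (step 14).
    if ! printf '%s\n' "$stripped" | grep -Eq 'add_header[[:space:]]+Strict-Transport-Security[[:space:]]'; then
        echo "[WARN] Strict-Transport-Security header not sent" >&2
        findings=$((findings + 1))
    fi

    echo "$findings"
}

# When run as a script, audit the file given on the command line.
if [ "$#" -gt 0 ]; then
    audit_nginx_ssl "$1"
fi
```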

Step 5: Auto-Renew the Free Let's Encrypt SSL Certificate for Nginx

16. The Let's Encrypt CA issues free SSL/TLS certificates that are valid for 90 days. The certificate can be renewed manually and applied before it expires using the webroot plugin, without stopping your web server, by issuing the commands below:

# ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html/ -d yourdomain.tld -d www.yourdomain.tld
# systemctl reload nginx

When running the command above, make sure you replace the webroot path to match your web server's document root, as specified by the Nginx root statement.

17. To renew the certificate automatically before it expires, create the following bash script from erikaheidi's GitHub in the /usr/local/bin/ directory and add the content below (the script has been slightly modified to reflect the Nginx setup).

# vi /usr/local/bin/cert-renew

Add the following lines to the renewal file.

#!/bin/bash

# Document root served by Nginx; the webroot plugin writes the ACME challenge here.
webpath='/usr/share/nginx/html/'
domain=$1
le_path='/opt/letsencrypt'
le_conf='/etc/letsencrypt'
# Renew when fewer than this many days remain.
exp_limit=30

# Read the list of domains covered by the certificate from its renewal config.
get_domain_list(){
        certdomain=$1
        config_file="$le_conf/renewal/$certdomain.conf"

        if [ ! -f "$config_file" ] ; then
                echo "[ERROR] The config file for the certificate $certdomain was not found."
                exit 1
        fi

        domains=$(grep --only-matching --perl-regex "(?<=domains \= ).*" "${config_file}")
        last_char=$(echo "${domains}" | awk '{print substr($0,length,1)}')

        # Drop a trailing comma so the list can be passed straight to --domains.
        if [ "${last_char}" = "," ]; then
                domains=$(echo "${domains}" | awk '{print substr($0, 1, length-1)}')
        fi

        echo "$domains"
}

if [ -z "$domain" ] ; then
        echo "[ERROR] you must provide the domain name for the certificate renewal."
        exit 1
fi

cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"

if [ ! -f "$cert_file" ]; then
        echo "[ERROR] certificate file not found for domain $domain."
        exit 1
fi

# Expiry date taken from the certificate and converted to seconds since the epoch.
exp=$(date -d "$(openssl x509 -in "$cert_file" -text -noout | grep "Not After" | cut -c 25-)" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( $exp - $datenow \) / 86400 | bc)

echo "Checking expiration date for $domain..."

if [ "$days_exp" -gt "$exp_limit" ] ; then
        echo "The certificate is up to date, no need for renewal ($days_exp days left)."
        exit 0
else
        echo "The certificate for $domain is about to expire soon. Starting renewal request..."
        domain_list=$( get_domain_list "$domain" )
        "$le_path"/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path="$webpath" --domains "${domain_list}"
        echo "Reloading Nginx..."
        sudo systemctl reload nginx
        echo "Renewal process finished for domain $domain"
        exit 0
fi

18. Change the $webpath variable at the beginning of the script to match your Nginx document root. Make sure the script is executable and that the bc calculator is installed on your system by issuing the following commands.

# chmod +x /usr/local/bin/cert-renew
# yum install bc

You can test the script against your domain by issuing the following command:

# /usr/local/bin/cert-renew yourdomain.tld
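An added example, not from the article or from the erikaheidi script: a sturdier version of the expiry arithmetic used above. It reads the date from `openssl x509 -enddate -noout` instead of cutting fixed columns out of the `-text` dump, and uses shell arithmetic instead of bc, so the only extra requirement is GNU date (which the script above already relies on). The function names and the optional second argument of days_until, which exists only so the arithmetic can be checked against a fixed date, are my own.

```shell
#!/bin/bash
# Added example (not part of the original article): compute how many days a
# certificate has left without the fixed-column "cut -c 25-" and the bc
# dependency of the step 17 script. Assumes GNU date, like that script.

# days_until NOTAFTER_LINE [NOW]
#   NOTAFTER_LINE is what "openssl x509 -enddate -noout" prints, e.g.
#   "notAfter=Jan  1 00:00:00 2030 GMT". NOW defaults to the current time and
#   is accepted only so the result can be verified against a fixed date.
days_until() {
    not_after=${1#notAfter=}
    now=${2:-now}
    exp_s=$(date -u -d "$not_after" +%s) || return 1
    now_s=$(date -u -d "$now" +%s) || return 1
    # Whole days remaining (negative once the certificate has expired).
    echo $(( (exp_s - now_s) / 86400 ))
}

# cert_days_left /etc/letsencrypt/live/<domain>/fullchain.pem
cert_days_left() {
    line=$(openssl x509 -in "$1" -enddate -noout) || return 1
    days_until "$line"
}

# needs_renewal DAYS_LEFT LIMIT: succeeds when the renewal should run now.
needs_renewal() {
    [ "$1" -le "$2" ]
}

# When run as a script: cert-days-left.sh /path/to/fullchain.pem [limit-days]
if [ "$#" -gt 0 ]; then
    left=$(cert_days_left "$1") || exit 1
    if needs_renewal "$left" "${2:-30}"; then
        echo "certificate expires in $left days: renew now"
    else
        echo "certificate is fine for another $left days"
    fi
fi
```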


19. Finally, to run the certificate renewal process automatically, add a new cron job that executes the script every week, so the certificate is renewed within the 30 days before its expiration date.

# crontab -e

Add the following line at the bottom of the file.

@weekly  /usr/local/bin/cert-renew your_domain.tld >> /var/log/your_domain.tld-renew.log 2>&1

That's all! Your Nginx server can now deliver secure web content with a free Let's Encrypt SSL/TLS certificate on your website.