How to Secure Apache with SSL and Let's Encrypt in FreeBSD


In this tutorial we will learn how to secure the Apache HTTP server with TLS/SSL certificates offered by Let's Encrypt in FreeBSD 11.x. We will also cover how to automate the certificate renewal process for Let's Encrypt.

The Apache web server uses TLS/SSL certificates to encrypt the communication between end nodes, or more commonly between the server and the client, in order to provide security. Let's Encrypt provides the certbot command-line utility, an application that can simplify the way you obtain free trusted certificates.

Requirements

  1. Install FreeBSD 11.x
  2. 10 Things to Do After FreeBSD Installation
  3. How to Install Apache, MariaDB and PHP in FreeBSD

Step 1: Install Apache SSL on FreeBSD

1. Before starting to install the certbot utility and create the TLS configuration file for Apache, first create two directories named sites-available and sites-enabled in the Apache root configuration directory by issuing the commands below.

The purpose of these two directories is to simplify the configuration management of virtual hosts on the system, so that the main Apache configuration file httpd.conf does not need to be modified every time we add a new virtual host.

# mkdir /usr/local/etc/apache24/sites-available
# mkdir /usr/local/etc/apache24/sites-enabled

2. After you have created the two directories, open the Apache httpd.conf file with a text editor and add the following line near the end of the file as illustrated below.

# nano /usr/local/etc/apache24/httpd.conf

Add the following line:

IncludeOptional etc/apache24/sites-enabled/*.conf

3. Next, enable the TLS configuration for Apache by creating a new file named 020_mod_ssl.conf in the modules.d directory with the content shown below.

# nano /usr/local/etc/apache24/modules.d/020_mod_ssl.conf

Add the following lines to the 020_mod_ssl.conf file.

Listen 443
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300
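The SSLProtocol and SSLCipherSuite values above still allow TLS 1.0, TLS 1.1 and the MEDIUM cipher group, and the file sets neither SSLHonorCipherOrder nor an HSTS header. The following script is an added example, not code from the tutorial: a small static lint in plain sh that reads an Apache configuration file and prints one WARN line per weak SSL* setting, returning the number of warnings so a deployment script can refuse to restart Apache. The rules (no SSLv3/TLSv1/TLSv1.1, no MEDIUM/LOW/export cipher groups, !aNULL present, server-side cipher order, HSTS header) are this example's own choices; the sample configuration it lints is a copy of the 020_mod_ssl.conf content from step 3.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a static lint for the SSL*
# directives in an Apache configuration file. Pass the file as $1; it prints one
# WARN line per weak setting and returns the number of warnings, so a deploy
# script can refuse to restart Apache when the result is non-zero. The rules are
# this example's choices. SSLv2 is not checked: modern OpenSSL no longer builds it.

# Is protocol $1 enabled by the SSLProtocol value $2? Tokens are processed in
# order as mod_ssl does: "all" turns everything on, "-name" removes one
# protocol, "+name" or a bare "name" adds one.
proto_enabled() {
    name="$1"; on=1
    for tok in $2; do
        case "$tok" in
            "-$name")                     on=1 ;;
            "+$name"|"$name")             on=0 ;;
            [Aa][Ll][Ll]|"+"[Aa][Ll][Ll]) on=0 ;;
        esac
    done
    return $on
}

tls_config_lint() {
    conf="$1"; n=0
    # The last occurrence wins, matching how a later directive overrides an earlier one.
    proto=$(sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]*//p' "$conf" | tail -n 1)
    ciphers=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p' "$conf" | tail -n 1)

    if [ -z "$proto" ]; then
        echo "WARN: no SSLProtocol directive, mod_ssl defaults apply"; n=$((n + 1))
    else
        for p in SSLv3 TLSv1 TLSv1.1; do
            if proto_enabled "$p" "$proto"; then
                echo "WARN: $p still enabled by 'SSLProtocol $proto'"; n=$((n + 1))
            fi
        done
    fi

    if [ -z "$ciphers" ]; then
        echo "WARN: no SSLCipherSuite directive, mod_ssl defaults apply"; n=$((n + 1))
    else
        weak=0; anon=1
        for grp in $(printf '%s' "$ciphers" | tr ':' ' '); do
            case "$grp" in
                MEDIUM|LOW|EXP|EXPORT|RC4|DES|3DES|NULL|aNULL) weak=1 ;;
                '!aNULL') anon=0 ;;
            esac
        done
        if [ "$weak" -eq 1 ]; then
            echo "WARN: weak cipher groups allowed in 'SSLCipherSuite $ciphers'"; n=$((n + 1))
        fi
        if [ "$anon" -eq 1 ]; then
            echo "WARN: anonymous ciphers not excluded (add !aNULL)"; n=$((n + 1))
        fi
    fi
    if ! grep -Eiq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$conf"; then
        echo "WARN: SSLHonorCipherOrder on is missing, the client picks the cipher"; n=$((n + 1))
    fi
    if ! grep -Eq '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' "$conf"; then
        echo "WARN: no HSTS header (Header always set Strict-Transport-Security ...)"; n=$((n + 1))
    fi
    return $n
}

# Same check, but prints the warning count instead of using the exit status.
tls_warning_count() {
    tls_config_lint "$1" | grep -c '^WARN' || true
}

# Demo: lint the tutorial's 020_mod_ssl.conf settings (copied here as sample input).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Listen 443
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300
EOF
tls_config_lint "$sample" || echo "$? warning(s) for the tutorial's settings"
rm -f "$sample"
```

Run it against /usr/local/etc/apache24/modules.d/020_mod_ssl.conf and against each file in sites-available before the apachectl -t step; a configuration such as SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 with SSLCipherSuite HIGH:!aNULL:!MD5, SSLHonorCipherOrder on and an HSTS header passes with zero warnings.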

4. Now, uncomment the SSL module in the /usr/local/etc/apache24/httpd.conf file by removing the hash sign from the beginning of the following line, as illustrated below:

LoadModule ssl_module libexec/apache24/mod_ssl.so

5. Next, create the TLS configuration file for your domain in the sites-available directory, preferably named after your domain, as presented in the excerpt below:

# nano /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf

Add the following VirtualHost configuration to the bsd.lan-ssl.conf file.

<VirtualHost *:443>
    ServerName www.yourdomain.com
    ServerAlias yourdomain.com
    DocumentRoot "/usr/local/www/apache24/data/"
    SSLEngine on

    SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem"
    SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "/usr/local/www/apache24/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog "/var/log/apache/httpd-ssl_request.log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <Directory "/usr/local/www/apache24/data/">
        Options Indexes FollowSymLinks MultiViews
        # AllowOverride controls what directives may be placed in .htaccess files.
        AllowOverride All
        # Controls who can get content from this server.
        Require all granted
    </Directory>

    ErrorLog "/var/log/apache/yourdomain.ssl-error.log"
    CustomLog "/var/log/apache/yourdomain.ssl-access_log" combined
</VirtualHost>

Make sure you replace the domain name in the ServerName, ServerAlias, ErrorLog and CustomLog statements accordingly.

Step 2: Install Let's Encrypt on FreeBSD

6. In the next step, issue the following command to install the certbot utility offered by Let's Encrypt, which will be used to obtain free Apache TLS certificates for your domain.

While installing certbot, a series of prompts will be displayed on your screen. Use the screenshot below to configure the certbot utility. Also, compiling and installing the certbot utility can take a while, depending on your machine's resources.

# cd /usr/ports/security/py-certbot
# make install clean

7. After the compilation process has finished, issue the commands below to update the certbot utility and the dependencies that certbot requires.

# pkg install py27-certbot
# pkg install py27-acme

8. In order to generate certificates for your domain, issue the command illustrated below. Make sure you provide the correct web root location where your website files are stored in the file system (the DocumentRoot directive from your domain configuration file) using the -w flag. If you have multiple subdomains, add them all with the -d flag.

# certbot certonly --webroot -w /usr/local/www/apache24/data/ -d yourdomain.com -d www.yourdomain.com

While obtaining the certificate, provide an email address for certificate renewal notices, press a to agree to the Let's Encrypt terms and conditions, and press n to avoid sharing the email address with Let's Encrypt partners.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email 
There seem to be problems with that address. Enter email address (used for
urgent renewal and security notices)  If you really want to skip this, you can
run the client with --register-unsafely-without-email but make sure you then
backup your account key from /etc/letsencrypt/accounts   (Enter 'c' to cancel):[email 

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.domain.com
Using the webroot path /usr/local/www/apache24/data for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem. Your cert
   will expire on 2017-11-15. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /usr/local/etc/letsencrypt. You should make a secure backup of
   this folder now. This configuration directory will also contain certificates
   and private keys obtained by Certbot so making regular backups of this folder
   is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

9. After you have obtained the certificates for your domain, you can run the ls command to list all the certificate components (chain, private key, certificate) as presented in the example below.

# ls -al /usr/local/etc/letsencrypt/live/www.yourdomain.com/

Step 3: Update the Apache TLS Certificate on FreeBSD

10. In order to add the Let's Encrypt certificates to your website, open the Apache configuration file for your domain and update the following lines so that they point to the paths of the issued certificate files.

# nano /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf

Add these TLS certificate lines:

SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem"
SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem"

11. Finally, activate the TLS configuration file by creating a symbolic link from your domain's TLS configuration file into the sites-enabled directory, check the Apache configuration for possible syntax errors and, if the syntax is fine, restart the Apache daemon by issuing the commands below.

# ln -sf /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf /usr/local/etc/apache24/sites-enabled/
# apachectl -t
# service apache24 restart
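The sites-available/sites-enabled layout from steps 1 and 2 and the enable-and-restart sequence from step 11 are the parts of this tutorial most likely to be repeated for every new domain, so here they are as a small set of shell functions. This is an added example, not a script from the tutorial or from the Apache project: it assumes the FreeBSD port's configuration root /usr/local/etc/apache24 (overridable through APACHE_ROOT), appends the IncludeOptional line only if it is not already present, refuses to link a site file that does not exist, and restarts Apache only after apachectl -t has accepted the configuration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: idempotent helpers for the
# sites-available / sites-enabled layout of steps 1, 2 and 11. APACHE_ROOT is
# assumed to be the FreeBSD port's configuration root; point it at a scratch
# directory to try the helpers without touching the live tree.
APACHE_ROOT="${APACHE_ROOT:-/usr/local/etc/apache24}"
INCLUDE_LINE='IncludeOptional etc/apache24/sites-enabled/*.conf'

# Steps 1 and 2: create both directories and append the IncludeOptional line to
# httpd.conf exactly once, so re-running never duplicates the directive.
a2_prepare_layout() {
    conf="$APACHE_ROOT/httpd.conf"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    mkdir -p "$APACHE_ROOT/sites-available" "$APACHE_ROOT/sites-enabled" || return 1
    if ! grep -qF "$INCLUDE_LINE" "$conf"; then
        printf '\n%s\n' "$INCLUDE_LINE" >> "$conf"
    fi
}

# Step 11, first half: link a site into sites-enabled. Unknown names are refused
# so a typo cannot create a dangling symlink that apachectl -t would reject.
a2_enable_site() {
    src="$APACHE_ROOT/sites-available/$1"
    [ -f "$src" ] || { echo "no such site config: $src" >&2; return 1; }
    ln -sf "$src" "$APACHE_ROOT/sites-enabled/$1"
}

# Reverse of a2_enable_site: remove only the symlink, keep the real file.
a2_disable_site() {
    link="$APACHE_ROOT/sites-enabled/$1"
    [ -L "$link" ] || { echo "site not enabled: $1" >&2; return 1; }
    rm "$link"
}

# Number of enabled sites, handy as a sanity check in deployment scripts.
a2_enabled_count() {
    find "$APACHE_ROOT/sites-enabled" -type l | wc -l | tr -d ' '
}

# Step 11, second half: restart only when the configuration parses cleanly.
# (Runs the real apachectl/service commands; not used by the demo below.)
a2_apply() {
    apachectl -t && service apache24 restart
}

# Demo on a scratch copy of the layout: sh a2-sites.sh demo
if [ "${1:-}" = "demo" ]; then
    APACHE_ROOT=$(mktemp -d)
    printf 'ServerRoot "/usr/local"\n' > "$APACHE_ROOT/httpd.conf"
    a2_prepare_layout && a2_prepare_layout
    printf '<VirtualHost *:443>\n</VirtualHost>\n' \
        > "$APACHE_ROOT/sites-available/bsd.lan-ssl.conf"
    a2_enable_site bsd.lan-ssl.conf
    echo "enabled sites: $(a2_enabled_count)"
    echo "IncludeOptional lines after two runs: $(grep -c IncludeOptional "$APACHE_ROOT/httpd.conf")"
    rm -r "$APACHE_ROOT"
fi
```

On the live system the sequence for a new domain is a2_prepare_layout (once), a2_enable_site bsd.lan-ssl.conf, then a2_apply; because a2_apply chains service apache24 restart behind apachectl -t with &&, a broken configuration leaves the running server untouched.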

12. In order to check whether the Apache service is listening on the HTTPS port 443, issue the following command to list the network sockets held by httpd.

# sockstat -4 | grep httpd

13. You can navigate to your domain address from a browser over the HTTPS protocol to confirm that the Let's Encrypt certificate has been applied successfully.

https://www.yourdomain.com

14. In order to obtain additional information about the issued Let's Encrypt certificate from the command line, use the openssl command as follows.

# openssl s_client -connect www.yourdomain.com:443
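The certbot output in step 8 states a fixed expiry date ("Your cert will expire on 2017-11-15"), and Let's Encrypt certificates are short-lived, so the openssl s_client check above is most useful when it is turned into a number that a cron job can compare against a threshold. The script below is an added example, not part of the tutorial: it converts the notAfter line printed by openssl x509 -enddate into "days left" using plain sh integer arithmetic (so it behaves identically on FreeBSD and Linux, without relying on the differing date -j / date -d syntaxes), and wraps the step 14 s_client call in a function that reports days left for a live host. The hostname www.yourdomain.com and the 14-day threshold in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: turn the notAfter date that
# "openssl x509 -enddate" prints into "days left", so certificate expiry can be
# monitored from cron instead of assuming renewals silently worked. The live
# check at the end reuses the openssl s_client call from step 14.

# Days since 1970-01-01 for a proleptic Gregorian date (y m d), integer only.
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); mm=$((m + 9)); else mm=$((m - 3)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(((153 * mm + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# "notAfter=Nov 15 12:00:00 2017 GMT" -> seconds since the epoch (UTC).
notafter_to_epoch() {
    # Split "Mon D HH:MM:SS YYYY GMT" into words; the day may be space-padded.
    set -- $(printf '%s' "${1#notAfter=}" | tr ':' ' ')
    case "$1" in
        Jan) mon=1 ;; Feb) mon=2 ;;  Mar) mon=3 ;;  Apr) mon=4 ;;
        May) mon=5 ;; Jun) mon=6 ;;  Jul) mon=7 ;;  Aug) mon=8 ;;
        Sep) mon=9 ;; Oct) mon=10 ;; Nov) mon=11 ;; Dec) mon=12 ;;
        *) echo "unrecognised month: $1" >&2; return 1 ;;
    esac
    days=$(days_from_civil "$6" "$mon" "$2")
    # ${x#0} drops one leading zero so "08" is not read as an octal literal.
    echo $((days * 86400 + ${3#0} * 3600 + ${4#0} * 60 + ${5#0}))
}

# Whole days until the certificate expires; negative once it has expired.
cert_days_left() {
    exp=$(notafter_to_epoch "$1") || return 1
    now=$(date +%s)
    echo $(( (exp - now) / 86400 ))
}

# Live check (step 14): fetch the leaf certificate from the server and report
# the days left. Usage: cert_days_left_live www.yourdomain.com [443]
cert_days_left_live() {
    host="$1"; port="${2:-443}"
    enddate=$(openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null |
              openssl x509 -noout -enddate) || return 2
    cert_days_left "$enddate"
}

# Demo with the expiry date certbot printed in step 8 (constructed input).
echo "days left for the tutorial's certificate: $(cert_days_left 'notAfter=Nov 15 12:00:00 2017 GMT')"

# Cron-style gate (placeholder host and threshold), uncomment to use:
# [ "$(cert_days_left_live www.yourdomain.com)" -ge 14 ] || echo "TLS certificate needs renewal" | mail -s "TLS expiry" root
```

A renewal that failed for weeks shows up here as a steadily shrinking number rather than as a browser error on expiry day, which is the reason to compare the live value against a threshold well above zero.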

15. You can also verify that the traffic is encrypted with a valid certificate issued by the Let's Encrypt CA from a mobile device, as illustrated in the mobile phone screenshot below.

That's all! Clients can now visit your website securely, because the traffic flowing between the server and the client's browser is encrypted. For more complex tasks involving the certbot utility, visit the following link: https://certbot.eff.org/