How to Secure Nginx with SSL and Let's Encrypt in FreeBSD


In this guide we will discuss how to secure the Nginx web server in FreeBSD with TLS/SSL certificates issued by the Let's Encrypt Certificate Authority. We will also show you how to automatically renew Let's Encrypt certificates before their expiration date.

TLS, an acronym for Transport Layer Security, is a protocol that runs beneath the HTTP protocol and uses certificates and keys to encapsulate packets and encrypt the data exchanged between a server and a client, or in this case between the Nginx web server and a client browser, in order to secure the connection, so that a third party who is able to intercept the traffic cannot tamper with the transmission.

The process of obtaining a free Let's Encrypt certificate in FreeBSD can be greatly simplified by installing the certbot client utility, which is the official Let's Encrypt client used to generate and download certificates.

  1. Install FBEMP (Nginx, MariaDB and PHP) stack in FreeBSD

Step 1: Configure Nginx TLS/SSL

1. By default, the TLS/SSL server configuration is not enabled in FreeBSD because the TLS server block statements are commented out in the default Nginx configuration file.

In order to enable the TLS server in Nginx, open the nginx.conf configuration file for editing, search for the line that defines the start of the SSL server and update the whole block to look like the sample below.

# nano /usr/local/etc/nginx/nginx.conf

Nginx HTTPS block excerpt:

server {
    listen 443 ssl default_server;
    server_name www.yourdomain.com;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    error_page 500 502 503 504 /50x.html;

    location = /50x.html {
        root /usr/local/www/nginx-dist;
    }

    location / {
        root /usr/local/www/nginx;
        index index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
    }

    ssl_certificate "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem";
    ssl_certificate_key "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /usr/local/etc/nginx/dhparam.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Use gzip compression
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 5;
    gzip_buffers 16 8k;
    gzip_http_version 1.0;

    # Set a variable to work around the lack of nested conditionals
    set $cache_uri $request_uri;

    location ~ /.well-known {
        allow all;
    }

    location ~ \.php$ {
        root /usr/local/www/nginx;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        #fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        include fastcgi_params;
    }
}

The block above, besides the SSL statements, also contains some directives to enable gzip compression and the FastCGI Process Manager, which is used to pass PHP code to the PHP-FPM gateway in order to run dynamic web applications.

After you have added the above code to the Nginx main configuration file, do not restart the daemon or apply the settings before installing certbot and obtaining the Let's Encrypt certificate for your domain.
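As an added example (not code from the original guide), the Python checker below audits the server block above for the two weak spots a reviewer would flag: the obsolete TLSv1 and TLSv1.1 versions in ssl_protocols, and ssl_certificate pointing at cert.pem, which makes Nginx send only the leaf certificate rather than the chain in fullchain.pem. The sample block is a constructed excerpt of the guide's configuration, and the harden() rewrite is an assumed target, not part of the guide.

```python
import re

# Constructed excerpt of the TLS server block from this guide; not a live config file.
SAMPLE_CONF = """\
server {
    listen 443 ssl default_server;
    server_name www.yourdomain.com;
    ssl_certificate "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem";
    ssl_certificate_key "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /usr/local/etc/nginx/dhparam.pem;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
"""

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
DIRECTIVE = re.compile(r'^(\s*)(ssl_\w+)\s+([^;]+);', re.M)

def ssl_directives(conf):
    """Map each ssl_* directive in a server block to its argument list (quotes stripped)."""
    return {m.group(2): m.group(3).replace('"', "").split() for m in DIRECTIVE.finditer(conf)}

def audit(conf):
    """Return (directive, problem) pairs for the weak spots in a TLS server block."""
    d = ssl_directives(conf)
    findings = []
    for required in ("ssl_certificate", "ssl_certificate_key"):
        if required not in d:
            findings.append((required, "missing"))
    weak = DEPRECATED & set(d.get("ssl_protocols", []))
    if weak:
        findings.append(("ssl_protocols", "obsolete versions enabled: " + " ".join(sorted(weak))))
    if d.get("ssl_certificate", [""])[0].endswith("/cert.pem"):
        findings.append(("ssl_certificate", "leaf-only cert.pem; clients need the chain from fullchain.pem"))
    if d.get("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.append(("ssl_prefer_server_ciphers", "should be on so the server's cipher order wins"))
    return findings

def harden(conf):
    """Rewrite the two findings the guide's block triggers; other directives are left untouched."""
    # TLSv1.3 needs an Nginx build against OpenSSL 1.1.1 or newer; drop it on older builds.
    conf = re.sub(r"ssl_protocols\s+[^;]+;", "ssl_protocols TLSv1.2 TLSv1.3;", conf)
    return conf.replace('/cert.pem"', '/fullchain.pem"')

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_CONF):
        print(f"{name}: {problem}")
    print(harden(SAMPLE_CONF))
```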

Step 2: Install the Certbot Client in FreeBSD

2. The process of installing the Let's Encrypt certbot client utility in FreeBSD involves downloading the source code of py-certbot and compiling it locally, by issuing the commands below.

# cd /usr/ports/security/py-certbot
# make install clean

3. Compiling the py-certbot utility takes a considerable amount of time compared to installing a regular binary package. During this time, a series of dependencies need to be downloaded and compiled locally in FreeBSD.

Also, a series of prompts will appear on your screen, asking you to select the options to be used at compile time for each dependency. On the first screen, select the following options, by pressing the [space] key, in order to compile the python27 dependency, as illustrated in the image below.

  • IPV6
  • LIBFFI
  • NLS
  • PYMALLOC
  • THREADS
  • UCS4 for Unicode support

4. Next, select DOCS and THREADS for the gettext-tools dependency and press Ok to continue as shown in the image below.

5. On the next screen leave the TESTS option disabled for libffi-3.2.1 and press Ok to move further.

6. Next, hit space to select DOCS for the py27-enum34 dependency, which will install the documentation for this utility, and press Ok to continue, as illustrated in the image below.

7. Finally, choose to install the example samples for the py27-openssl dependency by pressing the [space] key and press Ok to finish the compilation and installation process for the py-certbot client.

8. After the process of compiling and installing the py-certbot utility finishes, run the command below to upgrade the utility to the latest package version as illustrated in the screenshots below.

# pkg install py27-certbot

9. In order to avoid some issues that might occur while obtaining the free Let's Encrypt certificate, the most common error being "pkg_resources.DistributionNotFound", make sure the following two dependencies are also present on your system: py27-salt and py27-acme.

# pkg install py27-salt
# pkg install py27-acme

Step 3: Install a Let's Encrypt Certificate for Nginx on FreeBSD

10. In order to obtain a standalone Let's Encrypt certificate for your domain, run the following command and supply your domain name and all the subdomains you want a certificate for, each introduced by the -d flag.

# certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com

11. While the certificate is being generated you will be asked to enter your email address and to agree to the Let's Encrypt terms of service. Type a at the keyboard to agree and continue, and you will then be asked whether you want to share your email address with the Let's Encrypt partners.

If you don't want to share your email address, just type the word no at the prompt and hit the [enter] key to continue. After the certificates for your domain have been successfully obtained, you will receive some important notes that tell you where the certificates are stored on your machine and when they expire.

12. If you want to obtain a Let's Encrypt certificate using the webroot plugin, by pointing certbot at the web root of your Nginx server for the domain, issue the following command with the --webroot and -w flags. By default, if you have not changed the Nginx webroot path, it should be located at the /usr/local/www/nginx/ system path.

# certbot certonly --webroot -w /usr/local/www/nginx/ -d yourdomain.com -d www.yourdomain.com

As with the --standalone method of obtaining a certificate, the --webroot procedure will also ask you to provide an email address for certificate renewal and security notices, to press a to agree to the Let's Encrypt terms and conditions, and to answer no or yes on whether to share your email address with Let's Encrypt partners, as illustrated in the sample below.

Be aware that the certbot client can detect a fake email address and will not let you continue with generating the certificate until you provide a real one.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email   #A fake email address will be detected
There seem to be problems with that address. Enter email address (used for
urgent renewal and security notices)  If you really want to skip this, you can
run the client with --register-unsafely-without-email but make sure you then
backup your account key from /etc/letsencrypt/accounts   (Enter 'c' to cancel):[email

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.domain.com
Using the webroot path /usr/local/www/nginx/ for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem. Your cert
   will expire on 2017-12-28. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /usr/local/etc/letsencrypt. You should make a secure backup of
   this folder now. This configuration directory will also contain certificates
   and private keys obtained by Certbot so making regular backups of this folder
   is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Step 4: Update the Nginx TLS Certificates

13. The location where the obtained Let's Encrypt certificates and keys are stored in FreeBSD is the /usr/local/etc/letsencrypt/live/www.yourdomain.com/ system path. Issue the ls command to display the components of your Let's Encrypt certificate: the chain file, the fullchain file, the private key and the certificate file, as illustrated in the following example.

# ls /usr/local/etc/letsencrypt/live/www.yourdomain.com/

14. In order to install the Let's Encrypt certificate for your domain in the Nginx web server, open the Nginx main configuration file, or the Nginx TLS server configuration file if it is a separate file, and modify the lines below so that they point at the certificates issued by Let's Encrypt, as illustrated below.

# nano /usr/local/etc/nginx/nginx.conf

Update the following lines to look like this sample:

ssl_certificate "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem";
ssl_certificate_key "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem";

15. Also, if the ssl_dhparam line is present in the Nginx SSL configuration, you should generate a new 2048 bit Diffie-Hellman parameter file with the following command:

# openssl dhparam -out /usr/local/etc/nginx/dhparam.pem 2048

16. Finally, to activate the Nginx TLS configuration, first check the whole Nginx configuration for possible syntax errors and then restart the Nginx service to apply the SSL configuration, by issuing the following commands.

# nginx -t
# service nginx restart

17. Verify whether the Nginx daemon is bound to port 443 by issuing the following commands, which list all the network sockets open on the system in listening state.

# netstat -an -p tcp | grep LISTEN
# sockstat -4

18. You can also visit your domain address via HTTPS by opening a browser and typing the address below, to verify that the Let's Encrypt certificates are working as expected. Because you are using certificates issued by a valid Certificate Authority, no error should be displayed in the browser.

https://www.yourdomain.com

19. The openssl utility can also help you find information about the certificate obtained from the Let's Encrypt CA, by running the command with the following options.

# openssl s_client -connect www.yourdomain.com:443

If you want to force Nginx to redirect all HTTP requests received for your domain on port 80 to HTTPS, open the Nginx configuration file, locate the server directive for port 80 and add the line below after the server_name statement, as illustrated in the example below.

rewrite ^(.*) https://www.yourdomain.com$1 permanent;

20. Setting up automatic renewal of the certificates issued by the Let's Encrypt authority before they expire can be done by scheduling a cron job that runs once a day, by issuing the following command.

# crontab -e

Cron job to renew the certificate:

0 0 * * * certbot renew >> /var/log/letsencrypt.log
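As an added check (not part of the original guide), the Python script below does from cron what steps 19 and 20 do by hand: it performs a TLS handshake with the domain, reads the certificate Nginx is actually serving and reports how many days remain, so a renewal that succeeded on disk but was never loaded into Nginx (certbot renew does not reload the daemon unless you tell it to) is noticed before the expiry date. The host name is the guide's placeholder and the 30-day threshold is the window certbot itself renews in.

```python
import socket
import ssl
import sys
import time

RENEW_THRESHOLD_DAYS = 30  # certbot renew acts below this; Let's Encrypt certs are valid for 90 days

def expires_at(not_after):
    """Epoch seconds for a notAfter string as the ssl module reports it, e.g. 'Dec 28 12:00:00 2017 GMT'."""
    return ssl.cert_time_to_seconds(not_after)

def days_left(not_after, now_seconds):
    """Whole days remaining on the certificate (negative once it has expired)."""
    return (expires_at(not_after) - int(now_seconds)) // 86400

def verdict(days):
    """Classify the remaining lifetime of the certificate Nginx is serving."""
    if days < 0:
        return "expired"
    if days < RENEW_THRESHOLD_DAYS:
        return "renewal overdue: check the cron job and reload nginx"
    return "ok"

def served_not_after(host, port=443):
    """Handshake with Nginx (SNI = host) and return the served certificate's notAfter.

    The default context verifies the chain, so a verification error here is the usual
    symptom of ssl_certificate pointing at cert.pem (leaf only) instead of fullchain.pem.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.yourdomain.com"  # placeholder name from the guide
    try:
        not_after = served_not_after(host)
    except OSError as err:  # ssl.SSLError is an OSError, so chain and network failures land here
        sys.exit(f"{host}: TLS handshake failed ({err}); is ssl_certificate the full chain?")
    days = days_left(not_after, time.time())
    status = verdict(days)
    print(f"{host}: expires {not_after}, {days} days left, {status}")
    sys.exit(0 if status == "ok" else 1)
```

Run it from a second cron line after the renewal, and have the renewal itself reload Nginx when a certificate changes, for example with certbot renew --deploy-hook "service nginx reload", so the served certificate and the one on disk stay in step.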

That's all! Nginx can now serve secure web applications to visitors using free Let's Encrypt certificates.