Using HTTPS (improving site security)

December 9, 2019

Reference 1: ghost-letsencrypt-https

Reference 2: Using Let's Encrypt free SSL on Amazon Linux

These two days fell between iterations and I had a bit of spare time, so I deployed a Ghost blog. I ran into a few problems getting HTTPS working, and with the two articles above I solved some of them.

Obtaining the certificate

Certbot is an ACME client maintained by the Electronic Frontier Foundation. It proves control of a domain to the Let's Encrypt CA and downloads the certificate the CA signs; it does not sign anything itself. The EFF describes itself like this.

The Electronic Frontier Foundation is a nonprofit based in San Francisco that focuses on how new technologies affect our civil liberties. In our mailings, you'll learn about free speech, privacy, innovation, and the law. Read more about our work at https://eff.org.

You can also learn about our work by following us on social media:

Twitter: https://twitter.com/eff
Facebook: https://www.facebook.com/eff
Google+: https://plus.google.com/+eff

I used this tool to obtain the certificate and deploy it into nginx. The steps basically follow references 1 and 2; there are a few details worth noting, so treat this as my own notes.

STEP1
openssl dhparam -out /etc/ssl/private/dhparams_2048.pem 2048

This generates Diffie-Hellman parameters for DHE cipher suites. nginx only uses the file if a server block references it with ssl_dhparam; generating it on its own changes nothing.

STEP2

apt-get install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview --no-bootstrap

(The acme-v01 endpoint and the letsencrypt-auto/certbot-auto wrapper script have since been retired by Let's Encrypt. Current installs use the distribution's certbot package, whose default directory is https://acme-v02.api.letsencrypt.org/directory, so no --server flag is needed.)

If step 2 runs without errors, you get the interactive prompt:

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):www.yeshen.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.yeshen.org
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.yeshen.org/fullchain.pem. Your cert will
   expire on 2017-08-11. To obtain a new or tweaked version of this
   certificate in the future, simply run letsencrypt-auto again. To
   non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

You can check that these files were generated successfully:

Certificate: /etc/letsencrypt/live/www.yeshen.org/cert.pem
Full Chain: /etc/letsencrypt/live/www.yeshen.org/fullchain.pem
Private Key: /etc/letsencrypt/live/www.yeshen.org/privkey.pem

Here www.yeshen.org is my personal site's domain.

Note that the certificate has a limited validity period (Let's Encrypt certificates are valid for 90 days) and must be renewed regularly. The tls-sni-01 challenge shown above has also since been retired by Let's Encrypt; current clients validate with http-01 over port 80 or with dns-01.

nginx deployment

Deploying into nginx; this part is copied directly from reference 2.
The nginx configuration is in

/etc/nginx/sites-available/default
server {
    listen       80;

    server_name  YOUR_WEBSITE_HERE;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://YOUR_WEBSITE_HERE$request_uri;

}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name YOUR_WEBSITE_HERE;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/YOUR_WEBSITE_HERE/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/YOUR_WEBSITE_HERE/privkey.pem;
    # DH parameters generated in STEP1; without this line nginx never uses that file
    ssl_dhparam /etc/ssl/private/dhparams_2048.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    access_log /var/log/nginx/YOUR_WEBSITE_HERE-access.log;
    error_log /var/log/nginx/YOUR_WEBSITE_HERE-error.log;
    location / {
        # Ghost listens on localhost only; nginx terminates TLS and proxies to it
        proxy_pass http://127.0.0.1:8003;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Here

proxy_pass http://127.0.0.1:8003;

is the local address of the site; the reverse proxy exposes it to the outside world.

Manual renewal

nginx is stopped first because the standalone authenticator chosen above spins up its own listener on the port the challenge uses (443 for tls-sni-01), which nginx would otherwise be holding:
sudo /etc/init.d/nginx stop 
# ps aux | grep nginx
# sudo killall nginx
cd letsencrypt
sudo /usr/local/bin/certbot-auto renew
sudo /etc/init.d/nginx start

Periodic renewal then failed with this error:

/usr/local/bin/certbot-auto renew

Requesting to rerun /usr/local/bin/certbot-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.yeshen.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.yeshen.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.yeshen.org) from /etc/letsencrypt/renewal/www.yeshen.org.conf produced an unexpected error: Failed authorization procedure. www.yeshen.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for www.yeshen.org. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.yeshen.org/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.yeshen.org/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.yeshen.org
   Type:   connection
   Detail: DNS problem: SERVFAIL looking up A for www.yeshen.org

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

This is how I resolved it:

sudo /etc/init.d/nginx stop 
# ps aux | grep nginx
# sudo killall nginx
cd letsencrypt
sudo /usr/local/bin/certbot-auto --force-renewal
# 2
# 1
sudo /etc/init.d/nginx start
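The renewal procedure above, reworked as an added example (this is not code from the original post, nor certbot's or Ghost's own code). It keeps the standalone authenticator but lets certbot stop and start nginx itself through its --pre-hook/--post-hook options, checks that the domain resolves before taking the site down (the failure above was "DNS problem: SERVFAIL", which no amount of retrying on the client fixes), and skips the whole attempt on days when the certificate is not due. Assumed from the post: certbot at /usr/local/bin/certbot-auto, nginx controlled via /etc/init.d/nginx, and the domain www.yeshen.org; assumed from the host: GNU date and glibc getent.

```shell
#!/bin/sh
# Added example, not from the original post. Renewal wrapper for the standalone
# authenticator. Assumes the post's /usr/local/bin/certbot-auto and
# /etc/init.d/nginx paths; DOMAIN defaults to the post's www.yeshen.org.
set -eu

DOMAIN="${DOMAIN:-www.yeshen.org}"
CERTBOT="${CERTBOT:-/usr/local/bin/certbot-auto}"
CERT_PEM="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"

# Map a certbot failure message to the action the operator has to take.
# Pure text function, so it can also be run over a saved
# /var/log/letsencrypt/letsencrypt.log.
classify_certbot_error() {
    case "$1" in
        *"DNS problem: SERVFAIL"*|*"DNS problem: NXDOMAIN"*) echo "fix-dns" ;;
        *"Problem binding to port"*)                         echo "free-port" ;;
        *"Connection refused"*|*"Timeout during connect"*)   echo "open-firewall" ;;
        *"too many certificates"*|*"rateLimited"*)           echo "wait-rate-limit" ;;
        *)                                                   echo "unknown" ;;
    esac
}

# Days until the certificate at $1 expires (GNU date syntax).
days_until_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# The CA must resolve the A/AAAA record; if this host cannot, stopping nginx
# only causes downtime and the challenge fails anyway (glibc getent).
preflight_dns() {
    getent ahostsv4 "$1" >/dev/null 2>&1
}

renew() {
    if ! preflight_dns "$DOMAIN"; then
        echo "refusing to renew: $DOMAIN does not resolve; the CA would report a DNS problem" >&2
        return 1
    fi
    left=$(days_until_expiry "$CERT_PEM")
    # certbot renew only reissues within 30 days of expiry; outside that window
    # there is no reason to take nginx down (and no reason to --force-renewal,
    # which counts against the duplicate-certificate rate limit).
    if [ "$left" -gt 30 ]; then
        echo "$DOMAIN: $left days left, nothing to renew yet; nginx stays up"
        return 0
    fi
    # Standalone must own the port, so certbot stops/starts nginx around the
    # challenge itself instead of us doing it by hand before and after.
    if ! out=$("$CERTBOT" renew --standalone \
            --pre-hook "/etc/init.d/nginx stop" \
            --post-hook "/etc/init.d/nginx start" 2>&1); then
        echo "$out" >&2
        echo "action: $(classify_certbot_error "$out")" >&2
        return 1
    fi
    echo "$out"
}

# Only act when invoked as: sh renew.sh renew (so it can be sourced for its functions)
if [ "${1:-}" = "renew" ]; then
    renew
fi
```

Run it as `sh renew.sh renew` from cron. The DNS preflight turns the SERVFAIL above into a refusal before nginx is stopped, and the expiry check keeps the site up on days when certbot would not renew anyway. It deliberately does not pass --force-renewal: once the A record resolves again a plain renew picks the due certificate up, and forcing reissue of a certificate that is not due only spends Let's Encrypt's duplicate-certificate rate limit.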