How to Secure Apache with SSL and Let's Encrypt in FreeBSD


In this tutorial we will learn how to secure the Apache HTTP server with TLS/SSL certificates offered by Let's Encrypt on FreeBSD 11.x. We will also cover how to automate the Let's Encrypt certificate renewal process.

TLS/SSL certificates are used by the Apache web server to encrypt the communication between the end nodes, or more commonly between the server and the client, in order to provide security. Let's Encrypt provides the certbot command-line utility, an application that makes it easy to obtain free trusted certificates.

  1. Installing FreeBSD 11.x
  2. 10 Things to Do After Installing FreeBSD
  3. How to Install Apache, MariaDB and PHP on FreeBSD

Step 1: Configure Apache SSL on FreeBSD

1. Before starting to install the certbot utility and creating the TLS configuration file for Apache, first create two distinct directories named sites-available and sites-enabled in the Apache root configuration directory by issuing the commands below.

The purpose of these two directories is to ease the management of the virtual hosting configuration on the system, without modifying the main Apache configuration file httpd.conf every time we add a new virtual host.

# mkdir /usr/local/etc/apache24/sites-available
# mkdir /usr/local/etc/apache24/sites-enabled

2. After you have created the two directories, open the Apache httpd.conf file with a text editor and add the following line near the end of the file, as illustrated below.

# nano /usr/local/etc/apache24/httpd.conf

Add the following line:

IncludeOptional etc/apache24/sites-enabled/*.conf

3. Next, enable the TLS module for Apache by creating a new file named 020_mod_ssl.conf in the modules.d directory with the following content.

# nano /usr/local/etc/apache24/modules.d/020_mod_ssl.conf

Add the following lines to the 020_mod_ssl.conf file.

Listen 443
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300

4. Now, uncomment the SSL module in the /usr/local/etc/apache24/httpd.conf file by removing the hash sign from the beginning of the following line, as illustrated below:

LoadModule ssl_module libexec/apache24/mod_ssl.so

5. Next, create the TLS configuration file for your domain in the sites-available directory, preferably named after your domain, as presented in the excerpt below:

# nano /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf

Add the following virtual host configuration to the bsd.lan-ssl.conf file.

<VirtualHost *:443>
    ServerName www.yourdomain.com
    ServerAlias yourdomain.com
    DocumentRoot "/usr/local/www/apache24/data/"
    SSLEngine on

    SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem"
    SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "/usr/local/www/apache24/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog "/var/log/apache/httpd-ssl_request.log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <Directory "/usr/local/www/apache24/data/">
        Options Indexes FollowSymLinks MultiViews
        # AllowOverride controls what directives may be placed in .htaccess files.
        AllowOverride All
        # Controls who can get content from this server.
        Require all granted
    </Directory>

    ErrorLog "/var/log/apache/yourdomain.ssl-error.log"
    CustomLog "/var/log/apache/yourdomain.ssl-access_log" combined
</VirtualHost>

Make sure you replace the domain name variables in the ServerName, ServerAlias, ErrorLog and CustomLog statements accordingly.

Step 2: Install Let's Encrypt on FreeBSD

6. In the next step, issue the following command to install the certbot utility provided by Let's Encrypt, which will be used to obtain free TLS certificates for your Apache domain.

During the installation of certbot a series of prompts will be displayed on your screen. Use the screenshot below to configure the certbot utility. Also, compiling and installing the certbot utility may take a while, depending on your machine's resources.
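As an added check that is not part of the original tutorial, the following Python script parses constructed copies of the 020_mod_ssl.conf fragment and the virtual host above and reports whether the settings the tutorial relies on are actually in place: SSLv2 and SSLv3 disabled, SSLEngine on, and the three certificate directives pointing into a single Let's Encrypt live/ directory. The sample configs and directive names mirror the page; the checker itself (directives, check_tls) is a hypothetical helper.

```python
# Constructed sample of modules.d/020_mod_ssl.conf as the tutorial writes it.
MOD_SSL_CONF = """\
Listen 443
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
"""
# Constructed, trimmed sample of sites-available/bsd.lan-ssl.conf.
VHOST_CONF = """\
<VirtualHost *:443>
    ServerName www.yourdomain.com
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem"
    SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem"
</VirtualHost>
"""
LIVE = "/usr/local/etc/letsencrypt/live/"
CERT_FILES = {"SSLCertificateFile": "cert.pem", "SSLCertificateKeyFile": "privkey.pem",
              "SSLCertificateChainFile": "fullchain.pem"}
def directives(text):
    """Map directive -> value for plain, space-separated lines; comments and <tags> are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            key, _, value = line.partition(" ")
            out[key] = value.strip().strip('"')
    return out

def check_tls(mod_ssl, vhost):
    """Return findings; an empty list means the config matches the tutorial's hardening."""
    findings = []
    g, v = directives(mod_ssl), directives(vhost)
    proto = [p.upper() for p in g.get("SSLProtocol", "").split()]
    for legacy in ("SSLv2", "SSLv3"):
        up = legacy.upper()  # Apache accepts the keywords case-insensitively
        if ("ALL" in proto or up in proto or "+" + up in proto) and "-" + up not in proto:
            findings.append(f"mod_ssl: {legacy} not disabled in SSLProtocol")
    if v.get("SSLEngine", "").lower() != "on":
        findings.append("vhost: SSLEngine is not 'on'")
    live_dirs = set()
    for directive, name in CERT_FILES.items():
        path = v.get(directive, "")
        if path.startswith(LIVE) and path.endswith("/" + name):
            live_dirs.add(path.rsplit("/", 1)[0])  # the live/<domain> directory
        else:
            findings.append(f"vhost: {directive} does not point at live/<domain>/{name}")
    if len(live_dirs) > 1:
        findings.append("vhost: certificate directives point at different live/ directories")
    return findings
```

Note that the tutorial's `SSLProtocol ALL -SSLv2 -SSLv3` still leaves TLSv1.0 and TLSv1.1 enabled; the checker flags only what the page itself disables.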

# cd /usr/ports/security/py-certbot
# make install clean

7. After the compilation process has finished, issue the commands below to update the certbot utility and the required certbot dependencies.

# pkg install py27-certbot
# pkg install py27-acme

8. In order to generate a certificate for your domain, issue the command as shown below. Make sure you provide the correct webroot location where your website files are stored on the file system (the DocumentRoot directive from your domain's configuration file) using the -w flag. If you have multiple subdomains, add them all with the -d flag.

# certbot certonly --webroot -w /usr/local/www/apache24/data/ -d yourdomain.com -d www.yourdomain.com

While obtaining the certificate, provide an e-mail address for certificate renewal notices, press a to agree to the Let's Encrypt terms and conditions, and n to not share the e-mail address with Let's Encrypt partners.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email 
There seem to be problems with that address. Enter email address (used for
urgent renewal and security notices)  If you really want to skip this, you can
run the client with --register-unsafely-without-email but make sure you then
backup your account key from /etc/letsencrypt/accounts   (Enter 'c' to cancel):[email 

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.domain.com
Using the webroot path /usr/local/www/apache24/data for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem. Your cert
   will expire on 2017-11-15. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /usr/local/etc/letsencrypt. You should make a secure backup of
   this folder now. This configuration directory will also contain certificates
   and private keys obtained by Certbot so making regular backups of this
   folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

9. After you have obtained the certificates for your domain, you can run the ls command to list all the certificate components (chain, private key, certificate), as presented in the example below.

# ls -al /usr/local/etc/letsencrypt/live/www.yourdomain.com/

Step 3: Update Apache TLS Certificates on FreeBSD

10. In order to add the Let's Encrypt certificates to your website, open your domain's Apache configuration file and update the following lines to reflect the path of the issued certificates.

# nano /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf

Add these TLS certificate lines:

SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem"
SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem"

11. Finally, enable the TLS configuration file by creating a symlink for your domain's TLS configuration file into the sites-enabled directory, check the Apache configuration for possible syntax errors and, if the syntax is OK, restart the Apache daemon by issuing the commands below.

# ln -sf /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf /usr/local/etc/apache24/sites-enabled/
# apachectl -t
# service apache24 restart

12. To check whether the Apache service is listening on HTTPS port 443, issue the following command to list the httpd network sockets.

# sockstat -4 | grep httpd

13. You can navigate to your domain address from a browser over the HTTPS protocol in order to confirm that the Let's Encrypt certificates have been applied successfully.

https://www.yourdomain.com

14. To obtain extra information about the issued Let's Encrypt certificate from the command line, use the openssl command as follows.

# openssl s_client -connect www.yourdomain.com:443

15. You can also verify whether the traffic is encrypted with a valid certificate provided by the Let's Encrypt CA from a mobile device, as shown in the mobile screenshot below.

That's all! Clients can now visit your website securely, because the traffic flowing between the server and the client's browser is encrypted. For more complex tasks concerning the certbot utility, visit the following link: https://certbot.eff.org/