How to apply for Let's Encrypt? Let's Encrypt Free SSL Certificate Principle & Installation Tutorial


What is SSL? Chen Weiliang covered it in the previous article, "What is the difference between http and https? A detailed explanation of the SSL encryption process".

E-commerce websites must buy a higher-grade SSL certificate. Apart from those, new-media people who use a website to promote a WeChat public account can install a free SSL certificate if they want one. It helps SEO and can improve the site's keyword ranking in search engines.


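Let's Encrypt itself documents several installation methods (https://certbot.eff.org/). Linux users can follow this tutorial while referring to that documentation.

First download the certbot-auto tool, then run it once so that it installs its dependencies. The --no-check-certificate option disables TLS verification of the download; omit it when the system's CA certificates are up to date.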

wget https://dl.eff.org/certbot-auto --no-check-certificate
chmod +x ./certbot-auto
./certbot-auto -n

Generate the SSL certificate

Next, Chen Weiliang's blog domain is used as the example; change it to suit your needs. Run the following commands over SSH.

Be sure to change the following in the command:

  1. Email address
  2. Server path
  3. Website domain name

Single domain, single directory, generate a certificate:

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com

Multiple domains, single directory, generate one certificate: (i.e. several domain names, one directory, sharing the same certificate)

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com

The generated SSL certificate is saved under /etc/letsencrypt/live/www.chenweiliang.com/.

Multiple domains and multiple directories, generate one certificate: (that is, several domain names, several directories, sharing the same certificate)

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com -w /home/eloha/public_html/site/etufo.org -d www.etufo.org -d img.etufo.org

After the Let's Encrypt certificate has been issued successfully, the following message appears in SSH:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
   Your cert will expire on 2018-02-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

SSL certificate renewal

Renewing the certificate is very simple: use crontab to renew it automatically. Some Debian installations do not ship with crontab, so install it manually first.

apt-get install cron

Add one of the following entries to the /etc/crontab file, for nginx or Apache respectively. The entry runs the renewal every 10 days, which is ample for the 90-day validity period. Entries in /etc/crontab take a user field before the command, here root.

For nginx, add this line to the crontab file:

0 3 */10 * * root /root/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"

For Apache, add this line to the crontab file:

0 3 */10 * * root /root/certbot-auto renew --renew-hook "service httpd restart"
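
An added example (not from the original post) that simulates the 0 3 */10 * * schedule above against a 90-day certificate. It assumes certbot's default of renewing only when fewer than 30 days remain and ignores the time of day; the function names are illustrative.

```shell
#!/bin/sh
# Added example: walk a 90-day certificate forward one day at a time and
# report how much validity is left when the cron job first renews it.
# Assumption: "certbot-auto renew" only acts on certificates with fewer
# than 30 days left (certbot's default); times of day are ignored.

days_in_month() {   # usage: days_in_month YEAR MONTH
    case $2 in
        4|6|9|11) echo 30 ;;
        2)  if [ $(( $1 % 4 )) -eq 0 ] &&
               { [ $(( $1 % 100 )) -ne 0 ] || [ $(( $1 % 400 )) -eq 0 ]; }
            then echo 29; else echo 28; fi ;;
        *)  echo 31 ;;
    esac
}

# usage: days_left_at_renewal YEAR MONTH DAY   (issue date, no leading zeros)
days_left_at_renewal() {
    y=$1 m=$2 d=$3 age=0
    while [ "$age" -lt 90 ]; do
        left=$(( 90 - age ))
        # "*/10" in the day-of-month field matches days 1, 11, 21 and 31.
        if [ $(( (d - 1) % 10 )) -eq 0 ] && [ "$left" -lt 30 ]; then
            echo "$left"
            return 0
        fi
        d=$(( d + 1 )) age=$(( age + 1 ))
        if [ "$d" -gt "$(days_in_month "$y" "$m")" ]; then
            d=1 m=$(( m + 1 ))
            if [ "$m" -gt 12 ]; then m=1 y=$(( y + 1 )); fi
        fi
    done
    echo 0      # no run fell inside the renewal window
    return 1
}

# The certificate in the article expires 2018-02-26, i.e. issued 2017-11-28.
echo "days left at renewal: $(days_left_at_renewal 2017 11 28)"
```

Because the job fires on days 1, 11, 21 and 31 of each month, the renewal in this model happens with between 20 and 29 days of validity left.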

SSL certificate: Apache configuration

Now we need to change the Apache configuration.

Tips:

  • If you use the CWP Control Panel, tick "Generate SSL certificate" when adding a domain name and it will configure the SSL certificate for Apache automatically.
  • If you additionally carry out the steps below, an error may occur when Apache is restarted.
  • If an error occurs, remove the configuration you added manually.

Edit the httpd.conf file ▼

/usr/local/apache/conf/httpd.conf

Find ▼

Listen 443
  • (remove the leading comment character #)

or add the listening port 443 ▼

Listen 443

Check Apache's listening ports over SSH ▼

grep ^Listen /usr/local/apache/conf/httpd.conf

Find ▼

mod_ssl
  • (remove the leading comment character #)

or add ▼

LoadModule ssl_module modules/mod_ssl.so

Find ▼

httpd-ssl
  • (remove the leading comment character #)

Next, run the following command over SSH (be sure to change the paths to your own):

cat >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/usr/local/apache/logs/ssl_mutex"
EOF

Then go to the end of the Apache configuration for the website you created.

Add the SSL virtual-host configuration below (the # lines are explanatory comments; change the paths to your own):

<VirtualHost *:443>
# Website directory
DocumentRoot /home/admin/web/chenweiliang.com/public_html
# Domain name
ServerName www.chenweiliang.com:443
# Email
ServerAdmin [email protected]
# Error log
ErrorLog "/var/log/www.chenweiliang.com-error_log"
# Access log
CustomLog "/var/log/www.chenweiliang.com-access_log" common
SSLEngine on
# Certificate generated earlier
SSLCertificateFile /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
# Private key generated earlier
SSLCertificateKeyFile /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
# Website directory
<Directory "/home/admin/web/chenweiliang.com/public_html">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
# User group (some server setups need this line, some may not; delete it if it causes an error)
suPHP_UserGroup eloha eloha
Order allow,deny
Allow from all
DirectoryIndex index.html index.phps
</Directory>
</VirtualHost>

Finally, restart Apache:

service httpd restart

Force HTTP to HTTPS in Apache

  • Many websites can run over SSL all the time.
  • Once SSL is in use, we need to make sure the website is always accessed through SSL.
  • If any user tries to access the site with a non-SSL URL, they must be redirected to the SSL site.
  • The redirect to the SSL URL is done with Apache's mod_rewrite module.
  • If you use a one-click LAMP package that installs the SSL certificate automatically and forces the redirect to HTTPS, the redirect is already in effect and you do not need to add an HTTPS redirect.

Add the redirect rule

  • In the Apache configuration file, edit the website's virtual host and add the following settings.
  • You can also add the same settings to the .htaccess file in your website's document root.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If you only want to redirect one specific URL to HTTPS:

RewriteEngine On
RewriteRule ^message$ https://www.etufo.org/message [R=301,L]
  • If someone tries to access message, the page jumps to https, and the user can only reach that URL over SSL.

Restart Apache so that the .htaccess file takes effect:

service httpd restart

Precautions

  • Change the email address used above to your own email address.
  • Remember to change the website domain name used above to your own domain name.

The redirect position problem

Under pseudo-static rules, when you add the redirect rules you will often run into the problem that http cannot be redirected to https.

At first we copied the redirect code into .htaccess, where it ended up in the following position ▼

[Image: the redirect rules placed below the [L] rule]

  • [L] marks the current rule as the last rule; processing of the rewrite rules that follow it stops.
  • So when a page that has already been rewritten is requested, [L] stops the rules that follow, and the redirect rules below it never take effect.

When an http page is visited we want the URL redirect to fire, skipping the pseudo-static rules so that the redirect rule runs and the whole site is redirected from http to https.

Do not put the https redirect rules below the [L] rule; put them above the [L] rule ▼

[Image: the SSL redirect rules placed above the pseudo-static [L] rule]
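
The two orderings described above, as an added example that is not part of the original post: it writes both .htaccess layouts and checks whether the HTTPS redirect comes before any other [L] rule. The WordPress-style block standing in for the pseudo-static rules and the function name https_redirect_first are assumptions.

```shell
#!/bin/sh
# Added example: check that the HTTP->HTTPS redirect precedes every other
# RewriteRule that carries the [L] flag. Both .htaccess bodies are
# constructed; the WordPress-style block stands in for "pseudo-static rules".

# usage: https_redirect_first FILE   (exit status 0 = order is correct)
https_redirect_first() {
    awk '
        /^[ \t]*RewriteRule/ {
            if ($3 ~ /^https:/)                 { if (!redir) redir = NR }
            else if ($NF ~ /(^\[|,)L(,|\]$)/)   { if (!last)  last  = NR }
        }
        END { exit !(redir && (!last || redir < last)) }
    ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed: redirect pasted at the bottom, under the [L] rules (broken).
cat > "$tmp/broken" <<'EOF'
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF

# Constructed: redirect moved above the pseudo-static rules (fixed).
cat > "$tmp/fixed" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
EOF

for f in broken fixed; do
    if https_redirect_first "$tmp/$f"; then echo "$f: redirect runs first"
    else echo "$f: redirect is below an [L] rule"; fi
done
```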

We hope that "How to apply for Let's Encrypt? Let's Encrypt SSL Free Certificate Principle & Installation Tutorial", shared by Chen Weiliang Blog ( https://www.chenweiliang.com/ ), is helpful to you.

You are welcome to share the link to this article: https://www.chenweiliang.com/cwl-512.html
