Tusitusiga Tusitusiga
E fa'afefea ona talosaga mo Let's Encrypt?
Se'i o tatou fa'ailoga SSL Certificate Principle & Installation Tutorial
O le a le SSL?Chen WeiliangI le tusiga muamua "O le a le eseesega i le va o le http vs https? Fa'amatalaga au'ili'ili ole faiga fa'ailoga SSL"O loʻo taʻua i le ".
e ese maiE-pisinisiI le faaopoopo atu i le faʻatauina o se faʻailoga faʻamaonia SSL, e tatau ona faʻaoga le upega tafaʻilagi mo WeChatFa'aliga tala fa'alaua'iteleNuala faʻasalalau fouTagata, afai e te manaʻo e faʻapipiʻi se tusi faamaonia SSL, e mafai ona e faʻapipiʻi moni se faʻailoga SSL faʻailoga mo le leai o se totogi, e lelei moSeoE fesoasoani ma e mafai ona faʻaleleia le faʻavasegaina o upega tafaʻilagi upu autu i masini suʻesuʻe.
Let's Encrypt lava ia na tusia se seti o faiga (https://certbot.eff.org/), fa'aaogaLinuxUo, e mafai ona e vaʻai i lenei faiga ma mulimuli i lenei aʻoaʻoga.
Muamua la'u mai le meafaigaluega certbot-auto, ona fa'agasolo lea o vaega fa'alagolago i le mea faigaluega.
wget https://dl.eff.org/certbot-auto --no-check-certificate chmod +x ./certbot-auto ./certbot-auto -n
Fausia le tusi faamaonia SSL
Sosoo ai, amata iChen WeiliangAve le igoa ole blog e fai ma fa'ata'ita'iga Fa'amolemole sui e tusa ai ma ou mana'oga.
Faamolemole ia mautinoa e sui le poloaiga:
- Pusa meli
- Ala o le server
- igoa ole upegatafa'ilagi
Lisi lisi lisi ta'itasi, fai se tusi pasi:
./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com
Lisi lisi lisi tele, faia se tusi faamaonia: (o le tele o igoa ole igoa, tasi le lisi, faʻaaoga le tusi faamaonia e tasi)
./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com
O le tusi faamaonia SSL na faia o le a teuina i:/etc/letsencrypt/live/www.chenweiliang.com/
I lalo o anotusi.
Fa'aigoa fa'ailoga e tele ma fa'atonuga e tele, fa'atupu se tusi pasi: (fa'aigoa ole tele igoa ole igoa, tele fa'atonuga, fa'aoga le tusi pasi e tasi)
./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com -w /home/eloha/public_html/site/etufo.org -d www.etufo.org -d img.etufo.org
A maeʻa ona faʻapipiʻiina le tusi faamaonia Let's Encrypt, o le a faʻaalia le savali faʻavave a le SSH:
FAAMATALAGA FAATINO:
– Manuia lau tusipasi ma le chain ua faasaoina i:
/etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
Ua teu lau faila autu ile:
/etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
O lau tusipasi o le a muta ile 2018-02-26 Mo le mauaina o se mea fou pe faʻapipiʻi
lomiga o lenei tusi faamaonia i le lumanaʻi, naʻo le taʻavale certbot-auto
toe fa'afou
"certbot-auto faafou"
- Afai e te fiafia i le Certbot, faʻamolemole mafaufau e lagolagoina la matou galuega e ala i:
Foai i le ISRG / Let's Encrypt: https://letsencrypt.org/donate
Foaʻi i le EFF: https://eff.org/donate-le
Faafouga tusi faamaonia SSL
O le faʻafouina o tusi faamaonia e matua faigofie foi, faʻaaogacrontabFaia le faafouga otometi. Afai o nisi Debians e le o faʻapipiʻiina crontab, e mafai ona e faʻapipiʻi muamua ma le lima.
apt-get install cron
O tulafono nei e mo nginx ma apache i le faasologa. / etc / crontab O le poloaiga na ulufale i totonu o le faila o lona uiga o le faafouga i aso uma e 10, ma o se vaitaimi aoga o le 90 aso ua lava.
Nginx crontab faila, faʻamolemole faʻaopoopo:
0 3 */10 * * /root/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"
Apache's crontab faila, faʻamolemole faʻaopoopo:
0 3 */10 * * /root/certbot-auto renew --renew-hook "service httpd restart"
SSL Tusi Faamaonia Apache Configuration
I le taimi nei, matou te manaʻomia le suia o le faʻatulagaga Apache.
Fautuaga:
- Afai o loʻo e faʻaaogainaCWP Pulea Vaega, siaki Otometi gaosia le tusi faamaonia SSL pe a faʻaopoopo se igoa faʻapitonuʻu, ma o le SSL tusi faamaonia Apache o le a otometi lava configured.
- Afai e te faia le tele o laasaga nei, e ono tupu se mea sese pe a uma ona toe amataina Apache.
- Afai e iai se mea e faaletonu, tape le fa'atulagaga na e fa'aopoopo ma le lima.
Fa'atonu le faila httpd.conf ▼
/usr/local/apache/conf/httpd.conf
Su'e ▼
Listen 443
- (Aveese le numera fa'amatalaga muamua #)
Po'o le fa'aopoopoina o le tau fa'alogo 443 ▼
Listen 443
SSH siaki le tau fa'alogo Apache ▼
grep ^Listen /usr/local/apache/conf/httpd.conf
Su'e ▼
mod_ssl
- (Aveese le numera fa'amatalaga muamua #)
pe faaopoopo ▼
LoadModule ssl_module modules/mod_ssl.so
Su'e ▼
httpd-ssl
- (Aveese le numera fa'amatalaga muamua #)
Ona faia lea e SSH le poloaiga lenei (fa'aaliga e sui le ala ia oe lava):
at >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF Listen 443 AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLHonorCipherOrder on SSLProtocol all -SSLv2 -SSLv3 SSLProxyProtocol all -SSLv2 -SSLv3 SSLPassPhraseDialog builtin SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 SSLMutex "file:/usr/local/apache/logs/ssl_mutex" EOF
Sosoo ai, i le faaiuga o le Apache configuration mo le upega tafaʻilagi na e fatuinalalo.
Faʻaopoopo le faila faʻapipiʻi SSL (faʻaaliga e aveese faʻamatalaga ma sui le ala ia oe lava):
<VirtualHost *:443> DocumentRoot /home/admin/web/chenweiliang.com/public_html //网站目录 ServerName www.chenweiliang.com:443 //域名 ServerAdmin [email protected] //邮箱 ErrorLog "/var/log/www.chenweiliang.com-error_log" //错误日志 CustomLog "/var/log/www.chenweiliang.com-access_log" common //访问日志 SSLEngine on SSLCertificateFile /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem //之前生成的证书 SSLCertificateKeyFile /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem //之前生成的密钥 <Directory "/home/admin/web/chenweiliang.com/public_html"> //网站目录 SetOutputFilter DEFLATE Options FollowSymLinks AllowOverride All suPHP_UserGroup eloha eloha //用户组(有些服务器配置需要,有些可能不需要,出错请删除此行) Order allow,deny Allow from all DirectoryIndex index.html index.phps </Directory> </VirtualHost>
Mulimuli ane, toe amata Apache:
service httpd restart
Apache faʻamalosi HTTP toe faʻafeiloaʻi HTTPS
- Le tele o talosaga i luga ole laiga e mafai ona fa'aoga ile SSL.
- E tatau ona tatou mautinoa o taimi uma tatou te faʻaogaina ai le SSL, e tatau ona tatou faʻaogaina le upega tafaʻilagi e ala ile SSL.
- Afai e taumafai soʻo se tagata faʻaoga e faʻaoga le upega tafaʻilagi e faʻaaoga ai le URL e le o le SSL, e tatau ona toe faʻafeiloaʻi i le upega tafaʻilagi SSL.
- Fa'aoga le Apache mod_rewrite module e toe fa'afeiloa'i i SSL URLs.
- Afai e te faʻaogaina le LAMP e faʻapipiʻi ai le afifi i le kiliki e tasi, o loʻo i ai le faʻapipiʻiina otometi o faʻamaumauga SSL ma faʻamalosia le toe faʻafeiloaʻi i le HTTPS ma le toe faʻafeiloaʻi i le HTTPS.I le malosi, e leai se manaʻoga e faʻaopoopo le HTTPS redirection.
Fa'aopoopo le tulafono fa'atonu
- I le faila fetuutuunaiga a Apache, faʻasaʻo le 'upega tafaʻilagi' upega tafaʻilagi ma faʻaopoopo tulaga nei.
- E mafai fo'i ona e fa'aopoopo tulaga tutusa i le a'a pepa i lau 'upega tafa'ilagi i se faila .htaccess.
RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Afai e te manaʻo e faʻamaonia se URL patino e toe faʻafeiloaʻi i HTTPS:
RewriteEngine On RewriteRule ^message$ https://www.etufo.org/message [R=301,L]
- Afai e taumafai se tasi e sao feʻau , o le a oso le itulau i https, ma e mafai e tagata faʻaoga ona faʻaogaina le URL e faʻaaoga ai le SSL.
Toe amata Apache ina ia fa'amanaia le faila .htaccess:
service httpd restart
Lapataiga
- Fa'amolemole sui le tuatusi imeli o lo'o i luga i lau lava tuatusi imeli.
- Faamolemole ia manatua e sui le igoa ole upegatafa'ilagi i luga ile igoa ole igoa ole upegatafa'ilagi.
Toe fa'asino le tulaga o le tulafono
I lalo o tulafono pseudo-static, pe a tuʻuina tulafono oso faʻafeiloaʻi, e masani ona e feagai http e le mafai ona toe fa'asino i le https O le faʻafitauli.
Muamua na matou kopiina le code redirect i le .htaccess ma o le a aliali mai i mataupu nei ▼
- [L] fa'ailoa mai o le tulafono o lo'o iai nei o le tulafono mulimuli, taofi le su'esu'eina o tulafono toe tusi nei.
- A o'o atu la i le itulau fa'asinoala toe fa'asa'o, [L] taofi le tulafono o lo'o mulimuli mai, o lea e le aoga le tulafono toe fa'atonu.
Pe a asiasi i le itulau autu o le http, matou te mananaʻo e faʻaosoina se URL toe faʻafeiloaʻi, faaseʻe le tulafono pseudo-static e faʻatino ai le tulafono oso faʻafeiloaʻi, ina ia mafai ona ausia.Site-lautele http toe fa'asaga i https .
Aua le tu'uina i totonu tulafono fa'asinoala https [L] I lalo o tulafono, tuu [L] i luga atu o tulafono ▼
Faitau atili:
- O le a le eseesega i le va o le http vs https? Fa'amatalaga au'ili'ili ole faiga fa'ailoga SSL
- O le a se mea e tatau ona ou faia pe a ou maua se mea sese 500 pe a uma ona faʻapipiʻi le Let's Encrypt SSL certificate i le CWP control panel?
- Otometi ona oso i le igoa lona lua e aunoa ma le www pito i luga ole igoa ole igoa: ole a'a ole igoa ole igoa 301 toe tuusao www
Hope Chen Weiliang Blog ( https://www.chenweiliang.com/ ) faasoa "E faʻafefea ona talosaga mo Let's Encrypt? Let's Encrypt SSL Free Certificate Principle & Installation Tutorial", lea o le a fesoasoani ia te oe.
Fa'afeiloa'i e fa'asoa le so'otaga o lenei tusitusiga:https://www.chenweiliang.com/cwl-512.html
Faʻafeiloaʻi i le Telegram channel o le blog a Chen Weiliang e maua ai faʻamatalaga lata mai!
📚 O lenei taʻiala o loʻo i ai le taua tele, 🌟O se avanoa e seasea maua, aua le misia! ⏰⌛💨
Faasoa ma fiafia pe a e fiafia i ai!
O lau fefa'asoaa'i ma le fiafia o la matou fa'aosofiaga faifaipea!