Isalathiso senqaku
Ungasifaka njani isicelo seSifihlo?
MasiFihlelele umGaqo weSatifikethi se-SSL kunye neSifundo sokuFakelo
Yintoni i-SSL?Chen WeiliangKwinqaku elidlulileyo "Yintoni umahluko phakathi kwe-http vs https? Ingcaciso ebanzi yenkqubo yoguqulelo oluntsonkothileyo lwe-SSL” ekhankanywe kwi.
ngaphandle kweEzorhweboIwebhusayithi kufuneka ithenge isatifikethi esifihliweyo se-SSL kwaye isebenzise iwebhusayithi njenge-WeChatUkunyuswa kweakhawunti yoluntukaiindaba ezintshaAbantu, ukuba ufuna ukufaka isatifikethi se-SSL, ungasifaka simahla isatifikethi se-SSL esifihliweyo.seoIluncedo, inokuphucula umgangatho wewebhusayithi yamagama angundoqo kwiinjini zokukhangela.
Masi Fihla ngokwayo ibhale uluhlu lweenkqubo (https://certbot.eff.org/), sebenzisaLinuxbahlobo, unokulandela esi sifundo ngelixa ubhekisa kwinkqubo.
Khuphela isixhobo se-certbot-auto kuqala, emva koko uqhube ukuxhomekeka kofakelo lwesixhobo.
wget https://dl.eff.org/certbot-auto --no-check-certificate chmod +x ./certbot-auto ./certbot-auto -n
Yenza isatifikethi se-SSL
Okulandelayo, ngeChen WeiliangThatha igama lesizinda sebhlog njengomzekelo, nceda uyiguqule ngokweemfuno zakho.I-SSH yenza le miyalelo ilandelayo.
Qinisekisa ukulungisa umyalelo kwi:
- ibhokisi yeposi
- indlela yomncedisi
- Igama lesizinda sewebhusayithi
Indawo enye, yenza isatifikethi:
./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com
Isilawuli se-multi-domain enye, yenza isatifikethi: (oko kukuthi, amagama amaninzi ethambeka, ulawulo olunye, sebenzisa isatifikethi esifanayo)
./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com
Isatifikethi se-SSL esenziweyo siza kugcinwa apha:/etc/letsencrypt/live/www.chenweiliang.com/
Ngaphantsi kwemixholo.
Amagama amaninzi edomeyini kunye nabalawuli abaninzi, velisa isatifikethi: (oko kukuthi, amagama amaninzi esizinda, abalawuli abaninzi, sebenzisa isatifikethi esifanayo)
./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com -w /home/eloha/public_html/site/etufo.org -d www.etufo.org -d img.etufo.org
Emva kokuba isatifikethi se-Let Encrypting sifakwe ngempumelelo, lo myalezo ulandelayo uza kuvela kwi-SSH:
AMANQAKU AQHELEKILEYO:
– Sivuyisana nawe Isatifikethi sakho kunye nesifundoain zigcinwe apha:
/etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
Ifayile yakho yesitshixo igcinwe apha:
/etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
Isiqinisekiso sakho siya kuphelelwa ngo-2018-02-26. Ukufumana entsha okanye ilungisiwe
uguqulelo lwesi satifikethi kwixesha elizayo, sebenzisa ngokulula i-certbot-auto
Ukungahlaziyeki ngokutsha *zonke* izatifikethi zakho, sebenzisa
"ukuhlaziya i-certbot-auto"
-Ukuba uyathanda iCertbot, nceda ujonge ukuxhasa umsebenzi wethu ngokwenza oku:
Ukunikela kwi-ISRG / Masifihle: https://letsencrypt.org/donate
Ukunikela kwi-EFF: https://eff.org/donate-le
Ukuhlaziywa kweSatifikethi se-SSL
Ukuhlaziywa kwesatifikethi nako kulula kakhulu, usebenzisaicrontabHlaziya ngokuzenzekelayo.Enye i-Debian ayinayo i-crontab efakiweyo, unokuyifaka ngesandla kuqala.
apt-get install cron
Le miyalelo ilandelayo ikwi nginx kwaye apache ngokulandelelanayo / njl / crontab Umyalelo ofakwe kwifayile uthetha ukuba uhlaziywa rhoqo ngeentsuku ze-10, kwaye ixesha lokuqinisekiswa kwe-90 lanele.
Ifayile ye-Nginx crontab, nceda wongeze:
0 3 */10 * * /root/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"
Ifayile yeApache crontab, nceda wongeze:
0 3 */10 * * /root/certbot-auto renew --renew-hook "service httpd restart"
Isatifikethi se-SSL Ubumbeko lwe-Apache
Ngoku, kufuneka senze utshintsho kuqwalaselo lwe-Apache.
Iingcebiso:
- ukuba uyayisebenzisaIphaneli yokulawula yeCWP, kwi Yongeza igama lommandla wokukhangela Yenza ngokuzenzekelayo isatifikethi se-SSL, siya kuqwalasela ngokuzenzekelayo isatifikethi se-SSL seApache.
- Ukuba wenza ngakumbi kula manyathelo alandelayo, impazamo inokuthi yenzeke emva kokuqalisa kwakhona i-Apache.
- Ukuba kukho impazamo, cima ubumbeko olongeze ngesandla.
Hlela ifayile ye-httpd.conf ▼
/usr/local/apache/conf/httpd.conf
Fumana ▼
Listen 443
- (susa inombolo yezimvo ezandulelayo #)
okanye yongeza izibuko lokumamela 443 ▼
Listen 443
SSH khangela iApache yokumamela izibuko ▼
grep ^Listen /usr/local/apache/conf/httpd.conf
Fumana ▼
mod_ssl
- (susa inombolo yezimvo ezandulelayo #)
okanye udibanise ▼
LoadModule ssl_module modules/mod_ssl.so
Fumana ▼
httpd-ssl
- (susa inombolo yezimvo ezandulelayo #)
Emva koko, i-SSH yenza lo myalelo ulandelayo (qaphela ukutshintsha indlela eya kweyakho):
at >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF Listen 443 AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLHonorCipherOrder on SSLProtocol all -SSLv2 -SSLv3 SSLProxyProtocol all -SSLv2 -SSLv3 SSLPassPhraseDialog builtin SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 SSLMutex "file:/usr/local/apache/logs/ssl_mutex" EOF
Okulandelayo, ekupheleni koqwalaselo lwe-Apache lwewebhusayithi oyenzileyophantsi.
Yongeza ifayile yoqwalaselo yecandelo le-SSL (qaphela ukususa izimvo, kwaye utshintshe indlela eya kweyakho):
<VirtualHost *:443> DocumentRoot /home/admin/web/chenweiliang.com/public_html //网站目录 ServerName www.chenweiliang.com:443 //域名 ServerAdmin [email protected] //邮箱 ErrorLog "/var/log/www.chenweiliang.com-error_log" //错误日志 CustomLog "/var/log/www.chenweiliang.com-access_log" common //访问日志 SSLEngine on SSLCertificateFile /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem //之前生成的证书 SSLCertificateKeyFile /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem //之前生成的密钥 <Directory "/home/admin/web/chenweiliang.com/public_html"> //网站目录 SetOutputFilter DEFLATE Options FollowSymLinks AllowOverride All suPHP_UserGroup eloha eloha //用户组(有些服务器配置需要,有些可能不需要,出错请删除此行) Order allow,deny Allow from all DirectoryIndex index.html index.phps </Directory> </VirtualHost>
Ekugqibeleni qala kwakhona i-Apache kuyo:
service httpd restart
I-Apache inyanzelisa i-HTTP iqondise kwakhona kwi-HTTPS
- Izicelo ezininzi zewebhu zihlala ziqhutywa kuphela nge-SSL.
- Kufuneka siqinisekise ukuba ngalo lonke ixesha sisebenzisa i-SSL, iwebhusayithi kufuneka ifikeleleke nge-SSL.
- Ukuba nawuphi na umsebenzisi uzama ukufikelela kwiwebhusayithi nge-URL engeyiyo ye-SSL, kufuneka athunyelwe kwakhona kwiwebhusayithi ye-SSL.
- Qondisa kwakhona kwi-URL ye-SSL usebenzisa imodyuli ye-Apache mod_rewrite.
- Ukuba usebenzisa i-LAMP cofa-kanye iphakheji yokufakela, ufakelo oluzenzekelayo lwesatifikethi se-SSL kunye nokunyanzeliswa kolwalathiso kwi-HTTPS, ukuhanjiswa kwakhona kwi-HTTPSNdiyanyanzela, awudingi ukongeza ukuhanjiswa kwe-HTTPS.
Yongeza umgaqo wokwalathisa
- Kwifayile yoqwalaselo ye-Apache, hlela i-website ye-host host enenyani kwaye wongeze ezi zicwangciso zilandelayo.
- Ungongeza kwakhona izicwangciso ezifanayo kwingcambu yoxwebhu kwiwebhusayithi yakho kwifayile yakho .htaccess.
RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Ukuba ufuna ukukhankanya i-URL ethile oza kuphinda uqondise kuyo kwi-HTTPS:
RewriteEngine On RewriteRule ^message$ https://www.etufo.org/message [R=301,L]
- Ukuba umntu uzama ukufikelela umyalezo , iphepha liya kuxhuma ku-https, kwaye umsebenzisi unokufikelela kuphela kwi-URL nge-SSL.
Qala kwakhona i-Apache ukwenzela ukuba ifayile ye-htaccess isebenze:
service httpd restart
Izilumkiso
- Nceda utshintshe idilesi ye-imeyile engentla kwidilesi ye-imeyile yakho.
- Nceda ukhumbule ukutshintsha igama lesizinda sewebhusayithi kwigama lesizinda sakho sewebhusayithi.
Ingxaki yendawo yokulawula ngokutsha
Ngaphantsi kwemithetho ye-pseudo-static, xa ubeka imithetho yokutsiba ngokutsha, uhlala udibana nayo i-http ayinakuphinda iqondise ku-https Ingxaki.
Ekuqaleni sikhuphele ikhowudi yokuqondisa kwakhona kwi .htaccess kwaye iya kuvela kwezi meko zilandelayo ▼
- [L] ibonisa ukuba umgaqo wangoku ngumgaqo wokugqibela, yeka ukuhlalutya le mithetho ilandelayo yokubhala kwakhona.
- Ke xa ufikelela kwinqaku eliqondiswe ngokutsha, [L] umisa lo mgaqo ulandelayo, ngoko ke umthetho wokwalathisa awusebenzi.
Xa undwendwela i-http yephepha lasekhaya, sifuna ukuvusa ulwalathiso lwe-URL, tsiba umgaqo-pseudo-static ukuphumeza umthetho wokutsiba kwakhona, ukuze ube nokuphunyezwa.Isiza ngokubanzi http uqondise kwakhona kwi-https ,
Musa ukubeka imigaqo ye-https yokuqondisa kwakhona [L] Ngezantsi kwemithetho, beka [L] ngaphezulu kwemithetho ▼
Ukwandiswa kokufunda:
- Yintoni umahluko phakathi kwe-http vs https? Ingcaciso ebanzi yenkqubo yoguqulelo oluntsonkothileyo lwe-SSL
- Kufuneka ndenze ntoni ukuba ndifumana impazamo 500 emva kokufaka iSitifiketi se-SSL se-Let’s Encrypting SSL kwiqela lolawulo le-CWP?
- Ukutsibela ngokuzenzekelayo kwinqanaba lesibini lesizinda segama ngaphandle kwegama lesizinda somgangatho ophezulu we-www: igama lesizinda sengcambu 301 iphinda iqondise www
Ndiyathemba Chen Weiliang Blog ( https://www.chenweiliang.com/ ) ekwabelwana ngayo "Usifaka njani isicelo sokuba siFakelwe kwiNguqulelo entsonkothileyo? Masibhale kwiNqaku leSiqinisekiso saMahla se-SSL kunye neSifundo sokuFakela", eluncedo kuwe.
Wamkelekile ukwabelana ngekhonkco leli nqaku:https://www.chenweiliang.com/cwl-512.html
Wamkelekile kwisitishi seTelegram sebhlog kaChen Weiliang ukufumana uhlaziyo lwamva nje!
📚 Esi sikhokelo sinexabiso elikhulu, 🌟Eli lithuba elinqabileyo, ungaliphoswa! ⏰⌛💨
Yabelana kwaye uthanda ukuba uyathanda!
Ukwabelana kwakho kunye nezinto ozithandayo ziyinkuthazo yethu eqhubekayo!