How do you apply for Let's Encrypt?


Let's Encrypt SSL Certificate Principle and Installation Tutorial

What is SSL? Chen Weiliang covered it in the previous article "What is the difference between http vs https? A detailed explanation of the SSL encryption process".

E-commerce websites need to purchase an encrypted SSL certificate. Apart from those, new-media people who use a website to promote a WeChat public account can install an encrypted SSL certificate for free if they want one. It helps with SEO and can improve the ranking of the website's keywords in search engines.

How do you apply for Let's Encrypt?

Let's Encrypt itself documents a set of procedures (https://certbot.eff.org/). Friends who use Linux can follow this tutorial while referring to that process.

Download the certbot-auto tool first, then run it to install the tool's dependencies.

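# Download certbot-auto over HTTPS, with TLS certificate validation left enabled
wget https://dl.eff.org/certbot-auto
chmod +x ./certbot-auto
# Non-interactive run that installs the tool's dependencies
./certbot-auto -n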

Generate the SSL certificate

Next, taking the domain name of Chen Weiliang's blog as an example, please modify it according to your own needs. Run the following commands over SSH.

Be sure to change the following in the command:

  1. email address
  2. server path
  3. website domain name

Single domain, single directory, generate a certificate:

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com

Multiple domains, single directory, generate a certificate: (that is, several domain names served from one directory share the same certificate)

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com

The generated SSL certificate is saved under the /etc/letsencrypt/live/www.chenweiliang.com/ directory.


Multiple domains, multiple directories, generate a certificate: (that is, several domain names served from several directories share the same certificate)

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com -w /home/eloha/public_html/site/etufo.org -d www.etufo.org -d img.etufo.org

After the Let's Encrypt certificate has been installed successfully, the following message appears in the SSH session:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
   Your cert will expire on 2018-02-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

SSL certificate renewal

Renewing the certificate is also very easy: use crontab to renew it automatically. Some Debian systems do not have crontab installed; you can install it manually first.

apt-get install cron

The following entries, for nginx and apache respectively, go into the /etc/crontab file. They mean that renewal runs every 10 days, which is sufficient for the 90-day validity period.

Nginx crontab file, please add:

# /etc/crontab format: minute hour day-of-month month day-of-week user command
0 3 */10 * * root /root/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"

Apache crontab file, please add:

# /etc/crontab format: minute hour day-of-month month day-of-week user command
0 3 */10 * * root /root/certbot-auto renew --renew-hook "service httpd restart"

SSL certificate: Apache configuration

Now we need to make changes to the Apache configuration.

Tips:

  • If you use the CWP control panel, ticking the option to generate an SSL certificate automatically on the Add Domain page configures the SSL certificate for Apache automatically.
  • If you additionally carry out the steps below, an error may occur after Apache is restarted.
  • If there is an error, delete the configuration you added manually.

Edit the httpd.conf file ▼

/usr/local/apache/conf/httpd.conf

Find ▼

Listen 443
  • (remove the comment sign # in front of it)

or add the listening port 443 ▼

Listen 443

Check over SSH which ports Apache listens on ▼

grep ^Listen /usr/local/apache/conf/httpd.conf

Find ▼

mod_ssl
  • (remove the comment sign # in front of it)

or add ▼

LoadModule ssl_module modules/mod_ssl.so

Find ▼

httpd-ssl
  • (remove the comment sign # in front of it)

Then run the following command over SSH (remember to change the path to your own):

cat >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/usr/local/apache/logs/ssl_mutex"
EOF

Next, go to the end of the Apache configuration of the website you created.

Add the configuration for the SSL section (remember to remove the comments, and change the paths to your own):

<VirtualHost *:443>
# Website directory
DocumentRoot /home/admin/web/chenweiliang.com/public_html
# Domain name
ServerName www.chenweiliang.com:443
# Email address
ServerAdmin [email protected]
# Error log
ErrorLog "/var/log/www.chenweiliang.com-error_log"
# Access log
CustomLog "/var/log/www.chenweiliang.com-access_log" common
SSLEngine on
# Certificate generated earlier
SSLCertificateFile /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
# Private key generated earlier
SSLCertificateKeyFile /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
# Website directory
<Directory "/home/admin/web/chenweiliang.com/public_html">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
# User group (some server configurations need this, some may not; delete this line if it causes an error)
suPHP_UserGroup eloha eloha
Order allow,deny
Allow from all
DirectoryIndex index.html index.phps
</Directory>
</VirtualHost>

Finally, restart Apache:

service httpd restart

Apache: force HTTP to redirect to HTTPS

  • Many web applications are always run over SSL only.
  • We need to make sure that, whenever SSL is used, the website is always accessed over SSL.
  • If any user tries to access the website with a non-SSL URL, they must be redirected to the SSL website.
  • Redirect to the SSL URL using the Apache mod_rewrite module.
  • If you use a LAMP one-click installation package that installs the SSL certificate automatically and forces the redirect to HTTPS, the redirect is already in force and you do not need to add the HTTPS redirect.

Add the redirect rule

  • In the Apache configuration file, edit the website's virtual host and add the following settings.
  • You can also add the same settings to the .htaccess file in your website's document root.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If you want to specify one particular URL to redirect to HTTPS:

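RewriteEngine On
# Redirect plain-HTTP requests only, so the rule cannot loop when .htaccess also serves the HTTPS host
RewriteCond %{HTTPS} off
RewriteRule ^message$ https://www.etufo.org/message [R=301,L]

  • If someone tries to access message, the page jumps to https, and the user can only reach that URL over SSL.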

Restart Apache so that the .htaccess file takes effect:

service httpd restart

Notes

  • Please change the email address above to your own email address.
  • Please remember to change the website domain name above to your own website domain name.

Redirect rule placement problem

Under pseudo-static rules, when you place the redirect rules you often run into the problem that http cannot be redirected to https.

At first we copied the redirect code into .htaccess, and it ended up in the following situation ▼

Figure 2: redirect rules with [L] above

  • [L] indicates that the current rule is the last rule; processing of the rewrite rules that follow stops.
  • So when you visit an article page that has been rewritten, [L] stops the rules that follow, and the redirect rule does not take effect.

When the http home page is visited, we want the URL redirect to fire: the pseudo-static rules must be skipped so that the redirect rule is executed, which gives a site-wide redirect from http to https.

Do not put the https redirect rules below the [L] rules; put them above the [L] rules ▼

Figure 3: pseudo-static SSL redirect rules with [L] below
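
The two orderings described above, written out with a small order check, as an added example that is not part of the original post. The pseudo-static rules are constructed front-controller rules, and check_redirect_order is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the original post; all sample rules are constructed.

# Pseudo-static (front-controller) rules of the kind the post refers to.
pseudo_static_rules() {
cat <<'EOF'
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
EOF
}

# The site-wide HTTP -> HTTPS redirect shown earlier in the post.
https_redirect_rules() {
cat <<'EOF'
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF
}

# Failing order: redirect placed below the [L] rules.
htaccess_broken() { echo "RewriteEngine On"; pseudo_static_rules; https_redirect_rules; }

# Working order: redirect placed above the [L] rules.
htaccess_fixed() { echo "RewriteEngine On"; https_redirect_rules; pseudo_static_rules; }

# Hypothetical helper: reads .htaccess text on stdin and prints
#   ok      - the https:// redirect precedes every other [L] rule
#   late    - another [L] rule comes first and can end processing early
#   missing - no rule substitutes an https:// URL
check_redirect_order() {
    awk '
        /^[ \t]*RewriteRule[ \t]/ {
            n++
            if ($3 ~ /^https:\/\//) { if (!redir) redir = n }
            else if ($NF ~ /^\[(.*,)?L(,.*)?\]$/) { if (!stop) stop = n }
        }
        END {
            if (!redir) print "missing"
            else if (stop && stop < redir) print "late"
            else print "ok"
        }'
}

echo "redirect below [L] rules: $(htaccess_broken | check_redirect_order)"
echo "redirect above [L] rules: $(htaccess_fixed | check_redirect_order)"
```

To check a live file, pipe it in: `check_redirect_order < .htaccess`.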


We hope that "How do you apply for Let's Encrypt? Let's Encrypt Free SSL Certificate Principle and Installation Tutorial", shared by Chen Weiliang Blog ( https://www.chenweiliang.com/ ), is helpful to you.

You are welcome to share the link to this article: https://www.chenweiliang.com/cwl-512.html
