How to Apply for Let's Encrypt? Let's Encrypt Free SSL Certificate Principle & Installation Tutorial

How to apply for Let's Encrypt?

Let's Encrypt SSL Certificate Principle & Installation Tutorial

What is SSL? Chen Weiliang covered this in the previous article, "What is the difference between http vs https? Detailed explanation of the SSL encryption process".

E-commerce websites must purchase an advanced SSL certificate. Apart from those, new media people who use a website for WeChat public account promotion and want to install an SSL certificate can install a free encrypted SSL certificate. It helps SEO and can improve the ranking of the website's keywords in search engines.


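Let's Encrypt itself has written a set of procedures (https://certbot.eff.org/). Linux users can follow this tutorial while referring to that procedure.

First download the certbot-auto tool, then run it to install its dependencies.

# certbot-auto has since been deprecated by the EFF; https://certbot.eff.org/ lists the current install methods
# Download over verified TLS: this script runs as root, so do not pass --no-check-certificate
wget https://dl.eff.org/certbot-auto
chmod +x ./certbot-auto
./certbot-auto -n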

Create the SSL certificate

Next, we take the domain name of Chen Weiliang's blog as an example; please modify it according to your own needs. Run the following commands over SSH.

Be sure to change the following in the commands:

  1. Email address
  2. Server path
  3. Website domain name

Single domain name, single directory, generating one certificate:

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com

Multiple domain names, single directory, generating one certificate (that is, multiple domain names in a single directory share the same certificate):

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com

The generated SSL certificate is saved under the /etc/letsencrypt/live/www.chenweiliang.com/ directory.

Multiple domain names, multiple directories, generating one certificate (that is, multiple domain names in multiple directories share the same certificate):

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com -w /home/eloha/public_html/site/etufo.org -d www.etufo.org -d img.etufo.org

After the Let's Encrypt certificate has been installed successfully, the following message is displayed in SSH:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
   Your cert will expire on 2018-02-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

SSL certificate renewal

Certificate renewal is also very simple: use crontab to renew automatically. Some Debian systems do not have crontab installed; you can install it manually first.

apt-get install cron

The following commands, for nginx and apache respectively, are entered into the /etc/crontab file. They mean that renewal is attempted every 10 days, which is enough for the 90-day validity period.

For Nginx, add to the crontab file:

# /etc/crontab entries need a user field (root here) before the command
0 3 */10 * * root /root/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"

For Apache, add to the crontab file:

# /etc/crontab entries need a user field (root here) before the command
0 3 */10 * * root /root/certbot-auto renew --renew-hook "service httpd restart"
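A check to run alongside the cron entries above, as an added example that is not part of the original article. By default certbot renews a certificate once it has fewer than 30 days left, so with a run every 10 days a healthy certificate should not drop below about 20 days; one that does means renewals are failing. The function names, the 20-day threshold and the self-signed demo certificates are assumptions made for this example.

```shell
#!/bin/sh
# Added example: detect Let's Encrypt certificates whose renewal is overdue.

# cert_days_ok FILE DAYS -> exit 0 if the first certificate in FILE is still
# valid DAYS days from now (openssl x509 -checkend takes seconds).
cert_days_ok() {
    openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}

# check_live_certs LIVE_DIR MIN_DAYS -> print every lineage with fewer than
# MIN_DAYS left (or an unreadable certificate); exit 1 if any was found.
check_live_certs() {
    rc=0
    for cert in "$1"/*/fullchain.pem; do
        [ -f "$cert" ] || continue
        cert_days_ok "$cert" "$2" && continue
        echo "RENEWAL OVERDUE: $cert"
        rc=1
    done
    return "$rc"
}

# make_demo_cert DIR NAME DAYS -> constructed self-signed stand-in for a
# certbot lineage directory DIR/NAME/ (hypothetical helper, demo only).
make_demo_cert() {
    mkdir -p "$1/$2"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2" -days "$3" \
        -keyout "$1/$2/privkey.pem" -out "$1/$2/fullchain.pem" 2>/dev/null
}

# Demo on constructed data; on a real server run:
#   check_live_certs /etc/letsencrypt/live 20
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" fresh.example.test 60
make_demo_cert "$demo_dir" stale.example.test 5
check_live_certs "$demo_dir" 20 || echo "at least one certificate needs attention"
rm -rf "$demo_dir"
```

A certificate file that cannot be parsed is reported as overdue as well, so a damaged lineage does not pass silently.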

SSL certificate Apache configuration

Now we need to make changes to the Apache configuration.

Tips:

  • If you use the CWP control panel and tick "automatically generate an SSL certificate" when adding a domain name, it will configure the SSL certificate for Apache automatically.
  • If you then also carry out the following steps, an error may occur after you restart Apache.
  • If there is an error, delete the configuration you added manually.

Edit the httpd.conf file ▼

/usr/local/apache/conf/httpd.conf

Find ▼

Listen 443
  • (remove the leading comment sign #)

or add listening port 443 ▼

Listen 443

Check the Apache listening port over SSH ▼

grep ^Listen /usr/local/apache/conf/httpd.conf

Find ▼

mod_ssl
  • (remove the leading comment sign #)

or add ▼

LoadModule ssl_module modules/mod_ssl.so

Find ▼

httpd-ssl
  • (remove the leading comment sign #)

Then run the following command over SSH (remember to change the path to your own):

cat >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/usr/local/apache/logs/ssl_mutex"
EOF

Next, go to the end of the Apache configuration for the website you created.

Add the SSL section of the configuration file (change the paths to your own; the comment lines can be removed):

<VirtualHost *:443>
# Website directory
DocumentRoot /home/admin/web/chenweiliang.com/public_html
# Domain name
ServerName www.chenweiliang.com:443
# Email address
ServerAdmin [email protected]
# Error log
ErrorLog "/var/log/www.chenweiliang.com-error_log"
# Access log
CustomLog "/var/log/www.chenweiliang.com-access_log" common
SSLEngine on
# Certificate generated earlier
SSLCertificateFile /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
# Private key generated earlier
SSLCertificateKeyFile /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
# Website directory
<Directory "/home/admin/web/chenweiliang.com/public_html">
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
# User and group (some server configurations need this line, some may not; delete it if it causes an error)
suPHP_UserGroup eloha eloha
Order allow,deny
Allow from all
DirectoryIndex index.html index.phps
</Directory>
</VirtualHost>

Finally, restart Apache:

service httpd restart

Forcing HTTP to redirect to HTTPS in Apache

  • Many web requests can often be served only over SSL.
  • We need to make sure that whenever SSL is in use, the website must be accessed through SSL.
  • If any user tries to access the website with a non-SSL URL, they must be redirected to the SSL website.
  • Redirect to the SSL URL using the Apache mod_rewrite module.
  • If, for example, you use a LAMP one-click installation package that installs the SSL certificate automatically and forces the redirect to HTTPS, the redirect is already in force and you do not need to add the HTTPS redirect.

Add the redirect rule

  • In the Apache configuration file, edit the website's virtual host and add the following settings.
  • You can also add the same settings to the .htaccess file in the document root of your website.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If you only want one specific URL to redirect to HTTPS:

RewriteEngine On
RewriteRule ^message$ https://www.etufo.org/message [R=301,L]
  • If someone tries to access message, the page jumps to https, and the user can access that URL only over SSL.

Restart Apache for the .htaccess file to take effect:

service httpd restart

Precautions

  • Please change the email address above to your own email address.
  • Please remember to change the website domain name above to your own website domain name.

Redirect rule placement problem

Under pseudo-static rules, when you place the redirect rules you often run into the problem that http cannot be redirected to https.

At first we copied the redirect code into .htaccess, and it ended up in the following situation ▼

Redirect rule with the [L] rules above it (image 2)

  • [L] indicates that the current rule is the last rule: stop processing the rewrite rules that follow.
  • So when you visit an article page that should be redirected, [L] stops the following rules, and the redirect rule does not take effect.

When visiting the http home page, we want the URL redirect to be triggered, skipping the pseudo-static rules and running the redirect rule, so that the http website is redirected to https.

Do not put the https redirect rule below the [L] rules; put it above the [L] rules ▼

SSL redirect rule with the pseudo-static [L] rules below it (image 3)
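The ordering problem described above can be checked mechanically. This added example (not code from the original article) reports whether the HTTPS redirect sits above or below the first [L] rule in a .htaccess file; it is a heuristic on rule order only, and the function names and the WordPress-style pseudo-static rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag an HTTPS redirect that sits below an [L] rewrite rule.
# Exit status: 0 = redirect comes first, 1 = an [L] rule precedes it,
# 2 = no "RewriteCond %{HTTPS} off" found.
https_redirect_order() {
    awk '
        $1 == "RewriteCond" && $2 == "%{HTTPS}" && ($3 == "off" || $3 == "!=on") {
            if (!https) https = NR
            pending = 1; next
        }
        $1 == "RewriteRule" {
            if (pending) { pending = 0; next }   # the redirect rule itself
            flags = $NF; gsub(/\[|\]/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++)
                if (f[i] == "L" && !blocker) blocker = NR
        }
        END { if (!https) exit 2; exit (blocker && blocker < https) ? 1 : 0 }
    ' "$1"
}

# Constructed sample rules: a WordPress-style pseudo-static block and the
# article's redirect, written to FILE in the order named by ORDER.
write_sample() {   # write_sample ORDER FILE; ORDER = redirect-first | static-first
    redirect='RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]'
    static='RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]'
    case $1 in
        redirect-first) printf '%s\n' 'RewriteEngine On' "$redirect" "$static" ;;
        static-first)   printf '%s\n' 'RewriteEngine On' "$static" "$redirect" ;;
    esac > "$2"
}

# Demo: the broken order first, then the corrected one.
tmp=$(mktemp)
for order in static-first redirect-first; do
    write_sample "$order" "$tmp"
    https_redirect_order "$tmp" && echo "$order: ok" \
        || echo "$order: redirect is below an [L] rule"
done
rm -f "$tmp"
```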


We hope that the Chen Weiliang Blog ( https://www.chenweiliang.com/ ) article "How to apply for Let's Encrypt? Let's Encrypt Free SSL Certificate Principle & Installation Tutorial" is helpful to you.

You are welcome to share the link to this article: https://www.chenweiliang.com/cwl-512.html
