How to secure Lighttpd with a Let's Encrypt TLS/SSL certificate on Debian/Ubuntu
In this tutorial you will learn how to install, configure and set up Lighttpd with a free Let's Encrypt TLS/SSL certificate to protect traffic on a Debian or Ubuntu Linux cloud server.
How do I secure a Lighttpd web server with a free Let's Encrypt SSL certificate on an Ubuntu Linux 16.04/18.04/20.04 LTS or Debian Linux 8.x/9.x/10.x server?
How do I configure Lighttpd with a free Let's Encrypt TLS/SSL certificate?
Let's Encrypt is a free, open certificate authority for your website or any other project.
You can obtain a free TLS/SSL certificate to create encrypted HTTPS sessions for your site's visitors.
This tutorial shows how to install a free SSL certificate from Let's Encrypt for the Lighttpd web server.
Our example sets up Lighttpd with Let's Encrypt.
Example setup for securing Lighttpd with Let's Encrypt TLS/SSL on Debian or Ubuntu Linux
- Default Lighttpd configuration file:
/etc/lighttpd/lighttpd.conf
- Default Lighttpd SSL configuration file on Ubuntu/Debian Linux:
/etc/lighttpd/conf-enabled/10-ssl.conf
- Lighttpd SSL certificate directory:
/etc/lighttpd/ssl/theitroad.local/
- Lighttpd DocumentRoot path:
/var/www/html/
- TLS/SSL port: 443
- Our example domain: www.theitroad.local
- Dedicated public IP:
10.16.26.69
Let's see how to set up Lighttpd with Let's Encrypt on Linux.
Step 1: Install the acme.sh client
Run the following apt-get command / apt command:
$ sudo apt-get install git bc wget curl
Step 2: Clone the repo
Run the following commands:
$ cd /tmp
$ git clone https://github.com/Neilpang/acme.sh.git
$ sudo -i
# cd /tmp/acme.sh/
# ./acme.sh --install
Step 3: Create the /.well-known/acme-challenge/ directory
Run the following commands (set D to the actual server.document-root path for your setup):
# D=/var/www/html
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R www-data:www-data ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/
Step 4: Create a directory to store the SSL certificate
Run the following mkdir command:
# mkdir -p /etc/lighttpd/ssl/theitroad.local/
Step 5: Set up/create your dhparam.pem file
Run the following commands to create a strong Diffie-Hellman (DH) group file:
# cd /etc/lighttpd/ssl/theitroad.local/
# openssl dhparam -out dhparam.pem -dsaparam 4096
Step 6: Issue a certificate for your domain
The syntax is:
acme.sh --issue -w /server.document-root-path/ -d www.example.com
acme.sh --issue -w /var/www/html/ -d example.com -k 2048
To issue a certificate for www.theitroad.local, run:
# acme.sh --issue -w /var/www/html -d www.theitroad.local -k 4096
Step 7: Enable SSL for Lighttpd
Run the following command:
# lighttpd-enable-mod ssl
Step 8: Lighttpd SSL configuration
Edit the /etc/lighttpd/conf-enabled/10-ssl.conf file:
# vi /etc/lighttpd/conf-enabled/10-ssl.conf
Update it as follows:
# turn on ssl
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.disable-client-renegotiation = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/theitroad.local/ssl.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/theitroad.local/ca.cer"
    ssl.dh-file = "/etc/lighttpd/ssl/theitroad.local/dhparam.pem"
    # ECDH/ECDHE ciphers curve strength
    ssl.ec-curve = "secp384r1"
    ssl.use-compression = "disable"
    # Environment flag for HTTPS enabled
    setenv.add-environment = ( "HTTPS" => "on" )
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    # HSTS (15768000 seconds = 6 months)
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=15768000;" )
}
The following configuration only supports Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57 and Safari 12.1:
# Only supports TLS 1.3 and no support for SSL 2/3 or TLS v1/1.1/1.2
ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1, -TLSv1.2")
ssl.cipher-list = ""
ssl.honor-cipher-order = "disable"
The following configuration supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20 and Safari 9:
# General-purpose servers with a variety of clients
# All SSL support disabled including TLS 1 and 1.1
# Only supports TLS 1.2 and 1.3
ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
ssl.honor-cipher-order = "disable"
Save and close the file.
Step 9: Install the issued certificate for the Lighttpd web server
First create a hook for the lighttpd ssl.pem file as follows:
# vi /root/.acme.sh/www.theitroad.local/hook.sh
Append the following script:
#!/bin/bash
dom="www.theitroad.local"                  # your domain name
dest="/etc/lighttpd/ssl/theitroad.local"   # lighttpd ssl path root
croot="/root/.acme.sh/${dom}"              # acme.sh root path for your domain
### NO edit below ###
sslfile="${dest}/ssl.pem"                  # lighttpd .pem file path
certfile="${croot}/${dom}.cer"             # lighttpd certificate file path
keyfile="${croot}/${dom}.key"              # lighttpd key file path
echo "Running lighttpd cmd..."
/bin/cat "${certfile}" "${keyfile}" > "${sslfile}"
/bin/systemctl restart lighttpd
Save and close the file.
Set the executable permission:
# chmod +x /root/.acme.sh/www.theitroad.local/hook.sh
The script above creates a file named /etc/lighttpd/ssl/theitroad.local/ssl.pem (ssl.pem = cert + privkey).
Run the following command to install the certificate and restart the lighttpd web server:
# acme.sh --installcert -d www.theitroad.local \
    --capath /etc/lighttpd/ssl/theitroad.local/ca.cer \
    --reloadcmd '/root/.acme.sh/www.theitroad.local/hook.sh'
Sample output:
[Sun Mar 12 19:51:30 UTC 2016] Installing CA to:/etc/lighttpd/ssl/theitroad.local/ca.cer
[Sun Mar 12 19:51:30 UTC 2016] Run reload cmd: /root/.acme.sh/www.theitroad.local/hook.sh
Running lighttpd cmd...
[Sun Mar 12 19:51:30 UTC 2016] Reload success
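The tutorial's hook simply concatenates the certificate and key into ssl.pem and restarts lighttpd. Because that file holds the private key, and because a truncated or mismatched ssl.pem takes the server down at restart, a defensive hook should write the file with owner-only permissions, check that the key actually belongs to the certificate, and only then restart. The script below is an added example and is not the tutorial's own hook.sh or part of acme.sh; it assumes the same domain and directory layout as the tutorial, and it is invoked with an explicit `deploy` argument (so pass `--reloadcmd '/root/.acme.sh/www.theitroad.local/hook.sh deploy'` instead of the bare path used above).

```shell
#!/bin/sh
# Hardened acme.sh reload hook for lighttpd (added example, not the
# tutorial's hook.sh). Usage: hook.sh deploy
set -eu

dom="www.theitroad.local"                  # domain issued by acme.sh (assumed)
dest="/etc/lighttpd/ssl/theitroad.local"   # lighttpd ssl directory (assumed)
croot="/root/.acme.sh/${dom}"              # acme.sh output directory for $dom

# Return 0 only if the PEM file contains both a certificate and a private key.
pem_is_complete() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}

# Return 0 only if the public key inside the certificate equals the public
# key derived from the private key (needs the openssl CLI).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# Build cert+key into $3 atomically: write a 0600 temp file, verify it, then
# rename it over the old ssl.pem so lighttpd never sees a half-written file.
assemble_pem() {
    tmp="$3.tmp.$$"
    ( umask 077 && cat "$1" "$2" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    if ! pem_is_complete "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$3"
}

# Full deployment: validate, install, restart. A non-zero exit makes
# acme.sh log the reload as failed instead of "Reload success".
deploy_cert() {
    certfile="${croot}/${dom}.cer"
    keyfile="${croot}/${dom}.key"
    key_matches_cert "$certfile" "$keyfile" ||
        { echo "hook: private key does not match certificate, not deploying" >&2; return 1; }
    assemble_pem "$certfile" "$keyfile" "${dest}/ssl.pem" ||
        { echo "hook: could not assemble ${dest}/ssl.pem" >&2; return 1; }
    echo "hook: installed ${dest}/ssl.pem, restarting lighttpd"
    systemctl restart lighttpd
}

[ "${1:-}" = "deploy" ] && deploy_cert
```

The key/certificate comparison is the check that matters most: acme.sh writes the .cer and .key files separately, and if a renewal ever leaves them out of step, this hook refuses to overwrite the working ssl.pem rather than restarting lighttpd into a failed state.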
Step 10: Test it
Verify that lighttpd is listening on port 443:
# netstat -tulpn | grep ':443'
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 379/lighttpd
Step 11: Open port 443 with the UFW firewall
Run the following ufw command to open port 443:
# ufw allow proto tcp from any to 10.16.26.69 port 443
Type the following URL into your browser:
https://www.theitroad.local
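Checking that the port is open and the page loads does not tell you whether the hardening in step 8 took effect. The script below is an added example, not part of the tutorial or of acme.sh: given a hostname, it confirms with openssl s_client that the legacy TLS 1.0 and 1.1 protocols are refused and, with curl, that the Strict-Transport-Security header carries at least the 15768000-second max-age configured above. The host name is an argument you supply; the hostname and expected max-age are assumptions taken from this tutorial's example values.

```shell
#!/bin/sh
# Post-deployment TLS check for the lighttpd setup (added example).
# Usage: tlscheck.sh www.theitroad.local
set -eu

# Return 0 if an HSTS header value carries a max-age of at least $2 seconds.
# $1 = header value, e.g. "max-age=15768000;" or "max-age=300; includeSubDomains"
hsts_max_age_ok() {
    age=$(printf '%s' "$1" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge "$2" ]
}

# Return 0 if the server refuses a handshake with the given s_client
# protocol flag (-tls1 or -tls1_1): no certificate means no session.
protocol_refused() {
    ! openssl s_client -connect "$1:443" -servername "$1" "$2" </dev/null 2>/dev/null |
        grep -q 'BEGIN CERTIFICATE'
}

# Run the live probes against $1 and return non-zero if any check fails.
run_live_checks() {
    host="$1"
    rc=0
    command -v openssl >/dev/null && command -v curl >/dev/null ||
        { echo "need openssl and curl on PATH" >&2; return 2; }
    for flag in -tls1 -tls1_1; do
        if protocol_refused "$host" "$flag"; then
            echo "ok:   $flag refused"
        else
            echo "FAIL: $flag accepted (check ssl.openssl.ssl-conf-cmd)"
            rc=1
        fi
    done
    hsts=$(curl -sI "https://$host/" |
        sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity: *//p' | tr -d '\r')
    if hsts_max_age_ok "$hsts" 15768000; then
        echo "ok:   HSTS present: $hsts"
    else
        echo "FAIL: HSTS missing or max-age too short: '$hsts'"
        rc=1
    fi
    return $rc
}

[ -n "${1:-}" ] && run_live_checks "$1"
```

Run it after step 11 from a machine that can reach the server; a FAIL on the protocol probes usually means the ssl.openssl.ssl-conf-cmd line was not added or lighttpd was not restarted after editing 10-ssl.conf.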
How do I renew the certificate?
# acme.sh --renew -d www.theitroad.local
How do I upgrade the acme.sh client?
# acme.sh --upgrade
A note about the cron job
A scheduled job will also try to renew the certificate for you.
It is installed by default as follows (you do not need to do anything).
You can list it with the crontab command, as follows:
$ sudo crontab -l
Sample output:
33 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null