How to secure Nginx with Let's Encrypt on OpenSUSE 15.1/15.2
How to install and set up a Let's Encrypt TLS/SSL certificate, with OCSP stapling and an ECC certificate, on an Nginx server running OpenSUSE Linux 15.1/15.2.
Let's Encrypt is a free, automated and open certificate authority for your web servers, mail servers, database servers and so on.
This tutorial shows how to install a TLS certificate for the Nginx web server using Let's Encrypt.
How to secure Nginx with Let's Encrypt on OpenSUSE Linux
The procedure for obtaining an SSL/TLS certificate is:
- Get the acme.sh client:
git clone https://github.com/Neilpang/acme.sh.git
- Create an nginx configuration for your domain:
vi /etc/nginx/vhosts.d/your-domain-name.conf
- Obtain a certificate for your domain:
acme.sh --issue -d your-domain-name --nginx
- Configure TLS in Nginx:
vi /etc/nginx/vhosts.d/your-domain-name.conf
- Set up a cron job that renews the TLS certificate automatically (acme.sh installs one for you)
- Open port 443 (HTTPS) with firewalld:
sudo firewall-cmd --add-service=https
Let's look at all the steps in detail.
Step 1: Install the required software (prerequisites)
Open a terminal and run the following commands.
First make sure the OpenSUSE Linux packages and kernel are up to date:
$ sudo zypper ref
$ sudo zypper up
The acme.sh client needs curl, wc and a few other packages (socat is what standalone mode uses to listen on port 80), so install them with zypper:
$ sudo zypper install wget curl bc git socat cronie
Install Nginx on OpenSUSE Linux
Again with zypper:
$ sudo zypper install nginx
$ sudo systemctl enable nginx.service
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.
Start the Nginx server and verify it with systemctl:
$ sudo systemctl start nginx.service
$ sudo systemctl status nginx.service
Finally, open HTTP port 80 with firewalld on OpenSUSE Linux (the Let's Encrypt HTTP-01 validation used below must be able to reach port 80):
$ sudo firewall-cmd --zone=public --add-service=http
$ sudo firewall-cmd --zone=public --add-service=http --permanent
$ sudo firewall-cmd --list-services
ssh dhcpv6-client http
Step 2: Install the acme.sh Let's Encrypt client
Clone the acme.sh repository (the project has since moved to the acmesh-official organisation on GitHub; the URL below redirects there):
$ cd /tmp/
$ git clone https://github.com/Neilpang/acme.sh.git
Install the client. Become root first with su or sudo, because acme.sh installs itself under /root/.acme.sh and adds its cron entry for that user:
$ sudo -i
# touch /root/.bashrc
# cd /tmp/acme.sh/
# ./acme.sh --install --accountemail your-email-id@domain-here
The installer adds an acme.sh alias to /root/.bashrc; run source /root/.bashrc (or log out and back in) so that the acme.sh command used in the following steps is available.
Step 3: Configure a basic Nginx HTTP server on OpenSUSE
I will create a new configuration for a domain named opensuse.theitroad.local (replace opensuse.theitroad.local with your real domain name throughout):
# vi /etc/nginx/vhosts.d/opensuse.theitroad.local.conf
Append the following directives:
# http port 80 config
server {
    listen 80 default_server;       # IPv4
    listen [::]:80 default_server;  # IPv6
    server_name opensuse.theitroad.local;  # domain name
    access_log /var/log/nginx/http_opensuse.theitroad.local_access.log;
    error_log /var/log/nginx/http_opensuse.theitroad.local_error.log;
    root /srv/www/htdocs;
}
Save and close the file.
Test the nginx configuration and restart the nginx server:
# nginx -t && systemctl restart nginx.service
Step 4: Create the dhparam.pem file
Create the Diffie-Hellman parameters used by the DHE cipher suites with the openssl command:
# mkdir -pv /etc/nginx/ssl/theitroad.local/
# cd /etc/nginx/ssl/theitroad.local/
# openssl dhparam -out dhparams.pem -dsaparam 4096
# ls -l
A note on -dsaparam: it makes generation finish in seconds rather than many minutes, but the parameters it produces are DSA-style, not safe primes. OpenSSL documents that such parameters require a fresh DH key for every handshake to avoid small-subgroup attacks; OpenSSL 1.1 and later always generate single-use DH keys, so nginx on OpenSUSE 15.x is fine with them. If you prefer not to rely on that, drop -dsaparam and wait, or use the pre-generated RFC 7919 ffdhe groups. With the cipher list in step 6, modern clients negotiate ECDHE anyway, so DHE is only a fallback.
Step 5: Obtain a certificate for the domain
We can issue the certificate through the Nginx server configured in step 3 (webroot mode).
However, if your server sits behind a reverse-proxy CDN such as Cloudflare, use standalone mode as described below. Be aware that standalone mode starts its own listener on port 80, so nginx must be stopped while it runs (or give acme.sh another port with --httpport and forward port 80 to it). When HTTP cannot reach the origin at all, acme.sh's DNS-01 mode (for example --dns dns_cf for Cloudflare DNS) avoids port 80 entirely.
Issue the certificate using the pre-configured Nginx
# DOM="opensuse.theitroad.local"
# D="/srv/www/htdocs"
# mkdir -pv ${D}/.well-known/acme-challenge/
# acme.sh --webroot "${D}" --issue -d "$DOM" --ocsp-must-staple --keylength 4096
## Get an ECC cert too. Only ec-384 or ec-256 ##
# acme.sh --webroot "${D}" --issue -d "$DOM" --ocsp-must-staple --keylength ec-384
Issue the certificate in standalone mode
# DOM="opensuse.theitroad.local"
# acme.sh --issue --standalone -d "$DOM" --ocsp-must-staple --keylength 4096
## Get an ECC cert too. Only ec-384 or ec-256 ##
# acme.sh --issue --standalone -d "$DOM" --ocsp-must-staple --keylength ec-384
Where:
--webroot /srv/www/htdocs : the web root folder for webroot mode. acme.sh writes the challenge files under /.well-known/acme-challenge/ inside that root, so the directory must exist and nginx must serve it on port 80 for the domain.
--issue : issue a certificate.
-d domain-name : a domain to issue, renew or revoke for. It can be given several times, for example: acme.sh --issue -d www.theitroad.local -d ftp.cybercit.com --ocsp-must-staple --keylength 4096
--ocsp-must-staple : add the OCSP Must-Staple extension to the certificate. Caveat: clients that honour the extension (Firefox does) refuse any connection on which the server sends no stapled OCSP response, so this flag is only safe together with ssl_stapling on in step 6. nginx also fetches the OCSP response lazily, so the first handshake after a restart can go out without a staple.
--keylength 4096 : the length of the domain key: 2048, 3072, 4096, 8192, or ec-256, ec-384, ec-521.
--keylength ec-256 : elliptic-curve cryptography (ECC) is a public-key approach based on the algebraic structure of elliptic curves over finite fields. Compared with RSA and finite-field Diffie-Hellman it provides equivalent security with much smaller keys. Let's Encrypt issues for the P-256 and P-384 curves only, which is why the comment above says "only ec-384 or ec-256".
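Before running acme.sh --issue in webroot mode it is worth proving that the challenge path is really served, because a wrong root, a vhost mismatch or a closed port 80 is the usual reason an issue fails. The following script is an added example, not part of the original article or of acme.sh: it writes a random token under $D/.well-known/acme-challenge/, fetches it over plain HTTP the way the Let's Encrypt validator does (following redirects, as the CA does), and compares the two. The domain and web root are taken from the command line; the function names are my own.

```sh
#!/bin/sh
# HTTP-01 pre-flight check for acme.sh --webroot (added example, not acme.sh code).
# Assumptions: $1 is the domain being issued, $2 the nginx root from step 3,
# and http://$1/ reaches this nginx on port 80 (opened in step 1).
set -u

# Directory the Let's Encrypt HTTP-01 validator fetches from (RFC 8555, 8.3).
challenge_dir() {
    printf '%s/.well-known/acme-challenge\n' "$1"
}

# Write a random token file into the challenge dir of root $1; print the token.
write_token() {
    dir=$(challenge_dir "$1")
    mkdir -p "$dir" || return 1
    token=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')   # 32 hex chars
    printf 'preflight-%s\n' "$token" > "$dir/$token" || return 1
    printf '%s\n' "$token"
}

# Compare what nginx served ($2) with what we wrote for token $1; 0 = match.
body_matches() {
    [ "$2" = "preflight-$1" ]
}

# Full check: write token, fetch it over plain HTTP (following redirects, as the
# CA does, so the step 6 redirect to HTTPS is fine), report, then clean up.
preflight() {
    dom=$1; root=$2
    token=$(write_token "$root") || { echo "FAIL: cannot write under $root"; return 1; }
    url="http://$dom/.well-known/acme-challenge/$token"
    body=$(curl -sSL --max-time 10 "$url")
    rc=$?
    rm -f "$(challenge_dir "$root")/$token"
    if [ $rc -ne 0 ]; then
        echo "FAIL: curl could not fetch $url (DNS, firewall or nginx not listening?)"
        return 1
    fi
    if body_matches "$token" "$body"; then
        echo "OK: $url served the token; HTTP-01 validation should succeed"
    else
        echo "FAIL: $url returned something else (another vhost or root? an error page?)"
        return 1
    fi
}

# Usage: sh preflight.sh opensuse.theitroad.local /srv/www/htdocs
if [ "${1:-}" ]; then
    preflight "$1" "${2:-/srv/www/htdocs}"
fi
```

Run it as root once nginx from step 3 is up; if it prints FAIL, fix nginx before asking the CA, since Let's Encrypt rate-limits failed validations.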
Step 6: Configure Nginx on the OpenSUSE Linux server
Edit the configuration file:
# vi /etc/nginx/vhosts.d/opensuse.theitroad.local.conf
Update it as follows. Do not reload nginx until the certificate files referenced here exist (step 7); nginx -t fails when ssl_certificate points at a missing file.
# http port 80 config
server {
    listen 80 default_server;       # IPv4
    listen [::]:80 default_server;  # IPv6
    server_name opensuse.theitroad.local;
    access_log off;
    error_log off;
    root /srv/www/htdocs;
    # Send everything to HTTPS. The Let's Encrypt HTTP-01 validator follows this
    # redirect, so webroot renewals keep working because the 443 block serves the same root.
    return 301 https://$host$request_uri;
}
# https port 443 config
server {
    listen 443 ssl http2;       # IPv4
    listen [::]:443 ssl http2;  # HTTP/2 TLS IPv6
    server_name opensuse.theitroad.local;  # domain name
    # Set document root
    location / {
        root /srv/www/htdocs;
        index index.html index.htm;
    }
    # Set access and error log for this vhost
    access_log /var/log/nginx/https.opensuse.theitroad.local_access.log;
    error_log /var/log/nginx/https.opensuse.theitroad.local_error.log;
    # TLS/SSL CONFIG
    # RSA certificate (installed in step 7)
    ssl_certificate /etc/nginx/ssl/theitroad.local/opensuse.theitroad.local.fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/theitroad.local/opensuse.theitroad.local.key;
    # ECC certificate; nginx offers RSA or ECDSA depending on the client (nginx 1.11.0+)
    ssl_certificate /etc/nginx/ssl/theitroad.local/opensuse.theitroad.local.fullchain.cer.ecc;
    ssl_certificate_key /etc/nginx/ssl/theitroad.local/opensuse.theitroad.local.key.ecc;
    ssl_dhparam /etc/nginx/ssl/theitroad.local/dhparams.pem;
    # A little bit of optimization
    ssl_session_timeout 1d;
    ssl_session_cache shared:theitroadSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;
    # TLS version 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
    # Note: add_header is inherited by a location only if that location sets no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" always;
    # WARNING: The HTTP Content-Security-Policy response header lets sysadmins/developers
    # control which resources the user agent may load for a given page.
    # A wrong policy breaks third-party scripts/ad networks, so read the following URL first:
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
    add_header Content-Security-Policy "default-src https://opensuse.theitroad.local:443" always;
    # OCSP stapling (mandatory here: the certificates were issued with --ocsp-must-staple)
    ssl_stapling on;
    ssl_stapling_verify on;
    # Verify the chain of trust of the OCSP response using the intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/theitroad.local/opensuse.theitroad.local.fullchain.cer;
    # Replace with the IP address of your resolver
    resolver 1.1.1.1;
}
Sample index.html
Create a new file:
# vi /srv/www/htdocs/index.html
Append the following code:
<!doctype html>
<html lang="en">
<head>
  <title>OpenSUSE.theitroad.local Nginx server</title>
  <meta charset="utf-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
  <article>
    <h2>Hello, World!</h2>
    <p>This is a test server powered by OpenSUSE Linux 15.2 and Nginx with a free TLS certificate.</p>
    <hr>
    <small>
      Email us <a href="mailto:[email protected]">[email protected]</a>.
    </small>
  </article>
</body>
</html>
Step 7: Install the Let's Encrypt TLS certificate on OpenSUSE 15.1/15.2
Install the issued certificate into the nginx server and reload it. acme.sh records these paths and the reload command, so every cron renewal copies the new files into place and reloads nginx without further action:
# DOM="opensuse.theitroad.local"
# acme.sh -d "$DOM" \
    --install-cert \
    --reloadcmd "systemctl reload nginx" \
    --fullchain-file "/etc/nginx/ssl/theitroad.local/$DOM.fullchain.cer" \
    --key-file "/etc/nginx/ssl/theitroad.local/$DOM.key" \
    --cert-file "/etc/nginx/ssl/theitroad.local/$DOM.cer"
Install the ECC certificate too (the --ecc flag selects the ec-384 certificate issued in step 5):
# acme.sh -d "$DOM" \
    --ecc \
    --install-cert \
    --reloadcmd "systemctl reload nginx" \
    --fullchain-file "/etc/nginx/ssl/theitroad.local/$DOM.fullchain.cer.ecc" \
    --key-file "/etc/nginx/ssl/theitroad.local/$DOM.key.ecc" \
    --cert-file "/etc/nginx/ssl/theitroad.local/$DOM.cer.ecc"
Check that the private keys are readable by root only (ls -l /etc/nginx/ssl/theitroad.local/ should show -rw------- for the .key files; chmod 600 them otherwise) and confirm that the step 6 configuration now loads with nginx -t.
Step 8: Open TCP port 443 [HTTPS port]
Now open HTTPS TCP port 443 with firewalld on OpenSUSE Linux:
# firewall-cmd --zone=public --add-service=https
# firewall-cmd --zone=public --add-service=https --permanent
# firewall-cmd --list-services
# curl -I https://opensuse.theitroad.local/
Step 9: Test it
Run the SSL Labs server test (https://www.ssllabs.com/ssltest/) and the securityheaders.com check against your domain, then open it in a web browser, e.g.:
https://opensuse.theitroad.local
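The browser-based tests above do not fit into a deployment script, so here is an added example (not from the original article or from acme.sh) that checks the points this tutorial cares about from the command line: an OCSP staple is actually sent, the leaf certificate carries the Must-Staple extension requested in step 5, the certificate is not about to expire, TLS 1.1 is refused, and HSTS is set for at least a year. It assumes the openssl and curl binaries from step 1; the parsing helpers take the tool output as a string, so they can be exercised offline, and the function names are my own.

```sh
#!/bin/sh
# Post-deployment TLS checks for the vhost built in steps 6-8 (added example).
# Assumes openssl and curl are installed and $1:443 is reachable from this host.
set -u

# Was an OCSP staple sent? ($1 = output of `openssl s_client -status`)
has_staple() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# Does the leaf carry the Must-Staple extension (RFC 7633)? ($1 = output of
# `openssl x509 -text`; OpenSSL prints it as "X509v3 TLS Feature:" + "status_request")
must_staple() {
    printf '%s\n' "$1" | grep -q 'status_request'
}

# Is HSTS present with max-age >= 1 year (31536000 s)? ($1 = raw response headers)
hsts_ok() {
    age=$(printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z' \
        | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] && [ "$age" -ge 31536000 ]
}

# Live checks against one host; prints a line per check, returns 1 on any FAIL.
verify_host() {
    dom=$1; fail=0
    sc=$(openssl s_client -connect "$dom:443" -servername "$dom" -status </dev/null 2>/dev/null)
    if has_staple "$sc"; then
        echo "PASS OCSP staple sent"
    else
        # nginx fetches the OCSP response lazily: rerun once before believing this.
        echo "FAIL no OCSP staple (Must-Staple clients such as Firefox will refuse)"; fail=1
    fi
    leaf=$(printf '%s\n' "$sc" | openssl x509 -noout -text 2>/dev/null)
    if must_staple "$leaf"; then
        echo "PASS Must-Staple extension present"
    else
        echo "WARN certificate has no Must-Staple extension"
    fi
    # -checkend returns 0 when the certificate is still valid in 30 days' time
    if printf '%s\n' "$sc" | openssl x509 -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "PASS certificate valid for more than 30 days"
    else
        echo "FAIL certificate expires within 30 days (is the acme.sh cron job running?)"; fail=1
    fi
    # A TLS 1.1 handshake must fail (assumes the local OpenSSL can still offer TLS 1.1)
    if openssl s_client -connect "$dom:443" -servername "$dom" -tls1_1 </dev/null >/dev/null 2>&1; then
        echo "FAIL TLS 1.1 accepted"; fail=1
    else
        echo "PASS TLS 1.1 refused"
    fi
    hdr=$(curl -sSI --max-time 10 "https://$dom/")
    if hsts_ok "$hdr"; then
        echo "PASS HSTS max-age >= 1 year"
    else
        echo "FAIL HSTS header missing or max-age too short"; fail=1
    fi
    return $fail
}

# Usage: sh verify-tls.sh opensuse.theitroad.local
if [ "${1:-}" ]; then
    verify_host "$1"
fi
```

Run it after step 8 and again after the first cron renewal; the OCSP check in particular is worth a second run, because nginx only fetches the response on the first handshake after a reload.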
Step 10: Basic acme.sh commands
List all certificates:
# acme.sh --list
Main_Domain               KeyLength  SAN_Domains  Created                       Renew
opensuse.theitroad.local  "4096"     no           Mon Jul  6 19:07:07 UTC 2020  Fri Sep  4 19:07:07 UTC 2020
opensuse.theitroad.local  "ec-384"   no           Mon Jul  6 19:11:54 UTC 2020  Fri Sep  4 19:11:54 UTC 2020
Renew the certificate for the domain named opensuse.theitroad.local (add --ecc to address the ECC certificate):
# acme.sh --renew -d opensuse.theitroad.local
# acme.sh --force --renew -d opensuse.theitroad.local -d www.theitroad.local
Note that the cron job also tries to renew the certificates for you.
It is installed by default as follows (you do not need to do anything).
To see the cron job, run:
# crontab -l
28 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
To upgrade the acme.sh client, run:
# acme.sh --upgrade
Get help:
# acme.sh --help | more