How to secure Lighttpd with a free Let's Encrypt TLS/SSL certificate on Debian/Ubuntu
How do I configure HTTPS for the Lighttpd web server on Debian/Ubuntu Linux?
How do I secure a Lighttpd server with a free Let's Encrypt SSL certificate?
How do I configure Lighttpd with a free Let's Encrypt TLS/SSL certificate?
How do I configure HTTPS on a Lighttpd server?
How do I install a TLS/SSL certificate on a Linux web server?
How do I set up Lighttpd with Let's Encrypt on Linux?
Setup details
- Default Lighttpd configuration file: /etc/lighttpd/lighttpd.conf
- Default Lighttpd SSL configuration file on Ubuntu/Debian Linux: /etc/lighttpd/conf-enabled/10-ssl.conf
- Lighttpd SSL certificate directory: /etc/lighttpd/ssl/theitroad.test/
- Lighttpd DocumentRoot path: /var/www/html/
- TLS/SSL port: 443
- Domain name: www.theitroad.test
- Public IP: 171.32.32.111
Install the acme.sh client
Run the following apt-get / apt command:
$ sudo apt-get install git bc wget curl
Clone the script with git
Run the following commands to clone the acme.sh client with git and install it:
$ cd /tmp
$ git clone https://github.com/Neilpang/acme.sh.git
$ sudo -i
# cd /tmp/acme.sh/
# ./acme.sh --install
Create the /.well-known/acme-challenge/ directory
Create the directory and set its permissions:
# mkdir -vp /var/www/html/.well-known/acme-challenge/
# chown -R www-data:www-data /var/www/html/.well-known/acme-challenge/
# chmod -R 0555 /var/www/html/.well-known/acme-challenge/
Create a directory to hold the SSL certificate
Run the following mkdir command:
# mkdir -p /etc/lighttpd/ssl/theitroad.test/
Create the dhparam.pem file
Run the following commands to create the Diffie-Hellman (DH) group file:
# cd /etc/lighttpd/ssl/theitroad.test/
# openssl dhparam -out dhparam.pem -dsaparam 4096
Issue a certificate for the domain
The syntax is:
acme.sh --issue -w /server.document-root-path/ -d www.example.com
acme.sh --issue -w /var/www/html/ -d example.com -k 2048
Here we issue a certificate for www.theitroad.test:
# acme.sh --issue -w /var/www/html -d www.theitroad.test -k 4096
Enable the Lighttpd SSL module
Run the following command:
# lighttpd-enable-mod ssl
Enabling ssl: ok
Run /etc/init.d/lighttpd force-reload to enable changes
Configure SSL in Lighttpd
Edit the file /etc/lighttpd/conf-enabled/10-ssl.conf:
# vi /etc/lighttpd/conf-enabled/10-ssl.conf
Reference configuration:
# turn on ssl #
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.disable-client-renegotiation = "enable"
    ssl.pemfile = "/etc/lighttpd/ssl/theitroad.test/ssl.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/theitroad.test/ca.cer"
    ssl.dh-file = "/etc/lighttpd/ssl/theitroad.test/dhparam.pem"
    # ECDH/ECDHE ciphers curve strength
    ssl.ec-curve = "secp384r1"
    ssl.use-compression = "disable"
    # Environment flag for HTTPS enabled
    setenv.add-environment = (
        "HTTPS" => "on"
    )
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    # HSTS (15768000 seconds = 6 months)
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=15768000;"
    )
}
The following configuration (TLS 1.3 only) supports only Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57 and Safari 12.1:
# Only supports TLS 1.3; no support for SSL 2/3 or TLS 1.0/1.1/1.2
ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1, -TLSv1.2")
ssl.cipher-list = ""
ssl.honor-cipher-order = "disable"
The following configuration (TLS 1.2 and 1.3) supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20 and Safari 9:
# General-purpose servers with a variety of clients
# SSL 2/3 and TLS 1.0/1.1 disabled
# Only supports TLS 1.2 and 1.3
ssl.openssl.ssl-conf-cmd = ("Protocol" => "ALL, -SSLv2, -SSLv3, -TLSv1, -TLSv1.1")
ssl.cipher-list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
ssl.honor-cipher-order = "disable"
Install the issued certificate for the Lighttpd web server
First create a hook script that builds the lighttpd ssl.pem file, as follows:
# vi /root/.acme.sh/www.theitroad.test/hook.sh
The script contents are as follows:
#!/bin/bash
# Stop on the first error so lighttpd is not restarted with a half-written ssl.pem
set -e
dom="www.theitroad.test" # your domain name
dest="/etc/lighttpd/ssl/theitroad.test" # lighttpd ssl path root
croot="/root/.acme.sh/${dom}" # acme.sh root path for your domain
### NO edit below ###
sslfile="${dest}/ssl.pem" # lighttpd .pem file path
certfile="${croot}/${dom}.cer" # certificate file issued by acme.sh
keyfile="${croot}/${dom}.key" # private key file generated by acme.sh
echo "Running lighttpd cmd..."
# lighttpd expects certificate and private key in one PEM file
/bin/cat "${certfile}" "${keyfile}" > "${sslfile}"
# the combined file contains the private key, so keep it readable by root only
/bin/chmod 0600 "${sslfile}"
/bin/systemctl restart lighttpd
Set the executable permission:
# chmod +x /root/.acme.sh/www.theitroad.test/hook.sh
The script above will create the file /etc/lighttpd/ssl/theitroad.test/ssl.pem.
Run the following command to install the certificate and restart the lighttpd web server:
# acme.sh --installcert -d www.theitroad.test \
    --capath /etc/lighttpd/ssl/theitroad.test/ca.cer \
    --reloadcmd '/root/.acme.sh/www.theitroad.test/hook.sh'
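A reloadcmd hook that blindly concatenates cert and key and restarts lighttpd will take the site down if a renewal leaves a mismatched or expired pair behind. The script below is an added example, not the page's or acme.sh's own hook.sh: it uses the same paths as above, but verifies that the certificate's public key matches the private key and that the certificate is still valid before replacing ssl.pem atomically with root-only permissions. It assumes the openssl command-line tool is installed (the page already uses it); the RUN_HOOK variable and the DOM/DEST/CROOT overrides are this example's own additions.

```shell
#!/bin/bash
# Added example, not the page's hook.sh: verify the renewed cert/key pair
# before lighttpd is reloaded. Paths default to the ones used on this page.
dom="${DOM:-www.theitroad.test}"
dest="${DEST:-/etc/lighttpd/ssl/theitroad.test}"
croot="${CROOT:-/root/.acme.sh/${dom}}"

# Return 0 when the certificate's public key equals the private key's public key.
cert_matches_key() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate is still valid for at least N more days.
cert_valid_for_days() {
    local cert="$1" days="${2:-1}"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Write cert+key into a lighttpd ssl.pem, atomically and readable only by root,
# but only after both checks above pass. Returns non-zero (and leaves any
# existing ssl.pem untouched) when the pair is unusable.
install_pem() {
    local cert="$1" key="$2" out="$3" tmp
    cert_matches_key "$cert" "$key" || { echo "cert/key mismatch: $cert $key" >&2; return 1; }
    cert_valid_for_days "$cert" 1 || { echo "certificate expired or expiring: $cert" >&2; return 1; }
    tmp="${out}.tmp.$$"
    ( umask 077 && cat "$cert" "$key" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"
}

# Only act as the acme.sh reloadcmd when explicitly asked, so the file can be
# sourced for its functions without side effects (RUN_HOOK is hypothetical).
if [ "${RUN_HOOK:-0}" = "1" ]; then
    install_pem "${croot}/${dom}.cer" "${croot}/${dom}.key" "${dest}/ssl.pem" \
        && /bin/systemctl restart lighttpd
fi
```

To use it as the hook, pass `--reloadcmd 'RUN_HOOK=1 /root/.acme.sh/www.theitroad.test/hook.sh'` to acme.sh; a failed check exits non-zero, which acme.sh reports instead of silently restarting lighttpd.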
Configure the firewall
Configure the UFW firewall to open port 443 (https):
# ufw allow proto tcp from any to 171.32.32.111 port 443
Testing
Verify that lighttpd is listening on port 443:
# netstat -tulpn | grep ':443'
Open the following address in a browser:
https://www.theitroad.test
How do I upgrade the acme.sh client?
# acme.sh --upgrade
How do I renew the Let's Encrypt SSL certificate?
# acme.sh --renew -d www.theitroad.test
Automatic certificate renewal with crontab
You can add a scheduled job to crontab to renew the certificate automatically. List the current jobs with:
$ sudo crontab -l
Example cron entry:
1 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

