How to Secure Apache with SSL and Let's Encrypt on FreeBSD


In this guide we will learn how to secure the Apache HTTP server with TLS/SSL certificates issued by Let's Encrypt on FreeBSD 11.x. We will also learn how to automate the certificate renewal process for Let's Encrypt.

TLS/SSL certificates are used by the Apache web server to encrypt the communication between endpoints, or more typically between the server and the client, to provide security. Let's Encrypt provides the certbot command-line utility, a program that makes it easy to obtain trusted certificates for free.

Requirements:

  1. Install FreeBSD 11.x
  2. 10 Things to Do After FreeBSD Installation
  3. How to Install Apache, MariaDB and PHP on FreeBSD

Step 1: Configure Apache SSL on FreeBSD

1. Before starting to install the certbot utility and creating the TLS configuration file for Apache, create two separate directories named sites-available and sites-enabled in the Apache root configuration directory by issuing the following commands.

The purpose of these two directories is to simplify the management of virtual host configurations on the system, without having to modify the main Apache httpd.conf configuration file every time we add a new virtual host.

# mkdir /usr/local/etc/apache24/sites-available
# mkdir /usr/local/etc/apache24/sites-enabled

2. After creating the two directories, open the Apache httpd.conf file with a text editor and add the following line near the end of the file, as shown below.

# nano /usr/local/etc/apache24/httpd.conf

Add the following line:

IncludeOptional etc/apache24/sites-enabled/*.conf

3. Next, enable the TLS module for Apache by creating a new file named 020_mod_ssl.conf in the modules.d directory with the following contents.

# nano /usr/local/etc/apache24/modules.d/020_mod_ssl.conf

Add the following lines to the 020_mod_ssl.conf file.

Listen 443
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300

4. Now, activate the SSL module in the /usr/local/etc/apache24/httpd.conf file by removing the hash sign from the beginning of the following line, as shown below:

LoadModule ssl_module libexec/apache24/mod_ssl.so

5. Next, create the TLS configuration file for your domain in the sites-available directory, preferably named after your domain, as shown in the excerpt below:

# nano /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf

Add the following VirtualHost configuration to the bsd.lan-ssl.conf file.

<VirtualHost *:443>
    ServerName www.yourdomain.com
    ServerAlias yourdomain.com
    DocumentRoot "/usr/local/www/apache24/data/"
    SSLEngine on

    SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem"
    SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "/usr/local/www/apache24/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    CustomLog "/var/log/apache/httpd-ssl_request.log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    <Directory "/usr/local/www/apache24/data/">
        Options Indexes FollowSymLinks MultiViews
        # AllowOverride controls what directives may be placed in .htaccess files.
        AllowOverride All
        # Controls who can get content from this server.
        Require all granted
    </Directory>

    ErrorLog "/var/log/apache/yourdomain.ssl-error.log"
    CustomLog "/var/log/apache/yourdomain.ssl-access_log" combined

</VirtualHost>

Make sure you replace the yourdomain.com placeholder in the ServerName, ServerAlias, ErrorLog and CustomLog statements, and in the certificate paths, with your own domain name.
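Before the file is enabled in step 11, it is worth catching the mistakes that a plain apachectl -t does not report: a leftover yourdomain placeholder, a certificate path that does not exist yet, or a log directory that is missing (httpd only opens its log files when it starts, so a missing /var/log/apache is not a syntax error and typically surfaces only at restart). The POSIX shell function below is an added example, not code from the original guide or from Apache; it reads a VirtualHost file like the one above and flags those problems plus a world-readable private key. The optional second argument (a prefix for every absolute path in the file) and the constructed test files are assumptions made here so the check can be run against a scratch tree.

```shell
#!/bin/sh
# Preflight check for an Apache TLS VirtualHost file before it is enabled.
# Added example, not part of the original guide. Assumes the sites-available
# layout used above, but takes the file (and an optional path prefix) as
# arguments so it can run against any location.

# vhost_preflight CONF [ROOT]
#   CONF  the VirtualHost file to check
#   ROOT  prefix prepended to every absolute path found in CONF (default: none);
#         assumed here so the check can run against a constructed test tree
# Returns 0 when no problem was found; otherwise prints each problem and returns 1.
vhost_preflight() {
    conf="$1"; root="${2:-}"; status=0

    # 1. Placeholder values copied verbatim from the example configuration
    if grep -q 'yourdomain' "$conf"; then
        echo "PROBLEM: 'yourdomain' placeholder still present in $conf"; status=1
    fi

    # 2. Certificate, key and chain files named in the config must exist and be non-empty
    for directive in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        path=$(awk -v d="$directive" '$1 == d { gsub(/"/, "", $2); print $2 }' "$conf")
        [ -z "$path" ] && continue
        if [ ! -s "$root$path" ]; then
            echo "PROBLEM: $directive points at missing or empty file $path"; status=1
        fi
    done

    # 3. The directory of every ErrorLog/CustomLog target must exist: httpd does not
    #    create it, and 'apachectl -t' still reports Syntax OK when it is missing
    for path in $(awk '$1 == "ErrorLog" || $1 == "CustomLog" { gsub(/"/, "", $2); print $2 }' "$conf"); do
        dir=$(dirname "$path")
        if [ ! -d "$root$dir" ]; then
            echo "PROBLEM: log directory $dir does not exist"; status=1
        fi
    done

    # 4. The private key must not be world-readable (column 8 of 'ls -l' is the
    #    "other: read" bit, which is portable across BSD and GNU ls)
    key=$(awk '$1 == "SSLCertificateKeyFile" { gsub(/"/, "", $2); print $2 }' "$conf")
    if [ -n "$key" ] && [ -e "$root$key" ] && [ "$(ls -l "$root$key" | cut -c8)" = "r" ]; then
        echo "PROBLEM: private key $key is world-readable"; status=1
    fi

    return $status
}

# Stand-alone use against the real file from step 5 (no path prefix):
#   vhost_preflight /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf && echo "preflight OK"
```

Run it as root after certbot has written the live/ directory (step 8) and before the ln -sf in step 11; a zero exit means every path the VirtualHost refers to is in place.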

Step 2: Install Let's Encrypt on FreeBSD

6. In the next step, issue the command below to install the certbot utility provided by Let's Encrypt, which will be used to obtain free TLS certificates for Apache for your domain.

During the installation of certbot, several prompts will be displayed on your screen. Follow the prompts as shown in the screenshot below to configure certbot. Compiling and installing certbot may take a while, depending on your machine's resources.

# cd /usr/ports/security/py-certbot
# make install clean

7. After the compilation process finishes, issue the commands below to update the certbot utility and the dependencies certbot requires.

# pkg install py27-certbot
# pkg install py27-acme

8. To generate a certificate for your domain, issue the command shown below. Make sure you provide, with the -w flag, the correct webroot location where your website files live in the file system (the DocumentRoot directive from your domain configuration file). If you have several subdomains, add all of them with the -d flag.

# certbot certonly --webroot -w /usr/local/www/apache24/data/ -d yourdomain.com -d www.yourdomain.com

While obtaining the certificate, supply an e-mail address for certificate renewal notices, agree to the Let's Encrypt terms and conditions, and answer n when asked to share your e-mail address.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email 
There seem to be problems with that address. Enter email address (used for
urgent renewal and security notices)  If you really want to skip this, you can
run the client with --register-unsafely-without-email but make sure you then
backup your account key from /etc/letsencrypt/accounts   (Enter 'c' to cancel):[email 

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.domain.com
Using the webroot path /usr/local/www/apache24/data for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem. Your cert
   will expire on 2017-11-15. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /usr/local/etc/letsencrypt. You should make a secure backup of
   this folder now. This configuration directory will also contain certificates
   and private keys obtained by Certbot so making regular backups of this folder
   is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

9. After obtaining the certificates for your domain, you can run the ls command to list all the certificate components (chain, private key, certificate), as shown in the example below.

# ls -al /usr/local/etc/letsencrypt/live/www.yourdomain.com/

Step 3: Update Apache TLS Certificates on FreeBSD

10. To add the Let's Encrypt certificates to your website, open the Apache configuration file for your domain and update the following lines so that they point to the paths of the issued certificates.

# nano /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf

Add these TLS certificate lines:

SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/privkey.pem"
SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/www.yourdomain.com/fullchain.pem"

11. Finally, enable the TLS configuration file by creating a symbolic link to it in the sites-enabled directory, check the Apache configuration for possible syntax errors and, if the syntax is OK, restart the Apache daemon by issuing the commands below.

# ln -sf /usr/local/etc/apache24/sites-available/bsd.lan-ssl.conf /usr/local/etc/apache24/sites-enabled/
# apachectl -t
# service apache24 restart

12. To verify whether the Apache service is listening on HTTPS port 443, issue the command below to list the httpd network sockets.

# sockstat -4 | grep httpd

13. You can navigate to your domain address from a browser over the HTTPS protocol to confirm that the Let's Encrypt certificates are applied successfully.

https://www.yourdomain.com

14. To obtain additional information about the issued Let's Encrypt certificate from the command line, use the openssl command as shown below.

# openssl s_client -connect www.yourdomain.com:443
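The openssl s_client check above is interactive. For the renewal automation the introduction promises, a practitioner also wants an unattended check that can run from cron: does the certificate certbot wrote still have more than N days of validity, and does it cover every hostname the VirtualHost answers for (a renewal run without all the -d names from step 8 still lets Apache start, but browsers then report a name mismatch for the missing host). The POSIX shell script below is an added example, not code from the guide or from certbot. It assumes the live/ path used above (replace the domain), a 30-day warning threshold chosen here, and /usr/local/bin/certbot as the path the py-certbot port installs; the certbot renew call is the one certbot's own output above suggests, and --deploy-hook runs the restart only when a certificate was actually renewed. The self-signed certificate in the test is constructed with openssl purely for the check.

```shell
#!/bin/sh
# Expiry and hostname-coverage check for the certbot-issued certificate, with the
# renewal job it belongs to. Added example, not part of the original guide or of
# certbot. Assumptions: the live/ path below (replace the domain), a 30-day warning
# threshold, and /usr/local/bin/certbot as the binary installed by the py-certbot port.

LIVE_DIR="/usr/local/etc/letsencrypt/live/www.yourdomain.com"
THRESHOLD_DAYS=30

# cert_expires_within FILE DAYS
# Returns 0 when the certificate in FILE expires within DAYS days (needs attention),
# 1 when it stays valid beyond that window. openssl's -checkend takes seconds.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1    # openssl: "Certificate will not expire"
    fi
    return 0        # openssl: "Certificate will expire"
}

# cert_covers_host FILE HOSTNAME
# Returns 0 when HOSTNAME is listed in the certificate's Subject Alternative Names.
# The SAN list is the line following the "Subject Alternative Name" header in -text
# output; it is split on commas and compared exactly against "DNS:HOSTNAME".
cert_covers_host() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed 's/^ *//' \
        | grep -qx "DNS:$2"
}

# check_live_cert HOST...
# Cron-friendly check of the certificate Apache serves: prints a warning and returns
# non-zero when it is close to expiry or does not cover one of the given hostnames.
check_live_cert() {
    cert="$LIVE_DIR/cert.pem"; rc=0
    if cert_expires_within "$cert" "$THRESHOLD_DAYS"; then
        echo "WARNING: $cert expires within $THRESHOLD_DAYS days"; rc=1
    fi
    for host in "$@"; do
        if ! cert_covers_host "$cert" "$host"; then
            echo "WARNING: $cert does not cover $host"; rc=1
        fi
    done
    return $rc
}

# renew_and_restart
# Renewal job: certbot renews only certificates that are within 30 days of expiry,
# and the deploy hook restarts Apache only when a certificate was actually renewed.
# Suggested crontab entry for root (binary path assumed):
#   0 3 * * * /usr/local/bin/certbot renew --quiet --deploy-hook "service apache24 restart"
renew_and_restart() {
    /usr/local/bin/certbot renew --quiet --deploy-hook "service apache24 restart"
}

# Stand-alone use: './check-cert.sh --check' inspects the live certificate for both
# names from the VirtualHost in step 5.
if [ "${1:-}" = "--check" ]; then
    check_live_cert www.yourdomain.com yourdomain.com
fi
```

Running check_live_cert from cron alongside the renewal job gives an alert if renewal silently stops working (for example because the webroot path from step 8 changed), instead of the first sign being an expired-certificate error in visitors' browsers.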

15. You can also check from a mobile device whether the traffic is encrypted with a trusted certificate issued by the Let's Encrypt CA, as shown in the mobile screenshot below.

That's all! Clients can now safely browse your website, because the traffic flowing between the server and the client's browser is encrypted. For more complex issues related to the certbot utility, visit the following link: https://certbot.eff.org/