Python Web Deployment Notes 6 (SSL)
SSL
Using Let's Encrypt; references:
Complete Guide to Adding HTTPS to a Website with Let's Encrypt
Notes: Obtaining a TLS Certificate from Let's Encrypt (Webroot + Nginx)
How To Secure Nginx with Let's Encrypt on CentOS 7
Install certbot
$ yum install epel-release
$ yum install certbot
Generate the certificate
$ mkdir /etc/letsencrypt/configs
$ vi /etc/letsencrypt/configs/example.com.conf
# your domain(s) and contact email
domains = example.com
rsa-key-size = 2048
email = your-email@example.com
text = True
# validate domain ownership with the webroot method; the challenge files are served from the path configured in nginx below
authenticator = webroot
webroot-path = /var/www/letsencrypt
$ vi /etc/nginx/conf.d/awesome.conf
# /etc/nginx/conf.d/awesome.conf
# nginx conf for awesome
server {
    listen 80 default_server;
    root /srv/awesome/www;
    access_log /srv/awesome/log/access.log;
    error_log /srv/awesome/log/error.log;

    location = / {
        proxy_pass http://127.0.0.1:9000;
    }

    # ACME HTTP-01 challenge files that certbot's webroot authenticator writes
    # under webroot-path; this location must not be proxied to the application
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }

    location ^~ /static/ {
        root /srv/awesome/www;
    }

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
$ mkdir -p /var/www/letsencrypt
$ nginx -s reload
$ certbot -c /etc/letsencrypt/configs/example.com.conf certonly
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2020-11-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
Configure nginx SSL
Mozilla SSL Configuration Generator
$ mkdir /etc/nginx/ssl
$ openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
ssl_trusted_certificate requires downloading the Root Certificates. However, according to the official Nginx documentation, if ssl_certificate already contains the intermediates, ssl_trusted_certificate does not need to be provided separately, so here I simply used the ssl_certificate file, fullchain.pem.
$ cd /etc/letsencrypt/live/example.com
$ sudo wget https://letsencrypt.org/certs/isrgrootx1.pem
$ sudo mv isrgrootx1.pem root.pem
$ sudo cat root.pem chain.pem > root_ca_cert_plus_intermediates
Complete nginx configuration file after enabling SSL
# /etc/nginx/conf.d/awesome.conf
# nginx conf for awesome
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

    # replace with the IP address of your resolver
    resolver 173.199.96.96 173.199.96.97;

    root /srv/awesome/www;
    access_log /srv/awesome/log/access.log;
    error_log /srv/awesome/log/error.log;

    #location = / {
    #    proxy_pass http://127.0.0.1:9000;
    #}

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }

    location ^~ /static/ {
        root /srv/awesome/www;
    }

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
$ nginx -s reload
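The following is an added example, not part of these notes and not code from nginx or certbot: a small Python linter that parses the awesome.conf above (embedded as a constructed, trimmed copy; example.com, the paths and the resolver addresses are placeholders) and checks the settings this page relies on: the port-80 redirect to HTTPS, a protocol list without TLSv1/TLSv1.1, ssl_session_tickets off, an HSTS header with a sufficient max-age and the always flag, a resolver when OCSP stapling is on, and that the acme-challenge location's root is the same directory as webroot-path in the certbot config, so renewals keep working. The parser, the finding messages and the one-year HSTS threshold are this example's own assumptions.

```python
"""Lint an nginx config for the TLS and ACME settings used in these notes."""
import re

# Constructed input: a trimmed copy of the final awesome.conf from the notes
# (example.com, the paths and the resolver addresses are placeholders).
SAMPLE_CONF = """
server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000" always;
    ssl_stapling on;
    resolver 173.199.96.96 173.199.96.97;
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";  # comments are stripped before tokenizing
        root /var/www/letsencrypt;
    }
    location / { proxy_pass http://127.0.0.1:9000; }
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_AGE = 31536000  # assumption: one year, the minimum hstspreload.org accepts


def parse(text):
    """Parse nginx config text into (name, args, children) triples; children is None
    for a simple directive. Toy parser: assumes no '#' inside quoted values."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tokens = iter(re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+', stripped))

    def block():
        items, cur = [], []
        for tok in tokens:  # shared iterator: a nested block consumes its own tokens
            if tok == ";":
                if cur:
                    items.append((cur[0], cur[1:], None))
                cur = []
            elif tok == "{":
                items.append((cur[0], cur[1:], block()))
                cur = []
            elif tok == "}":
                break
            else:
                cur.append(tok.strip("\"'"))
        return items

    return block()


def directive(block, name):
    """Arguments of the last `name` directive in block, or None if absent."""
    found = [args for n, args, _ in block if n == name]
    return found[-1] if found else None


def lint_server(server, webroot="/var/www/letsencrypt"):
    """Findings for one server block; an empty list means it passes."""
    findings = []
    listens = [args for n, args, _ in server if n == "listen"]
    note = lambda msg: findings.append("[%s] %s" % (" ".join(listens[0]) if listens else "?", msg))

    if not any("ssl" in args for args in listens):
        # Plain-HTTP server: its only job is to send clients to HTTPS. Let's Encrypt
        # follows the redirect, so the HTTPS server must serve the challenge path.
        ret = directive(server, "return")
        if not (ret and ret[0] in ("301", "308") and len(ret) > 1 and ret[1].startswith("https://")):
            note("does not redirect to https:// (expected 'return 301 https://$host$request_uri;')")
        return findings

    # nginx's built-in default when ssl_protocols is unset still includes TLSv1 and TLSv1.1
    protos = directive(server, "ssl_protocols") or ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
    if set(protos) & LEGACY_PROTOCOLS:
        note("legacy protocols enabled: " + " ".join(sorted(set(protos) & LEGACY_PROTOCOLS)))
    if directive(server, "ssl_session_tickets") != ["off"]:
        note("ssl_session_tickets should be off (the ticket key only changes on restart, "
             "so a leaked key undoes forward secrecy for every session it protected)")
    hsts = [a for n, a, _ in server if n == "add_header" and a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        note("Strict-Transport-Security header missing")
    else:
        age = re.search(r"max-age=(\d+)", " ".join(hsts[-1][1:]))
        if not age or int(age.group(1)) < MIN_HSTS_AGE:
            note(f"HSTS max-age below {MIN_HSTS_AGE} seconds")
        if "always" not in hsts[-1]:
            note("HSTS add_header lacks 'always', so error responses go out without it")
    if directive(server, "ssl_stapling") == ["on"] and directive(server, "resolver") is None:
        note("ssl_stapling on but no resolver, so nginx cannot reach the OCSP responder")
    acme = [kids for n, a, kids in server
            if n == "location" and a and a[-1].startswith("/.well-known/acme-challenge")]
    if not acme:
        note("no /.well-known/acme-challenge/ location, so certbot webroot renewal would 404")
    elif directive(acme[-1], "root") != [webroot]:
        note(f"acme-challenge root does not match certbot webroot-path {webroot}")
    return findings


def lint(text, webroot="/var/www/letsencrypt"):
    """Lint every server block in an nginx config and return all findings."""
    findings = []
    for name, _, children in parse(text):
        if name == "server" and children is not None:
            findings.extend(lint_server(children, webroot))
    return findings
```

To check a live server, read /etc/nginx/conf.d/awesome.conf and pass its contents to lint(), with webroot set to the webroot-path from the certbot config; an empty list means every check passed, and each string in a non-empty list names the listen directive of the offending server block and what to change. The parser is deliberately minimal (no include handling, no '#' inside quoted strings), so it is a pre-deploy sanity check, not a replacement for nginx -t.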
Automatic certificate renewal
1. crontab (CentOS, Ubuntu)
$ crontab -e
# run every day at 01:00; certbot only renews certificates that are close to expiry
0 1 * * * /usr/bin/certbot renew --quiet
# nginx must be reloaded before a renewed certificate is served; this does it on the 13th of every month at 13:00
0 13 13 * * nginx -s reload
$ crontab -l
2. systemd (not yet in use)
$ vi /etc/systemd/system/letsencrypt.service
[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
# ExecStart/ExecStartPost need absolute paths (mandatory on CentOS 7's systemd 219)
ExecStart=/usr/bin/certbot renew --quiet --agree-tos
ExecStartPost=/usr/sbin/nginx -s reload
$ vi /etc/systemd/system/letsencrypt.timer
[Unit]
Description=Monthly renewal of Let's Encrypt certificates
[Timer]
OnCalendar=monthly
Persistent=true
[Install]
WantedBy=timers.target
$ systemctl enable letsencrypt.timer
$ systemctl start letsencrypt.timer
$ systemctl list-timers