Ubuntu & Debian
Menggunakan Port selain 80 atau 443 untuk https.
Ada kasus, memerlukan https, untuk selain port diatas, misal, kita ingin bisa mengakses alamat seperti : https://myapps.com:81
sudo apt update
sudo apt install certbot
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp www-data /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
sudo nano /etc/nginx/snippets/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
allow all;
root /var/lib/letsencrypt/;
default_type "text/plain";
try_files $uri =404;
}
sudo nano /etc/nginx/snippets/ssl.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
sudo nano /etc/nginx/sites-enabled/mysites.conf
server {
listen 80;
server_name example.com www.example.com;
include snippets/letsencrypt.conf;
}
sudo ln -s /etc/nginx/sites-available/mysites.conf /etc/nginx/sites-enabled/
sudo systemctl restart nginx
sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
sudo nano /etc/nginx/sites-available/mysites.conf
server {
listen 80;
server_name www.example.com example.com;
include snippets/letsencrypt.conf;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name www.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
include snippets/ssl.conf;
include snippets/letsencrypt.conf;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
include snippets/ssl.conf;
include snippets/letsencrypt.conf;
# . . . other code
}
sudo nginx -t
sudo systemctl restart nginx
Renew
Untuk renew secara otomatis bisa menjalankan perintah minimal setiap hari 1x dengan cron :
Untuk nginx
sudo crontab -e
43 6 * * * certbot renew --post-hook "systemctl reload nginx"
Untuk apache
sudo crontab -e
43 6 * * * certbot renew --post-hook "systemctl reload apache2"
Mac
Ketika melakukan pengembangan secara lokal, terkadang kita memerlukan https, seperti ketika aplikasi kita menggunakan oauth2. Untuk setup nya, bisa membaca [4]
Referensi
- How To Secure Nginx with Let's Encrypt on Ubuntu 16.04, https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
- Using Free SSL/TLS Certificates from Let’s Encrypt with NGINX, https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
- Secure Nginx with Let's Encrypt on Debian 10 Linux, https://serverfault.com/questions/790772/cron-job-for-lets-encrypt-renewal
- Wildcard HTTPS on local MacOS, https://blog.cdivilly.com/2020/06/15/localhost-wildcard_https
No comments:
Post a Comment