
How to Secure Nginx with Letsencrypt on Ubuntu 20.04

Let's Encrypt was developed by the Internet Security Research Group (ISRG) and is trusted by all major browsers. It is used to automate certificate creation, validation, signing, installation, and renewal for secure websites.

Certificates are only valid for 90 days, so you need to renew them manually or set up an automatic renewal system.

Let's Encrypt supports automated certificate issuance for Apache, Nginx, Plex, and HAproxy. We will cover nginx in this guide.


Prerequisites:

  • An Ubuntu 20.04 server with internet access and a public IP
  • A valid domain name with DNS pointed to the server
  • Root access or sudo access to the server

Installing the Certbot Let's Encrypt Client

Log in to the server using ssh [email protected] -p port:

ssh [email protected]

Update all your packages to the latest available versions.

sudo apt update
sudo apt upgrade -y

Install Nginx

sudo apt install -y nginx

Start and enable nginx

sudo systemctl start nginx
sudo systemctl enable nginx

Let's create an nginx configuration for site1.citizix.com:

Open the configuration file with your text editor:

sudo vim /etc/nginx/conf.d/site1.conf

Add this content:

server {
    listen 80;
    server_tokens off;
    client_max_body_size 10M;
    server_name site1.citizix.com;

    access_log /var/log/nginx/site1.citizix.com/access.log;
    error_log /var/log/nginx/site1.citizix.com/error.log;
    ignore_invalid_headers off;

    ## Deny illegal Host headers
    if ($host !~* ^(site1\.citizix\.com)$ ) {
        return 444;
    }

    root /var/www/site1.citizix.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Scheme $scheme;
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

}

Install the Certbot Client

Certbot is a command-line tool that simplifies obtaining and renewing Let's Encrypt SSL certificates for your website. Use this command to install it along with its python dependencies:

sudo apt install certbot python3-certbot-nginx

If you have the ufw firewall installed and enabled, open http and https traffic from the web:

sudo ufw allow 80
sudo ufw allow 443
sudo ufw reload

Obtaining a Certificate

Stop nginx:

sudo systemctl stop nginx
sudo certbot --nginx --non-interactive --agree-tos --email [email protected] -d site1.citizix.com

Output

# sudo certbot --nginx --non-interactive --agree-tos --email [email protected] -d site1.citizix.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Account registered.
Requesting a certificate for site1.citizix.com
Performing the following challenges:
http-01 challenge for site1.citizix.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/site1.citizix.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/site1.citizix.com.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://site1.citizix.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/site1.citizix.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/site1.citizix.com/privkey.pem
   Your certificate will expire on 2021-11-05. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Start nginx:

sudo systemctl start nginx
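
The certificate is only valid for 90 days and the certbot output points to "certbot renew" for renewal. The following is an added example, not part of the original guide, that reports how many days a certificate has left and whether it has fallen inside the renewal window. It assumes GNU date and certbot's default 30-day window; the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example: is the certificate inside certbot's renewal window?
# Needs GNU date (standard on Ubuntu). Function names are illustrative.
CERT=/etc/letsencrypt/live/site1.citizix.com/fullchain.pem   # path from the certbot output
RENEW_BEFORE_DAYS=30   # certbot's default: renew once fewer than 30 days remain

# days_left NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the string printed by `openssl x509 -enddate`,
# e.g. "Nov  5 10:00:00 2021 GMT". Prints whole days left, negative if expired.
days_left() {
    local not_after="$1" now="${2:-$(date +%s)}" end diff
    end=$(date -u -d "$not_after" +%s) || return 2
    diff=$(( end - now ))
    if [ "$diff" -lt 0 ]; then
        echo $(( (diff - 86399) / 86400 ))   # round down: expired 1 hour ago is -1, not 0
    else
        echo $(( diff / 86400 ))
    fi
}

# renewal_due NOT_AFTER [NOW_EPOCH]
# Succeeds when the certificate should already have been renewed, which on a
# host with working automation means the renewal job is failing.
renewal_due() {
    local d
    d=$(days_left "$@") || return 2
    [ "$d" -lt "$RENEW_BEFORE_DAYS" ]
}

# cert_not_after FILE: notAfter date of a PEM certificate
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# On the server (as root; the live/ directory is not world-readable):
#   renewal_due "$(cert_not_after "$CERT")" && echo "renewal overdue"
#   systemctl list-timers certbot.timer   # timer shipped by Ubuntu's certbot package
#   certbot renew --dry-run               # test renewal without replacing the certificate
```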

Update the Nginx configuration to redirect http traffic to https

server {
    server_tokens off;
    client_max_body_size 10M;
    server_name site1.citizix.com;

    access_log /var/log/nginx/site1.citizix.com/access.log;
    error_log /var/log/nginx/site1.citizix.com/error.log;
    ignore_invalid_headers off;

    ## Deny illegal Host headers
    if ($host !~* ^(site1\.citizix\.com)$ ) {
        return 444;
    }

    root /var/www/site1.citizix.com;

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Scheme $scheme;
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/site1.citizix.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/site1.citizix.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = site1.citizix.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name site1.citizix.com;
    return 404; # managed by Certbot
}
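
To confirm that the port 80 server block above really sends clients to https, the following added example (not part of the original guide) parses HTTP response headers and accepts only a 301 whose Location is an https URL on the expected host. The function names and the sample responses are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: verify the http -> https redirect from response headers.

# check_redirect HOST
# Reads raw response headers on stdin. Succeeds only for status 301 with a
# Location that starts with https://HOST/ .
check_redirect() {
    awk -v host="$1" '
        { sub(/\r$/, "") }                        # header lines end in CRLF
        NR == 1 { status = $2; next }             # "HTTP/1.1 301 Moved Permanently"
        tolower($1) == "location:" { loc = $2 }   # header names are case-insensitive
        END {
            want = "https://" host "/"
            ok = (status == "301" && index(tolower(loc), want) == 1)
            printf "status=%s location=%s\n", status, loc
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample responses (not captured from the real site).
sample_redirect() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n'
    printf 'Location: https://site1.citizix.com/\r\n\r\n'
}
sample_plain() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n'
}
sample_wrong_host() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nlocation: https://other.example/\r\n\r\n'
}

# On a machine that can reach the server:
#   sudo nginx -t                              # validate the edited config before reloading
#   curl -sI http://site1.citizix.com/ | check_redirect site1.citizix.com
# The 443 block answers any other Host with 444 (connection closed, no response),
# which curl reports as exit code 52:
#   curl -sk -o /dev/null -H 'Host: other.example' https://site1.citizix.com/; echo $?
```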
